On Nov 16, 2007 2:39 PM, Juan Miscaro <[EMAIL PROTECTED]> wrote:
> Hi gang,
>
> So I'm setting up my first wireless network for a small business with
> OpenBSD acting as internet gateway. I am familiar with OpenBSD as
> gateway but not in the wireless context. I picked myself up a card
> that the docs say is supported (Linksys WMP54G) and will be installing
> 4.2 from my CD this evening.
>
> At this point I'm asking myself the obvious question. How do I secure
> my network? I see the authpf is used a lot but is there anything else
> I can do? What of VPN? If so, what implementation?
>
> My client stations will be Ubuntu Linux.
>
> Thank you in advance to any responders,
>
> // juan
I combined authpf with OpenVPN, using some big hints from some easily google-able places. Even though WEP and WPA aren't supported by OpenBSD, I still wanted to have authenticated and encrypted traffic. This might be overkill for some but it works for me.

After setting up the wireless interface to dhcpd a private netblock, I locked it down with pf:

    block in on $wlan_if
    pass in on $wlan_if proto udp to port { bootps, bootpc }
    pass in on $wlan_if proto udp to ($wlan_if:0) port domain
    pass in on $wlan_if proto tcp to ($wlan_if:0) port ssh

Then I set up authpf to allow authenticated users the ability to connect to the VPN:

    pass in on $wlan_if proto udp from <authpf_users> to ($wlan_if:0) port 1194

Next I configured OpenVPN in routed mode. It hands out IPs from yet another private netblock I have permanently attached to lo1.

Finally, I treat the tun0 interface like a semi-trusted wired interface in pf and apply my standard list of allowable client applications:

    client_if = "{ sk0, tun0 }"
    pass in on $client_if proto udp to port $udp_client_ports
    pass in on $client_if proto tcp to port $tcp_client_ports

This obviously isn't my full pf.conf, and care must be taken because the rules are highly dependent on order. My initial setup took nearly a full day to configure and troubleshoot, since I had to get pf, authpf, dhcpd, named, and OpenVPN to all cooperate. I found that selectively allowing and denying ICMP was of great assistance while testing pf rules and tcpdump to be essential when I had other services misconfigured.

Windows and OS X OpenVPN clients are readily available and configuration is easy if you understood what you were doing when setting up the OpenVPN server.

Although I feel like I've got a good handle on all the interactions here, I'm no professional and if there are any gaping holes in this setup, I am eager to hear about them. I plan to investigate IPSEC in the near future, which may be an alternative.

--david
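The pieces David lists above only work once they sit in one pf.conf in the order pf expects, and authpf itself needs two things his excerpt does not show: the `authpf/*` anchors and the `<authpf_users>` table declaration. The following is an added example assembled from his fragments for OpenBSD 4.2-era syntax; it is not his pf.conf or any project's code. The interface names (`fxp0`, `ral0`), netblocks, and the port lists behind `$tcp_client_ports` and `$udp_client_ports` are assumptions chosen for illustration.

```pf
# Added example, not David's pf.conf: his fragments placed in the order
# pf.conf(5) requires (macros, tables, options, scrub, translation, filter).
ext_if   = "fxp0"           # assumption: upstream interface
wlan_if  = "ral0"           # assumption: the wireless card
vpn_net  = "10.30.0.0/24"   # assumption: OpenVPN pool attached to lo1
client_if = "{ sk0, tun0 }" # wired LAN plus the VPN tunnel, as in the reply
tcp_client_ports = "{ ssh, smtp, domain, www, https, imaps }"  # assumption
udp_client_ports = "{ domain, ntp }"                           # assumption

# authpf(8) inserts each authenticated user's address into this table;
# pf.conf must declare it or authpf will refuse to start.
table <authpf_users> persist

set skip on lo
scrub in all

# Translation section precedes filter rules in 4.2-era syntax. The
# translation anchors let authpf load per-user nat/rdr rules if any exist.
nat on $ext_if from { sk0:network, $vpn_net } to any -> ($ext_if)
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"

# Filter rules: the last matching rule wins, so the blanket block comes
# first and the narrow passes follow it.
block in log on $wlan_if
# DHCP and DNS so an unauthenticated station can get an address and
# resolve the gateway; ssh is what authpf rides on (the user's login shell
# is /usr/sbin/authpf).
pass in on $wlan_if proto udp to port { bootps, bootpc }
pass in on $wlan_if proto udp to ($wlan_if:0) port domain
pass in on $wlan_if proto tcp to ($wlan_if:0) port ssh
# Per-user rules from /etc/authpf/authpf.rules land in this anchor while
# the user's ssh session stays open.
anchor "authpf/*"
# Only stations whose user has authenticated may reach the OpenVPN port.
pass in on $wlan_if proto udp from <authpf_users> to ($wlan_if:0) port 1194
# Inside the tunnel, tun0 is treated like the wired LAN.
pass in on $client_if proto udp to port $udp_client_ports
pass in on $client_if proto tcp to port $tcp_client_ports
pass out on $ext_if
```

Two checks worth running before relying on this: `pfctl -nf /etc/pf.conf` parses the file without loading it, which catches ordering mistakes such as a `nat` rule placed after a filter rule, and `/etc/authpf/authpf.conf` must exist (an empty file is enough) or authpf will exit at login. Note that the wireless segment remains open at layer 2 in this design; the pf rules only decide what an unauthenticated station may reach, which is why everything beyond DHCP, DNS and ssh is funnelled through the authenticated VPN.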