On Nov 16, 2007 2:39 PM, Juan Miscaro <[EMAIL PROTECTED]> wrote:
> Hi gang,
>
> So I'm setting up my first wireless network for a small business with
> OpenBSD acting as internet gateway. I am familiar with OpenBSD as
> gateway but not in the wireless context. I picked myself up a card
> that the docs say is supported (Linksys WMP54G) and will be installing
> 4.2 from my CD this evening.
>
> At this point I'm asking myself the obvious question. How do I secure
> my network? I see the authpf is used a lot but is there anything else
> I can do? What of VPN? If so, what implementation?
>
> My client stations will be Ubuntu Linux.
>
> Thank you in advance to any responders,
>
> // juan
I combined authpf with OpenVPN, using some big hints from some easily
google-able places. Even though WEP and WPA aren't supported by
OpenBSD, I still wanted to have authenticated and encrypted traffic.
This might be overkill for some but it works for me.

After setting up the wireless interface to dhcpd a private netblock, I
locked it down with pf:

    block in on $wlan_if
    pass in on $wlan_if proto udp to port { bootps, bootpc }
    pass in on $wlan_if proto udp to ($wlan_if:0) port domain
    pass in on $wlan_if proto tcp to ($wlan_if:0) port ssh

Then I set up authpf to allow authenticated users the ability to
connect to the VPN:

    pass in on $wlan_if proto udp from <authpf_users> to ($wlan_if:0) port 1194

Next I configured OpenVPN in routed mode. It hands out IPs from yet
another private netblock I have permanently attached to lo1.

Finally, I treat the tun0 interface like a semi-trusted wired
interface in pf and apply my standard list of allowable client
applications:

    client_if = "{ sk0, tun0 }"
    pass in on $client_if proto udp to port $udp_client_ports
    pass in on $client_if proto tcp to port $tcp_client_ports

This obviously isn't my full pf.conf, and care must be taken because
the rules are highly dependent on order. My initial setup took nearly
a full day to configure and troubleshoot, since I had to get pf,
authpf, dhcpd, named, and OpenVPN to all cooperate. I found
selectively allowing and denying ICMP to be of great assistance while
testing pf rules, and tcpdump to be essential when I had other services
misconfigured.

Windows and OS X OpenVPN clients are readily available and
configuration is easy if you understood what you were doing when
setting up the OpenVPN server.

Although I feel like I've got a good handle on all the interactions
here, I'm no professional and if there are any gaping holes in this
setup, I am eager to hear about them. I plan to investigate IPSEC in
the near future, which may be an alternative.

--david
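For readers wanting to see how the fragments above fit together in rule order, here is an assembled pf.conf in the OpenBSD 4.2-era syntax. It is an added illustration, not David's actual pf.conf; the interface names, netblocks and client port lists are placeholders, and the <authpf_users> table plus the "authpf/*" anchor are what authpf(8) needs so that it can add a logged-in user's address to the table and load per-user rules.

```pf
# Assembled example, constructed for illustration (not the original poster's file).
ext_if    = "em0"                  # assumed upstream interface
wlan_if   = "ral0"                 # assumed; use the name dmesg(8) gives the card
client_if = "{ sk0, tun0 }"        # wired LAN plus the OpenVPN tunnel
lan_net   = "192.168.1.0/24"       # placeholder: wired LAN netblock on sk0
vpn_net   = "10.8.0.0/24"          # placeholder: netblock OpenVPN hands out on tun0
udp_client_ports = "{ domain, ntp }"
tcp_client_ports = "{ domain, http, https, ssh, smtp, imaps }"

# authpf(8) inserts each authenticated user's address into this table for the
# life of the ssh session and removes it on logout; "persist" keeps the table
# defined while it is empty.
table <authpf_users> persist

set skip on lo

# Only the wired LAN and VPN clients are NATed out; raw wireless clients never
# get past the gateway, so they are deliberately absent here.
nat on $ext_if from { $lan_net, $vpn_net } to any -> ($ext_if)

# Default deny. Without "quick", the last matching rule wins, so every pass
# rule below must come after the block it is meant to override.
block in log all

# Wireless segment: DHCP, DNS and ssh to the gateway itself (ssh is where
# authpf runs as the user's login shell); nothing is forwarded.
block in on $wlan_if
pass in on $wlan_if proto udp to port { bootps, bootpc }
pass in on $wlan_if proto udp to ($wlan_if:0) port domain
pass in on $wlan_if proto tcp to ($wlan_if:0) port ssh

# Per-user rules from /etc/authpf/authpf.rules are loaded into these anchors.
anchor "authpf/*"

# Only users currently logged in via authpf may reach the OpenVPN server.
pass in on $wlan_if proto udp from <authpf_users> to ($wlan_if:0) port 1194

# Traffic arriving over the tunnel is treated like the wired LAN.
pass in on $client_if proto udp to port $udp_client_ports
pass in on $client_if proto tcp to port $tcp_client_ports

pass out keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, and remember that forwarding between interfaces also requires net.inet.ip.forwarding=1 in /etc/sysctl.conf.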