Firewall Wizards mailing list archives
Re: VPN over Wireless (Was Re: "802.1x"?)
From: Erick Mechler <emechler () techometer net>
Date: Fri, 20 Dec 2002 13:09:57 -0800
:: I've been interested in setting up a wireless LAN for some time,
:: both office and home, Unix machines only, and since I do not
:: trust the security built into wireless protocols I'm looking at
:: creating multiple VPNs using ssh, at the expense of bandwidth.
::
:: My topologies are basically stars, I'm thinking VPN/DHCP server
:: on a firewall that has one wireless interface and one interface
:: on the copper wire, one RFC1918 class specifically for the "raw"
:: wireless network, and another for the secured network.

In the wireless network that I helped deploy at my last company, we took
this one step further and gave each wireless client their own /30. The
basic setup was thus:

1. Unauthenticated wireless user gets a DHCP address on the
   unauthenticated wireless network (e.g., 10.1.1.2/30) with a default
   route of 10.1.1.1.

2. Firewall rules on the BSD gateway only allow incoming ssh (and, of
   course, DHCP requests/replies).

3. User then launches ssh and does PPP over ssh to the DHCP server, which
   then gives them a new interface on their box, 10.1.2.2/30. This is
   their "authenticated" IP address, traffic from which is allowed to be
   routed through the FreeBSD box. Authentication is taken care of using
   ssh keys.

:: Does anyone here have any comments on/experience with this kind
:: of solution? What bandwidth can one expect?

The solution worked well, even when roaming (all of our wireless access
points were on the same switched network feeding into the "wireless"
interface on the FreeBSD box). There was some latency involved with
tunnelling PPP over ssh, but it was still acceptable for our user base.
Our setup involved a mix of NetBSD, FreeBSD, MacOS X, and Linux clients.

The other thing to note is that for this to work, your gateway system is
going to have a pre-configured interface for every /30 you want to
support. I'm sure there's a finite number of these that you can have, so
depending on the number of users you're supporting, this might not scale.
Cheers - Erick

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
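Editor's added example (not part of Erick's post, and not the configuration his company ran): a small generator for the per-client /30 plumbing the three steps above describe. Everything in it beyond the two addressing examples in the post is an assumption: unauthenticated /30s are carved from 10.1.1.0/24 and authenticated ones from 10.1.2.0/24, the gateway's wireless interface is called wi0, the firewall is ipfw, the PPP implementation is pppd at /usr/sbin/pppd with its links showing up as tun* interfaces, sshd listens on 22, and clients are numbered from 0. It also makes the scaling limit concrete: one /24 holds 64 /30s, so that is the ceiling per address block before you need another range. The ssh-key side is expressed as an authorized_keys line whose command= option forces the key to do nothing but start the server end of the PPP link.

```shell
#!/bin/sh
# Added example, not the original poster's configuration. All names, paths and
# address ranges below are assumptions (see the lead-in), not taken from the post.

UNAUTH_BASE=10.1.1      # "raw" wireless side: one /30 per client (assumed range)
AUTH_BASE=10.1.2        # addresses handed out over the ppp-over-ssh link (assumed)
WIFI_IF=wi0             # assumed name of the gateway's wireless interface
PPP_IF='tun*'           # assumed interface pattern for the ppp links
PPPD=/usr/sbin/pppd     # assumed pppd path on the gateway
MAX_CLIENTS=64          # a /24 holds 2^(30-24) = 64 /30s: the scaling ceiling

# pair_for BASE N -> "gateway client" for the N-th /30 inside BASE.0/24.
# Host .4N is the network address, .4N+1 the gateway, .4N+2 the client,
# .4N+3 the broadcast, exactly as in the post's 10.1.1.1 / 10.1.1.2 example.
pair_for() {
    _n=$2
    if [ "$_n" -lt 0 ] || [ "$_n" -ge "$MAX_CLIENTS" ]; then
        echo "client index $_n outside 0..$((MAX_CLIENTS - 1))" >&2
        return 1
    fi
    echo "$1.$((_n * 4 + 1)) $1.$((_n * 4 + 2))"
}

# gateway_rules COUNT -> ipfw rules for COUNT clients (step 2 of the post):
# on the wireless side only DHCP and ssh to the client's own gateway address
# get in; anything arriving over a ppp link from an authenticated address is
# routed; everything else entering via the wireless interface is dropped.
# Outbound traffic on the wireless side is left unrestricted here.
gateway_rules() {
    _count=$1
    # initial DHCP discover/request: no source address yet, broadcast destination
    echo "ipfw add 100 allow udp from 0.0.0.0 68 to 255.255.255.255 67 in via $WIFI_IF"
    _i=0
    while [ "$_i" -lt "$_count" ]; do
        _u=$(pair_for "$UNAUTH_BASE" "$_i") || return 1
        _a=$(pair_for "$AUTH_BASE" "$_i") || return 1
        _ugw=${_u% *}; _ucl=${_u#* }; _acl=${_a#* }
        _r=$((1000 + _i * 10))
        echo "ipfw add $_r allow udp from $_ucl to $_ugw 67 in via $WIFI_IF"           # DHCP renew
        echo "ipfw add $((_r + 1)) allow tcp from $_ucl to $_ugw 22 in via $WIFI_IF"   # ssh only
        echo "ipfw add $((_r + 2)) allow ip from $_acl to any in via $PPP_IF"          # authenticated
        _i=$((_i + 1))
    done
    echo "ipfw add 65000 deny ip from any to any in via $WIFI_IF"
}

# authorized_keys_line N PUBKEY -> the server-side key entry for client N
# (step 3 of the post). The forced command starts pppd on the ssh channel
# (notty: use stdin/stdout) and assigns gateway:client addresses from the
# authenticated /30; noauth because ssh already authenticated the key.
# The client end would run, for example:
#   pppd noauth nodetach pty "ssh -T wireless@10.1.1.1"
authorized_keys_line() {
    _a=$(pair_for "$AUTH_BASE" "$1") || return 1
    _gw=${_a% *}; _cl=${_a#* }
    printf 'command="%s notty noauth %s:%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$PPPD" "$_gw" "$_cl" "$2"
}

# Print a complete configuration for three clients when run directly
# with "demo" as the argument, e.g.: sh gen.sh demo
if [ "${1:-}" = demo ]; then
    gateway_rules 3
    authorized_keys_line 0 "ssh-rsa AAAAB3NzaC1yc2E... client0"   # constructed key text
fi
```

The ceiling is only per /24: once a 65th client appears pair_for refuses rather than silently wrapping into the next block, which is the failure mode you want to see in a provisioning script rather than two clients sharing a /30.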
Current thread:
- "802.1x"? Mikael Olsson (Dec 14)
- Re: "802.1x"? CTA (Dec 15)
- RE: "802.1x"? Dawes, Rogan (ZA - Johannesburg) (Dec 17)
- Re: "802.1x"? Gary Flynn (Dec 17)
- Re: "802.1x"? R. DuFresne (Dec 19)
- VPN over Wireless (Was Re: "802.1x"?) Lorens Kockum (Dec 20)
- Re: VPN over Wireless (Was Re: "802.1x"?) Erick Mechler (Dec 20)
- Re: VPN over Wireless (Was Re: "802.1x"?) Mikael Olsson (Dec 21)
- Re: VPN over Wireless (Was Re: "802.1x"?) Kevin Steves (Dec 22)
- Re: VPN over Wireless (Was Re: "802.1x"?) Erick Mechler (Dec 23)
- Re: "802.1x"? Gary Flynn (Dec 17)