Firewall Wizards mailing list archives

Re: VPN over Wireless (Was Re: "802.1x"?)


From: Erick Mechler <emechler () techometer net>
Date: Fri, 20 Dec 2002 13:09:57 -0800

:: I've been interested in setting up a wireless LAN for some time,
:: both office and home, Unix machines only, and since I do not
:: trust the security built into wireless protocols I'm looking at
:: creating multiple VPNs using ssh, at the expense of bandwidth.
:: 
:: My topologies are basically stars, I'm thinking VPN/DHCP server
:: on a firewall that has one wireless interface and one interface
:: on the copper wire, one RFC1918 class specifically for the "raw"
:: wireless network, and another for the secured network.

In the wireless network that I helped deploy at my last company, we took
this one step further and gave each wireless client their own /30.  The
basic setup was thus:

  1. Unauthenticated wireless user gets a DHCP address on the
     unauthenticated wireless network (e.g., 10.1.1.2/30) with a default
     route of 10.1.1.1.
  2. Firewall rules on the BSD gateway only allow incoming ssh (and, of 
     course, DHCP requests/replies).
  3. User then launches ssh and does PPP over ssh to the DHCP server, which 
     then gives them a new interface on their box, 10.1.2.2/30.  This is 
     their "authenticated" IP address, traffic from which is allowed to be 
     routed through the FreeBSD box.  Authentication is taken care of using 
     ssh keys.

:: Does anyone here have any comments on/experience with this kind
:: of solution? What bandwidth can one expect?

The solution worked well, even when roaming (all of our wireless access
points were on the same switched network feeding into the "wireless"  
interface on the FreeBSD box).  There was some latency involved with
tunnelling PPP over ssh, but it was still acceptable for our user base.  
Our setup involved a mix of NetBSD, FreeBSD, MacOS X, and Linux clients.

The other thing to note is that for this to work, your gateway system is 
going to have a pre-configured interface for every /30 you want to support.  
I'm sure there's a finite number of these that you can have, so depending 
on the number of users you're supporting, this might not scale.

Cheers - Erick
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
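As an added illustration (not from Erick's post or the list), this POSIX shell script works out the per-client /30 plan implied by steps 1 to 3 and prints the FreeBSD ifconfig aliases and ipfw rules for the inbound side of the wireless interface; the interface names wi0 and pppN, the full 10.1.1.0/24 and 10.1.2.0/24 ranges beyond the two addresses the post gives, and the ipfw rule wording are assumptions. It only prints the commands and applies nothing.

```shell
#!/bin/sh
# Constructed example: address plan and gateway rule generator for the
# per-client /30, PPP-over-ssh design in the post. Nothing is applied.
# wi0 (wireless), pppN (per-client PPP link) and the /24 prefixes are assumed.

UNAUTH_NET=10.1.1    # "raw" wireless network, one /30 per client
AUTH_NET=10.1.2      # authenticated network, one /30 per PPP link
WIFI_IF=wi0

# Address in the n-th /30 of a /24: block n spans .4n to .4n+3, the gateway
# takes .4n+1 and the client .4n+2 (client 0 is 10.1.1.2/30 with default
# route 10.1.1.1, as in step 1).
# $1 = /24 prefix, $2 = client index (0..63), $3 = 1 gateway side / 2 client side
addr30() {
    if [ "$2" -lt 0 ] || [ "$2" -gt 63 ]; then
        echo "addr30: only 64 /30 blocks fit in a /24" >&2
        return 1
    fi
    echo "$1.$(( $2 * 4 + $3 ))"
}

# Emit interface aliases and ipfw rules for $1 clients; covers inbound
# traffic on the wireless interface and the PPP links only (steps 2 and 3).
gen_gateway_config() {
    n=0
    while [ "$n" -lt "$1" ]; do
        ugw=$(addr30 "$UNAUTH_NET" "$n" 1); ucl=$(addr30 "$UNAUTH_NET" "$n" 2)
        agw=$(addr30 "$AUTH_NET" "$n" 1);   acl=$(addr30 "$AUTH_NET" "$n" 2)
        # One pre-configured /30 on the wireless side per client (the scaling
        # limit the post mentions); the authenticated /30 lives on the PPP link.
        echo "ifconfig $WIFI_IF alias $ugw netmask 255.255.255.252"
        echo "# ppp$n: local $agw remote $acl (assigned by pppd over the ssh session)"
        # Step 2: from the raw network, only ssh to the gateway side of the client's /30
        echo "ipfw add allow tcp from $ucl to $ugw 22 in via $WIFI_IF setup"
        # Step 3: only traffic carrying the authenticated address may be routed on
        echo "ipfw add allow ip from $acl to any in via ppp$n"
        n=$(( n + 1 ))
    done
    # Step 2: DHCP requests carry no usable source address yet, so accept from any
    echo "ipfw add allow udp from any 68 to any 67 in via $WIFI_IF"
    # Anything else arriving from the raw wireless side is dropped
    echo "ipfw add deny ip from any to any in via $WIFI_IF"
}

gen_gateway_config 2   # print the configuration for two clients
```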

