You can use OpenVPN to create a slim, secure tunnel between two subnets. OpenVPN has several key benefits:
does not require kernel patching
uses a single UDP port for all secured communications
uses OpenSSL cryptographic routines
My specific reasons for using OpenVPN were to easily secure the wireless portion of my home LAN. WEP (Wireless Encryption Protocol) is a good start for securing wireless communications, but it's not enough.
The configuration steps listed below are those I used to achieve my goals. They should be easily modified for other situations (most notably subnet-to-subnet connections across the internet).
Comments on this section should be addressed to its maintainer Scott Merrill <smerrill at users.sourceforge.net>.
Download the openvpn.lrp and ifconfig.lrp packages to your boot media and declare them in the syslinux.cfg file.
Download the tun.o module into the /lib/modules Bering directory. Be sure to download it from the directory corresponding to the version you are using!
Declare the tun.o module in /etc/modules and back up modules.lrp.
If you use Bering 1.0 or 1.1 you will first need to create the /dev/net/tun device at boot time by adding the following statement to /var/lib/lrpkg/root.dev.mk:
(...)
#Tun device
mknod net/tun c 10 200 >null 2>&1
(...)
Then back up initrd.lrp, reboot and check that the device is now created (ls -la /dev/net/tun).
Create a pre-shared key:
cd /etc/openvpn
openvpn --genkey --secret secret.key
Edit the /etc/openvpn/openvpn.conf file:
# I use the tun device
dev tun
# local = 10.0.0.1
# remote = 10.0.0.2
ifconfig 10.0.0.1 10.0.0.2
# the pre-shared key must reside in /etc/openvpn
secret secret.key
# ping every 15 seconds to keep the tunnel up (probably unnecessary)
ping 15
Read the OpenVPN section of the Shorewall documentation.
Define a new Shorewall Zone:
vpn VPN VPN
Define the VPN policy:
# if they're on the VPN, we can trust them -- can't we?
vpn all ACCEPT
Define the masquerading policy:
# we can't use the interface name here because Shorewall will choke if it's not up yet
eth0 10.0.0.0/24
On the client machine, load the tun.o module:
sudo insmod tun
You may need to make the tun device:
sudo mkdir /dev/net
sudo mknod /dev/net/tun c 10 200
Copy the pre-shared key from LEAF/Bering:
scp root@192.168.1.254:/etc/openvpn/secret.key .
Start OpenVPN:
sudo openvpn --dev tun --ifconfig 10.0.0.2 10.0.0.1 --remote 192.168.1.254 --secret secret.key --daemon
Use the tunnel as the default route:
sudo /sbin/route add default gw 10.0.0.1
Test the tunnel:
ping www.yahoo.com
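Before bringing the tunnel up it is worth checking that the two ends of a static-key setup like the one above actually match, and that the key file cannot be read by other users on the host. The POSIX shell script below is an added example and is not part of the LEAF/Bering documentation; it assumes the client side is also kept in a config file (called client.conf here) instead of being passed on the command line, and that both sides use the dev, ifconfig and secret directives shown above.

```shell
#!/bin/sh
# Added example, not from the LEAF/Bering docs: sanity-check a pair of
# OpenVPN static-key configs before starting the tunnel. In static-key mode
# both ends must use the same dev type and a pre-shared secret, and the
# client's "ifconfig local remote" must be the mirror of the server's.

# conf_value FILE KEY -> prints the arguments of the first KEY line
# (comment lines start with '#', so their first field never matches a key)
conf_value() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_pair SERVER_CONF CLIENT_CONF
# returns 0 when the two sides are consistent, 1 (reason on stderr) otherwise
check_pair() {
    s_conf=$1; c_conf=$2
    s_dev=$(conf_value "$s_conf" dev);    c_dev=$(conf_value "$c_conf" dev)
    s_key=$(conf_value "$s_conf" secret); c_key=$(conf_value "$c_conf" secret)
    set -- $(conf_value "$s_conf" ifconfig); s_local=$1; s_remote=$2
    set -- $(conf_value "$c_conf" ifconfig); c_local=$1; c_remote=$2

    [ -n "$s_dev" ] && [ "$s_dev" = "$c_dev" ] \
        || { echo "dev mismatch: '$s_dev' vs '$c_dev'" >&2; return 1; }
    [ -n "$s_key" ] && [ -n "$c_key" ] \
        || { echo "both sides need a pre-shared 'secret' in static-key mode" >&2; return 1; }
    [ -n "$s_local" ] && [ -n "$s_remote" ] && [ -n "$c_local" ] && [ -n "$c_remote" ] \
        || { echo "missing 'ifconfig local remote' on one side" >&2; return 1; }
    [ "$s_local" = "$c_remote" ] && [ "$s_remote" = "$c_local" ] \
        || { echo "ifconfig not mirrored: server $s_local/$s_remote, client $c_local/$c_remote" >&2; return 1; }
    return 0
}

# key_is_private KEYFILE -> 0 if the key file is readable only by its owner
# (the secret is the whole security of the tunnel: treat it like a password)
key_is_private() {
    [ -f "$1" ] || return 1
    case $(ls -l "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      echo "$1 is readable by group or others; chmod 600 it" >&2; return 1 ;;
    esac
}
```

Run it as "check_pair /etc/openvpn/openvpn.conf client.conf && key_is_private /etc/openvpn/secret.key" on the router after copying the client config over, or on the client with the two files side by side.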