Re: routing over 802.11b?
James Yonan <jim <at> yonan.net>
2003-03-16 07:37:58 GMT
While I haven't personally run OpenVPN over a wireless network, I would expect
it to work on a configuration similar to that of a typical WAN setup with
multiple hosts communicating over the internet; only in this case just treat
the wireless LAN the same way as you would the internet.
Create two private, distinct subnets, one for the wireless LAN and two for the
VPN. Decide if you want all VPN traffic to be routed through a central
server, or peer-to-peer between each host (in the latter case, each host needs
an explicit tunnel to every other host). Firewall off the wireless LAN
interfaces to only allow secure protocols, i.e. openssh, openvpn, etc. Set up
tunnels between the server and all wandering hosts. If you are using OpenVPN
to make the tunnels, use the --ifconfig option to allocate secure IP address
endpoints to each host from the pool of addresses you've set aside for the VPN
subnet (Note the VPN subnet is not a true subnet in the sense that it is
really a just a collection of endpoints used in point-to-point routing). Set
a default routing rule on the wandering hosts to route to the far endpoint of
the VPN link to the server (as in --ifconfig [near-endpoint] [far-endpoint]).
The server will need to be set up to route traffic between interfaces, such
as tun* <-> tun* and tun* <-> eth0 (masquerading as eth0's public IP addr), so
that the wandering hosts have internet access. When it's all working, you
would be able to connect to the web from a wandering host, the connection
would get routed over the secure wireless tunnel to the server, then get
masqueraded out to the net using the public IP address of the server.
Here's a more HOWTO-oriented document:
Bradley Alexander <storm <at> tux.org> said:
> This question is not an issue with openvpn, per se, but related because
> openvpn is my weapon of choice. :)
> I have a network in my home, call it 192.168.0.0/24, with a gateway to
> the internet of .4. I also have two laptops, a Toshiba Tecra 8100 with a
> Cisco wireless card, and a Mac Powerbook G3 with an Airport card. I have
> gotten the two cards talking, now it is a matter of setting up the
> networking piece of the puzzle.
> I decided that since 802.11 has enough security issues to make me very
> uncomfortable with its general use, and since both the Mac and the
> Toshiba (as well as the bulk of the rest of the network) run Linux, I
> would set up an IPtables firewall on each wireless interface (eth1) and
> run openvpn across the ether.
> What I'm looking for is as transparent as possible access for the
> roaming laptop (usually the Mac, since the batteries on the Tecra suck),
> as if it were connected to the wired LAN. Given that the wired LAN is
> 192.168.0.0/24, I made the wireless LAN 192.168.1.0/30. This gives me
> two addresses required for the point-to-point link. I got this far, but
> did not get to the point of setting up the openvpn. I was able to
> "double-hop" to the wired network from the roaming laptop (e.g. ssh to
> the wired lappy, then ssh to, say, the mail server).
> What would be the best way to make it as transparent as possible to get
> the roaming laptop to be able to access both local services (dns, mail,
> etc) as well as being able to get it out to the Net as if it were on the
> wired LAN?
> Bradley M. Alexander |
> Debian Developer, Security Engineer | storm [at] tux.org
> Debian/GNU Linux Developer | storm [at] debian.org
> Key fingerprints:
> DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
> RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
> Only a government that is afraid of it's citizens try to control them.
> This SF.net email is sponsored by:Crypto Challenge is now open!
> Get cracking and register here for some mind boggling fun and
> the chance of winning an Apple iPod:
> Openvpn-users mailing list
> Openvpn-users <at> lists.sourceforge.net
This SF.net email is sponsored by:Crypto Challenge is now open!
Get cracking and register here for some mind boggling fun and
the chance of winning an Apple iPod: