Wlan w/ openvpn, how to block unencrypted traffic [SOLVED]

Post by zen_guerrilla » Wed Jun 08, 2005 6:10 pm

Hello all,
I have a firewall/router that also doubles as a wireless access point using an atheros-based card. I don't use wep, instead I route all wlan traffic through openvpn tunnels.
The firewall has eth0 (192.168.2.254) connected via a switch on my lan, ath0 (10.10.0.1) acting as access point for my wlan, tun0 (192.168.3.1) openvpn server & ppp0 for 'net.
No associated wlan client can access my lan or internet outside of openvpn, however it can access other wlan clients on the 10.10.0.0/24 subnet.
On the firewall I have a drop policy & allow only dhcp/openvpn from ath0.
Is it possible to disallow all connectivity between non-openvpn'd clients using the firewall ?
My lappy runs linux & a minimal number of services that listen only on the openvpn interface so it's ok, however my gf's w2k lappy is wide open & I'd prefer not to run a firewall locally on it (unfortunately installing linux is not an option :)).

TIA,
zen
Last edited by zen_guerrilla on Thu Jun 16, 2005 4:27 pm, edited 1 time in total.
Post by klavrynd » Wed Jun 08, 2005 7:51 pm

if openvpn does ipsec you can only allow packets that have an IPSEC ESP payload, and drop all other normal ip traffic. (i _think_ it's 50 as protocol number)

this allows only encrypted traffic.

the only problem you could have is that ike uses plain ip for setting up, but that should be no problem if you use normal preshared/fixed keys
Post by tutaepaki » Wed Jun 08, 2005 8:54 pm

hmmm, tough problem.

I've never tried this, but it might work.....

Set your DHCP server to supply a mask of 255.255.255.255. This should force all clients to use the default gateway for ALL traffic, thereby routing all the traffic through the firewall.
You might also need to turn off ICMP redirects in the firewall.

While a malicious person could easily set themselves a static IP, and wider netmask, as long as your other machines all have the hostmask set, their return traffic would go to the firewall and be blocked.

if you decide to try this, do let us know if it works :wink:

HTH
tut.
Post by jamapii » Wed Jun 08, 2005 9:06 pm

Code:

for wlif in ath0 eth3; do
    # refuse to route anything between the WLAN interface and the rest of the box
    iptables -A FORWARD -j REJECT -i $wlif
    iptables -A FORWARD -j REJECT -o $wlif
    ip6tables -A FORWARD -j DROP -i $wlif
    ip6tables -A FORWARD -j DROP -o $wlif

    # here insert code to ACCEPT VPN, SSH, ping etc. for the WLAN interface(s)

    # everything else to/from the WLAN interface is refused
    iptables -A INPUT  -j REJECT -i $wlif
    iptables -A OUTPUT -j REJECT -o $wlif
    ip6tables -A INPUT  -j DROP -i $wlif
    ip6tables -A OUTPUT -j DROP -o $wlif
done
Post by zen_guerrilla » Wed Jun 08, 2005 9:23 pm

tutaepaki: interesting suggestion, I'll try it tomorrow & let you guys know about it. Any other suggestions are also welcome till then.

others: I've tried a whole lot of weird iptables rules but couldn't fix it. Thanx anyway.
Post by zen_guerrilla » Thu Jun 16, 2005 4:31 pm

Finally, I found some time to do this :oops:.
tutaepaki's suggestion seems to work. ath0 on server is 10.10.0.1/255.255.255.0 and it gives (through dhcp) netmask 255.255.255.255 on clients.
Now it's time to fix the routing through openvpn for this openbsd server :).

Thanx again
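The netmask trick tutaepaki proposed and zen_guerrilla confirmed above, traced through a small routing-decision model. This is an added illustration, not code from the thread; it assumes the thread's addresses (ath0 gateway 10.10.0.1, clients in 10.10.0.0/24) and that the firewall's FORWARD policy drops any client-to-client packet that reaches it:

```python
import ipaddress

# Addresses from the thread: ath0 on the firewall is 10.10.0.1 and clients
# live in 10.10.0.0/24. Everything below is a model written for this post,
# not an excerpt of anyone's configuration.
GATEWAY = "10.10.0.1"


def next_hop(src_ip: str, src_mask: str, dst_ip: str) -> str:
    """Where a host configured as src_ip/src_mask sends a packet for dst_ip.

    A host only ARPs for (talks directly to) addresses inside its own on-link
    prefix; anything else goes to the default gateway. With a 255.255.255.255
    mask the on-link prefix is the host itself, so every peer is "off-link".
    (Real DHCP clients install a host route for the gateway so it stays reachable.)
    """
    onlink = ipaddress.ip_network(f"{src_ip}/{src_mask}", strict=False)
    return "direct" if ipaddress.ip_address(dst_ip) in onlink else GATEWAY


def firewall_forwards_peer_traffic() -> bool:
    # Assumption from the original post: FORWARD policy is DROP and ath0 only
    # gets DHCP/OpenVPN accepted, so a client-to-client packet that reaches
    # the gateway is never forwarded back out of ath0.
    return False


def peers_can_talk(a_ip: str, a_mask: str, b_ip: str, b_mask: str) -> bool:
    """True only if both the request A->B and the reply B->A avoid the gateway."""
    for hop in (next_hop(a_ip, a_mask, b_ip), next_hop(b_ip, b_mask, a_ip)):
        if hop != "direct" and not firewall_forwards_peer_traffic():
            return False
    return True


if __name__ == "__main__":
    host, wide = "255.255.255.255", "255.255.255.0"
    # Original problem: plain /24 clients reach each other without the VPN.
    print("both /24   :", peers_can_talk("10.10.0.5", wide, "10.10.0.6", wide))
    # Fix from the thread: DHCP hands out /32, so every packet goes to the gateway.
    print("both /32   :", peers_can_talk("10.10.0.5", host, "10.10.0.6", host))
    # Caveat from the thread: a static /24 client can send directly, but the
    # /32 peer's reply still heads for the gateway and is dropped there.
    print("/24 vs /32 :", peers_can_talk("10.10.0.7", wide, "10.10.0.6", host))
```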
Post by bigfunkymo » Thu Jun 16, 2005 6:57 pm

Wouldn't it also be sensible to do something like having a gentoo based router with 3 NICs. eth0 being the external interface, eth1 being connected to a wired-only segment, and eth2 being connected to the access point. Then block all traffic on eth2 except for OpenVPN. Make a bridge between tap0 and eth1. This would make it so that all your VPN hosts would have transparent connectivity to the wired segment and it would make it very easy to block all non-encrypted wireless traffic.
Post by zen_guerrilla » Thu Jun 16, 2005 10:35 pm

bigfunkymo: thanx for the info. My router runs openbsd & it's a pentium/166. Since I read on openvpn's howto that bridged mode doesn't scale well I avoided it.
Now I've set it up in bridging mode and everything works great, even my transparent squid on my gentoo server without much trouble :).
Post by bigfunkymo » Fri Jun 17, 2005 1:27 am

You probably don't have to worry much about scaling if it's only your home access point :P
Post by zen_guerrilla » Fri Jun 17, 2005 9:43 am

bigfunkymo wrote: You probably don't have to worry much about scaling if it's only your home access point :P
You're right. Actually I was worried about the performance & the load avg since it's an old box, but for 2-3 wireless clients it scales just great :).