[nycbug-talk] How secure: wireless + ssh?

George Georgalis george
Mon Dec 26 20:55:04 EST 2005


>On 2005-12-26, Charles Sprickman wrote:
>
>> I wonder if anyone can comment on the overhead that running everything 
>> through a VPN might have?  Specifically when we're talking about older 
>

Hi Charles-
Interesting thread. You may remember my frustrations
with deploying a VPN a while back; we settled on a
Linksys piece of junk which had doggy performance,
before it failed completely.

I was "compelled" to learn and deploy OpenVPN while
people were unable to work. That turned out a good
thing because the software has been rock solid,
running on a 500MHz box with 64Mb RAM, and apparently
outperforms the 2Mb connection it is on.

That aside, a big plus with OpenVPN is it runs in
user space, which is another way of saying
client/server, *BSD, Mac, Windows, some other OS,
it doesn't matter, mix as you please.

So what does this have to do with wireless? ;)
Well, I happened to notice a feature of OpenVPN:

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel.  Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"

While I haven't tried that out yet, I got most of
the rest of the system in place with these design
goals:

1) max security
2) min hardware
3) min public (wifi available) resources
4) ease of operation

So, I happen to have a 4-port NETGEAR wifi device
(rocks over Linksys), a bridging firewall, and
a couple of hosts to run on public IPs behind the
bridge.

ISP---+
      |        ( * )
  bridge fw      |
      |          |
      +-------+-----+
host1 --------+ soho+--WAN---
host2 --------+ wifi|
host3 --------+-----+
  |
private lan


(Looks much better in pencil.) The 3 hosts are connected
to the DMZ side of the firewall via the LAN switch on
the wifi device; they use public address space.

The wifi is then configured to provide DHCP for
192.168.a.0/24, with a WAN IP of 192.168.b.0/24,
gateway 192.168.b.1/24 and DNS of 192.168.b.c/24;
nothing is connected to the WAN port.

host3 has two interfaces, a public IP on the DMZ and
a private LAN address on the other interface. An
alias IP of 192.168.b.c/24 is added to the public
interface, which listens for DNS, ssh and OpenVPN.

So, establish a no-password wifi connection and you
have nearly nothing: HTTP htpasswd from the wifi;
DNS, sshd and openvpnd from host3. Start OpenVPN and
gain an IP in the private LAN and a default route
via the private LAN gateway.

Kinda stinks that I cannot turn off the wifi HTTP
interface to the air (that's not WAN access), but
I can have it email failed passwd attempts to a
procmail recipe to call the police to arrest my
neighbor... kidding.

// George


-- 
George Georgalis, systems architect, administrator <IXOYE><
http://galis.org/ cell:646-331-2027 mailto:george at galis.org
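The redirect-gateway CAVEAT quoted in the post above comes down to longest-prefix matching: once 0.0.0.0/0 points into the tunnel, a DHCP renewal to an off-link DHCP server follows it unless a more specific route for that server exists. The following is an added example, not code from the post or from OpenVPN; it models a client's routing table before and after adding that pinned route. All addresses, prefixes and interface names (203.0.113.0/24, 192.0.2.10, 10.8.0.1, 198.51.100.5, wlan0, tun0) are constructed.

```python
"""Added example, not from the original post: a minimal longest-prefix-match
route lookup that shows the redirect-gateway DHCP caveat. All addresses,
prefixes and interface names below are constructed for illustration."""
import ipaddress
from typing import List, Optional, Tuple

# A route is (destination prefix, next hop or "direct", egress interface).
Route = Tuple[ipaddress.IPv4Network, str, str]

def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Return the egress interface for dst by longest-prefix match,
    which is how the kernel chooses between 0.0.0.0/0 and a /32."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for route in routes:
        net = route[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best[2] if best else None

def client_routes(dhcp_server: str, pin_dhcp: bool) -> List[Route]:
    """Constructed client table after OpenVPN pushed redirect-gateway.
    The wifi client sits on 203.0.113.0/24 with gateway 203.0.113.1; the
    VPN server is 192.0.2.10 and the tunnel peer is 10.8.0.1. The DHCP
    server is off-link (reached via the old default gateway), which is
    the case the OpenVPN comment warns about."""
    routes: List[Route] = [
        (ipaddress.IPv4Network("203.0.113.0/24"), "direct", "wlan0"),
        # redirect-gateway keeps the VPN server reachable via the original gateway
        (ipaddress.IPv4Network("192.0.2.10/32"), "203.0.113.1", "wlan0"),
        # ...and then replaces the default route with one into the tunnel
        (ipaddress.IPv4Network("0.0.0.0/0"), "10.8.0.1", "tun0"),
    ]
    if pin_dhcp:
        # The suggested fix: a route more specific than 0.0.0.0/0 so DHCP
        # renewals to the server keep leaving via the wifi interface.
        routes.append((ipaddress.IPv4Network(f"{dhcp_server}/32"), "203.0.113.1", "wlan0"))
    return routes

def dhcp_renewal_path(dhcp_server: str, pin_dhcp: bool) -> str:
    """Interface a unicast DHCP renewal to dhcp_server would leave on."""
    return lookup(client_routes(dhcp_server, pin_dhcp), dhcp_server) or "unroutable"

if __name__ == "__main__":
    for pinned in (False, True):
        print(f"pin_dhcp={pinned}: renewal goes out {dhcp_renewal_path('198.51.100.5', pinned)}")
    # Other traffic still enters the tunnel; the VPN server's own packets still use the wifi uplink.
    table = client_routes("198.51.100.5", True)
    print("198.18.0.1 ->", lookup(table, "198.18.0.1"), "; 192.0.2.10 ->", lookup(table, "192.0.2.10"))
```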
