Secure Wireless Using Iptables and OpenVPN
This document is a draft of a more complete guide in development.
- V0.09
Iptables and IP Masquerade have become a cornerstone of secure home and small-office Internet sharing while maintaining LAN security. Adding a wireless access point or router to your secure LAN, even when you are using WEP, punches a big hole in your security. WEP and MAC authentication alone are not enough; the solution is the free/open-source OpenVPN.
This guide applies to a hybrid wired and wireless LAN that is connected to the Internet via NAT to one public IP address. What you will need to implement this model is a Linux firewall with three available Ethernet devices.
For this example the wireless device is configured as an access-point (bridge), the client workstation is Windows XP, and the firewall is Redhat Linux.
:1. Set up your Linux IPTables firewall with proper packet filtering using IP-Masquerade.
In our example the Internet device is eth0 and the secure LAN is on eth1. Configuration of your basic IP Tables firewall and the necessary packages / modules is not covered here.
:2. Connect your wireless access-point (wireless bridge) to the third Ethernet port on the firewall, which will be eth2 for our example. If you have only a wireless router it can be used as a 'bridge' if it has a built-in hub.
:3. Now you will need to obtain and install OpenVPN and other necessary packages to set up your secure VPN.
For RH9 I used
lzo-1.08-4.0.rh9.rf.i386.rpm
to install lzo. The version of OpenVPN used when creating this document was installed from
openvpn-2.0-0.rc20.1.0.rh9.test.i386.rpm1
When installing OpenVPN from the rpm package, the necessary init script will be placed in /etc/init.d for automated service startup.
The intention here is to use an Ethernet bridge, requiring Bridge Utilities
bridge-utils-0.9.3-8.i386.rpm
:4. Set up a VPN tunnel from the LAN network (10.10.30.0/24 on eth1) to the wireless network (10.10.31.0/24 on eth2), using an OpenVPN server side bridge.
- New to OpenVPN? This is not a reference guide for learning OpenVPN. Refer to the "OpenVPN 2.0 HOWTO" available from the product web site.
- You will need to generate the necessary certificates and keys before continuing. This process is covered in the "OpenVPN 2.0 HOWTO" and is easily accomplished using the scripts provided in the easy-rsa directory.
In /etc/openvpn create the file server.conf and use the following:
# openvpn --config /etc/openvpn/server.conf
local 10.10.31.1
port 1194
proto udp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.10.30.4 255.255.255.0 10.10.30.201 10.10.30.254
push "route-gateway 10.10.30.1"
push "redirect-gateway local"
push "dhcp-option DNS 64.21.192.5"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Now create a 'bridge-start' script in /etc/openvpn; the following is provided as a working example:
#!/bin/bash
# Set up Ethernet bridge on Linux
br="br0"
tap="tap0"
eth="eth1"
eth_ip="10.10.30.1"
eth_netmask="255.255.255.0"
eth_broadcast="10.10.30.255"

# Create a persistent tap device for each name in $tap
for t in $tap; do
    openvpn --mktun --dev $t
done

# Create the bridge and add the LAN interface and the tap device(s) to it
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
    brctl addif $br $t
done

# Bring up the member interfaces without addresses, in promiscuous mode
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up

# The LAN address now lives on the bridge interface
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
:5. The Ethernet bridge can be established manually by running the script, which creates a persistent tap0 interface and bridges it with eth1, our LAN interface:
'. /etc/openvpn/bridge-start'
:6. Modify your IP-Tables:
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
References to eth1 in your IP Tables firewall will now have to be changed to reference br0. The interface has been bridged; therefore all properties of that interface, including its IP address, now belong to the bridge interface.
!Note: For maximum security do not route packets from the Internet interface directly to the wireless interface in your IP Tables rules. We will control all traffic through the VPN so that rogue clients who associate with the wireless network cannot reach anything.
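The following is an added example, not part of the original guide, showing one way to write the complete iptables policy for this layout: the wireless segment on eth2 may only reach the OpenVPN listener on the firewall, while all LAN and Internet access happens through the tunnel via tap0/br0. Interface names and addresses follow the guide; the default-DROP policies, the state-tracking rules, the NAT rule and the DHCP allowance are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not from the original guide). Interface names and the
# OpenVPN address/port come from the guide; the rest is an assumption.
WAN="eth0"; WLAN="eth2"; BR="br0"; TAP="tap0"
VPN_IP="10.10.31.1"; VPN_PORT="1194"

# Print the rule set instead of applying it, so it can be reviewed first.
# Each non-comment line is one iptables argument list.
wireless_rules() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Wireless side: only the OpenVPN handshake may reach the firewall itself.
-A INPUT -i $WLAN -d $VPN_IP -p udp --dport $VPN_PORT -j ACCEPT
# Assumption: the firewall hands out 10.10.31.x leases; remove this line
# if the access point runs its own DHCP server.
-A INPUT -i $WLAN -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $WLAN -j DROP
# Never forward raw (un-tunnelled) wireless traffic to the LAN or Internet.
-A FORWARD -i $WLAN -j DROP
-A FORWARD -o $WLAN -j DROP
# Tunnel and LAN traffic arrive on tap0/br0 (eth1 is now a bridge member).
-A INPUT -i $TAP -j ACCEPT
-A INPUT -i $BR -j ACCEPT
-A FORWARD -i $BR -o $WAN -j ACCEPT
-t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Count the ACCEPT rules that match traffic entering on the wireless
# interface; only the two narrow allowances above should be present.
wlan_accept_count() {
    wireless_rules | grep -c -- "-i $WLAN .*-j ACCEPT"
}

# Apply the rules (requires root); comment lines are skipped.
apply_rules() {
    wireless_rules | grep -v '^#' | while read -r line; do
        # shellcheck disable=SC2086
        iptables $line
    done
}

if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Run the script with no arguments to print the rules for review, or with `apply` as root to load them.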
:7. The OpenVPN client installation on Windows is very straightforward. However, I was unable to pass the default gateway route from the server to the client automatically. It is possible to do this, but I have been unsuccessful. As a work-around I simply entered the static route manually into the Windows client via the DOS prompt:
'route add 0.0.0.0 mask 0.0.0.0 10.10.30.1'
My client config resides in C:\Program Files\OpenVPN\config; the following is the client.ovpn configuration successfully used in this example:
client
dev tap0
proto udp
remote 10.10.31.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca C:\\Program\ Files\\OpenVPN\\keys\\ca.crt
cert C:\\Program\ Files\\OpenVPN\\keys\\client1.crt
key C:\\Program\ Files\\OpenVPN\\keys\\client1.key
comp-lzo
verb 3
The configuration can be tested by a right-click and selecting to start OpenVPN with the currently selected configuration file. OpenVPN is also installed as a system service and may be started and stopped from the Microsoft Management Console.
References and Recommended Reading:
- OpenVPN 2.0 HOWTO
- Ethernet Bridging
- Getting secure WLAN by using OpenVPN on a WRT54G under OpenWRT
The last reference I have yet to go through thoroughly, but it seems to accomplish a similar task to what we have explored here. Plus, it takes advantage of a project which allows you to run a Linux configuration on your Linksys wireless router.
- Saturday, April 09, 2005