Secure Wireless Using Iptables and OpenVPN

From Free Knowledge Base- The DUCK Project: information for everyone
Revision as of 18:40, 25 June 2007 by Admin (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

This document is a draft of a more complete guide in development.

V0.09

Iptables and Ipmasquerade has become a cornerstone of secure home and small office Internet sharing while maintaining LAN security. Adding a wireless access-point or router to your secure LAN, even though you are using WEP, will punch a big hole in your security. WEP and MAC authentication alone are not enough; the solution is with the free/open source OpenVPN.

This guide applies to a hybrid wired and wireless LAN that is connected to the Internet via NAT to one public IP address. What you will need to implement this model is a Linux firewall with three available Ethernet devices.

For this example the wireless device is configured as an access-point (bridge), the client workstation is Windows XP, and the firewall is Redhat Linux.

:1. Set up your Linux IPTables firewall with proper packet filtering using IP-Masquerade.

In our example the Internet device is eth0 and the secure LAN is on eth1. Configuration of your basic IP Tables firewall and the necessary packages / modules is not covered here.


:2. Connect your wireless access-point (wireless bridge) to the third Ethernet port on the firewall, which will be eth2 for our example. If you have only a wireless router it can be used as a 'bridge' if it has a built-in hub.


:3. Now you will need to obtain and install OpenVPN and other necessary packages to set up your secure VPN.

For RH9 I used

lzo-1.08-4.0.rh9.rf.i386.rpm 

to install lzo. The version of OpenVPN used when creating this document was installed from

openvpn-2.0-0.rc20.1.0.rh9.test.i386.rpm1

When installing OpenVPN from the rpm package, the necessary init script will be placed in /etc/initd for automated service startup.

The intention here is to use an Ethernet bridge, requiring Bridge Utilities

bridge-utils-0.9.3-8.i386.rpm

:4. Set up a VPN tunnel from the LAN network (10.10.30.0/24 on eth1) to the wireless network (10.10.31.0/24 on eth2), using an OpenVPN server side bridge.

  • New to OpenVPN? This is not a reference guide to discover OpenVPN. It is suggested that you refer to the "Open VPN 2.0 HOWTO" available from the product web site.
  • It will be necessary to generate the necessary certificates and keys prior to continuing. This process is covered in "Open VPN 2.0 HOWTO" and is easily accomplished using the provided scripts in the easy-rsa directory.

In /etc/openvpn create the file server.conf and use the following:

# openvpn --config /etc/openvpn/server.conf
local 10.10.31.1
port 1194
proto udp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.10.30.4 255.255.255.0 10.10.30.201 10.10.30.254
push "route-gateway 10.10.30.1"
push "redirect-gateway local"
push "dhcp-option DNS 64.21.192.5"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Now you will want to create a 'bridge-start' script in /etc/openvpn, the following is provided as a working example:

#!/bin/bash
# Set up Ethernet bridge on Linux
br="br0"
tap="tap0"
eth="eth1"
eth_ip="10.10.30.1"
eth_netmask="255.255.255.0"
eth_broadcast="10.10.30.255"
for t in $tap; do
    openvpn --mktun --dev $t
done
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
    brctl addif $br $t
done
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

:5. The Ethernet bridge can be established manually to create a persistent tap0 interface and bridge it with eth1, our LAN interface.

'. /etc/openvpn/bridge-start'

:6. Modify your IP-Tables:

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

References formerly to eth1 in your IP Tables firewall will now have to be changed to reference br0. The interface has been bridged therefore all properties of that interface including IP address now belong to the bridged interface.

!Note: For maximum security do not route packages from the Internet interface directly to the wireless interface in your IP Tables rules. We will control all traffic through the VPN to prevent rogue clients access the wireless from getting to anything.


:7. The Open-VPN client installation on Windows is very straightforward. However, I was unable to pass the default gateway route from the server to the client automatically. It is possible to do this, I have been unsuccessful. As a work-around I simply manually entered the static route into the Windows client via the DOS prompt

'route add 0.0.0.0 mask 0.0.0.0 10.10.30.1'

My client config resides in c$\Program Files\OpenVPN\config and is the client.ovpn configuration successfully used in this example:

client
dev tap0
proto udp
remote 10.10.31.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca C:\\Program\ Files\\OpenVPN\\keys\\ca.crt
cert C:\\Program\ Files\\OpenVPN\\keys\\client1.crt
key C:\\Program\ Files\\OpenVPN\\keys\\client1.key
comp-lzo
verb 3

The configuration can be tested by a right-click and selecting to start OpenVPN with the currently selected configuration file. OpenVPN is also installed as a system service and may be started and stopped from the Microsoft Management Console.


References and Recommended Reading:

  • OpenVPN 2.0 HOWTO
http://openvpn.net/howto.html
  • Ethernet Bridging
http://openvpn.net/bridge.html
  • Getting secure WLAN by using OpenVPN on a WRT54G under OpenWRT
http://p3f.gmxhome.de/OpenWRT/Configure-OpenVPN.html

The last reference I have yet to go though thoroughly, but seems to accomplish a similar task as we have explored here. Plus, it takes advantage of a project which allows you to run a linux configuration on your Linksys wireless router.

  • Saturday, April 09, 2005