access from wlan to lan only by openvpn security

Discussion in 'Networking Issues' started by onlineuser, Aug 1, 2007.

  1. onlineuser

    onlineuser LI Guru Member

    Hi,

    Where do I find a tutorial on how to realize this: "access from wlan to lan only by openvpn security"? I have a WRT54GL router.

    a lot of greetings from Austria.
     
  2. ifican

    ifican Network Guru Member

    So you only want to allow wireless clients to access lan clients through a vpn tunnel?
     
  3. onlineuser

    onlineuser LI Guru Member

    yes, right.

    I would need a step-by-step tutorial. :)
     
  4. ifican

    ifican Network Guru Member

    Well, I can't say all the steps that will be needed off hand. If you want to only allow access by VPN, you will have to set up some form of access restriction and then run a VPN server on each device, or run a VPN server that you can use as a concentrator. If you are simply concerned about encrypting the wireless signal, use WPA and a strong password and you will be fine. Out of curiosity, why only communicate by VPN?
     
  5. onlineuser

    onlineuser LI Guru Member

    OK, on the clients I use OpenVPN GUI. And my WRT54GL I want to configure like a normal access point (disable WAN) and use OpenVPN. OpenVPN should be more secure than WPA or WEP.

    There I have another question. How can I disable the DHCP service on the router?
     
  6. ifican

    ifican Network Guru Member

    You can use the router as an access point by not plugging in the WAN link. DHCP can be disabled by shutting it off in the router (though you will need static IPs or an internal DHCP server at this point). I would say you can do what you want, but that's a lot of overhead. WEP is very insecure and worthless; however, WPA is very secure. And it is arguable as to which is more secure, OpenVPN or WPA. I will say that is going to depend on how either is configured. Just remember any encryption can be broken; it's just how long it takes to get it done.
     
  7. onlineuser

    onlineuser LI Guru Member

    Yes, I have another DHCP server inside my network. But how can I disable the DHCP server on OpenWrt forever!? There is a dhcp_server=1 entry in nvram, but it makes no difference if the value is set to zero.

    Moreover, a VPN connection with 2048 bit encryption is more secure than every type of WPA.

    How can I realize that connections from wlan only come to the lan through the VPN tunnel? How I should configure OpenVPN is clear. But how can I separate the default settings between lan and wlan? How do I set the tunnel between lan and wlan?

    a lot of greetings from Austria.
     
  8. onlineuser

    onlineuser LI Guru Member

    I broke up the bridge between br0 and eth1. Then I added a tap0 device and gave it an IP for testing. Then I added tap0 to the bridge. From the notebook I can connect to eth1 via OpenVPN. But from the laptop I can't ping the tap adapter on the Linksys.

    eth1: 192.168.11.1
    notebook: 192.168.11.2
    openvpn client connects to 192.168.11.1
    tap adapter on notebook has 192.168.22.22
    tap adapter on Linksys has 192.168.22.1

    From the notebook I can't ping 192.168.22.1. But on the Linksys I see that the tap adapter drops a lot of packets, although all firewall rules are disabled!

    bridge name     bridge id               STP enabled     interfaces
    br0             8000.xxxxxxxxxxxxxx       no                  vlan0
                                                                  tap0

    What's the problem/solution? :)
     
  9. ifican

    ifican Network Guru Member

    Yes, 2048 is more secure, but WPA has yet to be broken, and until it is, it's no worry for me. As I was saying before, 2048 can still be broken; there is no form of encryption that cannot be broken. What makes it worthwhile is that it takes too long to try, so no one tries. Now back to your ping issue: do you have a subnet mask big enough to encompass both the 192.168.11.0 and 22.0 networks?
     
  10. onlineuser

    onlineuser LI Guru Member

    Yes, I have.

    The strange thing is that when no OpenVPN connection is available I can ping 192.168.22.1, but if OpenVPN is connected I can't ping 192.168.22.1 any longer. Maybe it's some bridging problem!?

    But ifconfig shows on the tap0 adapter that a lot of packets were dropped.
     
  11. ifican

    ifican Network Guru Member

    Did you create a bridge between tap0 and the ethernet the laptop is on?
     
  12. onlineuser

    onlineuser LI Guru Member

    The laptop comes over eth1 (wireless). First I deleted the bridge from eth1 to br0, and then I added the tap0 bridge to eth0.

    Here is my brctl show info:

    bridge name     bridge id               STP enabled     interfaces
    br0             8000.xxxxxxxxxxxxxx       no              vlan0
                                                              tap0

    I think this is OK, isn't it?

    tap0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
              inet addr:192.168.22.1  Bcast:192.168.22.255  Mask:255.255.255.0
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:940 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:(0.0 B)  TX bytes:(0.0 B)

    Do you have any more ideas to solve my little problem?
     
  13. onlineuser

    onlineuser LI Guru Member

    Anyone have an idea?

    OK, solved! :)
     
  14. ifican

    ifican Network Guru Member

    Good, but what was it, so others who might have the same issue have a point of reference?
     
  15. onlineuser

    onlineuser LI Guru Member

    It was a forwarding problem blocked by iptables. Now it runs like it should. WLAN clients only see eth1 and get an IP address from the Linksys DHCP server. Then the OpenVPN connection is made, and then over the Ethernet bridge the tap0 adapter has access to the other LAN. And the client's tap adapter gets its IP from the DHCP server inside the LAN. Moreover, I set the LED to white when any VPN connection is connected, and it's orange when anyone tries to log on.

    Now it's very secure. :)
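The layout described in this last post, written up as an added example (it is not the poster's own script): eth1 leaves br0, tap0 joins br0, and iptables lets wireless clients reach the router only for DHCP and OpenVPN, so the only way into the LAN is through the bridged tunnel. It assumes OpenVPN listens on UDP 1194 and that bridged frames traverse the FORWARD chain (bridge-nf), which is what the "forwarding problem" in the thread points to.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names and the wireless
# address follow the posts above; the OpenVPN port is an assumption.
WLAN_IF=${WLAN_IF:-eth1}          # wireless segment, kept out of the LAN bridge
LAN_BR=${LAN_BR:-br0}             # LAN bridge (vlan0 + tap0)
TAP_IF=${TAP_IF:-tap0}            # OpenVPN tap device
WLAN_IP=${WLAN_IP:-192.168.11.1}  # address the OpenVPN clients connect to
VPN_PORT=${VPN_PORT:-1194}        # assumed OpenVPN listen port
DRY_RUN=${DRY_RUN:-1}             # 1 = print commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Detach the wireless interface from the LAN bridge and attach the VPN tap,
# so wireless clients see only eth1 and the tunnel endpoint lands inside br0.
setup_bridge() {
    run brctl delif "$LAN_BR" "$WLAN_IF"
    run ifconfig "$WLAN_IF" "$WLAN_IP" netmask 255.255.255.0 up
    run brctl addif "$LAN_BR" "$TAP_IF"
}

# Wireless clients may talk to the router only for DHCP and OpenVPN; nothing
# is routed from eth1 into the LAN, while frames bridged in via tap0 pass.
setup_firewall() {
    run iptables -N wlan_in
    run iptables -A wlan_in -p udp --dport 67 -j ACCEPT
    run iptables -A wlan_in -p udp --dport "$VPN_PORT" -j ACCEPT
    run iptables -A wlan_in -j DROP
    run iptables -I INPUT 1 -i "$WLAN_IF" -j wlan_in
    run iptables -I FORWARD 1 -i "$WLAN_IF" -j DROP
    run iptables -I FORWARD 2 -i "$LAN_BR" -o "$LAN_BR" -j ACCEPT
}
```

Run with DRY_RUN=1 first to review the generated commands; with DRY_RUN=0 they are executed on the router.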
     