OK, I've been thinking about wireless security when traveling. Many hotels, businesses and convention centers offer wireless connections, but I've been wondering why you can't/how to configure a small router/firewall (like the following links) to work in reverse, i.e. to use the wireless connection of the router to connect to the public wireless, and then serve wired clients (laptops). This would result in an additional layer of security (a second NAT layer, for example).
Is this logical? Possible?
I've set up a number of homebrew firewalls using IPCop and Smoothwall, and with those you can choose the NIC (interface) you want to use for inside and outside, so I think that part could be done (especially using a WRT54G or similar). I guess the trick would be in passing login authentication to the public wireless controller for initial login. Suppose that could be passed through to a client browser?
Greg Lawson
Rolling Hills Consolidated Library
1912 N. Belt Highway
St. Joseph, MO 64506
If it's for personal use I would recommend setting up a Linux server at
home with SSH installed and use dynamic port forwarding for your entire
web browsing when using public access points. Your web traffic is
encrypted and much more secure this way, not to mention it's dirt easy to
set up. I've used this technique for a couple years now.
Jared Rudy
UNIX Administrator
St. Francis Health Center
1700 SW 7th
Topeka, KS 66606
785-295-7942
________________________________
From: kulua-l@googlegroups.com [mailto:kulua-l@googlegroups.com] On
Behalf Of glawson
Sent: Tuesday, November 03, 2009 8:42 AM
To: kulua-l@googlegroups.com
Subject: [KULUA] Public Wireless Access
[ ... ]
This sounds like a lot of trouble; wouldn't it be simpler to set up an
openvpn server at home or work and just tunnel your traffic through
that? That's what I typically do when I travel. Is there a reason you
want to do it this way?
On Tue, Nov 3, 2009 at 8:42 AM, glawson <glaw...@rhcl.org> wrote:
> [ ... ]
I've also done the openvpn tunnel server. The openvpn setup is much
more technical than setting up an ssh tunnel and not nearly as fast. Not
to mention with ssh you can use compression which can actually further
speed up browsing when using a wireless network with poor connection.
Jared Rudy
UNIX Administrator
St. Francis Health Center
1700 SW 7th
Topeka, KS 66606
785-295-7942
-----Original Message-----
From: kulua-l@googlegroups.com [mailto:kulua-l@googlegroups.com] On
Behalf Of Marshal Graham
Sent: Tuesday, November 03, 2009 8:54 AM
To: kulua-l@googlegroups.com
Subject: [KULUA] Re: Public Wireless Access
[ ... ]
I second the SOCKS proxy setup. I would also suggest that you change your SSH Server port to listen on 443 (some places block anything outbound except 80/443).
On Tue, Nov 3, 2009 at 8:46 AM, Rudy, Jared <Jared.R...@sftks.net> wrote:
> [ ... ]
Oh yeah, I forgot to mention that. You can also just set your home router to listen on port 443 and then forward to the correct computer on port 22. That way you can keep your internal computer's default ssh setup.
Jared Rudy
UNIX Administrator
St. Francis Health Center
1700 SW 7th
Topeka, KS 66606
785-295-7942
-----Original Message-----
From: kulua-l@googlegroups.com [mailto:kulua-l@googlegroups.com] On Behalf Of djgoku
Sent: Tuesday, November 03, 2009 9:49 AM
To: kulua-l@googlegroups.com
Subject: [KULUA] Re: Public Wireless Access
I second the SOCKS proxy setup. I would also suggest that you change
your SSH Server port to listen on 443 (some places block anything
outbound except 80/443).
Jonathan
On Tue, Nov 3, 2009 at 8:46 AM, Rudy, Jared <Jared.R...@sftks.net> wrote:
> [ ... ]
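Putting the advice from Jared and Jonathan above together (ssh dynamic port forwarding with compression, sshd reachable on 443, or the home router forwarding 443 to 22), here is an added example script; it is not code from the thread or from any of its authors. The host name, account and ports are placeholders, and the server-side lines appear as comments because they belong on the home box, not in the script. It also carries the one check the thread does not mention: confirm the proxy is actually listening before pointing a browser at it, and send DNS lookups through the tunnel too, or the hotel still sees every host name you visit.

```shell
#!/bin/sh
# Added example, not from the thread: bring up an SSH SOCKS proxy to a home
# box for browsing from hotel wireless, and verify it before trusting it.
# HOME_HOST, HOME_USER and the ports are placeholders (assumptions).

HOME_HOST="${HOME_HOST:-home.example.org}"   # assumed: public name of the home box or router
HOME_USER="${HOME_USER:-greg}"               # assumed: account on the home box
SSH_PORT="${SSH_PORT:-443}"                  # 443 survives "outbound 80/443 only" hotel filters
SOCKS_BIND="${SOCKS_BIND:-127.0.0.1:1080}"   # loopback only; never offer SOCKS to the hotel LAN

# Server side, either way discussed in the thread (comments only):
#   sshd_config on the home box:       Port 22
#                                      Port 443     (sshd accepts several Port lines)
#   or a NAT rule on the home router:  WAN tcp/443 -> <home box>:22

# Client command line:
#   -D  dynamic (SOCKS4/5) forward      -C  compression, helps on a poor hotel link
#   -N  no remote command               -f  background after authentication
#   ExitOnForwardFailure=yes  ssh exits non-zero if the SOCKS port is already taken,
#                             instead of staying up with no proxy
#   ServerAliveInterval=30    notice a dead hotel link instead of hanging forever
build_ssh_cmd() {
    printf 'ssh -f -N -C -D %s -p %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 %s@%s' \
        "$SOCKS_BIND" "$SSH_PORT" "$HOME_USER" "$HOME_HOST"
}

# Port half of host:port, used by the listener check.
socks_port() {
    printf '%s' "${1##*:}"
}

# Is anything listening on the SOCKS port? (ss from iproute2: -l listening, -t tcp, -n numeric)
socks_listening() {
    ss -ltn 2>/dev/null | grep -q "[:.]$(socks_port "$SOCKS_BIND")[[:space:]]"
}

# curl proxy argument that also sends name resolution through the tunnel.
# "socks5://" resolves names on the hotel network (the DNS leak Firefox closes with
# network.proxy.socks_remote_dns=true); "socks5h://" lets the SSH end resolve them.
curl_proxy_args() {
    printf -- '--proxy socks5h://%s' "$SOCKS_BIND"
}

case "${1:-}" in
    start)
        $(build_ssh_cmd) || { echo "ssh failed; the proxy is NOT up" >&2; exit 1; }
        socks_listening  || { echo "nothing listening on $SOCKS_BIND" >&2; exit 1; }
        echo "SOCKS proxy up on $SOCKS_BIND"
        echo "smoke test: curl $(curl_proxy_args) https://$HOME_HOST/"
        ;;
    check)
        socks_listening && echo "proxy listening on $SOCKS_BIND"
        ;;
esac
```

Run it as `sh travel-proxy.sh start` once on the hotel network, then point the browser at SOCKS host 127.0.0.1 port 1080 with remote DNS enabled. The smoke test only proves the tunnel carries HTTP; the egress address seen by web sites will be the home box's, which is the point of the exercise.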
Yes I agree, openvpn does give you a performance hit. One of the big
benefits of openvpn is cross-platform support. You can also get the
server on most of the opensource router projects like DD-WRT. If it's
just for personal use, then you are right, ssh is probably the better
way to go. If you are going to have your employees or family use it,
you might want to look at openvpn.
On Tue, Nov 3, 2009 at 8:58 AM, Rudy, Jared <Jared.R...@sftks.net> wrote:
> [ ... ]
You know, if you guys are *that* worried about people sniffing your traffic, don't surf for bestiality pr0n in public.
No one's really going to care about what you're surfing on. Encrypt the stuff that's important (use IMAPS, HTTPS when you're sending your cc #, etc), and other than that, remember they're *NOT* out to get you...
Cheers,
Dario
--
************************************************************
Dario Landazuri Triangle Fraternity Minn97Ok
da...@landazuri.net http://www.landazuri.net
************************************************************
"When you pull a guy's helmet off and hit him with it, you
don't call him for a face mask. That's incidental."
-Brett Gilland
----- Original Message -----
From: "glawson" <glaw...@rhcl.org>
To: kulua-l@googlegroups.com
Sent: Tuesday, November 3, 2009 8:42:16 AM GMT -06:00 US/Canada Central
Subject: [KULUA] Public Wireless Access
[ ... ]
Possible and logical -- it would work, but forget the security benefits.
Using a wired access point to serve non-wireless clients would work just
fine. The security benefits from that don't have much weight in the setting
you have described. It is my opinion that the kind of person who would want
and know how to target your hosts over the local network would be more
likely to just sniff your wireless traffic to get what they want. That is
why everyone is recommending the use of encrypted tunneling on each host.
Also, it would be cool to have a capable router that would take care of the
tunneling without any client configuration.
> ----- Original Message -----
> From: "glawson" <glaw...@rhcl.org>
> To: kulua-l@googlegroups.com
> Sent: Tuesday, November 3, 2009 8:42:16 AM GMT -06:00 US/Canada Central
> Subject: [KULUA] Public Wireless Access
> [ ... ]
On Nov 3, 9:53 am, Marshal Graham <marshal.gra...@gmail.com> wrote:
> [ ... ]
Not to derail the topic here, but what is the basis for the comments
on openvpn's performance? I've worked with OpenVPN and OpenSSH for
years. There have been times where I've used OpenSSH's tunnel mode
because it's there and I need a temporary solution. Unless something
has changed in the last version or two of OpenSSH, I generally found
it to actually be a slower tunnel. OpenVPN will do compression if you
want it to. /shrug
I like the OpenVPN solution because of the things that it takes care
of on the routing (and access/firewall stuff if you want to put in the
scriptage). Once you get past the TLS management hump (really: check
out the easy-rsa scripts that are part of the OpenVPN source), I've
found it to be a fabulous solution for when one finds oneself roaming
about.
What neither option is good for is forwarding your entire connection
through (making your VPN end-point your default gateway) unless you've
got some serious up-stream bandwidth on the server side. If you're
using a typical cable or even low-end DSL connection, you're neutering
your connection down to little-better than dialup anyway, so you might
as well just sign up for a Net-Zero account and have done.
Blah blah blah.
Anyway, in answer to the OP's actual question, what you are asking is
indeed possible. What I would suggest you do is check out the
wireless router models that are supported by DD-WRT or some other
OpenWRT derived linux distribution. They are all but legion and
extremely cheap. There were some politics going on in the DD-WRT
community in regards to someone trying to "adjust" its licensing to
make it slightly less open source or slightly more friendly to the
authors selling it in some context or something (dunno... ask Google,
it knows everything, right?) but it is (or was at the time) a pretty
neat replacement firmware for the WRT54 routers (and compatibles) with
a well-written interface and some pretty cool features.
The OpenWRT distro literally just gives you linux and hooks into the
router's hardware. You can probably pick up a WRT54 compatible device
for under $80, so if you were so inclined, buy 2. It's always fun to
have yet-another-device that has a bare-bones Linux distro
installed :)
I didn't get the idea from the original question that the concern was
line security--more along the lines of being able to drop multiple
systems on the ethernet of the wireless router and having a black-box
firewall/nat type thing where you wouldn't have to worry about the old
Windows 95 laptop exploding in your face when it touches a public
network :)
-S
On Nov 3, 9:57 am, Dario Landazuri <da...@landazuri.net> wrote:
> [ ... ]
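For the OP's actual question, a concrete form of what -S suggests, written for a WRT54G-class box running OpenWrt (UCI commands rather than DD-WRT's web UI): the radio joins the hotel network as a client, that link becomes the NATed WAN, and the wired ports remain the LAN. This is an added example, not from the thread; the SSID, key and the `wwan`/`radio0` names are assumptions, and the check function is exercised on a constructed `uci show` sample. On Greg's login question: the hotel's captive portal intercepts the first HTTP request coming from the router's address, the redirect lands in whichever wired client's browser made it, and once that client logs in the portal has authorized the router's MAC/IP, so the other wired clients ride the same session.

```shell
#!/bin/sh
# Added example, not from the thread: OpenWrt UCI recipe for a WRT54G-class
# travel router. The radio joins the hotel network as a client ("sta"), that
# link becomes a NATed WAN interface, and the wired ports stay the LAN.
# HOTEL_SSID/HOTEL_KEY and the wwan/radio0 names are assumptions for the example.

HOTEL_SSID="${HOTEL_SSID:-HotelGuest}"   # assumed: SSID of the public network
HOTEL_KEY="${HOTEL_KEY:-}"               # empty = open network, the usual captive-portal setup

# Print the UCI commands so they can be reviewed; "apply" pipes them into sh on the box.
travel_router_cmds() {
    enc=none
    [ -n "$HOTEL_KEY" ] && enc=psk2
    cat <<EOF
uci set network.wwan=interface
uci set network.wwan.proto='dhcp'
uci set wireless.radio0.disabled='0'
uci set wireless.@wifi-iface[0].mode='sta'
uci set wireless.@wifi-iface[0].network='wwan'
uci set wireless.@wifi-iface[0].ssid='$HOTEL_SSID'
uci set wireless.@wifi-iface[0].encryption='$enc'
EOF
    [ -n "$HOTEL_KEY" ] && printf "uci set wireless.@wifi-iface[0].key='%s'\n" "$HOTEL_KEY"
    # @zone[1] is the stock "wan" zone: masq=1, input/forward REJECT. Adding wwan to it
    # is what gives the wired clients their second NAT layer and keeps the hotel side
    # from reaching them.
    cat <<'EOF'
uci add_list firewall.@zone[1].network='wwan'
uci commit
/etc/init.d/network restart
/etc/init.d/firewall restart
EOF
}

# Check `uci show firewall.@zone[1]` output: the zone must be the wan zone, must
# masquerade, must reject unsolicited input, and must contain the wwan interface.
wan_zone_ok() {
    z="$1"
    printf '%s\n' "$z" | grep -q "^firewall\.@zone\[1\]\.name='wan'"      || return 1
    printf '%s\n' "$z" | grep -q "^firewall\.@zone\[1\]\.masq='1'"        || return 1
    printf '%s\n' "$z" | grep -q "^firewall\.@zone\[1\]\.input='REJECT'"  || return 1
    printf '%s\n' "$z" | grep "^firewall\.@zone\[1\]\.network=" | grep -q "'wwan'"
}

# Constructed sample of what `uci show firewall.@zone[1]` prints after the recipe
# above; used so the check can be exercised without a router at hand.
SAMPLE_WAN_ZONE="firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6' 'wwan'"

case "${1:-}" in
    show)   travel_router_cmds ;;
    apply)  travel_router_cmds | sh -e ;;
    check)  wan_zone_ok "$(uci show firewall.@zone[1])" && echo "wwan is in the masquerating wan zone" ;;
esac
```

`sh travel-router.sh show` prints the recipe, `apply` runs it on the router, and `check` confirms the uplink really landed in the rejecting, masquerading zone, which is the whole security benefit of the box: a wired laptop behind it is only reachable from the hotel LAN through a hole you open yourself.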
----- Original Message -----
From: gladiat...@gmail.com
To: "kulua-l" <kulua-l@googlegroups.com>
Sent: Monday, November 9, 2009 10:43:45 AM GMT -06:00 US/Canada Central
Subject: [KULUA] Re: Public Wireless Access
[ ... ]
gladiat...@gmail.com wrote:
> What neither option is good for is forwarding your entire connection
> through (making your VPN end-point your default gateway) unless you've
> got some serious up-stream bandwidth on the server side.
Have you ever gotten this to work? There is one situation where I need to access a web page from the server IP address. Never could get OpenVPN to quite do that. (I never could get it to use the server's DNS either.) I have gotten OpenVPN to work with IMAP quite nicely.
> You can probably pick up a WRT54 compatible device
> for under $80, so if you were so inclined, buy 2. It's always fun to
> have yet-another-device that has a bare-bones Linux distro
> installed :)
I don't think WRT54 supports the 'n' mode...
There are the WRT3xxN units - but I'm not sure they work with openwrt.
What would be very cool is if one could use Debian and have access to the kernel updates..
Whatever you do - don't get the WRT610N (unless you want to buy mine?) .. it overheats, barely works - tech support had me turn off most of its features.. still a dog...
--------------------------------------------------------------------------------
Karl Schmidt                          EMail K...@xtronics.com
Transtronics, Inc.                    WEB http://xtronics.com
3209 West 9th Street                  Ph (785) 841-3089
Lawrence, KS 66049                    FAX (785) 841-0434
When your friends begin to flatter you on how young you look, it's a sure sign you're getting old. -- Mark Twain
I was able to configure openvpn to forward all network traffic including
DNS but I felt the performance hit. In fact my only experience with
openvpn was using it in this way so it would explain why I'm a little
biased against it. I would still recommend ssh tunneling in 95% of the
cases. Only when an application won't work through an ssh proxy should
openvpn be used imo. If you like I can try and find the link I used
that showed how to configure openvpn in this manner.
Cheers,
Jared Rudy
UNIX Administrator
St. Francis Health Center
1700 SW 7th
Topeka, KS 66606
785-295-7942
> [ ... ]
On Nov 9, 1:43 pm, "Rudy, Jared" <Jared.R...@sftks.net> wrote:
> I was able to configure openvpn to forward all network traffic including [...]
Oh. I gotcha. I didn't realize you were talking about an ssh proxy.
I thought you were talking about SSH's VPN mode (SSH-BASED VIRTUAL
PRIVATE NETWORKS is the heading for the VPN mode in ssh(1)).
Indeed if you were only concerned about http/s traffic, that would be
the way to go.
Karl:
The key to forwarding your entire connection is to make sure you're
not stomping on your ethernet device's route to the openvpn server.
This happens when you're relying on a default route to get the server.
The developers may have programmatically addressed this by now, but the
last time I configured this sort of link with openvpn, it required
scriptage to read the default route, drop the default route, set a
static (host) route to the IP address of the vpn server, then execute
openvpn. With the redirect-gateway option, it then sets the remote
end-point as the default route--with the static host route in place,
the actual vpn connection doesn't get interrupted.
Basically, regardless of what sort of vpn software you're using, you
have to do something like that if you want all your traffic to move
over a tunnel. The only real application I've found for doing this
with either openvpn or ssh is when I had a broadcom chip on a laptop
that worked with the ndis-wrapper driver, but wpa was not supported in
any way. I set up a port on my BSD box for the wireless router and
locked it down except for DHCP and an openvpn port. I configured the
AP to bridge its wireless device to the switch ports connected to the
router and made sure to firewall the wireless client device (AP
operating in open mode, ya know) :)
Greg:
You probably are in a bit of a bind with that device if it's causing
trouble even in its default mode! That doth suck. Check out the
Buffalo Wireless devices. Personally, I still have an old WRT54G
version 4 (I think), but I've known some people that have given
glowing reports of both the Buffalo hardware as well as their
customizability.
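The route handling -S describes above, and the DNS question Karl raised earlier (getting the client to use the server's resolver), as an added shell example that is not from the thread. It assumes a Linux laptop with iproute2, a placeholder VPN server address and client config path, and Debian's update-resolv-conf script for the pushed DNS. Current OpenVPN already creates the host route to `remote` by itself when given redirect-gateway; the explicit pin here is the same step written out so it can be reviewed and undone, and the verify step is the check that the tunnel's own packets still leave on the hotel interface while everything else goes through tun.

```shell
#!/bin/sh
# Added example, not from the thread: route everything through an OpenVPN
# tunnel without cutting the tunnel's own path to the server, and verify the
# result. VPN_SERVER, VPN_CONF and the DNS address are placeholders.

VPN_SERVER="${VPN_SERVER:-203.0.113.10}"          # assumed: public address of the OpenVPN server
VPN_CONF="${VPN_CONF:-/etc/openvpn/travel.conf}"  # assumed: client config on the laptop

# Token following a keyword in an iproute2 route line, e.g.
#   field_after via "default via 192.168.1.1 dev wlan0 proto dhcp"  -> 192.168.1.1
field_after() {
    printf '%s\n' "$2" | awk -v k="$1" '{ for (i = 1; i < NF; i++) if ($i == k) { print $(i+1); exit } }'
}

# The pin, as commands to review before running: a /32 to the VPN server via
# the hotel gateway, so a later default-route change cannot strand the tunnel.
# $1 is the first line of `ip route show default`.
pin_route_cmds() {
    gw=$(field_after via "$1")
    dev=$(field_after dev "$1")
    [ -n "$gw" ] && [ -n "$dev" ] || return 1      # no usable default route: refuse, do not guess
    printf 'ip route replace %s/32 via %s dev %s\n' "$VPN_SERVER" "$gw" "$dev"
}

unpin_route_cmds() {
    printf 'ip route del %s/32\n' "$VPN_SERVER"
}

# After the tunnel is up, the VPN server must still be reached on the hotel
# interface while everything else goes out the tun device. $1 and $2 are the
# outputs of `ip route get <VPN_SERVER>` and `ip route get <any other address>`.
split_ok() {
    [ -n "$(field_after dev "$1")" ] && [ "$(field_after dev "$1")" != "$(field_after dev "$2")" ]
}

# What current OpenVPN does by itself with these lines in $VPN_CONF (comments only):
#   remote 203.0.113.10 1194 udp
#   redirect-gateway def1     # host route to `remote` via the old gateway, then
#                             # 0.0.0.0/1 + 128.0.0.0/1 override the default route
#                             # without deleting it, so it survives a crash
#   script-security 2
#   up   /etc/openvpn/update-resolv-conf   # Debian's script: writes the pushed DNS
#   down /etc/openvpn/update-resolv-conf   # servers to resolv.conf, then restores it
# and on the server side:
#   push "redirect-gateway def1"
#   push "dhcp-option DNS 10.8.0.1"        # assumed: resolver reachable through the tunnel

case "${1:-}" in
    pin)     pin_route_cmds "$(ip route show default | head -n 1)" | sh -e ;;
    unpin)   unpin_route_cmds | sh -e ;;
    up)      pin_route_cmds "$(ip route show default | head -n 1)" | sh -e \
             && openvpn --config "$VPN_CONF" --daemon ;;
    verify)  if split_ok "$(ip route get "$VPN_SERVER")" "$(ip route get 192.0.2.1)"; then
                 echo "ok: $VPN_SERVER still via $(field_after dev "$(ip route get "$VPN_SERVER")"), the rest via tun"
             else
                 echo "NOT split: check the pin and redirect-gateway" >&2; exit 1
             fi ;;
esac
```

`verify` is the test to run before trusting the tunnel on a hotel network: if both lookups come back on the same device, either the default route never moved (nothing is tunneled) or the pin was lost (the tunnel is about to eat its own control channel). 192.0.2.1 is only a documentation address used for the lookup; nothing is sent to it.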
> The key to forwarding your entire connection is to make sure you're
> not stomping on your ethernet device's route to the openvpn server.
> [ ... ]
You've confirmed what I was looking at. I saw some config variables, but they didn't appear to work. I can almost do what I need via lynx. I'm thinking it might be easier to set up something that just lets me proxy surf on 80 and 443, so the request comes from the allowed IP address.
--------------------------------------------------------------------------------
Karl Schmidt                          EMail K...@xtronics.com
Transtronics, Inc.                    WEB http://xtronics.com
3209 West 9th Street                  Ph (785) 841-3089
Lawrence, KS 66049                    FAX (785) 841-0434