
#1 2009-09-26 01:59:39

mikesd
Member
From: Australia
Registered: 2008-02-01
Posts: 788

[SOLVED] Looking for a VPN solution.

I'm in the process of setting up a wireless access point on my home network. While the access point will be secured I do have a couple of servers on my home network and don't want to take any chances. I'm planning my setup so that if someone cracks my wireless network they still don't have access to my wired network. To do this I'm putting the access point on its own subnet which has a dedicated NIC in the router. Using IPTABLES I am going to block all traffic on this interface *except* for VPN traffic. This way even if someone does manage to crack the wireless network they would still need to tackle the VPN to gain access to my wired network. This would also obviously block their access to the internet as well, making the now compromised access point next to useless for an attacker.

I realise this may be overkill but I will sleep easier. Having said that, if anyone has an alternative idea speak up.

I haven't done much with VPNs. We use OpenVPN as point to point bridges in our WAN at work but I am also looking at IPSEC based OpenSwan. Both OpenVPN and OpenSwan look good to me. What are other people using for VPNs?

Last edited by mikesd (2009-09-27 05:53:37)

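The filtering the first post describes (a dedicated router NIC for the access point, everything dropped except VPN traffic), written out as an added example that is not from the thread. Interface names (wlan0, eth0, tun0), the wireless subnet 10.0.1.0/24 and the OpenVPN port 1194/udp are assumptions; adjust them to your router.

```shell
#!/bin/sh
# Added example, not the poster's own config. Assumed names:
#   WLAN_IF  router NIC facing the access point
#   LAN_IF   wired LAN NIC
#   VPN_IF   OpenVPN tunnel interface
WLAN_IF=${WLAN_IF:-wlan0}
LAN_IF=${LAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
WLAN_NET=${WLAN_NET:-10.0.1.0/24}
VPN_PORT=${VPN_PORT:-1194}

# Print the rules instead of applying them, so they can be reviewed first;
# pipe the output into `sh` as root to load them.
wlan_rules() {
  cat <<EOF
# Default deny: anything not explicitly accepted below is dropped.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
# The wired LAN keeps full access to the router itself.
iptables -A INPUT -i $LAN_IF -j ACCEPT
# Replies to traffic the router itself started (covers OpenVPN's UDP replies).
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only service a wireless client may reach on the router: the OpenVPN port.
iptables -A INPUT -i $WLAN_IF -s $WLAN_NET -p udp --dport $VPN_PORT -j ACCEPT
# Everything else from the access point is logged, then dropped.
iptables -A INPUT -i $WLAN_IF -j LOG --log-prefix "wlan-drop: "
iptables -A INPUT -i $WLAN_IF -j DROP
# Nothing is forwarded from the wireless subnet: no internet, no wired LAN.
iptables -A FORWARD -i $WLAN_IF -j DROP
# Authenticated tunnel clients reach the wired LAN, and the LAN answers them.
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Sanity check on the generated policy: count ACCEPT rules that match the
# wireless interface but are not the VPN port. The design requires this to be 0.
check_rules() {
  wlan_rules | grep -- "-i $WLAN_IF" | grep -- "-j ACCEPT" \
    | grep -vc -- "--dport $VPN_PORT" || true
}
```

Wireless clients still need an address and a resolver, so let the access point itself serve DHCP and DNS on that subnet; the router answers nothing but OpenVPN on this interface.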

#2 2009-09-26 02:36:18

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,553

Re: [SOLVED] Looking for a VPN solution.

OpenVPN is much saner than any IPsec-based VPN (which includes OpenSwan and strongSwan). And that's coming from a regular user of strongSwan...


#3 2009-09-26 20:18:38

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: [SOLVED] Looking for a VPN solution.

I also recommend openvpn.

OpenVPN has much nicer 'protocol behavior' than IPSec. You don't have to deal with isakmp/ike requirements for not NAT munging the source port, NAT-T workarounds, firewall restrictions on raw IP packets (ESP), or any of the other oddities that come from using IPSec in a world with NAT devices. OpenVPN 'just works'.
Add to this the availability of clients for many OSs, and you have a pretty decent mix of support.

If you are looking for 'baked in' OS support, you might consider L2TP. It is effectively PPTP over IPSec. While it suffers from many of the problems of IPSec itself, it can be a bit easier to configure on the client side.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#4 2009-09-26 21:44:27

Pudge
Arch Linux f@h Team Member
Registered: 2006-01-23
Posts: 300

Re: [SOLVED] Looking for a VPN solution.

mikesd wrote:
I'm in the process of setting up a wireless access point on my home network. While the access point will be secured I do have a couple of servers on my home network and don't want to take any chances.

How about something like this?

Scroll down to almost the bottom of the page and look at Isolating an open or low-security wireless access point:

Of course, the whole page is interesting reading.

Pudge

Last edited by Pudge (2009-09-26 21:46:22)


#5 2009-09-27 05:53:03

mikesd
Member
From: Australia
Registered: 2008-02-01
Posts: 788

Re: [SOLVED] Looking for a VPN solution.

Thanks all. I have decided on OpenVPN. It looks good, has good documentation and seems popular. We use it extensively at work, though I didn't set it up, and it seems to be solid. We actually trialled an IPSEC based VPN and had nothing but trouble. May have been the appliances we were using. Not sure.

@Pudge: Yeah, I thought about sticking the access point outside my router in a similar setup to that shown. I didn't, as while this would protect my home network it would still give an attacker access to the internet, allowing them to use up my precious bandwidth. I would still need a VPN as *I* still need access to my network, I just don't want anyone else to have access. I have a spare NIC in my router so it's easy to stick the access point on that on its own subnet.
