You know how insecure 802.11x wireless networks are. In this article we’ll create an OpenBSD-based secure wireless access point that prevents unauthorized access and encrypts every packet using a VPN tunnel. OpenBSD is one of the most secure operating systems available, is easy to use, and includes almost everything you need for this project in the base installation.
…and it wants this article back. VPN-over-insecure-802.11 is an obsolete and user-hostile way to secure an access point. WPA with hostapd ought to be easier to configure, just as secure, and is actually user-friendly.
Unfortunately, OpenBSD only supports the easily cracked WEP. Last time I checked, they had no plans to support WPA any time soon, either. Weird, given how security-obsessed those folk tend to be. They might be importing the FreeBSD stuff now though, I don’t know.
OpenVPN can be a pain to set up, but it worked pretty well for me in the past. I can never get the new WPA features in FreeBSD 6 working properly for an access point such that it will work with my iBook. The documentation for all that new stuff wasn’t completed for the 6.0 release and OS X doesn’t seem to play very nicely with FreeBSD with regards to wireless stuff in general.
“Last time I checked, they had no plans to support WPA any time soon, either”
http://reyk.wlsec.net/auug-2005/slide_21.html
>WPA with hostapd ought to be easier to configure,
Well, unless you want to use 802.11b, which is well supported by many platforms; then running a VPN over wireless is an easy choice to make it secure.
This would be a poor way of going about it, if I read the article correctly (I don’t have access to a system to test it all out on right now, and I’m too busy studying for finals to think – yes, that makes sense at my school). As long as the user can get an IP address (either by just connecting, or by spoofing a MAC address), and can send traffic through ICMP, they have ‘net access. They just need a box on the outside to act as a proxy (much like an SSH SOCKS proxy, sans encryption). Not really too difficult to set up.
Who blocks ping, anyway?
A lot of companies block pings (ICMP and UDP).
Why give someone an easy way to map a network? Or know that your host is alive?
Blocking pings won’t magically hide your host from the network; it’s stupid and only breaks things.
Blocking PING, i.e. ICMP echo request and reply, is totally pointless. They exist for a reason. Ever tried troubleshooting with a remote server that blocks ping? Yea, that’s REALLY funny. Good luck solving your customers’ problems when they “can’t access <site X>”.
Good luck with MTU discovery too.
It’s 2005, no one (not even MS) makes IP stacks so weak that a ping will break them. This is the bad kind of paranoia that doesn’t solve a single problem but instead creates new ones. People who think blocking ping is awesome aren’t fit to manage networks.
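The point made in the last few comments, that a blanket ICMP block hides nothing and breaks path MTU discovery, is easier to see as a firewall ruleset. The following OpenBSD pf.conf fragment is an added example, not something posted in this thread; it assumes an external interface macro `$ext_if` (set to a placeholder name here) and shows the blanket block beside a targeted set of rules that keeps echo, "fragmentation needed" and "time exceeded" working. `keep state` is written out explicitly, which older pf releases required.

```pf
# Added example, not from the thread. $ext_if is a placeholder interface name.
ext_if = "em0"

# Weak setting: the blanket block many sites apply. The host still answers
# TCP and UDP, so nothing is hidden, but "fragmentation needed" replies are
# dropped and path MTU discovery fails silently for large packets.
# block in on $ext_if inet proto icmp all

# Corrected setting: pass only the ICMP messages hosts actually depend on.
# Echo request (replies are matched by state) keeps ping usable for troubleshooting.
pass in on $ext_if inet proto icmp icmp-type echoreq keep state
# "Fragmentation needed" (type 3, code 4) is what IPv4 path MTU discovery relies on.
pass in on $ext_if inet proto icmp icmp-type unreach code needfrag
# "Time exceeded" lets traceroute report intermediate hops.
pass in on $ext_if inet proto icmp icmp-type timex

# IPv6 routers never fragment, so "packet too big" must get through or
# large IPv6 flows stall entirely.
pass in on $ext_if inet6 proto icmp6 icmp6-type echoreq keep state
pass in on $ext_if inet6 proto icmp6 icmp6-type toobig
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then without `-n`; the commented-out `block` line is left in only to show what is being replaced.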
I hope this will get integrated into the next OpenSSH release:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/README.tun?re…
The new features will provide the same VPN functionality as OpenVPN (in the case of a TCP tunnel setup), but will probably be even easier to configure.