[OpenWireless Tech] Allow only open VPN traffic

"Andy Green (林安廸)" andy at warmcat.com
Wed Jul 27 22:45:21 PDT 2011


Hi -

I gave this some thought a couple of years ago while working at 
Openmoko, they were considering a phone focused on using open Wifi 
connections opportunistically.

The issue is less about security on the air, it seems to me, since TLS 
(https) can solve that well.

The practical issue for running open APs is liability because of what 
the random users are doing while leaving your IP in the logs.

The proposal is that APs remain encrypted for their user traffic as 
normal, yet also accept unencrypted associations.  On the 
unencrypted connections, the AP will only allow VPN traffic to pass on 
UDP and well-known ports for it.

This means that the AP's IP address is removed from the equation, the 
unauthenticated users can only use the AP IP to connect to a VPN "proxy" 
that is under their credentials; it's the VPN IP that then goes out to 
the third party.  He can use that to touch other servers, but only on, 
eg, port 500 UDP or 1701 and absolutely nothing on, eg, port 25, 80 tcp etc.

Since this needs changes at the AP / router firmware, at the same time 
it can make available VPN serving capability at the AP / router.  So 
guys making use of this use the unencrypted WLAN connection to VPN back 
to their own router and use their own internet connection.

So it looks like this:

  Travelling user -->
    Unencrypted WLAN link -->
      Donor's AP -->
        ONLY VPN traffic passes -->
          Leecher's home router VPN or rented VPN -->
            Internet using VPN's IP

If the unencrypted connectivity was rate-limited, along with the simple 
explanation that the anonymous users are no longer accessing the 
internet "in your name", I think many people would consider deploying this.

-Andy
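As an added example, not part of Andy's post or any OpenWireless code, here is a Python model of the split filter he describes: traffic from the donor's encrypted SSID passes as normal, traffic from the open SSID passes only when it is VPN transport, and each open-SSID client is rate-limited with a token bucket. The interface names, the UDP 4500 and ESP entries, and the rate numbers are assumptions; only UDP 500 and 1701 come from the post.

```python
from collections import namedtuple

# Constructed packet record: ingress interface, IP protocol, L4 destination
# port, client identifier (e.g. MAC), length in bytes, arrival time in seconds.
Packet = namedtuple("Packet", "iface proto dport client length ts")

OPEN_IFACE = "wlan0-open"   # hypothetical name for the unencrypted guest SSID
HOME_IFACE = "wlan0-home"   # hypothetical name for the donor's encrypted SSID

# Allow-list for the open SSID: only VPN transport may leave the AP.
# UDP 500 (IKE) and UDP 1701 (L2TP) are from the post; UDP 4500 (IKE NAT-T)
# and IP protocol ESP are assumptions added here because IPsec needs them.
ALLOWED_UDP_PORTS = {500, 1701, 4500}
ALLOWED_IP_PROTOS = {"esp"}


class OpenSsidFilter:
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0          # refill rate in bytes per second
        self.burst = burst_bytes            # bucket capacity per client
        self.buckets = {}                   # client -> (tokens, last_ts)

    def _take_tokens(self, client, nbytes, ts):
        # Per-client token bucket: a new client starts with a full bucket.
        tokens, last = self.buckets.get(client, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        if tokens < nbytes:
            self.buckets[client] = (tokens, ts)
            return False
        self.buckets[client] = (tokens - nbytes, ts)
        return True

    def verdict(self, pkt):
        # The donor's own encrypted SSID is not filtered by this policy.
        if pkt.iface == HOME_IFACE:
            return "ACCEPT"
        if pkt.iface != OPEN_IFACE:
            return "DROP"
        # Open SSID: drop anything that is not VPN transport, so the donor's
        # IP never appears as the source of ordinary web/mail/etc. traffic.
        is_vpn = (pkt.proto == "udp" and pkt.dport in ALLOWED_UDP_PORTS) \
            or pkt.proto in ALLOWED_IP_PROTOS
        if not is_vpn:
            return "DROP"
        ok = self._take_tokens(pkt.client, pkt.length, pkt.ts)
        return "ACCEPT" if ok else "DROP"
```

Running it against a handful of constructed packets shows IKE and ESP from the open SSID passing, HTTP from the open SSID dropped, HTTP from the home SSID untouched, and a burst over the client's bucket dropped until tokens refill.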
