[OpenWireless Tech] Allow only open VPN traffic

Natanael natanael.l at gmail.com
Wed Jul 27 22:54:04 PDT 2011


The router could also run something like Tor or connect to a VPN itself, but
that might not be optimal (Tor can be "a bit slow", setting up a VPN of your
own as the router's owner might not be that fun (additional costs)).
If IPv6 were dominating already (for the sake of having public IPs), most
people could have been running their own VPN servers at home for themselves
to connect to when out of home.

- Sent from my phone
On 28 Jul 2011 07:45, Andy Green (林安廸) <andy at warmcat.com> wrote:
> Hi -
>
> I gave this some thought a couple of years ago while working at
> Openmoko, they were considering a phone focused on using open Wifi
> connections opportunistically.
>
> The issue is less about security on the air it seems to me since TLS
> (https) can solve that well.
>
> The practical issue for running open APs is liability because of what
> the random users are doing while leaving your IP in the logs.
>
> The proposal is that APs remain encrypted for their user traffic as
> normal, yet accepted unencrypted associations additionally. On the
> unencrypted connections, the AP will only allow VPN traffic to pass on
> UDP and well-known ports for it.
>
> This means that the AP's IP address is removed from the equation, the
> unauthenticated users can only use the AP IP to connect to a VPN "proxy"
> that is under their credentials; it's the VPN IP that then goes out to
> the third party. He can use that to touch other servers, but only on,
> eg, port 500 UDP or 1701 and absolutely nothing on, eg, port 25, 80 tcp
> etc.
>
> Since this needs changes at the AP / router firmware, at the same time
> it can make available VPN serving capability at the AP / router. So
> guys making use of this use the unencrypted WLAN connection to VPN back
> to their own router and use their own internet connection.
>
> So it looks like this:
>
> Travelling user -->
> Unencrypted WLAN link -->
> Donor's AP -->
> ONLY VPN traffic passes -->
> Leecher's home router VPN or rented VPN -->
> Internet using VPN's IP
>
> If the unencrypted connectivity was rate-limited, along with the simple
> explanation that the anonymous users are no longer accessing the
> internet "in your name", I think many people would consider deploying
> this.
>
> -Andy
> _______________________________________________
> Tech mailing list
> Tech at openwireless.org
> http://srv1.openwireless.org/mailman/listinfo/tech
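The "only VPN traffic passes" rule Andy describes, written out as an nftables ruleset an AP owner could load on a Linux-based router. This is an added example, not code from the OpenWireless project or from either poster. The interface names (wlan0-open for the open SSID, eth0 for the uplink, br-lan for the owner's own LAN) and the 2 mbytes/second guest cap are assumptions; besides UDP 500 and 1701, which the post names, it also passes UDP 4500 and ESP, which IPsec needs to work behind NAT. Guests get DHCP from the router and nothing else from it; DNS is deliberately not forwarded, so a guest's VPN client must be configured with its server's IP address rather than a hostname.

```shell
#!/bin/sh
# Added example, not code from the OpenWireless project or the list post:
# an nftables ruleset for the "only VPN traffic passes" policy on the open SSID.
# Assumed interface names (override via environment to match the router):
#   OPEN_IF - interface of the unencrypted guest SSID
#   WAN_IF  - uplink to the ISP
#   LAN_IF  - the owner's own encrypted LAN
# Assumed VPN protocols the owner chooses to pass: IPsec (IKE UDP/500,
# NAT-T UDP/4500, ESP) and L2TP (UDP/1701). Nothing else is forwarded.
OPEN_IF="${OPEN_IF:-wlan0-open}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-br-lan}"
GUEST_RATE="${GUEST_RATE:-2 mbytes/second}"   # cap on guest -> Internet throughput

# Print the ruleset to stdout (load it with: gen_ruleset | nft -f -).
gen_ruleset() {
    cat <<EOF
table inet openwireless {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Guests never reach the owner's own LAN.
        iifname "$OPEN_IF" oifname "$LAN_IF" drop

        # Replies from the Internet to flows a guest was allowed to open.
        iifname "$WAN_IF" oifname "$OPEN_IF" ct state established,related accept
        iifname "$WAN_IF" oifname "$OPEN_IF" drop

        # Guest -> Internet: only the VPN protocols listed in guest_vpn_only.
        iifname "$OPEN_IF" oifname "$WAN_IF" jump guest_vpn_only
        iifname "$OPEN_IF" drop
    }

    chain guest_vpn_only {
        ct state invalid drop
        # Rate limit so the open SSID cannot starve the owner's uplink.
        limit rate over $GUEST_RATE drop
        # IPsec: IKE, IKE/ESP through NAT-T, and raw ESP.
        udp dport { 500, 4500 } accept
        meta l4proto esp accept
        # L2TP (normally L2TP/IPsec).
        udp dport 1701 accept
        # Everything else (25, 80, 443, DNS, ...) is dropped, so no third
        # party ever sees the donor's IP as the source of guest traffic.
        limit rate 5/second log prefix "openwireless-drop "
        drop
    }

    chain input {
        type filter hook input priority filter; policy accept;
        # The router itself only hands out addresses to guests.
        iifname "$OPEN_IF" udp dport 67 accept
        iifname "$OPEN_IF" drop
        # The router's own VPN service, reachable from the Internet, so the
        # owner can tunnel home from someone else's open SSID.
        iifname "$WAN_IF" udp dport { 500, 4500, 1701 } accept
        iifname "$WAN_IF" meta l4proto esp accept
    }
}
EOF
}

# Dry-run the ruleset through nft's parser when nft is installed.
# Returns 0 if nft accepts it, 2 if nft is not available on this host.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    gen_ruleset | nft -c -f -
}

# List the UDP ports the guest -> Internet chain accepts, ascending, so a
# reviewer can confirm nothing beyond the VPN ports slipped in.
allowed_udp_ports() {
    gen_ruleset | sed -n '/chain guest_vpn_only/,/^    }/p' \
        | grep 'udp dport' | tr -d '{},' \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) print $i }' \
        | sort -n | xargs
}

main() {
    case "${1:-show}" in
        show)  gen_ruleset ;;
        check) check_ruleset ;;
        apply) gen_ruleset | nft -f - ;;
        *)     echo "usage: $0 [show|check|apply]" >&2; return 1 ;;
    esac
}

main "$@"
```

In practice these chains are merged into the router's existing firewall (which also masquerades guest traffic on the uplink) rather than loaded as the only table. A guest's attempt to reach port 80 or 25 is dropped before it leaves the AP, so the donor's IP never appears in a third party's logs for that attempt; the `openwireless-drop` log prefix lets the owner see how often that happens without exposing anything beyond the blocked packet headers.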