[OpenWireless Tech] On VPNs

"Andy Green (林安廸)" andy at warmcat.com
Thu Jul 28 12:50:39 PDT 2011


On 07/28/2011 08:25 PM, Somebody in the thread at some point said:
> As others have noted, there are some practical problems with current VPN
> implementations (hard to configure, OSes may send insecure traffic while
> waiting for a VPN to be established).
>
> None of these are /necessary/ problems with VPNs.  With work, it should in
> theory be possible to offer easy-to-setup VPNs that protect clients
> against malicious APs.  If APs wish to transmit nothing but VPN traffic, it
> could also protect the APs against clients that do questionable things with
> the network.
>
> The big question with VPNs is, can we get cheap enough bulk VPN provision that
> anyone can get a VPN connection that is free or very cheap, and extremely easy
> to configure?

ACK on all of that.

Again while at Openmoko, in Taiwan, it became clear that to get these 
new technologies deployed, you had to sell it as a marketable initiative 
to the companies making the products.

So provide a reference implementation, a logo programme, and support, 
and if they see value in adding it, it will gradually become very widely 
available at no extra cost.  But the vendors themselves likely wouldn't 
take on all the R&D from scratch just for their own products.


However, I think the biggest issue for this and the other solutions 
being adopted at a reasonable pace is whether current WLAN hardware can 
cope with both unencrypted and WEP / WPA encrypted packets coming easily 
without having to drop back to listening to everything and filtering in 
software.

The reason is that if a software solution is overlaid like VPN or some 
form of SSL, in fact the raw wireless transport itself is unencrypted 
then, the encryption being done at a higher level.

That means weaker devices that only support WPA and not the new SSL type 
or VPN solution actually go backwards because the only way they can 
connect to the AP is unencrypted alone.

So both these solutions really want the AP hardware to continue to 
accept and operate in WPA for compatibility, while accepting unencrypted 
connections under tough constraints.  Some WLAN hardware is capable of 
this (most are able to inject unencrypted TX frames while being in WPA 
mode) but I guess some or most are not capable of doing it for RX.

-Andy


