[OpenWireless Tech] No probl/ which VPN

Eugene Smiley eug.smiley at gmail.com
Wed Nov 7 08:15:34 PST 2012


Tabs that I currently have open on the topic, all OpenWRT specific:
http://wiki.openwrt.org/doc/recipes/guest-wlan
https://forum.openwrt.org/viewtopic.php?id=28317
https://forum.openwrt.org/viewtopic.php?id=28926
http://jwalanta.blogspot.com/2012/03/multiple-ssid-on-openwrt-with-bandwidth.html



On Wed, Nov 7, 2012 at 5:27 AM, "Andy Green (林安廸)" <andy at warmcat.com> wrote:

> On 11/07/12 15:38, the mail apparently from Natanael included:
>
>
>> https://play.google.com/store/apps/details?id=de.blinkt.openvpn
>>
>> Root free OpenVPN for Android!
>>
>
> Very cool, I didn't know about that.  Thanks for pointing it out.
>
>
>> I'll just say this: No VPN or other proxy + untrusted routers = only a
>> minor security advantage against active attackers over the current way
>> of doing things. (Though much more secure against passive attackers, but
>> active attacks are easy on WiFi.)
>>
>> Please, go with VPNs of some sort. As I suggested before, put a link in
>> the client to a database over trusted VPNs, including free ones. Let it
>> pick one from there.
>>
>
> Right, but we probably need a reference implementation.
>
> It seems that the "Tomato" firmware might do
>
> http://www.polarcloud.com/tomato
>
> someone mentioned in the comments for the Android openvpn client they had
> connected to openvpn server running on that using the Android client.  And
> that runs on a bunch of cheap and widely-available routers.
>
> Or if anyone has a better idea, let us know.
>
> The bit of magic that's missing is being able to run a completely normal
> WPA network and this unencrypted one at the same time.  I think how to do
> that (and if it's possible) will depend on the chipset a lot and might
> require AP vendor manufacturer cooperation.
>
> But Tomato+cheap Broadcom router looks like it could become a
> plug-and-play add-on type reference platform, plug it into the
>
> The missing work would be netfilter rules to restrict the WLAN interface
> to stateful VPN traffic only.
>
> Looking here
>
> https://community.openvpn.net/openvpn/browser/sample-config-files/firewall.sh?rev=2d4e7685cd1a6d8e1eb1befa241b7595809d3b45
>
> We need something like
>
> iptables -A INPUT -i wlan0 -p udp --dport 1194 -j ACCEPT
> iptables -A INPUT -i wlan0 -d 10.0.0.0/8 -p udp -j DROP
> iptables -A INPUT -i wlan0 -d 192.168.0.0/16 -p udp -j DROP
> iptables -A INPUT -i wlan0 -d 172.16.0.0/12 -p udp -j DROP
> iptables -A INPUT -i wlan0 -j DROP
>
> However iptables can do stateful VPN inspection which is probably better,
> I have no idea how to do it though.
>
> While it's not built-in to his main ISP home router, he'll also need to
> put its local network address as forwarded for UDP 1194 or just name it as
> in the DMZ.
>
> Then, if it's configured for wlan0 unencrypted with an ssid like
> "fvo-myap" (Free VPN-Only), people should be able to walk up to it with
> their phone and get a vpn link to their server.  At the same time, it acts
> as the VPN server for the AP owner.  That's quite a lot of the plan
> implemented.
>
> -Andy
>
>> On 7 Nov 2012 07:54, Andy Green (林安廸) <andy at warmcat.com> wrote:
>>
>>
>>     On 11/07/12 12:29, the mail apparently from John Gilmore included:
>>
>>             Brad> How many people are willing to be the Kent State
>>             victims...
>>
>>             Brad> Feel free to put your money where your mouth is and
>>             Brad> actively go out and seek UC Davis or Kent State type
>>             Brad> experiences and then report back to us how well this
>>             Brad> works for you to encourage others to do the same.  We'll wait.
>>
>>
>>         No need to wait.  I've been running one or more open wireless
>>         networks on and in my house for many years.  I had one on my roof
>>         back when it was called "802.11b" instead of WiFi -- when you could
>>         actually hear a signal from blocks away.  (Now there's so much other
>>         WiFi traffic nearby that I can't see my access points from more than
>>         a few houses away.)
>>
>>         So far nobody has sued me, broken into my house, tried to shut down
>>         my internet access, etc.  Of course, I exercise discretion in
>>         choosing my ISPs - I'm not on one that claims I can't run servers or
>>         access points.
>>
>>
>>     Enough people have gotten into problems that it is now widely
>>     understood to be "dangerous and unwise".  I'm not saying it is,
>>     actually I think what you are doing is great.  However that's what
>>     the man in the street thinks and he has put WPA screens around his
>>     AP because of it.
>>
>>         Any device should be able to connect without authorization, and
>>         immediately pass real, unfiltered Internet traffic.  If your
>>         pedometer
>>
>>
>>     Agree with this... I don't like the monetization ideas at all.  If
>>     it's going to be offered, it should be as near zero hassle as possible.
>>
>>         wants to report your jogging time, or your camera wants to upload
>>         the three pictures you took before you wandered into open WiFi
>>         range, it should work.  These apps should all be supported without
>>         manual intervention.
>>
>>
>>     Right...
>>
>>         I think we should put our attention on solving some of the real
>>         problems in open access wireless, such as its susceptibility to
>>         radio-link wiretapping, its lack of ease of configuration, and do
>>         some negotiation with ISPs to improve their terms.  Forcing every
>>         open wireless node down a VPN strikes me as a lot of work that
>>         somebody else could do later, or "maybe never".  For example, it
>>         would require protocol changes in every client device.  Real "open
>>         wireless" would work with unmodified client devices.
>>
>>
>>     I think those things are orthogonal, they can and maybe should be
>>     done but they don't really change the VPN-only advantages.
>>
>>
>>     You're right it's just talk right now.  To move it on we need to
>>     beat out some consensus leading to a short specification document
>>     for what it is and how it works.  If the EFF are behind it, we can
>>     probably get introductions to the major router manufacturers and
>>     their input to improve it.
>>
>>     One problem is what VPN protocol... Android does not support the
>>     obvious one OpenVPN out of the box.  It looks like OpenSwan is
>>     needed?  Does that make trouble on other platforms, e.g., Apple or MSFT?
>>
>>     -Andy
>>
>>     _______________________________________________
>>     Tech mailing list
>>     Tech at srv1.openwireless.org
>>     https://srv1.openwireless.org/mailman/listinfo/tech
>>
>>
>
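The VPN-only netfilter rules Andy sketches above, written out as an added example (not from the thread, OpenWrt, Tomato or the OpenVPN sample files): the function emits an iptables-restore ruleset in which the open WLAN can reach only DHCP and the router's OpenVPN port, every other flow to the router (RFC1918 destinations included) is dropped, and only tunnelled traffic is forwarded, with conntrack supplying the stateful part. The interface names, the 10.8.0.0/24 tunnel subnet and the port are assumptions set as variables.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a "VPN-only" open WLAN.
# Assumed names: the open SSID sits on WLAN_IF, OpenVPN terminates on TUN_IF
# with the VPN_NET subnet, and WAN_IF is the upstream link.
WLAN_IF="${WLAN_IF:-wlan0}"
TUN_IF="${TUN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

fvo_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful part: replies to flows the router already accepted from the open WLAN
-A INPUT -i $WLAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP, so unmodified clients can obtain an address before bringing up the VPN
-A INPUT -i $WLAN_IF -p udp --dport 67 -j ACCEPT
# The only service the open WLAN may open a new flow to: OpenVPN on the router
-A INPUT -i $WLAN_IF -p udp --dport $VPN_PORT -m conntrack --ctstate NEW -j ACCEPT
# Catch-all last: everything else (RFC1918 destinations included) is dropped
-A INPUT -i $WLAN_IF -j DROP
# Never route raw open-WLAN traffic; only what arrives through the tunnel goes out
-A FORWARD -i $WLAN_IF -j DROP
-A FORWARD -i $TUN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# VPN users get the Internet, not the owner's LAN
-A FORWARD -i $TUN_IF -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# Tunnelled clients share the router's WAN address
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Apply atomically on the router (needs root); review the output of fvo_rules first.
fvo_apply() {
  fvo_rules | iptables-restore
}
```

Port-forwarding UDP 1194 from the ISP router to this box, as Andy notes, is still needed for the AP owner's own remote use; nothing here covers that hop.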

