[OpenWireless Tech] Securing an OpenWireless.org Access Point

Russell Senior russell at personaltelco.net
Wed Jan 14 14:48:32 PST 2015


>>>>> "Tom" == Tom Hanan <tom.hanan at switchcomputing.com> writes:

Tom> Here is a short summary of many previous e-mails from contributors
Tom> to OpenWireless.org regarding best practices for standing up and
Tom> securing an OpenWireless.org SSID on an open access point.

Tom> [...]

Tom> 1) Use a dedicated access point, on its own subnet, to stand up
Tom> OpenWireless.org access. This "Ensures WiFi Password Protected
Tom> Equivalent isolation" between unencrypted OpenWireless Traffic and
Tom> your other encrypted & password secure Traffic and thus minimizes
Tom> your additional exposure by standing up an OpenWireless SSID. Using
Tom> an old access point you already have or buying a modern one with
Tom> VPN tunneling capability for <$15 will provide gracious providers
Tom> of OpenWireless access with the best possible protection against
Tom> malicious abusers of their hospitality with the least possible
Tom> hassle from their ISP and Copyright Trolls.

On first read, that sounds like a dedicated piece of hardware, which
generally isn't necessary with modern hardware.  A modern router with
the right radio(s) can create multiple virtual interfaces with their own
SSIDs and attachable to separate subnets on each radio.  With firewall
rules, it's trivial to keep traffic separated.

In general this does not protect you against complaints, as you
typically will have one public IP address, and the complaints will come
back to that address, either directly or indirectly.

The purpose of the separate subnets is for local security of your
private network, so that people on the public network are not allowed to
reach hosts on the private network.

If you want to segregate complaints, you need another public IP
address.  There is usually a cost tradeoff to achieve this, and
for most people it's not worth the cost.

Tom> 2) Limit your exposure to your ISP's Six Strikes IP monitoring,
Tom> Extortion actions by Copyright Trolls or potentially unprovoked Law
Tom> Enforcement action by limiting ALL OpenWireless access via your IP
Tom> address to VPN. [...]

In my jurisdiction (the US), this is excessive and paranoid.  In other
jurisdictions, it might not be.  It would certainly limit the
availability of openwireless.org networks to a tiny fraction of
potential users.  In our 14+ years of experience, we have not found this
necessary.

Tom> 3) Upgrade your Router or Router Software to support routing of all
Tom> Non VPN Tunneling OpenWireless traffic to a No/Low cost VPN Lite or
Tom> full VPN service that you setup and or pay for. [...] The only way
Tom> an OpenWireless user can ensure their own security is by using
Tom> their own VPN!

End-to-end encryption and valid public keys are the way for users to
ensure the privacy of the content of their communications.

A user's VPN is going to protect the content of the communication only as
far as the other end of the VPN tunnel.  Its primary utility is to
redirect complaints from the openwireless.org network operator to the
user.

An openwireless.org provided VPN is going to redirect complaints to the
end point of that VPN tunnel.  They are likely to get forwarded to you
anyway.  Just learn to deal with the (few) complaints and your life gets
much less complicated.

We help manage about 60 networks, and see one or two complaints a year,
total.  None of them, ever, has had any significant consequences.


-- 
Russell Senior, President
russell at personaltelco.net
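[Editor's note, not part of the thread.]  The "multiple virtual interfaces
on separate subnets, kept apart with firewall rules" setup Russell describes
in his reply to point 1 is what a modern OpenWrt router does natively.  The
script below is an added example, not code from Russell, Tom, Personal Telco
or OpenWireless.org.  It assumes OpenWrt with UCI, that the open SSID rides
on the radio named radio0, that the private network is the firewall zone
named 'lan' and the uplink the zone named 'wan', and that 10.20.0.0/24 is
unused; all of those names and the subnet are assumptions to adjust.  It
creates an unencrypted "openwireless.org" SSID on its own interface and
subnet, gives it DHCP, and puts it in a zone whose clients may reach the
WAN and the router's DHCP and DNS ports but nothing else: no forwarding to
'lan', no other access to the router itself, and client isolation on the
radio so open clients cannot talk to each other.

```shell
#!/bin/sh
# Added example (hypothetical OpenWrt/UCI config, not from the thread):
# an open "openwireless.org" SSID on its own subnet, firewalled away from
# the private LAN.  Assumptions: OpenWrt with UCI; radio0 carries the open
# SSID; the private zone is 'lan', the uplink zone is 'wan'; 10.20.0.0/24
# is free for the open subnet.

# Emit the UCI batch that builds the isolated open network.
openwireless_uci_batch() {
    cat <<'EOF'
set network.open=interface
set network.open.proto=static
set network.open.ipaddr=10.20.0.1
set network.open.netmask=255.255.255.0

set wireless.open=wifi-iface
set wireless.open.device=radio0
set wireless.open.mode=ap
set wireless.open.network=open
set wireless.open.ssid=openwireless.org
set wireless.open.encryption=none
set wireless.open.isolate=1

set dhcp.open=dhcp
set dhcp.open.interface=open
set dhcp.open.start=100
set dhcp.open.limit=150
set dhcp.open.leasetime=1h

set firewall.open=zone
set firewall.open.name=open
set firewall.open.network=open
set firewall.open.input=REJECT
set firewall.open.output=ACCEPT
set firewall.open.forward=REJECT

set firewall.open_wan=forwarding
set firewall.open_wan.src=open
set firewall.open_wan.dest=wan

set firewall.open_dhcp=rule
set firewall.open_dhcp.name=Allow-DHCP-open
set firewall.open_dhcp.src=open
set firewall.open_dhcp.proto=udp
set firewall.open_dhcp.dest_port=67
set firewall.open_dhcp.target=ACCEPT

set firewall.open_dns=rule
set firewall.open_dns.name=Allow-DNS-open
set firewall.open_dns.src=open
add_list firewall.open_dns.proto=tcp
add_list firewall.open_dns.proto=udp
set firewall.open_dns.dest_port=53
set firewall.open_dns.target=ACCEPT

commit network
commit wireless
commit dhcp
commit firewall
EOF
}

# Apply on the router: strip the blank lines used for readability, feed the
# batch to uci, then reload the services that own the changed config.
apply_openwireless_config() {
    openwireless_uci_batch | grep -v '^[[:space:]]*$' | uci batch || return 1
    /etc/init.d/network reload
    /etc/init.d/dnsmasq reload
    /etc/init.d/firewall reload
    wifi reload
}

# Only touch the live router when asked explicitly:  sh this-script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_openwireless_config
fi
```

Two points worth checking after applying this.  The zone's input policy is
REJECT with only UDP/67 and 53 opened, so open clients cannot reach the
router's web UI or SSH; if you want ICMP or anything else exposed to them,
add a rule for it deliberately.  And the absence of any forwarding with
dest=lan, together with forward=REJECT on the zone, is what keeps open
clients off the private subnet; verify it from a client on the open SSID
before trusting it.  As Russell says, none of this changes where abuse
complaints land: the open subnet still leaves through your one public IP.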
