Securing Residential Wireless LAN networks with VPN overlay

Posted by avasaralak on Aug 6, 2005 1:16 PM EDT
By Venkata Avasarala

The security of WLAN networks has been a major concern that is impeding their widespread use. Methods for securing the network, like WEP and WPA, have been shown to be vulnerable if the encryption keys chosen are weak. The use of a VPN overlay in WLAN networks can provide an additional layer of encryption and dramatically enhance the security of the network. Presented below is a review of my experiences implementing a VPN overlay over a WLAN network using SuSE Linux as the server as well as the client platform.

Software and equipment used

Hardware

  1. Netgear WCP624G wireless router
  2. Old P3 based Dell Optiplex desktop for use as the VPN server
  3. HP ze5155 laptop as the VPN client.

Software

  1. SuSE 9.2 on the server
  2. SuSE 9.3 on the laptop
  3. OpenVPN VPN server and client. The software can be installed through Yast on SuSE 9.3. However, in SuSE 9.2 the installed software did not have the server. Hence, I downloaded a private build for SuSE 9.2 from the SuSE ftp website.

Basic network

The basic network consisted of

  1. The Netgear router connected to the Internet and acting as the DHCP server for the internal network.
  2. The server connected to the router through Ethernet on one of its switch ports.
  3. The laptop connected through the WLAN network.
[Figure: Normal]
The normal path for traffic from the laptop would be over the WLAN network (secured with WPA) and out through the router. The security provided by WPA is the only protection in the normal WLAN network.

Implementation



After installing the required software on the server and the laptop, I followed the detailed instructions given at http://openvpn.net/howto.html. After establishing the VPN, traffic from the client can be routed either solely through the tunnel or through both the WLAN interface and the tunnel. I opted to route all the traffic from the laptop through the VPN connection and modified the server configuration file accordingly. The installation includes init scripts, which I copied to the /etc/init.d directory after modifying them appropriately (paths to certificate files etc.) and, using the Yast runlevel editor, enabled in runlevel 5. The only problem I faced was in getting the server to NAT the traffic from the tunnel; somehow the SuSE firewall was interfering with the NAT operation. I had to disable the SuSE firewall to get the NAT working.
The configuration has been working flawlessly and I automatically get a tunnel between the laptop and the server on boot.
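
One way to confirm on the client that the route-everything-through-the-tunnel choice described above actually took effect, as an added example that is not part of the original article. It assumes the tunnel device is tun0, the wireless interface is wlan0, and that the server pushes OpenVPN's `redirect-gateway` option; all addresses in the sample tables are constructed.

```shell
#!/bin/sh
# Added example: decide from a routing table whether ALL IPv4 traffic uses the VPN.
# On a live client (device name tun0 is an assumption): ip -4 route show | tunnel_mode tun0
# More-specific routes (local subnet, host route to the VPN server) are expected
# to stay on the WLAN interface and are ignored here.

tunnel_mode() {
    awk -v tun="${1:-tun0}" '
        # Device named after the "dev" keyword on the current route line.
        function dev_of(   i) {
            for (i = 1; i < NF; i++) if ($i == "dev") return $(i + 1)
            return ""
        }
        $1 == "0.0.0.0/1"   { low  = dev_of() }   # lower half, added by def1
        $1 == "128.0.0.0/1" { high = dev_of() }   # upper half, added by def1
        $1 == "default"     { if (dev_of() == tun) def_tun = 1; else def_other = 1 }
        END {
            # A half is covered if its /1 route uses the tunnel, or if it has
            # no /1 route and the only default route uses the tunnel.
            def_ok  = def_tun && !def_other
            low_ok  = (low  == tun) || (low  == "" && def_ok)
            high_ok = (high == tun) || (high == "" && def_ok)
            if (low_ok && high_ok) print "full"; else print "split"
        }'
}

# Constructed sample: client table after "redirect-gateway def1" was pushed.
sample_full() {
    cat <<'EOF'
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.0.1 dev wlan0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.20
EOF
}

# Constructed sample: tunnel is up but only the VPN subnet is routed through it.
sample_split() {
    cat <<'EOF'
default via 192.168.0.1 dev wlan0
10.8.0.0/24 via 10.8.0.5 dev tun0
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.20
EOF
}

echo "def1 table:  $(sample_full | tunnel_mode tun0)"
echo "split table: $(sample_split | tunnel_mode tun0)"
```

A "split" result means some traffic still leaves directly over the WLAN interface and is protected by WPA alone.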


Network with VPN

[Figure: VPN]
In the network with VPN overlay implemented, the path for traffic from the laptop would be over the logical VPN connection (represented by the broken line) to the server and from the server over the Ethernet to the router. The logical connection is essentially another layer of encryption applied before the packets are handed over to the WLAN interface (which has its own WPA security). Hence, in a WLAN network with VPN overlay there are 2 layers of security. The outer layer is provided by the WLAN security protocol and the inner layer is provided by the VPN.


The packets undergo network address translation twice, once at the VPN server and the second time at the router.  The extra encapsulations and decapsulations coupled with the extra processing could impact the throughput of the network. However, I have not experienced any noticeable change in the throughput.






There are primarily two benefits of having even a basic VPN overlay over an already secured WLAN:

  1. With VPN overlay there are two independent levels of protection, and bugs in one level will not affect the security provided by the other level.
  2. Unauthorized access to data will be extremely difficult if not impossible.






Conclusion

The use of VPN overlay over WLAN networks might look like overkill, especially for residential use. However, the rampant possibility of personal information and identity being stolen, and the disastrous consequences that follow, should make the extra security provided by the overlay well worth the effort.







