OpenWrt Forum Archive

Topic: Website User Authentication for a Hotspot

The content of this topic has been archived on 29 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi there, I'm planning on deploying a Hotspot based on OpenWRT and have some questions on how to build a fool-proof system (because of non-techie users) which is still secure.
Here is my basic plan:
1. Setup OpenWRT on my router (IP 10.200.0.254)
2. Use WPA-PSK for security and set ESSID to "My Hotspot - Key myhotspot"
3. Set ap_isolate=1 (According to this post)
4. Enable DHCP (Range 10.200.0.100 - 10.200.0.200)
With these two simple steps everyone should be able to connect to the network and securely transmit data to the router (as far as I understand WPA, but I might be wrong!)

Those three steps were quite easy, but now I want to force the users to do some kind of authorization.
After the user has connected to the wireless, he should get a basic Login/Register screen with every website he opens.
5. Setup DNS to reply to any request by wireless clients with 10.200.0.250 (wired clients should be able to use DNS as usual)
6. Disable any routing of wireless client traffic to the internet (wired clients should be able to use the router to access the internet as usual)

If an unauth'd client now opens any website he should get a message "Welcome to my Hotspot, please login or register: [...]".
7. After a client successfully auth'd he should get correct DNS replies
8. Client traffic should be routed to the internet until he disconnects from the wireless (Maybe I use pinging to detect whether a client is still active or if his session should be terminated, but that's not important yet)

Creating the website, Account management and altering the routes is nothing new to me (though I've to admit the routes thing might be tricky), but I have no clue how to achieve the "Forwarding" in steps 5. and 7.
I know German T-Com uses some kind of "Forwarding" at their hotspots (and I guess most hotspots do that), but how?
Does someone know how the forwarding works or has an idea how it might work? (or maybe even as little as the name of this technique?)

Sebastian

(Last edited by archimedes on 4 Jul 2007, 23:09)
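The "forwarding" asked about in steps 5 to 8 is what captive portals do with NAT and forwarding rules on the gateway. The script below is an added example, not code from this thread or from OpenWrt: it steers every DNS and HTTP request from the wireless interface to the portal host, drops the rest of the wireless traffic toward the WAN, and leaves wired clients alone because every rule matches on the wireless interface only. Interface names (`wlan0`, `eth0.1`), the chain names and the `DRY_RUN` wrapper are assumptions; the two addresses are the ones from the post.

```shell
#!/bin/sh
# Captive-portal plumbing for the plan in the post (added example).
# Wireless clients get every DNS answer and every HTTP request steered to the
# portal host and are not forwarded to the WAN until their MAC is granted.
# Wired LAN clients never hit these rules because they match on WLAN_IF only.
WLAN_IF="${WLAN_IF:-wlan0}"              # wireless interface (assumed name)
WAN_IF="${WAN_IF:-eth0.1}"               # upstream interface (assumed name)
PORTAL_IP="${PORTAL_IP:-10.200.0.250}"   # portal web/DNS host from the post
CHAIN="HOTSPOT"                          # own chains, so a flush is clean

# Run iptables, or only print the command when DRY_RUN is set so the rule
# set can be reviewed (or tested) on a machine without root or iptables.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Only accept a well-formed MAC: the value usually arrives from the portal's
# web application, so it must never reach the shell unchecked.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Steps 5 and 6 of the post: default treatment of unauthenticated clients.
portal_base_rules() {
    ipt -t nat -N "${CHAIN}_NAT"
    ipt -N "$CHAIN"
    ipt -t nat -A PREROUTING -i "$WLAN_IF" -j "${CHAIN}_NAT"
    ipt -A FORWARD -i "$WLAN_IF" -j "$CHAIN"

    # Per-client exceptions are inserted at position 1 later (grant_client);
    # the rules below are the default for everyone else.
    # DNS: every wireless lookup goes to the resolver on the portal host,
    # which answers all names with PORTAL_IP (see the usage note).
    ipt -t nat -A "${CHAIN}_NAT" -p udp --dport 53 -j DNAT --to-destination "$PORTAL_IP:53"
    ipt -t nat -A "${CHAIN}_NAT" -p tcp --dport 53 -j DNAT --to-destination "$PORTAL_IP:53"
    # HTTP: whatever site the client opens lands on the portal login page.
    ipt -t nat -A "${CHAIN}_NAT" -p tcp --dport 80 -j DNAT --to-destination "$PORTAL_IP:80"
    # Forwarding: unauthenticated clients may reach the portal host only;
    # anything else toward the WAN is dropped.
    ipt -A "$CHAIN" -d "$PORTAL_IP" -j ACCEPT
    ipt -A "$CHAIN" -o "$WAN_IF" -j DROP
}

# Steps 7 and 8: after the web application has authenticated a client, its
# MAC skips the redirects (RETURN before the DNAT rules) and may be forwarded.
grant_client() {
    mac="$1"
    if ! valid_mac "$mac"; then
        echo "grant_client: refusing malformed MAC '$mac'" >&2
        return 1
    fi
    ipt -t nat -I "${CHAIN}_NAT" 1 -m mac --mac-source "$mac" -j RETURN
    ipt -I "$CHAIN" 1 -m mac --mac-source "$mac" -j ACCEPT
}

# Called when the session ends (the post's disconnect detection, or a timeout).
revoke_client() {
    mac="$1"
    valid_mac "$mac" || return 1
    ipt -t nat -D "${CHAIN}_NAT" -m mac --mac-source "$mac" -j RETURN
    ipt -D "$CHAIN" -m mac --mac-source "$mac" -j ACCEPT
}

# Typical use: `DRY_RUN=1 sh hotspot.sh` to inspect, plain `sh hotspot.sh` to apply.
case "${1:-}" in
    grant)  grant_client "$2" ;;
    revoke) revoke_client "$2" ;;
    "")     portal_base_rules ;;
esac
```

On the portal host the DNS half of step 5 is a dnsmasq instance with `address=/#/10.200.0.250`, which answers every name with the portal address; once a client is granted, the redirects stop, but its own DNS cache and existing connections may still point at the portal for a while, which is why portals usually tell the user to reopen the browser. The MAC is the only handle the web application gets for a client (via its IP and the DHCP lease table), and it can be spoofed, so the session handling on the web side should expire grants rather than rely on the forwarding rule alone.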

So you put the PSK in the SSID, and this is secure? Hmm.....

I don't think you have thought this cunning plan all the way through.

I use unencrypted WiFi all the time.  I look for padlock in browser, or use OpenVPN, or tunnel traffic through SSH.   Trusting your data to the encryption developed by people who make WiFi hardware, has historically not worked out very well.  End-to-end encryption is always better than client to AP encryption.

IMHO.

Of course I use VPN, ssh tunnels and https (and IMAP via SSL/TLS), but I study informatics and have some basic clue about security and system administration.
Setting up an OpenWRT with OpenVPN would be a very easy way, and if it was for my private home WLAN I'd use it, but I'd like to deploy a public (free) hotspot and I believe there will be many customers who don't know how to configure their notebook/pda with OpenVPN or OpenSWAN...

As far as I understood WPA-PSK, a client only needs the key to gain access, but he can only decrypt traffic which is sent to him using a key assigned to him by the AP. (Some kind of magical, wireless PKI) - But I can't find any proof/information on that, so this is only a shot in the dark (and that's one of the reasons I'm asking here)...
Any idea?

//edit:
WPA-PSK uses TKIP and according to Wikipedia TKIP seems to prohibit sniffing of Client to AP traffic even if an intruder knows the PSK and is logged into the network...
Though: Maybe someone with two WLAN clients could check this by using wireshark on a client which is connected to an OpenWRT with ap_isolate turned on?
(I only have my notebook and some SMC Router at my flat, but I'll try to get a second client and an OpenWRT during the weekend)

//edit2:
I'm still wondering about the User Authentication? Maybe a transparent proxy?

-OR-
Can I setup two SSIDs, one without encryption for user registration (every website should be redirected to a secured registration form) and another with WPA-Enterprise and Radius authentication?

(Last edited by archimedes on 4 Jul 2007, 23:59)
