OpenWrt Forum Archive

Topic: Help: Securing WLAN with OPENVPN

The content of this topic has been archived on 3 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi.  I read the Howto on OPENVPN with TAP devices and was wondering if anyone can help me apply this to my openwrt box (wrt54gs v. 2), but with a twist.  I want to secure the wireless connection between the wlan and clients using tap devices, with the eventual goal of having the firewall dropping all requests on the wireless interface except traffic on the tap devices as described here: http://p3f.gmxhome.de/OpenWRT/Configure-OpenVPN.html

I am struggling with how to apply rules to the firewall to, 1) permit only traffic from the tap devices through 2) drop all else on the wlan.

I appreciate it if anyone can give me some pointers.

I think the general idea would be to block all traffic from the wireless interface in the FORWARD chain and allow traffic coming from or going to "tap+" which should match all tap interfaces.

Thanks for responding, Wodin.  I figured that's what I needed to do conceptually; the difficulty is in actual implementation.   I reread the openvpn and iptables document on openwrt.org.  Openvpn on the wan interface works, now I want to secure the wireless as well.  Here's what I did thus far:

1) remove the wlo from the bridge.
    config interface lan
        option type     bridge <--- By deleting or commenting out this line??
        option ifname   "eth0.0"
        option proto    static
        option ipaddr   192.168.1.1
        option netmask  255.255.255.0

2) Allow wireless VPN connections--the OPENVPN howto gives the following example for the wan.
   iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
   iptables        -A input_wan      -p udp --dport 1194 -j ACCEPT

   I copied the above and replaced the *_wan with *_wlo:
   iptables -t nat -A prerouting_wlo -p udp --dport 1194 -j ACCEPT
   iptables   -A input_wlo -p udp --dport 1194 -j ACCEPT

3) Drop wlo connection.

   iptables -t nat -A prerouting_wlo -j DROP
   iptables  -A input_wlo   -j DROP
   iptables -A INPUT   -i wlo -j ACCEPT
   iptables -A FORWARD -i wlo -j ACCEPT

4) Bridge the wireless network adapter on the windows client to the openvpn network adapter.

I know I am missing something, as I can't get this to work.

Sorry, I can't give you a proper answer now, but you need to drop packets in the filter table (-t filter or no -t option since filter is the default table) instead of the nat table. Probably the FORWARD chain. Also, there is no "o" in the interface name. It is wl0 with a zero. Hope this hint helps :)
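Putting the two hints together (block the raw radio in the filter table, let only "tap+" through, and spell the interface wl0), here is an added example script. It was not posted in this thread and is not OpenWrt's own firewall code; it assumes the radio is wl0 and already out of the LAN bridge, that OpenVPN listens on UDP 1194 and creates interfaces matched by tap+, and that the rules are meant to sit ahead of whatever the stock firewall already accepts, which is why it uses -I rather than -A.

```shell
#!/bin/sh
# Added example (not from the thread): filter-table rules that drop everything
# on the raw wireless interface except the OpenVPN port, and allow traffic only
# once it arrives decrypted on a tap interface.
# Assumptions: radio is wl0, OpenVPN on UDP 1194, tunnel interfaces match tap+.
WIFI_IF="${WIFI_IF:-wl0}"
VPN_PORT="${VPN_PORT:-1194}"

# apply_rules CMD: runs every rule through CMD, so
#   apply_rules echo      prints the rules for review
#   apply_rules iptables  applies them (as root on the router)
apply_rules() {
    ipt="$1"
    # All of this is the filter table (the default, so no -t is given);
    # dropping in the nat table does not work.

    # INPUT: the only thing the raw radio may reach on the router is OpenVPN.
    "$ipt" -I INPUT 1 -i "$WIFI_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    "$ipt" -I INPUT 2 -i "$WIFI_IF" -j DROP
    # Decrypted tunnel traffic shows up on tap+, so the router is reachable that way.
    "$ipt" -I INPUT 3 -i tap+ -j ACCEPT

    # FORWARD: nothing is routed to or from the raw radio ...
    "$ipt" -I FORWARD 1 -i "$WIFI_IF" -j DROP
    "$ipt" -I FORWARD 2 -o "$WIFI_IF" -j DROP
    # ... but tunnel traffic may go on to the LAN and the WAN.
    "$ipt" -I FORWARD 3 -i tap+ -j ACCEPT
    "$ipt" -I FORWARD 4 -o tap+ -j ACCEPT
}

# Default is a dry run that prints the rules; run with IPT=iptables to apply.
apply_rules "${IPT:-echo}"
```

Because the rules are inserted at the head of INPUT and FORWARD, they fire before any existing rule that accepts everything from the LAN side, which is the usual reason a DROP appended with -A never seems to take effect. Encrypted UDP replies from the OpenVPN daemon to wireless clients leave through OUTPUT, which these rules do not touch.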

The discussion might have continued from here.