Wireless VPN from WRT54GL?

Scott spbz at cox.net
Fri Jan 26 17:46:28 MST 2007 

I just started following this thread, and find it highly fascinating.  
It's definately possible to use OpenVPN in a wireless environment to 
truely secure the connections.  As for CPU overhead, YGWYPF, since the 
security trade-off makes it worth it.  Of course, YMMV.  I've only done 
such a thing using a Belkin wireless router.  It went like this:

<internet>
||
<firewall>
||
<switch>
||
<server running OpenVPN>
||
<wireless router>
...
<clients>

This works out very well, and I'm not entirely sure how SSL is less 
secure than IPsec.  From my experience and from what's out there, SSL is 
actually the victor over SSL in this situation.  The server itself can 
simply masquerade any traffic out through the firewall, so the wireless 
clients would remain on their own secure link and still be able to talk 
to the outside world.  That introduces its own challenges, so if you 
know what you're doing with the firewall, then you're pretty much set.  
And since there exists OpenVPN software for Windows 
(http://openvpn.net/INSTALL-win32.html) and OSX 
(http://chrisp.de/en/rsrc/openvpn.html), then that pretty much takes 
care of any OS compatibility issues.

It's a simple matter of turning all hardware-based encryption off, 
restricting the client list, and not broadcasting.

I don't have a WRT54GL, but may consider getting one, therefore my 
knowledge of using any VPN software with the device is extremely minimal.

If you'd like to discuss details further, you can reach me via email.

-Scott


Alan Dayley wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Joseph Sinclair wrote (in part):
>   
>> ---
>> It looks, from what I can find, as if the WRT CPU slows by about half running a single SSL-VPN tunnel (not unusual, SSL-VPN is a rather CPU-intensive solution).
>> If you're planning to run more than 2 clients on the VPN at a time, start with the VPN in a machine between the WRT and the wired network.  The extra CPU on even a low-end machine will be far more capable of handling the SSL-VPN load than the generally overtaxed WRT CPU.
>> In most cases, it's reasonable to expect each SSL-VPN tunnel to consume about 100-200MHz of CPU while in use.  This varies somewhat by type of CPU, but most specialized firewall systems that support SSL-VPN have accelerator cards just to handle the cryptographic overhead (and provide a hardware entropy source to stave off entropy starvation, a common problem with SSL-VPN's [and SSL in general])
>>
>> One other point, if you're requiring an OpenVPN connection to link through the WRT, then turn OFF WEP and WPA.  They add a lot of now-useless overhead to the WRT CPU, and they can actually compromise security of the VPN tunnel.
>>     
>
> The performance worries me so let me go down a different path.
>
> We have a Citrix VPN server already on the internal network.  The
> firewall directs connections from the Internet to that VPN server for
> remote access to the internal network.  The new plan would be to do the
> same on the wireless access point.
>
> - - All connections to the wireless access point, via WPA, would be routed
> to the internal VPN server.
> - - If you can log into that VPN server, you are in.  If not, you go no
> further.
>
> In other words, I would want to setup the access point such that it only
> routes to the internal VPN server and no where else.  Does that sound
> like a reasonable plan?
>
> Alan
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
>
> iD8DBQFFulTVDQw/VSQuFZYRAkVlAJ9iSEhjMbKMpIcVumGzl0Ahl0aDDQCdHBX2
> Y9CQuKR1TirseZgVAyHqK4Q=
> =VEY7
> -----END PGP SIGNATURE-----
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change  you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>

More information about the PLUG-discuss mailing list