I just started following this thread, and find it highly fascinating. It's definitely possible to use OpenVPN in a wireless environment to truly secure the connections. As for CPU overhead, YGWYPF, since the security trade-off makes it worth it. Of course, YMMV.

I've only done such a thing using a Belkin wireless router. It went like this:

|| || || || ...

This works out very well, and I'm not entirely sure how SSL is less secure than IPsec. From my experience and from what's out there, SSL is actually the victor over SSL in this situation. The server itself can simply masquerade any traffic out through the firewall, so the wireless clients would remain on their own secure link and still be able to talk to the outside world. That introduces its own challenges, so if you know what you're doing with the firewall, then you're pretty much set.

And since there exists OpenVPN software for Windows (http://openvpn.net/INSTALL-win32.html) and OSX (http://chrisp.de/en/rsrc/openvpn.html), then that pretty much takes care of any OS compatibility issues. It's a simple matter of turning all hardware-based encryption off, restricting the client list, and not broadcasting.

I don't have a WRT54GL, but may consider getting one, therefore my knowledge of using any VPN software with the device is extremely minimal. If you'd like to discuss details further, you can reach me via email.

-Scott

Alan Dayley wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Joseph Sinclair wrote (in part):
>
>> ---
>> It looks, from what I can find, as if the WRT CPU slows by about half running a single SSL-VPN tunnel (not unusual, SSL-VPN is a rather CPU-intensive solution).
>> If you're planning to run more than 2 clients on the VPN at a time, start with the VPN in a machine between the WRT and the wired network. The extra CPU on even a low-end machine will be far more capable of handling the SSL-VPN load than the generally overtaxed WRT CPU.
>> In most cases, it's reasonable to expect each SSL-VPN tunnel to consume about 100-200MHz of CPU while in use. This varies somewhat by type of CPU, but most specialized firewall systems that support SSL-VPN have accelerator cards just to handle the cryptographic overhead (and provide a hardware entropy source to stave off entropy starvation, a common problem with SSL-VPNs [and SSL in general]).
>>
>> One other point, if you're requiring an OpenVPN connection to link through the WRT, then turn OFF WEP and WPA. They add a lot of now-useless overhead to the WRT CPU, and they can actually compromise security of the VPN tunnel.
>>
>
> The performance worries me so let me go down a different path.
>
> We have a Citrix VPN server already on the internal network. The
> firewall directs connections from the Internet to that VPN server for
> remote access to the internal network. The new plan would be to do the
> same on the wireless access point.
>
> - - All connections to the wireless access point, via WPA, would be routed
> to the internal VPN server.
> - - If you can log into that VPN server, you are in. If not, you go no
> further.
>
> In other words, I would want to set up the access point such that it only
> routes to the internal VPN server and nowhere else. Does that sound
> like a reasonable plan?
>
> Alan
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
>
> iD8DBQFFulTVDQw/VSQuFZYRAkVlAJ9iSEhjMbKMpIcVumGzl0Ahl0aDDQCdHBX2
> Y9CQuKR1TirseZgVAyHqK4Q=
> =VEY7
> -----END PGP SIGNATURE-----
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
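Alan's plan (the access point forwards wireless clients only to the internal VPN server and nowhere else) comes down to a forwarding policy on the access point. The script below is an added example, not from anyone in the thread: it emits that policy as iptables commands for review and checks it before anything is applied. Interface names, the VPN server address (a documentation-range placeholder) and the VPN port are assumptions; the thread names neither the Citrix listener port nor the addressing, and the example assumes clients reach the VPN server by IP and get DHCP from the access point itself.

```shell
#!/bin/sh
# Added example: forwarding policy for the wireless access point in Alan's plan.
# Wireless clients may reach only the VPN server; everything else is dropped
# (and logged, so probing from the wireless side is visible). All names and
# addresses below are assumptions, not values from the thread.
WLAN_IF="${WLAN_IF:-wlan0}"              # untrusted wireless side
LAN_IF="${LAN_IF:-eth0}"                 # internal network side
VPN_SERVER="${VPN_SERVER:-192.0.2.10}"   # assumed VPN server address
VPN_PORT="${VPN_PORT:-443}"              # assumed VPN listener port

# Emit the rules instead of applying them, so the policy can be reviewed first.
# Default FORWARD policy is DROP; the only new connections allowed from the
# wireless side are to the VPN server on the VPN port (TCP and UDP).
gen_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WLAN_IF -o $LAN_IF -d $VPN_SERVER -p tcp --dport $VPN_PORT -j ACCEPT
iptables -A FORWARD -i $WLAN_IF -o $LAN_IF -d $VPN_SERVER -p udp --dport $VPN_PORT -j ACCEPT
iptables -A FORWARD -i $WLAN_IF -m limit --limit 5/min -j LOG --log-prefix "WLAN-BLOCKED: "
iptables -A FORWARD -i $WLAN_IF -j DROP
EOF
}

# Destinations wireless clients are allowed to open connections to, derived
# from the emitted rules. Used to confirm the policy matches the intent
# (exactly one destination: the VPN server) before it goes live.
wlan_allowed_dests() {
    gen_rules | grep -- "-i $WLAN_IF " | grep -- '-j ACCEPT' \
        | sed -n 's/.* -d \([^ ]*\) .*/\1/p' | sort -u
}

# Apply the policy when running as root with iptables present; otherwise
# print it as a dry run so the script is safe to execute anywhere.
apply_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "dry run, not applying:" >&2
        gen_rules >&2
        return 0
    fi
    gen_rules | sh -e
}
```

Run `apply_rules` on the access point itself; on anything else it only prints the rule set. Blocked attempts show up in the kernel log with the WLAN-BLOCKED prefix.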