# Planning home router [WiFi + VPN + multi-platform]

## krani1

Hi there!

I'm planning (bought the hardware already) a new configuration for my home network but need some tips to finish the job.

I've bought a MiniITX EPIA 533 MHz fanless, 2 NICs (one comes with the mobo), a 2 GB CF (with a CF to IDE adaptor), 128 MB RAM.

I already have my Ethernet modem and a great Cisco AP. And my idea was this:

The AP is completely open to all users. When a user connects it receives (from the EPIA router) an IP from the 192.168.0.0/24 range. However, the user has no connectivity at all to the outside world. It can only connect to other clients on the same network.

If the user wants to connect to the internet, it connects to a VPN (running on the EPIA router), which does the authentication and starts a tunnel on the range 10.0.0.0/24. The user connected to the VPN has transparent access to the outside world (NAT). Because he's using a VPN, all the packets are secured, so no problems with the WiFi network.

The user can come from Windows, MacOS or Linux, so the VPN solution should be easy to use on all OSes and should not require the installation of additional software (Windows XP or Vista clients, latest MacOS X and latest Linux).

I've been thinking about how to implement this stuff. But I'm really lost on two things:

- how to route to the outside world *only* the 10.0.0.0/24 network?

- what VPN solution? OpenVPN + Kerberos? Does this work on Windows?

Please give me some hints if you know something  :Smile:  Any help is appreciated  :Smile: 

----------

## truc

1) I may be wrong, but the router will NAT/MASQUERADE (not sure which word I'm supposed to use here?) only the 10.0.0.0/24 subnet to the outside world, and won't NAT anything else. So there should not be any problem with this: 192.168.0.0/24 won't have access to anything but itself (no route for this subnet).

2) OpenVPN works on Linux, *BSD, OSX, Windows and many others, but it requires the users to install it and configure it. 

What is the Kerberos thing for?
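Added example, not code from the thread: what truc's answer looks like as iptables rules on a Linux box acting as the EPIA router from the first post. Only the tunnel subnet is forwarded and masqueraded; the open wireless subnet can reach nothing but DHCP, OpenVPN and SSH on the router itself, and the DROP policy on FORWARD is what keeps 192.168.0.0/24 off the internet, not the fact that it is a private range. Interface names (eth0 to the modem, eth1 to the AP, tun0 for OpenVPN), the OpenVPN port and the use of iptables are assumptions; they are not stated on the page.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rule set for the EPIA router.
# Assumptions (not stated on the page): WAN NIC to the Ethernet modem is eth0,
# the NIC to the Cisco AP is eth1 (open wireless side, 192.168.0.0/24), and
# OpenVPN listens on UDP 1194 with the tunnel on tun0 (10.0.0.0/24).
# IPT/SYSCTL default to a dry run that only prints the commands; run as root
# with IPT=iptables SYSCTL=sysctl to apply them.
set -eu

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
TUN=${TUN:-tun0}
LAN_NET=192.168.0.0/24
VPN_NET=10.0.0.0/24
VPN_PORT=${VPN_PORT:-1194}
IPT=${IPT:-"echo iptables"}
SYSCTL=${SYSCTL:-"echo sysctl"}

rules() {
    $SYSCTL -w net.ipv4.ip_forward=1

    # Flush and start from default-deny for anything arriving at or crossing
    # the router; the router's own outbound traffic is allowed.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Unauthenticated wireless clients may talk to the router only for DHCP
    # (source is 0.0.0.0 during DISCOVER, so no -s match there) and OpenVPN;
    # SSH is left open for administration. Nothing else, and never the WAN.
    $IPT -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p udp --dport "$VPN_PORT" -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # Only the tunnel subnet is forwarded to the WAN and masqueraded. The
    # wireless subnet matches no FORWARD rule, so it hits the DROP policy:
    # "private range" does not mean "NATed"; only what you list here is.
    $IPT -A FORWARD -i "$TUN" -o "$WAN" -s "$VPN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$VPN_NET" -j MASQUERADE

    # Belt and braces: log and drop anything the AP side tries to forward.
    $IPT -A FORWARD -i "$LAN" -j LOG --log-prefix "wifi-noauth: "
    $IPT -A FORWARD -i "$LAN" -j DROP
}

rules
```

Run it once without arguments to see the exact commands it would issue, then `IPT=iptables SYSCTL=sysctl sh fw.sh` as root on the router. OpenVPN's `push "redirect-gateway"` on the server side is what makes the VPN client send its internet traffic into tun0 in the first place; these rules only decide what the router does with it once it arrives.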

----------

## krani1

 *truc wrote:*   

> 1) I may be wrong, but the router will NAT/MASQUERADE (not sure which word I'm supposed to use here?) only the 10.0.0.0/24 subnet to the outside world, and won't NAT anything else. So there should not be any problem with this: 192.168.0.0/24 won't have access to anything but itself (no route for this subnet).

 

I thought that 10.0.0.0/24 and 192.168.0.0/24 are both private networks, and the router will masquerade both. Please someone correct me if I'm wrong.

 *Quote:*   

> 2) OpenVPN works on Linux, *BSD, OSX, Windows and many others, but it requires the users to install it and configure it. 

 

I've heard that it's possible to configure OpenVPN so Windows can use the built-in VPN functionality (something like PPTP, maybe I'm wrong). Gotta dig into this.

 *Quote:*   

> What is the kerberos thing for?

 

Authentication basically. I could use LDAP, or simply a basic plain text file I suppose.... I'm really a noob at this  :Smile: 

----------

## truc

 *krani1 wrote:*   

>  *truc wrote:*   1) I may be wrong, but the router will NAT/MASQUERADE (not sure which word I'm supposed to use here?) only the 10.0.0.0/24 subnet to the outside world, and won't NAT anything else. So there should not be any problem with this: 192.168.0.0/24 won't have access to anything but itself (no route for this subnet) 
> 
> I thought that 10.0.0.0/24 and 192.168.0.0/24 are both private networks, and the router will masquerade both. Please someone correct me if I'm wrong.

 

It is you who tell the router which subnet you want to NAT, so you should be able to do what you want.

 *Quote:*   

>  *Quote:*   2) OpenVPN works on Linux, *BSD, OSX, Windows and many others, but it requires the users to install it and configure it. 
> 
>  I've heard that it's possible to configure OpenVPN so Windows can use the built-in VPN functionality (something like PPTP, maybe I'm wrong). Gotta dig into this.

 

From the people on #openvpn, it may be possible, but they just don't see why you would want that, since configuring this risks being harder than giving users a pre-made OpenVPN configuration file.

 *Quote:*   

>  *Quote:*   What is the Kerberos thing for? 
> 
> Authentication basically. I could use LDAP, or simply a basic plain text file I suppose.... I'm really a noob at this 

 

You can use OpenVPN itself for the authentication part; it can work with SSL certificates and/or user/password.

----------

## Monkeh

Running a VPN over your wireless is an excellent idea, and exactly how I do it.

You don't need kerberos or anything else, just sign your own SSL certs (NOT on the router, so if it gets breached, people can't sign their own certs).

For routing, it'll only route what you tell it to. It won't automagically route every single private subnet to the outside world. And there's no need to use NAT for the VPN, I bridge mine with my local NIC and let VPN clients have an address in the same range as my local wired network.

You will need OpenVPN on the client machines (and a securely transferred cert), but it's a quick job to install and configure.
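Added example, not code from the thread or from the OpenVPN project: a small offline CA and configuration generator that does what truc and Monkeh describe, certificate authentication handled by OpenVPN itself, with the CA key kept on a trusted machine rather than on the router, and a single pre-made `.ovpn` per user with the certificates inlined so the client only has to install OpenVPN and drop in one file. The router's wireless-side address (192.168.0.1), the port (UDP 1194) and the tunnel subnet (10.0.0.0/24) are assumptions; the tls-auth key, the keyUsage/extendedKeyUsage extensions and `remote-cert-tls` are my additions to make certificate checking strict on both sides.

```shell
#!/bin/sh
# Added example, not from the thread: offline CA plus OpenVPN config generator.
# Run on a trusted machine, never on the router. Only ca.crt, server.crt,
# server.key, dh.pem and ta.key are copied to the router; ca.key stays here,
# so a breached router cannot mint new client certificates.
# Assumed values (not stated on the page): router wireless-side address
# 192.168.0.1, OpenVPN on UDP 1194, tunnel subnet 10.0.0.0/24.
set -eu

CA_DIR=${CA_DIR:-./homevpn-ca}
VPN_HOST=${VPN_HOST:-192.168.0.1}
VPN_PORT=${VPN_PORT:-1194}

# make_ca: self-signed CA, server certificate and the tls-auth HMAC key.
make_ca() (
    mkdir -p "$CA_DIR" && cd "$CA_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=homevpn CA" -keyout ca.key -out ca.crt
    openssl req -newkey rsa:2048 -nodes -subj "/CN=homevpn server" \
        -keyout server.key -out server.csr
    # keyUsage must be present for the client's remote-cert-tls check to pass.
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > server.ext
    openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile server.ext -out server.crt
    openssl dhparam -out dh.pem 2048
    openvpn --genkey --secret ta.key   # OpenVPN 2.5+: openvpn --genkey secret ta.key
)

# make_client NAME: one key pair and certificate per user, never shared.
make_client() (
    cd "$CA_DIR"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr"
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$1.ext"
    openssl x509 -req -days 365 -in "$1.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile "$1.ext" -out "$1.crt"
)

# server_conf: /etc/openvpn/server.conf for the router, printed to stdout.
server_conf() {
cat <<EOF
port $VPN_PORT
proto udp
dev tun
# listen on the wireless-side address only
local $VPN_HOST
server 10.0.0.0 255.255.255.0
# send all client traffic through the tunnel, to be NATed by the router
push "redirect-gateway def1"
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
# only certificates with the clientAuth EKU we issued above are accepted
remote-cert-tls client
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
EOF
}

# bundle_client NAME: a single-file .ovpn with CA, cert, key and tls-auth key
# inlined, so the user installs OpenVPN and copies exactly one file.
bundle_client() {
cat <<EOF
client
dev tun
proto udp
remote $VPN_HOST $VPN_PORT
nobind
# refuse to talk to anything but a certificate carrying the serverAuth EKU
remote-cert-tls server
key-direction 1
persist-key
persist-tun
verb 3
<ca>
$(cat "$CA_DIR/ca.crt")
</ca>
<cert>
$(cat "$CA_DIR/$1.crt")
</cert>
<key>
$(cat "$CA_DIR/$1.key")
</key>
<tls-auth>
$(cat "$CA_DIR/ta.key")
</tls-auth>
EOF
}

# dispatch: ./vpnca.sh make_ca | make_client alice | server_conf | bundle_client alice
if [ $# -gt 0 ]; then "$@"; fi
```

Typical run: `sh vpnca.sh make_ca`, then `sh vpnca.sh make_client alice`, `sh vpnca.sh server_conf > server.conf` for the router and `sh vpnca.sh bundle_client alice > alice.ovpn` for the user. The `.ovpn` contains alice's private key, so it has to reach her over a channel the open wireless network cannot see (USB stick, an SSH copy, in person), which is the "securely transferred cert" Monkeh mentions; on Windows it goes into the OpenVPN `config` folder, on the other systems it is passed to `openvpn --config`.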

----------

## nom de plume

All VPNs require you to install client software.

----------

## truc

 *Monkeh wrote:*   

> And there's no need to use NAT for the VPN

 

The NAT is not 'for' the VPN to work, it is for the VPN subnet to get access to the internet. I was, probably wrongly, assuming here that the VPN server was also the gateway. Your Cisco router can do the job for you.

 *Quote:*   

>  I bridge mine with my local NIC and let VPN clients have an address in the same range as my local wired network.

 

I don't understand, how can you prevent non-VPN users from going outside if they are on the same subnet as the VPN users? 

And, second question: with this configuration, the VPN users' traffic is not encrypted? (non-VPN users can see VPN users?) I don't get it, please could you explain? TIA

----------

## Monkeh

 *truc wrote:*   

>  *Monkeh wrote:*   And there's no need to use NAT for the VPN 
> 
> The NAT is not 'for' the VPN to work, it is for the VPN subnet to get access to the internet. I was, probably wrongly, assuming here that the VPN server was also the gateway. Your Cisco router can do the job for you.

 

I meant, there's no need to separate the VPN subnet and the local subnet. Didn't come out right.

 *Quote:*   

>  *Quote:*    I bridge mine with my local NIC and let VPN clients have an address in the same range as my local wired network. 
> 
> I don't understand, how can you prevent non-VPN users from going outside if they are on the same subnet as the VPN users?

 

When you connect to my wireless network, you get assigned an IP from 192.168.1.0/24, and then must connect to my VPN to go anywhere else (only VPN and SSH can be accessed on my server from the wireless interface). Once connected to the VPN, you get an IP from 192.168.0.0/24 (my wired subnet), specifically from 192.168.0.225 to 192.168.0.235. That way, no extra configuration is required for wired clients to talk to those connected via wireless.

 *Quote:*   

> And, second question: with this configuration, the VPN users' traffic is not encrypted? (non-VPN users can see VPN users?) I don't get it, please could you explain? TIA

 

VPN traffic is fully encrypted over the wireless connection. The 'virtual private' section of my network is just my wired network.

----------

## truc

 *Quote:*   

> VPN traffic is fully encrypted over the wireless connection. The 'virtual private' section of my network is just my wired network.

 

My bad, you said wired network, while I understood wifi network before...

thank you  :Smile: 

----------

## think4urs11

 *Quote:*   

>  *Quote:*    *Quote:*   2) OpenVPN works on Linux, *BSD, OSX, Windows and many others, but it requires the users to install it and configure it. 
> 
> I've heard that it's possible to configure OpenVPN so Windows can use the built-in VPN functionality (something like PPTP, maybe I'm wrong). Gotta dig into this. 
> 
> From the people on #openvpn, it may be possible, but they just don't see why you would want that, since configuring this risks being harder than giving users a pre-made OpenVPN configuration file.

 

Nearly sure that's not possible without an OpenVPN client installed.

Windows has PPTP and IPsec capabilities built in, but OpenVPN is based on SSL, a totally different story.

----------

## krani1

Requiring the installation of any software on Windows or Mac is a no-go for me... even if it is as simple as "install this and copy these files", I can't afford that...

So probably I'll stick with WPA-PSK or WPA-Enterprise with a FreeRADIUS running on my EPIA router...

Edit: Could OpenSWAN be a possibility? IPsec works on Windows... but I don't know if it supports authentication...

----------

## truc

Just came across ChilliSpot: http://www.chillispot.org/

http://gentoo-wiki.com/HOWTO_Chillispot_with_FreeRadius_and_MySQL

----------

## krani1

 *truc wrote:*   

> Just came across ChilliSpot: http://www.chillispot.org/
> 
> http://gentoo-wiki.com/HOWTO_Chillispot_with_FreeRadius_and_MySQL

 

Maybe I'm wrong, but ChilliSpot doesn't solve my problem with sending clear packets over the air. I need some kind of encryption.

But anyway, ChilliSpot seems a GREAT project  :Smile:  thank you

----------

## defenderBG

The solution we have here at the university is pretty basic. When you connect (without authorisation) you can get a 129.168.x.x address, DNS and default gateway via DHCP. So you can see the 192.168.x.x. When you type an address you get directly redirected to http://192.168.0.1. There you must authorise yourself and begin an SSL session. If you manage to authorise yourself, then you go to a site which gives you the option to download the needed packages for Win/Lin/Mac OS X.

Theoretically it looks easy, yet it will be somewhat of a small challenge to make it...

----------

## krani1

 *defenderBG wrote:*   

> The solution we have here at the university is pretty basic. When you connect (without authorisation) you can get a 129.168.x.x address, DNS and default gateway via DHCP. So you can see the 192.168.x.x. When you type an address you get directly redirected to http://192.168.0.1. There you must authorise yourself and begin an SSL session. If you manage to authorise yourself, then you go to a site which gives you the option to download the needed packages for Win/Lin/Mac OS X.
> 
> Theoretically it looks easy, yet it will be somewhat of a small challenge to make it...

 

That seems cool indeed... In my university either you connect to a non-NATed network and use the Cisco VPN Client, or you use WPA2-Enterprise. All these options require the installation of specific software on Windows and MacOS, but it's a very secure approach.

----------

## nom de plume

 *nom de plume wrote:*   

> All VPNs require you to install client software.

 

Hey, I was wrong. Poptop works with WinXP's built in pptp vpn client and OSX 10.2's built in pptp vpn client. You still have to install a client for linux.

----------

