Networking - Tunneling VPN
Using freely available programs such as airodump and aircrack, attackers can gain access to a WEP-encrypted network in less than 60 seconds under ideal conditions. WPA can be cracked in hours when the password is weak. Tunneling a VPN connection through a WPA wireless connection lets you control who has access to your network while adding an extra layer of encryption and security.
Disclaimer: This is for reference purposes only; do not use on a production system. The following tutorial assumes knowledge of networking and systems administration.
Network hardware overview
You will need a Wireless Access Point (AP).
You will need a firewall or server with two network interfaces (NICs).
Finally, you will also need an internet connection (ISP).
Wireless Tunnel Network Overview (fig. 1)

Note: When setting up a wireless AP, never configure it over an unencrypted wireless connection.
Example setup of a wireless AP using standard security techniques (ref fig. 1)
Wireless AP LAN Setup
Static LAN (eth1) IP: 10.2.0.254 netmask 255.255.255.0 or /24
Static LAN (eth1) Network: 10.2.0.0 netmask 255.255.255.0 or /24
DHCP Server (Optional)
Example Client Config
IP: 10.2.0.100
Netmask: 255.255.255.0
Gateway: 10.2.0.254
Wireless AP WAN Setup
Static WAN (eth0) IP: 10.1.0.1 netmask 255.255.255.0
Static WAN (eth0) GW: 10.1.0.254 netmask 255.255.255.0
Note: You could use a point-to-point netmask on the WAN-to-WAN link.
Wireless Setup
WPA/WPA2, minimum key length 8 characters, ideally 32 characters
Generic SSID (for example, not your company name)
No SSID broadcast
Once the wireless AP is set up and you can ping 10.1.0.1 from a wireless client device, move on to the next step: setting up RRAS on Windows Server 2003 (ref fig. 2).
Routing and Remote Access - RRAS (fig. 2)
Before setting up RRAS, make sure you have two NICs installed on the Firewall/VPN and that you can ping WAN Router eth1 (192.168.1.1) from Firewall/VPN eth0 (192.168.1.254) (ref fig. 1).
When setting up RRAS, Firewall/VPN (eth0) is considered the LAN link in this situation, and Firewall/VPN (eth1), which is connected to the AP, is the WAN link (ref fig. 3).
Configuring RRAS (fig. 3)

Note: Do a quick port scan and see if any ports are open. The only open port you should see is port 1723; if not, bring up the RRAS MMC and configure the access policy.
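The check described in the note above, as an added example (not part of the original tutorial): a TCP connect check run from a wireless client against the Firewall/VPN eth1 address, reporting anything open other than 1723. The port list and function names are assumptions made for this example.

```python
import socket

# TCP 1723 is the PPTP control channel. The GRE data channel (IP protocol 47)
# is not a TCP port and cannot be seen by a connect check like this one.
ALLOWED_TCP = {1723}

# Constructed sample list of commonly exposed server ports (assumption).
DEFAULT_PORTS = [21, 22, 23, 25, 53, 80, 135, 139, 443, 445, 1433, 1723, 3389]


def open_tcp_ports(host, ports, timeout=1.0):
    """Return the sorted ports on host that accept a TCP connection."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return sorted(found)


def audit_exposure(open_ports, allowed=ALLOWED_TCP):
    """Compare the observed open ports with the allowed set."""
    observed, allowed = set(open_ports), set(allowed)
    return {
        "unexpected": sorted(observed - allowed),  # close these in RRAS
        "missing": sorted(allowed - observed),     # VPN not reachable
        "ok": observed == allowed,
    }


def check_vpn_interface(host, ports=DEFAULT_PORTS, timeout=1.0):
    """Scan host and audit the result against ALLOWED_TCP."""
    return audit_exposure(open_tcp_ports(host, ports, timeout))


if __name__ == "__main__":
    # 10.1.0.254 is the Firewall/VPN eth1 address used in this tutorial.
    result = check_vpn_interface("10.1.0.254")
    print(result)
    if result["unexpected"]:
        print("Unexpected open ports; review the RRAS access policy.")
    if result["missing"]:
        print("Port 1723 not reachable; clients will not be able to connect.")
```

A port that appears under "unexpected" is reachable by anyone who gets past the WPA layer, so it should be closed before clients are configured.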
If the above is working, you're now ready to set up your clients to access the VPN. On each client, configure a new connection (VPN) and make sure the connection is set to the Firewall/VPN eth1 address, 10.1.0.254.
Note: Don't forget to allow dial-in access for the VPN user.
