From: Michael Powell
Subject: Re: Home WiFi Router with pfSense or m0n0wall?
Date: Wed, 24 Apr 2013 16:53:39 -0400
To: freebsd-questions@freebsd.org
Reply-To: nightrecon@hotmail.com
References: <51763692.8010805@qeng-ho.org>

Arthur Chance wrote:

[snip]

>> What I was pondering is some form of L2TP tunnel, or some other form of
>> IPSEC tunnel to form some kind of VPN-like communication between the
>> client and the wifi. Just never have begun to find the time to get
>> anywhere with the idea. But basically it would resemble a VPN that only
>> accepts connections from a tunnel endpoint client and does not pass any
>> traffic from any other client lacking this VPN-like endpoint. I think
>> such a thing is very possible and have read some articles by people who
>> have done very similar-sounding things. Indeed, this is what SSL-VPN
>> providers do via a subscription service so people surfing at open wifi
>> coffee shops tunnel through the local open wifi and set up an encrypted
>> VPN tunnel.
>
> A quick note: pfSense (I don't know about m0n0wall) has OpenVPN built in
> to it. Depending on whether all devices which are going to connect
> wirelessly can run the client end of OpenVPN, this might be a quick way
> to get greater security on the WiFi side.

This is along the lines of what I was thinking. I am my own CA and can
generate certs that no one else has the private keys to. The problem with
buying certs from a provider is the gov't has access to the private keys on
demand. This was mandated back during the Clinton administration for the US.

I do things like turn password auth off on my SSH and only auth via certs.
Extending this to other 'connectivities' is a way to make it harder for
those with no approved cert to get in. The pairing of firewall and OpenVPN
together sounds interesting. Will definitely check it out.

Thanks for the pointer!

-Mike
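The "password auth off, keys only" SSH setup mentioned in the reply above is easy to get subtly wrong, because sshd(8) honours the first value it sees for a keyword (a later line does not override an earlier one), a PAM keyboard-interactive prompt can still accept a password when only PasswordAuthentication is disabled, and lines under a Match block are conditional. The POSIX sh audit below is an added example, not code from the thread or from pfSense/OpenSSH; it evaluates a config file with those rules and reports whether key-only authentication is actually enforced. The two sample configs are constructed for the demonstration, and the function names sshd_effective and sshd_audit are the example's own.

```shell
#!/bin/sh
# Audit an sshd_config for key-only authentication (added example, constructed names).
# Rules applied: the FIRST value for a keyword wins, keywords and values are
# case-insensitive, "Key=value" is accepted, and parsing stops at the first
# Match block because everything below it is conditional.

# sshd_effective FILE 'Keyword|Alias...' DEFAULT  -> prints the effective value
sshd_effective() {
    _keys=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v keys="^(${_keys})\$" -v def="$3" '
        { sub(/#.*/, ""); gsub(/=/, " ") }    # drop comments, allow "Key=value"
        NF == 0 { next }
        tolower($1) == "match" { exit }       # directives below Match are conditional
        !found && tolower($1) ~ keys { print tolower($2); found = 1 }
        END { if (!found) print def }         # absent keyword: sshd default applies
    ' "$1"
}

# sshd_audit FILE  -> prints one line per check, returns 0 only if keys-only holds
sshd_audit() {
    _rc=0
    _pw=$(sshd_effective "$1" PasswordAuthentication yes)
    # Keyboard-interactive (PAM) can still take a password even when
    # PasswordAuthentication is off; newer OpenSSH renamed the keyword.
    _kb=$(sshd_effective "$1" 'ChallengeResponseAuthentication|KbdInteractiveAuthentication' yes)
    _pk=$(sshd_effective "$1" PubkeyAuthentication yes)

    if [ "$_pw" = no ]; then echo "ok   PasswordAuthentication no"
    else echo "FAIL PasswordAuthentication $_pw"; _rc=1; fi
    if [ "$_kb" = no ]; then echo "ok   ChallengeResponse/KbdInteractive no"
    else echo "FAIL ChallengeResponse/KbdInteractive $_kb (PAM password prompt still possible)"; _rc=1; fi
    if [ "$_pk" = yes ]; then echo "ok   PubkeyAuthentication yes"
    else echo "FAIL PubkeyAuthentication $_pk (would lock out key users)"; _rc=1; fi
    return $_rc
}

# Constructed sample configs for the demo (not from any real host).
weak=$(mktemp); hard=$(mktemp)
cat > "$weak" <<'EOF'
# looks hardened at a glance, but the first PasswordAuthentication line wins
Port 22
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
EOF
cat > "$hard" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication = no
ChallengeResponseAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

echo "== weak config ==";     sshd_audit "$weak" || echo "verdict: password logins still possible"
echo "== hardened config =="; sshd_audit "$hard" && echo "verdict: key-only (outside Match blocks)"
rm -f "$weak" "$hard"
```

Run it against a real `/etc/ssh/sshd_config` with `sshd_audit /etc/ssh/sshd_config`; for the authoritative view including Match blocks, compare with `sshd -T` on the host, which prints the fully resolved configuration.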