1. Introduction

802.11 wireless networks (particularly 802.11b) are becoming more and more common in homes, in businesses, in coffee shops, and pretty much anywhere mobile computers are used. By default, however, 802.11 has little security; in fact, security features have to be disabled for a consumer product to work right out of the box. The original security for 802.11 isn't strong in any event; cracking Wired Equivalent Privacy (WEP) is trivial, and while the newer Wi-Fi Protected Access (WPA) subset of 802.11i is much better, the most reliable way to secure a wireless network (in my not-at-all-humble opinion) is to ignore the built-in features and use a Virtual Private Network (VPN) and firewall instead.

There are several VPN solutions to choose from; the inclusion of the KAME IPSec stack in Linux 2.6 has made IPSec an obvious/lazy choice. Another system that uses a similar security model is OpenVPN (http://openvpn.net). Configurations for both will be described below.

1.1. Scope and Assumptions

The IPSec configuration described in this document has only been tested between two computers running Linux 2.6. Using IPSec with Microsoft's client for Windows requires software on the non-Windows machine to deal with the Layer 2 Tunneling Protocol (L2TP), which I do not cover below.

OpenVPN requires no extra software for cross-platform operation, and the OpenVPN configuration described below has been tested with a server running Linux 2.6, and clients running Linux 2.6 and Windows XP Professional.

This document is oriented towards the moderately experienced Linux user. "Moderately experienced" assumes that:

  • you are comfortable at the Linux command line

  • you either a) understand the package manager for your particular distribution or b) know how to build and install packages that use GNU autotools for configuration.

  • you know how to recompile your kernel

  • you are familiar with setting up and using Linux networking

In addition, I assume that:

  • you have succeeded in making your 802.11a/b/g card work under Linux

I don't assume you know anything about generating and using X.509 certificates, the component parts of a VPN, or configuring any of the related tools; all that will be covered below.

1.2. A Note About "Security"

Before continuing, it should be noted that the only absolutely secure network is one that doesn't exist, and this applies with even greater force to wireless systems than it does to wired systems. The software mentioned in this document will help increase the security of your network if used judiciously. It can also do nothing for you, or even leave you more vunlnerable, if used injudiciously. Security, in the end, does not depend on machines; rather, it depends on people.