I recently decided to try wifi + DHCP instead of static ethernet, just for the learning experience. The OpenBSD networking FAQ and the ifconfig(8) and hostname.if(5) man pages are good resources for this.
There are many different wireless adapter brands/lines, and on BSD systems each driver gets its own interface name. So instead of every wireless adapter being "wlan0, wlan1, etc.", you get ral0, iwn0, athn0, etc., depending on the chipset (dmesg or "ifconfig" will tell you which one you have). I had to create a /etc/hostname.if file for the wireless interface (hostname.ral0 for a ral(4) card, for example) containing the nwid of the network I wanted to join (you can scan for it with "ifconfig ral0 scan") and the passphrase, in the format "nwid MYWIFI wpakey MYPASSWORD", followed by a second line containing just "dhcp". Since that file holds the passphrase, keep it readable only by root (mode 0640, owner root:wheel, which is what the installer uses for hostname.* files). Make sure you back up your original resolv.conf: dhclient will overwrite it, though you can control dhclient's behavior with /etc/dhclient.conf. For example, to use a different name server, add a line to dhclient.conf: "supersede domain-name-servers XXX.XXX.XXX.XXX;" (note the trailing semicolon, which dhclient.conf requires). I have an openvpn up script that replaces resolv.conf anyway, so I'm not concerned about it.
I then had to edit my pf.conf. I made a backup of the old one for the ethernet interface, then did the following: created a $wi_if macro for the wireless interface device, commented out the $ext_if lines, added "pass out on $wi_if to $lan_net" since the wireless network uses the same 192.168.1.X subnet, then changed the pass in and pass out rules on UDP port 1197 (so the VPN can establish) from $ext_if to $wi_if. That's all. The "pass out on $wi_if to $lan_net" rule is necessary because openvpn needs to talk over the underlying wireless link before the tunnel exists (to resolve the VPN server's name via DNS, for example). I can comment it out and reload with "pfctl -f /etc/pf.conf" after the VPN channel is established. In fact, I should figure out some way to drop that rule automatically once the VPN is up, and then only allow traffic to certain $lan_net IPs for ssh, scp, etc. That would be more secure. pf can't discriminate based on program, but it can based on user (the "user" option in pf.conf(5)). If a program runs as a dedicated user, it's even better to limit the allowed connections to that user. One caveat: pf matches on the user owning the socket, and a daemon that starts as root and drops privileges afterwards may have created its socket while still root, so check the rule's counters with "pfctl -vsr" to confirm it is actually matching. Anyway, there are clearly some general improvements I could make to the firewall. I'll probably have to experiment with them.
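As an added example (this is not from the original post), here is a small sh script that produces the three pieces of configuration the last two paragraphs describe: the hostname.if file with the passphrase locked down to root, the dhclient.conf override, and a pf ruleset for the wireless uplink, plus the narrower per-host LAN rules the paragraph above wishes for. The interface name ral0, the tunnel interface tun0, the _openvpn user, the 192.168.1.0/24 subnet and UDP port 1197 are assumptions taken from or added to the post; the nwid and passphrase are assumed to contain no whitespace (see hostname.if(5) for quoting). Nothing is written outside the directory you pass as the first argument, so you can dry-run it before pointing it at the real /etc.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the wifi, dhclient
# and pf configuration described above. Run with ROOT="" to write to the
# real /etc; any other directory works for a dry run.
set -eu

# /etc/hostname.<if>: nwid + wpakey on one line, "dhcp" on the next.
# The file holds the WPA passphrase, so it must not be world-readable.
write_hostname_if() {   # write_hostname_if <root> <ifname> <nwid> <wpakey>
    root=$1 ifn=$2 nwid=$3 key=$4
    f="$root/etc/hostname.$ifn"
    mkdir -p "$root/etc"
    # umask 027 so the file is never created readable by "other"
    ( umask 027; printf 'nwid %s wpakey %s\ndhcp\n' "$nwid" "$key" > "$f" )
    chmod 0640 "$f"
}

# /etc/dhclient.conf: keep our own resolver instead of the one DHCP offers.
# Note the trailing ';' that dhclient.conf statements require.
write_dhclient_conf() {   # write_dhclient_conf <root> <nameserver>
    mkdir -p "$1/etc"
    printf 'supersede domain-name-servers %s;\n' "$2" > "$1/etc/dhclient.conf"
}

# pf rules for the wireless uplink as the post describes them, with the
# VPN handshake pinned to a user. Printed to stdout so you can review them
# and syntax-check with "pfctl -nf file" before merging into /etc/pf.conf.
# Assumption: the tunnel interface is tun0.
gen_pf_rules() {   # gen_pf_rules <wi_if> <lan_net> <vpn_port> <vpn_user>
    cat <<EOF
wi_if = "$1"
lan_net = "$2"
vpn_port = "$3"
set skip on lo
block log all
# bootstrap: needed before the tunnel is up (e.g. DNS for the VPN server)
pass out on \$wi_if to \$lan_net
# the VPN handshake itself, limited to the user owning openvpn's socket
pass out on \$wi_if inet proto udp to port \$vpn_port user $4
# everything else rides the tunnel
pass out on tun0
EOF
}

# Narrower replacement for "pass out on \$wi_if to \$lan_net" once the
# tunnel is up: ssh/scp (tcp/22) to specific LAN hosts only.
gen_lan_rules() {   # gen_lan_rules <wi_if> <host>...
    ifn=$1; shift
    for h in "$@"; do
        printf 'pass out on %s inet proto tcp to %s port 22\n' "$ifn" "$h"
    done
}
```

Usage, for a dry run: "ROOT=$(mktemp -d); write_hostname_if $ROOT ral0 MYWIFI MYPASSWORD; write_dhclient_conf $ROOT 127.0.0.1; gen_pf_rules ral0 192.168.1.0/24 1197 _openvpn", then inspect the files and feed the rules to "pfctl -nf" before loading anything. Loading the output of gen_lan_rules after the tunnel is up, in place of the broad $lan_net rule, is what the paragraph above calls "more secure".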
Finally, I needed to run "sh /etc/netstart", which restarts all of the network interfaces (and, in my setup, starts openvpn). This brought the wifi interface up and started the openvpn connection, which takes longer because it keeps retrying until the wireless connection is established. After getting the firewall rules above right, it worked. If the wireless connection drops, the VPN connection doesn't notice that it has been disconnected. I'm not sure of the best way to fix that (OpenVPN's "keepalive" option, which restarts the connection when pings stop arriving, is the usual first thing to try). Every time it happens, I have to stop openvpn, then run "sh /etc/netstart" again. If you plan to use your OpenBSD laptop + openvpn over a wireless connection, I suggest writing some sort of script that monitors the wireless connection and does the above automatically.
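The monitoring script suggested above, as an added example that is not part of the original post: it polls "ifconfig" for the interface's "status:" line and, when the link goes from down back to active, kills the stale openvpn and re-runs netstart for that interface, which is exactly the manual recovery described. It assumes the interface is ral0 and that openvpn is started from the hostname.if/netstart machinery as the post implies; if you start it with rcctl instead, replace the netstart line with "rcctl restart openvpn". The status parsing and the decision logic are separate functions so they can be exercised without a real interface.

```shell
#!/bin/sh
# Added example, not from the original post. Watchdog that restarts
# openvpn when the wireless link drops and comes back.
# Assumptions: interface ral0 (override with WI_IF), openvpn started via
# sh /etc/netstart as in the post, poll interval 5 s (override INTERVAL).
set -eu

WI_IF="${WI_IF:-ral0}"
INTERVAL="${INTERVAL:-5}"

# Extract the "status:" value from ifconfig output fed on stdin.
# Prints e.g. "active" or "no network"; prints nothing if there is no
# status line (wired interfaces that are down, lo0, or a bad name).
link_status() {
    sed -n 's/^[[:space:]]*status:[[:space:]]*//p' | head -n 1
}

# Decide what to do from the previous and current link status:
#   "wait"    - link is (still) down, nothing to do yet
#   "restart" - link just came back after a drop: openvpn is stale
#   "ok"      - link stayed up
decide() {   # decide <prev_status> <cur_status>
    prev=$1 cur=$2
    if [ "$cur" != "active" ]; then
        echo wait
    elif [ "$prev" != "active" ]; then
        echo restart
    else
        echo ok
    fi
}

# The manual recovery from the post, automated: stop the stale client,
# then re-run netstart for the wireless interface (which, in the post's
# setup, starts openvpn again and lets it retry until the link is usable).
restart_vpn() {
    pkill -x openvpn 2>/dev/null || true
    sh /etc/netstart "$WI_IF"
}

main() {
    prev=active   # assume the link was up at start to avoid a spurious restart
    while :; do
        cur=$(ifconfig "$WI_IF" 2>/dev/null | link_status)
        case $(decide "$prev" "$cur") in
        restart)
            logger -t vpnwatch "$WI_IF is back (was '$prev'); restarting openvpn"
            restart_vpn
            ;;
        wait)
            logger -t vpnwatch "$WI_IF status '$cur'; waiting"
            ;;
        esac
        prev=$cur
        sleep "$INTERVAL"
    done
}

# Only loop when invoked as "vpnwatch.sh run", so the functions can be
# sourced and tested on their own.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as root in the background (e.g. from rc.local) with "sh vpnwatch.sh run"; it logs transitions via logger(1), so "tail -f /var/log/messages" shows when it decided to restart. Keeping the "status:" parsing separate from the up/down decision means you can feed it saved ifconfig output to check the logic before trusting it with your tunnel.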
"tcpdump -i wifi0 -y IEEE802_11_RADIO" (where wifi0 is your wireless adapter, e.g. ral0) is a nifty one-liner that prints the signal strength and noise of each captured frame. Useful for finding a good place in the room to use your laptop.