OpenBSD Journal

Linksys VPN Router to OpenBSD IPSec + Wireless

Contributed by Dengue on from the howto dept.

Beetle writes :
"WEP got you down? Me too. I wanted a way to encourage neighbors to use my wireless access point, but I didn't want to leave them hangin' in terms of security. Since I didn't have a Cisco LEAP-capable WAP and several thousand dollars to spend on RADIUS software, I started to think of a different solution. I figured I would just run IPSec on the OpenBSD firewall that is on the backend of my WAP11 and require the neighbors to use IPSec also.

However, VPN clients can be a pain to configure for Windows 2000 / XP folks, or VPN software for other Windows variants (or Mac OS even) costs $150 or more. I wanted something a bit more simple, so for the heck of it, I tested out the new Linksys BEFVP41 VPN router as an OpenBSD IPSec client. Turns out, the BEFVP41 is pretty darn cool and works with OpenBSD! I came up with a WAP11 + BEFVP41 combo / configuration that keeps the neighbors' expenses down, is OS agnostic, plug and play for their home networks, and still lets me run my OpenBSD firewall off the backend of my WAP11. Read the mini how-to HERE!"


  1. By Not Really Anonymous () on

    The mini-howto is great. At least someone out there is trying to find an easy secure wireless solution.

  2. By skullY () on

    It seems to me that all you're doing is setting up an IPSEC link between the openbsd box and the linksys vpn box? How is this different from just dropping another nic into your openbsd box and plugging the wap11 directly into it?

    At least, that's assuming your clients are connecting via 802.11. When they're hard wired such as you describe in section 5, another openbsd box can take the place of the BEFVP41 and would be arguably more secure, from the standpoint that the code is open and has been audited. There's also better debugging information when "random" hangups happen. I don't want to deploy equipment I have to maintain because it's locking up and I have no information to go on to figure out why.

    Don't get me wrong, the info is mildly useful, I just think you should have thought it out a little better. It seems to me that what you have now is the result of spending an hour thinking about it, and a few hours implementing it, when the opposite should have been the case. You should also explain what you're doing a bit better. The only time I can figure out where the wap11 fits in is all the way in section 5, after you've explained everything else.

  3. By Mike Ripley () on

    I took over administration of the server earlier this year, and I've noticed a lot of requests with this article as the referrer. Beetle no longer has an account on the system, and you may find his write-up at his new site:

