OpenBSD Journal

How to Build a Simple Wireless Authenticated Gateway (SWAG) Using OpenBSD

Contributed by grey on from the stretching authpf's legs and not forgetting about w32/putty dept.

Thanks to Jose Nazario for pointing out to following article by Rosli Sukri:

(Comments are closed)

  1. By Ben Goren ( on

    ...or is the article nothing more than an excessively verbose introduction to authpf?



  2. By Matt Van Mater ( on

    Such as
    Once upon a time I thought did something similar too. (i think it was run by don bailey, one of the shmoo guys, who was an obsd user once upon a time)

    I think for regular joe sixpack types, a SSL enabled gateway would be much more user friendly, similar to the commercial offerings that you find in hotels. Does anyone have any other examples like this?

    1. By bert ( thrashbluegrass at antisocial dot com on

      It's been done before, but the URL doesn't work; googling for "phpauthpf" only turned up references to the same URL. Perhaps you'll have better luck locating it than I did.

      1. By Anonymous Coward ( on

    2. By Brian ( on

      They usually don't work so well because http doesn't maintain a conection. There are ways around this, but they're all messy.

  3. By Anonymous Coward ( on

    I like this story better, because it also uses OpenVPN for privacy on the wireless network.

    1. By Luiz Gustavo ( on

      1. By sthen ( on

        "OpenVPN uses OpenSSL's SSL/TLS for its control channel, and so should be as secure as SSL/TLS in general. For the data channel it uses something based on IPsec's ESP, with IPsec-style sliding window replay detection. The key management step (that is, how to get from the SSL control channel to the data channel) is documented only in the source code, which I don't feel like reverse-engineering, but a quick look through it indicates that the author knows what he's doing."

        Doesn't sound too bad... This article is of course only describing things from a cryptographic point-of-view, it doesn't mention anything about whether the code is secure, well-designed etc. I'd be interested to hear comments about this, if anyone cares to make them... (I've generally been using ipsec vpn, but there have been occasions, e.g. over some GPRS networks, where this wasn't possible, however OpenVPN is working fairly reliably).

    2. By X ( on

      the idea of openvpn is good, but this gateway showing in this howto is secure like a porno star ass...the clear data will not stop ! u must block the clear data even u are authenticated with authpf, if not u will have a possibilie of clear data flowing. u must have rules for tun1 too.

  4. By Anonymous Coward ( on

    Does anybody know of a similar solution for NuFW ( on any BSD?
    Especially the two points outlined in the FAQ comparing authpf to NuFW are of interest to me (just posting an excerpt):

    How different is NuFW from authpf ?

    With authpf, a user authenticates when he connects to the gateway through ssh and rules are added at this moment. Thus there are two points :

    1. The rules are added once and cannot change dynamically after the user has logged in.

    2. Rules are linked to the IP the user has connected from. Thus, authpf is not resistant to either multiple logins on the same machine or either network address translation that can mask a ton of users behind an IP.

    With NuFW :
    Rules can be changed dynamically at any time (with the limitation that active (established, related) connexions are not closed)
    NuFW is tolerant to computers with multiple simultaneous users because each user authenticates his own connexions. NuFW is resistant to NAT because the real source IP address is contained in the encrypted authentication packet.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]