Re: question on
As I've not done this myself on obsd yet I can't help you with any
specifics - yet.

I've been reading the various obsd lists for the past few weeks as
preparation for migrating my own system to use obsd as a firewall++. I
expect I'll complete my project in 6-10 weeks, depending on my social
and work loads. I'll be happy to help out more by then.

For now I suggest you search the archives for firstname.lastname@example.org for "VPN"
or "IPSEC" and read it all. Be sure to read the appropriate man pages as
well [vpn(8), ipsec(4)] and the OBSD FAQ on IPSEC,
http://www.openbsd.org/faq/faq13.html . If this is not enough, try
learning a bit more about IPSEC and VPNs first - http://www.faqs.org has
tons of reasonable content.

Getting a VPN up and running is a complicated project. I suggest that
you start small. Try getting something working (back it up) and keep
improving it until you have what you want. Having a couple of scratch
machines to build a 'play' network is very useful for this kind of fun.

From: email@example.com [mailto:firstname.lastname@example.org] On Behalf
Sent: Tuesday, March 05, 2002 22:53
Subject: Re: question on

Thanks for your answer, although I do not fully understand all of it.

On Tue, 5 Mar 2002, Ram wrote:
> Hi Clarence.
> Where is the VPN in the diagram? If you run a VPN on your internal
> network then you are in good shape- simply require all access to
> to use the VPN. This is pretty good.

Yes, an internal VPN should be part of the answer. For the past few days,
I have studied the FAQ (VPN using X509 on OBSD), examples from the internet,
email, books... I tried to go through the examples with vpn (obsd) and
PGPnet. However, I finally messed up all the things about the VPN.
I think I need some working examples for setting up the VPN using X509, which
I am going to use for my LAN. Can you show me some direction for it? I
need not every detail of VPN using X509, but some basic and practical
working steps and examples. Thanks.

> You can also require WEP to make it a bit more difficult to connect to
> your wireless network. This is not very good, but it helps a bit.

I do not think that is what I want either.

> You can also configure your wireless access point to deny clients
> have unknown MAC addresses.

I don't have an access point. What I am using is an obsd-3.0 machine
acting like an access point using wicontrol commands. I think it could be
done using pf, but it would be trouble if there are machines.

> You can also configure your obsd-gw to deny internal packets from
> unknown IP addresses [then you should use static IP addresses on your
>
> Note that your weakest machine is your weakest link, so if you run an
> unpatched windows machine with "share C$ to all with no password" then
> your IPSEC / VPN would be useless against a "copy and paste" attack of
> your private key.
>
> If you don't use a VPN internally you can still use the rest of the
>
> Hope this helps,
>
> -----Original Message-----
> From: email@example.com [mailto:firstname.lastname@example.org] On Behalf
> Of Clarence
> Sent: Tuesday, March 05, 2002 05:54
> To: email@example.com
> Subject: question on
>
> For a couple of days, I spent most of the time studying the setup of
> VPN, X509... for the infrastructure (LAN). However, I have one
> in my mind that confuses me very much. Let me present it with the
> list below.
>
> internet <--> openbsd-gw <--> internal LAN (wireless / wired)
>
> The question is: how can the sys admin guard against an illegal user
> from the internal LAN using the facilities of the openbsd-gw? He
> knows the IP of the openbsd-gw, DNS server. For example, he/she may
> a laptop with a wireless LAN and set up all necessary settings to use
> facilities of the GW. How can the sys admin control it? If it is
> question, please forget me. Thanks.
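
Ram's suggestion above of having the obsd-gw "deny internal packets from unknown IP addresses", written out as a pf.conf fragment; this is an added example, not from the thread, and as Ram already says of WEP it only raises the bar, so logging the blocked packets (to make an unexpected laptop visible) and the VPN remain the real controls. It assumes current OpenBSD pf syntax (the pf in obsd-3.0 had neither tables nor match/nat-to), and the interface names and addresses are invented.

```pf
# Added example, not from the thread.  Current OpenBSD pf.conf syntax is
# assumed; interface names and addresses below are constructed.

int_if = "wi0"            # internal wireless interface on the openbsd-gw
ext_if = "fxp0"           # internet-facing interface

# Machines the admin has registered, each with a fixed (static) address.
table <lan_hosts> const { 192.168.1.10, 192.168.1.11, 192.168.1.12 }

set skip on lo

# Default deny; logged blocks can be watched on pflog0
# (tcpdump -n -e -ttt -i pflog0).
block log all

# Anything arriving on the internal interface from an address that is not
# a registered host is dropped before any pass rule can match it.  The log
# entry is what tells the admin that an unknown machine tried to use the GW.
block in log quick on $int_if from ! <lan_hosts> to any

# Registered hosts may use the gateway's own services (DNS etc.) and be
# forwarded out to the internet.
pass in on $int_if from <lan_hosts> to any

# Translate forwarded traffic to the external address and let it out,
# together with the gateway's own outbound traffic.
match out on $ext_if from <lan_hosts> nat-to ($ext_if)
pass out on $ext_if
```

Load it with `pfctl -f /etc/pf.conf` and check the rules with `pfctl -sr`; the table can be adjusted later with `pfctl -t lan_hosts -T show` once `const` is removed from its definition.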