Chapter 16. Securing a wireless network with openvpn

Revision History
Revision 0.82003-05-23SM
initial revision

Table of Contents

Step 1: declare the appropriate packages and modules
Step 2: configure openvpn
Step 3: configure Shorewall
Step 3: configure your linux wireless clients
Useful references


You can use OpenVPN to create a slim, secure tunnel between two subnets. OpenVPN has several key benefits:

  • does not require kernel patching

  • uses a single UDP port for all secured communications

  • uses OpenSSL cryptographic routines

My specific reaons for using OpenVPN were to easily secure the wireless portion of my home LAN. WEP (Wireless Encryption Protocol) is a good start for securing wireless communications, but it's not enough.

The configuration steps listed below are those I used to achieve my goals. They should be easily modified for other situations (most notably subnet-to-subnet connections across the internet).

Comments on this section should be addressed to its maintainer Scott Merrill .

Step 1: declare the appropriate packages and modules

Download the openvpn.lrp and the ifconfig.lrp packages on your boot media and declare them in the syslinux.cfg file.

Download the tun.o module in the /lib/modules Bering directory. Be sure to download it from the directory corresponding to the version you are using!

Declare the tun.o module in /etc/modules and backup modules.lrp.


If you use Bering 1.0 or 1.1 you will need to create first the /net/dev/tun device at boot time by adding the following statement in the /var/lib/lrpkg/

#Tun device
mknod net/tun c 10 200 >null 2>&1

Then backup initrd.lrp, reboot and check that your device is now created (ls -la /dev/net/tun).

Step 2: configure openvpn

Create a pre-shared key:

  cd /etc/openvpn
  openvpn --genkey --secret secret.key

Edit the /etc/openvpn/openvpn.conf file:

  # I use the tun device
  dev tun
  # local  =
  # remote =
  # the pre-shared key must reside in /etc/openvpn
  secret secret.key
  # ping every 15 seconds to keep the tunnel up (probably unnecessary)
  ping 15

Step 3: configure Shorewall

Read the Shorewall documentation Openvpn section.

Define a new Shorewall Zone:


Define the VPN policy:

# if they're on the VPN, we can trust them -- can't we?
vpn	all	ACCEPT

Define the masquerading policy:

# we can't use the interface name here because Shorewall will choke if it's not up yet

Step 3: configure your linux wireless clients

Load the tun.o module:

sudo insmod tun

You may need to make the tun device:

sudo mkdir /dev/net
sudo mknod /dev/net/tun c 10 200

Copy the pre-shared key from LEAF/Bering:

scp root@ .

Start openvpn

sudo openvpn --dev tun --ifconfig --remote --secret secret.key --daemon

Use the tunnel as the default route:

sudo /sbin/route add default gw

Test the tunnel:


Useful references