WLAN Protection
IPSec WLAN protection with m0n0wall and TauVPN
Last update: 11.02.2008
This documentation describes the steps to establish an IPSec tunnel between m0n0wall 1.2 and TauVPN 0.37. I use this setup to protect my small home WLAN.
Many thanks to Manuel Kasper and Stefan Markowitz for great pieces of software!
Note:
With minor adjustments this setup will also work with pfSense, a fork of m0n0wall with a different aim. See www.pfsense.com and "Why the fork? What's wrong with m0n0wall?".
Table of Contents
1. Network setup
2. m0n0wall configuration
2.1 IPSec - Network Settings
2.2 IPSec - Phase 1
2.3 IPSec - Phase 2
2.4 ICMP Filter rule (optional)
3. TauVPN configuration
3.1 Creating a New Connection
3.2 Other Settings (optional)
1. Network setup
The graphic below gives an overview of the network setup and the IP networks used:

2. m0n0wall configuration
In m0n0wall you need to set up the IPSec connection and optionally add a filter rule that allows ICMP traffic to the DMZ IP of m0n0wall.
The ICMP filter rule was a requirement of TauVPN 0.36, which pings the local server IP to test connectivity and therefore must be able to reach m0n0wall via ICMP. (By default m0n0wall drops all traffic from the DMZ subnet to its DMZ interface IP.)
In version 0.37 of TauVPN this ping can be disabled, so step 2.4 is optional.
2.1 IPSec - Network Settings

- Interface: DMZ - This enables the IPSec connection on the DMZ interface
- Local Subnet: LAN subnet - The network that I want to connect to. This is the destination network as seen from the client.
- Remote Subnet: 192.168.2.5 - The IP address of the notebook
- Remote Gateway: 192.168.2.5 - Also the IP address of the notebook. I do not use the "Mobile Clients" tab because the IP of the notebook is well known and therefore allows this static setup.
2.2 IPSec - Phase 1

- Negotiation Mode: Main - TauVPN currently supports only this mode
- My Identifier: empty - Not needed in this configuration
- Encryption algorithm: 3DES - TauVPN currently supports only this encryption
- Hash algorithm: MD5 - TauVPN currently supports only this hash
- DH Key Group: 2 - TauVPN currently supports only this group
- Lifetime: 3500 - TauVPN's default setting
- Pre-Shared Key: random string - Use a string with at least 30 characters, upper/lower cases and numbers!
2.3 IPSec - Phase 2

- Protocol: ESP - We want encryption, not only authentication
- Encryption algorithm: 3DES - TauVPN currently supports only this encryption
- Hash algorithm: MD5 - TauVPN currently supports only this hash
- PFS Key Group: 2 - TauVPN currently supports only this group
- Lifetime: 3500 - TauVPN's default setting
2.4 ICMP Filter rule (optional)
Overview of the filter rule:

Detailed setup of the filter rule:
3. TauVPN configuration
The installation of TauVPN is very simple, but make sure to grab (and read) the latest howto at SourceForge.
3.1 Creating a New Connection

- Pre-shared key: random string - Use a string with at least 30 characters, upper/lower cases and numbers! Must match the string in 2.2 IPSec - Phase 1!
- Name: A descriptive name for the connection
- Server subnet: This is the network behind the VPN server - the LAN subnet
- Server IP: The IP of the VPN server - the DMZ IP of m0n0wall
- Server local IP: The LAN IP of m0n0wall
- CA subject: not needed - the tunnel uses a pre-shared key
3.2 Other Settings (optional)
Optionally you can disable the ping TauVPN sends when connecting. When disabled you don't need the filter rule of step 2.4.

The other settings can be left alone. The defaults are used, and the configuration of m0n0wall assumes that these defaults are used! If the connection works you can set it as default/autoconnect via the options dialog in TauVPN.
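The settings of sections 2 and 3 only work if both sides agree: the same pre-shared key, the same Phase 1/Phase 2 proposals, ESP rather than AH, and the m0n0wall subnets/IPs mapped onto the matching TauVPN fields. The following script is an added example (not part of this howto, nor of m0n0wall or TauVPN) that encodes these rules as a consistency check; all IP addresses, subnets and the key are constructed sample values, and the dictionary keys just mirror the howto's field labels.

```python
import ipaddress

# Constructed sample values for the two sides of the tunnel; the keys mirror
# the field labels of the howto and are not any real m0n0wall or TauVPN API.
PROPOSAL_P1 = {"mode": "main", "enc": "3des", "hash": "md5", "dh": 2, "lifetime": 3500}
PROPOSAL_P2 = {"proto": "esp", "enc": "3des", "hash": "md5", "pfs": 2, "lifetime": 3500}
PSK = "Kq7wXz2pLm9RtV4bNc8HsJ3fGd6YaE1uQ"  # constructed, 33 characters

M0N0WALL = {                            # sections 2.1 to 2.3
    "dmz_subnet": "192.168.2.0/24",     # subnet of the DMZ interface (assumed)
    "local_subnet": "192.168.1.0/24",   # LAN subnet behind m0n0wall (assumed)
    "remote_subnet": "192.168.2.5/32",  # the notebook
    "remote_gateway": "192.168.2.5",
    "phase1": dict(PROPOSAL_P1), "phase2": dict(PROPOSAL_P2), "psk": PSK,
}
TAUVPN = {                              # section 3.1
    "client_ip": "192.168.2.5",
    "server_subnet": "192.168.1.0/24",  # network behind the VPN server
    "server_ip": "192.168.2.1",         # m0n0wall DMZ IP (assumed)
    "phase1": dict(PROPOSAL_P1), "phase2": dict(PROPOSAL_P2), "psk": PSK,
}

def psk_is_strong(psk):
    """Rule from the howto: 30+ characters with upper case, lower case and digits."""
    return (len(psk) >= 30 and any(c.isupper() for c in psk)
            and any(c.islower() for c in psk) and any(c.isdigit() for c in psk))

def check_tunnel(m0n0, tau):
    """Return the list of mismatches; an empty list means both sides agree."""
    net, addr = ipaddress.ip_network, ipaddress.ip_address
    problems = []
    if m0n0["psk"] != tau["psk"]:
        problems.append("pre-shared key of 2.2 and 3.1 differ")
    if not psk_is_strong(m0n0["psk"]):
        problems.append("pre-shared key is too weak")
    for phase in ("phase1", "phase2"):
        if m0n0[phase] != tau[phase]:       # both ends must propose the same algorithms
            problems.append(phase + " proposal mismatch")
    if m0n0["phase2"]["proto"] != "esp":    # AH would authenticate but not encrypt
        problems.append("phase 2 must use ESP to encrypt the WLAN traffic")
    if net(m0n0["local_subnet"]) != net(tau["server_subnet"]):
        problems.append("Local Subnet (2.1) must equal Server subnet (3.1)")
    if m0n0["remote_gateway"] != tau["client_ip"] or addr(tau["client_ip"]) not in net(m0n0["remote_subnet"]):
        problems.append("Remote Subnet/Gateway (2.1) do not point at the notebook")
    for ip in (tau["client_ip"], tau["server_ip"]):
        if addr(ip) not in net(m0n0["dmz_subnet"]):  # the tunnel runs across the DMZ
            problems.append(ip + " is not in the DMZ subnet")
    return problems
```

Run `check_tunnel(M0N0WALL, TAUVPN)` after filling in your own values; any returned string names the section whose setting has to be corrected.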
Happy tunneling!
