Openvpn


spearball
January 28th, 2008, 08:43 PM
Can I host OpenVPN on my gateway server here and connect all the computers through the VPN server, so everything sent through the network is secured?

Regardless of speed loss, is this a good way of doing it? My actual file server is on the gateway for now, so how can I protect the files on the server? The documents on it are pretty important. The server is running Linux.

z1p
January 29th, 2008, 01:08 PM
Can I host OpenVPN on my gateway server here and connect all the computers through the VPN server, so everything sent through the network is secured?

Regardless of speed loss, is this a good way of doing it? My actual file server is on the gateway for now, so how can I protect the files on the server? The documents on it are pretty important. The server is running Linux.

Hey spearball, are you looking to get a few questions answered for the price of 1? :D

You want to make sure that you have the firewall set up on the gateway (ipchains). Having the gateway as the file server is not the best config, but we do things because it's what we have to do.

Again, having the VPN server on the file server is less than ideal. If you can manage it, run the VPN on the gateway and use another machine for the file server.

Some quick questions at this time. Why are you looking to get a VPN running? Are you coming in from the internet? It sounds like you want to run your LAN traffic through a VPN.

spearball
January 30th, 2008, 04:02 AM
I was trying to run LAN traffic through the VPN, yeah, so it's encrypted. Some people just can't resist and try to intercept our traffic. This is why I'm asking: is a VPN the right way, or is there something else I can use to encrypt the network?

oracle128
January 30th, 2008, 08:40 AM
Are you talking about a wireless network? Or are people breaking into your building and physically jacking into a wired network? If it's the latter, you have bigger problems that require more than encryption to solve. Kerberos is great, but it's not magic...

spearball
January 30th, 2008, 08:49 PM
Yeah, I'm talking about my wireless-connected computers, since that signal is sent through the air. I did use WPA2 to encrypt the password to log into the router, but is this enough to keep users from seeing what is being sent over the wireless connections?

EDIT: OK, here is the setup I've got at work, in this order...

Internet modem
hardware router/firewall
gateway server with firewall (just as an extra protection)
wireless access point/switch
other networked PCs (both wired and wireless)

Basically I want to really make sure that no one can get into one of my PCs from the internet and gain access to the network, and also to make sure the wireless networks are encrypted properly, so any hacker around the area who decides to sniff my traffic won't be able to, or it will be really hard.

Or, I was thinking, is there a way to make the network inaccessible to someone even if he hacks through the gateway server?

oracle128
January 31st, 2008, 02:14 AM
Yeah, I'm talking about my wireless-connected computers, since that signal is sent through the air. I did use WPA2 to encrypt the password to log into the router, but is this enough to keep users from seeing what is being sent over the wireless connections?

That, and MAC filtering, and not broadcasting the SSID. If the data you need to transfer is sensitive enough that people will want to crack WPA2 to get at it, you shouldn't be using wireless at all.

Basically I want to really make sure that no one can get into one of my PCs from the internet and gain access to the network, and also to make sure the wireless networks are encrypted properly, so any hacker around the area who decides to sniff my traffic won't be able to, or it will be really hard.

Or, I was thinking, is there a way to make the network inaccessible to someone even if he hacks through the gateway server?

Be aware that gaining unauthorized access to the network and hacking a PC are completely different issues. Someone with access to your network does not necessarily have full access to the connected machines; that would require exploiting a separate flaw.

z1p
January 31st, 2008, 01:22 PM
That, and MAC filtering, and not broadcasting the SSID. If the data you need to transfer is sensitive enough that people will want to crack WPA2 to get at it, you shouldn't be using wireless at all.

Be aware that gaining unauthorized access to the network and hacking a PC are completely different issues. Someone with access to your network does not necessarily have full access to the connected machines; that would require exploiting a separate flaw.

I'm not looking to start a debate here, but while MAC filters and disabling SSID broadcast will deter someone from gaining access, WPA2 encryption does that much better. Changing a MAC address on a machine to pass through a MAC filter is a trivial task, and disabling SSID broadcast really will just make it harder for authorized users to find the WAP. Wireless access points (and routers) will still expose their SSID even if SSID broadcast is disabled. Getting a WAP to respond with its SSID is a trivial exercise. Even using something as basic as NetStumbler, you will see the SSIDs of WAPs that don't have broadcast enabled come and go. I also believe that the wireless config tool in Vista will show the SSIDs of WAPs that aren't broadcasting their SSID.

Let me put it this way. Are you familiar with the kids' game Marco Polo? [The person who is "it" closes their eyes and tries to find the others who are playing. They do this by saying 'MARCO', and the others who are playing respond 'POLO'.]

You can think of having SSID broadcasting enabled as saying 'POLO' every few seconds even if the person isn't looking for you and doesn't say 'MARCO'. Having SSID broadcast disabled is like only saying 'POLO' when 'MARCO' is called. Now that sounds like it may be quite a bit better, but if someone is looking for you and they are saying 'MARCO' every second, it is at least as easy for them to find you as if you were saying 'POLO' on your own every FEW seconds. There are wireless packets that can be constructed and easily broadcast that require a router to respond, and this response includes the SSID.

spearball
January 31st, 2008, 04:31 PM
Be aware that gaining unauthorized access to the network and hacking a PC are completely different issues. Someone with access to your network does not necessarily have full access to the connected machines; that would require exploiting a separate flaw.

Basically, you mean if someone were to hack into the gateway server from the WAN side, they wouldn't be able to see the network?

oracle128
January 31st, 2008, 09:40 PM
I'm not looking to start a debate here, but while MAC filters and disabling SSID broadcast will deter someone from gaining access, WPA2 encryption does that much better. Changing a MAC address on a machine to pass through a MAC filter is a trivial task, and disabling SSID broadcast really will just make it harder for authorized users to find the WAP. Wireless access points (and routers) will still expose their SSID even if SSID broadcast is disabled. Getting a WAP to respond with its SSID is a trivial exercise. Even using something as basic as NetStumbler, you will see the SSIDs of WAPs that don't have broadcast enabled come and go. I also believe that the wireless config tool in Vista will show the SSIDs of WAPs that aren't broadcasting their SSID.

I know MAC filtering and disabling SSID broadcasts are hardly foolproof. They are only minor barriers. But they certainly don't present any disadvantages, which is why I suggested using them in addition to, not as a replacement for, WPA2. Potential hackers still have to obtain a trusted MAC in order to disguise themselves as it, which you can secure with physical security. Also, changing the SSID is always a good idea when using WPA, seeing as the SSID is used to salt the PSK hash.

It comes down to a question of which is better: a 3-inch-thick steel wall, or a 3-inch-thick steel wall with an inch of concrete in front of it?

Basically, you mean if someone were to hack into the gateway server from the WAN side, they wouldn't be able to see the network?

They'd see the network. But "seeing the network" and "having full remote administrative access to all machines on the network" are completely different things.

z1p
February 1st, 2008, 01:29 PM
I know MAC filtering and disabling SSID broadcasts are hardly foolproof. They are only minor barriers. But they certainly don't present any disadvantages, which is why I suggested using them in addition to, not as a replacement for, WPA2. Potential hackers still have to obtain a trusted MAC in order to disguise themselves as it, which you can secure with physical security. Also, changing the SSID is always a good idea when using WPA, seeing as the SSID is used to salt the PSK hash.

It comes down to a question of which is better: a 3-inch-thick steel wall, or a 3-inch-thick steel wall with an inch of concrete in front of it?

They'd see the network. But "seeing the network" and "having full remote administrative access to all machines on the network" are completely different things.

I think a better analogy would be a 3-inch steel door with paper over it. Anyone capable of, or even inclined to try, breaking into a WPA-encrypted network would most likely be through the MAC filter in under 5 minutes. And yes, there is a downside to using MAC filters and disabling SSID broadcast. Doing either of these makes it more difficult for authorized users to gain access.

Also, while I agree it's a good idea to change the SSID, it's definitely not for security reasons. Changing your SSID makes it easier for authorized users to identify it and access it. Whether you use the default SSID or a custom SSID does not affect the robustness of the encryption; either value is easily known to a potential network intruder, as your SSID is always broadcast.

oracle128
February 2nd, 2008, 05:04 AM
Less than 5 minutes is a pretty good grace period considering it takes about that long to crack WPA2.

z1p
February 2nd, 2008, 04:32 PM
Less than 5 minutes is a pretty good grace period considering it takes about that long to crack WPA2.

5 minutes if you use a passphrase like 'oracle123'; it's a bit longer if you use something more complex and random.
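Added example, not from any poster in this thread: the WPA/WPA2-Personal key derivation that the discussion of "the SSID salts the PSK hash" and of passphrase complexity refers to. It shows that the same passphrase yields a different pairwise master key under a different SSID, and puts a rough work-factor number on dictionary-sized versus random passphrase spaces; the derivation rate of 1000 PMK/s is a constructed figure for illustration, not a measurement.

```python
import hashlib
import math


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PSK, used directly as the PMK (IEEE 802.11i):
    PBKDF2-HMAC-SHA1 over the passphrase, SSID as salt, 4096 iterations,
    256-bit output. This is the function a brute-force guess must repeat
    once per candidate passphrase, per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def same_passphrase_different_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the two SSIDs give different PMKs for one passphrase, i.e. a
    table precomputed for one SSID says nothing about a network using another."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def random_space(charset_size: int, length: int) -> int:
    """Number of candidates for a uniformly random passphrase."""
    return charset_size ** length


def entropy_bits(candidates: int) -> float:
    return math.log2(candidates)


def exhaust_seconds(candidates: int, pmk_rate: float) -> float:
    """Worst-case seconds to derive a PMK for every candidate at pmk_rate
    derivations per second (pmk_rate is a constructed assumption here)."""
    return candidates / pmk_rate


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE".
    print("PMK:", derive_pmk("password", "IEEE").hex())
    print("SSID changes the PMK:",
          same_passphrase_different_ssid("password", "IEEE", "linksys"))

    rate = 1000.0  # constructed: 1000 PBKDF2 derivations per second
    # A wordlist-plus-digits style candidate set versus a random passphrase.
    wordlist_style = 10 ** 6
    random_12 = random_space(62, 12)
    print(f"{entropy_bits(wordlist_style):.1f} bits -> "
          f"{exhaust_seconds(wordlist_style, rate) / 60:.1f} minutes")
    print(f"{entropy_bits(random_12):.1f} bits -> "
          f"{exhaust_seconds(random_12, rate) / (86400 * 365):.3g} years")
```

The known test vector lets you confirm the derivation against the standard before trusting the work-factor numbers, which scale directly with the size of the candidate set.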