Building And Integrating Virtual Private Networks With Openswan (2006).pdf
Chapter 10: Encrypting the Local Network

Those who remember how Opportunistic Encryption works (see Chapter 5) know that the client is now fully set up to use OE. Of course, the default gateway already has its public key in the reverse DNS zone for its own IP address. The client then initiates an OE connection that is the equivalent of:

conn wavesec
    left=IP.obtained.from.DHCP.server
    right=IP.of.WaveSEC.server
    rightsubnet=0.0.0.0/0
    leftrsasigkey=YOUR-PUBLIC-KEY
    rightrsasigkey=%dnsondemand
    auto=start

When this connection is started, the client performs a DNS lookup in the reverse zone of the WaveSEC server's IP address to see whether it can obtain a public key from an IPSECKEY, TXT, or KEY record. The WaveSEC server, which is configured for full OE, receives the incoming connection request and performs a similar DNS lookup for the client's IP address. At this point both client and server have each other's public key, and they can proceed to set up an IPsec connection through which all the client's traffic is tunnelled.

Catch 22 Traffic

There is one catch though. We left out a little detail. If the WaveSEC tunnel is up, then all the client's traffic will go through the tunnel. This unfortunately includes DHCP requests. When the client's DHCP lease expires, it will ask for an extension of the lease. These DHCP packets either need to be exempted from the tunnel, or they need to be relayed to the DHCP server and back. The first method is the easiest to implement, since it only requires a small script that uses the iptables fwmark option, and the ip command.

To make things a little easier, we will also exempt DNS traffic to prevent bootstrap problems. We have also found that it is very useful to exempt ICMP echo requests and replies, so that people can tell the difference between the wireless failing, and WaveSEC failing.
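The following script is an added example and is not part of the book or of the WaveSEC distribution. It shows one way to build the "small script" described above: the exempt traffic (DHCP renewals, DNS, ICMP echo) is marked with the iptables fwmark option, and a policy-routing rule created with the ip command sends marked packets straight to the wireless gateway instead of over the IPsec interface. It assumes a KLIPS-style setup in which only traffic routed over the ipsec interface is encrypted; the interface name, gateway address, mark value and table number are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the book: exempt DHCP, DNS and ICMP echo traffic from
# the WaveSEC tunnel by marking it with iptables (fwmark) and routing marked
# packets out of the wireless interface through a separate routing table.
# Assumes a KLIPS-style setup where only traffic routed over the ipsec interface
# is tunnelled. Interface name, gateway, mark value and table number are
# constructed placeholders, not values from the page.
#
# usage: wavesec-bypass.sh print IFACE GATEWAY   (show the commands)
#        wavesec-bypass.sh apply IFACE GATEWAY   (run them, as root)

MARK=1        # fwmark placed on packets that must stay out of the tunnel
TABLE=100     # policy-routing table whose default route bypasses ipsec0
MODE=${MODE:-print}

# run_cmd: echo the command so it can be reviewed, execute it only in apply mode.
run_cmd() {
    echo "$*"
    if [ "$MODE" = "apply" ]; then
        "$@"
    fi
}

# bypass_rules IFACE GATEWAY: mark the exempt traffic and give it its own route.
bypass_rules() {
    iface=$1
    gw=$2
    # DHCP renewals: client port 68 to server port 67.
    run_cmd iptables -t mangle -A OUTPUT -p udp --sport 68 --dport 67 -j MARK --set-mark "$MARK"
    # DNS over udp and tcp: needed before the tunnel exists (bootstrap).
    run_cmd iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark "$MARK"
    run_cmd iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark "$MARK"
    # ICMP echo in both directions: lets users tell a wireless failure from a
    # WaveSEC failure.
    run_cmd iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request -j MARK --set-mark "$MARK"
    run_cmd iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply -j MARK --set-mark "$MARK"
    # Marked packets consult TABLE, whose default route goes straight to the gateway.
    run_cmd ip rule add fwmark "$MARK" table "$TABLE"
    run_cmd ip route add default via "$gw" dev "$iface" table "$TABLE"
    # Drop cached routing decisions so the new rule takes effect immediately.
    run_cmd ip route flush cache
}

# When called with MODE IFACE GATEWAY on the command line, run it.
if [ $# -eq 3 ]; then
    MODE=$1
    bypass_rules "$2" "$3"
fi
```

Run it first in print mode and check the generated commands against the interface and gateway the DHCP client actually obtained. On the native NETKEY stack, IPsec policies are matched independently of the routing decision, so the mark alone exempts nothing there; that stack needs passthrough policies for the same traffic instead.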

Building a WaveSEC Server

The components that are needed on the WaveSEC server are the DHCP service, the DNS service, and the IPsec service. We have used the Internet Software Consortium's DHCP server (and DHCP client), and their BIND-9 name server software. For the IPsec service, we naturally use Openswan. We also need to set up some iptables rules on the WaveSEC server.

DHCP Server Setup

You will need a patched ISC DHCP 3.0.1rc9 server. You can either download the patch, or the patched sources from the WaveSEC website at http://www.wavesec.org/.

You need to configure DHCP to use dynamic DNS. An example configuration for /etc/dhcpd.conf is listed below:

ddns-update-style interim;

# option definitions common to all supported networks...
option domain-name "wavesec.openswan.org";
option domain-name-servers ns.wavesec.openswan.org;
default-lease-time 2400;
max-lease-time 7200;

key update.1.168.192.in-addr.arpa. {
    algorithm hmac-md5;
    secret "TheSecretIsWithXenu";
}

zone 1.168.192.in-addr.arpa. {
    key update.1.168.192.in-addr.arpa.;
    primary 192.168.1.1;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
    authoritative;
    range 192.168.1.50 192.168.1.199;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
}

option oe-key code 159 = string;
option oe-gateway code 160 = ip-address;

on commit {
    if (not static and
        ((config-option server.ddns-updates = null) or
         (config-option server.ddns-updates != 0))) {
        if exists oe-key {
            set ddns-rev-name = concat (binary-to-ascii (10, 8, ".",
                                            reverse (1, leased-address)), ".",
                                        pick (config-option server.ddns-rev-domainname,
                                              "in-addr.arpa."));
            set full-oe-key = option oe-key;
            switch (ns-update (delete (IN, 25, ddns-rev-name, null),
                               add (IN, 25, ddns-rev-name, full-oe-key, lease-time / 2))) {
            default:
                unset ddns-rev-name;
                break;
            case NOERROR:
                on release or expiry {
                    switch (ns-update (delete (IN, 25, ddns-rev-name, null))) {
                    case NOERROR:
                        unset ddns-rev-name;
                        break;
                    }
                }
            }
        }
    }
}

You can download this configuration file from www.wavesec.org.

If you were not already running a DHCP service on the WaveSEC machine, you will need to create an empty DHCP lease file. The exact location depends on your distribution, but is usually /var/lib/dhcp/dhcpd.leases or /var/state/dhcp/dhcpd.leases. If you do not know where your distribution expects this file, just start dhcpd and check the error log. If you switched from a distribution dhcpd to a compiled dhcpd, you might want to move the lease file from one location to the other, or symlink them.


DNS Server Setup

The name server should be configured as a recursive name server. It should also be the primary name server for the IP range used on your WiFi network, which in our example is 192.168.1.0/24. Add the following section to your named.conf to allow the DHCP server to send dynamic DNS updates for the local network:

key update.1.168.192.in-addr.arpa. {
    algorithm hmac-md5;
    secret "TheSecretIsWithXenu";
};

Also change or add the local zone so it will allow dynamic updates. The location of the BIND data files depends on the distribution, and could also be stored in /var/named. Our example uses /etc/bind/:

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.1.168.192.in-addr.arpa";
    allow-update { key update.1.168.192.in-addr.arpa; };
};

You will also need to create the /etc/bind/db.1.168.192.in-addr.arpa file that contains the DNS information of your LAN's reverse zone:

$ORIGIN .
$TTL 604800     ; 1 week
1.168.192.in-addr.arpa  IN SOA  1.168.192.in-addr.arpa. root\@wavesec.openswan.org. (
                                2005081613  ; serial
                                604800      ; refresh (1 week)
                                86400       ; retry (1 day)
                                2419200     ; expire (4 weeks)
                                604800      ; minimum (1 week)
                                )
                        NS      ns.wavesec.openswan.org.
$ORIGIN 1.168.192.in-addr.arpa.
$TTL 1200       ; 20 minutes
127                     PTR     localhost.wavesec.openswan.org.
$TTL 604800     ; 1 week
1                       PTR     wavesec.openswan.org.
                        KEY     16896 4 1 (
                                AQNzGEFs18VKT00sA+4p+GUKn9C55PYuPQca6C+9Qhj0
                                jfMdQnTRTDLeI+lp9TnidHH7fVpq+PkfiF2LHlZtDwMu
                                rLlwzbNOghlEYKfQ080WlOTTUAmOLhAzH28MF70q3hzq
                                0m5fCaVZWtxcV+LfHWdxceCkjBUSaTFtR2W12urFCBz+
                                SB3+OM33aeIbfHxmck2yzhJ8xyMods5kF3ek/RZlFvgN
                                8VqBdcFVrZwTh0mXDCGN12HNFixL6FzQ1jQKerKBbjb0
                                m/IPqugvpVPWVIUajUpLMEmi1FAXc1mFZE9x1SFuSr0N
                                zYIu2ZaHfvsAZY5oN+I+R2oC67fUCjgxY+t7 ) ; key id = 25579

The key record listed here is the key record of the WaveSEC server itself. It needs to be in the DNS so that WaveSEC clients can look it up. All the clients' KEY records, or IPSECKEY/TXT records if that is what you are using, will appear dynamically when the clients register these through the DHCP protocol. BIND stores these dynamic DNS records in a separate journal file, /etc/bind/db.1.168.192.in-addr.arpa.jnl.

Do not edit or remove the journal file while the BIND name server is running.
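The script below is an added example, not code from the book or from the WaveSEC or ISC projects. It reproduces by hand what the dhcpd on commit hook does, so that the dynamic-update path between the DHCP and DNS servers can be exercised and checked without a WaveSEC client: ip_to_rev builds the same reverse name the hook computes from the leased address, nsupdate_batch writes the delete/add of the KEY record (type 25, TTL of half the lease time) that nsupdate can send signed with the hmac-md5 key from dhcpd.conf and named.conf, release_batch is the release-or-expiry path, and oe_lookup_cmds lists the dig queries a WaveSEC peer issues for IPSECKEY, TXT and KEY records as described in the Opportunistic Encryption section above. The lease address, lease time and key data are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the book: drive the dynamic DNS update that the dhcpd
# "on commit" hook performs, and show the lookups a WaveSEC peer makes.
# TSIG key name/secret and server come from the configuration shown in the text;
# the lease address, lease time and public key below are constructed samples.

TSIG_NAME=update.1.168.192.in-addr.arpa.
TSIG_SECRET=TheSecretIsWithXenu
SERVER=192.168.1.1

# ip_to_rev A.B.C.D -> D.C.B.A.in-addr.arpa.
# This is what reverse()/binary-to-ascii()/concat() produce in the dhcpd hook.
ip_to_rev() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# nsupdate_batch IP LEASE_SECONDS KEY_RDATA: print an nsupdate script that
# replaces the KEY record for the lease with TTL = lease-time / 2, as the hook does.
nsupdate_batch() {
    name=$(ip_to_rev "$1")
    ttl=$(( $2 / 2 ))
    printf 'server %s\n' "$SERVER"
    printf 'update delete %s IN KEY\n' "$name"
    printf 'update add %s %d IN KEY %s\n' "$name" "$ttl" "$3"
    printf 'send\n'
}

# release_batch IP: the "on release or expiry" path, removing the record again.
release_batch() {
    printf 'server %s\nupdate delete %s IN KEY\nsend\n' "$SERVER" "$(ip_to_rev "$1")"
}

# oe_lookup_cmds IP: the reverse-zone lookups an OE peer tries for this address.
oe_lookup_cmds() {
    name=$(ip_to_rev "$1")
    for t in IPSECKEY TXT KEY; do
        echo "dig @$SERVER +short $name $t"
    done
}

# Constructed sample data: a lease, its duration, and a placeholder RSA key.
SAMPLE_IP=192.168.1.57
SAMPLE_LEASE=2400
SAMPLE_KEY="16896 4 1 AQNzEXAMPLEKEYBASE64=="

case "${1:-}" in
    send)
        # Push the update, authenticated with the shared hmac-md5 TSIG key.
        nsupdate_batch "$SAMPLE_IP" "$SAMPLE_LEASE" "$SAMPLE_KEY" \
            | nsupdate -y "hmac-md5:$TSIG_NAME:$TSIG_SECRET"
        ;;
    release)
        release_batch "$SAMPLE_IP" | nsupdate -y "hmac-md5:$TSIG_NAME:$TSIG_SECRET"
        ;;
    show)
        nsupdate_batch "$SAMPLE_IP" "$SAMPLE_LEASE" "$SAMPLE_KEY"
        oe_lookup_cmds "$SAMPLE_IP"
        ;;
esac
```

Running it with show prints the update and the verification queries without touching the server; after send, the dig commands should return the KEY record with a TTL of 1200, and after release they should return nothing. Keep the TSIG secret out of world-readable scripts in practice; both dhcpd.conf and named.conf already hold it, and this script only needs it because it stands in for dhcpd.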
