
Wednesday, December 28, 2011

The VPN-only wireless network: phone home to get online

I want to see a different approach to providing public wireless access. There are just too many places where things can go wrong right now. If it's wide open, then all of your traffic is unencrypted and is just flying around in the clear. Anyone with Firesheep can give you a seriously bad day if you go to an http version of a site.

Even a shared password is no good, since the other clients can just sniff the per-client key transaction and then go to town. Further, spoofing control frames to force clients to start over can be used to increase the odds of hooking a given target.

What I'd like to see is a network which runs DHCP to assign addresses and hand out DNS server IP addresses. Then the only thing you can get out to the rest of the world is port 1194 for OpenVPN. The only way to do anything would be to tunnel back to some place you have already set up and go from there.
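As an added illustration (not code from the original post), here is a small model of that egress policy: an evaluator for the only three flows a client is allowed (DHCP, DNS to the gateway's own resolver, and OpenVPN on port 1194 to anywhere), plus the same policy rendered as an nftables ruleset. The gateway address, interface names and sample packets are assumptions constructed for the example.

```python
"""Model of the VPN-only guest network: clients get DHCP and DNS from the
gateway itself, and the only traffic forwarded to the Internet is OpenVPN
on port 1194. Addresses and interface names below are assumptions."""
from dataclasses import dataclass

GATEWAY = "192.168.50.1"          # assumed: the AP/router runs DHCP and DNS
LAN_IF, WAN_IF = "wlan0", "eth0"  # assumed interface names on the gateway


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    dst: str     # destination IPv4 address as a string
    dport: int   # destination port


def to_gateway_allowed(p: Packet) -> bool:
    """Input chain: DHCP (broadcast, udp/67) and DNS to the local resolver."""
    if p.proto == "udp" and p.dport == 67:
        return True
    return p.dst == GATEWAY and p.dport == 53


def forward_allowed(p: Packet) -> bool:
    """Forward chain: the sole permitted transit is OpenVPN on 1194."""
    return p.dst != GATEWAY and p.dport == 1194 and p.proto in ("udp", "tcp")


def decide(p: Packet) -> str:
    """Verdict for a packet arriving from a wireless client."""
    return "ACCEPT" if to_gateway_allowed(p) or forward_allowed(p) else "DROP"


def nftables_ruleset() -> str:
    """Render the same policy as an nft script (default policy: drop)."""
    return f"""table inet vpnonly {{
  chain input {{
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "{LAN_IF}" udp dport 67 accept
    iifname "{LAN_IF}" ip daddr {GATEWAY} meta l4proto {{ tcp, udp }} th dport 53 accept
  }}
  chain forward {{
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "{LAN_IF}" oifname "{WAN_IF}" meta l4proto {{ tcp, udp }} th dport 1194 accept
  }}
}}"""
```

Plain HTTP and HTTPS out to the world are dropped by the forward chain, so the only way to reach a website is through a tunnel that the client brings up on 1194 first.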

The key is for the network provider to block the activities which might be compromised. By not letting you transit the network by traditional means, the odds of you doing something which might get attacked are far lower.

Of course, if this takes off, I expect that people will want a new feature in their usual home access point/router box: a VPN endpoint on their public IP address. I assume that most people have a little Linksys box or similar right now, but they can't get back into it while out in the world.

Instead, imagine if your devices would tunnel back home and then go out from there when on untrusted networks. It would add latency, but I'd suffer a bit to keep people out of my accounts.

In a world where everyone has a tunnel back home no matter where they go, the whole notion of "cloud storage" starts falling apart. Why park your data with someone else when you can just sync between your devices? It shrinks right back down to being a backup possibility.

Finally, if people started cross-connecting these little boxes over their commodity Internet connections, it might become very interesting. I sort of hinted at this in a previous post about store and forward systems, but that was talking about software. This flavor of it would be rooted in those little blue boxes with antennas that everyone seems to own now.