San Sebastián de los Reyes, Madrid, Spain. May 30, 2010.
Mi WiFi es mi WiFi
San Sebastián de los Reyes, Madrid, Spain. April 17, 2010.

Mi WiFi es mi WiFi

How to set up a secure (WiFi) guest network using an outdated Airport Express, a cheap EdgeRouter, a top-secret VPN, and a delicious watermelon.

So I have an older model Apple Airport Express, a Ubiquiti EdgeRouter, and an OpenVPN connection. I also have people visiting my house whom I don’t trust. Or rather, I don’t trust their devices to be free of garbage, and I don’t trust my devices to not be susceptible to garbage.

Seems like an easy thing to fix. Almost.

Since I run my Airport Express in bridge mode it only shows up as a single network interface on the EdgeRouter. There isn’t really an obvious, or documented, way to differentiate between the guest network and the “main” network. Of course, a quick think will lead you to the conclusion that Apple are probably using VLANs. And since this is an older device the VLAN ID is only a short web search away. Spoiler: it’s 1003.

Okay, so after configuring the guest network on the Airport Express, which is straightforward, we can assign an address on the EdgeRouter:

set interfaces ethernet eth1 vif 1003 address 10.0.2.1/24

The next obvious step is to set up an extra DHCP subnet and pool on the EdgeRouter:

service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name GuestWifi {
            subnet 10.0.2.0/24 {
                default-router 10.0.2.1
                dns-server 10.0.2.1
                lease 86400
                start 10.0.2.100 {
                    stop 10.0.2.200
                }
            }
        }
    }
}

Of course the name server has to be reconfigured to also listen on the new VLAN interface:

set service dns forwarding listen-on eth1.1003

Right now you should have working Internet access on the guest network. However, in most setups, the EdgeRouter will do what it does best and start routing traffic between your internal networks. You’ll also, most likely, be able to access other devices and the EdgeRouter itself. No bueno.

Let’s fix the Internet access first. The way I did this was by creating a .ovpn configuration file for the VPN. Of course all this can also apply to L2TP/IPsec VPNs, or whatever other (virtual) interface provider. Using a .ovpn file with inline certificates is as simple as uploading the file to your /config and running:

set interfaces openvpn vtun0 config-file /config/vpn-service.ovpn

Note: If the OpenVPN server pushes routes, make sure the configuration contains the route-noexec option, so that pushed routes are not installed in the main routing table.

After committing the change, the interface should be up without routing active. You can either use a route-up script from within the OpenVPN configuration, or you can set up a static routing table for it:

protocols {
    static {
        table 2 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
            interface-route 10.0.2.0/24 {
                next-hop-interface eth1.1003 {
                }
            }
        }
    }
}

Note that this is not the default routing table. So we’ll have to tell the EdgeRouter to use this table for the guest VLAN:

firewall {
    modify GUEST_MODIFY {
        rule 10 {
            description "Guest Network to VPN"
            modify {
                table 2
            }
            source {
                address 10.0.2.0/24
            }
        }
    }
}
set interfaces ethernet eth1 vif 1003 firewall in modify GUEST_MODIFY

And that should get you Internet access through the VPN without being able to access your “main” network devices. Except for your EdgeRouter. So let’s just firewall it some more.

firewall {
    group {
        network-group RFC1918 {
            network 10.0.0.0/8
            network 192.168.0.0/16
            network 172.16.0.0/12
        }
    }
    name GUEST_IN {
        default-action accept
        description "Incoming traffic from Guest network"
        rule 10 {
            action reject
            destination {
                group {
                    network-group RFC1918
                }
            }
        }
    }
}
set interfaces ethernet eth1 vif 1003 firewall in name GUEST_IN

This is very permissive, but it still makes sure we don’t (accidentally) route private addresses. That still leaves the EdgeRouter itself, so we need a ruleset for traffic addressed to the router, while making sure we do still allow DNS and ICMP:

firewall {
    name GUEST_LOCAL {
        default-action drop
        description "Connections to router from Guest network"
        enable-default-log
        rule 10 {
            action accept
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action accept
            protocol icmp
        }
        rule 40 {
            action accept
            destination {
                port 53
            }
            protocol udp
        }
    }
}
set interfaces ethernet eth1 vif 1003 firewall local name GUEST_LOCAL
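As an added sanity check (not part of the original post, and not EdgeOS code), here is a small Python model of GUEST_IN and GUEST_LOCAL with EdgeOS first-match semantics, so the intended isolation can be checked case by case before committing. The router’s main-LAN address 192.168.1.1 and the guest client 10.0.2.100 are assumptions.

```python
import ipaddress

# Constructed model (not the router's own code) of the two rulesets from the
# post. EdgeOS evaluates rules in ascending order and applies the ruleset's
# default action when none matches.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
GUEST_NET = ipaddress.ip_network("10.0.2.0/24")
# Addresses owned by the EdgeRouter itself: the guest VLAN gateway from the
# post plus an ASSUMED main-LAN address (192.168.1.1) for illustration.
ROUTER_ADDRS = {ipaddress.ip_address("10.0.2.1"), ipaddress.ip_address("192.168.1.1")}

# A ruleset is (default_action, [(action, match_function), ...]).
GUEST_IN = ("accept", [
    ("reject", lambda p: any(p["dst"] in n for n in RFC1918)),        # rule 10
])
GUEST_LOCAL = ("drop", [
    ("accept", lambda p: p["state"] in ("established", "related")),  # rule 10
    ("accept", lambda p: p["proto"] == "icmp"),                       # rule 30
    ("accept", lambda p: p["proto"] == "udp" and p["dport"] == 53),   # rule 40
])

def evaluate(ruleset, packet):
    default_action, rules = ruleset
    for action, matches in rules:
        if matches(packet):
            return action
    return default_action

def verdict(src, dst, proto="tcp", dport=None, state="new"):
    """Verdict for a packet arriving on eth1.1003 from the guest network."""
    packet = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
              "proto": proto, "dport": dport, "state": state}
    if packet["src"] not in GUEST_NET:
        raise ValueError("only guest-sourced traffic is modelled")
    # Packets addressed to the router hit the 'local' ruleset (GUEST_LOCAL);
    # everything else is forwarded and hits the 'in' ruleset (GUEST_IN).
    if packet["dst"] in ROUTER_ADDRS:
        return evaluate(GUEST_LOCAL, packet)
    return evaluate(GUEST_IN, packet)

def isolation_report():
    """Outcomes a practitioner would expect to confirm from a guest device."""
    return {
        "internet via VPN":         verdict("10.0.2.100", "203.0.113.10", "tcp", 443),
        "main LAN host":            verdict("10.0.2.100", "192.168.1.50", "tcp", 445),
        "router DNS":               verdict("10.0.2.100", "10.0.2.1", "udp", 53),
        "router SSH":               verdict("10.0.2.100", "10.0.2.1", "tcp", 22),
        "router ping":              verdict("10.0.2.100", "10.0.2.1", "icmp"),
        "router main-LAN addr DNS": verdict("10.0.2.100", "192.168.1.1", "udp", 53),
    }
```

The last case is worth noticing: rule 40 has no destination address, so DNS to any address the router owns, not just 10.0.2.1, is accepted by GUEST_LOCAL.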

And that’s that. Do note that this setup does not guarantee total privacy and security. The main obvious hole is the DNS server. Lookups will still pass through your EdgeRouter, and it will forward requests to whatever name server you already had configured.

If you run an open WiFi service, or you have people visiting your house who are into highly illegal things, you are definitely going to want to close that hole too. If, like me, your main concern is your cousin’s Android 4 tablet being part of a botnet this should do nicely to not make it your problem.

P.S.: I lied about the watermelon, except for the part where it was delicious.