OpenHarbors - Dynamic Tunneling of WPA over IP/L2TP

Linus Lüssing linus.luessing at c0d3.blue
Wed Jun 19 02:03:29 PDT 2024


Hi,

It's been a while since I last posted here. But I wanted to share
a small project idea that has been on my mind for quite a while
now, especially for wireless community mesh networks like Freifunk,
which I'm now finally able to work on thanks to some nlnet
funding:

https://nlnet.nl/project/OpenHarbors/
https://www.open-mesh.org/projects/open-mesh/wiki/OpenHarbors

The idea is to dynamically tunnel WPA frames over IP/L2TP to some
remote host based on the domain part / realm in the outer, unencrypted
identity in EAPoL. So basically moving the authenticator away from
the wireless AP to some remote site chosen by the user:

If a user uses user123@my-home.net they'd be forwarded to
my-home.net. If customer333@vpn-provider.org, then to
vpn-provider.org. These domains wouldn't need to be added to a
config on the AP, since they are determined/parsed on demand from EAPoL.

This will of course involve changes to hostapd, which I'm
hoping to get upstream. So I wanted to pitch this idea here
first before I start coding next month, as I think it's generally
nice for open source projects to do so, to avoid a situation where, just by
coincidence, someone is working on something similar at the same
time, and to avoid going in a direction upstream maintainers
would not like.

My plans for hostapd more specifically are the following:

AP side:

1) Get hostapd to set up an ESSID "OpenHarbors" for the AP
(long term it should probably use some vendor information
elements instead? But that would need client-side/supplicant support/changes)
2) Get hostapd + Linux kernel to emit WPA CCMP frames encapsulated
in an ethernet frame on the Wifi interface.
3) Get hostapd to use a wifi AP interface per STA for this, similar
to WDS mode.
4) Get hostapd to create an L2TP interface depending on the domain
it found in EAPoL / EAP-TTLS.
5) Get hostapd to create a bridge interface over the per-STA AP wifi
interface and the corresponding L2TP interface.


Remote authenticator server side:

1) Get hostapd to listen on an L2TP interface for incoming EAPoL
2) Get hostapd to create a special mac80211_hwsim virtual wifi
interface based on received EAPoL, use it to receive and decrypt the
WPA CCMP frames from the Linux kernel's WPA encryption/decryption
code, have hostapd install the PMK to it.
3) (Either have hostapd create extra L2TP + mac80211_hwsim + bridge interfaces
   per client, or only use this single L2TP interface and apply
   the corresponding filters to the bridge?)


If anyone has any thoughts, ideas, suggestions or considerations
on this rough, initial plan, I'd be happy to hear about it.

Regards, Linus
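The plan above keys the tunnel endpoint on the realm of the outer EAP identity, which arrives in the clear from an as yet unauthenticated station. The following added example (not part of the post, not hostapd code) shows in Python how that realm would be pulled out of an EAPOL EAP-Response/Identity Ethernet frame and validated before anything like an L2TP interface is created from it. The NAI split on the last "@" follows RFC 7542; the realm syntax check (hostname labels, at least one dot, 253 bytes max) is this example's own assumption about what the AP should accept. All frames are constructed inline, including the STA MAC address.

```python
import re
import struct
from typing import Optional

ETH_P_PAE = 0x888E            # EAPOL ethertype (IEEE 802.1X)
EAPOL_TYPE_EAP_PACKET = 0     # EAPOL packet type carrying an EAP packet
EAP_CODE_RESPONSE = 2         # EAP code: Response
EAP_TYPE_IDENTITY = 1         # EAP type: Identity

# Realm label syntax: RFC 1035 hostname labels, at least two labels.
# Assumption of this example: anything else is refused rather than
# handed to tunnel setup, because the string is attacker-controlled.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_REALM_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def extract_outer_identity(frame: bytes) -> Optional[str]:
    """Return the identity string from an EAPOL / EAP-Response/Identity
    Ethernet frame, or None if the frame is not one or is malformed."""
    # 14 bytes Ethernet + 4 bytes EAPOL header + 5 bytes minimal EAP header
    if len(frame) < 14 + 4 + 5:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_P_PAE:
        return None
    _version, eapol_type, eapol_len = struct.unpack_from("!BBH", frame, 14)
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        return None
    body = frame[18:18 + eapol_len]
    if len(body) != eapol_len or len(body) < 5:
        return None  # truncated or inconsistent EAPOL length
    code, _eap_id, eap_len, eap_type = struct.unpack_from("!BBHB", body, 0)
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    if eap_len != eapol_len or eap_len < 5:
        return None  # EAP length must match the EAPOL body exactly
    try:
        return body[5:eap_len].decode("utf-8")
    except UnicodeDecodeError:
        return None


def realm_of(identity: str) -> Optional[str]:
    """Split an NAI 'user@realm' (RFC 7542: realm follows the last '@')
    and return the lower-cased realm only if it is a syntactically valid
    domain name; None otherwise (including identities without a realm)."""
    if "@" not in identity:
        return None
    _user, _, realm = identity.rpartition("@")
    if not realm or len(realm) > 253 or not _REALM_RE.match(realm):
        return None
    return realm.lower()


def tunnel_realm_for_frame(frame: bytes) -> Optional[str]:
    """Realm the AP would use to pick the remote authenticator, or None."""
    identity = extract_outer_identity(frame)
    return None if identity is None else realm_of(identity)


def build_identity_response(identity: str, eap_id: int = 1) -> bytes:
    """Constructed test frame: Ethernet + EAPOL + EAP-Response/Identity."""
    data = identity.encode("utf-8")
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id,
                      5 + len(data), EAP_TYPE_IDENTITY) + data
    eapol = struct.pack("!BBH", 2, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    dst = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
    src = bytes.fromhex("020000000001")  # constructed STA MAC
    return dst + src + struct.pack("!H", ETH_P_PAE) + eapol


if __name__ == "__main__":
    for ident in ("user123@my-home.net", "anonymous@vpn-provider.org",
                  "nobody", "a@bad_realm.example"):
        print(f"{ident!r:32} -> {tunnel_realm_for_frame(build_identity_response(ident))!r}")
```

Note that with EAP-TTLS the outer identity is typically "anonymous@realm", so only the realm is usable at this point; the user part stays inside the TLS tunnel and is of no use to the AP. Any realm that fails the syntax check is dropped before it reaches interface or tunnel setup.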


