OpenHarbors - Dynamic Tunneling of WPA over IP/L2TP

Johannes Berg johannes at sipsolutions.net
Wed Jun 19 02:28:03 PDT 2024


On Wed, 2024-06-19 at 11:03 +0200, Linus Lüssing wrote:
> 
> If a user uses user123 at my-home.net they'd be forwarded to
> my-home.net. If customer333 at vpn-provider.org then to
> vpn-provider.org. These domains wouldn't need to be added to a
> config on the AP due to being determined/parsed on-demand from EAPoL.

This seems ... problematic, to say the least? Who knows they won't
authenticate to pretend at evil-provider.org? Might want to have an allow-
list or so somewhere? That sort of defeats the purpose though, but seems
somewhat needed?

> 2) Get hostapd + Linux kernel to emit WPA CCMP frames encapsulated
> in an ethernet frame on the Wifi interface.
> 3) Get hostapd to use a wifi AP interface per STA for this, similar
> to WDS mode.

You forgot to mention the part where you _don't_ want the wireless side
to actually have the keys and decrypt the packet, I think? But that's
... tricky, hardware often requires the keys to do a proper connection
in the first place, and once you have management frame encryption you
also really need it. But then hardware will decrypt your data frames
too.

> 2) Get hostapd to create a special mac80211_hwsim virtual wifi
> interface based on received EAPoL, use it to receive and decrypt the
> WPA CCMP frames from the Linux kernel's WPA encryption/decryption
> code, have hostapd install the PMK to it.

You're confusing the key architecture and how it all works in Linux
enough that I don't even know how to comment on this.

johannes
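The allow-list Johannes asks for, as an added example that is not part of this thread and not hostapd code: it parses the EAP-Response/Identity carried in an EAPOL frame, takes the realm from the NAI (the part after the last '@'), and only returns a forwarding target when that realm is on a configured list. The frame layout follows IEEE 802.1X (EAPOL header: version, type, length) and RFC 3748 (EAP header: code, identifier, length, type); `ALLOWED_REALMS`, `build_identity_frame` and the domain names used as sample input are constructed for the example.

```python
import struct
from typing import Optional, Tuple

EAPOL_TYPE_EAP_PACKET = 0   # 802.1X packet type "EAP-Packet"
EAP_CODE_RESPONSE = 2       # RFC 3748 EAP code "Response"
EAP_TYPE_IDENTITY = 1       # RFC 3748 EAP type "Identity"

# Constructed allow-list: the only realms this AP would forward EAPOL to.
# Anything not listed is dropped rather than resolved on demand.
ALLOWED_REALMS = {"my-home.net", "vpn-provider.org"}


def parse_eapol_identity(frame: bytes) -> Optional[str]:
    """Return the identity string from an EAPOL-encapsulated EAP-Response/Identity,
    or None if the frame is not one (or is malformed)."""
    if len(frame) < 4:
        return None
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        return None
    body = frame[4:4 + body_len]
    if len(body) < 5:
        return None
    code, _eap_id, eap_len, etype = struct.unpack("!BBHB", body[:5])
    if code != EAP_CODE_RESPONSE or etype != EAP_TYPE_IDENTITY:
        return None
    # The EAP length field must describe the bytes we actually have.
    if eap_len < 5 or eap_len > len(body):
        return None
    try:
        return body[5:eap_len].decode("utf-8")
    except UnicodeDecodeError:
        return None


def split_nai(identity: str) -> Tuple[str, Optional[str]]:
    """Split a Network Access Identifier into (user, realm).
    RFC 7542: the realm is everything after the last '@'; it may be absent."""
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, realm.lower()


def select_forward_target(frame: bytes, allowed=ALLOWED_REALMS) -> Optional[str]:
    """Decide where an EAPOL frame may be forwarded.
    Returns the realm if it is allow-listed, otherwise None (do not forward)."""
    identity = parse_eapol_identity(frame)
    if identity is None:
        return None
    _user, realm = split_nai(identity)
    if realm is None or realm not in allowed:
        return None
    return realm


def build_identity_frame(identity: str, eap_id: int = 1) -> bytes:
    """Construct an EAPOL(EAP-Response/Identity) frame for testing (constructed input)."""
    ident = identity.encode("utf-8")
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id,
                      5 + len(ident), EAP_TYPE_IDENTITY) + ident
    return struct.pack("!BBH", 2, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


if __name__ == "__main__":
    for nai in ("user123@my-home.net", "someone@evil-provider.org", "anonymous"):
        print(nai, "->", select_forward_target(build_identity_frame(nai)))
```

The identity in EAP-Response/Identity is sent unauthenticated and chosen entirely by the station, so the realm it names is untrusted input; the allow-list turns it from a routing instruction into a lookup key, and a frame naming an unknown realm is dropped rather than resolved.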