On 08/10/15 23:17, Predrag Punosevac wrote:
Somebody will correct me if I am wrong but the way that Authpf works (I
have configured it in the past) is to load a new set of PF rules after
successful ssh login. My understanding is that by default the traffic
remains unencrypted unless we use more PF magic to force HTTP traffic
(HTTPS should be encrypted itself) through some kind of VPN over SSH. That
is why this chapter of the Book of PF was always such a mystery to me.

http://home.nuug.no/~peter/pf/en/vegard.authpf.html

authpf indeed loads rules per user, and also adds the user's IP to the authpf_users table. This is done to allow further traffic from authenticated users to be routed through the ssh gateway.

It does not encrypt traffic. Usually you're doing this on the same LAN (client/server). The HTTP redirect in the book is mostly a redirect to an information page (and maybe an ssh download location).


as my understanding is that wpa2 will encrypt the entire traffic (I am not
discussing how securely).

Installing ssh clients on various tablets/smart phones is a non-trivial
thing for an uneducated user. Since I don't want to disturb bad spirits and
bring back old flame wars fought over a web interface for AuthPF I would
like to suggest something else.

Namely OpenBSD includes npppd and IPsec, and setting up an L2TP over IPsec
VPN is a breeze, as I found out by setting it up.

http://marc.info/?l=openbsd-misc&m=142791463307903&w=2

In my experience most Android/Kindle/smart phone devices have a client
for L2TP via IPsec and it is very easy to use. What I am trying to
say is that one could set up an "unprotected" WiFi network allowing only
L2TP/IPsec authentication. Once a device is authenticated, PF rules would
allow HTTP, HTTPS and what not through the L2TP/IPsec VPN tunnel. The
devices will have an Internet connection. The whole traffic will be inside an
encrypted tunnel and no special software will be required on
Android/smart phone devices.

Best,
Predrag

Keep in mind that the traffic is encrypted only from the client to the VPN server and not up to the final destination. A VPN is usually used to get into the network from remote locations, or to remotely use local network resources to get out.
Nevertheless it's an option :)

Another option would be 802.1X, but the OP asked for a captive portal and we're getting off topic...

regards,

G
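To make the two designs discussed in this thread concrete, here is a pf.conf fragment written as an added example (it is not from the thread, the Book of PF, or the OpenBSD project). It assumes an open WiFi interface athn0, an upstream interface em0, an npppd L2TP address pool of 10.0.0.0/24 handed out on a pppx(4) interface, and a local information page listening on 127.0.0.1:8080; the authpf_users table and the authpf anchor are the standard ones authpf(8) expects.

```conf
# pf.conf fragment: authpf portal and L2TP/IPsec-only open WiFi side by side
# (added example; interface names, pool and portal port are assumptions)
wifi_if = "athn0"          # assumed open WiFi interface
ext_if  = "em0"            # assumed upstream interface
vpn_net = "10.0.0.0/24"    # assumed npppd address pool

set skip on lo

# authpf(8) adds the IP of each successfully logged-in client to this table
table <authpf_users> persist

block all

# Unauthenticated WiFi clients may only resolve names, reach the gateway's
# SSH (authpf login) and the IPsec endpoints. Everything else stays blocked.
pass in on $wifi_if proto udp from $wifi_if:network to any port domain
pass in on $wifi_if proto tcp from $wifi_if:network to ($wifi_if) port ssh
pass in on $wifi_if proto udp from $wifi_if:network to ($wifi_if) port { isakmp, ipsec-nat-t }
pass in on $wifi_if proto esp from $wifi_if:network to ($wifi_if)

# As in the book: HTTP from clients not yet in the table goes to a local
# information page instead of the Internet (assumed portal on port 8080)
pass in on $wifi_if proto tcp from ! <authpf_users> to any port www rdr-to 127.0.0.1 port 8080

# Per-user rules loaded by authpf after a successful ssh login land here
anchor "authpf/*"

# authpf path: authenticated hosts may use the net. Note the caveat raised
# in the thread: this traffic is still cleartext on the open WiFi.
pass in on $wifi_if from <authpf_users> to any

# L2TP/IPsec path: L2TP only after IPsec decapsulation (enc0), then the
# client's real traffic arrives on the npppd pppx interface, encrypted
# between the device and this gateway, but plain from here on out.
pass in on enc0 proto udp to ($wifi_if) port l2tp
pass in on pppx from $vpn_net to any

# Both populations leave upstream NATed to the external address
pass out on $ext_if from { <authpf_users>, $vpn_net } to any nat-to ($ext_if)
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -t authpf_users -T show` lists who is currently logged in via authpf.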
