Creative solutions for an opaque VPN endpoint

pcmoore

Hello all. I'm debating a slight network tweak here at home and was hoping to solicit some feedback before I start reconfiguring things.

I've got what is essentially an opaque network device that functions as a VPN endpoint; it connects upstream via IPv4/DHCP and the behind-the-VPN clients authenticate and connect to the endpoint device with 802.1X. There is nothing special about the device other than the fact that I don't control or manage it. As I don't overly trust the device itself, its upstream connection is on a dedicated, untagged VLAN that is routed through various switches until it hits my router/firewall/etc. and exits out to the world. My behind-the-VPN clients connect to the device over a dedicated physical wire as they are located in the same room. Think WFH setup using an employer-provided VPN endpoint device.

Where it becomes somewhat interesting is when I consider relocating the VPN device and optionally allowing access over a dedicated WiFi SSID. Relocating the device should be straightforward enough: simply create a new behind-the-VPN VLAN and reconfigure switches as necessary. However, allowing access to that behind-the-VPN VLAN over WiFi seems like it might be a challenge. I am not overly excited at the prospect of having the APs act as the 802.1X supplicant to the VPN device (if that is even possible in my setup); I would much rather pass the behind-the-VPN client's 802.1X auth through the APs and have it serviced by the VPN device. Is that possible? Is there some other option that would accomplish the same goal?

To add to the context of the discussion, the WiFi network is being run on Ruckus Unleashed APs with the wired switching run on relatively modern Dell switches. As mentioned previously I'm using pfSense as my core router, firewall, etc. system. Replacing my WiFi or wired switching hardware isn't something I'm interested in doing to make this work, so solutions that start with "If you replace X hardware with Y you can do ..." are a bit of a no-go for me.

Thanks in advance to anyone who can help steer me in the right direction and/or provide some real tips on making this work!
 

gregsachs

Thinking out loud:
1: I would think that plugging the downstream port of the device into a VLAN-tagged port, directing that VLAN to the AP ports, and telling the APs that VLAN X = SSID Y is pretty simple. This VLAN would not need any routing or access to pfSense; it should only need to exist on the switch and APs.
2: If this is a WFH type of setup, there may be consequences of establishing a wifi network downstream of the device. May well be a significant violation of corporate security rules. They may also be doing a downstream listing of MACs or similar and detecting an AP or switch might also set off alarm bells.
 

pcmoore

1: I would think that plugging the downstream port of the device into a VLAN-tagged port, directing that VLAN to the AP ports, and telling the APs that VLAN X = SSID Y is pretty simple. This VLAN would not need any routing or access to pfSense; it should only need to exist on the switch and APs.
I believe I tried that and ran into issues with 802.1X on the VPN box. That is really what makes this interesting; otherwise, as you said, it's a pretty simple matter of routing the VLANs to the WAPs and then mapping the VLANs to SSIDs. I do the latter now, and I suspect there are a fair number of people here who do something similar.

For reasons beyond the scope of this discussion, I no longer have the VPN device so it's a bit academic at the moment.

2: If this is a WFH type of setup, there may be consequences of establishing a wifi network downstream of the device. May well be a significant violation of corporate security rules. They may also be doing a downstream listing of MACs or similar and detecting an AP or switch might also set off alarm bells.
Thanks for your concern, but I'm well aware of what measures one might use to monitor a remote endpoint such as this and would prefer to keep the discussion on the "how would I do this" side of things and not get stuck in the weeds on side discussions about security policies and remote monitoring.
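One concrete reason a plain VLAN-to-SSID pass-through can trip over 802.1X: EAPOL frames are addressed to the PAE group MAC 01:80:C2:00:00:03, which sits in the 01:80:C2:00:00:00 through 0F range that IEEE 802.1Q reserves for link-local protocols, and a conforming bridge (most managed switches, unless they expose an EAPOL pass-through or L2 protocol tunneling option) does not forward frames to those addresses even when the port is tagged into the right VLAN. The script below is an added example, not code from this thread or from any of the products mentioned; it builds a few constructed frames and reports whether a standards-conforming bridge would carry them. The MAC addresses and VLAN ID in it are made up.

```python
"""Show why EAPOL does not cross a bridge: parse constructed Ethernet frames
(optionally 802.1Q tagged) and flag destinations in the 802.1Q reserved range.

Added example for this thread; all frames, MACs and VLAN IDs are constructed.
"""
import struct
from typing import Optional

ETHERTYPE_VLAN = 0x8100    # 802.1Q tag
ETHERTYPE_EAPOL = 0x888E   # 802.1X EAP over LAN
ETHERTYPE_IPV4 = 0x0800

# IEEE 802.1Q reserves 01-80-C2-00-00-00 .. 01-80-C2-00-00-0F for link-local
# control protocols; a conforming bridge does not forward frames sent there.
RESERVED_PREFIX = bytes.fromhex("0180c20000")
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def is_bridge_reserved(dst: bytes) -> bool:
    """True for any address in 01-80-C2-00-00-00 .. 01-80-C2-00-00-0F."""
    return dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Assemble an Ethernet II frame, inserting an 802.1Q tag if vlan is set."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)  # PCP/DEI = 0
    return hdr + struct.pack("!H", ethertype) + payload


def eapol_start(src: bytes, vlan: Optional[int] = None) -> bytes:
    """What a supplicant sends first: EAPOL version 2, type 1 (Start), empty body."""
    return build_frame(PAE_GROUP, src, ETHERTYPE_EAPOL, struct.pack("!BBH", 2, 1, 0), vlan)


def parse_frame(frame: bytes) -> dict:
    """Decode header fields and decide whether a conforming bridge forwards the frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    info = {
        "dst": mac_str(dst), "src": mac_str(src), "vlan": vlan, "ethertype": ethertype,
        # The VLAN tag is irrelevant here: the decision hinges on the destination MAC.
        "bridge_forwards": not is_bridge_reserved(dst),
        "eapol": None,
    }
    if ethertype == ETHERTYPE_EAPOL and len(frame) >= offset + 4:
        version, ptype, body_len = struct.unpack("!BBH", frame[offset:offset + 4])
        info["eapol"] = {"version": version, "type": ptype,
                         "type_name": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
                         "body_len": body_len}
    return info


def explain(frame: bytes) -> str:
    """One-line verdict suitable for eyeballing a capture."""
    i = parse_frame(frame)
    kind = i["eapol"]["type_name"] if i["eapol"] else f"ethertype 0x{i['ethertype']:04x}"
    vlan = f" vlan {i['vlan']}" if i["vlan"] is not None else ""
    verdict = "forwarded by a bridge" if i["bridge_forwards"] else "dropped by a conforming bridge"
    return f"{i['src']} -> {i['dst']}{vlan} {kind}: {verdict}"


if __name__ == "__main__":
    supplicant = bytes.fromhex("001122334455")   # constructed client MAC
    gateway = bytes.fromhex("aabbccddeeff")      # constructed unicast destination
    print(explain(eapol_start(supplicant, vlan=30)))
    print(explain(build_frame(gateway, supplicant, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan=30)))
```

The takeaway for the thread: tagging the VPN box's client-side port into a VLAN and mapping that VLAN to an SSID carries ordinary unicast traffic fine, but the supplicant's EAPOL-Start never reaches the VPN box unless every bridge on the path (switch and AP) is configured to forward or tunnel the PAE group address, which is a per-vendor feature rather than default 802.1Q behaviour.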
 

gregsachs

I believe I tried that and ran into issues with 802.1X on the VPN box. That is really what makes this interesting; otherwise, as you said, it's a pretty simple matter of routing the VLANs to the WAPs and then mapping the VLANs to SSIDs. I do the latter now, and I suspect there are a fair number of people here who do something similar.

For reasons beyond the scope of this discussion, I no longer have the VPN device so it's a bit academic at the moment.

Thanks for your concern, but I'm well aware of what measures one might use to monitor a remote endpoint such as this and would prefer to keep the discussion on the "how would I do this" side of things and not get stuck in the weeds on side discussions about security policies and remote monitoring.
Totally fair, and it is an interesting problem.
I think that any device except an unmanaged switch will have a MAC address that could be detected, yes?