I have several devices on a private local network - some wired (e.g. PCs, laptops, SBCs) and some wireless (mobiles, tablets).

I have a Raspberry Pi on the same network, connected via Ethernet only, which acts as an OpenVPN server for connecting to this network via external public (and unsecure) networks (e.g. coffee shops, public hotspots).

I am not concerned about wired traffic on the private local network being snooped upon, but I am concerned that the traffic from the wireless (e.g. mobile) devices on the same network can be.

If I route all traffic from my wireless devices on this private network, through the OpenVPN server on the Pi, does this make such traffic any more secure from packet sniffing from other users who are on, or attempting to connect, to the same network? Or is this a fruitless exercise which provides no additional security benefits?

  • Some wifi routers support "AP isolation mode" that isolates the clients from each other. Then the only chance they have is if they break, hack, etc. your wifi password, because normal wifi is encrypted with WPA2 or WPA3. "Isolation mode" might have unintended side effects: if you have a printer attached via wifi, nobody will be able to see it.
    – cybernard
    Commented Oct 25, 2023 at 15:29
  • @harrymc - Hence the question on how to make wireless communication more secure. Concealing wireless communication from someone who is already on the same network was an issue in itself, now combined with someone packet sniffing who is not even on the same network.
    – jimjamz
    Commented Oct 26, 2023 at 15:33
  • @harrymc - You've incorrectly assumed the rationale and environment for my question. This is a pen testing workshop exercise to discuss further possible attack vectors than the usual OpSec. My only fear (ungrounded, of course) is comments such as yours discourage others from bothering to raise questions in the first place. If it isn't asked, how would we ever know what is possible or not? If you don't know the answer, then you don't need to leave a comment - simply leave it to William in the Wood and others to provide an answer.
    – jimjamz
    Commented Oct 28, 2023 at 14:49
  • So you're trying to get us to create your ideas for you. If you don't have any concrete problem you wish us to solve, there is no point in asking it here. We don't do brainstorming.
    – harrymc
    Commented Oct 28, 2023 at 16:39
  • Brainstorming and open ended discussions are not bad or wrong: they are just not the purpose or goal of THIS site. This site is designed and set up to allow specific and generally practical (currently existing within the real world) questions and problems to get real, specific answers and solutions. The entire site is designed around this principle. There are forums where open discussion is the norm where a question like this would get the open discussion and brainstorming it deserves. Not every question fits in every site, and that is OK.
    Commented Oct 30, 2023 at 17:49

1 Answer

If I route all traffic from my wireless devices on this private network, through the OpenVPN server on the Pi, does this make such traffic any more secure from packet sniffing from other users who are on, or attempting to connect, to the same network? Or is this a fruitless exercise which provides no additional security benefits?

It provides mostly the same security as if using a VPN in other cases: the data is encrypted from your computer to the VPN server, i.e. all the way through Wi-Fi to the RPi (but not from the Pi to your router or beyond).

However, the security rests on the assumption that malicious Wi-Fi clients cannot perform active ARP-spoofing attacks to pretend that they're the gateway that the Pi is supposed to forward the (cleartext!) traffic to. In other words, it's secure as long as the connection between the Pi and the gateway is not compromised.

I've seen this method being used to protect traffic in corporate networks before WPA-Enterprise.
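
The caveat in the answer above is that the Pi-to-gateway hop is cleartext and relies on the gateway's ARP mapping being genuine. As an added example (not part of the original answer), this sketch checks `ip neigh show` output taken on the Pi against a pinned gateway MAC; the addresses, sample output and function names are constructed for illustration.

```python
# Added example: sanity-check the gateway's ARP entry as seen from the Pi.
# All addresses below are constructed sample data, not values from the page.
SAMPLE_OK = """\
192.168.1.1 dev eth0 lladdr 02:00:00:aa:bb:01 REACHABLE
192.168.1.23 dev eth0 lladdr 02:00:00:aa:bb:17 STALE
192.168.1.40 dev eth0  FAILED
fe80::1 dev eth0 lladdr 02:00:00:aa:bb:01 router STALE
"""
# Same table after a Wi-Fi client (192.168.1.23) claims the gateway's IP.
SAMPLE_SPOOFED = SAMPLE_OK.replace(
    "192.168.1.1 dev eth0 lladdr 02:00:00:aa:bb:01",
    "192.168.1.1 dev eth0 lladdr 02:00:00:aa:bb:17")


def parse_neigh(text):
    """Map IPv4 address -> MAC for `ip neigh show` lines that have an lladdr."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip unresolved entries (FAILED/INCOMPLETE) and IPv6 neighbours,
        # which legitimately share a MAC with the same host's IPv4 address.
        if "lladdr" not in fields[:-1] or ":" in fields[0]:
            continue
        table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table


def check_gateway(text, gateway_ip, pinned_mac):
    """Return findings; an empty list means the gateway mapping looks sane."""
    table = parse_neigh(text)
    seen, pinned = table.get(gateway_ip), pinned_mac.lower()
    if seen is None:
        return [f"no resolved neighbour entry for gateway {gateway_ip}"]
    findings = []
    if seen != pinned:
        findings.append(f"gateway {gateway_ip} is at {seen}, expected {pinned}")
    # Heuristic: one MAC answering for the gateway and for another host.
    shared = sorted(ip for ip, mac in table.items()
                    if mac == seen and ip != gateway_ip)
    if shared:
        findings.append(f"{seen} also answers for {', '.join(shared)}")
    return findings


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("spoofed", SAMPLE_SPOOFED)):
        print(name, check_gateway(text, "192.168.1.1", "02:00:00:AA:BB:01"))
```

On the Pi, the same functions can be fed the real output of `ip neigh show`; the mapping can also be fixed in place with a permanent neighbour entry (`ip neigh replace <gateway-ip> lladdr <gateway-mac> nud permanent dev <iface>`).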
