
Don't rely on WEP to secure your network. Even with 128-bit or 256-bit keys it is trivial to crack.

If you want to ignore this because you are testing or don't care, you can pass the WEP key to the driver as follows:

iwconfig eth2 enc yourhexkey

VPN/tunnel

Use a secure tunnel/VPN from wireless clients over the wireless network onto your real network.

Put your WLAN hosts behind a firewall to protect your wired LAN from wireless intruders. Install pptpd(8) on this firewall box and force wireless hosts to securely tunnel into your wired LAN. See the WirelessNetworkSecurityHowto.

WPA

To use the more secure WPA encryption rather than WEP, install the wpasupplicant package. This provides a program that encrypts data sent to your wireless card. Unfortunately it can be difficult to set up, partly because it uses a lot of acronyms that you need to understand, and partly because of incompatibilities between wireless equipment. There is a good mailing list accessible from the previous wpasupplicant link which is very helpful.

WPA-PSK means use a Pre-Shared Key, i.e. both the AccessPoint and the client know a shared secret.

The main config file is /etc/wpa_supplicant.conf.

Here is an example config file.


# my wireless card (Atheros-based) and AP (Asus 6030) don't get on very
# well if this is set to 2
eapol_version=1

# some default settings - see the example
# /usr/share/doc/wpasupplicant/examples/wpa_supplicant.conf.gz (debian) file
ap_scan=1
fast_reauth=1

network={
  ssid="MY SSID"

  # priority that wpasupplicant should try to connect to this
  # network block (out of all blocks listed in this config file)
  # 9 is highest, 0 is lowest
  priority=9

  # my AP is set up to require WPA-PSK authentication
  # defaults to WPA-PSK WPA-EAP
  key_mgmt=WPA-PSK

  # The password to use for WPA-PSK authentication.
  # this has to match the password on the AP, obviously
  psk="shared secret password"

  # the order to try encryption algorithms in (CCMP is the AES-based cipher).
  #pairwise=CCMP TKIP

  # broadcast/multicast group ciphers for WPA
  # default is CCMP(AES counter) TKIP WEP104 WEP40
  # but my card/AP combination doesn't seem to work if it tries CCMP
  # so I'll override this setting
  group=TKIP
}
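
The psk= line above keeps the passphrase in clear text. As an added example (not part of the original page or of the wpasupplicant package), the following derives the 256-bit key that WPA-PSK actually uses from the passphrase and SSID, which can be written unquoted as psk= followed by 64 hex digits. The function names are made up here, and the sample values are the placeholders from the config above.

```python
# Added example: WPA-PSK key derivation and a config permission check.
import hashlib
import os
import stat


def derive_psk(passphrase, ssid):
    """Return the 256-bit WPA pre-shared key as 64 hex digits.

    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so the same passphrase gives a different key per SSID.
    """
    pw = passphrase.encode("ascii")  # non-ASCII raises UnicodeEncodeError (a ValueError)
    if not 8 <= len(pw) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if any(not 32 <= b <= 126 for b in pw):
        raise ValueError("WPA passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, 32).hex()


def network_block(passphrase, ssid):
    """Render a minimal network block with the hex PSK instead of the passphrase."""
    if '"' in ssid:
        raise ValueError("SSID containing a double quote needs the hex ssid form")
    return (
        "network={\n"
        f'  ssid="{ssid}"\n'
        "  key_mgmt=WPA-PSK\n"
        f"  psk={derive_psk(passphrase, ssid)}\n"  # hex form is written without quotes
        "}\n"
    )


def readable_by_others(path):
    """True if group or other has read permission on the config file."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    # Constructed sample values: the placeholders used in the config above.
    print(network_block("shared secret password", "MY SSID"))
```

The hex key is still enough to join that SSID, so /etc/wpa_supplicant.conf should be readable by root only in either form.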

Now, after your card is running (but not configured), you can set up your connection/configuration to use WPA encryption by running

wpa_supplicant -B -iath0 -Dmadwifi -c/etc/wpa_supplicant.conf

replacing ath0 with the correct interface (eth0, eth1, and so on) for your machine, and madwifi with the correct driver for your wireless card. -B means fork and go into the background, and -c names the config file. "wpa_supplicant -h" lists the following supported drivers:

  • hostap
  • prism54
  • madwifi
  • atmel
  • wext
  • ndiswrapper
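  • ipw

If you want to debug why things aren't working, you can run the following from the command line, replacing interface and driver with your own values. -dd increases debug verbosity, -t adds timestamps, and -K includes keys (passwords and so on) in the debug output, so treat that output as sensitive.

wpa_supplicant -dd -t -K -iinterface -Ddriver -c/etc/wpa_supplicant.conf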

Configuring your distro for WPA

Debian Sarge/Sid (and Ubuntu?)

apt-get install wpasupplicant

Create /etc/wpa_supplicant.conf either from the example above, or based on /usr/share/doc/wpasupplicant/examples/wpa_supplicant.conf.gz.

Here is a snippet from my /etc/network/interfaces file. (This replaces the snippet for WEP you can find on the WirelessSetupNotes page.)

iface ath0 inet dhcp
  pre-up wpa_supplicant -B -iath0 -Dmadwifi -c/etc/wpa_supplicant.conf
  down skill wpa_supplicant

Note that it probably isn't necessary to get rid of the wpa process after removing the interface, but it means that there aren't multiple processes if you remove/insert the card several times.

Ubuntu 6.06 (Dapper)

Instead of doing "pre-up wpa_supplicant ...", Ubuntu starts wpa_supplicant on boot. Edit the /etc/default/wpasupplicant file:

ENABLED=1
OPTIONS="-w -Dipw -ieth1 -c /etc/wpa_supplicant.conf"

changing the options for -D and -i as appropriate.

In 6.06, my old config of using "-Dipw" for my Centrino-based laptop no longer worked - I had to use "-Dwext" instead for the generic wireless driver.

You could also try installing the network-manager package, but this is a bit flaky for now.

Other distros

People who use other distros should put stuff here.

