One thing that has always been on my mind when I am out and about is this: when I first connect to a network, exactly how much data leaks during the time it takes the VPN to set up on Windows?
At the time I was using a script to dial an SSTP VPN connection to my home Windows server from my netbook. This script would trigger each time I connected to my university's WiFi.
There were two problems with this. The first was that the WiFi was open to all student devices across the whole campus. It used a 10.32.0.0/16 subnet, and when I checked with an IP scan of that subnet it easily exceeded 500 devices. The second was that the WiFi was not secured. There was a secured staff WiFi and special education logins, but those were not open to any device or any student.
My solution at the time, monitoring Windows events for an "on WiFi connect" trigger, left me exposed in more than three different situations. The first, and most annoying, was Windows not logging events correctly. Sometimes, because of how Windows handles high latency on a WiFi connection, the script would run too early and fail to connect on its first try, and Windows would then attempt to connect again 30 seconds later.
The second situation is Windows split-tunnel VPN routing. Because of the way VPNs are implemented in Windows, there are situations where Windows, for whatever reason, passes packets down the wrong pipe. Leaking information through improper forwarding is more common than you would think.
The third situation I had to deal with was the Windows firewall being sub-par. Because the wireless network was so large and open, I was heavily dependent on the Windows firewall.
My solution came in the form of a portable, USB-powered WiFi router made by MikroTik. The mAP lite is a dual-chain 802.11b/g/n WiFi AP/router running the Linux-based RouterOS. It can be powered either from 750 mA USB (two sockets' worth of non-negotiable power) or by Power over Ethernet. It is the smallest device MikroTik makes that runs their full routing operating system. One of RouterOS's many features is its highly customisable firewall and NAT table, which allowed me to block all of my laptop's traffic before it reached the WiFi network. Another is support for SSTP VPNs; although not perfect, it works as expected with minor differences.
In my application I was powering the mAP lite from two of my three USB ports. My laptop's Ethernet port connected to the mAP lite and got an IP address from it. The mAP lite then operated in station mode to connect to the campus WiFi network, forwarding my data over the WiFi only inside the VPN tunnel to my home server.
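To make the "block everything that is not the tunnel" idea concrete, here is a RouterOS configuration in the spirit of the setup above. It is an added example written for this page, not the author's own configuration. It assumes the mAP lite's default interface names (`ether1` for the laptop, `wlan1` for the campus side), a campus SSID of `CampusWiFi`, an SSTP server at the placeholder address `203.0.113.10`, placeholder credentials, and a resolver at `192.168.1.1` on the home side of the tunnel; replace all of these with your own values.

```routeros
# --- campus side: wlan1 as a station on the open campus network (assumed SSID) ---
/interface wireless set wlan1 mode=station ssid="CampusWiFi" band=2ghz-b/g/n disabled=no
# Take an address from campus DHCP, but do not take its DNS servers, and give its
# default route a worse distance than the tunnel's so the tunnel wins once it is up.
/ip dhcp-client add interface=wlan1 use-peer-dns=no add-default-route=yes default-route-distance=10 disabled=no

# --- laptop side: ether1 hands the laptop an address ---
/ip address add address=192.168.88.1/24 interface=ether1
/ip pool add name=lan ranges=192.168.88.10-192.168.88.100
/ip dhcp-server add name=lan interface=ether1 address-pool=lan disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

# --- the SSTP tunnel home (placeholder server address and credentials) ---
# add-default-route=yes with distance 1 sends everything through the tunnel when it is up.
/interface sstp-client add name=sstp-home connect-to=203.0.113.10 user=laptop password=CHANGE-ME \
    verify-server-certificate=yes add-default-route=yes default-route-distance=1 disabled=no

# --- DNS: the router answers the laptop's queries and forwards them to a resolver
#     that is only reachable through the tunnel (placeholder address) ---
/ip dns set servers=192.168.1.1 allow-remote-requests=yes

# --- NAT: the laptop's traffic leaves masqueraded behind the tunnel address only ---
/ip firewall nat add chain=srcnat out-interface=sstp-home action=masquerade

# --- firewall: rules are evaluated top to bottom, so enter them in this order ---
/ip firewall filter
# return traffic for flows the router or laptop already opened
add chain=forward connection-state=established,related action=accept
add chain=input connection-state=established,related action=accept
add chain=output connection-state=established,related action=accept
# laptop may only be forwarded into the tunnel; anything else is dropped and logged
add chain=forward in-interface=ether1 out-interface=sstp-home action=accept comment="laptop -> tunnel"
add chain=forward in-interface=ether1 action=drop log=yes log-prefix="LEAK-FWD " comment="laptop -> anything else"
# nobody on the campus network may talk to the router itself
add chain=input in-interface=wlan1 action=drop comment="campus -> router"
# the router's own traffic on wlan1 is limited to the SSTP session and campus DHCP
add chain=output out-interface=wlan1 protocol=tcp dst-address=203.0.113.10 dst-port=443 action=accept comment="SSTP to home"
add chain=output out-interface=wlan1 protocol=udp dst-port=67 action=accept comment="DHCP client"
add chain=output out-interface=wlan1 action=drop log=yes log-prefix="LEAK-OUT " comment="router -> campus, anything else"
```

The two logged drop rules are the useful part for checking the setup: with the tunnel down, `/log print where message~"LEAK-"` shows exactly which packets the laptop or the router tried to send straight onto the campus WiFi, which is the leak the Windows-only approach could not stop. Because the laptop's DNS goes to the router and the router's own DNS is pinned to a resolver behind the tunnel, DNS queries are covered by the same rules rather than escaping to the campus resolver.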
There is only one downside to the mAP lite: its antennas are smaller than an average laptop's, so occasionally moving the AP off the table to hang, or standing it up on the table, gets the best signal strength.
In my next post I'll show how you can pair the mAP lite with a mAP to get a WiFi hotspot with 3G support. This is now my favourite setup.