Setting up a very secure wireless network

[Neo]

Hi All,
I'm looking for some help in setting up an ultra secure wireless network.
I know it's not exactly a PCLinuxOS question as I've got my computer hardwired to my router and it's working great of course!

I updated my cell phone's Android firmware (now running CM 10, I upgraded from Froyo to Jelly Bean) and have to broadcast my router's SSID as the phone doesn't work well with a hidden SSID.

I am using a very long randomly generated password and WPA2 protection.

However I have heard that it is somehow possible to set up a router using OpenVPN so that only a device that you've paired with it can access it and even if someone where able to hack into your router they really couldn't do anything.

Sorry if that sounds convoluted, but the person who explained it to me took great pleasure in describing it in the most complicated manner possible (think of that one guy in school who thought he'd sound really smart by using the most obscure terms to describe something simple, eg. I'd say "Turn on the light" he'd say "Exponentially increase the luminosity").

Anyway if you haven't already guessed I know very little about networking and don't even know where to start with this.
I am hoping that there is someone here who can help me.

By the way I am currently using DD-WRT on my router but do have another router with Tomato that I can use.

As always I would greatly appreciate any help you may provide.

[muungwana]

turn off WPS[1] if your router supports it and its enabled.It can be used to easily give your WPA keys to your attacker.

Who are you trying to protect against? Is this for your personal home use or are you trying to set it up for some sort of a protected but semi public wireless network like in a small business environment.

[1]: http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup

[Neo]

turn off WPS[1] if your router supports it and its enabled.It can be used to easily give your WPA keys to your attacker.

Who are you trying to protect against? Is this for your personal home use or are you trying to set it up for some sort of a protected but semi public wireless network like in a small business environment.

[1]: http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup

Thanks Muungwana, the firmware on my router doesn't even list WPS so I think I am safe there.

This is something that I am setting up for home use.  There are many people around me and I just want to make my wireless connection more secure that the others around me.  I reason that if someone wants to hack a wireless connection they would move on to one that is much easier than mine.

I've heard that it is possible to obtain an extra layer or two of protection by using OpenVPN (as I mentioned before the exact details are a little fuzzy to me).

[muungwana]

use WPA2 with a long and unique wireless network name and a long unique password.

Set up your router and dhcp to accept only a list of known MAC addresses.

Use a "strange" network address with very small pool of addresses.

The above three steps will make your network pretty much beyond reach even with the best of hackers with more than ordinary computing powers.

Going VPN route is doable and certainly increases security but i think its something to do just to see if you can do it and learn a thing or two about VPN and networking and its something that belongs in the "advanced user" section.

Does your router support VPN functionality? what router do you have,what capabilities does it have?

[Neo]

use WPA2 with a long and unique wireless network name and a long unique password.

Set up your router and dhcp to accept only a list of known MAC addresses.

Use a "strange" network address with very small pool of addresses.

The above three steps will make your network pretty much beyond reach even with the best of hackers with more than ordinary computing powers.

Going VPN route is doable and certainly increases security but i think its something to do just to see if you can do it and learn a thing or two about VPN and networking and its something that belongs in the "advanced user" section.

Does your router support VPN functionality? what router do you have,what capabilities does it have?

Well I already am using WPA2, I have a very long randomly generated password, my SSID is not very long though (since it is being broadcast I didn't think it mattered).

I also have it set up to only work with my cellphone's MAC address (although I know those can be spoofed).

I'm not sure what you mean by "Strange network address".
Are you referring to the router's local IP address or the Network Address Server Settings (DHCP).
With my firmware the router's local IP address is different from the "starting IP address" in the Network Address Server Settings (DHCP) section.

And yes my router does support VPN, several versions including OpenVPN which I am told is the best of the bunch.

The firmware that I am using on this router is DD-WRT Mega Build by Brainslayer.
My other router is running Shibbly's version of Tomato 1.28, it too supports OpenVPN.

These firmwares can be used with many different routers.
If you are interested in trying it, Google them and check out their list of supported devices.

[muungwana]

for example,you can have your network with 10.245.231.x/3 network address.That will mean valid addresses are btw 10.245.231.0 and 10.245.231.8.Those are pretty strange network addresses for a local network.If your router supports setting them up is another matter.Its practically impossible for anybody to guess those addresses.How much that will protect you,i do not know.If an intruder is already on the network,they may know the network address by looking at traffic flowing around.

If your router already has openVPN functionality,then how hard it will be to set it up will depend on how easy the router makes it.I think PCC networking tools already supports openVPN connections.

[AndrzejL]

Turn off upnp (at least from WAN side) and test Your router with Shields Up to see if You're vulnerable to that "new" upnp hack... and then use it again to check if your service ports are open and if Your machine replies to icmp requests.

https://www.grc.com/x/ne.dll?bh0bkyd2

[Neo]

Just as an update, after digging through all of the router's menus and submenus it turns out that both WPS and UPNP are disabled by default (but the option does exist to enable them if you are so inclined).

I did use GRC to test my router and I'm good!
I've been using GRC since 2000 to test my firewall capabilities.

Now to find some time to try out this OpenVPN I've heard so much about.