Dealing with WPA2, WEP-only devices, Ubuntu and DD-WRT
If you have a WLAN router that runs DD-WRT (or OpenWRT), you probably want to protect your wireless LAN with WPA2. However, some devices only support WEP (for instance, some old wireless NICs that don't support WPA at all, or don't support it under Linux; the D-Link G520+ is one such example).
It’s possible to get WPA2 while using WEP for some devices at the same time
First, it’s important to know that you can set your router to support WPA2 and WEP at the same time. If you use DD-WRT, you can go to Wireless / Basic Settings and create two networks - a primary one (it will be used for WPA2), then add a “virtual interface” and set it to another SSID.
Then go to Wireless / Wireless Security and set WPA2 Personal (or whatever you like) for the primary interface and WEP for the virtual interface. Set the passwords as you like, but make sure the two credentials are completely unrelated: the WEP key can be cracked easily, so it must not reveal anything about the WPA2 passphrase.
Now, you have configured:
- a secure way to connect (your WPA2 network)
- an insecure way to connect that can be cracked easily (WEP network)
Introducing VPN for the WEP network
To secure communication on the WEP network, we will use a VPN. First of all, we define a new subnet for our WEP network:
“Wireless” / “Basic settings” / Virtual interface wl0.1: Choose
- AP isolation: enabled (this prevents an intruder who has cracked the WEP key from attacking the other WEP devices directly over the wireless link)
- network configuration: unbridged (otherwise the WEP WLAN would be connected to your default one)
- multicast forwarding: disabled
- masquerade / NAT: disabled
- IP address: the router's own address in the new subnet (it must not be in use anywhere else), for instance 192.168.2.1
- subnet mask: for instance 255.255.255.0 (choose another one only if you know what it is)
Then activate the VPN server: “Services” / “VPN” / “PPTP Server”:
- PPTP Server: enable
- Force MPPE encryption: enable (this rejects clients that negotiate an unencrypted tunnel; without it the VPN adds no security over WEP)
- Server IP: use the IP address of the wl0.1 interface (in our example: 192.168.2.1)
- Client IPs: use an IP range from your default subnet that lies outside the DHCP range. For instance, if your normal network uses 192.168.1.* addresses (default) and the DHCP server hands out addresses starting at .100 (default), you could use “192.168.1.20-192.168.1.49” for this setting. That allows 30 VPN clients and doesn't collide with DHCP leases.
- CHAP secrets: Enter at least one line in the format “username * password *” (without ” but with *, replace username and password with your values).
VPN client on your WEP-only device (assuming it’s running Ubuntu Linux 10.04):
- Connect to the WEP network, but set the IP address for the connection manually (for instance, 192.168.2.2 with netmask 255.255.255.0 in our example)
- In the network manager, create a new VPN connection. Use these settings:
Gateway: the VPN server's address, i.e. the router's address on the wl0.1 interface (192.168.2.1 in our example)
User name and password as set in CHAP secrets
Advanced: Use point-to-point encryption (MPPE), security: 128-bit (most secure). Then you can connect to the VPN as soon as you are connected to the WEP network.
- Once you are connected to the VPN server, your traffic inside the tunnel can no longer be read by someone who only cracked the WEP key. Keep in mind, though, that PPTP's MS-CHAPv2 authentication and the MPPE keys derived from it are known to be breakable by an attacker who captures the handshake, so this raises the bar considerably over bare WEP but is not equivalent to WPA2; the VPN is there to make the WEP link usable, not to replace WPA2 for devices that support it.
- Unfortunately, you can't use the “Automatically connect” feature for the VPN because of a bug in NetworkManager. As a workaround you can place a script in the NetworkManager dispatcher directory that brings the VPN up whenever the WEP interface comes up. For more information, see https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/280571
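The following dispatcher script is an added example and not the script from the bug report or any part of the original post. NetworkManager runs every script in /etc/NetworkManager/dispatcher.d/ (root-owned, mode 0755) with the interface name and the action (“up”, “down”, “vpn-up”, ...) as arguments; the script reacts only to the WEP-side interface coming up on the WEP SSID and then starts the PPTP connection. The interface name wlan0, the SSID “wep-legacy” and the connection name “WEP VPN” are assumptions, as is the availability of iwgetid (wireless-tools) and nmcli.

```shell
#!/bin/sh
# Added example, not part of the original post: NetworkManager dispatcher
# script that brings the PPTP connection up once the WEP-only machine has
# associated with the WEP network. NetworkManager calls it as
#   <script> <interface> <action>
# Assumptions: wireless interface wlan0, WEP SSID "wep-legacy", VPN saved in
# NetworkManager as "WEP VPN"; iwgetid and nmcli are installed.
WEP_IFACE="${WEP_IFACE:-wlan0}"
WEP_SSID="${WEP_SSID:-wep-legacy}"
VPN_NAME="${VPN_NAME:-WEP VPN}"

# SSID the interface is currently associated with; empty if not associated.
current_ssid() {
    iwgetid -r "$1" 2>/dev/null
}

# Return 0 (true) only for the one event we care about: the WEP-side
# interface coming up while associated with the WEP SSID. Any other
# interface, action or network leaves the VPN alone.
wep_vpn_wanted() {
    iface="$1"; action="$2"; ssid="$3"
    [ "$iface" = "$WEP_IFACE" ] || return 1
    [ "$action" = "up" ] || return 1
    [ "$ssid" = "$WEP_SSID" ] || return 1
    return 0
}

# Entry point used by NetworkManager.
dispatch() {
    if wep_vpn_wanted "$1" "$2" "$(current_ssid "$1")"; then
        logger -t wep-vpn "$1 joined '$WEP_SSID', starting VPN '$VPN_NAME'"
        nmcli con up id "$VPN_NAME"
    fi
}

# Only act when called with interface and action, as NetworkManager does;
# sourcing the file merely defines the functions.
if [ "$#" -ge 2 ]; then
    dispatch "$1" "$2"
fi
```

Because dispatcher scripts run as root without a user session, the VPN password has to be stored in the connection itself (“Available to all users” in the connection editor) rather than in the user's keyring, otherwise `nmcli con up` will wait for a secret that nobody can supply.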
Protecting your network from WEP intruders
If somebody cracks the WEP key, the intruder should not be able to reach the Internet (or your WPA2 LAN) through the WEP network. Disabling IP forwarding on wl0.1 stops the router from routing packets that arrive on that interface. Packets addressed to the router itself, i.e. the PPTP control connection on TCP port 1723 and the GRE tunnel, are still accepted, and the traffic of connected VPN clients arrives on the ppp interfaces rather than on wl0.1, so it is still forwarded as before. Go to “Administration” / “Commands” and enter:
echo "0" > /proc/sys/net/ipv4/conf/wl0.1/forwarding
Click on “Save Startup” so that the command is run on every boot, then reboot the router (or run the command once via “Run Commands”).
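Disabling forwarding keeps a WEP intruder off the Internet and off the WPA2 LAN, but it still lets him talk to every service the router itself exposes on 192.168.2.1 (web interface, telnet, SSH). The following DD-WRT firewall script, an added example that is not part of the original post, narrows the WEP interface down to exactly what the VPN needs: PPTP (TCP 1723) and GRE to the router, plus ping for troubleshooting, and drops everything else, while also dropping forwarded traffic from wl0.1 as a second line of defence next to the sysctl. It assumes the interface name wl0.1 and the router address 192.168.2.1 from the text; the chain name WEPGUEST is an arbitrary choice. Paste it under “Administration” / “Commands” and use “Save Firewall” (not “Save Startup”) so that DD-WRT re-applies it whenever it rebuilds its firewall.

```shell
#!/bin/sh
# Added example, not part of the original post: DD-WRT "Save Firewall" script
# for the WEP virtual interface. An intruder who cracked the WEP key may only
# talk PPTP/GRE (and ping) to the router; nothing is forwarded from wl0.1.
# Assumptions: interface wl0.1 and router address 192.168.2.1 as in the text;
# the chain name WEPGUEST is arbitrary.
WEP_IF="${WEP_IF:-wl0.1}"
WEP_GW="${WEP_GW:-192.168.2.1}"
CHAIN="${CHAIN:-WEPGUEST}"

# wep_rules prints the commands instead of executing them, so the rule set
# can be reviewed (or tested) on any machine; wep_apply runs them.
# The "-D ... 2>/dev/null" lines make the script safe to run repeatedly.
wep_rules() {
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -p tcp -d $WEP_GW --dport 1723 -j ACCEPT
iptables -A $CHAIN -p 47 -d $WEP_GW -j ACCEPT
iptables -A $CHAIN -p icmp --icmp-type echo-request -d $WEP_GW -j ACCEPT
iptables -A $CHAIN -j DROP
iptables -D INPUT -i $WEP_IF -j $CHAIN 2>/dev/null
iptables -I INPUT 1 -i $WEP_IF -j $CHAIN
iptables -D FORWARD -i $WEP_IF -j DROP 2>/dev/null
iptables -I FORWARD 1 -i $WEP_IF -j DROP
echo 0 > /proc/sys/net/ipv4/conf/$WEP_IF/forwarding
EOF
}

# wep_apply executes the printed commands on the router.
wep_apply() {
    wep_rules | sh
}

# wep_rule_count returns the number of iptables commands in the set,
# a quick sanity check after editing the list above.
wep_rule_count() {
    wep_rules | grep -c '^iptables '
}

# Apply only where the WEP interface really exists (i.e. on the router, as
# root); anywhere else the functions are merely defined for review.
if [ -w "/proc/sys/net/ipv4/conf/$WEP_IF/forwarding" ]; then
    wep_apply
else
    echo "wep-fw: interface $WEP_IF not present, rules not applied" >&2
fi
```

The INPUT chain only matches packets that enter on wl0.1, so VPN clients are unaffected: their traffic arrives on the pppN interfaces and is still routed normally. GRE is written as protocol number 47 rather than `-p gre` because the busybox environment on the router may not ship /etc/protocols. You can check the result with `iptables -L WEPGUEST -n -v` from the router shell.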