Build a VPN network for WiFi users 

Background

Many hotels and cafes now provide Internet access (hot-spot) service for WiFi users. These organizations usually have their own web site and want all WiFi users to be able to browse it freely. When WiFi users want to access the Internet, they have to pay for it.

Theory

To give WiFi users a friendly experience, these organizations want to let all users access their WLAN freely, but charge them when they want to access the Internet. We therefore designed two networks for the two kinds of service.

WLAN network: This network is free. All WiFi users are allowed to access the WLAN, and no authentication is needed. The IP range assigned to this network is 192.168.*.*, and this IP range can ONLY browse 192.168.*.*.

VPN network: WiFi users pay for this network. The organization provides a username/password to the WiFi users who want to access it. After a successful dial-in, WiFi users are able to access the VPN network. The IP range assigned to this network is 172.16.*.*, and this IP range CAN browse the Internet.

Network Architecture

In this architecture, we need WiFi APs to build the WLAN and a Cisco router to build the VPN.

All WiFi users can access the WLAN via the WiFi APs.
The APs, WiFi users, router, web server and RADIUS server are all assigned a WLAN IP address.
VPN IP addresses are assigned virtually, inside the VPN network.

WiFi users

WiFi users can access the WLAN without any settings or dial-in operation. When they power on the notebook, they get an IP address, such as 192.168.0.31, and can browse the WLAN network, such as your internal web site, for example 192.168.0.10.

WiFi users use the Microsoft dial-in application to dial in to the VPN network when they want to access the Internet. The VPN server is the router. After dial-in they get a new IP address, such as 172.16.0.31, and can then browse the Internet.

Creating an icon for the VPN connection

Click Start - Settings - Control Panel - Network and Dial Up Connections - Make New Connection to add a new connection. This will start the Network Connection Wizard, where you enter the following settings:

  • Connect to a private network through the Internet
  • Do not dial initial connection (if you have a permanent connection, e.g. Telenet or ADSL) or select the dial-in connection to your Internet Provider. 
  • Host name or IP address: 192.168.0.1 
  • Select For All Users or Only for Myself depending on the number of users for that PC and their use of VPN. Usually Only for Myself will suffice. 
  • Finally, enter a name for the connection, e.g. VPN rug.

Using the VPN connection

  • Click My Computer - Control Panel - Network and Dial Up Connections and select VPN rug. Enter your login (username) and your VPN-password and click OK.
  • If the connection is successful you will see an additional icon in the bottom right corner of your screen (in the system tray). Now internal UGent information will be accessible to you. 
  • If you want to close the VPN connection, double-click the icon in the system tray and select Disconnect. Disconnect the VPN connection whenever you don't need it.

WiFi AP

The WiFi AP acts only as a hub, so it needs no authentication here. You can disable authentication, such as 802.1x, on the AP.

Router

The Cisco router acts as the DHCP server that provides IP addresses for the WLAN, and as the VPN server (PPTP in this design) for VPN clients. Configure the following rules on the router:

  • Assign 192.168.*.* to DHCP users.
  • 192.168.*.* can only access 192.168.*.*.
  • Assign 172.16.*.* to VPN users.
  • Only VPN users can access the Internet.
  • All VPN users shall be authenticated by the RADIUS server.
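
The five rules above could be expressed in Cisco IOS roughly as follows. This is an added example, not configuration from the original page: the interface name, the RADIUS server address 192.168.0.20, the pool and ACL names, the MPPE/MS-CHAPv2 settings and the shared-secret placeholder are assumptions, and the Internet uplink and NAT are not shown.

```cisco
! Constructed example: names, addresses and the interface are assumptions.
!
! Rule 5: PPP (VPN) logins are authenticated against the RADIUS server
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
radius-server host 192.168.0.20 auth-port 1812 acct-port 1813 key RADIUS-SHARED-SECRET
!
! Rule 1: free WLAN clients get 192.168.x.x by DHCP
! (.1 to .30 reserved for router, web server, RADIUS server, APs)
ip dhcp excluded-address 192.168.0.1 192.168.0.30
ip dhcp pool WLAN
 network 192.168.0.0 255.255.0.0
 default-router 192.168.0.1
!
! Rule 3: PPTP dial-in users get an address from the 172.16 pool
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
!
ip local pool VPN-POOL 172.16.0.2 172.16.0.254
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool VPN-POOL
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
! Rules 2 and 4: anything arriving on the WLAN interface may only reach
! 192.168.x.x. PPTP itself (TCP 1723 and GRE to 192.168.0.1) is covered by
! the second entry; Internet-bound traffic is accepted only from the tunnel.
ip access-list extended WLAN-IN
 permit udp any eq bootpc any eq bootps
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny   ip any any log
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.0.0
 ip access-group WLAN-IN in
```

Because the ACL is bound to the WLAN interface rather than written as a global rule on source address, a packet that arrives untunnelled with a 172.16 source address is dropped and logged instead of being treated as paid traffic.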

Radius server

PowerRadius (provided by www.new-saga.com) supports this model. You can use PowerRadius to authenticate each VPN user's username/password, and can bind the account to the user's MAC address.

For business, you can sell prepaid card services, 24-hour services, 10 MB services, etc. In short, you have many choices.

Benefits

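  • Windows WiFi users can always access the WLAN with default settings, and they usually don't know how to configure 802.1x and so on. This solution works with the default settings of the Windows OS.
  • Windows WiFi users can access the WLAN as a free service.
  • Windows WiFi users can access the Internet after payment. It's easy to use because the VPN dial-in application has the traditional GUI. Its protection comes from the VPN tunnel running over TCP/IP: since the WLAN itself is unauthenticated, the tunnel is the only protection for paid traffic, so it is only as strong as the PPTP authentication and encryption settings configured on the router.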
