Configure VPN server on firewall to secure local WiFi connection

0brand · June 30, 2019, 10:00am

Both WPA2 and WPA3 have numerous vulnerabilities (known and likely unknown). Lets assume:

The attacker somehow already has the WPA2(3) encryption key.
You have an firewall distribution on which you can configure a VPN (server) for you laptop VPN (client) to secure local WiFi connections.

If the VPN is configured properly, and the firewall is locked down, can the attacker gain access to the firewall?
Could an OTP (for expample, Google Authenticator ) be used to further lock down the VPN?
Note: its possible to set up I’m just curious if it would be worth the effort.

Why do this?

I’m assuming not everyone sits at a desk with their laptop plugged into an ethernet port. Actually I bet most people don’t. This could enhance security for the majority of end users.

And it looks like it would be fun to experiment with. So lets keep this on topic. i.e. not about how bad WPA is.

Patrick · June 30, 2019, 11:50am

0brand via Whonix Forum:

The WPA2 and WPA3 has numerous vulnerabilities (known and likely unknown). Lets assume:

The attacker somehow already has the WPA2(3) encryption key.

You have an firewall distribution on which you can configure a VPN (server) for you laptop VPN (client) to secure local WiFi connections.

If the VPN is configured properly, and the firewall is locked down, can the attacker gain access to the firewall?

I don’t think so. Connections between VPN clients and VPN servers should
be secure. Whether a tiny part (in destination) of the connection is
properly secured or not (from notebook to home router) should not
influence anything.

Could an OTP (for expample, Google Authenticator ) be used to further lock down the VPN?

Not directly, not that I know. 2FA (perhaps yubikey) can be used as a
second factor for 2FA authentication to the VPN and/or SSH.

Attempts on describing the threat model for 2FA: