To secure the wireless connection we would like to put a VPN server between the access point and our network. Every WLAN client needs to establish a tunnel into the network via VPN.
We connected the VPN server directly to the LAN and tried to connect to our servers. It seems that we have only incoming traffic. When a server tries to answer WLAN client requests then those answers goes over the gateway (firewall/router) to the Internet instead of through the VPN server back to the WLAN client (an analysis whit ethereal shows this).
Is there a basic misunderstanding of the architecture of this configuration? Do we need to set a route somewhere?
You have added a VPN Server and AP to your network like this:
Internet----Router/Firewall----+----AppServers | +----VPN Server---WLAN Clients
Your AppServers currently use your Router/Firewall as their default route. They need to know to use the VPN Server as the next hop when returning traffic to VPN Clients. Let's assume that your WLAN Clients have IP addresses in the subnet 192.168.1.0. Let's assume that your Router/Firewall is 192.168.0.1, your AppServer is 192.168.0.2, and your VPN Server is 192.168.0.3. When a packet arrives from 192.168.1.1 (a WLAN client), the AppServer sends the response to its default gateway, 192.168.0.1. You want it to go instead to the VPN Gateway at 192.168.0.3. On the AppServer, add a route for 192.168.1.0 mask 255.255.255.0 via gateway 192.168.0.3. Also add this new route to your Router/Firewall so that it will know to redirect any packets it might receive to your VPN Server instead of forwarding them on to the Internet.
This was first published in March 2004