Best practices connecting two remote locations via WiFi

Hello everyone!

I'm seeking advice on how to connect two locations which are around 800m apart. I have already played with some outdoor CPE devices and got a stable connection between the two devices.

One problem is that one of the remote locations needs to have the AP right beside the road without any possible protection. Therefore I want to configure this device to be as locked down as possible, so that even in the event of theft it should not allow network access.

So the situation is something like this:

:signal_strength: Location 1 AP ------eth------ CPE (:motorway:) ------wifi------ CPE ------eth------ Location 2 AP ------ :cloud:

All devices are OpenWrt capable and the idea is to allow Location 1 access to the world wide web without giving access to the LAN from Location 2. A nice bonus would be to have access to the Location 1 LAN from Location 2 (as all administration happens there!)

Any thoughts, ideas or prayers on how to approach this? I prefer a rather simple solution when possible!

The approach would probably be to consider the road-side APs and their WLAN credentials to be compromised. That does not imply you shouldn't try physical hardening or using good encryption, just that these devices and their wireless link need to be considered untrusted; no kind of software settings can really change that.

Treat the link as untrusted in your topology, as part of the open web, and run a VPN (e.g. WireGuard) link over it (not on the devices that are potentially accessible to the public, but on the routers/APs behind that) - and don't allow any unencrypted (non-VPN) traffic at all.


That sounds like the go-to solution.

Essentially running a WireGuard link from Location 1 AP to the CPE on Location 2 or even all the way down to Location 2 AP (maybe better because this is the device with the WAN interface).

Regarding the wireless connection between the two CPEs - what would be the best way to harden that software-wise? The usual thing coming to mind is a dedicated SSID on the CPE2 Location and some MAC reservation (obviously could be easily spoofed). Anything other than a long/strong password for the local device to take into consideration?

I'm wondering if it is possible to not save any settings (including the WiFi key etc.) to flash but only keep them in RAM. The moment a person takes the CPE away it would be nothing more than a factory-default OpenWrt device without any "knowledge"....

Best would be if the Location 1 AP, which is connected via Ethernet to the road-side CPE, would actually (temporarily) provision the device (as described) so it could recover automagically after a power fault :thinking:

Does something in this direction exist (yet) or is this just a weird thought that shouldn't be investigated further?

If you properly firewall the CPE SSID (like allowing only the WireGuard port), don't worry about securing the config.

Any hint on how to do this? Is a firewall rule on Location 2 CPE enough for this?

Correct, just treating the link as insecure should actually be sufficient (only use it for e2e encrypted traffic).

It depends on where you can/want to do the firewalling - Location 2 CPE or AP - and yes, a firewall rule should be enough.
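
As an added illustration of the firewall approach suggested in the replies above (not part of the original thread): a sketch of `/etc/config/firewall` on the Location 2 AP. It assumes the Ethernet port facing the Location 2 CPE is a separate interface named `link`, the WireGuard interface is `wg0` listening on UDP 51820, and the default `lan` and `wan` zones exist; all of these names and the port number are assumptions.

```uci
# Untrusted segment: CPE2, the wireless bridge and CPE1 (assumed interface 'link').
# Nothing is accepted from it or forwarded from it by default.
config zone
	option name 'link'
	list network 'link'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The only traffic accepted from the untrusted segment: WireGuard (assumed port).
config rule
	option name 'Allow-WireGuard-from-link'
	option src 'link'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

# Tunnel zone: Location 1 traffic arriving through wg0 (assumed interface name).
# input REJECT means Location 1 clients cannot reach services on this router,
# so they need their own DNS resolver or an extra rule for it.
config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Location 1 may reach the internet through this router's WAN ...
config forwarding
	option src 'wg'
	option dest 'wan'

# ... and Location 2 LAN may open connections into Location 1 for administration.
# There is deliberately no 'wg' -> 'lan' forwarding, so Location 1 cannot
# initiate connections into the Location 2 LAN.
config forwarding
	option src 'lan'
	option dest 'wg'
```

With no forwarding defined out of `link`, a stolen CPE or a recovered WLAN key gives access only to the WireGuard port, which does not answer without a valid peer key.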