P2P block and WPA2/3

Firstly, which WPA will you recommend to use?
I have read some information about these two protocols and both are vulnerable: WPA2 to death, WPA3 to TunnelCrack. Which vulnerability is most dangerous and which would you recommend using?
Secondly, how do I block P2P traffic? I don't want to be fined just because one of the guests downloaded something. It would be absolutely best if I were able to block gambling and 18+ sites as well.

Platform RPI4

WPA2/WPA3 -> you can run two access points that differ only in protocol, with the same name and password; that is more interoperable than SAE mixed mode.


Did you mean Dragonblood?

TunnelCrack is a VPN vulnerability. In any case a WPA3-only SSID is not vulnerable to this attack.

You misunderstand how the process works, but in any case (it's your ISP that would be fined, you would get disconnected), only allow ports like 53, 80 and 443. It will seriously degrade the ability of P2P software.
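One way to implement the port-restricted guest network described in the reply above, written here as an added example rather than anything posted in this thread: it prints the `uci` batch commands for an OpenWrt firewall zone whose only path to the Internet is TCP/UDP 53, 80 and 443, plus the DHCP and DNS traffic the guests need to reach the router itself. The interface name `guest`, the upstream zone name `wan` and the rule names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate the OpenWrt firewall (uci)
# configuration for a locked-down guest zone that may only reach the Internet
# on TCP/UDP 53, 80 and 443.
# Assumptions: a logical interface named "guest" already exists in
# /etc/config/network, and the upstream zone is called "wan" (OpenWrt default).

GUEST_NET="${GUEST_NET:-guest}"   # assumed guest interface name
WAN_ZONE="${WAN_ZONE:-wan}"       # assumed upstream zone name

# Print the uci batch commands for the guest zone. Nothing is applied here,
# so the output can be reviewed before it touches the router.
guest_firewall_uci() {
    cat <<EOF
set firewall.guest=zone
set firewall.guest.name='guest'
set firewall.guest.input='REJECT'
set firewall.guest.output='ACCEPT'
set firewall.guest.forward='REJECT'
add_list firewall.guest.network='${GUEST_NET}'
set firewall.guest_dhcp=rule
set firewall.guest_dhcp.name='Guest-DHCP'
set firewall.guest_dhcp.src='guest'
set firewall.guest_dhcp.proto='udp'
set firewall.guest_dhcp.dest_port='67'
set firewall.guest_dhcp.target='ACCEPT'
set firewall.guest_dns=rule
set firewall.guest_dns.name='Guest-DNS'
set firewall.guest_dns.src='guest'
set firewall.guest_dns.proto='tcp udp'
set firewall.guest_dns.dest_port='53'
set firewall.guest_dns.target='ACCEPT'
set firewall.guest_web=rule
set firewall.guest_web.name='Guest-Web-Only'
set firewall.guest_web.src='guest'
set firewall.guest_web.dest='${WAN_ZONE}'
set firewall.guest_web.proto='tcp udp'
set firewall.guest_web.dest_port='53 80 443'
set firewall.guest_web.target='ACCEPT'
EOF
}

# Feed the commands to uci, commit and reload the firewall (router only).
apply_guest_firewall() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found; not on OpenWrt?" >&2; return 1; }
    guest_firewall_uci | uci batch && uci commit firewall && /etc/init.d/firewall restart
}

case "${1:-show}" in
    apply) apply_guest_firewall ;;
    *)     guest_firewall_uci ;;   # default: just show what would be configured
esac
```

Run it without arguments to review the generated commands, or with `apply` on the router to hand them to `uci batch`, commit and restart the firewall. Because no `forwarding` section from `guest` to `wan` is created, anything not matched by the `Guest-Web-Only` rule falls under the zone's `forward='REJECT'` policy. Leaving port 53 open towards the WAN lets guests use any public resolver; if a DNS blocklist on the router is meant to apply to them, drop `53` from that rule so they can only resolve through the router's own dnsmasq.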

https://openwrt.org/docs/guide-user/services/captive-portal/opennds

Have a look at the walled garden? But then you need a huge DNS list. I guess the alternative is to use some of the adblock stuff for the IP address lookup of domains for the p2p/18+ stuff?
https://opennds.readthedocs.io/en/stable/walledgarden.html

There will always be a workaround IMO. You just need to mitigate and/or figure out what your liability actually is and then go with that. Need to be careful about how you're doing this, though? What sort of "guests" are these?

Captive portal, with terms of service, perhaps bandwidth accounting, and some other simple limits with firewall should be sufficient. Plus maybe some QoS stuff?

Captive portal and then only allowing certain sites over http/https is certainly possible with OpenWrt?

I've had a play with inline "intrusion prevention systems" and packet inspection for blocking P2P traffic. I haven't run it in the wild though.... I've helped a client play whack-a-mole with third-party contractors using a proprietary IDS though, hahaha. Similarly, if it's a corporate environment you can enforce an (https) proxy and also have "endpoint" software that effectively rootkits the device and monitors everything.....

But IMO that only really works when you can "motivate" your users (and legally do the traffic inspection) to behave in the first place.