The example network for which a configuration will be described (my own home network) is set up according to the following diagram:
In order for wireless clients to be able to access the Internet, a static route will have to be added on the router with the following parameters:
The 802.11g AP is an off-the-shelf Netgear WG602, with no security features (WEP, MAC filtering, disabling SSID broadcast, etc.) turned on. All security will be offloaded to our server/wireless firewall machine.
The multihomed host shown between the Ethernet switch and the wireless network is the wired endpoint referred to in subsequent discussion. For hardware I recommend no less than a Pentium-class CPU at 300 MHz with 64 MB RAM; my own system is a 1 GHz Athlon with 640 MB RAM, and it easily handles the VPN software alongside the other services for my network. While it is hard to find hard disks smaller than 20 GB these days, that much storage is overkill for this machine; between binaries, logs, and ancillary configuration data, I would be very much surprised if it takes more than 2 GB.
No IP address is given in the diagram for the eth1 interface of the wired endpoint. The reason for this is that the IP address assigned will be determined by which VPN solution you choose; how this determination is made will be explained in the sections devoted to each VPN system.
The segment of network we are worried about securing is between all hosts on the 10.42.1.0/24 network and the wired endpoint. In our discussion below we will use 10.42.1.100 as a nominal IP address for our wireless node; where required, adaptations for DHCP will be introduced.
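Since all security is offloaded to the wired endpoint, the first thing a practitioner would want on that machine is a default-deny filter on its wireless-facing interface, so that the only traffic the 10.42.1.0/24 side can deliver is the VPN itself. The following script is an added example, not code from the original article; it assumes the endpoint runs Linux with iptables, that eth1 is the interface facing the access point, and that the VPN listens on a single UDP port (VPN_PORT is a placeholder to be set once a VPN system is chosen). The optional DHCP allowance covers the case mentioned above where the wireless node gets its address by DHCP, since a DHCP discover arrives with a 0.0.0.0 source and would otherwise be dropped by the anti-spoofing rule.

```shell
#!/bin/sh
# Added example (not from the original article): a default-deny filter for the
# wireless-facing interface of the wired endpoint. Assumptions not stated on the
# page: Linux/iptables, eth1 faces the access point, and the VPN uses one UDP port.

WLAN_IF="${WLAN_IF:-eth1}"               # assumed wireless-facing interface
WLAN_NET="${WLAN_NET:-10.42.1.0/24}"     # wireless subnet from the article
VPN_PORT="${VPN_PORT:-VPN_PORT_PLACEHOLDER}"   # placeholder: set for your VPN
ALLOW_DHCP="${ALLOW_DHCP:-0}"            # set to 1 if the endpoint serves DHCP

# Print the iptables commands instead of executing them when DRY_RUN=1 or when
# not running as root, so the rule set can be reviewed before it is applied.
run() {
    if [ "${DRY_RUN:-0}" = "1" ] || [ "$(id -u)" != "0" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

wireless_filter_rules() {
    # Dedicated chain for traffic arriving from the wireless side; create it if
    # missing, then flush it so the script can be re-run safely.
    run -N WLAN_IN 2>/dev/null
    run -F WLAN_IN

    # Remove the jump left by a previous run, then hook the chain into INPUT.
    run -D INPUT -i "$WLAN_IF" -j WLAN_IN 2>/dev/null
    run -I INPUT -i "$WLAN_IF" -j WLAN_IN

    # DHCP discover/request packets carry a 0.0.0.0 source, so they must be
    # accepted before the anti-spoofing rule below if the endpoint serves DHCP.
    if [ "$ALLOW_DHCP" = "1" ]; then
        run -A WLAN_IN -p udp --sport 68 --dport 67 -j ACCEPT
    fi

    # Anything on eth1 not sourced from the wireless subnet is spoofed: drop it.
    run -A WLAN_IN ! -s "$WLAN_NET" -j DROP

    # Replies to connections the endpoint itself opened toward the wireless side.
    run -A WLAN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The VPN port is the only service the unencrypted wireless side may reach.
    run -A WLAN_IN -p udp --dport "$VPN_PORT" -j ACCEPT

    # Everything else from the wireless side is logged and dropped.
    run -A WLAN_IN -j LOG --log-prefix "WLAN-DROP: "
    run -A WLAN_IN -j DROP

    # Plaintext wireless traffic is never forwarded; only traffic that has been
    # decapsulated by the VPN (on its tunnel interface) may cross the endpoint.
    run -D FORWARD -i "$WLAN_IF" -j DROP 2>/dev/null
    run -A FORWARD -i "$WLAN_IF" -j DROP
}

# Apply only when invoked explicitly, e.g. "sh wlan-filter.sh apply".
if [ "${1:-}" = "apply" ]; then
    wireless_filter_rules
fi
```

Run it once with `DRY_RUN=1 sh wlan-filter.sh apply` to read the generated rules before applying them as root. One caveat worth knowing: if the VPN chosen is kernel-native IPsec rather than a tunnel-interface VPN, decrypted packets reappear on eth1 after decapsulation, and the FORWARD drop would have to be narrowed with an IPsec policy match (`-m policy --dir in --pol ipsec`) so that protected traffic is still forwarded.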