Yes, I think it will be a standard feature. What was stopping it from becoming commonplace was:
- Limitations in CPU horsepower and available memory. VPN encryption and processing is a rather large resource hog. However, recent advances in processor performance, dedicated encryption chips, and cheap DRAM have made VPN more accessible to the GUM (great unwashed masses).
- Lack of a standardized and free client. Windoze XP supports both IPSec and PPTP out of the box. With a little effort, L2TP also. However, configuration is complex, and Microsloth offers no diagnostics worthy of the name. 3rd party VPN clients work just fine, but cost money. I expect some dramatic improvements in the quality and ease of installation for VPN clients to come from the file sharing crowd, as they seem to be pioneering the technology at this time.
Nope. VPN encryption and replay prevention does a nice job of securing a wireless LAN. The local hospitals have such a system, where there is no encryption key, but you need a VPN client or SSL browser to use the system.
There are a few places where it's beneficial.
- If you want to protect the initial connection to the VPN or SSL server URL or IP address. This is sent unencrypted.
- If your access point has no provisions for preventing its use as a repeater. The local brats converted my neighborhood wireless LAN into their personal game network. None of the traffic hit the internet so the router was useless. They didn't even use TCP/IP as any protocol will go through a bridge. I eventually solved the problem by enabling "AP Protection" (which is really "client protection") and left encryption off.
- Accidental connections are common. They don't really do any damage but they sure mess up my log files. Encryption will keep them out.
- WPA Encryption is intimately entangled with authentication. If you need or want authentication outside the VPN, via perhaps a RADIUS server, then encryption might be a good idea to prevent sniffing and password recovery. Strictly speaking, VPN provides more than enough authentication so it's not really necessary unless you want both public and private access via a single access point. If you authenticate with the RADIUS server, you go to the internet but not the internal LAN. If you authenticate with the VPN, then you go to the internal LAN with a different gateway to the internet.