Raspberry Pi: Wifi AP-client

You have a wifi connection but need an Ethernet connection or need to share it with several computers over Ethernet? That can be easily accomplished with a Raspberry Pi. Sometimes I need two different internet connections for testing different setups. In addition to my own internet connection there is community wifi in public areas in my apartment complex. Since I live right by the pool I can connect to that wifi at my window. To make it easy to use I wanted a router that I could use as my default gateway on any computer or server to access the secondary internet connection. To accomplish this I used a Raspberry Pi 2 with the latest version of Raspbian.

Basic setup

I presume that people interested in doing this kind of setup have the basic knowledge needed to set up the Raspberry Pi, like expanding the file system and setting the root password. There are enough guides out there so I’m not going to cover that in this post. Instead we jump right into configuring the wifi. If you use a Raspberry Pi 3 you can use the built-in wifi, but this guide will work with any Raspberry Pi compatible dongle. Depending on the distance and quality of the signal you might need to opt for one with a better antenna.

If we run cat /etc/network/interfaces we can see that wlan0 refers to /etc/wpa_supplicant/wpa_supplicant.conf for configuration. So let’s go ahead and edit that configuration file with sudo nano /etc/wpa_supplicant/wpa_supplicant.conf. The contents look something like this:

[bash]country=GB
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1[/bash]

You can change the country to wherever you are but in most cases you can just leave it be. Some countries use different channels and might need additional configuration. I went with the basic GB even though I’m in the US and it works fine. Then we need to add the configuration for our network, just append it at the end. This guide is for a WPA2 secured network and you should not use anything else for security reasons.

[bash]
network={
ssid="xxxxxx"
psk="xxxxxx"
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP
auth_alg=OPEN
}
[/bash]

Here is a basic outline of what these parameters are for:

SSID – Name of the network you want to connect to.
PSK – Password for the network.
PROTO – RSN = WPA2, WPA = WPA1.
KEY_MGMT – WPA-PSK = Preshared key (regular wifi password setup), WPA-EAP = Authentication via enterprise authentication server.
PAIRWISE – CCMP = AES cipher (WPA2), TKIP = TKIP cipher (WPA1).
AUTH_ALG – OPEN = WPA2

Save that file and exit nano, now we can restart the connection and see that it works.

[bash]sudo wpa_action wlan0 stop
sudo ifup wlan0[/bash]

It will take a while for the DHCP to finish. Then we can check the status with sudo wpa_cli status. Now we want to make sure that the Raspberry Pi actually uses the internet connection from the wifi and not the local one. Also I want a static IP address on the Raspberry Pi since it’s going to be a router. In Raspbian Jessie this can’t be done from /etc/network/interfaces anymore so we need to add these two lines to /etc/dhcpcd.conf.

[bash]interface eth0
static ip_address=192.168.0.2/24[/bash]

This will make the IP-address 192.168.0.2, subnet mask will be 255.255.255.0 and the lack of default gateway will route all internet traffic over the wifi. I also disable ipv6 since my internal network uses that and I don’t want any traffic to spill over that connection. sudo nano /etc/sysctl.conf and add this line at the end:

[bash]net.ipv6.conf.all.disable_ipv6 = 1[/bash]

Then reload the settings and reboot the Raspberry Pi to get the new network settings.

[bash]sudo sysctl -p
sudo reboot[/bash]

Setup forwarding

After reconnecting to the new ip-address we need to enable forwarding. sudo nano /etc/sysctl.conf again and add this line:

[bash]net.ipv4.ip_forward = 1[/bash]

And then reload the settings

[bash]sudo sysctl -p[/bash]

Configure IPtables

Then we need to set up iptables to take care of forwarding, NAT and also security.

[bash]sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE[/bash]

Setup NAT from internal network (eth0) out onto the wifi (wlan0).

[bash]sudo iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT[/bash]

Allow all traffic from inside to outside.

[bash]sudo iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT[/bash]

Allow all established connections back in (let the response through).

[bash]sudo iptables -A INPUT -i lo -j ACCEPT[/bash]

Allow loopback traffic. This is very important otherwise some services will not work on the Raspberry Pi.

[bash]sudo iptables -A INPUT -i eth0 -p icmp -j ACCEPT[/bash]

Allow ping from the local network.

[bash]sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT[/bash]

Allow SSH from internal network.

[bash]sudo iptables -A INPUT -i eth0 -p tcp --dport 10000 -j ACCEPT[/bash]

Allow webmin from local network (see below).

[bash]sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT[/bash]

Allow responses to traffic we initiated.

[bash]sudo iptables -P FORWARD DROP
sudo iptables -P INPUT DROP[/bash]

Lock it down, disallowing all traffic we didn’t specify above.

[bash]sudo apt-get install iptables-persistent
sudo systemctl enable netfilter-persistent[/bash]

The first command installs the package that saves the iptables rules we just added, just answer yes to the questions in the install. The second command makes sure the saved rules are loaded again after a reboot. If you change any iptables rules after this just run the command below to save them. A reference to iptables can be found here http://ipset.netfilter.org/iptables.man.html

[bash]sudo netfilter-persistent save[/bash]

Now our new router is ready to rock! Just change the local clients’ default gateway to 192.168.0.2 and you will go out to the internet over the new connection.
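
The rules above only protect the Pi if both default policies really are DROP and nothing accepts new connections arriving on wlan0. As an added example (not part of the original post), this script checks iptables-save output for exactly that; the function name audit_ruleset and both sample dumps are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the original post: audit iptables-save output
# against the rule set built above (eth0 = inside, wlan0 = shared wifi).
# Reads the dump on stdin, prints one FAIL line per finding, returns 0/1.
audit_ruleset() {
    awk '
        /^\*/ { table = substr($0, 2) }   # "*filter" or "*nat" section header
        table == "filter" && /^:INPUT /   { in_pol  = $2 }
        table == "filter" && /^:FORWARD / { fwd_pol = $2 }
        table == "nat" && /^-A POSTROUTING / && /-o wlan0 / && /-j MASQUERADE/ { nat = 1 }
        # An ACCEPT that is neither bound to lo/eth0 nor limited to reply
        # traffic also admits new connections coming from the shared wifi.
        table == "filter" && /^-A (INPUT|FORWARD) / && /-j ACCEPT/ &&
            !/-i (lo|eth0) / && (!/ESTABLISHED/ || /NEW/) {
            print "FAIL: reachable from wlan0: " $0; bad = 1
        }
        END {
            if (in_pol  != "DROP") { print "FAIL: INPUT policy is " in_pol;    bad = 1 }
            if (fwd_pol != "DROP") { print "FAIL: FORWARD policy is " fwd_pol; bad = 1 }
            if (!nat) { print "FAIL: no MASQUERADE rule on wlan0"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: a dump matching the commands in this post.
SAMPLE_GOOD='*nat
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
# Constructed sample: policy left at ACCEPT, webmin opened on every interface.
SAMPLE_BAD='*nat
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_GOOD" | audit_ruleset && echo "good sample: clean"
printf '%s\n' "$SAMPLE_BAD"  | audit_ruleset || echo "bad sample: findings above"
```

On the Pi itself, feed it the live rules with sudo iptables-save | audit_ruleset.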

Install additional packages

Since I’m going to use this for testing purposes I want quick access to config of iptables for example. For this I want to install webmin which is a web based UI for configuring different services on Linux systems. First we need to add the webmin repository to our sources list, so sudo nano /etc/apt/sources.list and add these two lines at the end.

[bash]deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib[/bash]

Install the repository key so the packages can be verified.

[bash]wget http://www.webmin.com/jcameron-key.asc
sudo apt-key add jcameron-key.asc[/bash]

Then update and install.

[bash]sudo apt-get update
sudo apt-get install webmin[/bash]

Now you can browse to https://192.168.0.2:10000 and login with your pi account. There is extensive documentation for this software online so I’m not going deeper into it in this post but it’s an easy way to change the configuration of your box without the need to SSH into it each time. I also want speedtest-cli installed so I can test the speed of the connection. It’s just a CLI implementation of the speedtest.net website so you can test the connection speed.

[bash]sudo apt-get install speedtest-cli[/bash]

 
