[2024-feb-29] Sad news: Eric Layton aka Nocturnal Slacker aka vtel57 passed away on Feb 26th, shortly after hospitalization. He was one of our Wiki's most prominent admins. He will be missed.
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision | ||
howtos:network_services:running_an_access_point_from_a_slackware_box [2016/10/21 07:44 (UTC)] – [4.7.1 Wired Clients] louigi600 | howtos:network_services:running_an_access_point_from_a_slackware_box [2022/11/13 04:21 (UTC)] – [5.5 Virtual AP] louigi600 | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Setting up a WiFi Access Point on your Slackware Box ====== | ====== Setting up a WiFi Access Point on your Slackware Box ====== | ||
You should read this, regardless of whether you are a Slackware enthusiast or not, because you will find most of it applicable to other distributions too. | You should read this, regardless of whether you are a Slackware enthusiast or not, because you will find most of it applicable to other distributions too. | ||
+ | I have recently reused most of this on a debian/ | ||
====== 1 Preamble ====== | ====== 1 Preamble ====== | ||
There are endless reasons for wanting to run an AP from a standard Linux environment as opposed to the crippled ones that come in most AP appliances, we're not here to discuss them all but if you're reading this you've found your own motivation for doing it. | There are endless reasons for wanting to run an AP from a standard Linux environment as opposed to the crippled ones that come in most AP appliances, we're not here to discuss them all but if you're reading this you've found your own motivation for doing it. | ||
Line 15: | Line 16: | ||
Look at the section | Look at the section | ||
| | ||
- | software | + | Supported |
* AP/VLAN | * AP/VLAN | ||
* monitor | * monitor | ||
- | AP need to be amongst | + | AP needs to be among the Supported |
+ | |||
+ | Ok there is still some Wireless NICs that support hardware master mode but that's 3 against all the rest I'm not going to bother going into any detail with those 3 exceptions, google is your friend if you want to insist in the hardware master mode way. | ||
+ | |||
+ | |||
+ | Should you want to have Virtual Access Poits (more than one AP on a single physical wireless NIC) you will want to look at the section "valid interface combinations" | ||
+ | Here's the output from two cards : | ||
+ | |||
+ | [root@nuc8i5 ~]# for Phy in $(iw dev |grep ^phy); do echo " | ||
+ | phy#1 | ||
+ | valid interface combinations: | ||
+ | * #{ AP, mesh point } <= 8, | ||
+ | total <= 8, #channels <= 1 | ||
+ | phy#0 | ||
+ | valid interface combinations: | ||
+ | * #{ managed } <= 1, #{ AP, P2P-client, P2P-GO } <= 1, #{ P2P-device } <= 1, | ||
+ | total <= 3, #channels <= 2 | ||
+ | [root@nuc8i5 ~]# | ||
+ | |||
+ | The first one would allow more than on vAP (up to a maximum of 8) but they all got to be on the same channel. | ||
+ | The second one would allow for one AP and one managed client to be used at the same time even of different channels but the total number of live APs need to be no more than one. | ||
====== 3 Software Requirements ====== | ====== 3 Software Requirements ====== | ||
Line 71: | Line 92: | ||
* rp-pppoe (*) | * rp-pppoe (*) | ||
- | (*) only if you want your AP to actually manage your internet connection. | + | (*) only if you want your AP to actually manage your internet connection |
===== 3.3 Other Software ===== | ===== 3.3 Other Software ===== | ||
* hostapd | * hostapd | ||
+ | * miniupnpd (only required if you have appliances that require upnp) | ||
- | Hostapd is not shipped with Slackware | + | Neither of these are included in the slackare installation |
To obtain hostapd you could either download a binary version from some reliable source or compile it from sources. You might be slightly better off compiling from sources, so that you get e fairly recent version, but it's up to you. Just don't try using really old hostapd versions like 0.6.7 on 2.6+ kernels: hostapd has followed the kernel wireless stack drivers and transitioned from only supporting FullMAC devices to supporting SoftMAC on almost all devices trough nl80211. Nowadays the combination of both hardware and driver supporting FullMAC is hard to come by (Prism2/ | To obtain hostapd you could either download a binary version from some reliable source or compile it from sources. You might be slightly better off compiling from sources, so that you get e fairly recent version, but it's up to you. Just don't try using really old hostapd versions like 0.6.7 on 2.6+ kernels: hostapd has followed the kernel wireless stack drivers and transitioned from only supporting FullMAC devices to supporting SoftMAC on almost all devices trough nl80211. Nowadays the combination of both hardware and driver supporting FullMAC is hard to come by (Prism2/ | ||
- | Hostapd sources can be downloaded from [[http:// | + | Hostapd sources can be downloaded from [[http:// |
Compiling hostapd is really simple: | Compiling hostapd is really simple: | ||
- extract the sources | - extract the sources | ||
Line 87: | Line 109: | ||
- edit the defconfig file and enable any optional features you need (default is fine for a simple setup) | - edit the defconfig file and enable any optional features you need (default is fine for a simple setup) | ||
- copy the defconfig file to .config | - copy the defconfig file to .config | ||
+ | - make a softlink for netlink includes (cd / | ||
- make | - make | ||
- make install (or optionally just put in / | - make install (or optionally just put in / | ||
Line 95: | Line 118: | ||
If your AP also acts a router it's probably going to be exposed to malware and even if you do your best to keep malicious users out of your work they might still find a way in. If your router is exposed to internet you might want to consider some sort of file integrity tool that would alert you if files have been tampered with. File integrity checking could be a whole article so I'm not going to go into any detail beyond advising to read more about it on security oriented communities like [[http:// | If your AP also acts a router it's probably going to be exposed to malware and even if you do your best to keep malicious users out of your work they might still find a way in. If your router is exposed to internet you might want to consider some sort of file integrity tool that would alert you if files have been tampered with. File integrity checking could be a whole article so I'm not going to go into any detail beyond advising to read more about it on security oriented communities like [[http:// | ||
====== 4 Configuring ====== | ====== 4 Configuring ====== | ||
- | Now let's have a look at how to configure everything | + | Now let's have a look at how to configure everything |
===== 4.1 Hostapd ===== | ===== 4.1 Hostapd ===== | ||
Line 114: | Line 137: | ||
* hw_mode=g | * hw_mode=g | ||
* channel=6 | * channel=6 | ||
+ | * ieee80211d=1 | ||
+ | * country_code=IT | ||
+ | * ieee80211n=1 | ||
+ | * auth_algs=1 | ||
* macaddr_acl=1 # see notes below | * macaddr_acl=1 # see notes below | ||
* # 0 = accept unless in deny list (iptables mac filtering and optionally have a ban list) | * # 0 = accept unless in deny list (iptables mac filtering and optionally have a ban list) | ||
Line 121: | Line 148: | ||
* wpa=2 | * wpa=2 | ||
* wpa_psk_file=/ | * wpa_psk_file=/ | ||
- | * wpa_key_mgmt=WPA-PSK | + | * wpa_key_mgmt=WPA-PSK |
- | * wpa_pairwise=TKIP | + | |
* rsn_pairwise=CCMP | * rsn_pairwise=CCMP | ||
* wpa_group_rekey=600 | * wpa_group_rekey=600 | ||
Line 177: | Line 203: | ||
* interface=br0 | * interface=br0 | ||
+ | * bogus-priv | ||
+ | * local=/ | ||
+ | * domain=local | ||
* except-interface=lo | * except-interface=lo | ||
- | * bind-interfaces | ||
* listen-address=192.168.0.1 | * listen-address=192.168.0.1 | ||
* dhcp-range=192.168.0.2, | * dhcp-range=192.168.0.2, | ||
* dhcp-leasefile=/ | * dhcp-leasefile=/ | ||
* conf-dir=/ | * conf-dir=/ | ||
+ | The options local and domain allow dnsmasq to tell clients they belong to a domain and in return serve as authoritative for that domain. Some distributions that use NetworkManager will not get local resolution to work unless yo define these 2 options. | ||
The options except-interface bind-interfaces and listen-address are particularly useful if you want to run more then one instance of dnsmasq. | The options except-interface bind-interfaces and listen-address are particularly useful if you want to run more then one instance of dnsmasq. | ||
Line 192: | Line 221: | ||
Now is a good time to configure your firwall protection. | Now is a good time to configure your firwall protection. | ||
Supposing that the box will be routing packages thought it I'll show some rules that you might find helpfull. | Supposing that the box will be routing packages thought it I'll show some rules that you might find helpfull. | ||
+ | |||
+ | Newer kernels nswitched to nftables but you can still use iptables to manipulate the kernel netfilter tables. | ||
+ | Actually if you want to move to using nftables but you are not familiar with the syntax you can save the kernel netfilter tables in netfilter format like this: | ||
+ | |||
+ | nft list ruleset > nftables.conf | ||
+ | |||
+ | Personally I'm still struggling with nft syntax so I will keep the rest of this chapter in iptabls syntax: you can convert, like I showed above, after you are done. | ||
+ | |||
This is the output of iptables-save, | This is the output of iptables-save, | ||
The iptables-save/ | The iptables-save/ | ||
Line 396: | Line 433: | ||
It should then be possible to restart rc.inet1 (or just rc.inet1 wlan0_down and rc.inet1 wlan0_up) and the client should associate. | It should then be possible to restart rc.inet1 (or just rc.inet1 wlan0_down and rc.inet1 wlan0_up) and the client should associate. | ||
+ | |||
+ | There' | ||
+ | |||
+ | # wpa_supplicant -B -W -Dwext -i wlan0 -c / | ||
+ | # wpa_cli | ||
+ | wpa_cli v2.4 | ||
+ | Copyright (c) 2004-2015, Jouni Malinen < | ||
+ | | ||
+ | This software may be distributed under the terms of the BSD license. | ||
+ | See README for more details. | ||
+ | | ||
+ | Selected interface ' | ||
+ | | ||
+ | Interactive mode | ||
+ | | ||
+ | > scan | ||
+ | OK | ||
+ | < | ||
+ | > scan_results | ||
+ | bssid / frequency / signal level / flags / ssid | ||
+ | 02: | ||
+ | a4: | ||
+ | 00: | ||
+ | > add_network | ||
+ | 0 | ||
+ | > set_network 0 ssid " | ||
+ | OK | ||
+ | > set_network 0 psk " | ||
+ | OK | ||
+ | > enable_network 0OK | ||
+ | OK | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | < | ||
+ | > save_config | ||
+ | OK | ||
+ | > quit | ||
+ | # | ||
+ | | ||
+ | If all went right and your wpa_supplicant.conf file had | ||
+ | update_config=1 | ||
+ | in it the above snippet would have saved the new network to wpa_supplicant.conf and associated you with it. | ||
+ | |||
+ | Remember that if you're associating with an non secured AP you need to use this: | ||
+ | > set_network 0 ssid " | ||
+ | OK | ||
+ | > set_network 0 key_mgmt NONE | ||
+ | OK | ||
+ | > | ||
+ | |||
==== 4.7.3 Other Linux Distributions Wireless Clients ==== | ==== 4.7.3 Other Linux Distributions Wireless Clients ==== | ||
- | I've tried various other flavor distributions ... most don't use wpa_gui for associating to AP but some sort of other tool that generally pops up when you click on the icon that notifies the presence of an Access Point. After a few headaches I found that best association success is achieved by forcing setup for hidden AP even if the AP I'm configuring has not the hidden essid. | + | I've tried various other flavor distributions ... most don't use wpa_gui for associating to AP but some sort of other tool that generally pops up when you click on the icon that notifies the presence of an Access Point. After a few headaches I found that best association success is achieved by forcing setup for hidden AP even if the AP I'm configuring has not the hidden essid. You can always use wpa_cli on the command line if it's shipped with whatever distro you prefer. |
Line 453: | Line 542: | ||
You can dump dnsmasq' | You can dump dnsmasq' | ||
- | root@router: | + | root@router: |
1411875361 00: | 1411875361 00: | ||
1411874427 0a: | 1411874427 0a: | ||
Line 507: | Line 596: | ||
Please note the above script only works on 2.6 kernels or above. This probably also applies to socklist. | Please note the above script only works on 2.6 kernels or above. This probably also applies to socklist. | ||
- | ====== 6 Wrapping It Up ====== | + | ===== 5.5 Virtual AP ===== |
+ | If your wireless NIC supports it you might like to run multiple virtual APs. As mentioned in Chapter 2 to be able to do this | ||
+ | you will need the "valid interface combinations" | ||
+ | If this is the case then you can add virtual AP like this | ||
+ | |||
+ | iw phy0 interface add vap0 type __ap | ||
+ | or | ||
+ | iw wlan0 interface add vap0 type __ap | ||
+ | |||
+ | this will create a new virtual AP, arbitrarily called vap0 on which you will need to activate a separate instance of hostapd as explained in Chapter 4. | ||
+ | Incidentally the type can be any of of these (as long as your wireless NIC supports them): | ||
+ | |||
+ | * monitor | ||
+ | * managed | ||
+ | * wds | ||
+ | * mesh | ||
+ | * ibss | ||
+ | * __ap | ||
+ | |||
+ | |||
+ | if you subsequentlt want to remove the virtual AP toy can terminate the hostapd running on it, optionally put the nick in down state and then tell iw you want to delete the virtual device: | ||
+ | |||
+ | iw vap0 del | ||
+ | |||
+ | |||
+ | ====== 6 Remote Administration ====== | ||
+ | I'm not advocating that allowing remote administration from your WAN connection is a good thing but there are times where it may be necessary so here are some tips for minimizing the risk of having your router suffering brute force attacks or other bad things happen to it. | ||
+ | |||
+ | I'm an old fashioned system administrator so for me remote administration is done via ssh, if you've added a nice web administration tool to your AP/Router keep in mind that running apache just for the sake of having remote web administration will expose you to a whole lot of security issues that need to be addressed and maintained over time. | ||
+ | |||
+ | - use non standard ports | ||
+ | - disallow password authentication | ||
+ | - minimize your attack surfaces | ||
+ | Let me give you a little reasoning for the list. | ||
+ | |||
+ | ===== 6.1 Use Non Standard Ports ===== | ||
+ | Whatever is your remote administration tool of choice it's a good idea not to leave access to it from WAN on it's well known port, making it less obvious that you run such a service. If you do this there' | ||
+ | |||
+ | ===== 6.2 Disallow Password Authentication ===== | ||
+ | Allowing password authentication is a welcome for brute force attacks so avoid it wherever possible (ie for ssh administrations only allow authentication with keys). If you're doing web based remote administration you could send in a key via get and then set a cookie or something like that along with password protected htaccess. | ||
+ | |||
+ | ===== 6.3 Minimize Your Attack Surfaces ===== | ||
+ | Your AP/Router should expose to the WAN connection nothing more then what is really needed. Scanning your own AP/Router and closing or disabling unnecessary services to WAN is something you should allays do so that you minimize the attack surfaces should you ever get unwanted attention. | ||
+ | |||
+ | ==== 6.3.1 Avoid Running Remote Administration 24x7 ==== | ||
+ | If you can have remote administration active only when you need it you're not leaving the attack surface available all the time but then you need an easy way to turn it on when you're away from home. | ||
+ | I've two means of doing so: | ||
+ | * If any family member is home it can be temporarily activated by pressing a specific button on the router itself (it's the second button under the blue led in the images below). | ||
+ | * If nobody is home I've modified a 200 line minimal web server (nweb) to listen to requests on a non standard port and temporarily allow remote administration if a specific url is requested. | ||
+ | |||
+ | Whichever way the temporary remote admin is enabled it also get's automatically turned off after some time (should you ever forget to turn it off once you're done). | ||
+ | |||
+ | Nweb is a really basic webserver that only servers static html images and a few archive formats, it does not even allow directory listing. Besides that I have it parse and enable before serving the page ... so if you don't physically have the page that enables the remote administration a 403 is returned anyway leaving no clue as to waht was done in response to that request. | ||
+ | |||
+ | If you're interested in nweb you can get it by googling "nweb tiny web server" | ||
+ | |||
+ | |||
+ | |||
+ | ====== 7 Wrapping It Up ====== | ||
Now that you've done the configuration maybe next time you want to start the AP you want to do it surely more efficiently. | Now that you've done the configuration maybe next time you want to start the AP you want to do it surely more efficiently. | ||
- | ===== 6.1 Simple Starter Script ===== | + | ===== 7.1 Simple Starter Script ===== |
Just put a few commands in a script to start it up really quickly: | Just put a few commands in a script to start it up really quickly: | ||
Line 529: | Line 676: | ||
If you want a neater solution totally integrated in the init scripts read on. | If you want a neater solution totally integrated in the init scripts read on. | ||
- | ===== 6.2 Modifying Slackware Init Scripts | + | ===== 7.2 Modifying Slackware Init Scripts |
I've not yet done this but I can suggest a possible way of doing it. | I've not yet done this but I can suggest a possible way of doing it. | ||
Line 564: | Line 711: | ||
- | ===== 6.3 Automating AP Startup For USB WiFi Dongles ===== | + | ===== 7.3 Automating AP Startup For USB WiFi Dongles ===== |
Udev is very powerful and can do a variety of actions upon detecting certain events, like the appearance of a NIC. In fact it already does that and renames interfaces according to MAC address (have a look at / | Udev is very powerful and can do a variety of actions upon detecting certain events, like the appearance of a NIC. In fact it already does that and renames interfaces according to MAC address (have a look at / | ||
Apart from renaming NICs and creating device files it can also execute commands or external helper scripts ... this is particularly handy if, for example, you wish that upon plugging a USB Ethernet dongle it automatically assigns an address via DHCP. | Apart from renaming NICs and creating device files it can also execute commands or external helper scripts ... this is particularly handy if, for example, you wish that upon plugging a USB Ethernet dongle it automatically assigns an address via DHCP. | ||
Line 683: | Line 830: | ||
I used to devote 2 usb dongle for this: one that would be left inserted most of the time and has random generated WAP-PSK (only for family use) and one that would get temporarily plugged in for guests with a much simple WPA-PSK to aid them accessing my home network. | I used to devote 2 usb dongle for this: one that would be left inserted most of the time and has random generated WAP-PSK (only for family use) and one that would get temporarily plugged in for guests with a much simple WPA-PSK to aid them accessing my home network. | ||
- | ==== 6.3.1 Automation With Custom Scripts ==== | + | ==== 7.3.1 Automation With Custom Scripts ==== |
Over the years trying to maintain modified rc scripts functional across updates that involved the rc scripts themselves became cumbersome so I started moving away from modifying the stock scripts and started developing my own stuff. Don't get me wrong I still use and appreciate the stock stuff for my desktop systems. | Over the years trying to maintain modified rc scripts functional across updates that involved the rc scripts themselves became cumbersome so I started moving away from modifying the stock scripts and started developing my own stuff. Don't get me wrong I still use and appreciate the stock stuff for my desktop systems. | ||
The idea behind my own scripts is based on udev detecting the interfaces (even at boot time). The basic idea is still the same: upon detection udev executes nethelper.sh script that looks for and executes / | The idea behind my own scripts is based on udev detecting the interfaces (even at boot time). The basic idea is still the same: upon detection udev executes nethelper.sh script that looks for and executes / | ||
Line 822: | Line 969: | ||
If you've gone so far you might want a neater way to deal with unplugging dongles as anything udev could possibly do would be too late. One possible approach is to use gpio pins with buttons attached to them and a script that monitors the button status and takes appropriate action when each button is pressed. I've done this on mi RPi2 with 5 buttons and 5 leds indicating whether the button press has been caught by the monitor script: one shuts down the RPI2 while the other 4 are for deactivating whatever is in the respective usb port to prepare it for unplugging. | If you've gone so far you might want a neater way to deal with unplugging dongles as anything udev could possibly do would be too late. One possible approach is to use gpio pins with buttons attached to them and a script that monitors the button status and takes appropriate action when each button is pressed. I've done this on mi RPi2 with 5 buttons and 5 leds indicating whether the button press has been caught by the monitor script: one shuts down the RPI2 while the other 4 are for deactivating whatever is in the respective usb port to prepare it for unplugging. | ||
Here's a [[http:// | Here's a [[http:// | ||
- | ====== | + | ====== |
Supposing you want all this but you don't want to leave a laptop or desktop on all the time you might want to put in on an embedded ARM system that will only use a fraction of the power required to run an X86 laptop/ | Supposing you want all this but you don't want to leave a laptop or desktop on all the time you might want to put in on an embedded ARM system that will only use a fraction of the power required to run an X86 laptop/ | ||
Well the official ARM Slackware port userland runs on almost any ARM device out in the market today. There is a number of machines that are officially supported from the ARM port and a god deal of [[http:// | Well the official ARM Slackware port userland runs on almost any ARM device out in the market today. There is a number of machines that are officially supported from the ARM port and a god deal of [[http:// | ||
Line 849: | Line 996: | ||
* save the random-seed to unused sector on flash when shutting down (rc.0 ... well it's a link to rc.6) and load it back to / | * save the random-seed to unused sector on flash when shutting down (rc.0 ... well it's a link to rc.6) and load it back to / | ||
- | You could optionally have fstab specify that root should be mounted ro like this: | + | You could optionally have fstab specify that root should be mounted ro like this: (example below is relative to when I was using ubifs on the DocStar) |
- | / | + | |
- | You will also haveto | + | You will also have to make some links in various places so that they end up writing in /run that has been mounted tmpfs. I do that manually just once with / mounted rw and then remount it ro. |
If you're interested in actually making such changes to the init scripts I've shared how I go about it on [[http:// | If you're interested in actually making such changes to the init scripts I've shared how I go about it on [[http:// | ||
- | ====== | + | ====== |
When you start doing your own stuff you may run into problems that are hard to debug because the cause is pretty much unexpected. | When you start doing your own stuff you may run into problems that are hard to debug because the cause is pretty much unexpected. | ||
Line 867: | Line 1014: | ||
Obviously there may be innumerable other trouble source you may run into (some of which you have no control ... like when your ISP makes clumsy NAT for you) but if you're doing your own stuff be prepared to put up and debug them. | Obviously there may be innumerable other trouble source you may run into (some of which you have no control ... like when your ISP makes clumsy NAT for you) but if you're doing your own stuff be prepared to put up and debug them. | ||
- | ====== | + | ====== |
You have set up an AP with entry level security and the most common options available in the low end appliances but you have gained: | You have set up an AP with entry level security and the most common options available in the low end appliances but you have gained: | ||
* ability to easily keep your AP software up-to date | * ability to easily keep your AP software up-to date | ||
Line 884: | Line 1031: | ||
I'm not going to miss my old low end AP, are you ? | I'm not going to miss my old low end AP, are you ? | ||
I replaced it with home-brew stuff from which this article is derived. | I replaced it with home-brew stuff from which this article is derived. | ||
- | Over the years I've done several remakes adding some new features. The last upgrade was 8 programmable | + | Over the years I've done several remakes adding some new features. The last upgrade was using a Friendlyelec NanoPi R1S with integrated wifi and 2 ethernet nics requiring no extra usb dongles. |
+ | |||
+ | Gen 5 (Friendlyelec NanoPI R1S) | ||
+ | |||
+ | {{howtos: | ||
+ | |||
+ | The original case has 2 issues: cappy internal antenna and tendency to overheat ... so I 3d-printed my own [[https:// | ||
+ | |||
+ | {{howtos: | ||
+ | |||
+ | Gen 4 (RPi2 with display) | ||
+ | |||
+ | {{howtos: | ||
+ | |||
+ | |||
+ | Gen 3 (RPi2 with buttons and leds) | ||
+ | |||
+ | {{howtos: | ||
+ | |||
+ | Gen 2 (RPi2 in aluminum Sandwich) | ||
+ | |||
+ | {{howtos: | ||
+ | |||
+ | Gen 1 (Seagate DocStar in aluminum Sandwich) | ||
- | {{http:// | + | {{howtos:network_services:g1_seagate_docstar.jpg| Seagate DocStart}} |
- | {{http:// | + | |
- | {{http:// | + | |