AccessPoint
Introduction
FreeBSD is very well suited for use as a wifi access point, as it has 'master mode' support for a variety of wifi network cards out of the box, including Ralink and Atheros cards.
There are many difficulties in setting up a wireless network access point on Linux. Some of the problems include:
- You must use a kernel that is yet-to-be released (2.6.26-rc4).
- You must patch the kernel. Patch
- You must compile a recent libnl (I used libnl-1.1-r1, on Gentoo) against the custom kernel.
- On Gentoo you need to copy nl80211.h from your kernel directory to /usr/include/linux
- Finally, you need to compile a git version of hostapd...
All of the above steps must be completed for maximum support of various wireless network cards. Most other steps are fairly similar to those on FreeBSD.
The hardware
I used:
- 2 Realtek PCI 10/100 cards, on FreeBSD. These cards are recognized as rl0 and rl1. (Interface aliasing might also work, but I had 2 cards.)
- 1 Ralink rt2500 PCI card, on FreeBSD. This card is recognized as ral0.
The installation and configuration
- Install FreeBSD as usual (I used FreeBSD 7.0).
- Enable ssh logins during the installation, or add this to your /etc/rc.conf:
sshd_enable="YES"
- If you have a DHCP modem, add the following to your /etc/rc.conf (replacing rl0 by your wired card interface name):
ifconfig_rl0="DHCP"
Otherwise, we'll see PPPoE later.
Wireless
- Then type the following command as root (replacing ral0 by your wifi card interface name):
ifconfig ral0 inet 192.168.1.1 netmask 255.255.255.0 ssid freebsdap mediaopt hostap channel 4
Note that in the FreeBSD handbook "inet" is placed incorrectly. Pay attention to "channel 4" as well: I tried without it and it didn't work. Then try to associate a client running an operating system such as *BSD or GNU/Linux and ping it. If something goes wrong (the ping gets no answer), simply type dmesg and look for messages about your wifi card (such as association messages).
Under GNU/Linux, type as root (replacing wlan0 by your wifi card interface name):
ifconfig wlan0 up
iwlist wlan0 scan
iwconfig wlan0 essid "freebsdap"
ifconfig wlan0 192.168.1.100 netmask 255.255.255.0
ping 192.168.1.1
Under FreeBSD, type as root (replacing ral0 by your wifi card interface name):
ifconfig ral0 up
ifconfig ral0 list scan
ifconfig ral0 inet 192.168.1.100 netmask 255.255.255.0 ssid freebsdap
ping 192.168.1.1
Then, if you can see the wireless network and can ping it, simply add the following to /etc/rc.conf:
ifconfig_ral0="inet 192.168.1.1 netmask 255.255.255.0 ssid freebsdap mediaopt hostap channel 4"
dns and dhcp
Your wireless network is now working, so we can install a DNS and DHCP server. For simplicity we will use dnsmasq. Type the following as root:
cd /usr/ports/dns/dnsmasq
make config
Then unselect IPv6 unless you need it, and unselect DBus because we won't use it. Then type the following as root:
make
make install
Then we need to configure dnsmasq: edit /usr/local/etc/dnsmasq.conf with your favorite editor and add the following:
# filter what we send upstream
domain-needed
bogus-priv
filterwin2k
localise-queries
# allow /etc/hosts and dhcp lookups via *.lan
local=/lan/
domain=workgroup
expand-hosts
#resolv-file=/tmp/resolv.conf.auto
dhcp-authoritative
#dhcp-leasefile=/tmp/dhcp.leases
# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers
# other useful options:
# default route(s):
dhcp-option=3,192.168.1.1
# dns server(s):
dhcp-option=6,192.168.1.1
dhcp-range=192.168.1.100,192.168.1.255,255.255.255.0,12h
The file doesn't need much explanation, except for read-ethers: it lets you assign a static IP to a given MAC address, so edit /etc/ethers with entries like this:
00:14:85:11:EF:02 192.168.1.106
And in order to give a DNS name to this entry, edit /etc/hosts and add an entry like this:
192.168.1.106 Ralink
Then, in order to start your dnsmasq server at boot, you need to add the following to /etc/rc.conf:
dnsmasq_enable="YES"
You can now test the wifi connection with any graphical tool (like NetworkManager on GNU/Linux, or even with a Windows computer). You can even try to ping a website, but you will only get its IP and no response: that's because we haven't set up the NAT yet.
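Before restarting dnsmasq it is worth checking that the static bindings in /etc/ethers agree with /etc/hosts and with the dhcp-range above. The script below is an added example, not part of the original page or of dnsmasq: it takes the range start and netmask from the dhcp-range line, and the sample data it mentions in its comments is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original page): sanity-check the static DHCP
# bindings in /etc/ethers against /etc/hosts and the dnsmasq dhcp-range
# before restarting dnsmasq. File paths are whatever you pass in.

# ip_to_int 192.168.1.106 -> prints 3232235882 (dotted quad as an integer)
ip_to_int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 }'
}

# check_static_hosts ETHERS HOSTS RANGE_START NETMASK
#   Prints one line per problem found and returns the number of problems.
#   Checks: MAC syntax, IP syntax, IP inside the subnet of the dhcp-range,
#   a name in HOSTS for every static IP (so expand-hosts/local=/lan/ can
#   answer for it), and duplicate MACs or IPs.
check_static_hosts() {
    ethers=$1; hosts=$2; range_start=$3; netmask=$4
    problems=0
    mask=$(ip_to_int "$netmask")
    net=$(( $(ip_to_int "$range_start") & mask ))

    while read -r mac ip; do
        case "$mac" in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        # MAC must be six colon-separated hex pairs
        if ! echo "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
            echo "bad MAC syntax: $mac"; problems=$((problems + 1))
        fi
        # IP must be four dotted octets, each 0..255
        if ! echo "$ip" | awk -F. 'NF != 4 { exit 1 }
                { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'; then
            echo "bad IP syntax: $ip"; problems=$((problems + 1)); continue
        fi
        # Static address must lie in the same subnet as the dhcp-range
        if [ $(( $(ip_to_int "$ip") & mask )) -ne "$net" ]; then
            echo "$ip ($mac) is outside the DHCP subnet"; problems=$((problems + 1))
        fi
        # Every static host should have a DNS name in /etc/hosts
        if ! awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' "$hosts"; then
            echo "$ip ($mac) has no entry in $hosts"; problems=$((problems + 1))
        fi
    done < "$ethers"

    # Duplicate MACs (column 1) or IPs (column 2) make the assignment ambiguous
    for col in 1 2; do
        dups=$(grep -v '^#' "$ethers" | awk -v c="$col" 'NF >= 2 { print $c }' | sort | uniq -d)
        for d in $dups; do
            echo "duplicate entry in $ethers: $d"; problems=$((problems + 1))
        done
    done
    return "$problems"
}

# Usage: sh check_ethers.sh /etc/ethers /etc/hosts 192.168.1.100 255.255.255.0
if [ $# -eq 4 ]; then
    check_static_hosts "$@"
fi
```

The exit status is the number of problems, so the check can gate a `service dnsmasq restart` in a script. Entries that pass are silent; only problems are printed.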
Nat and firewall
In order to set up the NAT, add this to /etc/rc.conf (replacing rl0 by the name of the wired card interface that is connected to the internet):
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="rl0"
natd_flags=""
If you wish to redirect ports, add this to natd_flags="" in /etc/rc.conf:
-redirect_port tcp 192.168.0.6:80 80
Now the access point should normally work.
OpenVPN
Introduction
Now that we have wireless, we can choose between these options:
- a fully open wireless network (not great for security)
- a WPA wireless network (not compatible with all drivers, and devices don't always work), and no guests
- an open wireless network while encrypting the data sent to the wireless access point. Yes, that is possible, with the help of OpenVPN.
I chose the third possibility.
installation
Here are the commands to run in order to install OpenVPN:
cd /usr/ports/security/openvpn
make
make install
configuration
EasyRsa
Install bash:
cd /usr/ports/shells/bash
make
make install
ln -s /usr/local/bin/bash /bin/bash
Run these commands:
cp -r /usr/local/share/doc/openvpn/easy-rsa/2.0/ /root/easy-rsa-2.0
We copy it here so that an update doesn't erase our keys. Then, since the scripts need bash, run:
/bin/bash
cd /root/easy-rsa-2.0
Then we will make the certificates: modify the vars script to suit your needs, then run:
source ./vars
./clean-all
./build-ca ca
Then we will build the server key:
./build-key-server server
Then we will build the client keys:
./build-key client1
./build-key client2
Then we generate the Diffie-Hellman parameters:
./build-dh
In order to build a new client later, just do:
source ./vars
./build-key client2
Then copy the keys to the keys location:
cp -r keys /usr/local/etc/openvpn/keys
Alternatively, you can do the following:
mkdir /usr/local/etc/openvpn/keys/
cd /root/easy-rsa-2.0/keys
cp ca.crt /usr/local/etc/openvpn/keys/ca.crt
cp server.crt /usr/local/etc/openvpn/keys/server.crt
cp server.key /usr/local/etc/openvpn/keys/server.key
cp dh1024.pem /usr/local/etc/openvpn/keys/dh1024.pem
OpenVpn configuration
We will first set everything up in test mode, that is to say not running at boot, not running as a daemon, etc. We will run these commands:
# the three destroy commands only clean up leftovers; they fail harmlessly on a fresh system
ifconfig tap0 destroy
ifconfig bridge0 destroy
ifconfig tun0 destroy
ifconfig bridge0 create
ifconfig tap0 create
# replace ral0 by your wifi card interface name
ifconfig bridge0 addm ral0 addm tap0 up
ifconfig bridge0 192.168.1.1
Then here's my server configuration for OpenVPN:
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
dev tap
# replace 10.0.0.1 with the VPN IP
server-bridge 10.0.0.1 255.255.255.0 10.0.0.2 10.0.0.250
keepalive 10 120
client-to-client
verb 3
duplicate-cn
And here's my client configuration (Ubuntu GNU/Linux):
remote 192.168.1.1
client
dev tap
nobind
tls-client
ca /home/ubu/ca.crt
cert /home/ubu/ubu.crt
key /home/ubu/ubu.key
pull
verb 4
remote-cert-tls server
#auth-user-pass
In order to make it work, do this on the server:
/usr/local/sbin/openvpn server.conf
ifconfig tap0 10.0.0.1
On the client:
openvpn client.conf
route del default
route add default gw 10.0.0.1 tap0
If you run wireshark on the client's wireless interface you'll see only UDP packets from and to the OpenVPN port, so it works.
In order to make OpenVPN start at boot, add this to /etc/rc.conf:
#openvpn
cloned_interfaces="bridge0 tap0"
autobridge_interfaces="bridge0"
autobridge_bridge0="tap0 ral0"
openvpn_if="tap"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
ifconfig_tap0="inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_bridge0="inet 192.168.1.1 netmask 255.255.255.0"
So here's our final rc.conf:
# -- sysinstall generated deltas -- # Mon Oct 6 04:45:53 2008
# Created: Mon Oct 6 04:45:53 2008
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
keymap="us.iso"
sshd_enable="YES"
ifconfig_rl0="DHCP"
ifconfig_ral0="inet 192.168.1.1 netmask 255.255.255.0 ssid freebsdap mediaopt hostap channel 4"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="rl0"
natd_flags=""
#defaultrouter="192.168.1.1"
dnsmasq_enable="YES"
#openvpn
cloned_interfaces="bridge0 tap0"
autobridge_interfaces="bridge0"
autobridge_bridge0="tap0 ral0"
openvpn_if="tap"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
ifconfig_tap0="inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_bridge0="inet 192.168.1.1 netmask 255.255.255.0"
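Two things in that final rc.conf are worth a second look before rebooting: 192.168.1.1 is assigned to both ral0 and bridge0 (with if_bridge the address belongs on the bridge only), and firewall_type="OPEN" means wireless clients that never bring up the tunnel can still reach the NAT, so the OpenVPN encryption is opt-in rather than enforced. The script below is an added example, not part of the original page or of FreeBSD: it parses an rc.conf of this shape (only the keys used on this page) and prints a warning for each of those conditions plus a few consistency checks. The function names and the path you pass in are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original page): lint an rc.conf written for
# the bridged access point described above. Only keys the page uses are
# inspected; pass the file to check as the single argument.

warnings=0
warn() { echo "warning: $*"; warnings=$((warnings + 1)); }

# rc_get KEY FILE -> value of KEY="value" with the quotes stripped,
# empty if the key is absent or commented out (a leading # never matches).
rc_get() {
    awk -v k="$1" 'index($0, k "=") == 1 {
        v = substr($0, length(k) + 2); gsub(/^"|"$/, "", v); print v; exit
    }' "$2"
}

# check_rc_conf FILE -> prints warnings, returns their count (0 = clean)
check_rc_conf() {
    rc=$1; warnings=0

    # 1. The same inet address on two interfaces. With if_bridge the address
    #    goes on bridge0 only; a member interface must not carry it as well.
    dupaddr=$(awk -F= '/^ifconfig_[A-Za-z0-9]+="inet / {
            split($1, a, "_"); match($2, /inet [0-9.]+/)
            print substr($2, RSTART + 5, RLENGTH - 5), a[2]
        }' "$rc" | sort | awk '$1 == prev { print $1, previf, $2 } { prev = $1; previf = $2 }')
    set -- $dupaddr
    while [ $# -ge 3 ]; do
        warn "$1 is configured on both $2 and $3; put the address on the bridge only"
        shift 3
    done

    # 2. Every autobridge member must exist: either cloned or configured.
    cloned=" $(rc_get cloned_interfaces "$rc") "
    for br in $(rc_get autobridge_interfaces "$rc"); do
        for m in $(rc_get "autobridge_$br" "$rc"); do
            case "$cloned" in *" $m "*) continue ;; esac
            [ -n "$(rc_get "ifconfig_$m" "$rc")" ] ||
                warn "bridge $br lists member $m but rc.conf neither clones nor configures it"
        done
    done

    # 3. NAT must point at a configured external interface, and an OPEN
    #    firewall leaves the unencrypted wireless side free to use the NAT
    #    without going through the OpenVPN tunnel.
    if [ "$(rc_get natd_enable "$rc")" = "YES" ]; then
        ext=$(rc_get natd_interface "$rc")
        [ -n "$(rc_get "ifconfig_$ext" "$rc")" ] ||
            warn "natd_interface=$ext has no ifconfig_$ext line"
        if [ "$(rc_get firewall_type "$rc")" = "OPEN" ]; then
            warn "firewall_type=OPEN: wireless clients can reach the NAT without the OpenVPN tunnel"
        fi
    fi

    # 4. OpenVPN needs its config file when enabled at boot.
    if [ "$(rc_get openvpn_enable "$rc")" = "YES" ] &&
       [ -z "$(rc_get openvpn_configfile "$rc")" ]; then
        warn "openvpn_enable=YES but openvpn_configfile is not set"
    fi
    return "$warnings"
}

# Usage: sh check_rc.sh /etc/rc.conf
if [ $# -eq 1 ]; then
    check_rc_conf "$1"
fi
```

Run against the rc.conf above it reports the duplicate 192.168.1.1 and the OPEN firewall; dropping the inet part from ifconfig_ral0 clears the first warning, and the second goes away only once the firewall restricts the wireless segment rather than being OPEN.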