
Wireless access point using Linux

Well, here is the first article in the promised series.
The first thing I will do is set up a software AP, that is, a wireless network run from a computer. At this stage you of course need access to the server console with root rights. You also need the server to reach the Internet NOT through the internal wifi card: by cable, by 3G modem, however you like, but not through the wifi card that we will use to create the wireless network. The first time, I connected both the server and the laptop from which I managed the server to the same network by cable, which is more reliable after all. I will use the hostapd package: it is well known as a reliable solution and there are plenty of manuals for it. For the DHCP and DNS servers I will use dnsmasq, a solution made for home networks; it is used by DD-WRT, and I wonder whether by anyone else.

The very first step, of course:

apt-get install hostapd 

Version:
 hostapd -v
 hostapd v1.0

Hmm, upstream is already at 2.0. That is Debian stable for you. In fact it doesn't really hurt us: version 1.0 works quite stably for me.
Setup:

Edit the /etc/default/hostapd.conf file. In it, uncomment the line of the form
 DAEMON_CONF="/etc/hostapd/hostapd.conf" 
This is the path to the hostapd daemon configuration file.
Then go on and edit /etc/hostapd/hostapd.conf. I will give the contents of my configuration file. Be warned: this daemon's configuration parser is very sensitive and complains even about blank lines that contain a space. It does not complain about comments.

 interface=wlan0 
Wireless card network interface
 driver=nl80211 
The network card driver - nl80211 works fine for hostapd, I see no reason to change, and they say that it works in most cases.
 ssid=CRWiFi 
The name of the access point, the so-called SSID
 hw_mode=g 
The operating mode of the network card: 802.11b/g/n. In fact this should always be g, even if the card is capable of n; to set up n mode something else has to be changed, see below:
 #ieee80211n=1
 #ht_capab=[HT40-][SHORT-GI-40]

 channel=6 
Wireless channel - from 1 to 13. For best performance, 1, 6 or 11 channels are recommended.
 wpa=2 
WPA version
 wpa_passphrase=11111111 
Wireless point password
WPA2 advanced settings:
 wpa_key_mgmt=WPA-PSK
 wpa_pairwise=TKIP
 rsn_pairwise=CCMP
 auth_algs=1
The following option sets MAC address blocking. I don’t know how to set it up yet, and the thing is pretty useless, but everyone says that without blocking this option should be set to zero, which is what I did:
 macaddr_acl=0 

The full config in one block, for copy-pasting into the file:
 interface=wlan0
 driver=nl80211
 ssid=CRWiFi
 hw_mode=g
 #ieee80211n=1
 #ht_capab=[HT40-][SHORT-GI-40]
 channel=6
 wpa=2
 wpa_passphrase=11111111
 wpa_key_mgmt=WPA-PSK
 wpa_pairwise=TKIP
 rsn_pairwise=CCMP
 auth_algs=1
 macaddr_acl=0

The config is checked automatically before launch, so go ahead and try running hostapd. Management commands:
 # /etc/init.d/hostapd start
 # /etc/init.d/hostapd stop
 # /etc/init.d/hostapd restart
Let me remind you that in Debian you can also use commands like service hostapd start, which is easier to type.
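An added example, not from the original article: a Python check for a hostapd.conf body that reports the whitespace-only lines the parser rejects and the weak WPA settings that matter in the config above (WPA version 1, TKIP actually in effect, a low-variety passphrase). The name lint_hostapd, the variety threshold and the sample text are assumptions made for this example.

```python
# Constructed sample: settings from the article plus a line holding one space (\x20).
SAMPLE = """\
interface=wlan0
ssid=CRWiFi
\x20
wpa=2
wpa_passphrase=11111111
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
auth_algs=1
"""

def lint_hostapd(text):
    """Return a list of (line_number, message) findings for a hostapd.conf body."""
    findings, opts = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if line == "" or line.startswith("#"):
            continue                       # truly empty lines and comments
        if "=" not in line:
            findings.append((n, "not a key=value line (whitespace only?)"))
            continue
        key, value = line.split("=", 1)
        opts[key] = (n, value)

    wpa_line, wpa_raw = opts.get("wpa", (0, "0"))
    wpa = int(wpa_raw) if wpa_raw.isdigit() else 0
    if wpa == 0:
        findings.append((wpa_line, "WPA disabled: network is open or WEP"))
    if wpa & 1:
        findings.append((wpa_line, "WPA version 1 enabled; use wpa=2"))

    # wpa_pairwise applies to WPA v1 (default TKIP); rsn_pairwise applies to
    # WPA2 and falls back to wpa_pairwise when it is not set.
    v1 = opts.get("wpa_pairwise", (wpa_line, "TKIP"))
    rsn = opts.get("rsn_pairwise", v1)
    for bit, (n, ciphers) in ((1, v1), (2, rsn)):
        if wpa & bit and "TKIP" in ciphers.split():
            findings.append((n, "TKIP is in effect; allow CCMP only"))

    if "wpa_passphrase" in opts:
        n, phrase = opts["wpa_passphrase"]
        if not 8 <= len(phrase) <= 63:
            findings.append((n, "passphrase must be 8..63 characters"))
        elif len(set(phrase)) < 4:         # assumed threshold for this example
            findings.append((n, "passphrase has almost no variety"))

    n, algs = opts.get("auth_algs", (0, "1"))
    if algs.isdigit() and int(algs) & 2:
        findings.append((n, "shared-key (WEP) authentication enabled"))
    return findings

if __name__ == "__main__":
    for n, msg in lint_hostapd(SAMPLE):
        print(f"line {n}: {msg}")
```

On the sample, lines 3 and 5 are reported; wpa_pairwise=TKIP is not, because with wpa=2 only rsn_pairwise is used.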

A couple of steps for sustainability:


What else can I say? There are no problems with mobile devices; extremely rarely (about once or twice a month) there is a problem connecting to the point from a laptop running Windows 7. It is cured by the service hostapd restart command. It is likely that this problem has been fixed in newer releases: there is a hostapd version 2.0.0, but I have not tried to compile and install it yet.
That is all for now. You can try to connect to the point, but ... To connect to the access point successfully you need a DHCP server. Without it you cannot fully connect to the point: the operating systems themselves will not allow it, because without an address the connection does not make much sense. So let's set it up!



When I first started learning how to set up servers for my needs, the first thing I stumbled upon was the isc-dhcp-server package. I planned to offer it, and the article was ready, but ... I found dnsmasq, and my life changed for the better. Dnsmasq is both a caching DNS server and a DHCP server with its own set of various features. As soon as I looked into its config, my vision improved, all thoughts in my brain suddenly became orderly and I reached enlightenment. In reality, the config is very simple and straightforward. But for the time being we are preparing the ground for dnsmasq to work. What needs to be done?

1) Decide what the addresses in our local network will look like. I chose addresses like 192.168.51.x.

2) Configure the network interface on which dnsmasq will work. This is in fact a very important step, which many people leave out of their manuals on setting up DHCP servers. The point is that a computer running a DHCP server must be assigned a static address: who will issue an address to the DHCP server if it cannot start without an address, and it cannot give itself an address because it is not running?
So, open the /etc/network/interfaces file for editing and add a stanza like this, where <interface> is the interface dnsmasq will work on and <x> comes from the addresses chosen in step 1:
 auto <interface>
 iface <interface> inet static
 address 192.168.<x>.1
 netmask 255.255.255.0
 gateway 192.168.<x>.1
We save the file and restart the network interface on which DHCP is being configured:
 ifdown <interface>
 ifup <interface>
We check the status and compare the settings with what they should be:
 ifconfig <interface>

3) Remove any other DNS and DHCP servers so that dnsmasq can start cleanly; otherwise it gives an error. I had bind9 and isc-dhcp-server installed and had to get rid of them. If we are working over SSH from a network in which the now-removed DHCP server used to hand out addresses, we do not reboot: there is no one left to issue addresses.

4) Create the conditions for the server to work: create a user to run dnsmasq under, register in the system settings the DNS servers that dnsmasq will query, and a couple more trifles.
We register Google's DNS servers. The first line, though, will be localhost. This is done so that the other applications on our server, when they need to resolve a name, ask dnsmasq first and not Google. And dnsmasq is smart enough to ignore this line:
 nano /etc/resolv.conf 

 nameserver 127.0.0.1
 nameserver 8.8.8.8
 nameserver 8.8.4.4

You need to protect this file from being overwritten every time the system starts. It is dhclient that overwrites it, by the way. Honestly, a write lock is only one of the ways to prevent overwriting =) There are others, but this one is the simplest:
 chattr +i /etc/resolv.conf 

What if for some reason you consider locking the file the wrong way to go, or you also want to use the DNS servers that dhclient so insistently offers? Then, as merlin-vrn advises, you need to use the resolvconf program.
Configure resolvconf
If the resolvconf package is not installed yet, install it. The only thing that is needed in order to register a static DNS address for the system is to edit /etc/resolvconf/resolv.conf.d/base, adding there everything we would write in /etc/resolv.conf:
 nameserver 127.0.0.1
 nameserver 8.8.8.8
 nameserver 8.8.4.4

service resolvconf reload - done!

Add a group and user:
 groupadd -r dnsmasq
 useradd -r -g dnsmasq dnsmasq

5) Install dnsmasq. It starts up and is ready for work, but we stop it: it is not configured yet, so there is nothing for it to do:
 apt-get install dnsmasq
 service dnsmasq stop

6) Empty the stock config file:
 echo "">/etc/dnsmasq.conf 

Well, now we are ready to configure. Let me say right away that dnsmasq has many different options, which I described in detail in the comments while writing this article ... I did not understand that the topic had bloated to an indecent and unreadable size, as if it were not enough that the article is already overflowing with text and formatted as . Therefore I will leave the config with only the most important options, without long comments or any additional options, and the config with additional options will be under the spoiler.
 # Drop privileges to this user and group after startup
 user=dnsmasq
 group=dnsmasq
 ##
 # DNS
 ##
 # Port for the DNS server; 0 disables DNS
 port=53
 # Size of the DNS cache, in names
 cache-size=1000
 # Never forward plain names (no dots), such as homeserver or user-pc, upstream
 domain-needed
 # Never forward reverse lookups for private address ranges upstream
 bogus-priv
 # Interface on which DHCP and DNS are served
 interface=wlan0
 # Interface on which nothing is served
 except-interface=ppp0
 ##
 # DHCP
 ##
 # Address pool: first address, last address, lease time (12h = 12 hours, 12m = 12 minutes)
 dhcp-range=192.168.51.50,192.168.51.150,12h
 # Static binding of a MAC to an IP
 dhcp-host=11:22:33:44:55:66,192.168.51.60
 # The same with MAC, hostname, IP and lease time
 dhcp-host=11:22:33:44:55:66,fred,192.168.51.60,45m
 # Ignore the client with this MAC
 dhcp-host=11:22:33:44:55:66,ignore
 # This is the only DHCP server on the network
 dhcp-authoritative

Advanced options:
 # Rewrite addresses in upstream DNS replies. IPv4-only.
 # Replace 1.2.3.4 with 5.6.7.8
 alias=1.2.3.4,5.6.7.8
 # Replace 1.2.3.x with 5.6.7.x
 alias=1.2.3.0,5.6.7.0,255.255.255.0
 # Map 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
 alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
 # Bind only to the addresses of the interfaces being served
 bind-interfaces
 # Answer queries for vk.com with 127.0.0.1
 address=/vk.com/127.0.0.1
 # Additional hosts file, read like /etc/hosts
 addn-hosts=/etc/banner_add_hosts
 # Do not read /etc/hosts
 no-hosts
 # One IP for two MACs: MA:CA:DD:RE:SS:00,MA:CA:DD:RE:SS:01,12.34.56.78
 dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
 # Infinite lease for the client with hostname bert
 dhcp-host=bert,192.168.0.70,infinite
 # Ignore clients that have no dhcp-host entry
 dhcp-ignore=tag:!known
 # Maximum number of DHCP leases
 dhcp-lease-max=640
 # Script run on lease changes, called as:
 # script add MA:CA:DD:RE:SS:00 12.34.56.78 hostname
 # script del MA:CA:DD:RE:SS:00 12.34.56.78 hostname
 dhcp-script=/bin/echo
 # NTP server handed to clients (DHCP option 42)
 dhcp-option=42,192.168.51.1


Yeah, the server is configured. Run:
 service dnsmasq start 

and look for errors in the output of the command. If there are none, everything is fine! We try to connect something to our point and watch how IP addresses are issued, ping and check DNS. The file with the list of issued addresses: /var/lib/misc/dnsmasq.leases.
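An added example, not from the original article: Python that compares the leases file with the dhcp-host entries of the config and lists the clients the config does not account for, a quick way to notice unexpected devices on the access point. It assumes the usual lease line layout (expiry, MAC, IP, hostname, client id); the function names and the sample data are constructed for this example.

```python
import re

MAC = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

# Constructed samples: the MACs, names and times are made up for this example.
CONF = """\
dhcp-range=192.168.51.50,192.168.51.150,12h
dhcp-host=11:22:33:44:55:66,fred,192.168.51.60,45m
dhcp-host=AA:BB:CC:00:11:22,ignore
"""
LEASES = """\
1700000000 11:22:33:44:55:66 192.168.51.60 fred 01:11:22:33:44:55:66
1700000300 de:ad:be:ef:00:01 192.168.51.77 * *
1700000600 aa:bb:cc:00:11:22 192.168.51.90 tablet *
"""

def dhcp_hosts(conf_text):
    """Return {mac: is_ignored} for every MAC named in a dhcp-host line."""
    hosts = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("dhcp-host="):
            continue
        fields = [f.strip() for f in line.split("=", 1)[1].split(",")]
        for f in fields:
            if MAC.match(f):
                hosts[f.lower()] = "ignore" in fields
    return hosts

def audit_leases(leases_text, conf_text):
    """Return (mac, ip, name, reason) for leases the config does not account for."""
    hosts, findings = dhcp_hosts(conf_text), []
    for line in leases_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not MAC.match(parts[1]):
            continue                              # e.g. the "duid ..." line for DHCPv6
        mac, ip, name = parts[1].lower(), parts[2], parts[3]
        if mac not in hosts:
            findings.append((mac, ip, name, "no dhcp-host entry"))
        elif hosts[mac]:
            findings.append((mac, ip, name, "lease held by an ignored MAC"))
    return findings

if __name__ == "__main__":
    for finding in audit_leases(LEASES, CONF):
        print(*finding)
```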
In the next article: connecting a 3G modem and configuring a simple but stable NAT/firewall on iptables. Good luck with the setup!
Criticism on the content, readability and formatting of the article is more than appropriate.

Source: https://habr.com/ru/post/188274/

