Archive for janvier 21st, 2019
Using raspberry pi 3 as wifi bridge and repeater and firewall
Hi again,
following my raspberry 3 router project (https://blog.inforeseau.com/2018/06/raspberry-3-point-dacces-wifi-avec-filtrage-pub-tracking-access-point-add-tracking-filtering) and the repeater project (https://blog.inforeseau.com/2019/01/raspberry-3-create-a-wifi-repeater-with-usb-wifi-dongle) , i decided to fork these into a wifi repeater and bridge.
The goal is to use this approach in hotels or public wifi, where you wish to use your own router with its pi-hole and firewall. Any device connected behind the raspberry, will be hidden behind a totally blocking firewall.
So, let’s make it simple, i assume you took the image of the router project : https://blog.inforeseau.com/2018/06/raspberry-3-point-dacces-wifi-avec-filtrage-pub-tracking-access-point-add-tracking-filtering
I also assume you have the needed hardware ( a raspberry 3 and a wifi adapter like the canakit or panda as recommended into the linked original post)
You then replace the file /etc/rc.local (available as zip file here rc.local ) in the SD CARD rootfs partition, by the following one, in which you customize the following values :
wifissid which is your access point name, the SSID on which you will connect
wifipass which is the password you’ll have to use to this access point
existingwifissid which is the existing wifi on which the raspberry will connect to (the hotel or public wifi SSID)
existingwifipass which is the existing password of the wifi on which the raspberry will connect to (the hotel or public wifi password)
[bash]#!/bin/sh # removed -e option above, because below command returns some warnings that must be ignored # rc.local # # This script is executed at the end of each multiuser runlevel. # Make sure that the script will "exit 0" on success or any other # value on error. # # In order to enable or disable this script just change the execution # bits. # # By default this script does nothing. # Print the IP address _IP=$(hostname -I) || true if [ "$_IP" ]; then printf "My IP address is %s\n" "$_IP" fi # Create Access point wifi raspap other USB adapter #/usr/bin/create_ap --isolate-clients --daemon --ieee80211n --ht_capab '[HT40+]' -c 44 -w 2 wlxe84e0651e6f6 enxb827eb9446d8 raspappriv welcomepriv2 #in this version, we connect to wan through wifi, so the onboard ethernet will be another LAN onboardlan=`/root/get-nic.sh` #since we'll connect to an existing wifi #if using panda wifi, device is called wlan1, if using canakit, device is called wlx...... #we need to know if we have a wlan1 iswlan1=`/sbin/ifconfig -a|/bin/grep wlan1`; #defining USB wifi interface name if [ ! -z "${iswlan1}" ]; then onboardwan="wlan1" else #we need to extract it onboardwan=`/sbin/ifconfig -a|/bin/grep wlx|/usr/bin/awk -F ":" '{print $1}'`; fi #using the canakit wifi, only 2.4Ghz is supported, check before entering SSID in here existingwifissid="my-wifi-ssid" existingwifipass="my-wifi-password" #we make sure default wpa-supplicant is empty /bin/echo "" > /etc/wpa_supplicant/wpa_supplicant.conf #we now create the one we need to be used with wlan1 #cleanup of the file /bin/echo "" > /home/pi/wpa_supplicant.conf #Populate the file /bin/echo "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev" > /home/pi/wpa_supplicant.conf /bin/echo "update_config=1" >> /home/pi/wpa_supplicant.conf /bin/echo "network={" >> /home/pi/wpa_supplicant.conf /bin/echo 'ssid="'${existingwifissid}'"' >> /home/pi/wpa_supplicant.conf /bin/echo 'psk="'${existingwifipass}'"' >> /home/pi/wpa_supplicant.conf /bin/echo "}" >> /home/pi/wpa_supplicant.conf #initiate wifi connection /bin/echo "" > /home/pi/start-wifi.sh /bin/echo "#!/bin/bash" >> /home/pi/start-wifi.sh /bin/echo "/sbin/wpa_supplicant -B -c/home/pi/wpa_supplicant.conf -i${onboardwan} -Dnl80211,wext" >> /home/pi/start-wifi.sh /bin/chmod +x /home/pi/start-wifi.sh; /home/pi/start-wifi.sh & #Identify an other NIC in the raspberry (USB plugged one, to be used as LAN, aside of wifi) usbnic=`/root/get-2nd-nic.sh` #Force dhcp on interface /sbin/dhclient ${onboardwan} #update the NIC interface in the pi-hole config #drop interface (last line) /bin/cat /etc/dnsmasq.d/01-pihole.conf| grep -v interface > /root/01-pihole.conf.tmp #update file without interface /bin/cat /root/01-pihole.conf.tmp > /etc/dnsmasq.d/01-pihole.conf #Add interface /bin/echo "interface="${onboardwan} >> /etc/dnsmasq.d/01-pihole.conf #restart the service #systemctl restart dnsmasq #Define wifi SSID wifissid="raspappriv" #Define wifi password wifipass="welcomepriv2" #Define wifi ip-net /24 by default wifinetip="192.168.12.1" # For home we keep subnet isolated (no bridge) to be able to force web filtering via pi-hole and we allow communication between devices (default IP for the AP is 192.168.12.1 and we run a pi-hole on it for DNS fo we force DNS server to be itself) using embedded wifi /usr/bin/create_ap --daemon --dhcp-dns ${wifinetip} --ieee80211n --ht_capab '[HT20+]' -c 11 -w 2 wlan0 ${onboardwan} ${wifissid} ${wifipass} #Now we want to protect the connected interface assuming this is WAN, and nothing from there should come in #create_ap brings its own rules already #I accept only packets that were initiated by the device iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #If you want to allow ping from outside to your device, uncomment below #iptables -A INPUT -p icmp -j ACCEPT #We fix slowlyness due to pi-hole as explained here : https://pi-hole.net/2018/02/02/why-some-pages-load-slow-when-using-pi-hole-and-how-to-fix-it/ iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset iptables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp-port-unreachable iptables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp-port-unreachable #If you want to route/NAT a port from outside to an internal machine (which has static IP or reserved IP in /root/udhcpd.conf.master like 192.168.12.200 for the example below) to export a service (if you host nextcloud on a machine in your lan and want to make it available) : #iptables -t nat -A PREROUTING -j DNAT -i ${onboardwan} -p tcp --dport 9443 --to-destination 192.168.12.200:9443 #now, while your service above is available from outside, like https://your-public-ip:9443, it is sadly not responding from internal wifi, so we allow it as well this way #iptables -t nat -A PREROUTING -j DNAT -i wlan0 -p tcp --deport 9443 --to-destination 192.168.12.200:9443 #if you want to allow SSH to your device from outside (be careful, you'll get a lot of dictionary attacks and hacking attempts), you may want to uncomment below to open port 22 from outside #iptables -A INPUT -p tcp -m state --state NEW -m tcp --deport 22 -j ACCEPT #If we have a second interface (usbnic) then, we assign an IP to it, and we start dhcp server, and add propoer firewall rules if [ ! -z "${usbnic}" ]; then #we have an USB NIC, we set it up to handle the LAN connections as well #defining IP /sbin/ifconfig ${usbnic} 192.168.13.1 netmask 255.255.255.0 broadcast 192.168.13.255 #starting dhcp server on it #copy the master config file as base (no interface designed) /bin/cp /root/udhcpd.conf.master /root/udhcpd.conf #adding the proper interface /bin/echo "interface ${usbnic}">>/root/udhcpd.conf #sending DNS request to the pi-hole on pi-hole proper IP iptables -t nat -A PREROUTING -j DNAT -i ${usbnic} -p tcp --dport 53 --to-destination ${wifinetip}:5353 iptables -t nat -A PREROUTING -j DNAT -i ${usbnic} -p udp --dport 53 --to-destination ${wifinetip}:5353 #Assuming you opened the port 9443 above on wan and wifi, you also want, if connected your LAN machines to be able to access the service, so you would uncomment #iptables -t nat -A PREROUTING -j DNAT -i ${usbnic} -p tcp --dport 9443 --to-destination 192.168.12.200:9443 #allow ip forward from this LAN iptables -A FORWARD -s 192.168.13.0/24 -i ${usbnic} -j ACCEPT #We NAT the traffic from this LAN iptables -t nat -A POSTROUTING -s 192.168.13.0/24 -j MASQUERADE #starting udhcpd /usr/sbin/udhcpd -S /root/udhcpd.conf fi #################### #Because we use the WIFI as WAN, we can use the onbard NIC ($onboardlan) as second LAN CARD #################### #configure onboard LAN IP /sbin/ifconfig ${onboardlan} 192.168.15.1 netmask 255.255.255.0 broadcast 192.168.15.255 #create dedicated dhcp server config file /bin/echo "" > /root/udhcpd2.conf /bin/echo "start 192.168.15.10" >> /root/udhcpd2.conf /bin/echo "end 192.168.15.254" >> /root/udhcpd2.conf /bin/echo "lease_file /var/lib/misc/udhcpd2.leases" >> /root/udhcpd2.conf /bin/echo "pidfile /var/run/udhcpd2.pid" >> /root/udhcpd2.conf /bin/echo "opt dns 192.168.15.1" >> /root/udhcpd2.conf /bin/echo "option subnet 255.255.255.0" >> /root/udhcpd2.conf /bin/echo "opt router 192.168.15.1" >> /root/udhcpd2.conf /bin/echo "option domain local" >> /root/udhcpd2.conf /bin/echo "option lease 864000" >> /root/udhcpd2.conf /bin/echo "# Static leases map" >> /root/udhcpd2.conf /bin/echo "#static_lease 00:60:08:11:CE:4E 192.168.15.54" >> /root/udhcpd2.conf /bin/echo "#static_lease 00:60:08:11:CE:3E 192.168.15.44" >> /root/udhcpd2.conf /bin/echo "interface ${onboardlan}" >> /root/udhcpd2.conf iptables -t nat -A PREROUTING -j DNAT -i ${onboardlan} -p tcp --dport 53 --to-destination ${wifinetip}:5353 iptables -t nat -A PREROUTING -j DNAT -i ${onboardlan} -p udp --dport 53 --to-destination ${wifinetip}:5353 iptables -A FORWARD -s 192.168.15.0/24 -i ${onboardlan} -j ACCEPT iptables -t nat -A POSTROUTING -s 192.168.15.0/24 -j MASQUERADE /usr/sbin/udhcpd -S /root/udhcpd2.conf #If you decided to open the port for your service on 9443 above (NAT), you need to accept it on the router too, so uncomment below #iptables -A INPUT -p tcp -m tcp --dport 9443 -j ACCEPT #I refuse any connection otherwise iptables -A INPUT -i ${onboardwan} -j DROP #We also load all the iptables helpers modules /sbin/modprobe ip_nat_ftp nf_conntrack_netbios_ns xt_conntrack xt_multiport ip_nat_sip ip_conntrack_sip nf_conntrack_ftp nf_nat_ftp exit 0[/bash]
Then, when the raspberry boots, it will connect to the existing wifi with the information you’ve configure in the file, and will broadcast your own SSID.
You’ll also be able to connect a device on the LAN port, AND the USB LAN adapter if you have the one used for the router project. It means, 2 clients in ethernet (or more if using a switch) and wifi.
From there, you may consider the use of a VPN on the raspberry itself, yet to be tested, i’ll add comments later on, planning to test sshuttle, openvpn (compatibles with protonvpn), and potentially expressvpn. All are working, just to be tested against existing iptables rules basically.
As usual, this is a post to keep a track, and it should work for you as well.
Links
Recherche
Derniers articles
Tresronours Twitter
Keywords cloud topic
Membre de la FSF
Liens qui vont bien
Mots clés vrac – keyword cloud
License du contenu – CC By NC SA
Archives
- Resumed posting and expanding on X
- Linkedin Access to your account has been restricted – Final debrief and resilience plan
- I’m thankful for the support I get in rough time
- Cyber security news of the day – 2024 May 31
- Alexandre Blanc Cyber Kicked out from Linkedin
- You’ll most likely find me on LinkedIn
- The Russian roulette landing page !
- RTSP, Debian, VLC, not playing, IP Camera
- 5G network hosted in the cloud, no internet, no phone ! So smart ! And I ended on TV, This week in cyber
- They lock the door for privacy… but they keep a copy of the key, and couple of backdoors
- Worst is yet to come, but they all warned you
- Migrating an old WordPress and handling character set, UTF8, latin1, latin1_swedish_ci
- From a broken TLS CA, to Facebook, to FIN12 hit and run
- Yes we can fix this mess, but do we want to ? That’s another story
- Criminals are still dominating the game, why are we doing so wrong, and what can we learn in this tech ocean ?
- Riding cloud can be tricky, don’t fall from it, in the weekly cyber !
- The threat landscape is very dynamic – Cyber news this week
- Cybersecurity is not obvious even for this newsletter !
- Install Slack desktop app on Kali rolling fixing libappindicator3-1 missing dependency
- How to delete all resources in azure to avoid charges after trial on your forced credit card registration
- Proxmox – ZFS – Dead drive on active VM, recover from replicated disk
- Restrict access to proxmox web admin interface
- Migrate your ESXI VMs to proxmox ZFS
- Install your VPN server with pi-hole on OVH VPS in 30 min
- Using raspberry pi 3 as wifi bridge and repeater and firewall
- Raspberry 3 – create a wifi repeater with USB wifi dongle
- raspberry 3 – routeur pare feu point d’acces wifi avec filtrage pub et tracking – router firewall access point with ads and tracking filtering
- Dell XPS 13 touchpad – corriger la sensibilité
- Utiliser Zazeen set top box depuis une connexion videotron
- Fermeture de mon compte facebook – la dernière goutte
- Choisir un kernel par defaut au demarrage de Centos 7.2 – configuration grub2
- Openvpn access server 2.0.25 et android
- Régler la luminosité du laptop par ligne de commande
- chromium outlook web app version complete sous linux
- Nexus 7 2012 – android 5 lollipop solution au probleme de lenteur
- HDD led sur Xubuntu – xfce
- xubuntu 14.04 verrouiller ecran de veille et desactiver mise en veille a la fermeture de l’ecran
- Authentification avec Radmin en utilisant Wine sur Gentoo
- Patcher bash sur une distribution plus supportee comme fedora 11
- Zimbra desktop sous xubuntu 14.04 64bit – fix
- xubuntu 12.10 probleme de son avec VLC – pulse audio – alsa – toshiba L855D – solution
- Evolution sous xubuntu 12.10 – bug affichage a la configuration – solution temporaire
- Booster son acces internet en changeant de DNS pour opendns
- Serveur DLNA sous ubuntu – minidlna
- sshfs sous windows – dokan sshfs
- xubuntu 11.10 Installer le plugin java pour firefox
- Installer Google Earth sur Xubuntu 11.10
- Installer nagios sur Fedora 11 depuis les sources
- Configurer varnish-cache avec des virtualhosts, apache, fedora, redhat, centos
- Installer Varnish depuis les sources sur Fedora 11