Using raspberry pi 3 as wifi bridge and repeater and firewall

Hi again,

following my raspberry 3 router project ( and the repeater project ( , i decided to fork these into a wifi repeater and bridge.

The goal is to use this approach in hotels or public wifi, where you wish to use your own router with its pi-hole and firewall. Any device connected behind the raspberry, will be hidden behind a totally blocking firewall.

So, let’s make it simple, i assume you took the image of the router project :
I also assume you have the needed hardware ( a raspberry 3 and a wifi adapter like the canakit or panda as recommended into the linked original post)

You then replace the file /etc/rc.local (available as zip file here rc.local ) in the SD CARD rootfs partition, by the following one, in which you customize the following values :
wifissid which is your access point name, the SSID on which you will connect
wifipass which is the password you’ll have to use to this access point
existingwifissid which is the existing wifi on which the raspberry will connect to (the hotel or public wifi SSID)
existingwifipass which is the existing password of the wifi on which the raspberry will connect to (the hotel or public wifi password)

# removed -e option above, because below command returns some warnings that must be ignored
# rc.local
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
# In order to enable or disable this script just change the execution
# bits.
# By default this script does nothing.

# Print the IP address
_IP=$(hostname -I) || true
if [ "$_IP" ]; then
printf "My IP address is %s\n" "$_IP"

# Create Access point wifi raspap other USB adapter
#/usr/bin/create_ap --isolate-clients --daemon --ieee80211n --ht_capab '[HT40+]' -c 44 -w 2 wlxe84e0651e6f6 enxb827eb9446d8 raspappriv welcomepriv2

#in this version, we connect to wan through wifi, so the onboard ethernet will be another LAN
#since we'll connect to an existing wifi
#if using panda wifi, device is called wlan1, if using canakit, device is called wlx......
#we need to know if we have a wlan1
iswlan1=`/sbin/ifconfig -a|/bin/grep wlan1`;
#defining USB wifi interface name
if [ ! -z "${iswlan1}" ]; then
#we need to extract it
onboardwan=`/sbin/ifconfig -a|/bin/grep wlx|/usr/bin/awk -F ":" '{print $1}'`;

#using the canakit wifi, only 2.4Ghz is supported, check before entering SSID in here
#we make sure default wpa-supplicant is empty
/bin/echo "" > /etc/wpa_supplicant/wpa_supplicant.conf
#we now create the one we need to be used with wlan1
#cleanup of the file
/bin/echo "" > /home/pi/wpa_supplicant.conf
#Populate the file
/bin/echo "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev" > /home/pi/wpa_supplicant.conf
/bin/echo "update_config=1" >> /home/pi/wpa_supplicant.conf
/bin/echo "network={" >> /home/pi/wpa_supplicant.conf
/bin/echo 'ssid="'${existingwifissid}'"' >> /home/pi/wpa_supplicant.conf
/bin/echo 'psk="'${existingwifipass}'"' >> /home/pi/wpa_supplicant.conf
/bin/echo "}" >> /home/pi/wpa_supplicant.conf
#initiate wifi connection
/bin/echo "" > /home/pi/
/bin/echo "#!/bin/bash" >> /home/pi/
/bin/echo "/sbin/wpa_supplicant -B -c/home/pi/wpa_supplicant.conf -i${onboardwan} -Dnl80211,wext" >> /home/pi/
/bin/chmod +x /home/pi/;
/home/pi/ &

#Identify an other NIC in the raspberry (USB plugged one, to be used as LAN, aside of wifi)

#Force dhcp on interface
/sbin/dhclient ${onboardwan}

#update the NIC interface in the pi-hole config
#drop interface (last line)
/bin/cat /etc/dnsmasq.d/01-pihole.conf| grep -v interface > /root/01-pihole.conf.tmp
#update file without interface
/bin/cat /root/01-pihole.conf.tmp > /etc/dnsmasq.d/01-pihole.conf
#Add interface
/bin/echo "interface="${onboardwan} >> /etc/dnsmasq.d/01-pihole.conf

#restart the service
#systemctl restart dnsmasq

#Define wifi SSID

#Define wifi password

#Define wifi ip-net /24 by default
# For home we keep subnet isolated (no bridge) to be able to force web filtering via pi-hole and we allow communication between devices (default IP for the AP is and we run a pi-hole on it for DNS fo we force DNS server to be itself) using embedded wifi
/usr/bin/create_ap --daemon --dhcp-dns ${wifinetip} --ieee80211n --ht_capab '[HT20+]' -c 11 -w 2 wlan0 ${onboardwan} ${wifissid} ${wifipass}

#Now we want to protect the connected interface assuming this is WAN, and nothing from there should come in
#create_ap brings its own rules already
#I accept only packets that were initiated by the device
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#If you want to allow ping from outside to your device, uncomment below
#iptables -A INPUT -p icmp -j ACCEPT
#We fix slowlyness due to pi-hole as explained here :
iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp-port-unreachable
#If you want to route/NAT a port from outside to an internal machine (which has static IP or reserved IP in /root/udhcpd.conf.master like for the example below) to export a service (if you host nextcloud on a machine in your lan and want to make it available) :
#iptables -t nat -A PREROUTING -j DNAT -i ${onboardwan} -p tcp --dport 9443 --to-destination

#now, while your service above is available from outside, like https://your-public-ip:9443, it is sadly not responding from internal wifi, so we allow it as well this way
#iptables -t nat -A PREROUTING -j DNAT -i wlan0 -p tcp --deport 9443 --to-destination

#if you want to allow SSH to your device from outside (be careful, you'll get a lot of dictionary attacks and hacking attempts), you may want to uncomment below to open port 22 from outside
#iptables -A INPUT -p tcp -m state --state NEW -m tcp --deport 22 -j ACCEPT

#If we have a second interface (usbnic) then, we assign an IP to it, and we start dhcp server, and add propoer firewall rules
if [ ! -z "${usbnic}" ]; then
#we have an USB NIC, we set it up to handle the LAN connections as well
#defining IP
/sbin/ifconfig ${usbnic} netmask broadcast
#starting dhcp server on it
#copy the master config file as base (no interface designed)
/bin/cp /root/udhcpd.conf.master /root/udhcpd.conf
#adding the proper interface
/bin/echo "interface ${usbnic}">>/root/udhcpd.conf
#sending DNS request to the pi-hole on pi-hole proper IP
iptables -t nat -A PREROUTING -j DNAT -i ${usbnic} -p tcp --dport 53 --to-destination ${wifinetip}:5353
iptables -t nat -A PREROUTING -j DNAT -i ${usbnic} -p udp --dport 53 --to-destination ${wifinetip}:5353
#Assuming you opened the port 9443 above on wan and wifi, you also want, if connected your LAN machines to be able to access the service, so you would uncomment
#iptables -t nat -A PREROUTING -j DNAT -i ${usbnic} -p tcp --dport 9443 --to-destination
#allow ip forward from this LAN
iptables -A FORWARD -s -i ${usbnic} -j ACCEPT
#We NAT the traffic from this LAN
iptables -t nat -A POSTROUTING -s -j MASQUERADE
#starting udhcpd
/usr/sbin/udhcpd -S /root/udhcpd.conf


#Because we use the WIFI as WAN, we can use the onbard NIC ($onboardlan) as second LAN CARD
#configure onboard LAN IP
/sbin/ifconfig ${onboardlan} netmask broadcast
#create dedicated dhcp server config file
/bin/echo "" > /root/udhcpd2.conf
/bin/echo "start" >> /root/udhcpd2.conf
/bin/echo "end" >> /root/udhcpd2.conf
/bin/echo "lease_file	/var/lib/misc/udhcpd2.leases" >> /root/udhcpd2.conf
/bin/echo "pidfile	/var/run/" >> /root/udhcpd2.conf
/bin/echo "opt	dns" >> /root/udhcpd2.conf
/bin/echo "option	subnet" >> /root/udhcpd2.conf
/bin/echo "opt	router" >> /root/udhcpd2.conf
/bin/echo "option	domain	local" >> /root/udhcpd2.conf
/bin/echo "option	lease	864000" >> /root/udhcpd2.conf
/bin/echo "# Static leases map" >> /root/udhcpd2.conf
/bin/echo "#static_lease 00:60:08:11:CE:4E" >> /root/udhcpd2.conf
/bin/echo "#static_lease 00:60:08:11:CE:3E" >> /root/udhcpd2.conf
/bin/echo "interface ${onboardlan}" >> /root/udhcpd2.conf
iptables -t nat -A PREROUTING -j DNAT -i ${onboardlan} -p tcp --dport 53 --to-destination ${wifinetip}:5353
iptables -t nat -A PREROUTING -j DNAT -i ${onboardlan} -p udp --dport 53 --to-destination ${wifinetip}:5353
iptables -A FORWARD -s -i ${onboardlan} -j ACCEPT
iptables -t nat -A POSTROUTING -s -j MASQUERADE
/usr/sbin/udhcpd -S /root/udhcpd2.conf

#If you decided to open the port for your service on 9443 above (NAT), you need to accept it on the router too, so uncomment below
#iptables -A INPUT -p tcp -m tcp --dport 9443 -j ACCEPT

#I refuse any connection otherwise
iptables -A INPUT -i ${onboardwan} -j DROP

#We also load all the iptables helpers modules
/sbin/modprobe ip_nat_ftp nf_conntrack_netbios_ns xt_conntrack xt_multiport ip_nat_sip ip_conntrack_sip nf_conntrack_ftp nf_nat_ftp

exit 0[/bash]

Then, when the raspberry boots, it will connect to the existing wifi with the information you’ve configure in the file, and will broadcast your own SSID.
You’ll also be able to connect a device on the LAN port, AND the USB LAN adapter if you have the one used for the router project. It means, 2 clients in ethernet (or more if using a switch) and wifi.

From there, you may consider the use of a VPN on the raspberry itself, yet to be tested, i’ll add comments later on, planning to test sshuttle, openvpn (compatibles with protonvpn), and potentially expressvpn. All are working, just to be tested against existing iptables rules basically.

As usual, this is a post to keep a track, and it should work for you as well.


lundi, janvier 21st, 2019 Technologie

Ajouter un commentaire

Not f'd — you won't find me on Facebook
janvier 2019

Suivez moi sur twitter - follow me on twitter
Follow on LinkedIn
[FSF Associate Member]
Free Software, Free Society
Compacter une image virtualbox VDI
Bon petit tutoriel esxi
Marche d'appliances vmware
Installer ESXi sur un disque IDE
Installer ESXi 3.5 sur un disque USB
Installer proxmox avec DRBD et migration / réplication à chaud
Installer OSSEC avec VMware
Information sur le VDI
Ouvrir des ports dynamiquement iptables - knockd
Autre tres bon tuto knockd
Docs Arp poisoning - Anglais
Metasploit test de pénétration
Zone H - sites piratés en temps réel
Blog invisible things
Tips protection sécurité wordpress
Pfsense - distribution firewall opensource - adsl internet failover
Iproute 2 mini how to - linux advanced routing
ClearOS - la passerelle sécuritaire lan - wan
CDN - Accélération de la distribution de données
drbd iscsi ocfs2 dm multipath tutoriel
Load balancing LVS
Load balancing opensource list
HA-Proxy :
HAproxy - http load balancer
Simple tutoriel HAproxy
HAproxy - debian tutoriel
Centos - Ip failover
Configuratoin DM-Multipath Redhat
VMware Doubletake - continuité
Quelques liens sur la réplication MySQL : Manuel MySQL, chapitre sur la réplication
Manuel MySQL, Tutoriel clair sur la mise en place
Autre tuto sur la mise en place de la réplication MySQL
Références pour optimisation du serveur MySQL
Utilisation de EXPLAIN mysql pour optimiser vos bases
optimiser vos bases - requetes et index
Un outil de clonage disque en reseau
Internet NAS 250Go 250 accès VPN
Server ISCSI avec Ubuntu tuto
ISCSI centos redhat tutoriel
Gérer et étendre un LVM
Créer sa piratebox ! trop cool
Deaddrops, les clés USB dans les murs, aussi cool !
Télécharger Xenu
Comment utiliser Xenu
optimisation hébergement wordpress
Super howto wordpress (En)
Test de charge serveur web - Load impact
Zeroshell - le mini-routeur wifi tout en un
Retroshare, votre réseau d'échange crypté!
Openvpn sur centos redhat
Intégrer Linux dans active directory
Routage inter-vlan avec Linux
Routage avec OSPF
Network Weathermap
Boutons twitter
Analyser les tendances des recherches Google
Protocole sitemap - robots.txt
Creer des animations CSS3
Code php pour interagir avec twitter
E reputation
TRUCS ET ASTUCES GNU/LINUX : - Actus et tips linux
Configurer GRUB2 et grub2 ici
Panoet - en anglais - tips & tricks
Readylines tips and trick pertinents
Squid Clamav - proxy antivirus
Apprendre Unix en 10 minutes
13 tips sur les expressions régulières
IE Sous linux IES
LDAP 2.4 Quickstart guide
Tutoriel LDAP
Installation annuaire LDAP
Serveur Mail Postfix - Dovecot - LDAP - MDS
Créer un linux personnalisé en ligne - custom linux
Super site sur linux - en
Capistrano - déploiement automatisé
Nagios tutoriel et doc
Nagios plugin NRPE tuto
Nagios plugin NRPE autre tuto
Nagios plugin NRPE officiel
Zabbix - fonctionnalités
Zabbix - installation
Guide MRTGsys - grapher la charge locale
MRTGsys - ajouter des graphs
MRTGsys - interpréter les données
Shinken - Monitoring
Thruk Monitoring webinterface
Shinken - Tutoriel
Shinken - Référence chez Nicolargo
RemixJobs IT jobs
USB Multiboot
Reset mot de passe windows
Java python et autres tips, intéressant !
Forum inforeseau
Open Clipart
Excellent comic en ligne