{{Main|Ubuntu/Bespin}}

Old version (ended in failure): [[Ubuntu/Bespin/Second AP Tunnel/Fail]]

=Overview=

This page contains instructions for modifying the existing Access Point-to-VPN tunnel to include multiple access points and multiple tunnels, with each access point going through a different tunnel. We are going to extend the wifi card to host two access points, and this procedure can be scaled to multiple networks running on multiple cards.

==Hostapd Modifications==

Modify the hostapd configuration file to define a second access point.

You will also need to specify a MAC address for the second access point to use. Just bump the last octet of the first one by one.

<code>/etc/hostapd/hostapd.conf</code>

<pre>
interface=wlan1
driver=nl80211
hw_mode=g
channel=1
macaddr_acl=0
ignore_broadcast_ssid=0

# First LAN
ssid=YOURNETWORKNAMEHERE
auth_algs=1
# wpa=3 admits both WPA (TKIP) and WPA2 (CCMP) clients
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=YOURPASSPHRASEHERE
# a BSSID is a six-octet MAC address
bssid=00:11:22:33:44:55

# Second LAN
# bss= opens the section for the second access point; everything below it
# applies to that access point only
bss=wlan1b
ssid=YOURNETWORKNAMEHERE
auth_algs=1
# wpa=2 is WPA2 only
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=YOURPASSPHRASEHERE
# the first BSSID with its last octet bumped by one
bssid=00:11:22:33:44:56
</pre>

Note that the <code>bss</code> parameter is the name of the new network interface that will show up.
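A small checker for the multi-BSS layout described above, added here as an example that is not part of the original page or of hostapd: it splits the file into per-BSS sections the way hostapd does and flags a <code>bssid</code> that is not six octets, an <code>ssid</code> reused by a second BSS, and a BSS that still admits WPA1 (<code>wpa=1</code> or <code>wpa=3</code>). The embedded configuration is a constructed copy of the page's two-LAN settings, reduced to the keys the checks look at.

```python
# Added example (not from the original page or hostapd): split a multi-BSS
# hostapd.conf into per-BSS sections as hostapd does (a "bss=" line opens a new
# section; everything before it belongs to the interface= BSS) and lint them.
# SAMPLE_CONF is a constructed copy of the page's two-LAN configuration.
import re
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

SAMPLE_CONF = """\
interface=wlan1
# First LAN
ssid=YOURNETWORKNAMEHERE
wpa=3
bssid=00:11:22:33:44:55:66
# Second LAN
bss=wlan1b
ssid=YOURNETWORKNAMEHERE
wpa=2
bssid=00:11:22:33:44:55:67
"""


def parse_bss_sections(text):
    """Return one dict per BSS; key 'bss' holds that BSS's interface name."""
    sections = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "bss":
            sections.append({"bss": value})    # a new BSS section starts here
        elif key == "interface":
            sections[0]["bss"] = value         # first BSS is the radio itself
        else:
            sections[-1][key] = value
    return sections


def lint(text):
    """Return (bss_name, message) findings: bad bssid, reused ssid, WPA1 admitted."""
    findings, seen_ssid = [], {}
    for sec in parse_bss_sections(text):
        name, bssid, ssid = sec.get("bss", "?"), sec.get("bssid"), sec.get("ssid")
        if bssid and not MAC_RE.match(bssid):
            findings.append((name, f"bssid {bssid} is not a 6-octet MAC address"))
        if ssid in seen_ssid:
            findings.append((name, f"ssid {ssid} is already used by {seen_ssid[ssid]}"))
        elif ssid:
            seen_ssid[ssid] = name
        if sec.get("wpa") in ("1", "3"):
            findings.append((name, f"wpa={sec['wpa']} still admits WPA1/TKIP clients"))
    return findings
```

Running <code>lint(SAMPLE_CONF)</code> reports both seven-octet BSSIDs from the page, the reused SSID on <code>wlan1b</code>, and the WPA1 setting on <code>wlan1</code>.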

==Dnsmasq Modifications==

The dnsmasq configuration file can handle multiple interfaces; specify them one line per interface:

<code>/etc/dnsmasq.conf</code>

<pre>
interface=wlan1
interface=wlan1b
...
</pre>

==iptables rules==

There are a few choices for how you can set up iptables.

You can run traffic for each wifi network through the same VPN tunnel, in which case you will create iptables rules to masquerade traffic from the new network interface wlan1b out through the VPN tunnel device tun0.

Alternatively, you can create a second VPN tunnel and route the second AP's traffic through the second tunnel.

===Two APs One Tunnel===

To set up the APs to share the same OpenVPN tunnel (useful for troubleshooting), use the following script:

<pre>
#!/bin/bash
set -e

## start by flushing all rules and setting defaults
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t mangle -F
# with an ACCEPT policy on FORWARD the per-device rules below only document
# the intended path; a DROP policy would block AP traffic that cannot reach
# tun0 instead of letting it leave through another interface
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

# accept all traffic coming in from tunnel
sudo iptables -A INPUT -i tun0 -j ACCEPT

# NAT everything leaving through the tunnel (one rule is enough; placing it
# inside the loop would add a duplicate rule per device)
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

# set forwarding rules for each access point interface
DEVICES="wlan1 wlan1b"
for DEV in $DEVICES; do
    sudo iptables -A FORWARD -i "${DEV}" -o tun0 -j ACCEPT
    sudo iptables -A FORWARD -i tun0 -o "${DEV}" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# make rules persistent
sudo netfilter-persistent save
</pre>

===Two APs Two Tunnels===

Start by preparing a new OpenVPN profile file. Coming back to the PIA example, we modify one of the OpenVPN profile files to work:

==Giving Up==

I am being driven crazy... I cannot, cannot, cannot for the life of me get the second wifi AP network device to get assigned a static IP address when the device comes up.

The problem is happening in the way the udev ifupdown-hotplug service is being invoked: there is an $INTERFACE variable that is not defined but is supposed to be. I'm guessing it's a bug in how hostapd brings up a second network device. I found zero other people with this problem. Lucky me!

In the future, I would like to try this again. I think it would work better if we had an existing network device, wlan1b, that was available at boot. But I just don't know.