Ubuntu/Bespin/Second AP Tunnel: Difference between revisions
From charlesreid1
| Line 158: | Line 158: | ||
Also tell the OpenVPN profile to name the tunnel tun2. | Also tell the OpenVPN profile to name the tunnel tun2. | ||
NOTE: Run these commands as root. | |||
<pre> | <pre> | ||
Revision as of 22:52, 8 July 2020
Old version (ended in failure): Ubuntu/Bespin/Second AP Tunnel/Fail
This page contains instructions for modifying the existing Access Point-to-VPN tunnel to include multiple access points and multiple tunnels, with each access point going through a different tunnel.
Overview of Setup
Recall that our existing setup is as follows:
- One hostapd process running a single AP
- One VPN tunnel to PIA servers, tun1
- One access point to serve clients, wlan1
- Iptables rules to forward traffic from wlan1 to tun1 and vice-versa
- dnsmasq running DHCP and DNS for the access point on 127.0.0.1:53
The modifications we will make are as follows:
- Update the hostapd file so it will run two APs
- Open second VPN tunnel to different PIA servers, tun2
- One access point to serve clients, wlan2
- Iptables rules to forward traffic from wlan2 to tun2 and vice-versa
- dnsmasq will do DHCP and DNS for BOTH access points
Note on Network Names
LAN10 refers to the first access point at 192.168.10.0/24
LAN30 refers to the second access point at 192.168.30.0/24
LAN0 refers to the internet-connected network that Bespin is on, at 192.168.0.0/24
Hostapd Config Modifications
Modify the hostapd configuration file to define a second access point.
You will also need to specify a mac address for the access point to use.
Specify the real mac address for the first LAN. Bump the last octet by one and list that as the mac address of the second LAN.
/etc/hostapd/hostapd.conf
interface=wlan1 driver=nl80211 hw_mode=g channel=1 macaddr_acl=0 ignore_broadcast_ssid=0 # First LAN ssid=YOURNETWORKNAMEHERE auth_algs=1 wpa=3 wpa_key_mgmt=WPA-PSK wpa_pairwise=TKIP rsn_pairwise=CCMP wpa_passphrase=YOURPASSPHRASEHERE bssid=00:11:22:33:44:55:66 # Second LAN bss=wlan1:0 ssid=YOURNETWORKNAMEHERE auth_algs=1 wpa=2 wpa_key_mgmt=WPA-PSK wpa_pairwise=TKIP rsn_pairwise=CCMP wpa_passphrase=YOURPASSPHRASEHERE bssid=00:11:22:33:44:55:67
Network Interface Modifications
Modify the wlan1 stanza of /etc/network/interfaces so that the new wireless device that will be created by hostapd will have a static IP address. We assign it the range 192.168.30.0/24 (LAN30 = 192.168.30.*)
It should look like the following:
allow-hotplug wlan1 wlan1:0
iface wlan1 inet static
address 192.168.10.1
netmask 255.255.255.0
gateway 192.168.10.1
iface wlan1:0 inet static
address 192.168.30.1
netmask 255.255.255.0
gateway 192.168.30.1
Dnsmasq Modifications
Having a second AP means we need to provide clients of the LAN30 AP with IP addresses and serve their DNS requests.
We do that by expanding on the single dnsmasq instance that's serving DNS requests from local and LAN10 AP.
Modify the configuration file like so:
/etc/dnsmasq.conf
# don't send external traffic that is missing a domain domain-needed # don't send external traffic that has bogus private ip bogus-priv # listen on these interfaces and only these interfaces interface=lo listen-address=127.0.0.1 interface=wlan1 listen-address=192.168.10.1 interface=wlan1:0 listen-address=192.168.30.1 bind-interfaces # define range of IP addresses to hand out dhcp-range=192.168.10.100,192.168.10.150,255.255.255.0,24h dhcp-range=192.168.30.100,192.168.30.150,255.255.255.0,24h # don't read /etc/resolv.conf no-resolv # define what to do if no name resolution # note: the notation for server used here is # <dest-ip>/<src-ip> # local dns queries use pihole dns server server=127.53.0.1/127.0.0.1 # lan10 dns queries use pihole dns server server=127.53.0.1/192.168.10.1 # lan30 dns queries use google server=8.8.8.8/192.168.30.1 # send dnsmasq logs to a single place log-facility=/var/log/dnsmasq.log
Second PIA VPN Tunnel
In the initial setup of Ubuntu/Bespin we created an initial PIA VPN tunnel to Belgium. Now we add a VPN tunnel using a West Coast IP address.
Obtain and Install Profiles
Obtain OpenVPN profiles (again), this time putting them in the home directory:
cd ~
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip -d pia openvpn.zip
rm -f openvpn.zip
cd pia
PROFILE='West'
cp ca.rsa.2048.crt /etc/openvpn/.
cp crl.rsa.2048.pem /etc/openvpn/.
cp "US ${PROFILE}.ovpn" /etc/openvpn/{$PROFILE}.ovpn
Note the slight renaming to make this possible to start up with systemd.
We have already created a credentials file at /etc/openvpn/login so tell this OpenVPN profile file to use that.
Also tell the OpenVPN profile to name the tunnel tun2.
NOTE: Run these commands as root.
sed -i 's+^auth-user-pass+& /etc/openvpn/login+' /etc/openvpn/${PROFILE}.ovpn
sed -i 's+^ca ca.rsa.2048.crt+& /etc/openvpn/ca.rsa.2048.crt+' /etc/openvpn/${PROFILE}.ovpn
sed -i 's+^crl-verif crl.rsa.2048.pem+& /etc/openvpn/crl.rsa.2048.pem+' /etc/openvpn/${PROFILE}.ovpn
sed -i 's+dev tun$+dev tun2+' /etc/openvpn/${PROFILE}.ovpn
Iptables Modifications
Now that we have both our new AP (LAN30, wlan1:0) and our new VPN tunnel (tun2), we can configure iptables to forward packets between these two interfaces.