From charlesreid1

Latest revision as of 23:40, 8 July 2020

Old version (ended in failure): Ubuntu/Bespin/Second AP Tunnel/Fail


▄████████████▄▐█▄▄▄▄█▌
█████▌▄▌▄▐▐▌██▌▀▀██▀▀
███▄█▌▄▌▄▐▐▌▀██▄▄█▌
▄▄▄▄█████████████

This page contains instructions for modifying the existing Access Point-to-VPN tunnel to include multiple access points and multiple tunnels, with each access point going through a different tunnel.

Overview of Setup

Recall that our existing setup is as follows:

  • One hostapd process running a single AP
  • One VPN tunnel to PIA servers, tun1
  • One access point to serve clients, wlan1
  • Iptables rules to forward traffic from wlan1 to tun1 and vice-versa
  • dnsmasq running DHCP and DNS for the access point on 127.0.0.1:53

The modifications we will make are as follows:

  • Update the hostapd file so it will run two APs
  • Open second VPN tunnel to different PIA servers, tun3 (LAN 30)
  • One access point to serve clients, wlan1:0
  • Iptables rules to forward traffic from wlan1:0 to tun3 and vice-versa
  • dnsmasq will do DHCP and DNS for BOTH access points

Note on Network Names

LAN10 wlan1 refers to the first access point at 192.168.10.0/24 and uses tunnel tun1

LAN20 tun2 refers to the OpenVPN network Ubuntu/Bespin/OpenVPN Server at 192.168.20.0/24

LAN30 wlan1:0 refers to the second access point at 192.168.30.0/24 and uses tunnel tun3

LAN0 refers to the internet-connected network that Bespin is on, at 192.168.0.0/24

Hostapd Config Modifications

Modify the hostapd configuration file to define a second access point.

You will also need to specify a MAC address (the BSSID) for each access point to use.

Specify the card's real MAC address for the first LAN. Bump the last octet by one and list that as the MAC address of the second LAN.

/etc/hostapd/hostapd.conf

interface=wlan1
driver=nl80211
hw_mode=g
channel=1
macaddr_acl=0
ignore_broadcast_ssid=0

# First LAN
ssid=YOURNETWORKNAMEHERE
auth_algs=1
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=YOURPASSPHRASEHERE
bssid=00:11:22:33:44:55

# Second LAN
bss=wlan1:0
ssid=YOURNETWORKNAMEHERE
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=YOURPASSPHRASEHERE
bssid=00:11:22:33:44:56
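
As an added helper (not part of the original page or its config), this shell script derives the second BSSID from the first by bumping the last octet as the text describes, carrying into the next octet when the last one is ff, and lints the bssid= lines of a hostapd.conf so an extra or missing octet or a duplicate BSSID is caught before hostapd refuses the file. The hostapd.conf path is whatever you pass in; the MACs in the usage line are made-up values.

```shell
#!/bin/sh
# Added example: derive and validate BSSIDs for a multi-BSS hostapd.conf.
# Not the page's own code.

# valid_mac MAC: succeed only for exactly six two-digit hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# bump_mac MAC: treat the MAC as a 48-bit integer, add one, and print it
# back as colon-separated lowercase hex (…:44:ff becomes …:45:00).
bump_mac() {
    mac="$1"
    valid_mac "$mac" || { echo "bump_mac: bad MAC '$mac'" >&2; return 1; }
    hex=$(printf '%s' "$mac" | tr -d ':' | tr 'A-F' 'a-f')
    # A 48-bit value fits in shell arithmetic; the mask keeps a wrap-around
    # at ff:ff:ff:ff:ff:ff inside the MAC range.
    next=$(( (0x$hex + 1) & 0xffffffffffff ))
    printf '%012x' "$next" | sed 's/../&:/g; s/:$//'
}

# check_bssids CONF: every bssid= line must be a valid MAC and all of them
# must be distinct, since two BSSes on one radio cannot share a BSSID.
check_bssids() {
    conf="$1"; rc=0
    macs=$(sed -n 's/^bssid=//p' "$conf")
    for m in $macs; do
        valid_mac "$m" || { echo "check_bssids: invalid bssid $m" >&2; rc=1; }
    done
    dups=$(printf '%s\n' "$macs" | tr 'A-F' 'a-f' | sort | uniq -d)
    [ -z "$dups" ] || { echo "check_bssids: duplicate bssid $dups" >&2; rc=1; }
    return $rc
}

# Usage: sh bssid.sh 00:11:22:33:44:55   (prints 00:11:22:33:44:56)
if [ $# -gt 0 ]; then bump_mac "$1"; fi
```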

Network Interface Modifications

Modify the wlan1 stanza of /etc/network/interfaces so that the new wireless device that will be created by hostapd will have a static IP address. We assign it the range 192.168.30.0/24 (LAN30 = 192.168.30.*)

It should look like the following:


allow-hotplug wlan1 wlan1:0
iface wlan1 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    gateway 192.168.10.1
iface wlan1:0 inet static
    address 192.168.30.1
    netmask 255.255.255.0
    gateway 192.168.30.1

Dnsmasq Modifications

Having a second AP means we need to hand out IP addresses to the LAN30 AP's clients and serve their DNS requests.

We do that by expanding the single dnsmasq instance that already serves DHCP and DNS for localhost and the LAN10 AP.

Modify the configuration file like so:

/etc/dnsmasq.conf

# don't forward queries for plain names (no dots) upstream
domain-needed
# don't forward reverse lookups for private IP ranges upstream
bogus-priv
# listen on these interfaces and only these interfaces
interface=lo
listen-address=127.0.0.1
interface=wlan1
listen-address=192.168.10.1
interface=wlan1:0
listen-address=192.168.30.1
bind-interfaces
# define range of IP addresses to hand out
dhcp-range=192.168.10.100,192.168.10.150,255.255.255.0,24h
dhcp-range=192.168.30.100,192.168.30.150,255.255.255.0,24h
# don't read /etc/resolv.conf
no-resolv
# define what to do if no name resolution
# note: the notation for server used here is
# <dest-ip>/<src-ip>
# local dns queries use pihole dns server
server=127.53.0.1/127.0.0.1
# lan10 dns queries use pihole dns server
server=127.53.0.1/192.168.10.1
# lan30 dns queries use google
server=8.8.8.8/192.168.30.1
# send dnsmasq logs to a single place
log-facility=/var/log/dnsmasq.log

Second PIA VPN Tunnel

In the initial setup of Ubuntu/Bespin we created an initial PIA VPN tunnel to Belgium. Now we add a VPN tunnel using a West Coast IP address.

Obtain and Install Profiles

Obtain OpenVPN profiles (again), this time putting them in the home directory:

cd ~
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip -d pia openvpn.zip
rm -f openvpn.zip
cd pia

export PROFILE='West'
# /etc/openvpn is root-owned, so copy with sudo
sudo cp ca.rsa.2048.crt /etc/openvpn/
sudo cp crl.rsa.2048.pem /etc/openvpn/
# drop the space in "US West" so the profile name works as a systemd instance name
sudo cp "US ${PROFILE}.ovpn" "/etc/openvpn/${PROFILE}.ovpn"

Note the slight renaming (the space in "US West" is dropped) to make it possible to start this profile as a systemd instance.

Modify Profiles

PIA requires login credentials.

We have already created a credentials file at /etc/openvpn/login so tell this OpenVPN profile file to use that.

Also tell the OpenVPN profile to name the tunnel tun3 (tun1 is the first PIA tunnel and tun2 is the LAN20 OpenVPN server).

export PROFILE='West'
# point auth-user-pass at the credentials file
sudo sed -i 's+^auth-user-pass$+auth-user-pass /etc/openvpn/login+' /etc/openvpn/${PROFILE}.ovpn
# use absolute paths for the CA certificate and CRL copied above
sudo sed -i 's+^ca ca.rsa.2048.crt$+ca /etc/openvpn/ca.rsa.2048.crt+' /etc/openvpn/${PROFILE}.ovpn
sudo sed -i 's+^crl-verify crl.rsa.2048.pem$+crl-verify /etc/openvpn/crl.rsa.2048.pem+' /etc/openvpn/${PROFILE}.ovpn
# name the tunnel device tun3 (tun1 and tun2 are already in use)
sudo sed -i 's+^dev tun$+dev tun3+' /etc/openvpn/${PROFILE}.ovpn
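
The sed edits above are applied blindly and silently do nothing if a directive is spelled differently than expected. This added script (not from the original page) makes the same four edits idempotently and then verifies that each directive ends up present exactly once in its final form, so a profile that would fail at start-up is caught first. It assumes the page's file names (ca.rsa.2048.crt, crl.rsa.2048.pem, /etc/openvpn/login); the profile lines in demo_profile are a constructed sample.

```shell
#!/bin/sh
# Added example: rewrite a PIA .ovpn so it uses absolute paths under
# /etc/openvpn and a fixed tun device, then verify the result.
# Not the page's own script.

OVPN_DIR=${OVPN_DIR:-/etc/openvpn}

# patch_profile FILE TUNDEV: edit FILE in place. Only lines still in the
# bare form are touched, so running it twice appends nothing twice.
patch_profile() {
    f="$1"; tun="$2"
    sed -i \
        -e "s|^auth-user-pass\$|auth-user-pass $OVPN_DIR/login|" \
        -e "s|^ca ca\.rsa\.2048\.crt\$|ca $OVPN_DIR/ca.rsa.2048.crt|" \
        -e "s|^crl-verify crl\.rsa\.2048\.pem\$|crl-verify $OVPN_DIR/crl.rsa.2048.pem|" \
        -e "s|^dev tun\$|dev $tun|" \
        "$f"
}

# check_profile FILE TUNDEV: succeed only if every directive we care about
# appears exactly once in its expected final form.
check_profile() {
    f="$1"; tun="$2"; rc=0
    for want in \
        "auth-user-pass $OVPN_DIR/login" \
        "ca $OVPN_DIR/ca.rsa.2048.crt" \
        "crl-verify $OVPN_DIR/crl.rsa.2048.pem" \
        "dev $tun"; do
        n=$(grep -cxF "$want" "$f" || true)
        [ "$n" -eq 1 ] || { echo "check_profile: want 1 x '$want', got $n" >&2; rc=1; }
    done
    # A leftover bare "dev tun" means the device rename did not apply.
    if grep -qx 'dev tun' "$f"; then echo "check_profile: 'dev tun' still present" >&2; rc=1; fi
    return $rc
}

# demo_profile: write a constructed sample of the relevant lines of a PIA
# profile to a temp file and print its path (constructed, not a real profile).
demo_profile() {
    f=$(mktemp)
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'auth-user-pass' \
        'ca ca.rsa.2048.crt' 'crl-verify crl.rsa.2048.pem' > "$f"
    printf '%s\n' "$f"
}

# Dry run on the sample: sh patch-profile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    p=$(demo_profile); patch_profile "$p" tun3 && check_profile "$p" tun3 && cat "$p"; rm -f "$p"
fi
```

On Debian-derived systems the openvpn@<name> unit reads /etc/openvpn/<name>.conf, so once the profile checks out, install it under that name (or symlink it) for systemctl start openvpn@West to find it.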

Start New OpenVPN Tunnel

Start the new OpenVPN tunnel:

sudo systemctl start openvpn@West

Test OpenVPN Tunnel

Check that the new tunnel tun3 appears when you run ifconfig.

Use curl to get the IP address for a request that is forced to go through that tunnel:

curl --interface <ip-addr-of-tun3> -4 icanhazip.com

You should get an IP that is in the US West region. Instead, I got:

$ curl --interface <ip-addr-of-tun3> -4 icanhazip.com
curl: (45) bind failed with errno 99: Cannot assign requested address

Seems to be some kind of issue with two instances of PIA running at once.
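
curl's "errno 99: Cannot assign requested address" means the address given to --interface is not configured on any local interface, which is what you see when the tunnel never came up or you copied the wrong address. As an added check (not from the original page), this script reads the tunnel's IPv4 address from ip(8) output before binding curl to it, handling both a plain "inet a.b.c.d/24" entry and OpenVPN's point-to-point "inet a.b.c.d peer ..." form; it assumes iproute2 and curl are installed, and the ip output lines in the test are constructed samples.

```shell
#!/bin/sh
# Added example: resolve a tunnel's local IPv4 address before handing it
# to curl --interface. Not part of the original page.

# tun_ipv4_from_line LINE: extract the local address from one line of
# 'ip -4 -o addr show dev <dev>' output, dropping any /prefix. Prints
# nothing if the line carries no inet field.
tun_ipv4_from_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "inet") {
            a = $(i + 1); sub(/\/.*/, "", a); print a; exit
        }
    }'
}

# tun_ipv4 DEV: query the live system; fails if DEV is absent or has no
# IPv4 address (the situation behind "Cannot assign requested address").
tun_ipv4() {
    line=$(ip -4 -o addr show dev "$1" 2>/dev/null) || return 1
    addr=$(tun_ipv4_from_line "$line")
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# exit_ip_via DEV: the page's curl check, with the address looked up
# instead of typed by hand.
exit_ip_via() {
    addr=$(tun_ipv4 "$1") || { echo "exit_ip_via: $1 has no IPv4 address; is the tunnel up?" >&2; return 1; }
    curl -s --interface "$addr" -4 icanhazip.com
}

# Usage: sh exit-ip.sh tun3
if [ $# -gt 0 ]; then exit_ip_via "$1"; fi
```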

The Fail Whale For The Second Time

▄████████████▄▐█▄▄▄▄█▌
█████▌▄▌▄▐▐▌██▌▀▀██▀▀
███▄█▌▄▌▄▐▐▌▀██▄▄█▌
▄▄▄▄█████████████

You can't even do this, because you can't have two PIA instances running simultaneously. PIA only expects one PIA process to run, so when you run two, the second one doesn't actually do anything, and when you kill it, it also kills the first one.

Iptables Modifications

Now that we have both our new AP (LAN30, wlan1:0) and our new VPN tunnel (tun3), we can configure iptables to forward packets between these two interfaces.