From charlesreid1

Old version (ended in failure): Ubuntu/Bespin/Second AP Tunnel/Fail


▄████████████▄▐█▄▄▄▄█▌
█████▌▄▌▄▐▐▌██▌▀▀██▀▀
███▄█▌▄▌▄▐▐▌▀██▄▄█▌
▄▄▄▄█████████████

This page contains instructions for modifying the existing Access Point-to-VPN tunnel to include multiple access points and multiple tunnels, with each access point going through a different tunnel.

Overview of Setup

Recall that our existing setup is as follows:

  • One hostapd process running a single AP
  • One VPN tunnel to PIA servers, tun1
  • One access point to serve clients, wlan1
  • Iptables rules to forward traffic from wlan1 to tun1 and vice-versa
  • dnsmasq running DHCP and DNS for the access point on 127.0.0.1:53

The modifications we will make are as follows:

  • Update the hostapd file so it will run two APs
  • Open second VPN tunnel to different PIA servers, tun3 (LAN 30)
  • One access point to serve clients, wlan1:0
  • Iptables rules to forward traffic from wlan1:0 to tun3 and vice-versa
  • dnsmasq will do DHCP and DNS for BOTH access points

Note on Network Names

LAN10 wlan1 refers to the first access point at 192.168.10.0/24 and uses tunnel tun1

LAN20 tun2 refers to the OpenVPN network Ubuntu/Bespin/OpenVPN Server at 192.168.20.0/24

LAN30 wlan1:0 refers to the second access point at 192.168.30.0/24 and uses tunnel tun3

LAN0 refers to the internet-connected network that Bespin is on, at 192.168.0.0/24

Hostapd Config Modifications

Modify the hostapd configuration file to define a second access point.

You will also need to specify a mac address for the access point to use.

Specify the real mac address for the first LAN. Bump the last octet by one and list that as the mac address of the second LAN.

/etc/hostapd/hostapd.conf

interface=wlan1
driver=nl80211
hw_mode=g
channel=1
macaddr_acl=0
ignore_broadcast_ssid=0

# First LAN
ssid=YOURNETWORKNAMEHERE
auth_algs=1
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=YOURPASSPHRASEHERE
bssid=00:11:22:33:44:55:66

# Second LAN
bss=wlan1:0
ssid=YOURNETWORKNAMEHERE
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=YOURPASSPHRASEHERE
bssid=00:11:22:33:44:55:67

Network Interface Modifications

Modify the wlan1 stanza of /etc/network/interfaces so that the new wireless device that will be created by hostapd will have a static IP address. We assign it the range 192.168.30.0/24 (LAN30 = 192.168.30.*)

It should look like the following:


allow-hotplug wlan1 wlan1:0
iface wlan1 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    gateway 192.168.10.1
iface wlan1:0 inet static
    address 192.168.30.1
    netmask 255.255.255.0
    gateway 192.168.30.1

Dnsmasq Modifications

Having a second AP means we need to provide clients of the LAN30 AP with IP addresses and serve their DNS requests.

We do that by expanding on the single dnsmasq instance that's serving DNS requests from local and LAN10 AP.

Modify the configuration file like so:

/etc/dnsmasq.conf

# don't send external traffic that is missing a domain
domain-needed
# don't send external traffic that has bogus private ip
bogus-priv
# listen on these interfaces and only these interfaces
interface=lo
listen-address=127.0.0.1
interface=wlan1
listen-address=192.168.10.1
interface=wlan1:0
listen-address=192.168.30.1
bind-interfaces
# define range of IP addresses to hand out
dhcp-range=192.168.10.100,192.168.10.150,255.255.255.0,24h
dhcp-range=192.168.30.100,192.168.30.150,255.255.255.0,24h
# don't read /etc/resolv.conf
no-resolv
# define what to do if no name resolution
# note: the notation for server used here is
# <dest-ip>/<src-ip>
# local dns queries use pihole dns server
server=127.53.0.1/127.0.0.1
# lan10 dns queries use pihole dns server
server=127.53.0.1/192.168.10.1
# lan30 dns queries use google
server=8.8.8.8/192.168.30.1
# send dnsmasq logs to a single place
log-facility=/var/log/dnsmasq.log

Second PIA VPN Tunnel

In the initial setup of Ubuntu/Bespin we created an initial PIA VPN tunnel to Belgium. Now we add a VPN tunnel using a West Coast IP address.

Obtain and Install Profiles

Obtain OpenVPN profiles (again), this time putting them in the home directory:

cd ~
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip -d pia openvpn.zip
rm -f openvpn.zip
cd pia

export PROFILE='West'
cp ca.rsa.2048.crt /etc/openvpn/.
cp crl.rsa.2048.pem /etc/openvpn/.
cp "US ${PROFILE}.ovpn" /etc/openvpn/{$PROFILE}.ovpn

Note the slight renaming to make this possible to start up with systemd.

Modify Profiles

PIA requires login credentials.

We have already created a credentials file at /etc/openvpn/login so tell this OpenVPN profile file to use that.

Also tell the OpenVPN profile to name the tunnel tun2.

export PROFILE='West'
sudo sed -i 's+^auth-user-pass+& /etc/openvpn/login+' /etc/openvpn/${PROFILE}.ovpn
sudo sed -i 's+^ca ca.rsa.2048.crt+& /etc/openvpn/ca.rsa.2048.crt+' /etc/openvpn/${PROFILE}.ovpn
sudo sed -i 's+^crl-verif crl.rsa.2048.pem+& /etc/openvpn/crl.rsa.2048.pem+' /etc/openvpn/${PROFILE}.ovpn
sudo sed -i 's+dev tun$+dev tun3+' /etc/openvpn/${PROFILE}.ovpn

Start New OpenVPN Tunnel

Start the new OpenVPN tunnel:

sudo systemctl start openvpn@West

Test OpenVPN Tunnel

Check that the new tunnel tun3 appears when you run ifconfig.

Use curl to get the IP address for a request that is forced to go through that tunnel:

curl --interface <ip-addr-of-tun3> -4 icanhazip.com

You should get an IP that is in the US West region. Instead, I got:

$ curl --interface <ip-addr-of-tun3> -4 icanhazip.com
curl: (45) bind failed with errno 99: Cannot assign requested address

Seems to be some kind of issue with two instances of PIA running at once.

The Fail Whale For The Second Time

▄████████████▄▐█▄▄▄▄█▌
█████▌▄▌▄▐▐▌██▌▀▀██▀▀
███▄█▌▄▌▄▐▐▌▀██▄▄█▌
▄▄▄▄█████████████

You can't even do this, because you can't have two PIA instances running simultaneously. PIA only expects one PIA process to run, so when you run two, the second one doesn't actually do anything, and when you kill it, it also kills the first one.

Iptables Modifications

Now that we have both our new AP (LAN30, wlan1:0) and our new VPN tunnel (tun2), we can configure iptables to forward packets between these two interfaces.