Ubuntu/Bespin/Second AP Tunnel
From charlesreid1
Old version (ended in failure): Ubuntu/Bespin/Second AP Tunnel/Fail
▄████████████▄▐█▄▄▄▄█▌ █████▌▄▌▄▐▐▌██▌▀▀██▀▀ ███▄█▌▄▌▄▐▐▌▀██▄▄█▌ ▄▄▄▄█████████████
This page contains instructions for modifying the existing Access Point-to-VPN tunnel to include multiple access points and multiple tunnels, with each access point going through a different tunnel.
Overview of Setup
Recall that our existing setup is as follows:
- One hostapd process running a single AP
- One VPN tunnel to PIA servers, tun1
- One access point to serve clients, wlan1
- Iptables rules to forward traffic from wlan1 to tun1 and vice-versa
- dnsmasq providing DHCP and DNS for the access point, listening on 127.0.0.1 and 192.168.10.1 (port 53)
The modifications we will make are as follows:
- Update the hostapd file so it will run two APs
- Open second VPN tunnel to different PIA servers, tun3 (LAN 30)
- A second access point to serve clients, wlan1:0 (LAN30)
- Iptables rules to forward traffic from wlan1:0 to tun3 and vice-versa
- dnsmasq will do DHCP and DNS for BOTH access points
Note on Network Names
- LAN10 (wlan1): the first access point, 192.168.10.0/24, which uses tunnel tun1
- LAN20 (tun2): the OpenVPN server network (Ubuntu/Bespin/OpenVPN Server), 192.168.20.0/24
- LAN30 (wlan1:0): the second access point, 192.168.30.0/24, which uses tunnel tun3
- LAN0: the internet-connected network that Bespin is on, 192.168.0.0/24
Hostapd Config Modifications
Modify the hostapd configuration file to define a second BSS (access point) on the same radio. First check that the card can run more than one AP at once: iw list must show an AP count of at least 2 under "valid interface combinations".
Each BSS needs its own BSSID. Give the first the radio's real MAC address, then bump the last octet by one for the second. hostapd derives a BSSID mask from the configured addresses and checks that the radio's own address fits it; addresses that differ only in the last octet always do.
Two other points. Give the second network its own SSID and passphrase, and use WPA2 only (wpa=2 with rsn_pairwise=CCMP) rather than wpa=3 with wpa_pairwise=TKIP: TKIP is deprecated and weak, and wpa_pairwise is ignored once WPA1 is disabled. Also, hostapd's sample configuration names additional BSS interfaces wlan0_0 rather than wlan0:0, because a colon is what ifconfig uses for address aliases; if hostapd cannot create wlan1:0, use wlan1_0 here and in the dnsmasq and iptables references below.
/etc/hostapd/hostapd.conf
interface=wlan1
driver=nl80211
hw_mode=g
channel=1
macaddr_acl=0
ignore_broadcast_ssid=0

# First LAN (LAN10): the radio's real MAC address
ssid=YOURNETWORKNAMEHERE
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=YOURPASSPHRASEHERE
bssid=00:11:22:33:44:55

# Second LAN (LAN30): hostapd creates this interface; last octet bumped by one
bss=wlan1:0
ssid=YOURSECONDNETWORKNAMEHERE
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=YOURSECONDPASSPHRASEHERE
bssid=00:11:22:33:44:56
Network Interface Modifications
Modify the wlan1 stanza of /etc/network/interfaces so the second access point gets a static address in its own range, 192.168.30.0/24 (LAN30), with this host at 192.168.30.1.
As written this is an address alias (wlan1:0) on the same netdev; if hostapd creates the second BSS as a separate interface (wlan1_0), put the 192.168.30.1 stanza on that name instead.
Neither stanza gets a gateway line. These are the router's own LAN-side addresses, a gateway pointing at the interface's own address installs a bogus default route, and the host's real default route belongs to LAN0 and, once they are up, the VPN tunnels.
It should look like the following:
allow-hotplug wlan1 wlan1:0

# LAN10: first access point; no gateway, this host is the gateway
iface wlan1 inet static
    address 192.168.10.1
    netmask 255.255.255.0

# LAN30: second access point
iface wlan1:0 inet static
    address 192.168.30.1
    netmask 255.255.255.0
Dnsmasq Modifications
Having a second AP means we also need to hand out addresses to clients of the LAN30 AP and answer their DNS queries.
We do that by extending the single dnsmasq instance that already serves loopback and the LAN10 AP.
Two things to watch. dnsmasq's server= option selects an upstream by query domain (server=/domain/ip) or sets the source address for upstream queries (server=ip@source); it cannot pick an upstream based on which interface a query arrived on. To have LAN30 use Google's resolver, tag LAN30's DHCP pool and hand those clients 8.8.8.8 directly as their DNS server; their queries then leave through tun3 with the rest of LAN30's traffic. And keep bind-interfaces with explicit listen addresses so the resolver is never reachable from LAN0 and cannot be abused as an open resolver.
Modify the configuration file like so:
/etc/dnsmasq.conf
# never forward plain names (no dots) upstream
domain-needed
# never forward reverse lookups for private ranges upstream
bogus-priv
# listen only on loopback and the two AP addresses, never on LAN0
listen-address=127.0.0.1
listen-address=192.168.10.1
listen-address=192.168.30.1
bind-interfaces
# one DHCP pool per AP; LAN30 leases are tagged so they can get their own options
dhcp-range=192.168.10.100,192.168.10.150,255.255.255.0,24h
dhcp-range=set:lan30,192.168.30.100,192.168.30.150,255.255.255.0,24h
# don't read /etc/resolv.conf
no-resolv
# upstream for everything dnsmasq forwards (local and LAN10): the pihole server
server=127.53.0.1
# LAN30 clients are told to use Google directly instead of this resolver
dhcp-option=tag:lan30,option:dns-server,8.8.8.8
# send dnsmasq logs to a single place
log-facility=/var/log/dnsmasq.log
Second PIA VPN Tunnel
In the initial setup of Ubuntu/Bespin we created an initial PIA VPN tunnel to Belgium. Now we add a VPN tunnel using a West Coast IP address.
Obtain and Install Profiles
Obtain OpenVPN profiles (again), this time putting them in the home directory:
cd ~
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip -d pia openvpn.zip
rm -f openvpn.zip
cd pia
export PROFILE='West'
sudo cp ca.rsa.2048.crt /etc/openvpn/
sudo cp crl.rsa.2048.pem /etc/openvpn/
# the openvpn@<name> systemd unit reads /etc/openvpn/<name>.conf
sudo cp "US ${PROFILE}.ovpn" "/etc/openvpn/${PROFILE}.conf"
Note the renaming: on Debian and Ubuntu the openvpn@.service unit starts /etc/openvpn/<instance>.conf, so a profile saved as West.conf is what systemctl start openvpn@West will find, and the space in the original file name is dropped because a unit instance name cannot carry it.
Modify Profiles
PIA requires login credentials.
We have already created a credentials file at /etc/openvpn/login; it holds the username and password in plaintext, so it must stay root-owned with mode 0600. Tell this OpenVPN profile to use it.
The profile also refers to the CA certificate and the CRL by bare filename, so point both at the copies in /etc/openvpn.
Finally, name the tunnel device tun3 so it does not collide with tun1 (the first PIA tunnel) or tun2 (the OpenVPN server).
Each sed replaces the whole directive so it keeps a single argument; a ca or crl-verify line with two paths is rejected by OpenVPN at startup.
export PROFILE='West'
sudo sed -i 's+^auth-user-pass.*$+auth-user-pass /etc/openvpn/login+' /etc/openvpn/${PROFILE}.conf
sudo sed -i 's+^ca .*$+ca /etc/openvpn/ca.rsa.2048.crt+' /etc/openvpn/${PROFILE}.conf
sudo sed -i 's+^crl-verify .*$+crl-verify /etc/openvpn/crl.rsa.2048.pem+' /etc/openvpn/${PROFILE}.conf
sudo sed -i 's+^dev tun$+dev tun3+' /etc/openvpn/${PROFILE}.conf
sudo chown root:root /etc/openvpn/login && sudo chmod 600 /etc/openvpn/login
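An added example, not code from the original page or from PIA, that performs the profile rewrite above on a copy and verifies the result before systemd ever sees it. It assumes this page's paths (/etc/openvpn/login, /etc/openvpn/ca.rsa.2048.crt, /etc/openvpn/crl.rsa.2048.pem); the embedded sample profile is constructed for the demo and its remote hostname is a placeholder, not a real PIA endpoint.

```sh
#!/bin/sh
# Added example, not from the original page: apply the profile edits to a
# PIA-style .conf and verify the result before handing it to systemd.
# Assumptions (from this page): credentials in /etc/openvpn/login and the
# CA/CRL copied to /etc/openvpn/. The sample profile below is constructed
# for the demo and is not a real PIA file.
set -eu

# Rewrite the profile at $1 in place: absolute paths, tun device $2.
# Each sed replaces the whole directive; appending with '&' would leave the
# relative filename in place and give the directive two arguments.
patch_profile() {
    f=$1; tun=$2
    sed -i \
        -e 's+^auth-user-pass.*$+auth-user-pass /etc/openvpn/login+' \
        -e 's+^ca .*$+ca /etc/openvpn/ca.rsa.2048.crt+' \
        -e 's+^crl-verify .*$+crl-verify /etc/openvpn/crl.rsa.2048.pem+' \
        -e "s+^dev tun\$+dev $tun+" \
        "$f"
}

# Sanity check: exactly one ca and one crl-verify line, the right tun name,
# the credential file, and remote-cert-tls server still present (without it
# any PIA client certificate would be accepted as the server's).
check_profile() {
    f=$1; tun=$2
    [ "$(grep -c '^ca ' "$f")" -eq 1 ] &&
    [ "$(grep -c '^crl-verify ' "$f")" -eq 1 ] &&
    grep -qx "dev $tun" "$f" &&
    grep -qx 'auth-user-pass /etc/openvpn/login' "$f" &&
    grep -qx 'ca /etc/openvpn/ca.rsa.2048.crt' "$f" &&
    grep -qx 'crl-verify /etc/openvpn/crl.rsa.2048.pem' "$f" &&
    grep -qx 'remote-cert-tls server' "$f"
}

# Constructed stand-in for a downloaded PIA profile (shape only, not real values).
sample_profile() {
    cat <<'EOF'
client
dev tun
proto udp
remote pia-west.example 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ
EOF
}

# Demo on a temporary copy. For the real file (as root):
#   patch_profile /etc/openvpn/West.conf tun3 && check_profile /etc/openvpn/West.conf tun3
demo() {
    tmp=$(mktemp)
    sample_profile > "$tmp"
    patch_profile "$tmp" tun3
    if check_profile "$tmp" tun3; then echo "profile ok"; else echo "profile rejected"; fi
    rm -f "$tmp"
}
demo
```

Run check_profile against the real file after every edit; a profile that fails it should not be started, since the most likely reasons (a duplicated ca line, a missing remote-cert-tls server) either stop OpenVPN or weaken its server authentication.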
Start New OpenVPN Tunnel
Start the new OpenVPN tunnel:
sudo systemctl start openvpn@West
Test OpenVPN Tunnel
Check that the new tunnel tun3 appears when you run ifconfig (or ip addr show tun3). If it does not, systemctl status openvpn@West and journalctl -u openvpn@West show why.
Use curl to get the IP address for a request that is forced to go through that tunnel:
curl --interface <ip-addr-of-tun3> -4 icanhazip.com
You should get an IP that is in the US West region. Instead, I got:
$ curl --interface <ip-addr-of-tun3> -4 icanhazip.com
curl: (45) bind failed with errno 99: Cannot assign requested address
Seems to be some kind of issue with two instances of PIA running at once.
The Fail Whale For The Second Time
▄████████████▄▐█▄▄▄▄█▌ █████▌▄▌▄▐▐▌██▌▀▀██▀▀ ███▄█▌▄▌▄▐▐▌▀██▄▄█▌ ▄▄▄▄█████████████
The two-tunnel setup does not work as written: with both PIA tunnels up, the second carried no traffic, and stopping it also took down the first. That is not an OpenVPN process limit; several OpenVPN clients can run on one host. The likely cause is routing. Each PIA server pushes a default route (redirect-gateway) into the main routing table, so the two tunnels contend for the same default routes, and the tunnel that exits removes routes the other one was relying on. The curl failure above (errno 99, EADDRNOTAVAIL) means the address passed to --interface was not assigned to any local interface at that moment; ip addr show tun3 tells you what the tunnel actually received. For two tunnels to coexist, each AP subnet needs its own routing table selected by an ip rule, so that neither depends on the pushed default route.
Iptables Modifications
Now that we have both our new AP (LAN30, wlan1:0) and our new VPN tunnel (tun3), we can configure iptables to forward packets between these two interfaces, alongside the existing wlan1-to-tun1 rules.
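The rules themselves, as an added example rather than the page's own iptables configuration. The subnets, AP and tunnel names (LAN10/tun1, LAN30/tun3) come from this page; the routing-table numbers 10 and 30, the rp_filter change, and matching clients by source subnet instead of by the wlan1:0 alias name are this example's assumptions. One function generates the same rule set for either AP, so the example covers both tunnels rather than only LAN30; it prints the commands by default and only runs them when invoked with apply as root, so the rule set can be reviewed first.

```sh
#!/bin/sh
# Added example, not from the original page: the per-AP forwarding and routing
# that lets LAN10 exit through tun1 and LAN30 through tun3 at the same time.
# Subnets, AP and tun names come from this page; the routing-table numbers
# (10, 30) and matching clients by source subnet rather than by the alias
# interface name are this example's assumptions.
set -eu

# Print (do not run) the commands that steer one AP subnet through one tunnel.
#   $1 = client subnet (CIDR)   $2 = tun device   $3 = routing table number
ap_tunnel_rules() {
    subnet=$1; tun=$2; table=$3
    # Replies arriving on this tunnel for client addresses fail strict
    # reverse-path filtering when the main table's default route points at
    # the other tunnel, so use loose mode on this device.
    echo "sysctl -q -w net.ipv4.conf.$tun.rp_filter=2"
    # Policy routing: packets *from* this subnet consult a table whose only
    # route is the tunnel. This sidesteps the pushed redirect-gateway default
    # route that both PIA tunnels otherwise fight over in the main table.
    echo "ip route replace default dev $tun table $table"
    echo "ip rule del from $subnet table $table 2>/dev/null || true"
    echo "ip rule add from $subnet table $table priority $table"
    # Forward client traffic into the tunnel, and only return traffic back out.
    echo "iptables -A FORWARD -s $subnet -o $tun -j ACCEPT"
    echo "iptables -A FORWARD -i $tun -d $subnet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # Kill switch: if the tunnel is down, drop rather than leak clients out LAN0.
    echo "iptables -A FORWARD -s $subnet ! -o $tun -j DROP"
    echo "iptables -t nat -A POSTROUTING -s $subnet -o $tun -j MASQUERADE"
}

# Run the generated commands (needs root). Usage: ap_tunnel_apply 192.168.30.0/24 tun3 30
ap_tunnel_apply() {
    ap_tunnel_rules "$@" | sh -e
}

if [ "${1:-}" = apply ]; then
    ap_tunnel_apply 192.168.10.0/24 tun1 10
    ap_tunnel_apply 192.168.30.0/24 tun3 30
else
    # Dry run: show the rule set for both APs on this page.
    ap_tunnel_rules 192.168.10.0/24 tun1 10
    ap_tunnel_rules 192.168.30.0/24 tun3 30
fi
```

The DROP rule is the security-relevant line: without it, a tunnel that drops (or never comes up) leaves clients of that AP falling back to whatever default route the main table holds, which may be LAN0 in the clear or the other AP's tunnel. Verify with ip rule show and ip route show table 30 after applying, and with curl -4 icanhazip.com from a LAN30 client rather than from the router, since the router's own traffic is not subject to these rules.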