From charlesreid1

▄████████████▄▐█▄▄▄▄█▌
█████▌▄▌▄▐▐▌██▌▀▀██▀▀
███▄█▌▄▌▄▐▐▌▀██▄▄█▌
▄▄▄▄█████████████

We are going to extend the wifi card configuration so that one card broadcasts two access points, and the same procedure scales to more networks on more cards.

Hostapd Modifications

Modify the hostapd configuration file to define a second access point. hostapd calls each access point a BSS: the global parameters (interface, driver, hw_mode, channel) are shared, and the parameters that follow a bss= line apply to that BSS only, so both networks run on the same radio and channel.

You will also need to specify a MAC address (the BSSID) for the second access point to use; it must differ from the first one. Just bump the last octet by one. Keep the address unique on the card and, if you make one up rather than deriving it from the card's own address, set the locally administered bit in the first octet so it cannot collide with a vendor-assigned address. Give the second network its own SSID and passphrase as well.

/etc/hostapd/hostapd.conf

interface=wlan1
driver=nl80211
hw_mode=g
channel=1
macaddr_acl=0
ignore_broadcast_ssid=0

# First LAN (parameters before the first bss= line belong to the first BSS)
ssid=YOURNETWORKNAMEHERE
auth_algs=1
# wpa=2 is WPA2 only; wpa=3 would also accept WPA1/TKIP clients
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=YOURPASSPHRASEHERE
bssid=00:11:22:33:44:55

# Second LAN (everything after bss= applies to the new interface wlan1b)
bss=wlan1b
ssid=YOURSECONDNETWORKNAMEHERE
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=YOURSECONDPASSPHRASEHERE
bssid=00:11:22:33:44:56

Note that the bss parameter is the name of the new network interface that will show up. hostapd creates wlan1b as a virtual interface on the same radio when it starts, so the interface does not exist until hostapd is running (which matters for anything that tries to configure it at boot), and the driver must allow more than one AP interface on the card: check the "valid interface combinations" block in the output of iw list.
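Before adding the second bss= it is worth confirming that the driver can run two AP interfaces at once and that the BSSIDs you picked are sane. The script below is an added example, not code from the original page: it parses the "valid interface combinations" block of iw list for the AP limit and derives the next BSSID by bumping the last octet, the rule used above. The iw list excerpts embedded in it are constructed samples, not captures from a real card; on the Pi you would pipe the real iw list output into max_ap_count.

```shell
#!/bin/bash
# Added example (not from the original page): pre-flight checks before adding
# a second BSS to hostapd.conf.
set -eu

# Constructed samples of `iw list` output (not captured from real hardware),
# trimmed to the part the check reads: an ath9k-style card that allows several
# APs, and a card that allows only one.
SAMPLE_IW_LIST_MULTI='Wiphy phy1
        valid interface combinations:
                 * #{ managed, WDS, P2P-client } <= 2048, #{ AP, mesh point, P2P-GO } <= 8,
                   total <= 2048, #channels <= 1'
SAMPLE_IW_LIST_SINGLE='Wiphy phy0
        valid interface combinations:
                 * #{ managed } <= 1, #{ AP, P2P-client, P2P-GO } <= 1, #{ P2P-device } <= 1,
                   total <= 3, #channels <= 2'

# max_ap_count: read iw list output on stdin and print the largest number of
# simultaneous AP interfaces that any combination entry allows (0 if no entry
# includes AP). A second bss= needs this to be at least 2.
max_ap_count() {
    n=$(grep -oE '#\{[^}]*[ ,]AP[ ,][^}]*\} <= [0-9]+' \
        | sed -E 's/.*<= //' | sort -n | tail -n 1)
    printf '%s\n' "${n:-0}"
}

# next_bssid: derive the BSSID for the next BSS from the previous one by
# bumping the last octet. Fails on a malformed address, on a multicast address
# (low bit of the first octet set) and when the last octet would wrap past ff.
next_bssid() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) echo "next_bssid: bad MAC address: $1" >&2; return 1 ;;
    esac
    first=$((0x${mac%%:*}))
    last=$((0x${mac##*:}))
    if [ $((first & 1)) -ne 0 ]; then
        echo "next_bssid: $1 is a multicast address" >&2; return 1
    fi
    if [ "$last" -ge 255 ]; then
        echo "next_bssid: last octet of $1 would wrap; pick another base" >&2; return 1
    fi
    printf '%s:%02x\n' "${mac%:*}" $((last + 1))
}

# Usage on the Pi: ./preflight.sh check 00:11:22:33:44:55 2
if [ "${1:-}" = "check" ]; then
    base=${2:?base BSSID required}
    wanted=${3:-2}
    supported=$(iw list | max_ap_count)
    if [ "$supported" -lt "$wanted" ]; then
        echo "driver advertises at most $supported AP interface(s); need $wanted" >&2
        exit 1
    fi
    echo "driver advertises $supported AP interface(s); next BSSID: $(next_bssid "$base")"
fi
```

A result below 2 from iw list | max_ap_count means the driver does not advertise support for a second AP interface, and no amount of editing hostapd.conf will make wlan1b come up.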

Dnsmasq Modifications

The dnsmasq configuration file can handle multiple interfaces; just list them, one interface per line. Each interface needs its own static address in a separate subnet and a dhcp-range inside that subnet, because dnsmasq picks the pool by the subnet of the interface a request arrives on. Since wlan1b only appears once hostapd is up, also set bind-dynamic so that dnsmasq picks the interface up when it appears instead of failing with an unknown-interface error at startup:

/etc/dnsmasq.conf

interface=wlan1
interface=wlan1b
...

iptables rules

There are a few choices for how you can set up iptables.

You can run traffic for each wifi network through the same VPN tunnel, in which case you create iptables rules that forward traffic from the new network interface wlan1b to the OpenVPN tunnel device tun0 and masquerade it there.

Alternatively, you can create a second VPN tunnel and route the second AP's traffic through the second tunnel.

Two APs One Tunnel

To set up the APs to share the same OpenVPN tunnel (useful for troubleshooting), use the following script:

#!/bin/bash
set -e

## start by flushing all rules and setting defaults
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
# forward nothing by default: AP clients may only leave through the tunnel,
# so if tun0 goes down they lose connectivity instead of leaking out eth0,
# and the two APs cannot reach each other's clients
sudo iptables -P FORWARD DROP

# accept all traffic coming in from tunnel
# (redundant while the INPUT policy is ACCEPT; narrow it with
#  -m state --state ESTABLISHED,RELATED if the VPN side should not be
#  able to reach services on the Pi)
sudo iptables -A INPUT -i tun0 -j ACCEPT

# masquerade everything leaving through the tunnel (one rule covers both APs)
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

# set forwarding rules for the VPN tunnel, one pair per AP interface
DEVICES="wlan1 wlan1b"
for DEV in $DEVICES; do
    sudo iptables -A FORWARD -i ${DEV} -o tun0 -j ACCEPT
    sudo iptables -A FORWARD -i tun0 -o ${DEV} -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# make rules persistent (needs the iptables-persistent package)
sudo netfilter-persistent save

Two APs Two Tunnels

Start by preparing a new OpenVPN profile file. Coming back to the PIA example, we modify one of the OpenVPN profile files to work:
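Once the second profile is in place and brings up its own tun device, the second AP's clients still have to be steered into that tunnel rather than tun0, which the main routing table keeps using. The script below is an added example and not the page's own code. It assumes hypothetical names: wlan1b holds the static address 10.0.1.1/24, the second OpenVPN instance comes up as tun1, and that instance runs with route-nopull (or pull-filter ignore "redirect-gateway") so it does not replace the default route installed by the first tunnel. The FORWARD policy is assumed to be DROP, as in the one-tunnel script above.

```shell
#!/bin/bash
# Added example (not from the original page): send the second AP's clients
# through a second OpenVPN tunnel with source-based policy routing.
set -eu

# run: execute a command, or only print it when DRY_RUN=1 so the rule set
# can be reviewed (and tested) without root or the interfaces present.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# route_second_ap AP_IF AP_NET TUN_IF TABLE [OTHER_TUN]
# Packets whose source is AP_NET are looked up in a dedicated routing table
# whose only route is TUN_IF; forwarding is opened only between AP_IF and
# TUN_IF, and AP_IF is explicitly kept out of OTHER_TUN (default tun0).
route_second_ap() {
    ap_if=$1; ap_net=$2; tun_if=$3; table=$4; other_tun=${5:-tun0}

    # Dedicated table: default route via the second tunnel only.
    run ip route replace default dev "$tun_if" table "$table"
    # Source-based rule (remove a stale copy first so re-runs stay idempotent).
    run ip rule del from "$ap_net" lookup "$table" priority 100 2>/dev/null || true
    run ip rule add from "$ap_net" lookup "$table" priority 100
    run ip route flush cache

    # Replies arrive on tun1 although the main table would route the client
    # subnet elsewhere; strict reverse-path filtering would drop them, so use
    # loose mode (2).
    run sysctl -w net.ipv4.conf.all.rp_filter=2
    run sysctl -w "net.ipv4.conf.$tun_if.rp_filter=2"

    # NAT on the second tunnel, forwarding only between AP_IF and TUN_IF.
    run iptables -t nat -A POSTROUTING -s "$ap_net" -o "$tun_if" -j MASQUERADE
    run iptables -A FORWARD -i "$ap_if" -o "$tun_if" -j ACCEPT
    run iptables -A FORWARD -i "$tun_if" -o "$ap_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Inserted at the top so it beats any AP_IF -> tun0 ACCEPT left over from
    # the one-tunnel script: the second AP must never leak through tun0.
    run iptables -I FORWARD 1 -i "$ap_if" -o "$other_tun" -j DROP
}

# Usage: sudo ./second-tunnel.sh apply     (DRY_RUN=1 ./second-tunnel.sh apply
# prints the commands instead of running them)
if [ "${1:-}" = "apply" ]; then
    route_second_ap wlan1b 10.0.1.0/24 tun1 200
fi
```

The table number and rule priority are arbitrary. If you would rather select on the ingress interface than on the source subnet, replace the ip rule with a MARK target in the mangle PREROUTING chain and an ip rule add fwmark rule. Note that netfilter-persistent only saves the iptables part; the ip rule and ip route entries have to be re-applied after a reboot, for example from the second tunnel's OpenVPN up script.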

Giving Up

I am being driven crazy... I cannot, cannot, cannot for the life of me get the second wifi AP network device to get assigned a static IP address when the device comes up.

The problem is happening in the way the udev ifupdown-hotplug service is being invoked, there is an $INTERFACE variable that is not defined but is supposed to be. I'm guessing it's a bug in how hostapd brings up a second network device. I found zero other people with this problem. Lucky me!

In the future, I would like to try this again. I think it would work better if we had an existing network device, wlan1b, that was available at boot. But I just don't know.