With the Raspberry Pi you can create a Wi-Fi access point (AP) in a very short time. An AP that is set up to mimic a legitimate access point is also known as an Evil Twin or rogue access point.
The aim is to create a simple (open) access point using two Wi-Fi interfaces.
- eth0 (not used in this tutorial, but possible as well)
- wlan0 (Raspberry as STA, internet from Gateway)
- wlan1 (provide AP for STAs with network 192.168.0.1/24)
You should already have read (and successfully carried out) the following tutorials.
Install the following packages (or ensure they are installed).
# update system (optional)
$ sudo apt update -y && sudo apt upgrade -y
# install optional packages (optional)
$ sudo apt install -y vim net-tools wireless-tools
# install needed packages
$ sudo apt install -y iptables dhcpcd5 dnsmasq hostapd
# backup default dhcpcd configuration (optional)
$ sudo mv /etc/dhcpcd.conf /etc/dhcpcd.conf.bak
# modify dhcpcd configuration
$ sudo vim /etc/dhcpcd.conf
Uncomment and/or add the following lines in the /etc/dhcpcd.conf configuration file.
# interface configuration
interface wlan1
# static IP (CIDR)
static ip_address=192.168.0.1/24
# don't call the wpa_supplicant hook
nohook wpa_supplicant
# don't send DHCP requests to interface (optional)
# denyinterfaces eth0
Note: read this manual page for more information.
# restart dhcpcd service
$ sudo systemctl restart dhcpcd
# check status of dhcpcd service (optional)
$ sudo systemctl status dhcpcd
# backup default dnsmasq configuration (optional)
$ sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.bak
# modify dnsmasq configuration
$ sudo vim /etc/dnsmasq.conf
Add the following lines in the /etc/dnsmasq.conf configuration file.
# listen for DHCP/DNS requests only on specified interfaces
interface=wlan1
# disable DHCP/TFTP on interface
no-dhcp-interface=wlan0
# supply the range of addresses available for lease and lease time
dhcp-range=192.168.0.100,192.168.0.200,255.255.255.0,24h
# DNS
dhcp-option=option:dns-server,192.168.0.1
# enable logging (optional)
log-queries
log-dhcp
log-facility=/tmp/dnsmasq.log
# upstream DNS server addresses
server=8.8.8.8
# do not read hosts file (optional)
# no-hosts
# do not read resolv.conf file (optional)
# no-resolv
# set the cachesize (optional)
# cache-size=150
Note: read this manual page for more information.
# verify dnsmasq configuration (optional)
$ sudo dnsmasq --test -C /etc/dnsmasq.conf
# restart dnsmasq service
$ sudo systemctl restart dnsmasq
# enable dnsmasq service
$ sudo systemctl enable dnsmasq
# check status of dnsmasq service (optional)
$ sudo systemctl status dnsmasq
Later, once everything works, you can read the dnsmasq log file (if logging is enabled).
# read log file (optional)
$ sudo tail -f /tmp/dnsmasq.log
# create hostapd configuration
$ sudo vim /etc/hostapd/hostapd.conf
Add the following lines in the /etc/hostapd/hostapd.conf configuration file. The SSID in my example is WuTangLan; change it to suit your needs.
# interface
interface=wlan1
# SSID
ssid=WuTangLan
# Channel (optional)
# default: 0, i.e., not set
channel=6
# operation mode
# a = IEEE 802.11a (5 GHz)
# b = IEEE 802.11b (2.4 GHz)
# g = IEEE 802.11g (2.4 GHz)
# ad = IEEE 802.11ad (60 GHz)
# a/g = IEEE 802.11n (HT)
hw_mode=g
# maximum number of stations allowed (optional)
max_num_sta=100
# country code
country_code=CH
# station MAC address -based authentication
# 0 = accept unless in deny list
# 1 = deny unless in accept list
# 2 = use external RADIUS server (accept/deny lists are searched first)
macaddr_acl=0
# send empty SSID in beacons and ignore probe request frames
# 0 = disabled
# 1 = send empty
# 2 = clear SSID but keep the original length
ignore_broadcast_ssid=0
Note: read this manual page for more information.
Change the file permissions, test the configuration and modify the hostapd init script.
# change file permissions
$ sudo chmod 600 /etc/hostapd/hostapd.conf
# test hostapd configuration (optional)
$ sudo hostapd -dd /etc/hostapd/hostapd.conf
# modify hostapd init script
$ sudo vim /etc/default/hostapd
Modify the following lines in the /etc/default/hostapd init script.
RUN_DAEMON=yes
DAEMON_CONF="/etc/hostapd/hostapd.conf"
# unmasking hostapd service
$ sudo systemctl unmask hostapd
# start hostapd service
$ sudo systemctl start hostapd
# enable hostapd service
$ sudo systemctl enable hostapd
# check status of hostapd service (optional)
$ sudo systemctl status hostapd
The default log location is /var/log/syslog.
# read log file (optional)
$ sudo tail -f /var/log/syslog
# read log file and pipe through grep (optional)
$ sudo tail -f /var/log/syslog | grep hostapd
# backup default sysctl configuration (optional)
$ sudo mv /etc/sysctl.conf /etc/sysctl.conf.bak
# modify sysctl configuration
$ sudo vim /etc/sysctl.conf
Add the following lines in the /etc/sysctl.conf configuration file.
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Add new iptables rules, save them, and restore them at boot.
# add new iptables rules
$ sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
$ sudo iptables -A FORWARD -i wlan0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -i wlan1 -o wlan0 -j ACCEPT
# save iptables firewall rules permanently
$ sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
# modify rc.local
$ sudo vim /etc/rc.local
Add the iptables restore command so that it runs at startup (add it before exit 0).
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# Print the IP address
_IP=$(hostname -I) || true
if [ "$_IP" ]; then
  printf "My IP address is %s\n" "$_IP"
fi
iptables-restore < /etc/iptables.ipv4.nat
exit 0
Restart the Raspberry Pi and verify that STAs can connect to your AP (incl. internet connection).
# reboot system
$ sudo reboot
If something doesn't work, the following commands will help. Also check your configuration files again! Sometimes errors creep into the IP addresses.
# show IP addresses of specific interfaces
$ ip -4 addr show dev wlan0
$ ip -4 addr show dev wlan1
$ iw phy phy0 info
$ iw phy phy1 info
# show route
$ route
# or
$ ip route list
# show status of specific services
$ systemctl status hostapd
$ ps ax | grep hostapd
$ systemctl status dnsmasq
$ ps ax | grep dnsmasq
$ systemctl status dhcpcd
$ ps ax | grep dhcpcd
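The three configuration files above must agree on the AP interface and subnet. The following script is an added example, not part of the original tutorial: it checks that the dhcp-range in dnsmasq.conf lies inside the static subnet from dhcpcd.conf and that all three files name the same interface. The function names and the sample files it writes are constructed for illustration, and it assumes a single interface block in dhcpcd.conf.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: cross-check addresses and
# interface names across dhcpcd.conf, dnsmasq.conf and hostapd.conf.
# Assumes one interface block and a dhcp-range that begins with the start address.

conf_value() {  # conf_value PREFIX FILE: rest of the first active line starting with PREFIX
    sed -n "s/^[[:space:]]*$1//p" "$2" | head -n 1
}

ip2int() {  # dotted quad -> integer
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) + (b << 16) + (c << 8) + d )); }
}

check_ap_config() {  # prints one line per mismatch, nothing when consistent
    dhcpcd=$1; dnsmasq=$2; hostapd=$3
    cidr=$(conf_value 'static ip_address=' "$dhcpcd")   # e.g. 192.168.0.1/24
    range=$(conf_value 'dhcp-range=' "$dnsmasq")        # start,end,netmask,lease
    case $cidr in */*) ;; *) echo "no static ip_address in CIDR form"; return 0 ;; esac
    if [ -z "$range" ]; then echo "no dhcp-range in dnsmasq.conf"; return 0; fi
    ap_ip=${cidr%/*}; prefix=${cidr#*/}; size=$(( 1 << (32 - prefix) ))
    net=$(( $(ip2int "$ap_ip") / size * size ))          # network address
    rest=${range#*,}
    for addr in "${range%%,*}" "${rest%%,*}"; do         # range start and end
        n=$(ip2int "$addr")
        if [ "$n" -le "$net" ] || [ "$n" -ge $(( net + size - 1 )) ]; then
            echo "dhcp-range address $addr is outside $cidr"
        fi
    done
    ap_if=$(conf_value 'interface=' "$hostapd")
    for pair in "dhcpcd.conf:$(conf_value 'interface ' "$dhcpcd")" \
                "dnsmasq.conf:$(conf_value 'interface=' "$dnsmasq")"; do
        if [ "${pair#*:}" != "$ap_if" ]; then
            echo "${pair%%:*} uses interface '${pair#*:}', hostapd.conf uses '$ap_if'"
        fi
    done
    return 0
}

write_sample() {  # write_sample DIR DHCP_END DNSMASQ_IF: constructed config files
    printf 'interface wlan1\nstatic ip_address=192.168.0.1/24\n' > "$1/dhcpcd.conf"
    printf 'interface=%s\ndhcp-range=192.168.0.100,%s,255.255.255.0,24h\n' "$3" "$2" > "$1/dnsmasq.conf"
    printf 'interface=wlan1\nssid=WuTangLan\n' > "$1/hostapd.conf"
}

demo=$(mktemp -d)
write_sample "$demo" 192.168.1.200 wlan1    # constructed typo in the range end
check_ap_config "$demo/dhcpcd.conf" "$demo/dnsmasq.conf" "$demo/hostapd.conf"
rm -r "$demo"
```

On the Raspberry Pi itself, call it as check_ap_config /etc/dhcpcd.conf /etc/dnsmasq.conf /etc/hostapd/hostapd.conf.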
Please also note that the tutorial did not go into more depth on security (e.g. OS hardening, firewall, etc.)!
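From the defender's side, an open AP that reuses the SSID of a protected network (the Evil Twin case mentioned at the start) shows up in a scan as one SSID advertised both with and without an RSN/WPA element. The following added example, not part of the original tutorial, parses the output of `iw dev <interface> scan` for that pattern. The function names and the scan sample are constructed, and only the open-clone case is covered.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: flag SSIDs that a scan
# shows as both open and protected. Reads `iw dev <interface> scan` output on stdin.

twin_candidates() {  # prints "SSID: open <bssids> | protected <bssids>"
    awk '
        function record() {
            if (bssid == "" || ssid == "") return            # nothing parsed yet, or hidden SSID
            if (protected) enc_ap[ssid]  = enc_ap[ssid]  " " bssid
            else           open_ap[ssid] = open_ap[ssid] " " bssid
        }
        /^BSS /             { record(); bssid = substr($2, 1, 17); ssid = ""; protected = 0; next }
        /^[ \t]*SSID: /     { sub(/^[ \t]*SSID: /, ""); ssid = $0; next }
        /^[ \t]*(RSN|WPA):/ { protected = 1 }                # RSN or WPA element present
        END {
            record()
            for (s in open_ap)
                if (s in enc_ap) print s ": open" open_ap[s] " | protected" enc_ap[s]
        }
    '
}

sample_scan() {  # constructed scan output: a WPA2 AP and an open AP sharing one SSID
    printf 'BSS 02:00:00:00:00:01(on wlan0)\n\tfreq: 2437\n\tSSID: WuTangLan\n\tRSN:\t * Version: 1\n'
    printf 'BSS 02:00:00:00:00:02(on wlan0)\n\tfreq: 2437\n\tSSID: WuTangLan\n'
    printf 'BSS 02:00:00:00:00:03(on wlan0)\n\tfreq: 2412\n\tSSID: CoffeeShop\n'
}

sample_scan | twin_candidates
```

Against a live scan, pipe the output of sudo iw dev wlan0 scan into twin_candidates.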