How to set up an Access Point

This article might be entitled “How to convert an $800 laptop into a $40 wireless router”, which indicates why doing this might not be desirable. There are, however, at least two cases where this might make sense: (1) You want to provide or test some feature that is not supplied by your AP. One example is 802.11a (5 GHz) channels. (2) Your need for an AP is temporary, such as network sharing of a 3G broadband modem.

To accomplish the task, several pieces of software will be needed, including hostapd, a DHCP server for the AP’s clients, and iptables rules for Network Address Translation (NAT). The requirements for these are discussed in turn.

I. Hostapd

Hostapd runs in user space and interacts with the device driver to handle most of the things that an AP does, such as transmitting of beacons, authentication, etc. The version included with the “hostapd” package of openSUSE 11.1 (0.5.10) works with a limited number of devices and drivers. For modern drivers that use mac80211, a newer version is needed, which can be downloaded from hostapd: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator. Building this will require that the make, libnl, libnl-devel, openssl-devel and gcc packages are installed. I recommend installing the package from the repository and then doing a download, make and install of the later version. If your kernel is older than 2.6.28 (check uname -r), then you will need the compat-wireless code that is downloaded from Download - Linux Wireless. For this option, you will also need to install the kernel source, and prepare it for use. To prepare the source, issue the following commands:


cd /usr/src/linux
sudo cp /proc/config.gz .
sudo gunzip config.gz
sudo cp config .config
sudo make prepare

Configuration of hostapd is accomplished with a configuration file named hostapd.conf. There are a number of options in that file, but a working AP with WPA2 encryption can be set up with the following:


interface=wlan0
driver=nl80211
hw_mode=g
channel=1
ssid=test
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=123456789

II. Dhcpd

The standard dhcpd package in openSUSE 11.1 works just fine. To use it, you need to modify its configuration file dhcpd.conf. Again, there are a number of options available, but you can get a working DHCP server with the following:


option domain-name-servers 192.168.1.1;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none; ddns-updates off;
subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.200 192.168.0.229;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.0.255;
        option routers 192.168.0.1;
}

The above configuration assumes that the AP will be connected to the outside world with an IP address of 192.168.1.X and that the AP’s clients will have addresses 192.168.0.X. If other addresses are used, adjust the above info accordingly.

III. Iptables Network Address Translation rules

For this example, the NAT rules will be only those necessary to get the AP operational. Although iptables is used to write firewalls, the only protection in this code is to allow only established connections. The rules are shown in the script below.

IV. A script to start and stop the Access Point

The following code will start and stop the AP. To make any changes easier, the locations of the various utilities, the interface names, and the IP address to be used are defined by symbols at the start of the script. I also use configuration files that are stored in root’s home directory, not in /etc as would normally be done. This script must be executable and be run as root.


#!/bin/sh
# Script to start/stop a hostapd-based access point
#
# Symbols for needed programs

IPTABLES=/usr/sbin/iptables
IFCONFIG=/sbin/ifconfig
DHCPD=/usr/sbin/dhcpd
HOSTAPD=/usr/local/bin/hostapd

# Symbols for internal and external interfaces

NET_INT=wlan0
NET_EXT=eth0

# IP address for the AP

INT_ADDR=192.168.0.1

case "$1" in
start)
        echo "Starting AP mode for $NET_INT at address $INT_ADDR"
        # Disable packet forwarding
        echo 0 > /proc/sys/net/ipv4/ip_forward
        # Stop any existing hostapd and dhcpd daemons
        killproc hostapd
        killproc dhcpd
        #Set up forwarding
        $IPTABLES -t nat -A POSTROUTING -o $NET_EXT -j MASQUERADE
        $IPTABLES -A FORWARD -i $NET_EXT -o $NET_INT -m state \
		--state RELATED,ESTABLISHED -j ACCEPT
        $IPTABLES -A FORWARD -i $NET_INT -o $NET_EXT -j ACCEPT
        # Enable packet forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # Get the internal interface in the right state
        $IFCONFIG $NET_INT down
        $IFCONFIG $NET_INT up
        $IFCONFIG $NET_INT $INT_ADDR
        # dhcpd needs to have a leases file available - create it if needed
        if [ ! -f /var/lib/dhcp/db/dhcpd.leases ]; then
                touch /var/lib/dhcp/db/dhcpd.leases
        fi
        # Bring up the DHCP server
        $DHCPD -cf /root/dhcpd.conf $NET_INT
        # Bring up hostapd
        $HOSTAPD -B /root/hostapd.conf
        ;;
stop)
        echo "Stopping AP mode on $NET_INT"
        # Stop hostapd and dhcpd daemons
        killproc hostapd
        killproc dhcpd
        ;;
*)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac
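
An added example, not part of the original howto: a small audit of the WPA settings in a hostapd.conf like the one in section I, whose sample passphrase (123456789) is digits only and is stored in clear text in the file. The function names and the temporary sample file are constructed for illustration, and a passphrase-based setup is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit hostapd.conf WPA settings.
# Assumes a passphrase-based setup (wpa_passphrase), as in section I.

# conf_get FILE KEY: print the last value assigned to KEY (key=value lines).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# audit_hostapd_conf FILE: print one finding per line; return 1 if any.
audit_hostapd_conf() {
    conf=$1
    rc=0
    note() { echo "$conf: $1"; rc=1; }

    wpa=$(conf_get "$conf" wpa)
    mgmt=$(conf_get "$conf" wpa_key_mgmt)
    # WPA2 uses rsn_pairwise, which defaults to the wpa_pairwise value.
    pairwise=$(conf_get "$conf" rsn_pairwise)
    [ -n "$pairwise" ] || pairwise=$(conf_get "$conf" wpa_pairwise)
    pass=$(conf_get "$conf" wpa_passphrase)

    # wpa is a bit field: 1 = WPA, 2 = WPA2, 3 = both.
    [ "$wpa" = 2 ] || note "wpa=${wpa:-unset}, expected 2 (WPA2 only)"
    [ -n "$mgmt" ] || note "wpa_key_mgmt is not set"
    case " $pairwise " in
        *" TKIP "*) note "pairwise ciphers include TKIP, use CCMP only" ;;
        "  ")       note "no pairwise cipher is set" ;;
    esac

    # A WPA passphrase must be 8 to 63 characters long.
    len=${#pass}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        note "wpa_passphrase has $len characters, WPA needs 8 to 63"
    else
        case $pass in
            *[!0-9]*) ;;
            *) note "wpa_passphrase is digits only and easily guessed" ;;
        esac
    fi

    # The passphrase is stored in clear text: keep the file private.
    [ -z "$(find "$conf" -perm -004)" ] || note "file is world-readable"
    return $rc
}

# Constructed sample: the WPA-related lines of the hostapd.conf from section I.
sample=$(mktemp)
cat > "$sample" <<'EOF'
interface=wlan0
driver=nl80211
ssid=test
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=123456789
EOF
audit_hostapd_conf "$sample" || echo "fix the findings above before use"
rm -f "$sample"
```

To check a real file, call audit_hostapd_conf with its path, for example /root/hostapd.conf as used by the script above.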

Hi Larry,
Yes, This is JUST what I was hoping for. Thank you.
Now, this is not nit-picking - it just highlights my ignorance in this area!

After your Code: section describing “To prepare the source, . .” you move on to discussing the configuration of hostapd.conf. I seem to remember that in a thread in “another place”, after the download of hostapd-0.6.6, I needed to unzip it and run “make”. Is that still necessary? Can you take me through that step. And again, I assume that the hostapd.conf that you talk about is the one in the unpacked hostapd-0.6.8 eg. ./hostapd-0.6.8/hostapd/hostapd.conf?

~Martin

martinprowe wrote:
> Hi Larry,
> Yes, This is JUST what I was hoping for. Thank you.
> Now, this is not nit-picking - it just highlights my ignorance in this
> area!
>
> After your Code: section describing “-To prepare the source, . .-” you
> move on to discussing the configuration of hostapd.conf. I seem to
> remember that in a thread in “another place”, after the download of
> hostapd-0.6.6, I needed to unzip it and run “make”. Is that still
> necessary? Can you take me through that step. And again, I assume that
> the hostapd.conf that you talk about is the one in the unpacked
> hostapd-0.6.8 eg. ./hostapd-0.6.8/hostapd/hostapd.conf?

Whenever you download a file that has a name like …tar.gz, or …tgz, it is a
gzipped tar archive. You unpack it with ‘tar zxvf <filename>’. If it has a name
like …tar.bz2, it is unpacked with ‘tar jxvf <filename>’. Once it is
unpacked, you then cd to the appropriate directory and run make. These steps are
necessary to build from source, no matter what program is being built.

The hostapd.conf in the unpacked sources is a template for the one you need. As
stated in my howto, this file should be modified as needed for your AP, then it can
be put wherever you want it.

Thank you Larry,
Okay. Got that. More questions, however!
Why would I want to put the hostapd.conf file anywhere?

What will/can I see/do to confirm that the new hostapd-0.6.8 is installed correctly after running “make”? The YaST | Software Manager still only reports hostapd version 0.5.10-18?

If I do not want to obfuscate the issue by binding the wlan0 to the DHCP server as in your script in section IV, can you advise on how to just start/stop/configure the wlan0 AP? There are only two executables in the hostapd directory. Are these useful?

A very appreciative, ~Martin

PS - If all this is getting too much for you (Minefields? Ring any bells?), can you advise on what hardware SuSE 11.1 CAN use as an AP, and I’ll just go and buy one of them!!!

martinprowe wrote:
> lwfinger;1961162 Wrote:
>> As stated in my howto, this file should be modified as needed for your AP,
>> then it can be put wherever you want it.
>
> Thank you Larry,
> Okay. Got that. More questions, however!
> Why would I want to put the hostapd.conf file anywhere?

Because you need it and it has to go somewhere. If you are asking why not put it
in /etc, that would be a matter of preference.

> What will/can I see/do to confirm that the new hostapd-0.6.8 is
> installed correctly after running “make”? The YaST | Software Manager
> still only reports hostapd version 0.5.10-18?

Run ‘hostapd -v’. Incidentally, either a -v or a --version switch is the most
common way to get version information from any utility. When you modify a
program outside Software Manager, it has no idea what you have done. You could
always create an rpm for the new code and install it that way, but I think this
is more trouble than it is worth.

> If I do not want to obfuscate the issue by binding the wlan0 to the
> DHCP server as in your script in section IV, can you advise on how to
> just start/stop/configure the wlan0 AP? There are only two executables
> in the hostapd directory. Are these useful?

You can delete the part of the script that deals with setting up the DHCP
server; however, you will also need to assign a unique address in your LAN to
the wlan0 interface and modify the iptables rules to not do masquerading. Unless
you know what you are doing, you will have less trouble if you use all of my script.

The two executables are hostapd, which is the program that controls the AP, and
hostapd_cli - a command-line interface to control hostapd. I don’t use the
latter program, but the former is absolutely essential.

Dho . . . This is getting me down!


router:/home/remote/hostapd-0.6.8/hostapd # tar zxvf hostapd-0.6.8
/**
* End of unzip
**/
dhostapd-0.6.8/src/wps/wps_i.h
hostapd-0.6.8/src/wps/wps_registrar.c
hostapd-0.6.8/src/wps/wps_upnp.c
hostapd-0.6.8/src/wps/wps_upnp.h
hostapd-0.6.8/src/wps/wps_upnp_event.c
hostapd-0.6.8/src/wps/wps_upnp_i.h
hostapd-0.6.8/src/wps/wps_upnp_ssdp.c
hostapd-0.6.8/src/wps/wps_upnp_web.c
router:/home/remote # cd hostapd-0.6.8/hostapd
router:/home/remote/hostapd-0.6.8/hostapd # vi .config
router:/home/remote/hostapd-0.6.8/hostapd # make
cc -MMD -O2 -Wall -g -DHOSTAPD_DUMP_STATE -I../src -I../src
/**
* First and last lines from "make"
**//
cc -o hostapd_cli hostapd_cli.o ../src/common/wpa_ctrl.o ../src/utils/os_unix.o
router:/home/remote/hostapd-0.6.8/hostapd # hostapd -v
hostapd v0.5.10   <<<====================================  Dho . . . .!!!!!
User space daemon for IEEE 802.11 AP management,
IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
Copyright (c) 2002-2008, Jouni Malinen <j@w1.fi> and contributors
router:/home/remote/hostapd-0.6.8/hostapd #

Any advice? ~Martin

Did you also install the new hostapd after building it?

Doesn’t look like it.

Also remove old hostapd-package with YaST/zypper.

(In your last thread I linked you ready made packages for hostapd and your wireless driver, but you chose to ignore that.)

martinprowe wrote:
> lwfinger;1961536 Wrote:
>> Run ‘hostapd -v’.
>
> Dho . . . This is getting me down!
>
>
> Code:
> --------------------
>
> router:/home/remote/hostapd-0.6.8/hostapd # tar zxvf hostapd-0.6.8
> /**
> * End of unzip
> **/
> dhostapd-0.6.8/src/wps/wps_i.h
> hostapd-0.6.8/src/wps/wps_registrar.c
> hostapd-0.6.8/src/wps/wps_upnp.c
> hostapd-0.6.8/src/wps/wps_upnp.h
> hostapd-0.6.8/src/wps/wps_upnp_event.c
> hostapd-0.6.8/src/wps/wps_upnp_i.h
> hostapd-0.6.8/src/wps/wps_upnp_ssdp.c
> hostapd-0.6.8/src/wps/wps_upnp_web.c
> router:/home/remote # cd hostapd-0.6.8/hostapd
> router:/home/remote/hostapd-0.6.8/hostapd # vi .config
> router:/home/remote/hostapd-0.6.8/hostapd # make
> cc -MMD -O2 -Wall -g -DHOSTAPD_DUMP_STATE -I../src -I../src
> /**
> * First and last lines from "make"
> **//
> cc -o hostapd_cli hostapd_cli.o ../src/common/wpa_ctrl.o ../src/utils/os_unix.o
> router:/home/remote/hostapd-0.6.8/hostapd # hostapd -v
> hostapd v0.5.10 <<<==================================== Dho . . . .!!!
> User space daemon for IEEE 802.11 AP management,
> IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
> Copyright (c) 2002-2008, Jouni Malinen <j@w1.fi> and contributors
> router:/home/remote/hostapd-0.6.8/hostapd #
> --------------------
>
>
> Any advice? ~Martin

Yes. Running make only builds the new program in a directory that belongs to
you. To get it where it will be executed, you need to install it. Normally, this
would be done with a ‘sudo make install’ as you need root privilege. In this
case, use the command


sudo cp hostapd /usr/sbin/.

Now ‘hostapd -v’ will give you 0.6.8.

Yppeee . . . Yes, it does. But only if I switch to root - is that okay?

I guess I need to get your Sect. IV script to run next? But that is for another night. But I think I will have to try and do it step-by-step because I already have DHCP, DNS & mail servers running on my LAN. I just need the AP to eth0 bridge.

Thank you, once again Larry for your help, ~Martin

Hello Akoellh,

How can I have two hostapd installations? Hasn’t the new one overwritten the old one (as Larry has pointed out, YaST knows nothing about what has been going-on outside of its scope)? Or should I have removed 0.5.10 first?

(In your last thread I linked you ready made packages for hostapd and your wireless driver, but you chose to ignore that.)

I’m sorry that it seems that I have ignored your help. However, as you now know, I am not able to understand such cryptic advice as this:
Creating an Access Point in 11.1 - Page 2 - openSUSE Forums
It sounds that, if I knew what you were telling me, it would have made my task easier? If you could take a moment or two to be a little more verbose, I’m sure I would benefit greatly from your help.

Looking forward to hearing from you, ~Martin

  • Add the repository (URL was given) via YaST/zypper

  • Install hostapd via YaST/zypper

martinprowe wrote:
> lwfinger;1961642 Wrote:
>> Now ‘hostapd -v’ will give you 0.6.8.
>
> Yppeee . . . Yes, it does. But only if I switch to root - is that
> okay?

Whenever the path to the program has sbin (for system bin) rather than bin, it
will not be in the path for any user but root. You can execute it as an
unprivileged user as long as you specify the “fully qualified path”, i.e. the
complete path from /. For hostapd that path is /usr/sbin/hostapd.
>
> I guess I need to get your Sect. IV script to run next? But that is for
> another night. But I think I will have to try and do it step-by-step
> because I already have DHCP, DNS & mail servers running on my LAN. I
> just need the AP to eth0 bridge.

You will still need the DHCP server running on the AP host as well. My script
puts the Access Point on a new subnet and you will need to issue addresses to
the computers connecting wirelessly. This is not necessary, but I set up my
scripts that way, and you would have to understand every step in the Section IV
script and change them to use the same subnet. As I said before, it will be a
lot less work to use the script as I wrote it. Your AP clients will be able to
use all the other servers on your LAN as those packets will be passed through.

Larry

Hi again Akoellh,

Thanks for coming back:

Do you mean the URLs listed in this post: Creating an Access Point in 11.1 - Page 2 - openSUSE Forums?

If so, I still have the same problem as earlier. What are you trying to tell me? If I follow the links, neither are self explanatory to me. What repository (url) do I add to the YaST | Software Repositories utility?

  • Install hostapd via YaST/zypper

I guess that should be simple, once I’ve achieved step one above?
Will this achieve anything over and above what Larry has advised me to do? You talked about “…ready made packages for hostapd and your wireless driver …” (my emboldening). What does this mean?
Or is it just an easier way to get to the same position? And can I do the above after having installed hostapd-0.6.8 Larry’s way?

Regards, ~Martin

Maybe you should start with the basics before trying clearly “advanced users”-stuff.

One of the basics would be to use search engines.

You don’t know how to add a repository to YaST?

Add Repository to YaST - Google Search

Gosh, that was quick. Thank you.

Oh, I don’t think that this is “advanced”, it’s just detail. And yes, I think I can add a repository to YaST. The question was (obviously badly put), which URL and more importantly - why.

I’m sure it would have been quicker just to say: Use this …

Best regards, ~Martin

And I’m sure it would have been even quicker to just try the posted URL instead of asking.

Hi Larry.

I tried your script, and it works fine in the sense that I can establish a connection and run e.g. skype on the client computer. However I am not able to browse the internet on the client computer (I get page not found). Could this have something to do with the iptables statement? Does an extra line need to be added for browsing?

Hans

PS: I run your script as root under suse 11.3, hostapd was retrieved via yast and is consequently in /usr/sbin/, the conf-files are saved in a directory /home/Accesspoint_Files, your script was adapted accordingly.

On 01/28/2011 06:06 AM, hvandore wrote:
>
> Hi Larry.
>
> I tried your script, and it works fine in the sense that I can
> establish a connection and run e.g. skype on the client computer.
> However I am not able to browse the internet on the client computer (I
> get page not found). Could this have something to do with the iptables
> statement? Does an extra line need to be added for browsing?
>
> Hans
>
> PS: I run your script as root under suse 11.3, hostapd was retrieved
> via yast and is consequently in /usr/sbin/, the conf-files are saved in
> a directory /home/Accesspoint_Files, your script was adapted accordingly.

I’m not sure what is wrong. From what I remember, everything worked with my
test, but that was a long time ago.

To debug it, I would make certain that the firewall in the host is not getting
in the way. Turn it off for testing. Next I would try to ping the AP computer
from the client. If that does not work, then look at routing in the client with
‘/sbin/route -n’. Is there an entry with the “UG” flags set? Does it point at
the right interface and network? Also check that the host can ping the client.

Once the host and client can ping each other, then try to ping from the client
to something upstream such as Google’s nameserver using ‘ping -c 5 8.8.8.8’. If
that is OK, then try ‘ping -c www.google.com’. If the first works and the second
fails, then it is a nameserver problem.

Hi Larry, thank you for your answer.

I cannot ping Google from the client, pinging Google’s IP (ping 66.102.13.147) works fine. Moreover putting Google in the browser URL field brings up the Google page without any problems. I get this same result with several clients (including Google’s Nexus S phone) which otherwise do not show any problems with other access points.

I am afraid I do not know what a name server problem is.

Hans

PS: The command “ping -c www.google.com” returns “bad number of packets to transmit”.

On 01/28/2011 04:06 PM, hvandore wrote:
>
> Hi Larry, thank you for your answer.
>
> I cannot ping ‘Google’ (http://www.google.com) from the client, pinging
> google’s ip (ping 66.102.13.147) works fine. Moreover putting ‘Google’
> (http://66.102.13.147) in the browser URL field brings up the Google
> page without any problems. I get this same result with several clients
> (including Google’s Nexus S phone) which otherwise do not show any
> problems with other access points.
>
> I am afraid I do not know what a name server problem is.
>
> Hans
>
> PS: The command “ping -c www.google.com” returns “bad number of packets
> to transmit”.

My bad. There should be a number after the -c.

The name server is the component that converts names such as www.google.com into
an IP. The easiest way to fix this is to use the command


kdesu kwrite /etc/resolv.conf

on the client and add the following two lines to the bottom of the file


nameserver 8.8.8.8
nameserver 8.8.4.4

With this change, you will be using the public name servers at Google instead of
those of your ISP. It should now work. If not, then a firewall is blocking TCP
and UDP port 42.