https://wiki.alpinelinux.org/w/api.php?action=feedcontributions&feedformat=atom&user=NegromaxAlpine Linux - User contributions [en]2026-05-03T05:53:17ZUser contributionsMediaWiki 1.40.0https://wiki.alpinelinux.org/w/index.php?title=Wireless_AP_with_udhcpd_and_NAT&diff=16864Wireless AP with udhcpd and NAT2020-02-07T17:46:21Z<p>Negromax: /* Dependencies */</p>
<hr />
<div>[[Category:Networking]]<br />
Setting up a wireless AP with udhcpd and NAT<br />
<br />
(baseed largley on the [http://elinux.org/RPI-Wireless-Hotspot raspberry pi wireless router howto])<br />
<br />
= Dependencies =<br />
<br />
{{Cmd|apk add hostapd busybox-extras iptables}}<br />
<br />
hostapd provides the AP.<br />
udhcpd is the dhcp server.<br />
<br />
If you want to connect clients to the internet, you need to provide some way<br />
of redirecting traffic from the AP to the rest of the internet.<br />
There are two main possibilities:<br />
*setting up a bridge<br />
*using NAT (network address translation).<br />
<br />
If you use a bridge and get your IP via DHCP, you may have a hard time<br />
configuring it so that the bridge gets an ip without screwing up your<br />
local internet connection.<br />
This guide only covers NAT; see [[Bridge]] for more on the alternative.<br />
<br />
= Configure hostapd =<br />
You need to write a configuration file; Alpine ships with a sample one in<br />
/etc/hostapd/hostapd.conf, but it didn't work for me (possibly because I<br />
used a pre wireless-N card, supported by ath5k?).<br />
<br />
Here's a sample one based on something that did work for me <br />
(I've changed ssid & wpa_passphrase):<br />
ctrl_interface=/var/run/hostapd<br />
ctrl_interface_group=0<br />
interface=wlan0<br />
driver=nl80211<br />
logger_syslog=-1<br />
logger_syslog_level=2<br />
logger_stdout=-1<br />
logger_stdout_level=2<br />
ssid=alpine-test<br />
hw_mode=g<br />
channel=6<br />
max_num_sta=32<br />
rts_threshold=2347<br />
fragm_threshold=2346<br />
macaddr_acl=0<br />
auth_algs=3<br />
ignore_broadcast_ssid=0<br />
wpa=2<br />
wpa_passphrase=supertopsecret<br />
wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256<br />
wpa_pairwise=TKIP CCMP<br />
<br />
Change "interface" to match your wireless interface.<br />
Change "ssid" and "wpa_passphrase" to suit your desires.<br />
Set "wpa" to 3 if you want plain wpa and wpa2. or 1 for plain WPA1 only.<br />
<br />
The example in the package uses wpa_psk_file (needed for WPS) instead of a<br />
static passphrase; this does not enable WPS.<br />
<br />
You may want to change the channel to avoid collision with other local APs.<br />
Unfortunately, the automatic channnel selection (channel=0) is *not*<br />
currently enabled at compile time, so we can't use it; scan for channels<br />
in use with {{Cmd|iwlist wlan0 scanning}} or equivalent before setup.<br />
<br />
max_num_sta is a limit to the number of clients connecting to your AP.<br />
Set it higher than you think you could have, but not much higher.<br />
<br />
If you don't put this in /etc/hostapd/hostapd.conf, you will need to change<br />
the CONFIGS line in /etc/conf.d/hostapd to point at it.<br />
I prefer doing that, so that the default is available for reference.<br />
<br />
<br />
= Configure udhcpd =<br />
<br />
Edit /etc/udhcpd.conf.<br />
The default is very well-commented, but not perfectly ready to use.<br />
Here's a skeleton, loosely based on mine:<br />
start 192.168.2.2<br />
end 192.168.2.254<br />
max_leases 64<br />
interface wlan0<br />
static_lease 00:1b:de:ad:be:ef 192.168.2.100<br />
opt dns 192.168.0.1 8.8.8.8<br />
opt subnet 255.255.255.0<br />
opt router 192.168.2.1<br />
opt lease 864000<br />
<br />
Note the following:<br />
*max_leases should be set to at least as many clients as you might have in<br />
the lifetime of a lease; if you have any clients connecting via bridges,<br />
note that the bridge itself gets a dhcp address.<br />
*interface is the interface clients will be connecting to (wlan0 or your<br />
wireless interface in our example)<br />
*router should be the static IP address you give to your wireless interface.<br />
*start and end should be within the same subnet as the IP you configure<br />
wlan0 with, but the IP for wlan0 should be outside the range.<br />
(For example: 192.168.2.1 and 192.168.2.255 are both suitable for the router<br />
IP in this example.)<br />
*set the dns option to point to any nameservers you want; you can repeat it,<br />
but there's a maximum of 3 nameservers.<br />
*static_lease takes two arguments: a MAC address designating a specific<br />
network adaptor, and the IP address that should be assigned to it.<br />
It can be repeated multiple times, to assign different IPs to different<br />
users.<br />
This comes in handy for printers, if you can trust those who connect to<br />
the network to not do MAC spoofing.<br />
<br />
= Configure iptables =<br />
<br />
I used raw iptables, configuring it thus:<br />
{{Cmd|iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br />
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT<br />
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT<br />
# this saves the state somewhere that the service can restore it from<br />
service iptables save}}<br />
<br />
= Test =<br />
<code><br />
/etc/init.d/hostapd start<br />
<br />
/etc/init.d/udhcpd start<br />
<br />
sysctl net.ipv4.ip_forward=1<br />
</code><br />
and try connecting from another computer.<br />
<br />
= Make changes permanent =<br />
<br />
{{Cmd|rc-update add hostapd<br />
rc-update add udhcpd<br />
rc-update add sysctl}}<br />
<br />
== Configuring ifup ==<br />
Now, the odd parts:<br />
iptables tries to set net.ipv4.ip_forward to 1 when it's started, but in<br />
my experience, this cannot be relied upon.<br />
You do *not* want to enable the "iptables" service; it starts before<br />
networking, and may result in your wireless interface not getting configured.<br />
(Apparently, ifup thinks that wlan0 is up and skips it. This was not something I expected, but it's the only explanation I have for how things worked...)<br />
<br />
Rather, modify /etc/network/interfaces, commenting out any configuration for<br />
your wireless interface. Then add this:<br />
<br />
<pre><br />
auto wlan0<br />
iface wlan0 inet static<br />
address 192.168.2.1<br />
netmask 255.255.255.0<br />
up /etc/init.d/iptables start<br />
up sysctl net.ipv4.ip_forward=1<br />
down /etc/init.d/iptables stop<br />
</pre><br />
<br />
(It would be possible to set everything up so that hostapd and udhcpd get<br />
started and stopped from the wlan0 stanza; I didn't bother doing that.)<br />
<br />
<br />
= Finishing touches =<br />
<br />
(See [[Setting_up_a_ssh-server]] for alternatives and more information)<br />
Add dropbear SSH server, configure it to run on only the wireless interface:<br />
{{Cmd|setup-sshd -c dropbear}}<br />
edit /etc/conf.d/dropbear to add<br />
<br />
DROPBEAR_OPTS="-p 192.168.2.1:22"<br />
<br />
(assuming that the wireless interface has the IP 192.168.2.1 and you<br />
want SSH on port 22).<br />
This is optional, but if you're using a wireless router it helps to be able<br />
to administer it, and listening on all addresses is rather risky.<br />
<br />
<br />
= Things this doesn't cover but it would be nice to =<br />
*Some way to get more entropy (see [[Entropy_and_randomness]])<br />
*DNS server, publishing device names ([[TinyDNS_Format]] looks most useful)<br />
*use awall instead of raw iptables (and/or switch to nftables)<br />
*[[Setup-acf]] to manage the router<br />
This would require:<br />
**acf-core, acf-alpine-conf, acf-apk-tools<br />
**acf-iptables, or acf-awall + rewrite<br />
**acf-ssh + switch to openssh, or new acf-dropbear<br />
**acf-dhcp + switch to dhcp, or new acf-udhcpd<br />
**new acf-hostapd (probably hardest part!)<br />
**acf-tinydns after adding tinydns</div>Negromax