How to set up Alpine as a wireless router: Difference between revisions
| Rickyrockrat (talk | contribs) | Rickyrockrat (talk | contribs)  | ||
| Line 119: | Line 119: | ||
| ===== interfaces ===== | ===== interfaces ===== | ||
| /etc/network/interfaces<br> | /etc/network/interfaces<br> | ||
| auto lo | <pre> | ||
| iface lo inet loopback | auto lo | ||
| iface lo inet loopback | |||
| auto eth0 | |||
| iface eth0 inet dhcp | auto eth0 | ||
|          hostname ANYNAME | iface eth0 inet dhcp | ||
|          hwaddress ether FE:ED:BE:EF:33:DD |          hostname ANYNAME | ||
|          hwaddress ether FE:ED:BE:EF:33:DD | |||
| iface eth1 inet manual | |||
| iface wlan0 inet manual | iface eth1 inet manual | ||
| iface wlan0 inet manual | |||
| auto br0 | |||
| iface br0 inet static | auto br0 | ||
|          pre-up ifconfig eth1 up | iface br0 inet static | ||
|          bridge-ports eth1 wlan0 |          pre-up ifconfig eth1 up | ||
|          bridge-stp off |          bridge-ports eth1 wlan0 | ||
|          address 192.168.0.3 |          bridge-stp off | ||
|          broadcaset 192.168.1.255 |          address 192.168.0.3 | ||
|          netmask 255.255.255.0< |          broadcaset 192.168.1.255 | ||
|          netmask 255.255.255.0 | |||
| </pre> | |||
| ===== Permissive iptables ===== | ===== Permissive iptables ===== | ||
Revision as of 05:25, 8 December 2022
Pi Zero W Wireless Router
This page describes building a Wireless Access Point with two wired ethernet ports for building a home router that connects to the internet with one wired port, and an internal LAN with the second wired port and the on-board WiFi.
The intent is to provide this:
                                    |<-->eth1 <-->| 
Internet <--> eth0 <-->FireWall<-->br0           Internal<--> ssh,bind,dhcp, with ssh reverse ssh connections.
                                    |<-->wlan0<-->|
Overview
I generally run Debian and  when forced by Red Hot Irons, Red Hat. This is my first foray into Alpine. So far I am very impressed. I mirrored the 3.12 armhf repos so I had things local when I needed them. Word to the wise, it comprises 13 GB of apk files.
One *really* nice feature of Alpine is apk, the yum/apt replacement:
- It is simple and to the point.
- The same tool provides *repo* level dependency reporting!
- Install of single packages without repo signing (I never did get the signing correct, but I can install).
Prepare
- Obtain a microSD card (or HDD) you can wipe the data from. We will assume it is /dev/sdc.
- Make a 256M FAT16 partition (sudo mkfs.vfat -n ALPBOOT /dev/sdc1)
- The rest of the device can be ext2 (ext3/4 on HDD) (sudo mke2fs -m1 -L alext3 /dev/sdc2).
- Untar the alpine-rpi-3.12.3-armhf.tar.gz and copy all of the files to the fat16 partition which can be as large as 2G.
- Make sure you have all the packages from the package list below installed on the SD card. This will save you lots of time.
- Add this to usercfg.txt at the root of the FAT16 partition:
enable_uart=1 gpu_mem=16 dtparam=audio=off
- This is the contents of cmdline.txt:
modules=loop,squashfs,sd-mod,usb-storage console=tty1 console=ttyAMA0,115200
First Boot
- Put the SD into the pi zero
- Connect the serial port
- Run minicom with the parameters set to 115200,n,8,1, no flow control.
- Power up the Pi.
Copy Root
- mkdir /stage
- mount /dev/sda2 /stage
- for d in $(ls -1 /|grep -v 'media\|stage\|dev\|proc\|sys'); do cp -a /$d /stage; done
- modules are loop mounted to /.modloop, and lib/modules is symlinked to that, so
- rm /stage/lib/modules
- cp -a /.modloop /stage/lib/modules
- Fix cmdline.txt
mount -o remount,rw /media/mmcblk0p1 echo 'root=/dev/mmcblk0p2' >> /media/mmcblk0p1/cmdline.txt
- reboot
Install
- verify you are now operating from the ext2 filesystem where you copied the rootfs.
- install openssh, openssh-server, openssh-client, openssh-server-common,
- install dnsmasq, ethtool, hostapd*, busybox extras, iptables*, iw,net-tools, tree, wireless-tools.
- edit all the configurations supplied here.
ssh config
The allowed users are not normal names since I want the names to be a little obfuscated. Not that it really matters, since this is a key driven setup
AddressFamily inet
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_rsa_key
LogLevel INFO
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
AllowUsers Som123X Extern4524User
PubkeyAuthentication yes
AuthorizedKeysFile	/etc/ssh/authorized_keys
HostbasedAuthentication yes
IgnoreUserKnownHosts yes
IgnoreRhosts yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding no
dnsmasq.conf
/etc/dnsmasq.conf
This has two subnets. One for normal dhcp, the other for pseudo static - dhcp provided by MAC. One example here.
interface=br0 except-interface=eth0 dhcp-range=subnet0,192.168.0.10,192.168.0.100,255.255.255.0,24h dhcp-range=subnet1,192.168.0.4,192.168.0.6,255.255.255.0,24h bind-interfaces #log-queries #log-dhcp dhcp-host=70:85:66:c4:48:55,192.168.0.4,nas
/etc/hosts
dnsmasq provides DNS answers from the hosts file. Nice. 
127.0.0.1 localhost localhost.localdomain ::1 localhost localhost.localdomain 192.168.0.3 wireless 192.168.0.4 nas 192.168.0.5 mpd
hostapd.conf
/etc/hostapd/hostapd.conf
interface=wlan0
bridge=br0
hw_mode=g
channel=7
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ssid=Whatever
wpa_passphrase=YouMakeItUp
interfaces
/etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
        hostname ANYNAME
        hwaddress ether FE:ED:BE:EF:33:DD
iface eth1 inet manual
iface wlan0 inet manual
auto br0
iface br0 inet static
        pre-up ifconfig eth1 up
        bridge-ports eth1 wlan0
        bridge-stp off
        address 192.168.0.3
        broadcaset 192.168.1.255
        netmask 255.255.255.0
Permissive iptables
Do NOT use this connected to the internet! There is NO protection.
This is my stopopen in my replacement iptables
iptables -P INPUT ACCEPT
<
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -F -t nat
iptables -F
References
apk notes:
- Create, index and check dependencies on a list of apk files: apk index -o APKINDEX.unsigned.tar.gz *.apk
- Install a package: apk add iw OR apk add /path/to/iw-5.4-r0.apk
- remove a package: apk del iw
- repository lists are in: /etc/apk/repositories
* Local URL: /media/mmcblk0p1/apks * Remote URL: http://dl-cdn.alpinelinux.org/alpine/v3.12/main
FAT16/32 limits
udhcpc
ez-ipupdate
Dynamic_DNS
Alpine Linux Bridge
Connect to wireless AP
dnsmasq listen restrictions
Disable IPV6
dnsmasq Docs
HostApd Docs
[rsync://rsync.alpinelinux.org/alpine Alpine Repos]
Set Static DNS names
Reverse SSH tunnel
Pi Specific
Pi Wifi Repeater
WiFi Bridge
Alpine Install
Classic Sys Install on Pi
Not Related, but Interesting
AP and Managed Mode
AP and MQTT
Package List
Put these in the apks/armhf directory on the 256M Fat partition:
iptables-1.8.4-r2.apk openssh-8.3_p1-r1.apk iptables-openrc-1.8.4-r2.apk openssh-client-8.3_p1-r1.apk abuild-3.6.0-r1.apk iw-5.4-r0.apk openssh-keygen-8.3_p1-r1.apk alpine-base-3.12.3-r0.apk kbd-bkeymaps-2.2.0-r2.apk openssh-server-8.3_p1-r1.apk alpine-baselayout-3.2.0-r7.apk libacl-2.2.53-r0.apk openssh-server-common-8.3_p1-r1.apk alpine-conf-3.9.0-r1.apk libattr-2.4.48-r0.apk openssh-sftp-server-8.3_p1-r1.apk alpine-keys-2.2-r0.apk libblkid-2.35.2-r0.apk openssl-1.1.1i-r0.apk alpine-mirrors-3.5.10-r0.apk libc-utils-0.7.2-r3.apk patch-2.7.6-r6.apk apk-tools-2.10.5-r1.apk libcap-2.27-r0.apk pcsc-lite-libs-1.8.26-r0.apk attr-2.4.48-r0.apk libcom_err-1.45.6-r0.apk pkgconf-1.7.2-r0.apk bash-5.0.17-r0.apk libcrypto1.1-1.1.1i-r0.apk ppp-atm-2.4.8-r2.apk bash-completion-2.10-r0.apk libcurl-7.69.1-r3.apk ppp-chat-2.4.8-r2.apk bonding-2.6-r4.apk libedit-20191231.3.1-r0.apk ppp-daemon-2.4.8-r2.apk bridge-1.5-r4.apk libev-4.33-r0.apk ppp-l2tp-2.4.8-r2.apk bridge-utils-1.6-r0.apk libgcc-9.3.0-r2.apk ppp-minconn-2.4.8-r2.apk busybox-1.31.1-r19.apk libmnl-1.0.4-r0.apk ppp-passprompt-2.4.8-r2.apk busybox-extras-1.31.1-r19.apk libnftnl-1.1.6-r0.apk ppp-passwordfd-2.4.8-r2.apk busybox-initscripts-3.2-r2.apk libnftnl-libs-1.1.6-r0.apk ppp-pppoe-2.4.8-r2.apk busybox-suid-1.31.1-r19.apk libnl3-3.5.0-r0.apk ppp-radius-2.4.8-r2.apk c-ares-1.16.1-r0.apk libpcap-1.9.1-r2.apk ppp-winbind-2.4.8-r2.apk ca-certificates-20191127-r4.apk libssl1.1-1.1.1i-r0.apk readline-8.0.4-r0.apk ca-certificates-bundle-20191127-r4.apk libstdc++-9.3.0-r2.apk scanelf-1.2.6-r0.apk chrony-3.5.1-r0.apk libtls-standalone-2.9.1-r1.apk signature.tar.gz chrony-openrc-3.5.1-r0.apk libusb-1.0.23-r0.apk ssl_client-1.31.1-r19.apk curl-7.69.1-r3.apk libuuid-2.35.2-r0.apk tar-1.32-r1.apk dbus-libs-1.12.18-r0.apk lzip-1.21-r0.apk tcpdump-4.9.3-r2.apk dnsmasq-2.81-r0.apk mii-tool-1.60_git20140218-r2.apk tree-1.8.0-r0.apk e2fsprogs-1.45.6-r0.apk musl-1.1.24-r10.apk tzdata-2020c-r1.apk e2fsprogs-libs-1.45.6-r0.apk musl-utils-1.1.24-r10.apk usb-modeswitch-2.6.0-r1.apk ethtool-5.6-r0.apk ncurses-libs-6.2_p20200523-r0.apk vlan-2.2-r0.apk ez-ipupdate-3.0.10-r9.apk ncurses-terminfo-base-6.2_p20200523-r0.apk wireless-tools-30_pre9-r1.apk fakeroot-1.24-r0.apk net-tools-1.60_git20140218-r2.apk wpa_supplicant-2.9-r5.apk haveged-1.9.8-r1.apk network-extras-1.2-r0.apk wpa_supplicant-openrc-2.9-r5.apk haveged-openrc-1.9.8-r1.apk nghttp2-1.41.0-r0.apk zlib-1.2.11-r3.apk hostapd-2.9-r2.apk nghttp2-libs-1.41.0-r0.apk hostapd-openrc-2.9-r2.apk openrc-0.42.1-r11.apk