Wireless AP with udhcpd and NAT

From Alpine Linux
Revision as of 00:20, 3 May 2020 by Pcoppock1 (talk | contribs) (Improve grammar)

Setting up a wireless AP with udhcpd and NAT

(based largely on the raspberry pi wireless router howto)


Install the hostapd access point software, busybox-extras (for the udhcpd DHCP server), and the iptables firewall manager.

apk add hostapd busybox-extras iptables

If you want to connect clients to the internet, you need to provide some way of redirecting traffic from the AP to the rest of the internet. There are two main possibilities:

  • setting up a bridge
  • using NAT (network address translation).

If you use a bridge and get your IP via DHCP, you may have a hard time configuring it so that the bridge gets an IP address without screwing up your local internet connection. This guide only covers NAT; see Bridge for more on the alternative.

Configure hostapd

You need to write a configuration file; Alpine ships with a sample one in /etc/hostapd/hostapd.conf, but it didn't work for me (possibly because I used a pre-wireless-N card, supported by ath5k?).

Here's a sample one based on something that did work for me (I've changed ssid & wpa_passphrase):

wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
wpa_pairwise=TKIP CCMP

Change "interface" to match your wireless interface. Change "ssid" and "wpa_passphrase" to suit your desires. Set "wpa" to 3 if you want both WPA and WPA2, or to 1 for plain WPA1 only.

The example shipped in the package uses wpa_psk_file (needed for WPS) instead of a static passphrase; using it does not by itself enable WPS.

You may want to change the channel to avoid collision with other local APs. Unfortunately, automatic channel selection (channel=0) is *not* currently enabled at compile time, so we can't use it; scan for channels in use with

iwlist wlan0 scanning

or equivalent before setup.

max_num_sta is a limit to the number of clients connecting to your AP. Set it higher than you think you could have, but not much higher.

If you don't put this in /etc/hostapd/hostapd.conf, you will need to change the CONFIGS line in /etc/conf.d/hostapd to point at it. I prefer doing that, so that the default is available for reference.
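Since the sample above survives only in part, here is an added example (not the wiki's own configuration or hostapd's) that writes a complete, minimal WPA2-PSK hostapd.conf after validating the values the text tells you to change: interface, ssid, wpa_passphrase, channel and max_num_sta. The option names are hostapd's; the interface name, SSID, passphrase and channel at the bottom are constructed placeholders, and `driver=nl80211` assumes a mac80211-based card such as the ath5k one mentioned above.

```shell
#!/bin/sh
# Added example, not the wiki's sample hostapd.conf: generate a minimal
# WPA2-PSK configuration after validating the parameters the page says to
# change. Option names are hostapd's own; sample values are constructed.

# hostapd rejects WPA passphrases outside 8..63 printable ASCII characters.
valid_passphrase() {
    [ "${#1}" -ge 8 ] && [ "${#1}" -le 63 ] &&
        printf '%s' "$1" | LC_ALL=C grep -q '^[[:print:]]*$'
}

# An SSID is 1..32 bytes.
valid_ssid() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 32 ]
}

# 2.4 GHz channels for hw_mode=g, regulatory domain permitting
# (channel=0, automatic selection, is not compiled in per the page).
valid_channel() {
    case $1 in
        [1-9]|1[0-3]) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_hostapd_conf IFACE SSID PASSPHRASE CHANNEL MAX_STA
# Prints the configuration on stdout; returns 1 and prints no config if a
# parameter fails validation, so a broken file is never written.
gen_hostapd_conf() {
    iface=$1 ssid=$2 pass=$3 chan=$4 max_sta=$5
    valid_ssid "$ssid" || { echo "ssid must be 1-32 bytes" >&2; return 1; }
    valid_passphrase "$pass" || { echo "passphrase must be 8-63 printable chars" >&2; return 1; }
    valid_channel "$chan" || { echo "channel must be 1-13" >&2; return 1; }
    [ "$max_sta" -ge 1 ] 2>/dev/null || { echo "max_num_sta must be >= 1" >&2; return 1; }
    cat <<EOF
interface=$iface
driver=nl80211
ssid=$ssid
hw_mode=g
channel=$chan
max_num_sta=$max_sta
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=$pass
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
EOF
}

# Constructed sample values; redirect the output to your own config file,
# e.g. gen_hostapd_conf ... > /etc/hostapd/ap.conf, and point CONFIGS at it.
gen_hostapd_conf wlan0 ExampleNet 'correct horse battery' 6 10
```

The generator pins wpa=2 and rsn_pairwise=CCMP rather than the "TKIP CCMP" of the fragment above, because TKIP is deprecated and offers no benefit once every client speaks WPA2; if you must admit WPA1-only clients, set wpa=3 and add wpa_pairwise as the text describes.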

Configure udhcpd

Edit /etc/udhcpd.conf. The default is very well-commented, but not perfectly ready to use. Here's a skeleton, loosely based on mine:

max_leases	64
interface	wlan0
static_lease	00:1b:de:ad:be:ef
opt	dns
opt	subnet
opt	router
opt	lease	864000

Note the following:

  • max_leases should be set to at least as many clients as you might have in the lifetime of a lease; if you have any clients connecting via bridges, note that the bridge itself gets a DHCP address.
  • interface is the interface clients will be connecting to (wlan0 in our example, or your wireless interface).
  • router should be the static IP address you give to your wireless interface.
  • start and end should be within the same subnet as the IP you configure wlan0 with, but the IP for wlan0 should be outside the range. (For example: and are both suitable for the router IP in this example.)
  • set the dns option to point to any nameservers you want; you can repeat it, but there's a maximum of 3 nameservers.
  • static_lease takes two arguments: a MAC address designating a specific network adaptor, and the IP address that should be assigned to it. It can be repeated multiple times, to assign different IPs to different users. This comes in handy for printers, if you can trust those who connect to the network not to do MAC spoofing.
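The start/end/router constraints above are easy to get wrong by hand, so here is an added example (not from the wiki) that checks a candidate triple in pure POSIX sh: start and end must lie in the router's subnet, the range must not touch the network or broadcast address, and the router's own address must lie outside the lease range. The addresses and the /24 prefix length are constructed sample input.

```shell
#!/bin/sh
# Added example, not part of the wiki page: check a udhcpd start/end/router
# triple against the rules the page states. Pure POSIX sh arithmetic, so it
# runs anywhere; the addresses at the bottom are constructed.

# ip2int: dotted quad -> 32-bit integer
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix2mask: prefix length (e.g. 24) -> integer netmask
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# check_dhcp_range ROUTER PREFIXLEN START END
# Returns 0 when the triple is consistent, 1 with a reason on stderr otherwise.
check_dhcp_range() {
    router=$(ip2int "$1") mask=$(prefix2mask "$2")
    start=$(ip2int "$3") end=$(ip2int "$4")
    net=$(( router & mask ))
    bcast=$(( net | (4294967295 ^ mask) ))

    if [ $(( start & mask )) -ne "$net" ] || [ $(( end & mask )) -ne "$net" ]; then
        echo "error: $3-$4 is not inside the router's /$2 subnet" >&2; return 1
    fi
    if [ "$start" -gt "$end" ]; then
        echo "error: start $3 is above end $4" >&2; return 1
    fi
    if [ "$start" -le "$net" ] || [ "$end" -ge "$bcast" ]; then
        echo "error: range touches the network or broadcast address" >&2; return 1
    fi
    if [ "$router" -ge "$start" ] && [ "$router" -le "$end" ]; then
        echo "error: router $1 lies inside the lease range $3-$4" >&2; return 1
    fi
    return 0
}

# Constructed sample: a /24 with the router at .1 and leases .10-.100.
check_dhcp_range 192.168.4.1 24 192.168.4.10 192.168.4.100 && echo "range ok"
```

Run it before editing /etc/udhcpd.conf; if it reports an error, udhcpd would still start, but clients would either get addresses they cannot route through the router or, worse, collide with the router's own address.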

Configure iptables

I used raw iptables, configuring it thus:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

Save the rules somewhere the iptables service can restore them from:

service iptables save

Then start the services and enable IP forwarding:

/etc/init.d/hostapd start
/etc/init.d/udhcpd start
sysctl net.ipv4.ip_forward=1

and try connecting from another computer.
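The three rules above are all the forwarding the AP needs, but as written they rely on the FORWARD chain's default policy and will be duplicated if typed a second time. Here is an added example (not the wiki's own commands) that applies the same rule set idempotently, using `iptables -C` to test for each rule before appending it, and sets FORWARD to a default-deny policy so that only the two listed flows are ever forwarded. The interface names eth0 and wlan0 are assumptions, overridable through the WAN and LAN environment variables.

```shell
#!/bin/sh
# Added example, not the wiki's own commands: apply the page's three NAT
# rules idempotently (re-running never duplicates a rule) and set the
# FORWARD chain to a default-deny policy so that only the two listed flows
# are forwarded. Interface names are assumptions, overridable via WAN/LAN.
WAN=${WAN:-eth0}
LAN=${LAN:-wlan0}

# nat_rules: one rule per line as "<table> <chain> <rule spec>", without the
# leading "iptables", so the set can be read or tested without root.
nat_rules() {
    cat <<EOF
nat POSTROUTING -o $WAN -j MASQUERADE
filter FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
filter FORWARD -i $LAN -o $WAN -j ACCEPT
EOF
}

# apply_rules: for each rule, "-C" checks whether it already exists and only
# then "-A" appends it. Requires root and a kernel with netfilter.
apply_rules() {
    nat_rules | while read -r table chain spec; do
        # spec is deliberately left unquoted so it word-splits into arguments
        if ! iptables -t "$table" -C "$chain" $spec 2>/dev/null; then
            iptables -t "$table" -A "$chain" $spec
        fi
    done
    # Whatever the two FORWARD rules do not accept is dropped, not forwarded.
    iptables -P FORWARD DROP
}

# Run with "apply" to install the rules; with no argument just print the
# rule set for review, which needs no privileges.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    nat_rules
fi
```

After `sh nat.sh apply`, run `service iptables save` as above so the rule set and the DROP policy are restored together on the next start. On current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`; the two are equivalent here.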

Make changes permanent

rc-update add hostapd
rc-update add udhcpd
rc-update add sysctl

Configuring ifup

Now, the odd parts: iptables tries to set net.ipv4.ip_forward to 1 when it's started, but in my experience, this cannot be relied upon. You do *not* want to enable the "iptables" service; it starts before networking, and may result in your wireless interface not getting configured. (Apparently, ifup thinks that wlan0 is up and skips it. This was not something I expected, but it's the only explanation I have for how things worked...)

Rather, modify /etc/network/interfaces, commenting out any configuration for your wireless interface. Then add this:

auto wlan0
iface wlan0 inet static
	up /etc/init.d/iptables start
	up sysctl net.ipv4.ip_forward=1
	down /etc/init.d/iptables stop

(It would be possible to set everything up so that hostapd and udhcpd get started and stopped from the wlan0 stanza; I didn't bother doing that.)

Finishing touches

Add the dropbear SSH server and configure it to listen only on the wireless interface (see Setting_up_a_ssh-server for alternatives and more information):

setup-sshd -c dropbear

edit /etc/conf.d/dropbear to add


(assuming that the wireless interface has the IP and you want SSH on port 22). This is optional, but if you're using a wireless router it helps to be able to administer it, and listening on all addresses is rather risky.

Things this doesn't cover but that would be nice to

This would require:

    • acf-core, acf-alpine-conf, acf-apk-tools
    • acf-iptables, or acf-awall + rewrite
    • acf-ssh + switch to openssh, or new acf-dropbear
    • acf-dhcp + switch to dhcp, or new acf-udhcpd
    • new acf-hostapd (probably hardest part!)
    • acf-tinydns after adding tinydns