AccessPoint

From FreeBSDwiki
Revision as of 17:35, 2 June 2008

Introduction

FreeBSD is well suited to use as an access point because it supports master (hostap) mode out of the box for a variety of cards, such as Ralink and Atheros ones. Under GNU/Linux you have to:

  • use a kernel that is not out yet (2.6.26-rc4)
  • patch the kernel with the patch named allow-ap-vlan-modes.patch from http://johannes.sipsolutions.net/patches/kernel/all/LATEST/
  • compile a recent libnl (I used libnl-1.1-r1 on Gentoo) against that kernel
  • on Gentoo, copy nl80211.h from your kernel source tree to /usr/include/linux
  • then finally compile a git version of hostapd...

You have to do all of that just to get the Wi-Fi card working as an access point (otherwise the setup is pretty similar to FreeBSD). In the end I got a system working with a Broadcom card but not with the Ralink ones (they made my computer freeze). Under FreeBSD it is a lot easier and more stable: no git checkouts and no patches.

The hardware

I used:

  • two Realtek PCI 10/100 cards, recognized by FreeBSD as rl0 and rl1 (interface aliasing might have been possible instead, but I had two cards...)
  • a Ralink RT2500 PCI card, recognized by FreeBSD as ral0

The installation and configuration

  • install FreeBSD as usual (I used FreeBSD 7.0)
  • enable ssh logins during the installation, or add this to your /etc/rc.conf:
sshd_enable="YES"
  • if your modem hands out addresses by DHCP, add the following to your /etc/rc.conf (replacing rl0 with the interface name of your wired card):
ifconfig_rl0="DHCP"

Otherwise we will look at PPPoE later...

Wireless

  • then type the following command as root (replacing ral0 with the interface name of your Wi-Fi card):
ifconfig ral0 inet 192.168.1.1 netmask 255.255.255.0 ssid freebsdap mediaopt hostap channel 4

Note that the FreeBSD handbook places inet incorrectly in this command. Pay attention to the channel 4 as well: I tried without it and it did not work. Note also that this brings up an open network with no link-layer encryption at all; the OpenVPN section later on is how this setup gets confidentiality back.

Then try to associate from a client running an operating system such as *BSD or GNU/Linux and ping the access point. If something goes wrong (the ping gets no reply), type dmesg on the access point and look for messages about your Wi-Fi card, such as association messages. Under GNU/Linux, type the following as root (replacing wlan0 with the interface name of your Wi-Fi card):

ifconfig wlan0 up
iwlist wlan0 scan
iwconfig wlan0 essid "freebsdap"
ifconfig wlan0 192.168.1.100 netmask 255.255.255.0
ping 192.168.1.1

Under FreeBSD, type the following as root (replacing ral0 with the interface name of your Wi-Fi card):

ifconfig ral0 up
ifconfig ral0 list scan
ifconfig ral0 inet 192.168.1.100 netmask 255.255.255.0 ssid freebsdap
ping 192.168.1.1

Then, once the client can see the wireless network and ping the access point, add the following to /etc/rc.conf:

ifconfig_ral0="inet 192.168.1.1 netmask 255.255.255.0 ssid freebsdap mediaopt hostap channel 4"

dns and dhcp

Your wireless network is now working, so we can install a DNS and DHCP server. For simplicity we will use dnsmasq. Type the following as root:

cd /usr/ports/dns/dnsmasq
make config

Then unselect IPv6 unless you need it, and unselect DBUS because we won't use it. Then type the following as root:

make
make install

Then we need to configure dnsmasq: edit /usr/local/etc/dnsmasq.conf with your favorite editor and add the following:

# filter what we send upstream
domain-needed
bogus-priv
filterwin2k
localise-queries

# allow /etc/hosts and dhcp lookups via *.lan
local=/lan/
domain=workgroup
expand-hosts
#resolv-file=/tmp/resolv.conf.auto

dhcp-authoritative
#dhcp-leasefile=/tmp/dhcp.leases

# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers

# other useful options:
# default route(s) handed to clients (this router):
dhcp-option=3,192.168.1.1
# dns server(s) handed to clients (this router):
dhcp-option=6,192.168.1.1
# dynamic pool: .100 to .254; the original ended at .255, which is the
# broadcast address of a /24 and must never be leased to a client
dhcp-range=192.168.1.100,192.168.1.254,255.255.255.0,12h

The file needs little explanation except for read-ethers: it lets you assign a fixed IP address to a given MAC address. Also be aware that, as written, dnsmasq listens on every interface, including the wired one facing the modem; its interface= option restricts it to the wireless side. To use read-ethers, edit /etc/ethers with entries like this:

00:14:85:11:EF:02 192.168.1.106

and, to give this entry a DNS name, edit /etc/hosts and add an entry like this:

192.168.1.106 Ralink
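Because dnsmasq takes /etc/ethers as is, a typo there silently becomes a bad lease. The script below is an added example (not from the original page) that checks an ethers file before dnsmasq loads it: MAC syntax, that every address is a host address inside the page's 192.168.1.0/24, that nobody is given the router's own 192.168.1.1, and that no MAC or IP appears twice. The sample file it writes is constructed for the demonstration; the subnet and router address are assumed from the configuration above.

```shell
#!/bin/sh
# check_ethers.sh: sanity-check the static leases in /etc/ethers before dnsmasq
# loads them through read-ethers.  Added example, not code from the original
# page.  Assumptions not stated on the page: the LAN is 192.168.1.0/24 with the
# router at 192.168.1.1 (the addresses used above); the sample file is
# constructed here, not taken from a real host.
#
# Usage: check_ethers.sh /etc/ethers      (or --demo to run on the sample)

ROUTER=192.168.1.1
PREFIX=192.168.1      # the /24 served by dhcp-range

# check_ethers FILE: print one line per problem and return 1 if any were found,
# 0 if the file is clean.
check_ethers() {
    file=$1 status=0
    while read -r mac ip extra; do
        case "$mac" in ''|'#'*) continue ;; esac   # blank and comment lines
        if ! printf '%s\n' "$mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "bad MAC: $mac"; status=1; continue
        fi
        host=${ip#"$PREFIX".}            # last octet if ip is in our /24
        if [ "$host" = "$ip" ] || ! [ "$host" -ge 1 ] 2>/dev/null || [ "$host" -gt 254 ]; then
            echo "$mac: $ip is not a host address in $PREFIX.0/24"; status=1
        elif [ "$ip" = "$ROUTER" ]; then
            echo "$mac: $ip is the router's own address"; status=1
        fi
        if [ -n "$extra" ]; then
            echo "$mac: unexpected trailing text '$extra'"; status=1
        fi
    done < "$file"
    # the same MAC (case-insensitive) or the same IP listed twice
    for dup in $(grep -v '^#' "$file" | awk 'NF { print tolower($1) }' | sort | uniq -d); do
        echo "duplicate MAC: $dup"; status=1
    done
    for dup in $(grep -v '^#' "$file" | awk 'NF { print $2 }' | sort | uniq -d); do
        echo "duplicate IP: $dup"; status=1
    done
    return $status
}

# write_sample FILE: constructed test data.  The first entry is the page's own,
# the second is fine, and each of the remaining four carries one fault
# (duplicate MAC, router address, wrong subnet, truncated MAC).
write_sample() {
    cat > "$1" <<'EOF'
# <hwaddr>          <ipaddr>
00:14:85:11:EF:02   192.168.1.106
00:14:85:11:ef:10   192.168.1.20
00:14:85:11:EF:02   192.168.1.21
00:14:85:11:EF:11   192.168.1.1
00:14:85:11:EF:12   192.168.2.5
00:14:85:11:EF      192.168.1.22
EOF
}

case "${1:-}" in
    --demo) f=$(mktemp); write_sample "$f"; check_ethers "$f"; rm -f "$f" ;;
    ?*)     check_ethers "$1" ;;
esac
```

A static address inside the dynamic range is deliberately not reported: dnsmasq reserves such an address for its MAC and does not hand it to anyone else, so the page's own 192.168.1.106 entry is fine.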

Then, to start dnsmasq at boot, add the following to /etc/rc.conf:

dnsmasq_enable="YES"

You can now test the Wi-Fi connection with any graphical tool (such as NetworkManager on GNU/Linux, or even from a Windows computer). You can also try to ping a website, but you will only see its name resolved to an IP address and get no reply: that is because we have not set up NAT yet...

Nat and firewall

To set up the NAT, add this to /etc/rc.conf (replacing rl0 with the interface name of the wired card that is connected to the internet):

gateway_enable="YES"
firewall_enable="YES"
# OPEN loads a pass-everything ruleset: there is no filtering at all, the
# firewall is enabled here only so that the natd divert rule gets installed
firewall_type="OPEN"
natd_enable="YES"
natd_interface="rl0"
natd_flags=""

If you wish to redirect a port from the wired side to a host on the wireless network, add a natd flag like this to natd_flags="" in /etc/rc.conf (here forwarding TCP port 80 to the host that was given a static address above; the original had 192.168.0.6, which is not on the 192.168.1.0/24 network used on this page):

natd_flags="-redirect_port tcp 192.168.1.106:80 80"

The access point should now work as a normal NAT router...

OpenVPN

Introduction

Now that we have wireless, we can choose between these options:

  • a fully open wireless network (not great for security)
  • a WPA-protected wireless network (not compatible with all drivers, devices do not always work, and no guests...)
  • an open wireless network where the data sent to the access point is nevertheless encrypted... yes, that is possible, with the help of OpenVPN

I chose the third option.

Keep in mind what this design does and does not protect. With the OPEN firewall type from the previous section, anyone who associates with the open SSID gets DHCP, DNS and NAT to the internet whether or not they bring up the VPN; the tunnel protects only the clients that use it. For the open SSID to be usable only through the VPN, the firewall has to restrict what the wireless interface may pass to the OpenVPN port and the bootstrap traffic (DHCP, DNS) a client needs before the tunnel is up.
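The following ipfw script is an added example (not from the original page) of such a restriction, serving both the "Nat and firewall" section above and the design just described. It replaces firewall_type="OPEN" while keeping the page's natd setup: over the air only DHCP, DNS to the router, OpenVPN's port and ping are accepted, and everything else arriving on the wireless interface is dropped before NAT or the bridge can forward it. Decrypted traffic shows up on tap0 and passes as before. Everything about how it is wired in (the firewall_script rc.conf variable, the interface names, the default OpenVPN port, the bridge pfil sysctl) is an assumption stated in the header comment, not something the page specifies.

```shell
#!/bin/sh
# /etc/ipfw.rules.sh: let the open SSID carry only what a client needs to reach
# the VPN, and drop everything else that arrives over the air.  Added example,
# not code from the original page.  Assumptions not stated on the page:
#   - loaded from rc.conf with firewall_script="/etc/ipfw.rules.sh" in place of
#     firewall_type="OPEN"; firewall_enable, natd_enable and natd_interface stay
#     as on the page (so this script must add natd's divert rule itself)
#   - the page's names and addresses: rl0 wired, ral0 wireless, tap0 the OpenVPN
#     side of bridge0, router address 192.168.1.1
#   - net.link.bridge.pfil_member left at its default (1), so "in via ral0"
#     sees frames before the bridge forwards them to tap0
#   - OpenVPN on its default UDP port 1194 (the page's server.conf sets neither
#     proto nor port)
# Run with -n to print the rules instead of loading them.

WAN=rl0     # wired side, translated by natd(8)
WIFI=ral0   # open SSID, member of bridge0 together with tap0

apply_rules() {
    fw=${FWCMD:-/sbin/ipfw -q}     # FWCMD=echo gives a dry run

    $fw -f flush
    # loopback sanity, as /etc/rc.firewall does
    $fw add 100 allow ip from any to any via lo0
    $fw add 200 deny ip from any to 127.0.0.0/8
    $fw add 300 deny ip from 127.0.0.0/8 to any

    # everything crossing the wired interface goes through natd first
    $fw add 400 divert natd ip from any to any via $WAN

    # From the open SSID accept only: DHCP, DNS to this router, the OpenVPN
    # port, and ping (so the page's association test still works).
    $fw add 1000 allow udp from any 68 to any 67 in via $WIFI
    $fw add 1100 allow udp from any to me 53 in via $WIFI
    $fw add 1200 allow tcp from any to me 53 in via $WIFI
    $fw add 1300 allow udp from any to me 1194 in via $WIFI
    $fw add 1400 allow icmp from any to me in via $WIFI icmptypes 8
    # anything else arriving in the clear is dropped: no NAT, no LAN, and no
    # bridging onto tap0 for a client that has not brought up the tunnel
    $fw add 1900 deny ip from any to any in via $WIFI

    # decrypted traffic from tap0, the router's own replies and the wired side
    # pass; the wired side stays as open as the page's OPEN ruleset left it
    $fw add 65000 allow ip from any to any
}

case "${1:-}" in
    -n) FWCMD=echo ;;
esac
# load only where ipfw exists; elsewhere the script just defines the function
if [ -x /sbin/ipfw ] || [ "${FWCMD:-}" = echo ]; then
    apply_rules
fi
```

Run it once with -n and read the output before pointing firewall_script at it; a mistake in the deny rule locks wireless clients out of the very port they need to bring up the tunnel. Note that the DHCP and DNS rules are what keep a VPN-less client able to get an address and resolve the server name, which is all the open SSID is meant to offer.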

installation

Here are the commands to run to install OpenVPN:

cd /usr/ports/security/openvpn
make
make install

configuration

We will first set everything up in test mode, that is, not started at boot and not running as a daemon. Run these commands:

# tear down anything left over from a previous attempt (harmless if the interfaces do not exist)
ifconfig tap0 destroy
ifconfig bridge0 destroy
ifconfig tun0 destroy
ifconfig bridge0 create
ifconfig tap0 create
# replace ral0 with the interface name of your Wi-Fi card
ifconfig bridge0 addm ral0 addm tap0 up
# the LAN address belongs on the bridge, not on the ral0 member
# (the original had "br0", which is not a FreeBSD interface name)
ifconfig bridge0 192.168.1.1

Note that bridging tap0 with the wireless interface puts the VPN side on the same link layer as the open SSID: broadcast frames from the tunnel (ARP and the like) are flooded out over ral0 in the clear, so nothing confidential should depend on them.

Then here is my server configuration for OpenVPN:

ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
# 1024-bit DH parameters are weak by current standards; generate a 2048-bit file instead
dh /usr/local/etc/openvpn/keys/dh1024.pem
dev tap
# replace 10.0.0.1 with the VPN IP: gateway, netmask, then the pool handed out to clients
server-bridge 10.0.0.1 255.255.255.0 10.0.0.2 10.0.0.250
keepalive 10 120
client-to-client
verb 3
# lets several clients share one certificate; convenient, but you lose per-client identity and revocation
duplicate-cn

And here is my client configuration (Ubuntu GNU/Linux):

remote 192.168.1.1
client
dev tap
nobind
tls-client
ca /home/ubu/ca.crt
cert /home/ubu/ubu.crt
key /home/ubu/ubu.key
pull
verb 4
# only accept a server certificate issued with the server role; without this any
# client certificate from the same CA could impersonate the server (all the more
# important with duplicate-cn on the server)
remote-cert-tls server
#auth-user-pass

To make it work, run this on the server (the original had /usr/loca/sbin, a typo):

/usr/local/sbin/openvpn server.conf
ifconfig tap0 10.0.0.1

On the client:

openvpn client.conf
# send everything through the tunnel; 192.168.1.1 stays reachable over the
# wireless interface's connected route, so the tunnel itself keeps working
route del default
route add default gw 10.0.0.1 tap0

Until the default route is changed, the client's traffic still leaves over the open SSID in the clear, so do not skip this step. OpenVPN can also do it for you if the server pushes redirect-gateway to its clients.