pavement

AccessPoint

From FreeBSDwiki
(Difference between revisions)
Jump to: navigation, search
m (Reverted edits by 200.35.188.9 (Talk) to last revision by 79.31.207.14)
(minor updates)
Line 167: Line 167:
  
 
====OpenVpn configuration====
 
====OpenVpn configuration====
We will first install all in test-mode that is to say not runnning at the boot,not running as daemon etc...
+
We will first install all in test-mode that is to say not runnning ... \n
we will run theses commands:
+
ifconfig tap0 destroy
+
ifconfig bridge0 destroy
+
ifconfig tun0 destroy
+
ifconfig bridge0 create
+
ifconfig tap0 create
+
#remplace ral0 by your card interface name
+
ifconfig bridge0 addm ral0 addm tap0 up
+
ifconfig br0 192.168.1.1
+
then here's my server configuration for openvpn:
+
ca /usr/local/etc/openvpn/keys/ca.crt
+
cert /usr/local/etc/openvpn/keys/server.crt
+
key /usr/local/etc/openvpn/keys/server.key
+
dh /usr/local/etc/openvpn/keys/dh1024.pem
+
dev tap
+
# replace 10.0.0.1 with the VPN IP
+
server-bridge 10.0.0.1 255.255.255.0 10.0.0.2 10.0.0.250
+
keepalive 10 120
+
client-to-client
+
verb 3
+
duplicate-cn
+
push "route-gateway 10.0.0.1"
+
push "dhcp-option DNS 10.0.0.1" # push DNS entries to openvpn client
+
<i>here we push the gateway to the client...if you want to push the dns in /etc/resolv.conf you need a script...if you want to use the dnsmasq server see [[openvpn and dhcp client]]</i>
+
and here's my client configuration(ubuntu GNU/Linux):
+
remote 192.168.1.1
+
client
+
dev tap
+
nobind
+
tls-client
+
ca /home/ubu/ca.crt
+
cert /home/ubu/ubu.crt
+
key /home/ubu/ubu.key
+
pull
+
verb 4
+
remote-cert-tls server
+
#auth-user-pass
+
in order to make it work do this on the server:
+
/usr/loca/sbin/openvpn server.conf
+
ifconfig tap0 10.0.0.1
+
on the client:
+
openvpn client.conf
+
route del default
+
route add default gw 10.0.0.1 tap0
+
redirect-gateway
+
here redirect-gateway pull the default gateway from the openvpn server
+
if you put wireshark on the client's wireless interface you'll see only udp packet from and to the openvpn port...so it works...
+
  
 +
== Use Your Talents Give More Receive More ==
  
in order to make our openvpn start at boot we will add this to /etc/rc.conf:
+
When I stand before God at the end of my life, I would hope that I would not have a single bit of talent left, and could say, I used everything you gave me.Erma Bombeck
#openvpn
+
cloned_interfaces="bridge0 tap0"
+
autobridge_interfaces="bridge0"
+
autobridge_bridge0="tap0 ral0"
+
openvpn_if="tap"
+
openvpn_enable="YES"
+
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
+
ifconfig_tap0="inet 10.0.0.1 netmask 255.255.255.0"
+
ifconfig_bridge0="inet 192.168.1.1 netmask 255.255.255.0"
+
  
so here's our final rc.conf:
+
  [[http://goodvillenews.com/Use-Your-Talents-Give-More-Receive-More-n807aT.html Use Your Talents Give More Receive More]]
# -- sysinstall generated deltas -- # Mon Oct 6 04:45:53 2008
+
# Created: Mon Oct  6 04:45:53 2008
+
# Enable network daemons for user convenience.
+
# Please make all changes to this file, not to /etc/defaults/rc.conf.
+
# This file now contains just the overrides from /etc/defaults/rc.conf.
+
keymap="us.iso"
+
sshd_enable="YES"
+
ifconfig_rl0="DHCP"
+
ifconfig_ral0="inet 192.168.1.1 netmask 255.255.255.0 ssid freebsdap mediaopt hostap channel 4"
+
gateway_enable="YES"
+
firewall_enable="YES"
+
firewall_type="OPEN"
+
natd_enable="YES"
+
natd_interface="rl0"
+
natd_flags=""
+
#defaultrouter="192.168.1.1"
+
dnsmasq_enable="YES"
+
+
#openvpn
+
cloned_interfaces="bridge0 tap0"
+
autobridge_interfaces="bridge0"
+
autobridge_bridge0="tap0 ral0"
+
openvpn_if="tap"
+
openvpn_enable="YES"
+
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
+
ifconfig_tap0="inet 10.0.0.1 netmask 255.255.255.0"
+
ifconfig_bridge0="inet 192.168.1.1 netmask 255.255.255.0"
+
  
 +
[[http://goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles]]
  
 +
== Simple Ways Of Dealing With Conflict ==
  
 +
Being in control of your life and having realistic expectations about your day-to-day challenges are the keys to stress management, which is perhaps the most important ingredient to living a happy, healthy and rewarding life.
  
[[Category:FreeBSD for Servers]]
+
[[http://goodvillenews.com/Simple-Ways-Of-Dealing-With-Conflict-n0JxBe.html Simple Ways Of Dealing With Conflict]]
 +
 
 +
[[http://goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles]]
 +
 
 +
== Researchers Nurture Innovative Biofuel Crops in Israels Desert ==
 +
 
 +
Fears of global warming and its impact on our environment have left scientists scrambling to decrease levels of atmospheric carbon we humans produce. Now, Tel Aviv University researchers are doing their part to reduce humanitys carbon footprint by successfully growing forests in the most unlikely place deep in Israels Aravah Desert.
 +
 
 +
[[http://goodvillenews.com/Researchers-Nurture-Innovative-Biofuel-Crops-in-Israels-Dese-DJR.html Researchers Nurture Innovative Biofuel Crops in Israels Desert]]
 +
 
 +
[[http://goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles]]
 +
 
 +
== Seeking Silence & Stillness in the Rush of Business Life ==
 +
 
 +
Pico Iyer -- essayist, author, travel writer and thinker -- has a unique perspective on many things. His physical domain ranges from California (where he lived as a child) and England (where he studied) to Cuba, North Korea and Ethiopia (which he visited) and Japan (where he resides). His mental domain knows no limiting boundaries. In this interview with Wharton associate dean and chief information officer Deirdre Woods and Knowledge@Wharton
 +
 
 +
[[http://goodvillenews.com/Seeking-Silence-Stillness-in-the-Rush-of-Business-Life-LCK85X.html Seeking Silence & Stillness in the Rush of Business Life]]
 +
 
 +
[[http://goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles]]
 +
 
 +
== Worth Our Weight: The Taste of Compassion ==
 +
 
 +
Its a sunny Saturday morning, and my wife and I turn into a residential neighborhood of Santa Rosa, California the only sign of commerce is a beleaguered shopping mall a few hundred feet away. I glance down at my GPS to make sure this is where we want to be and in doing so I almost pass my destination. There it is tucked away to the left, sandwiched between two homes: Worth our Weight (W.O.W)
 +
 
 +
[[http://goodvillenews.com/Worth-Our-Weight-The-Taste-of-Compassion-qYcZwK.html Worth Our Weight: The Taste of Compassion]]
 +
 
 +
[[http://goodvillenews.com/wk.html GoodvilleNews.com - good, positive news, inspirational stories, articles]]

Revision as of 17:11, 29 July 2012

Contents

Introduction

FreeBSD is very well suited for use as a wifi access point as it has 'master mode' support for a variety of wifi network cards, out of the box. Some of these include ralink and Atheros cards.

There are many difficulties setting up a wireless network access point on linux. Some of the problems(with non madwifi cards) include:

  • You must use a kernel that is yet-to-be released (2.6.26-rc4).
  • You must patch the kernel. Download Patch
  • You must compile a recent libnl(I used libnl-1.1-r1, on Gentoo) against the custom kernel.
  • On Gentoo you need to copy nl80211.h from your kenrel directory to /usr/include/linux
  • Finally, you need to compile a git version of hostapd...

All of the above steps must be completed for maximum support of various wireless network cards. Most other sets are fairly similar to those on FreeBSD.

On this Howto we will assume that your modem gives you a dhcp address,see AccessPoint using pppoe if you need to setup PPPOE

The hardware

For my setup, and the instructions included here, I used:

  • 2 Realtech PCI 10/100 cards, on FreeBSD. These cards are recognized as rl0 and rl1. (Perhaps there is the possibility to use interfaces aliasing, but as i had 2 cards...)
  • 1 Ralink rt2500 PCI card, on FreeBSD. This card is recognized as ral0.

Installation and Configuration

  • Install FreeBSD as usual. This example uses FreeBSD 7.0.
  • Enable ssh logins during the installation, or add the following line to your /etc/rc.conf:
sshd_enable="YES"
  • If you have a DHCP-enabled modem, you can add the following to your /etc/rc.conf:
ifconfig_rl0="DHCP"

Note, make certain you replace rl0 with your wired network interface name.

Wireless

To configure the wireless card, the following commands need to be executed:

ifconfig ral0 inet 192.168.1.1 netmask 255.255.255.0 ssid freebsdap mediaopt hostap channel 4

Note that, in the FreeBSD Handbook, inet is placed incorrectly. Also, make certain to include a channel number. Without it, I was unable to get this working.

Next, try to associate to the new AP from a client. If something goes wrong (i.e. ping doesn't work), look to dmesg for debugging output. Specifically, look for association messages.


Finally, if you can see the wireless network, and can ping it, simply add the following to /etc/rc.conf:

ifconfig_ral0="inet 192.168.1.1 netmask 255.255.255.0 ssid freebsdap mediaopt hostap channel 4"

Useful Association Commands

Under GNU/Linux type as root(remplacing wlan0 by your wifi card interface name):

ifconfig wlan0 up
 iwlist wlan0 scan
 iwconfig wlan0 essid "freebsdap"
 ifconfig wlan0 192.168.1.100 netmask 255.255.255.0
 ping 192.168.1.1

Under FreeBSD type as root(remplacing ral0 by your wifi card interface name):

ifconfig ral0 up
 ifconfig ral0 list scan
 ifconfig ral0 inet 192.168.1.100 netmask 255.255.255.0 ssid freebsdap
 ping 192.168.1.1

DNS and DHCP

Once the wireless AP is working, we can install DNS and DHCP servers. For simplicity, we will use dnsmasq. As root, execute the following command:

cd /usr/ports/dns/dnsmasq && make config && make install

On the configuration menu, deselect the followingn options:

  • ipv6
  • dbus

Once installed, we need to configure dnsmasq:

Edit /usr/local/etc/dnsmasq.conf with your favorite editor and add the following:

# filter what we send upstream
domain-needed
bogus-priv
filterwin2k
localise-queries
 
# allow /etc/hosts and dhcp lookups via *.lan
local=/lan/
domain=workgroup
expand-hosts
#resolv-file=/tmp/resolv.conf.auto
 
dhcp-authoritative
#dhcp-leasefile=/tmp/dhcp.leases
 
# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers
 
# other useful options:
# default route(s):
dhcp-option=3,192.168.1.1
#    dns server(s):
dhcp-option=6,192.168.1.1

dhcp-range=192.168.1.100,192.168.1.255,255.255.255.0,12h

The option, read-ethers, permits you to assign statics IPs to certain MAC addresses. Edit /etc/ethers with entries as follows:

00:14:85:11:EF:02 192.168.1.106

In order to give a DNS name to this entry, edit /etc/hosts and add an entry like this:

192.168.1.106 Ralink

To start your dnsmasq server at boot, add the following to /etc/rc.conf:

dnsmasq_enable="YES"

You can now test the wifi connection with any graphical tool (like NetworkManager in GNU/linux or even test it with a windows computer) you can even try to ping a website... but you will only get his ip and no response...that's because we didn't set up the NAT yet...

Nat and firewall

in order to set the nat we will add this to /etc/rc.conf:(remplacing ral0 by your wired card(that is connected to the internet) interface name)::

gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="rl0"
natd_flags=""

if you wish to redirect ports add this to natd_flags="" in /etc/rc.conf:

-redirect_port tcp 192.168.0.6:80 80

now normally the access point should work...

OpenVPN

Introduction

now that we have wireless we could choose between theses choices:

  • having a full open wireless(not great for security)
  • having a wpa wireless(not compatible with all drivers,devices doesn't always work),no guests...
  • having an open wireless while encrypting the data sent to to wireless access point...yes that is possible...with the help of openvpn

i chose the third possibility.

installation

here the commands to run in order to install openvpn:

cd /usr/ports/security/openvpn
make
make install

configuration

EasyRsa

install bash:

cd /usr/ports/shells/bash
make
make install
ln -s /usr/local/bin/bash /bin/bash 

run theses commands:

cp -r /usr/local/share/doc/openvpn/easy-rsa/2.0/ /root/easy-rsa-2.0

here we will copy it in order not to have our keys erased by an update... then we will need bash run:

/bin/bash
cd /root/easy-rsa-2.0

then we will make the certificates: modify the vars script in order to suit your needs,then run:

source ./vars
./clean all
./build-ca ca

then we will build the server key:

./build-key-server server

then we will build the clients key:

./build-key client1
./build-key client2

then we genreate diffie helman parameters:

./build-dh

in order to build a new client just do:

source ./vars
./build-key client2

then copy the keys at the keys location:

cp -r keys /usr/local/etc/openvpn/keys

alternatively you can do the following:

mkdir /usr/local/etc/openvpn/keys/
cd /root/easy-rsa-2.0/keys
cp ca.crt /usr/local/etc/openvpn/keys/ca.crt
cp server.crt /usr/local/etc/openvpn/keys/server.crt
cp server.key /usr/local/etc/openvpn/keys/server.key
cp dh1024.pem /usr/local/etc/openvpn/keys/dh1024.pem

OpenVpn configuration

We will first install all in test-mode that is to say not runnning ... \n

Use Your Talents Give More Receive More

When I stand before God at the end of my life, I would hope that I would not have a single bit of talent left, and could say, I used everything you gave me.Erma Bombeck

[Use Your Talents Give More Receive More]

[GoodvilleNews.com - good, positive news, inspirational stories, articles]

Simple Ways Of Dealing With Conflict

Being in control of your life and having realistic expectations about your day-to-day challenges are the keys to stress management, which is perhaps the most important ingredient to living a happy, healthy and rewarding life.

[Simple Ways Of Dealing With Conflict]

[GoodvilleNews.com - good, positive news, inspirational stories, articles]

Researchers Nurture Innovative Biofuel Crops in Israels Desert

Fears of global warming and its impact on our environment have left scientists scrambling to decrease levels of atmospheric carbon we humans produce. Now, Tel Aviv University researchers are doing their part to reduce humanitys carbon footprint by successfully growing forests in the most unlikely place deep in Israels Aravah Desert.

[Researchers Nurture Innovative Biofuel Crops in Israels Desert]

[GoodvilleNews.com - good, positive news, inspirational stories, articles]

Seeking Silence & Stillness in the Rush of Business Life

Pico Iyer -- essayist, author, travel writer and thinker -- has a unique perspective on many things. His physical domain ranges from California (where he lived as a child) and England (where he studied) to Cuba, North Korea and Ethiopia (which he visited) and Japan (where he resides). His mental domain knows no limiting boundaries. In this interview with Wharton associate dean and chief information officer Deirdre Woods and Knowledge@Wharton

[Seeking Silence & Stillness in the Rush of Business Life]

[GoodvilleNews.com - good, positive news, inspirational stories, articles]

Worth Our Weight: The Taste of Compassion

Its a sunny Saturday morning, and my wife and I turn into a residential neighborhood of Santa Rosa, California the only sign of commerce is a beleaguered shopping mall a few hundred feet away. I glance down at my GPS to make sure this is where we want to be and in doing so I almost pass my destination. There it is tucked away to the left, sandwiched between two homes: Worth our Weight (W.O.W)

[Worth Our Weight: The Taste of Compassion]

[GoodvilleNews.com - good, positive news, inspirational stories, articles]

Personal tools