This guide explains how to set up a wireless hotspot using OpenBSD and PF so you can provide internet access to wireless clients such as laptops or phones.

Introduction and Requirements
OpenBSD and its fabulous firewall “pf” make for a great wireless access point. Here is a short list of requirements to follow this post – adapt as needed. Note this is not a “copy & paste” style guide, thinking is required!
- A laptop with OpenBSD 5.2 – my test machine is an Asus EEPC.
- Wired ethernet. My chipset is alc(8)
- Wireless network card that supports “access point mode”. My Chipset is athn(8)
- Internet connection. Make sure your ethernet cable is plugged in, but don’t configure internet access or routing just yet – we will do this step by step
System setup
For the most part I set up my OpenBSD box so it boots up without anything configured. This means each time I reboot this machine, I have to run a small script that configures everything. We will go through the required steps one by one and at the end share a full script for you to adjust and run.
To get going, boot up your machine. The only system startup change we need to make is to disable the automatic start of pf, the packet filter firewall. To do that, add the following entry to /etc/rc.conf.local
pf="NO"
We will enable PF later manually. Reboot your machine or issue pfctl -d to have a system state similar to mine.
Configure our Network Interfaces
First let's set up our main wired ethernet connection so our access point can access the internet. In my case, my wired network interface is detected as alc0 – your mileage may vary. Find out using ifconfig.
# My local LAN Network uses 10.0.1.1/24 Subnet
# Adjust desired IP and Router, DNS Server etc. as needed
# I chose to give my AP the IP 10.0.1.254
ifconfig alc0 inet 10.0.1.254 netmask 255.255.255.0 up
# My LAN's default Router is at 10.0.1.2
route add default 10.0.1.2
# My local DNS Server is also at 10.0.1.2
echo nameserver 10.0.1.2 > /etc/resolv.conf
Check and make sure you can “ping” your local router or some website.
Now run one of the following commands to set up a wireless hotspot named “FreeWifi”. I chose the network 10.0.3.1/24 to be the network for my wireless clients.
# This command sets up an "open" access point (no encryption on the air)
ifconfig athn0 inet 10.0.3.1 netmask 255.255.255.0 \
    media autoselect mediaopt hostap nwid FreeWifi \
    chan 1 up
# This command sets up a "secure" hotspot with wpa password 123456789
# (123456789 is only a placeholder; pick your own passphrase of 8 to 63 characters)
ifconfig athn0 inet 10.0.3.1 netmask 255.255.255.0 \
    media autoselect mediaopt hostap nwid FreeWifi \
    wpakey 123456789 chan 1 up
So far, so good. Use any wireless device to scan for new wireless networks, and “FreeWifi” should now appear. Don’t connect just yet – we are not done!
Setting up DHCPD
Let's set up DHCPD on our wireless card so that whenever someone connects he gets the right network settings assigned.
# Backup your existing dhcpd.conf, always a good idea
cp /etc/dhcpd.conf /etc/dhcpd.bak
# Make sure your dhcpd.conf looks like this or adjust as desired
option domain-name "my.domain";
# DNS server handed to the wireless clients; adjust to your resolver
option domain-name-servers 10.0.2.1;
subnet 10.0.3.0 netmask 255.255.255.0 {
    option routers 10.0.3.1;
    range 10.0.3.100 10.0.3.150;
}
Now it's time to start your DHCPD daemon – but make sure it only listens on your wireless interface!
# replace athn0 with your wireless interface name!
dhcpd athn0
Setup your Firewall
Now all that's left for us to do is to set up our access point so it starts to route packets between the wired and the wireless interface, and set up PF to handle it all and provide some protection.
To make OpenBSD pass packets between interfaces you have to adjust the net.inet.ip.forwarding sysctl. Run the following command as root to do that.
sysctl net.inet.ip.forwarding=1
Secondly, make your /etc/pf.conf look like the following example. Note the line breaks – because of the width of my theme, I have to denote line breaks using “\”!
wired = "alc0"
wireless = "athn0"
icmp_types = "{echoreq, unreach}"
set block-policy return
set loginterface $wireless
set skip on lo0
# do some packet scrubbing
match in all scrub (no-df max-mss 1440)
# Handles NAT for the wireless clients
match out on egress inet from !(egress:network) \
to any nat-to (egress:0)
# Block everything by default
block log all
# Let all traffic out
pass out quick
# Let all traffic in
# allowing 'gre' is useful to allow PPTP VPN traffic
pass in quick inet proto { tcp udp gre } from any to any
pass in quick inet proto icmp all icmp-type $icmp_types keep state
Now enable and load your firewall ruleset
pfctl -ef /etc/pf.conf
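The ruleset above passes every TCP, UDP and GRE packet in on both interfaces, so wireless clients can reach every host on the wired LAN as well as the access point itself. The following tighter variant is an added example, not part of the original post; it keeps the guide's interface names and subnets and assumes that clients use the LAN resolver at 10.0.1.2 and that the box is administered over SSH from the wired LAN.

```conf
# Added example - tighter variant of the guide's /etc/pf.conf
wired = "alc0"
wireless = "athn0"
dns = "10.0.1.2"        # assumption: clients use the LAN resolver
icmp_types = "{echoreq, unreach}"

set block-policy return
set loginterface $wireless
set skip on lo0

match in all scrub (no-df max-mss 1440)

# NAT only the wireless subnet instead of everything that is "not egress"
match out on egress inet from $wireless:network to any nat-to (egress:0)

block log all

# Drop packets claiming a source address that lives on another interface
antispoof quick for { $wired $wireless }

# The access point itself may talk out; forwarded traffic leaves here too
pass out quick

# DHCP from wireless clients to the AP
pass in quick on $wireless inet proto udp from any port 68 to any port 67

# DNS to the LAN resolver is the only LAN service clients may reach
pass in quick on $wireless inet proto { tcp udp } \
    from $wireless:network to $dns port 53

# Keep wireless clients off the wired LAN and off the AP's own services
block in log quick on $wireless inet from any to $wired:network
block in log quick on $wireless inet from any to self

# Everything else from the wireless subnet goes to the internet
pass in quick on $wireless inet proto { tcp udp gre } \
    from $wireless:network to any
pass in quick on $wireless inet proto icmp \
    from $wireless:network to any icmp-type $icmp_types

# Assumption: the AP is administered over SSH from the wired LAN
pass in quick on $wired inet proto tcp \
    from $wired:network to $wired port 22
```

Parse it with pfctl -nf /etc/pf.conf before loading. $wireless:network is resolved when the ruleset is loaded, so athn0 must already have its address at that point.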
Connecting to your wireless hotspot!
You are pretty much done! Use some laptop with wireless or your phone to scan for the “FreeWifi” access point and connect to it. If you chose to use a password, enter it. The OpenBSD box should assign you an IP address, and you can surf away!
Automate it all
Of course much of our configuration is gone once we reboot our OpenBSD box. You could start all the various daemons on boot by making the right entries in /etc/rc.conf.local and /etc/sysctl.conf etc., but because I am twiddling with this setup a fair bit I found it easier to let the machine restart to a clean state without anything started or enabled, and then run a simple shell script that sets everything up. Make a new script and name it setup_hotspot with the following contents:
#!/bin/sh
# Configure network interfaces
ifconfig alc0 inet 10.0.1.254 netmask 255.255.255.0 up
ifconfig athn0 inet 10.0.3.1 netmask 255.255.255.0 \
    media autoselect mediaopt hostap nwid FreeWifi wpakey 123456789 chan 1 up
# Set default route
route add default 10.0.1.2
# Pass packets between the interfaces (this sysctl is not kept across reboots)
sysctl net.inet.ip.forwarding=1
# Start DHCPD - configured in /etc/dhcpd.conf already
dhcpd athn0
# Enable our packet filter ruleset
pfctl -ef /etc/pf.conf
Make the script executable and run it once after each system boot to set up your hotspot
chmod +x /usr/local/bin/setup_hotspot
/usr/local/bin/setup_hotspot
Conclusions
I hope this article inspired you to set up your own OpenBSD based wireless hotspot. The most important thing when choosing hardware is to make sure OpenBSD supports your wireless network card well, and that its chipset and driver support the hostap mode. Read up on the relevant drivers' man pages!
Lastly – I tried to keep the configuration as simple as possible – there is a lot more you can do. Set up your pf.conf better. Replace your regular Netgear or what have you with OpenBSD! Build in traffic monitoring using rrdtool or even simple console applications such as ifstat etc. Go crazy and have fun experimenting and improving, post questions or suggestions in the comments!
Nice job, thanks for sharing it!
Thanks for the good how-to
but what about dhcp server on lan ip’s? in your case 10.0.1.0/24
if you have
if not how to wifi ap and lan dhcp server?
Thanks for your comment fadi. This post assumes you want to set up a wireless access point inside your LAN, where regular DHCP is provided by your already existing main Router / Firewall.
The Wireless access point has a fixed IP and provides DHCP only to clients that connect to it via the wireless Interface, hope that makes sense.
–ds
I am a student at Multimedia University College of Kenya. I pursue a bachelor's degree in Telecommunication & Information Eng. I like this guide and I hope to have much from your tutorials; please notify me of anything upcoming to keep in touch with current developments in telecommunication technology.
What chipset and brand is the adapter you're using in your setup?
Its MAC address is 00:e0:4c:03:4f:97 if you want to lookup vendor and it gets detected as a Realtek Semiconductor Corp. RTL8187 Wireless Adapter
Ok, thank you very much. By the way, I really like your post; it's very well written and easy to follow.
Hi, what would I change in this guide if I have static IPs from my ADSL ISP? Thanks… love OBSD and hopefully I will give my mobile devices @ home a hotspot based on OBSD.
-Jay