A wireless access point / Hotspot using OpenBSD

This Guide explains how you would setup a wireless hotspot using OpenBSD and PF so you can provide internet access to wireless clients such as laptops or phones.

Introduction and Requirements

OpenBSD and its fabolous firewall “pf” make for a great wireless access point. Here is a short list of requirements to follow this post – adapt as needed. Note this is not a “copy” & “paste” style guide, thinking is required!

  • A Laptop with OpenBSD 5.2 – my test machine is a Asus EEPC.
  • Wired ethernet. My chipset is alc(8)
  • Wireless network card that supports “access point mode”. My Chipset is athn(8)
  • Internet connection. Make sure your ethernet cable is plugged in, but don’t configure internet access or routing just yet – we will do this step by step

System setup

For the most part i setup my OpenBSD box so it boots up without anything configured. This means each time i reboot this machine, i have to run a small script that configures everything. We will go trough the required steps one by one and at the end share a full script for you to adjust and run.

To get going, bootup your machine. The only system startup change we need to do is to disable the automatic start of pf, the packet filter firewall. To do that, add the following entry into /etc/rc.conf.local


We will enable PF later manually. Reboot your machine or issue pfctl -d to have a system state similar to mine.

Configure our Network Interfaces

First lets setup our main wired ethernet connection so our access point can access the internet. In my case, my wired network interface is detected as alc0 – your mileage may vary. Find out using ifconfig.

# My local LAN Network uses Subnet
# Adjust desired IP and Router, DNS Server etc. as needed

# I chose to give my AP the IP
ifconfig alc0 inet netmask up

# My LAN's default Router is at
route add default

# My local DNS Server is also at
echo nameserver > /etc/resolv.conf

Check and make sure you can “ping” your local router or some website.

Now run the following Command to setup a wireless hotspot named “FreeWifi”. I chose the network to be the network for my wireless clients.

# This command sets up an "open" access point
ifconfig athn0 inet netmask \
media autoselect mediaopt hostap nwid FreeWifi \
chan 1 up

# This command sets up a "secure" hotspot with wpa password 123456789
ifconfig athn0 inet netmask \
media autoselect mediaopt hostap nwid FreeWifi \
wpakey 123456789 chan 1 up

So far, so good. Use any wireless device to scan for new wireless networks, and “FreeWifi” should now appear. Don’t connect just yet – we are not done!

Setting up DHCPD

Lets setup DHCPD on our wireless card so that whenever someone connects he gets the right network settings assigned.

# Backup your existing dhcpd.conf, always a good idea
cp /etc/dhcpd.conf /etc/dhcpd.bak

# Make sure your dhcpd.conf looks like this or adjust as desired
option domain-name "my.domain";
option domain-name-servers "";

subnet netmask {
option routers;

Now its time to start your DHCPD Daemon – but make sure it only listens on your wireless interface!

# replace -i athn0 with your wireless interface name!
dhcpd athn0

Setup your Firewall

Now all thats left for us to do is to setup our access point so it starts to route packets between the wired and the wireless interface, and setup PF to handle it all and provide some protection

To make OpenBSD pass packets between Interfaces you have to adjust the net.inet.ip.forwarding sysctl. Run the following command as root to do that.

sysctl net.inet.ip.forwarding=1

Secondly, make your /etc/pf.conf look like the following example. Note the line breaks – because of the width of my theme, i have to denote line breaks using “\”!

wired = "alc0"
wireless = "athn0"

icmp_types = "{echoreq, unreach}"

set block-policy return
set loginterface $wireless
set skip on lo0

# to some packet scrubbing
match in all scrub (no-df max-mss 1440)

# Handles NAT for the wireless clients
match out on egress inet from !(egress:network) \
to any nat-to (egress:0)

# Block everything by default
block log all

# Let all traffic out
pass out quick

# Let all traffic in
# allowing 'gre' is useful to allow PPTP VPN traffic
pass in quick inet proto { tcp udp gre } from any to any
pass in quick inet proto icmp all icmp-type $icmp_types keep state

Now enable and load your firewall ruleset

pfctl -ef /etc/pf.conf

Connecting to your wireless hotspot!

You are pretty much done! Use some laptop with wireless or your phone to scan for the “FreeWifi” access point and connect to it. Depending on whether you choose to use a password, enter your password. The OpenBSD Box should assign you an IP Address, and you can surf away!

Automate it all

Of course much of our configuration is gone once we reboot our OpenBSD Box. You can either start all the various Daemons on boot by making the right entries in /etc/rc.conf.local and /etc/sysctl.conf etc., but because i am twiddling with this setup a fair bit i found it easier to let the machine restart to a clean state without anything started or enabled, and then run a simple shell script that sets everything up. Make a new script and name it setup_hotspot with the following contents:

# Configure network interfaces
ifconfig alc0 inet netmask up
ifconfig athn0 inet \
media autoselect mediaopt hostap nwid FreeWifi wpakey 123456789 chan 1 up
# Set default route
route add default
# Start DHCPD - configured in /etc/dhcpd.conf already
dhcpd athn0
# Enable our packet filter ruleset
pfctl -ef /etc/pf.conf

Make the script executeable and run it once after each system boot to setup your hotspot

chmod +x /usr/local/bin/setup_hotspot


I hope this article inspired you to setup your own OpenBSD based wireless hotspot. The most important of all things when choosing hardware is to make sure OpenBSD nicely supports your wireless network card, and that its chipset and driver support the hostap mode. Read up on the relevant drivers man pages!

Lastly – i tried to keep the configuration as simple as possible – there is a lot more you can do. Setup your pf.conf better. Replace your regular Netgear or what have you with OpenBSD! Build in traffic monitoring using rrdtool or even simple console applications such as ifstat etc. Go crazy and have fun expiriementing and improving, post questions or suggestions in the comments!


  1. What brand antenna are you using?

  2. Thanks for your comment fadi. This post assumes you want to setup a wireless access point inside your LAN, where regular DHCP is provided by your already existing main Router / Firewall.
    The Wireless access point has a fixed IP and provides DHCP only to clients that connect to it via the wireless Interface, hope that makes sense.


  3. Its MAC address is 00:e0:4c:03:4f:97 if you want to lookup vendor and it gets detected as a Realtek Semiconductor Corp. RTL8187 Wireless Adapter

Speak Your Mind