Difference between revisions of "Software access point"

From ArchWiki
(wikify some external links, use https for archlinux.org)
(Wireless client and software AP with a single Wi-Fi device: not all interface support wds, so just create a managed virtual interface and hostapd will change it to ap mode automatically)
 
(82 intermediate revisions by 31 users not shown)
Line 1: Line 1:
[[ru:Software Access Point]]
+
[[Category:Wireless networking]]
[[Category:Wireless Networking]]
+
[[ja:ソフトウェアアクセスポイント]]
 +
[[ru:Software access point]]
 +
[[zh-CN:Software access point]]
 +
{{Related articles start}}
 +
{{Related|Network configuration}}
 +
{{Related|Wireless network configuration}}
 +
{{Related|Ad-hoc networking}}
 +
{{Related|Internet sharing}}
 +
{{Related articles end}}
 +
A software access point is used when you want your computer to act as a Wi-Fi access point for the local network. It saves you the trouble of getting a separate wireless router.
  
A software access point is used when you want your computer to act as an access point for the local wireless network. It saves you the trouble of getting a separate wireless router.
+
== Requirements ==
  
= Overview and Requirements =
+
=== Wi-Fi device must support AP mode ===
  
Setting up an access point comprises two main parts:
+
You need a [http://wireless.kernel.org/en/developers/Documentation/nl80211 nl80211] compatible wireless device, which supports the AP [http://wireless.kernel.org/en/users/Documentation/modes operating mode]. This can be verified by running {{ic|iw list}} command, under the {{ic|Supported interface modes}} block there should be {{ic|AP}} listed:
* Setting up the '''link layer''', so that wireless clients can associate to your computer's "software access point" and send/receive IP packets from/to your computer; this is what the hostapd package will do for you
+
* Setting up the '''network configuration''' on you computer, so that your computer will properly relay IP packets from/to its own Internet connection from/to wireless clients.
+
  
The second point is actually the more complicated one, and there's two basic ways for implementing it:
+
{{hc|$ iw list|
# bridge: create a network ''bridge'' on your computer (wireless clients will appear to access the same network interface and the same subnet that's used by your computer)
+
Wiphy phy1
# NAT framework: with IP forwarding/masquerading and DHCP service (wireless clients will use a dedicated subnet, data from/to that subnet is NAT-ted -- similar to a normal WiFi router that's connected to your DSL or cable modem)
+
...
 +
Supported interface modes:
 +
* IBSS
 +
* managed
 +
* '''AP'''
 +
* AP/VLAN
 +
* WDS
 +
* monitor
 +
* mesh point
 +
...
 +
}}
  
The bridged approch is more simple, but it requires that any service that's needed by your wireless clients (like, DHCP) is available on your computers external interface. That means it will not work if you have a dialup connection (e.g., via PPPoE or a 3G modem) or if you're using a cable modem that will supply exactly one IP address to you via DHCP.
+
=== Wireless client and software AP with a single Wi-Fi device ===
  
The NAT aproach is more versatile, as it clearly separates wifi clients from your computer and it's completely transparent to the outside world. It will work with any kind of network connection, and (if needed) you can introduce traffic policies using the usual iptables approach.
+
Creating a software AP is independent from your own network connection (Ethernet, wireless, ...). Many wireless devices even support ''simultaneous'' operation both as AP and as wireless "client" at the same time. Using that capability you can create a software AP acting as a "wireless repeater" for an existing network, using a single wireless device. The capability is listed in the following section in the output of {{ic|iw list}}:
  
So, what you will need is:
+
{{hc|1=$ iw list|2=
* For the actual Wifi link layer:
+
Wiphy phy1
** prism2/2.5/3 pure pci wireless card or nl80211 compatible cards (e.g. ath9k)
+
...
** wireless_tools, hostapd from pacman
+
        valid interface combinations:
* For the network setup:
+
                * #{ managed } <= 2048, #{ AP, mesh point } <= 8, #{ P2P-client, P2P-GO } <= 1,
** either bridge-utils (for the bridged setup), or
+
                  total <= 2048, #channels <= 1, STA/AP BI must match
** iptables and dnsmasq (or dhcp) from pacman
+
...
 +
}}
 +
The constraint {{ic|1=#channels <= 1}} means that your software AP must operate on the same channel as your Wi-Fi client connection; see the {{ic|channel}} setting in {{ic|hostapd.conf}} below.
  
= Steps to implement =
+
If you want to use the capability/feature, perhaps because an Ethernet connection is not available, you need to create two separate ''virtual interfaces'' for using it.
 +
Virtual interfaces for a physical device {{ic|wlan0}} can be created as follows:
 +
The ''virtual interfaces'' with unique MAC address are created for the network connection ({{ic|wlan0_sta}}) itself and for the software AP/hostapd "wireless repeater":
 +
 +
# iw dev wlan0 interface add wlan0_sta type managed addr 12:34:56:78:ab:cd 
 +
# iw dev wlan0 interface add wlan0_ap  type managed addr 12:34:56:78:ab:ce
  
== Wifi Link Layer ==
+
Random MAC address can be generated using [[macchanger]].
  
The actual Wifi "link" -- including WPA2 authentication -- is established via the hostapd package:
+
== Configuration ==
  pacman -S hostapd
+
  
The config file of hostapd /etc/hostapd/hostapd.conf will help you to put your wireless device into master mode and willing to accept connection from other computers with encrypted password.
+
Setting up an access point comprises two main parts:
 +
* Setting up the '''Wi-Fi link layer''', so that wireless clients can associate to your computer's "software access point" and send/receive IP packets from/to your computer; this is what the hostapd package will do for you.
 +
* Setting up the '''network configuration''' on you computer, so that your computer will properly relay IP packets from/to its own Internet connection from/to wireless clients.
  
Here is an example from http://www.su-root.co.uk/computing/turn-your-linux-computer-in-a-wireless-access-point-using-hostapd:
+
=== Wi-Fi link layer ===
  
interface=wlan0 # must match your wifi interface
+
The actual Wi-Fi link is established via the {{Pkg|hostapd}} package, which has WPA2 support.
# bridge=br0    # uncomment only for the bridged setup
+
driver=nl80211  # change if necessary
+
logger_stdout=-1
+
logger_stdout_level=2
+
ssid=test      # set to desired WiFi network name
+
hw_mode=g
+
channel=6
+
auth_algs=3
+
max_num_sta=255 # max number of clients
+
wpa=2          # use WPA2
+
wpa_passphrase=tryyourbest
+
wpa_key_mgmt=WPA-PSK
+
wpa_pairwise=TKIP CCMP
+
rsn_pairwise=CCMP
+
  
For automatically starting hostapd, add it to the DAEMONS array in the rc.conf file:
+
Adjust the options in ''hostapd'' configuration file if necessary. Especially, change the {{ic|ssid}} and the {{ic|wpa_passphrase}}. See [http://wireless.kernel.org/en/users/Documentation/hostapd hostapd Linux documentation page] for more information.
  
{{hc|/etc/rc.conf|2=
+
{{hc|/etc/hostapd/hostapd.conf|<nowiki>
...
+
ssid=YourWiFiName
DAEMONS=( ...  hostapd ... )
+
wpa_passphrase=Somepassphrase
...
+
interface=wlan0_ap
}}
+
bridge=br0
 +
auth_algs=3
 +
channel=7
 +
driver=nl80211
 +
hw_mode=g
 +
logger_stdout=-1
 +
logger_stdout_level=2
 +
max_num_sta=5
 +
rsn_pairwise=CCMP
 +
wpa=2
 +
wpa_key_mgmt=WPA-PSK
 +
wpa_pairwise=TKIP CCMP
 +
</nowiki>}}
  
== Routing Setup ==
+
{{Tip|You can set up the SSID with UTF-8 characters, so international characters will show properly. The option to enable it is {{ic|1=utf8_ssid=1}}. Some clients may have problems with recognizing the correct encoding (e.g. [[wpa_supplicant]] or Windows 7).}}
  
=== Bridged Setup ===
+
When starting hostapd, make sure the wireless network interface is brought up first:
  
==== Bridged Setup with Kernel >= 2.6.33) ====
+
# ip link set dev wlan0_ap up
  
{{Out of date}}
+
Otherwise, it will fail with a nondescript error: "could not configure driver mode".
Due to changes in the kernel since version 2.6.33 [http://bugs.gentoo.org/show_bug.cgi?id=298824 bridges cannot contain an uninitialized interface].
+
Because of this we need hostapd to add the wlan interface to the bridge instead.
+
  
Requirements:
+
For automatically starting hostapd, [[Daemon|enable]] the {{ic|hostapd.service}}.
* kernel >= 2.6.33
+
{{Warning|The wireless channels allowed for access point operation differ according to geography. Depending on the wireless firmware, you may have to set the region correctly to use legal channels. '''Do not''' choose another region, as you may be illegally disturbing network traffic, affecting wireless functionality of your own device and others within its reach! To set the region see [[Wireless network configuration#Respecting the regulatory domain]].}}
* hostapd >= 0.7.1
+
* bridge-utils
+
  
One way to set this up since the [https://bbs.archlinux.org/viewtopic.php?id=120549 changes in rc.conf] because of the deprecation of [https://www.archlinux.org/news/deprecation-of-net-tools/ net-tools] is to use [[Netcfg]]:
+
{{Note|If you have a card based on RTL8192CU chipset, install {{AUR|hostapd-8192cu}}{{Broken package link|{{aur-mirror|hostapd-8192cu}}}} in the [[AUR]] and replace {{ic|1=driver=nl80211}} with {{ic|1=driver=rtl871xdrv}} in the {{ic|hostapd.conf}} file.}}
  
Setup a profile in /etc/network.d/ (for example called "bridge").
+
=== Network configuration ===
  
{{hc|/etc/network.d/bridge|2=
+
There are two basic ways for implementing this:
INTERFACE="br0"
+
# '''bridge''': create a network ''bridge'' on your computer (wireless clients will appear to access the same network interface and the same subnet that's used by your computer)
CONNECTION="bridge"
+
# '''NAT''': with IP forwarding/masquerading and DHCP service (wireless clients will use a dedicated subnet, data from/to that subnet is NAT-ted -- similar to a normal Wi-Fi router that's connected to your DSL or cable modem)
DESCRIPTION="Bridge wired and wireless connection"
+
  
# Only add wired interface here, hostapd will add wireless
+
The bridge approach is simpler, but it requires that any service that's needed by your wireless clients (like, DHCP) is available on your computers external interface. That means it will not work if you have a dial-up connection (e.g., via PPPoE or a 3G modem) or if you're using a cable modem that will supply exactly one IP address to you via DHCP.
BRIDGE_INTERFACES="eth0"
+
IP="dhcp"}}
+
  
In rc.conf make sure you do the following:
+
The NAT approach is more versatile, as it clearly separates Wi-Fi clients from your computer and it's completely transparent to the outside world. It will work with any kind of network connection, and (if needed) you can introduce traffic policies using the usual iptables approach.
  
* Add the bridge profile to the NETWORKS list.
+
Of course, it is possible to ''combine both things''. For that, studying both articles would be necessary. Example: Like having a bridge that contains both an ethernet device and the wireless device with an static ip, offering DHCP and setting NAT configured to relay the traffic to an additional network device - that can be ppp or eth.
* Make sure you are starting the profiles by adding net-profiles to the DAEMONS list.
+
* Start hostapd after net-profiles by adding it to the DAEMONS list.
+
  
{{hc|/etc/rc.conf|2=
+
==== Bridge setup ====
NETWORKS=( bridge )
+
  
...
+
You need to create a network ''bridge'' and add your network interface (e.g. {{ic|eth0}}) to it. You '''should not''' add the wireless device (e.g. {{ic|wlan0}}) to the bridge; hostapd will add it on its own.
  
DAEMONS=( ... net-profiles hostapd ... )
+
See [[Network bridge]].
}}
+
  
Reboot the machine and use another computer to see if you can find the "test" wireless connection.
+
{{Tip|You may wish to reuse an existing bridge, if you have one (e.g. used by a virtual machine).}}
  
If you do not want to reboot these commands should work:
+
==== NAT setup ====
  
  netcfg up bridge
+
See [[Internet sharing#Configuration]] for configuration details.
  rc.d start hostapd
+
  
==== Old way to set up bridge ====
+
In that article, the device connected to the LAN is {{ic|net0}}. That device would be in this case your wireless device (e.g. {{ic|wlan0}}).
  
before hostapd does its job, eth0, wlan0 and br0 must be up and do not have any address. we can put the following lines in /etc/rc.conf
+
== Tools ==
  
eth0="eth0 up"
+
=== create_ap ===
wlan0="wlan0 up"
+
br0="br0 192.168.0.2 netmask 255.255.255.0 up"
+
INTERFACES=(lo eth0 wlan0 br0)
+
  
in the /etc/conf.d/bridges file, uncomment the lines (change eth1 to wlan0)
+
The [https://bbs.archlinux.org/viewtopic.php?pid=1269258 create_ap] script combines {{Pkg|hostapd}}, [[dnsmasq]] and [[iptables]] to create a Bridged/NATed Access Point (available in the [[AUR]] {{Aur|create_ap}}).
  
  bridge_br0="eth0 wlan0"
+
  # create_ap wlan0 internet0 MyAccessPoint MyPassPhrase
BRIDGE_INTERFACES=(br0)
+
  
we are ready to go, just reboot the machine and use another computer to see if you can find the "test" wireless connection.
+
=== RADIUS ===
  
{{note|*untested* if your computer stops at the sign of "waiting for IP address" etc, that may be it can not find a dhcp server. so you need to set up one.}}
+
See [https://me.m01.eu/blog/2012/05/wpa-2-enterprise-from-scratch-on-a-raspberry-pi/] for instructions to run a [http://freeradius.org/ FreeRADIUS] server for [[WPA2 Enterprise]].
  
=== NAT Setup ===
+
== Troubleshooting ==
  
The description below assumes that
+
===WLAN is very slow===
* network 192.168.0.x is used for the Wifi network
+
* your computer acts as default gateway for that network (on 192.168.0.1), and
+
* hostapd is attached to interface wlan0
+
* your computer's internet connection is via ppp0
+
If you need to use a different subnet, or if your device names are different, then please change the examples below accordingly.
+
  
==== Step 1: IP Configuration ====
+
This could be caused by low entropy. Consider installing [[haveged]].
  
Ensure that hostapd is running (run /etc/rd.c/hostapd start). Then perform these commands:
+
===NetworkManager is interfering===
  
  ifconfig wlan0 192.168.0.1  # assign IP address to interface used by hostapd
+
hostapd may not work, if the device is managed by NetworkManager. You can mask the device:
  sysctl net.ipv4.ip_forward=1 # enable IP forwarding
+
  iptables -P FORWARD ACCEPT  # initialize iptables chains
+
  iptables -P OUTPUT ACCEPT
+
  iptables -P INPUT ACCEPT
+
  iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE # setup NAT
+
  
This will establish proper IP forwarding and NAT for all WiFi clients that connect via hostapd.
+
{{hc|/etc/NetworkManager/NetworkManager.conf|<nowiki>
For more advanced configuration, or if you need to setup NAT with an existing forewall, see [[Simple stateful firewall]].
+
[keyfile]
 +
unmanaged-devices=mac:<hwaddr>
 +
</nowiki>}}
  
What's missing still is a DHCP service so clients can automatically acquire the needed settings.
+
===Cannot start AP mode in 5Ghz band===
  
==== Step 2: DHCP Server ====
+
Apparently with the special country code {{ic|00}} (global), all usable frequencies in the 5Ghz band will have the [https://wireless.wiki.kernel.org/en/developers/regulatory/processing_rules#post_processing_mechanisms  {{ic|no-ir}} (''no-initiating-radiation'')] flag set, which will prevent hostapd from using them. You will need to have {{Pkg|crda}} installed and have your country code set to make frequencies allowed in your country available for hostapd.
 
+
While any DHCP server will do (like the dhcp package from pacman), the description here is based on the dnsmasq package; it is easier to configure and it provides caching for DNS queries coming from WiFi clients.
+
 
+
Install the dnsmasq package:
+
  pacman -S dnsmasq
+
Uncomment this line in /etc/dnsmasq.conf:
+
{{hc|/etc/dnsmasq.conf|2=
+
...
+
conf-dir=/etc/dnsmasq.d
+
...
+
}}
+
Create the DHCP config for dnsmasq in a new file /etc/dnsmasq.d/dhcpd
+
{{hc|/etc/dnsmasq.d/dhcpd|2=
+
interface=wlan0
+
dhcp-range=192.168.0.50,192.168.0.150,12h
+
}}
+
 
+
Then start dnsmasq by running
+
  /etc/rc.d/dnsmasq start
+
 
+
At this points, WiFi clients should be able to connect to your network, then acquire the network config via DHCP, and then send/receive data using your computer as a NATted router.
+
 
+
= Troubleshooting =
+
==WLAN is very slow==
+
This could be caused by low entropy. Consider installing [[haveged]].
+
  
= See also =
+
== See also ==
  
* [http://wireless.kernel.org/RTFM-AP hostapd Linux documentation page]
 
 
* [[Router]]
 
* [[Router]]
* [http://nims11.wordpress.com/2012/04/27/hostapd-the-linux-way-to-create-virtual-wifi-access-point/ Hostapd : The Linux Way to create Virtual Wifi Access Point]
+
* [http://nims11.wordpress.com/2012/04/27/hostapd-the-linux-way-to-create-virtual-wifi-access-point/ Hostapd : The Linux Way to create Virtual Wi-Fi Access Point]
 +
* [http://xyne.archlinux.ca/notes/network/dhcp_with_dns.html tutorial and script for configuring a subnet with DHCP and DNS]
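Review bot: The new /etc/hostapd/hostapd.conf example keeps auth_algs=3, which also enables Shared Key authentication, a mode that only applies to WEP; with wpa=2 and wpa_key_mgmt=WPA-PSK, auth_algs=1 (Open System) is sufficient. In the same block, wpa_pairwise=TKIP CCMP has no effect while wpa=2 and rsn_pairwise=CCMP are set, and it would enable TKIP if someone later changed wpa to 3, so it is worth dropping that line from the example.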

Latest revision as of 08:01, 10 July 2016

A software access point is used when you want your computer to act as a Wi-Fi access point for the local network. It saves you the trouble of getting a separate wireless router.

Requirements

Wi-Fi device must support AP mode

You need an nl80211 compatible wireless device which supports the AP operating mode. This can be verified by running the iw list command; the Supported interface modes block should list AP:

$ iw list
Wiphy phy1
...
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * AP/VLAN
		 * WDS
		 * monitor
		 * mesh point
...

Wireless client and software AP with a single Wi-Fi device

Creating a software AP is independent from your own network connection (Ethernet, wireless, ...). Many wireless devices even support simultaneous operation as both AP and wireless "client". Using that capability you can create a software AP acting as a "wireless repeater" for an existing network, using a single wireless device. The capability is listed in the following section of the output of iw list:

$ iw list
Wiphy phy1
...
        valid interface combinations:
                 * #{ managed } <= 2048, #{ AP, mesh point } <= 8, #{ P2P-client, P2P-GO } <= 1,
                   total <= 2048, #channels <= 1, STA/AP BI must match
...

The constraint #channels <= 1 means that your software AP must operate on the same channel as your Wi-Fi client connection; see the channel setting in hostapd.conf below.
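
Both requirements above (AP mode, and simultaneous client plus AP operation) can be read off iw list output mechanically. The following script is an added example, not part of the ArchWiki page or the iw project; the function names phy_report and page_iw_sample are made up here, and the sample input is assembled from the two excerpts shown above.

```shell
#!/bin/sh
# Added example, not ArchWiki or iw project code.
# Summarises `iw list` output read from stdin, one line per Wiphy.
phy_report() {
    awk '
    function report() {
        if (phy == "") return
        eval_combo()
        printf "%s ap_mode=%s sta_ap=%s channels=%d\n", phy,
            (ap_mode ? "yes" : "no"), (sta_ap ? "yes" : "no"), chans
        ap_mode = sta_ap = chans = 0; sect = ""
    }
    # Evaluate the combination entry accumulated in combo.
    function eval_combo(   n, g, i, c, body, lim, sta, ap, both, tot, ch) {
        if (combo == "") return
        n = split(combo, g, "#[{]")
        for (i = 2; i <= n; i++) {
            c = index(g[i], "}")
            body = "," substr(g[i], 1, c - 1) ","
            gsub(/[ \t]/, "", body)
            lim = substr(g[i], c + 1); sub(/^[^0-9]*/, "", lim); lim += 0
            if (index(body, ",managed,") && index(body, ",AP,")) both = (lim >= 2)
            else if (index(body, ",managed,")) sta = (lim >= 1)
            else if (index(body, ",AP,")) ap = (lim >= 1)
        }
        tot = substr(combo, index(combo, "total <= ") + 9) + 0
        ch = substr(combo, index(combo, "#channels <= ") + 13) + 0
        # Client and AP together need both types and room for two interfaces.
        if ((both || (sta && ap)) && tot >= 2) {
            sta_ap = 1
            if (ch > chans) chans = ch
        }
        combo = ""
    }
    /^Wiphy / { report(); phy = $2; next }
    /Supported interface modes:/ { sect = "modes"; next }
    /valid interface combinations:/ { sect = "combos"; next }
    sect == "modes" {
        if ($1 == "*") { if ($2 == "AP" && NF == 2) ap_mode = 1; next }
        sect = ""
    }
    sect == "combos" {
        if ($1 == "*") { eval_combo(); combo = $0; next }
        if ($1 ~ /^#[{]/ || $1 == "total") { combo = combo " " $0; next }
        eval_combo(); sect = ""
    }
    END { report() }'
}

# Excerpt assembled from the two `iw list` excerpts shown on this page.
page_iw_sample() {
    cat <<'EOF'
Wiphy phy1
...
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * WDS
         * monitor
         * mesh point
...
    valid interface combinations:
         * #{ managed } <= 2048, #{ AP, mesh point } <= 8, #{ P2P-client, P2P-GO } <= 1,
           total <= 2048, #channels <= 1, STA/AP BI must match
...
EOF
}

page_iw_sample | phy_report
```

On a real system, run it as iw list | phy_report. A result of channels=1 means the channel in hostapd.conf has to follow the channel of the client connection.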

If you want to use this capability, perhaps because an Ethernet connection is not available, you need to create two separate virtual interfaces, each with a unique MAC address: one for the network connection itself (wlan0_sta) and one for the software AP/hostapd "wireless repeater" (wlan0_ap). For a physical device wlan0, they can be created as follows:

# iw dev wlan0 interface add wlan0_sta type managed addr 12:34:56:78:ab:cd  
# iw dev wlan0 interface add wlan0_ap  type managed addr 12:34:56:78:ab:ce

A random MAC address can be generated using macchanger.

Configuration

Setting up an access point comprises two main parts:

  • Setting up the Wi-Fi link layer, so that wireless clients can associate to your computer's "software access point" and send/receive IP packets from/to your computer; this is what the hostapd package will do for you.
  • Setting up the network configuration on your computer, so that your computer will properly relay IP packets from/to its own Internet connection from/to wireless clients.

Wi-Fi link layer

The actual Wi-Fi link is established via the hostapd package, which has WPA2 support.

Adjust the options in the hostapd configuration file if necessary. In particular, change the ssid and the wpa_passphrase. See hostapd Linux documentation page for more information.

/etc/hostapd/hostapd.conf
ssid=YourWiFiName
wpa_passphrase=Somepassphrase
interface=wlan0_ap
bridge=br0
auth_algs=3
channel=7
driver=nl80211
hw_mode=g
logger_stdout=-1
logger_stdout_level=2
max_num_sta=5
rsn_pairwise=CCMP
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
Tip: You can set up the SSID with UTF-8 characters, so international characters will show properly. The option to enable it is utf8_ssid=1. Some clients may have problems with recognizing the correct encoding (e.g. wpa_supplicant or Windows 7).
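
The hostapd.conf above decides how strong the wireless link is, so it is worth checking before the AP goes live. The following script is an added example, not part of the ArchWiki page or the hostapd project; the function names and finding labels are made up here, and the checks cover only the options that appear in the example configuration.

```shell
#!/bin/sh
# Added example, not ArchWiki or hostapd project code.
# Audits the link-layer security settings of a hostapd.conf.

# Print the last value assigned to KEY ($2) in FILE ($1). Lines starting
# with '#' are comments; the value is everything after the first '='.
conf_get() {
    awk -v k="$2" '
        /^#/ { next }
        index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
        END { print v }' "$1"
}

audit_hostapd_conf() {
    a_file=$1
    a_wpa=$(conf_get "$a_file" wpa)
    a_auth=$(conf_get "$a_file" auth_algs)
    a_rsn=$(conf_get "$a_file" rsn_pairwise)
    a_pass=$(conf_get "$a_file" wpa_passphrase)
    a_ssid=$(conf_get "$a_file" ssid)

    # wpa is a bit field: 1 = WPA (v1), 2 = WPA2/RSN, 3 = both.
    [ "$a_wpa" = 2 ] || echo "WPA_MODE wpa=${a_wpa:-unset}, expected 2 (WPA2 only)"
    # auth_algs bit 1 (value 2) is Shared Key authentication, used only by WEP.
    case $a_auth in
        2|3) echo "SHARED_KEY_AUTH auth_algs=$a_auth, use 1 (Open System) with WPA2" ;;
    esac
    # rsn_pairwise falls back to wpa_pairwise when it is not set.
    [ -n "$a_rsn" ] || a_rsn=$(conf_get "$a_file" wpa_pairwise)
    case " $a_rsn " in
        *" TKIP "*) echo "TKIP pairwise ciphers for WPA2 include TKIP: $a_rsn" ;;
    esac
    # A WPA passphrase is 8 to 63 characters long.
    if [ ${#a_pass} -lt 8 ] || [ ${#a_pass} -gt 63 ]; then
        echo "PASSPHRASE_LENGTH wpa_passphrase has ${#a_pass} characters, need 8..63"
    fi
    # Values copied unchanged from the example on this page.
    [ "$a_pass" != Somepassphrase ] || echo "PLACEHOLDER wpa_passphrase is the wiki example value"
    [ "$a_ssid" != YourWiFiName ] || echo "PLACEHOLDER ssid is the wiki example value"
    # The file holds the passphrase in clear text.
    if [ -n "$(find "$a_file" -perm -004 2>/dev/null)" ]; then
        echo "WORLD_READABLE $a_file is readable by all users"
    fi
    return 0
}

# The example configuration from this page, written to FILE ($1).
write_page_conf() {
    cat > "$1" <<'EOF'
ssid=YourWiFiName
wpa_passphrase=Somepassphrase
interface=wlan0_ap
bridge=br0
auth_algs=3
channel=7
driver=nl80211
hw_mode=g
logger_stdout=-1
logger_stdout_level=2
max_num_sta=5
rsn_pairwise=CCMP
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
EOF
}

demo=$(mktemp)
write_page_conf "$demo"
audit_hostapd_conf "$demo"
rm -f "$demo"
```

To check a live configuration, call audit_hostapd_conf /etc/hostapd/hostapd.conf as a user that is allowed to read the file; no output means none of the checks fired.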

When starting hostapd, make sure the wireless network interface is brought up first:

# ip link set dev wlan0_ap up

Otherwise, it will fail with a nondescript error: "could not configure driver mode".

For automatically starting hostapd, enable the hostapd.service.

Warning: The wireless channels allowed for access point operation differ according to geography. Depending on the wireless firmware, you may have to set the region correctly to use legal channels. Do not choose another region, as you may be illegally disturbing network traffic, affecting wireless functionality of your own device and others within its reach! To set the region see Wireless network configuration#Respecting the regulatory domain.
Note: If you have a card based on the RTL8192CU chipset, install hostapd-8192cu from the AUR and replace driver=nl80211 with driver=rtl871xdrv in the hostapd.conf file.

Network configuration

There are two basic ways for implementing this:

  1. bridge: create a network bridge on your computer (wireless clients will appear to access the same network interface and the same subnet that's used by your computer)
  2. NAT: with IP forwarding/masquerading and DHCP service (wireless clients will use a dedicated subnet, data from/to that subnet is NAT-ted -- similar to a normal Wi-Fi router that's connected to your DSL or cable modem)

The bridge approach is simpler, but it requires that any service needed by your wireless clients (such as DHCP) is available on your computer's external interface. That means it will not work if you have a dial-up connection (e.g., via PPPoE or a 3G modem) or if you are using a cable modem that will supply exactly one IP address to you via DHCP.

The NAT approach is more versatile, as it clearly separates Wi-Fi clients from your computer and it's completely transparent to the outside world. It will work with any kind of network connection, and (if needed) you can introduce traffic policies using the usual iptables approach.

Of course, it is possible to combine both approaches; for that, studying both articles would be necessary. For example, you could have a bridge with a static IP that contains both an Ethernet device and the wireless device, offers DHCP, and uses NAT to relay the traffic to an additional network device, which can be ppp or eth.

Bridge setup

You need to create a network bridge and add your network interface (e.g. eth0) to it. You should not add the wireless device (e.g. wlan0) to the bridge; hostapd will add it on its own.

See Network bridge.

Tip: You may wish to reuse an existing bridge, if you have one (e.g. used by a virtual machine).

NAT setup

See Internet sharing#Configuration for configuration details.

In that article, the device connected to the LAN is net0. In this case, that device would be your wireless device (e.g. wlan0).

Tools

create_ap

The create_ap script combines hostapd, dnsmasq and iptables to create a Bridged/NATed Access Point (available in the AUR as create_ap).

# create_ap wlan0 internet0 MyAccessPoint MyPassPhrase

RADIUS

See https://me.m01.eu/blog/2012/05/wpa-2-enterprise-from-scratch-on-a-raspberry-pi/ for instructions to run a FreeRADIUS server for WPA2 Enterprise.

Troubleshooting

WLAN is very slow

This could be caused by low entropy. Consider installing haveged.

NetworkManager is interfering

hostapd may not work if the device is managed by NetworkManager. You can mask the device:

/etc/NetworkManager/NetworkManager.conf
[keyfile]
unmanaged-devices=mac:<hwaddr>

Cannot start AP mode in 5 GHz band

Apparently, with the special country code 00 (global), all usable frequencies in the 5 GHz band have the no-ir (no-initiating-radiation) flag set, which prevents hostapd from using them. You need to have crda installed and your country code set to make the frequencies allowed in your country available to hostapd.

See also