Create an account


Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Fedora - Create a wifi hotspot with Raspberry Pi 3 and Fedora

#1
Create a wifi hotspot with Raspberry Pi 3 and Fedora

<div><p>If you’re already <a href="https://fedoramagazine.org/install-fedora-on-a-raspberry-pi/">running Fedora on your Pi</a>, you’re already most of the way to a wifi hotspot. A Raspberry Pi has a wifi interface that’s usually set up to join an existing wifi network. This interface can be reconfigured to provide a new wifi network. If a room has a good network cable and a bad wifi signal (a brick wall, foil-backed plasterboard, and even a window with a metal oxide coating are all obstacles), fix it with your Pi.</p>
<p>This article describes the procedure for setting up the hotspot. It was tested on third generation Pis – a <a href="https://www.raspberrypi.org/products/raspberry-pi-3-model-b/">Model B v1.2</a>, and a <a href="https://www.raspberrypi.org/products/raspberry-pi-3-model-b-plus/">Model B+ </a>(the older <a href="https://www.raspberrypi.org/products/raspberry-pi-2-model-b/">2</a> and the new <a href="https://www.raspberrypi.org/products/raspberry-pi-4-model-b/">4</a> weren’t tested). These are the credit-card size Pis that have been around a few years.</p>
<p> <span id="more-31526"></span> </p>
<p>This article also delves a little way into the network concepts behind the scenes. For instance, “hotspot” is the term that’s caught on in public places around the world, but it’s more accurate to use the term WLAN AP (Wireless Local Area Network Access Point).In fact, if you want to annoy your friendly neighborhood network administrator, call a hotspot a “wifi router”. The inaccuracy will make their eyes cross.</p>
<p>A few <em>nmcli</em> commands configure the Raspberry Pi as a wifi AP. The <em>nmcli</em> command-line tool controls the NetworkManager daemon. It’s not the only network configuration system available. More complex solutions are available for the adventurous. Check out the <a href="http://w1.fi/hostapd/">hostapd</a> RPM package and the <a href="https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi">OpenWRT distro</a>. Have a look at <a href="https://fedoramagazine.org/internet-connection-sharing-networkmanager/">Internet connection sharing with NetworkManager</a> for more ideas.</p>
<h2>A dive into network administration</h2>
<p>The hotspot is a routed AP (Access Point). It sits between two networks, the current wired network and its new wireless network, and takes care of the post-office-style forwarding of IP packets between them.</p>
<h3>Routing and interfaces</h3>
<p>The wireless interface on the Raspberry Pi is named <strong>wlan0</strong> and the wired one is <strong>eth0</strong>. The new wireless network uses one range of IP addresses and the current wired network uses another. In this example, the current network range is 192.168.0.0/24 and the new network range is 10.42.0.0/24. If these numbers make no sense, that’s OK. You can carry on without getting to grips with IP subnets and netmasks. The Raspberry Pi’s two interfaces have IP addresses from these ranges.</p>
<p>Packets are sent to local computers or remote destinations based on their IP addresses. This is routing work, and it’s where the <em>routed</em> part of <em>routed AP</em> name comes from. If you’d like to build a more complex router with DHCP and DNS, pick up some tips from the article <a href="https://fedoramagazine.org/use-fedora-server-create-router-gateway/">How to use Fedora Server to create a router / gateway</a>.</p>
<h3>It’s not a bridged AP</h3>
<p>Netowrk bridging is another way of extending a network, but it’s not how this Pi is set up. This routed AP is not a bridged AP. To understand the difference between routing and bridging, you have to know a little about the networking layers of the OSI network model. A good place to start is the <a href="https://www.redhat.com/sysadmin/beginners-guide-network-troubleshooting-linux">beginner’s guide to network troubleshooting in Linux</a>. Here’s the short answer.</p>
<ul>
<li>layer 3, network ← Yes, our routed AP is here. </li>
<li>layer 2, data link ← No, it’s not a bridged AP. </li>
<li>layer 1, physical ← Radio transmission is covered here.</li>
</ul>
<p>A <a href="https://wiki.linuxfoundation.org/networking/bridge">bridge</a> works at a lower layer of the network stack – it uses ethernet MAC addresses to send data. If this was a bridged AP, it wouldn’t have two sets of IP addresses; the new wireless network and the current wired network would use the same IP subnet.</p>
<h3>IP masquerading</h3>
<p>You won’t find an IP address starting with <em>10.</em> anywhere on the Internet. It’s a private address, not a public address. To get an IP packet routed out of the wifi network and back in again, packet addresses have to be changed. <strong>IP masquerading</strong> is a way of making this routing work. The masquerade name is used because the packets’ real addresses are hidden. the wired network doesn’t see any addresses from the wireless network.</p>
<p>IP masquerading is set up automatically by NetworkManager. NetworkManager adds nftables rules to handle <a href="https://en.wikipedia.org/wiki/Network_address_translation">IP masquerading</a>.</p>
<h3>The Pi’s network stack</h3>
<p>A stack of network hardware and software makes wifi work.</p>
<ul>
<li>Network hardware </li>
<li>Kernel space software </li>
<li>User space software</li>
</ul>
<p>You can see the network hardware. The Raspberry Pi has two main hardware components – a tiny antenna and Broadcom wifi chip. <a href="https://magpi.raspberrypi.org/articles/raspberry-pi-3-specs-benchmarks">MagPi magazine has some great photos</a>.</p>
<p>Kernel software provides the plumbing. There’s no need to work on these directly – it’s all good to go in the Fedora distribution.</p>
<ul>
<li><a href="https://wireless.wiki.kernel.org/en/users/drivers/brcm80211">Broadcom driver modules</a> talk to the hardware. List these with the command <em>lsmod | grep brcm</em>. </li>
<li>A TCP/IP stack handles protocols. </li>
<li>The <a href="https://www.netfilter.org/">netfilter framework</a> filters packets. </li>
<li>A network system ties these all together.</li>
</ul>
<p>User space software customizes the system. It’s full of utilities that either help the user, talk to the kernel, or connect other utilities together. For instance, the <a href="https://firewalld.org/documentation/utilities/firewall-cmd.html">firewall-cmd</a> tool talks to the <a href="https://firewalld.org/">firewalld service</a>, firewalld talks to the <a href="https://firewalld.org/2018/07/nftables-backend">nftables</a> tool, and nftables talks to the netfilter framework in the kernel. The <a href="https://developer.gnome.org/NetworkManager/stable/nmcli.html">nmcli</a> commands talk to <a href="https://wiki.gnome.org/Projects/NetworkManager">NetworkManager</a>. And NetworkManager talks to pretty much everything.</p>
<h2>Create the AP</h2>
<p>That’s enough theory — let’s get practical. Fire up your Raspberry Pi running Fedora and run these commands. </p>
<h3>Install software</h3>
<p>Nearly all the required software is included with the Fedora Minimal image. The only thing missing is the <em>dnsmasq</em> package. This handles the DHCP and IP address part of the new wifi network, automatically. Run this command <a href="https://fedoramagazine.org/howto-use-sudo/">using sudo</a>:</p>
<pre class="wp-block-preformatted">$ sudo dnf install dnsmasq</pre>
<h3>Create a new NetworkManager connection</h3>
<p>NetworkManager sets up one network connection automatically, <em>Wired connection 1</em>. Use the <em>nmcli</em> tool to tell NetworkManager how to add a wifi connection. NetworkManager saves these settings, and a bunch more, in a new config file.</p>
<p>The new configuration file is created in the directory <em>/etc/sysconfig/network-scripts/</em>. At first, it’s empty; the image has no configuration files for network interfaces. If you want to find out more about how NetworkManager uses the <em>network-scripts</em> directory, the gory details are in the <a href="https://people.freedesktop.org/~lkundrak/nm-docs/nm-settings-ifcfg-rh.html">nm-settings-ifcfg-rh man page</a>.</p>
<pre class="wp-block-preformatted">[nick@raspi ~]$ ls /etc/sysconfig/network-scripts/
[nick@raspi ~]$</pre>
<p>The first <em>nmcli</em> command, to create a network connection, looks like this. There’s more to do — the Pi won’t work as a hotspot after running this.</p>
<pre class="wp-block-preformatted">nmcli con add \ type wifi \ ifname wlan0 \ con-name 'raspi hotspot' \ autoconnect yes \ ssid 'raspi wifi'</pre>
<p>The following commands complete several more steps:</p>
<ul>
<li>Create a new connection. </li>
<li>List the connections. </li>
<li>Take another look at the <em>network-scripts</em> folder. NetworkManager added a config file. </li>
<li>List available APs to connect to.</li>
</ul>
<p>This requires running several commands as root <a href="https://fedoramagazine.org/howto-use-sudo/">using <em>sudo</em></a>:</p>
<pre class="wp-block-preformatted">$ <strong>sudo nmcli con add type wifi ifname wlan0 con-name 'raspi hotspot' autoconnect yes ssid 'raspi wifi'</strong>
Connection 'raspi wifi' (13ea67a7-a8e6-480c-8a46-3171d9f96554) successfully added.
$ <strong>sudo nmcli connection show</strong>
NAME UUID TYPE DEVICE
Wired connection 1 59b7f1b5-04e1-3ad8-bde8-386a97e5195d ethernet eth0
raspi wifi 13ea67a7-a8e6-480c-8a46-3171d9f96554 wifi wlan0
$ <strong>ls /etc/sysconfig/network-scripts/</strong>
ifcfg-raspi_wifi
$ <strong>sudo nmcli device wifi list</strong>
IN-USE BSSID SSID MODE CHAN RATE SIGNAL BARS SECURITY 01:0B:03:04:C6:50 APrivateAP Infra 6 195 Mbit/s 52 ▂▄__ WPA2 02:B3:54:05:C8:51 SomePublicAP Infra 6 195 Mbit/s 52 ▂▄__ --</pre>
<p>You can remove the new config and start again with this command:</p>
<pre class="wp-block-preformatted">$ sudo nmcli con delete 'raspi hotspot'</pre>
<h3>Change the connection mode</h3>
<p>A NetworkManager connection has many configuration settings. You can see these with the command <em>nmcli con show ‘raspi hotspot’</em>. Some of these settings start with the label <em>802-11-wireless</em>. This is to do with industry standards that make wifi work – the IEEE organization specified many protocols for wifi, named <a href="https://en.wikipedia.org/wiki/IEEE_802.11">802.11</a>. This new wifi connection is in <em>infrastructure</em> mode, ready to connect to a wifi access point. The Pi isn’t supposed to connect to another AP; it’s supposed to be the AP that others connect to.</p>
<p>This command changes the mode from infrastructure to AP. It also sets a few other <a href="https://developer.gnome.org/NetworkManager/stable/settings-802-11-wireless.html">wireless properties</a>. The <strong>bg</strong> value tells NetworkManager to follow two old IEEE standards – <a href="https://en.wikipedia.org/wiki/IEEE_802.11#802.11b">802.11b</a> and <a href="https://en.wikipedia.org/wiki/IEEE_802.11#802.11g">802.11g</a>. Basically it configures the radio to use the 2.4GHz frequency band, not the 5GHz band. <strong>ipv4.method shared</strong> means this connection will be shared with others.</p>
<ul>
<li>Change the connection to a hotspot by changing the mode to <em>ap</em>.</li>
</ul>
<pre class="wp-block-preformatted">sudo nmcli connection \ modify "raspi hotspot" \ 802-11-wireless.mode ap \ 802-11-wireless.band bg \ ipv4.method shared</pre>
<p>The connection starts automatically. The <em>dnsmasq</em> application gives the wlan0 interface an IP address of 10.42.0.1. The manual commands to start and stop the hotspot are:</p>
<pre class="wp-block-preformatted">$ sudo nmcli con up "raspi hotspot"
$ sudo nmcli con down "raspi hotspot"</pre>
<h3>Connect a device</h3>
<p>The next steps are to:</p>
<ul>
<li>Watch the log. </li>
<li>Connect a smartphone. </li>
<li>When you’ve seen enough, type
<div class="codecolorer-container text default" style="overflow:auto;border:1px solid #9F9F9F;width:435px">
<div class="text codecolorer" style="padding:5px;font:normal 12px/1.4em Monaco, Lucida Console, monospace">^C</div>
</div>
<p> ([control][c]) to stop watching the log.</li>
</ul>
<pre class="wp-block-preformatted">$ <strong>journalctl --follow</strong>
-- Logs begin at Wed 2020-04-01 18:23:45 BST. --
...</pre>
<p>Use a wifi-enabled device, like your phone. The phone can find the new <em>raspi wifi</em> network. </p>
<p>Messages about an associating client appear in the activity log:</p>
<pre class="wp-block-preformatted">Jun 10 18:08:05 raspi wpa_supplicant[662]: wlan0: AP-STA-CONNECTED 94:b0:1f:2e:d2:bd
Jun 10 18:08:05 raspi wpa_supplicant[662]: wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jun 10 18:08:05 raspi dnsmasq-dhcp[713]: DHCPREQUEST(wlan0) 10.42.0.125 94:b0:1f:2e:d2:bd
Jun 10 18:08:05 raspi dnsmasq-dhcp[713]: DHCPACK(wlan0) 10.42.0.125 94:b0:1f:2e:d2:bd nick</pre>
<h2>Examine the firewall</h2>
<p>A new security zone named <em>nm-shared</em> has appeared. This is stopping some wifi access.</p>
<pre class="wp-block-preformatted">$ <strong>sudo firewall-cmd --get-active-zones</strong>
[sudo] password for nick:
nm-shared interfaces: wlan0
public interfaces: eth0</pre>
<p>The new zone is set up to accept everything because the target is <em>ACCEPT</em>. Clients are able to use web, mail and SSH to get to the Internet. </p>
<pre class="wp-block-preformatted">$ <strong>sudo firewall-cmd --zone=nm-shared --list-all</strong>
nm-shared (active) target: ACCEPT icmp-block-inversion: no interfaces: wlan0 sources: services: dhcp dns ssh ports: protocols: icmp ipv6-icmp masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: rule priority="32767" reject</pre>
<p>This big list of config settings takes a little examination.</p>
<p>The first line, the innocent-until-proven-guilty option <em>target: ACCEPT</em> says all traffic is allowed through, unless a rule says otherwise. It’s the same as saying these types of traffic are all OK.</p>
<ul>
<li>inbound packets – requests sent from wifi clients to the Raspberry Pi</li>
<li>forwarded packets – requests from wifi clients to the Internet</li>
<li>outbound packets – requests sent by the PI to wifi clients</li>
</ul>
<p>However, there’s a hidden gotcha: requests from wifi clients (like your workstation) to the Raspberry Pi may be rejected. The final line — the mysterious rule in the <em>rich rules</em> section — refers to the <a href="https://www.man7.org/linux/man-pages/man8/ip-rule.8.html">routing policy database</a>. The rule stops you from connecting from your workstation to your Pi with a command like this: <em>ssh 10.42.0.1</em>. This rule only affects traffic sent to to the Raspberry Pi, not traffic sent to the Internet, so browsing the web works fine.</p>
<p>If an inbound packet matches something in the <em>services</em> and <em>protocols</em> lists, it’s allowed through. NetworkManager automatically adds ICMP, DHCP and DNS (Internet infrastructure services and protocols). An SSH packet doesn’t match, gets as far as the <a href="https://firewalld.org/2018/12/rich-rule-priorities">post-processing</a> stage, and is rejected — <em>priority=”32767″</em> translates as “do this after all the processing is done.”</p>
<p>If you want to know what’s happening behind the scenes, that rich rule creates an nftables rule. The nftables rule looks like this.</p>
<pre class="wp-block-preformatted">$ <strong>sudo nft list chain inet firewalld filter_IN_nm-shared_post</strong>
table inet firewalld { chain filter_IN_nm-shared_post { reject }
}</pre>
<h3>Fix SSH login</h3>
<p>Connect from your workstation to the Raspberry Pi using SSH.This won’t work because of the rich rule. A protocol that’s not on the list gets instantly rejected.</p>
<p>Check that SSH is blocked:</p>
<pre class="wp-block-preformatted">$ <strong>ssh 10.42.0.1</strong>
ssh: connect to host 10.42.0.1 port 22: Connection refused</pre>
<p>Next, add SSH to the list of allowed services. If you don’t remember what services are defined, list them all with <em>firewall-cmd ‐‐get-services</em>. For SSH, use option <em>‐‐add-service ssh</em> or <em>‐‐remove-service ssh</em>. Don’t forget to make the change permanent.</p>
<pre class="wp-block-preformatted">$ <strong>sudo firewall-cmd --add-service ssh --permanent --zone=nm-shared</strong>
success</pre>
<p>Now test with SSH again.</p>
<pre class="wp-block-preformatted">$ <strong>ssh 10.42.0.1</strong>
The authenticity of host '10.42.0.1 (10.42.0.1)' can't be established.
ECDSA key fingerprint is SHA256:dDdgJpDSMNKR5h0cnpiegyFGAwGD24Dgjg82/NUC3Bc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? <strong>yes</strong>
Warning: Permanently added '10.42.0.1' (ECDSA) to the list of known hosts.
Last login: Tue Jun 9 18:58:36 2020 from 10.0.1.35
[email protected]'s password:</pre>
<p>SSH access is no longer blocked.</p>
<h2>Test as a headless computer</h2>
<p>The raspberry pi runs fine as a <a href="https://en.wikipedia.org/wiki/Headless_computer">headless computer</a>. From here on, you can use SSH to work on your Pi.</p>
<ul>
<li>Power off.</li>
<li>Remove keyboard and video monitor. </li>
<li>Power on. </li>
<li>Wait a couple minutes. </li>
<li>Connect from your workstation to the Raspberry Pi using SSH. Use either the wired interface or the wireless one; both work. </li>
</ul>
<h2>Increase security with WPA-PSK</h2>
<p>The WPA-PSK (Wifi Protected Access with Pre-Shared Key) system is designed for home users and small offices. It is password protected. Use nmcli again to add WPA-PSK:</p>
<pre class="wp-block-preformatted">$ sudo nmcli con modify "raspi hotspot" wifi-sec.key-mgmt wpa-psk
$ sudo nmcli con modify "raspi hotspot" wifi-sec.psk "hotspot-password"</pre>
<h2>Troubleshooting</h2>
<p>Here are a couple recommendations:</p>
<ul>
<li>Mine journalctl, Google and forums. </li>
<li>Join the <a href="https://lists.fedoraproject.org/admin/lists/arm.lists.fedoraproject.org/">Fedora ARM mailing list</a>.</li>
</ul>
<p>The bad news is, there are no troubleshooting tips here. There are so many things that can go wrong, there’s no way of covering them.</p>
<p>Troubleshooting a network stack is tricky. If one component goes wrong, it may all go wrong. And making changes like reloading firewall rules can upset services like NetworkManager and sshd. You know you’re in the weeds when you find yourself running <a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking">nftables commands</a> like <em>nft list ruleset</em> and <a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/using-and-configuring-firewalld_configuring-and-managing-networking">firewalld commands</a> like <em>firewall-cmd ‐‐set-log-denied=all</em>.</p>
<h2>Play with your new platform</h2>
<p>Add value to your new AP. Since you’re running a Pi, there are many hardware add-ons. Since it’s running Fedora, you have thousands of packages available. Try turning it into a mini-NAS, or adding battery back-up, or perhaps a music player.</p>
<hr class="wp-block-separator" />
<p><em>Photo by <a href="https://unsplash.com/@urielsc26?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Uriel SC</a> on <a href="https://unsplash.com/s/photos/network?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></em>.</p>
</div>


https://www.sickgaming.net/blog/2020/08/...nd-fedora/
Reply



Forum Jump:


Users browsing this thread:
1 Guest(s)

Forum software by © MyBB Theme © iAndrew 2016