Make a Wi-Fi Access Point with Raspberry Pi 3

The Raspberry Pi 3 is the third generation of the famous $35 nano PC the size of a credit card. This latest revision integrates a Wi-Fi controller, which opens up a lot of new possibilities, including creating a Wi-Fi access point.

Here are the specs of the Raspberry Pi 3:

  • ARMv8 64-bit CPU, 4x Cores, 1.2GHz
  • 1GB RAM
  • 4x USB ports
  • 1x Ethernet port
  • 1x Full HDMI port
  • 802.11n Wireless LAN
  • Bluetooth 4.1
  • 3.5mm audio jack / composite video
  • Micro SD card slot

Step 1 – Install Raspbian on your Raspberry Pi 3

Download and install Raspbian on your Raspberry Pi 3. I am using an 8 GB SDHC card and Win32DiskImager under Windows 10 to write the image of the Linux OS to it.

Once done, boot your Raspberry Pi on your local network, assuming it has DHCP, and connect to it remotely over SSH (the default password for the pi account is raspberry):

ssh pi@192.168.1.108
pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.4.21-v7+ #911 SMP Thu Sep 15 14:22:38 BST 2016 armv7l GNU/Linux

Update your pi:

pi@raspberrypi:~ $ sudo apt-get update
pi@raspberrypi:~ $ sudo apt-get upgrade

Once the system is up-to-date, we install the applications we will need:

pi@raspberrypi:~ $ sudo apt-get install -y vim hostapd dnsmasq nginx

  • hostapd, the daemon to create a Wi-Fi hotspot
  • dnsmasq, a DHCP/DNS server to reroute the queries
  • nginx, a small web server to present modified webpages
  • vim, because it’s better 😉

Step 2 – Configure the WLAN interface with a static IP

In the latest version of Raspbian, networking is managed by the dhcpcd service rather than by the networking service. Since we want to assign a static IP to our Wi-Fi interface, we will tell dhcpcd to ignore this interface and assign the static IP in the interfaces config file:

Edit the dhcpcd.conf file:

pi@raspberrypi:~ $ sudo vim /etc/dhcpcd.conf

Add the following line at the end of the file:

denyinterfaces wlan0

Edit the interfaces file:

pi@raspberrypi:~ $ sudo vim /etc/network/interfaces

Change the wlan0 configuration as follows:

allow-hotplug wlan0
iface wlan0 inet static
    address 172.16.0.1
    netmask 255.255.0.0
    network 172.16.0.0
    broadcast 172.16.255.255
#    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Now we restart all the services and check the result:

pi@raspberrypi:~ $ sudo service dhcpcd restart
pi@raspberrypi:~ $ sudo ifdown wlan0
pi@raspberrypi:~ $ sudo ifup wlan0
pi@raspberrypi:~ $ ifconfig

Now the status of the interfaces should be like this:

[Screenshot: ifconfig output]

Step 3 – Configure the Wi-Fi Access Point

We are going to create a configuration file for hostapd:

pi@raspberrypi:~ $ sudo vim /etc/hostapd/hostapd.conf

Enter the following configuration lines, which will create a Wi-Fi access point named ‘HoneyPot’ using the Wi-Fi controller:

interface=wlan0
driver=nl80211
ssid=HoneyPot
hw_mode=g
channel=1
wmm_enable=1
ht_capab=[HT40][SHORT-GI-20][DSSS-CK-40]
macaddr_acl=0
ignore_broadcast_ssid=0

Now we will edit the interfaces configuration file to load hostapd with this configuration:

pi@raspberrypi:~ $ sudo vim /etc/network/interfaces

Add the line with hostapd at the end for wlan0:

allow-hotplug wlan0
iface wlan0 inet static
    address 172.16.0.1
    netmask 255.255.0.0
    network 172.16.0.0
    broadcast 172.16.255.255
    hostapd /etc/hostapd/hostapd.conf
#    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Then edit the dnsmasq configuration file:

pi@raspberrypi:~ $ sudo vim /etc/dnsmasq.conf

Add the following lines at the end of the file. They enable the DNS service on the Wi-Fi interface and translate any query to the IP address of the Raspberry Pi. They also enable the DHCP service, which hands out addresses between 172.16.0.10 and 172.16.0.250 with a lease duration of 12h.

resolv-file=/var/run/dnsmasq/resolv.conf
log-facility=/var/log/dnsmasq.log
address=/*/172.16.0.1
interface=wlan0
dhcp-range=172.16.0.10,172.16.0.250,12h
log-queries

As you noticed, we point dnsmasq to a specific resolv.conf file which will contain the upstream DNS servers. This file will be generated by the resolvconf service, and we need to configure it accordingly:

pi@raspberrypi:~ $ sudo vim /etc/resolvconf.conf

It should look like this:

resolv_conf=/etc/resolv.conf
name_servers=127.0.0.1
dnsmasq_resolv=/var/run/dnsmasq/resolv.conf
pdnsd_conf=/etc/pdnsd.conf
unbound_conf=/var/cache/unbound/resolvconf_resolvers.conf
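
To check that the address= override in dnsmasq.conf is really answering queries, the log-queries output can be summarised. This is an added example, not part of the original post: the log lines are constructed in dnsmasq's log format, and the function names dns_summary and forwarded_names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise how dnsmasq answered queries, using the
# log-queries output that the configuration above writes to dnsmasq.log.

# Constructed sample log lines (addresses are documentation ranges).
sample_log() {
    cat <<'EOF'
Sep 15 14:30:01 dnsmasq-dhcp[612]: DHCPACK(wlan0) 172.16.0.23 02:00:00:00:00:01 laptop
Sep 15 14:30:04 dnsmasq[612]: query[A] www.example.com from 172.16.0.23
Sep 15 14:30:04 dnsmasq[612]: config www.example.com is 172.16.0.1
Sep 15 14:30:07 dnsmasq[612]: query[A] login.example.net from 172.16.0.23
Sep 15 14:30:07 dnsmasq[612]: config login.example.net is 172.16.0.1
Sep 15 14:30:09 dnsmasq[612]: query[A] mail.example.org from 172.16.0.23
Sep 15 14:30:09 dnsmasq[612]: forwarded mail.example.org to 192.0.2.53
Sep 15 14:30:09 dnsmasq[612]: reply mail.example.org is 198.51.100.7
EOF
}

# Read a log on stdin; $1 is the address every name should resolve to.
# "local" counts answers served from the config with that address,
# "forwarded" counts queries sent upstream, "other" any other config answer.
dns_summary() {
    awk -v want="$1" '
        { sub(/^.*dnsmasq\[[0-9]+\]: /, "") }   # keep only the message part
        $1 == "config"    { if ($NF == want) l++; else o++ }
        $1 == "forwarded" { f++ }
        END { printf "local=%d forwarded=%d other=%d\n", l, f, o }'
}

# Names that escaped the override and were resolved upstream.
forwarded_names() {
    awk '{ sub(/^.*dnsmasq\[[0-9]+\]: /, "") }
         $1 == "forwarded" { print $2 }' | sort -u
}

sample_log | dns_summary 172.16.0.1
sample_log | forwarded_names
```

On the Pi itself, feed /var/log/dnsmasq.log to the same functions instead of sample_log.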

Restart the Raspberry Pi to test. You should see the SSID ‘HoneyPot’ being broadcast, and that the network is not secured, so anyone can connect to our access point. Here is how it looks on a Windows 10 laptop nearby:

[Screenshot: the HoneyPot SSID in the Windows 10 network list]
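
The network is open because the hostapd.conf above contains no wpa= settings at all. The following added example (not part of the original post) classifies a hostapd configuration and shows the page's settings beside a constructed WPA2-PSK variant; the function names and the passphrase are made up for illustration.

```shell
#!/bin/sh
# Added example: classify a hostapd.conf read from stdin as
# open, weak or wpa2-psk.
audit_hostapd() {
    awk -F= '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blanks
        { key = $1; sub(/^[^=]*=/, ""); conf[key] = $0 }
        END {
            # No wpa= line (or wpa=0) means no encryption at all.
            if (conf["wpa"] == "" || conf["wpa"] == "0") { print "open"; exit }
            n = length(conf["wpa_passphrase"])
            # wpa=2 is WPA2 only; 1 or 3 still allow legacy WPA.
            if (conf["wpa"] == "2" && conf["wpa_key_mgmt"] == "WPA-PSK" &&
                conf["rsn_pairwise"] == "CCMP" && n >= 8 && n <= 63)
                print "wpa2-psk"
            else
                print "weak"
        }'
}

# The access-point settings from this page.
page_conf() {
    cat <<'EOF'
interface=wlan0
driver=nl80211
ssid=HoneyPot
hw_mode=g
channel=1
wmm_enable=1
ht_capab=[HT40][SHORT-GI-20][DSSS-CK-40]
macaddr_acl=0
ignore_broadcast_ssid=0
EOF
}

# Constructed hardened variant: same settings plus WPA2-PSK with CCMP.
hardened_conf() {
    page_conf
    cat <<'EOF'
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=constructed-sample-passphrase
EOF
}

echo "page config:     $(page_conf | audit_hostapd)"
echo "hardened config: $(hardened_conf | audit_hostapd)"
```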

Step 4 – Routing traffic

We need to enable packet forwarding by editing the following file:

pi@raspberrypi:~ $ sudo vim /etc/sysctl.conf

and uncomment the line:

net.ipv4.ip_forward=1

We can also enter this extra command to activate packet forwarding immediately:

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

Then, we configure the firewall to route traffic between wlan0 and eth0:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT  
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

And we save this configuration in a file:

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

That we will load during boot:

pi@raspberrypi:~ $ sudo vim /etc/rc.local

by adding a line before exit 0:

_IP=$(hostname -I) || true
if [ "$_IP" ]; then
  printf "My IP address is %s\n" "$_IP"
fi
iptables-restore < /etc/iptables.ipv4.nat
exit 0
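
The three rules above leave the default chain policies untouched, which matters on an open network. The following added example (not part of the original post) audits a ruleset in iptables-save format; the sample rulesets are constructed and abridged, and the function names and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit a ruleset in iptables-save format, read from stdin.
# $1 = client-side interface, $2 = uplink interface.
audit_ruleset() {
    awk -v lan="$1" -v wan="$2" '
        /^\*/ { table = substr($1, 2) }               # "*nat", "*filter"
        /^:/  { policy[table, substr($1, 2)] = $2 }   # ":FORWARD ACCEPT [0:0]"
        table == "nat" && /-A POSTROUTING/ && /-j MASQUERADE/ &&
            index($0, "-o " wan) { masq = 1 }
        table == "filter" && /-A INPUT/ && index($0, "-i " lan) { in_rule = 1 }
        END {
            if (!masq) print "no-masquerade"
            # With an ACCEPT policy the FORWARD rules filter nothing.
            if (policy["filter", "FORWARD"] != "DROP") print "forward-policy-accept"
            # Clients can reach every service on the Pi itself (SSH, nginx).
            if (policy["filter", "INPUT"] != "DROP" && !in_rule) print "input-open-to-clients"
        }'
}

# Constructed, abridged: the three rules above as saved with default policies.
page_rules() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
EOF
}

# Constructed variant: FORWARD drops by default, and Wi-Fi clients may
# only reach DHCP and DNS (UDP) on the Pi itself.
hardened_rules() {
    page_rules | awk '
        /^:FORWARD/ { print ":FORWARD DROP [0:0]"
                      print "-A INPUT -i wlan0 -p udp -m multiport --dports 53,67 -j ACCEPT"
                      print "-A INPUT -i wlan0 -j DROP"; next }
        { print }'
}

page_rules | audit_ruleset wlan0 eth0
hardened_rules | audit_ruleset wlan0 eth0
```

An empty result means none of the three findings apply. On the Pi, run it against the saved file with audit_ruleset wlan0 eth0 < /etc/iptables.ipv4.nat.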

At this stage, you should have a nice working Wi-Fi access point based on your Raspberry Pi 3, connected to your ISP router, through which you can browse the internet normally and safely. But we will not stop here: as you may have noticed, we named the SSID “HoneyPot”, and in the next post we will show you how to do nasty things with your unsecured access point.
