@batzi2014 firewall rules look fine. What PPTP client do you use and in what OS? I want to do a test and see if it's create_ap's fault.
Offline
What PPTP client do you use and in what OS?
Hi, I am using the built-in OS X (10.10) PPTP client, connecting to ipredator.se.
Thanks
Offline
@b4nst0n Do you use create_ap + mentohust? Can you explain your setup?
Offline
@OBLiQUE
/lib/systemd/system/wifi.service
[Unit]
Description=Create AP Service
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/bash create_ap wlp3s0 enp0s25 arch_ap xxxxxxxx
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
/etc/mentohust.conf
[MentoHUST]
Username=xxxxxxxxx
Password= xxxxxxxxx
Nic=enp0s25
IP=10.100.125.212
Mask=255.255.255.0
Gateway=0.0.0.0
DNS=114.114.114.114
PingHost=0.0.0.0
Timeout=8
EchoInterval=30
RestartWait=15
MaxFail=8
StartMode=0
DhcpMode=3
DaemonMode=0
ShowNotify=5
Version=4.49
DataFile=/etc/mentohust/
DhcpScript=dhclient
/lib/systemd/system/mentohust.service
[Unit]
Description=start mentohust
After=network.target dhcpcd.service
[Service]
Type=simple
#Type=oneshot
#RemainAfterExit=yes
ExecStart=/usr/bin/mentohust -b0
ExecStop=/usr/bin/mentohust -k
Restart=on-failure
RestartSec=3
[Install]
Alias=multi-user.target.wants/mentohust.service
/etc/iptables/iptables.rules
*filter
:INPUT ACCEPT [276:27482]
:FORWARD ACCEPT [3947:4415494]
:OUTPUT ACCEPT [378:32476]
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 192.168.12.0/24 -i enp0s25 -j ACCEPT
-A FORWARD -s 192.168.12.0/24 -i ap0 -j ACCEPT
COMMIT
# Completed on Wed Oct 1 02:43:03 2014
# Generated by iptables-save v1.4.21 on Wed Oct 1 02:43:03 2014
*nat
:PREROUTING ACCEPT [300:20476]
:INPUT ACCEPT [154:11086]
:OUTPUT ACCEPT [147:9796]
:POSTROUTING ACCEPT [1:328]
-A POSTROUTING -o enp0s25 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
Thanks for your help.
EDIT: iptables.rules
Last edited by b4nst0n (2015-04-04 03:07:38)
Offline
@batzi2014 Run the following commands and then try to connect to PPTP again.
modprobe nf_nat_pptp
modprobe nf_conntrack_pptp
Please reply if it works or not.
Offline
Works perfectly.
Thanks for your help!
Offline
Thanks for the confirmation. I will add the commands in create_ap.
EDIT: Added in github repo
Last edited by OBLiQUE (2015-04-01 20:56:44)
Offline
Hey, could you help fix the bug that I mentioned at #179?
I'm pretty sure that something is wrong between mentohust and create_ap.
If you need any other message, please tell me.
thank you!
Offline
@b4nst0n Keep in mind that create_ap is just a bash script. If the whole system crashes, it's probably something in the kernel. create_ap uses hostapd to establish the WiFi AP, so you can probably search whether hostapd and mentohust cause this crash.
We can try a few things:
1) Try to run mentohust only and see if it causes any crashes.
2) In wifi.service change After=network.target to After=mentohust.service and reboot.
Please explain to me what mentohust is. As I understand it, it is something like a VPN, correct? Do you want create_ap to share that VPN connection?
If yes, then change enp0s25 to ppp0 and try again.
Also something else: your /etc/iptables/iptables.rules contains some rules that create_ap automatically adds to iptables. Please remove those rules.
This is how you can do it:
systemctl stop wifi
iptables -D INPUT -p udp -m udp --dport 67 -j ACCEPT
iptables -D INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -D INPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables -D FORWARD -d 192.168.12.0/24 -i enp0s25 -j ACCEPT
iptables -D FORWARD -s 192.168.12.0/24 -i ap0 -j ACCEPT
iptables -t nat -D POSTROUTING -o enp0s25 -j MASQUERADE
iptables-save > /etc/iptables/iptables.rules
systemctl start wifi
Also while both create_ap and mentohust are running, please post the output of:
ip route
Offline
@OBLiQUE Thanks for your reply.
And I've tried:
1) run mentohust only, system works fine
2) run DSL and create_ap, system works fine
3) run mentohust and create_ap, system works fine only for a while, and then it suddenly crashes; everything freezes and I can only push the power button.
About mentohust, it's just like an authentication. I don't know how to explain it, but I think it's not a VPN.
Finally, the output of ip route while both create_ap and mentohust are running:
default via 10.100.125.1 dev enp0s25
default via 10.100.125.1 dev enp0s25 metric 203
10.100.125.0/24 dev enp0s25 proto kernel scope link src 10.100.125.212 metric 203
192.168.12.0/24 dev wlp3s0 proto kernel scope link src 192.168.12.1
Offline
Can you also post:
ip addr
Since I don't know how mentohust works (and it doesn't have any documentation in English), I will check its code a bit. If I find anything useful I will let you know.
I suggest you do the following:
1) Make sure that your kernel is updated
2) If this was working before, then try to downgrade the kernel to that version
BTW, I'm a bit busy these days. So, it can take some days to check mentohust code.
Last edited by OBLiQUE (2015-04-04 10:06:56)
Offline
I notice that mentohust sends raw Ethernet packets. Probably the NAT subsystem in the kernel has a bug and it causes the run.
Run only mentohust and then this command:
iptables -t nat -I POSTROUTING -o enp0s25 -j MASQUERADE
Does it cause any crashes?
Last edited by OBLiQUE (2015-04-04 10:41:25)
Offline
Also try the following:
iptables -t nat -D POSTROUTING -o enp0s25 -j MASQUERADE
systemctl start wifi
iptables -t nat -D POSTROUTING -o enp0s25 -j MASQUERADE
Your wifi client will be able to use internet, but connect to the wifi and let it run. Does it crash?
Last edited by OBLiQUE (2015-04-04 10:41:45)
Offline
The output of ip addr while both create_ap and mentohust are running:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether b8:76:3f:d0:bd:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.12.1/24 brd 192.168.12.255 scope global wlp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::9676:3639:fad0:7933/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 3c:97:0e:ae:be:40 brd ff:ff:ff:ff:ff:ff
    inet 10.100.125.212/24 brd 10.100.125.255 scope global enp0s25
       valid_lft forever preferred_lft forever
    inet 10.100.125.213/24 brd 10.100.125.255 scope global secondary enp0s25
       valid_lft forever preferred_lft forever
    inet6 fe80::7667:df0a:e91e:7074/64 scope link
       valid_lft forever preferred_lft forever
Running only mentohust and then the command iptables -I POSTROUTING -o enp0s25 -j MASQUERADE doesn't cause any crash, but it reports
iptables: No chain/target/match by that name.
And when I run iptables -D POSTROUTING -o enp0s25 -j MASQUERADE it reports iptables: Bad rule (does a matching rule exist in that chain?).
BTW, thank you very much for helping even while you are busy, please take your time :)
Offline
Sorry, I forgot to add -t nat in the iptables commands. I edited my previous posts, try them again.
Also, check whether the following causes any crashes:
systemctl start wifi
# wait until the wifi is up
iptables -t nat -F
iptables -t nat -I POSTROUTING -s 192.168.12.0/24 -o enp0s25 -j MASQUERADE
Last edited by OBLiQUE (2015-04-04 10:46:23)
Offline
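The saved rules posted earlier masquerade everything leaving enp0s25 and ppp0, while the test rule above limits NAT to the AP subnet with -s 192.168.12.0/24. As an added example (not from the thread or from create_ap), this audit reads iptables-save text and reports POSTROUTING MASQUERADE rules that have no source match, plus a FORWARD policy of ACCEPT; the sample input is constructed from the rules in this thread and the finding names are hypothetical.

```shell
# Constructed sample, modelled on the rules posted in this thread.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 192.168.12.0/24 -i enp0s25 -j ACCEPT
-A FORWARD -s 192.168.12.0/24 -i ap0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp0s25 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -s 192.168.12.0/24 -o enp0s25 -j MASQUERADE
COMMIT
EOF
}

# Reads iptables-save text on stdin and prints one finding per line.
# Finding names (hypothetical): FORWARD_POLICY_ACCEPT, UNSCOPED_MASQUERADE <iface>.
audit_nat() {
  awk '
    /^\*/ { table = substr($1, 2); next }      # "*nat" -> current table is "nat"
    table == "filter" && $1 == ":FORWARD" && $2 == "ACCEPT" {
      print "FORWARD_POLICY_ACCEPT"            # forwarding is allowed by default
    }
    table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
      masq = 0; scoped = 0; out = "any"
      for (i = 3; i <= NF; i++) {
        if ($i == "-j" && $(i + 1) == "MASQUERADE") masq = 1
        if ($i == "-s" || $i == "--source") scoped = 1
        if ($i == "-o" || $i == "--out-interface") out = $(i + 1)
      }
      # No -s match: every packet leaving this interface is rewritten.
      if (masq && !scoped) print "UNSCOPED_MASQUERADE " out
    }
  '
}

sample_rules | audit_nat
```

On a live system the same function can be fed with `iptables-save | audit_nat`.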
Running mentohust only:
iptables -t nat -I POSTROUTING -o enp0s25 -j MASQUERADE doesn't cause any crash.
iptables -t nat -D POSTROUTING -o enp0s25 -j MASQUERADE
systemctl start wifi
iptables -t nat -D POSTROUTING -o enp0s25 -j MASQUERADE
It doesn't crash, but my phone could not connect to the Internet.
systemctl start wifi
# wait until the wifi is up
iptables -t nat -F
iptables -t nat -I POSTROUTING -s 192.168.12.0/24 -o enp0s25 -j MASQUERADE
It works fine for now, but I'm not sure whether it will crash after a while.
The crash I mentioned before doesn't happen immediately. It works fine for 15 to 30 minutes, and then maybe something goes wrong and it crashes.
Offline
Okay, after 40 mins, it finally crashed again.
Offline
I did some searching and found this:
https://bbs.archlinux.org/viewtopic.php?id=192580
https://bugzilla.redhat.com/show_bug.cg … id=1203241
I doubt myself now. Maybe that's the real problem? Because I also use an RTL8188CE, as they do.
I'm not sure, will continue following.
Offline
Realtek drivers have many problems in general. So, yes maybe this is the problem. You can follow my guide here to install another driver: https://github.com/oblique/create_ap/bl … realtek.md
Offline
I've changed my wireless card and it works fine :) So yes, that's a bug between the rtl8192ce driver and the kernel.
Offline
Thanks for letting me know.
Offline
Thank you for this script!!! It worked out of the box for my cubietruck installation.
Connected to the AP, I have internet access and all works fine.
Now my question (as a beginner):
Connected to the AP, I would like to have access to other addresses of my network. Applications on connected clients should have access to servers of this network.
Is it possible to configure iptables for that?
I do not know how (and could not find a hint right now).
My config:
eth0 static 192.168.2.108 (router: 192.168.2.1, DHCP)
wlan0: 192.168.12.1
Last edited by Canoa (2015-04-11 14:51:59)
Offline
I don't isolate the NAT network that create_ap creates. So, you can access all the networks that can be accessed from the computer you run create_ap.
If you can't, then probably you have iptables rules that restrict this.
EDIT:
BTW, I'm thinking of changing this in the near future and having an option to not isolate the create_ap NAT. If I change it, I will post it here.
Last edited by OBLiQUE (2015-04-11 14:55:03)
Offline
Thanks for a great script OBLiQUE, this saved me a lot of time configuring hostapd manually.
I'm a little new to Linux so pardon my dumb questions. Currently I am running an RPi 2 with Raspbian installed and I want it to run as an AP/client router (I have a TP-Link WN722, which is capable of running softap mode). Managed to get your script to work - at first I had some trouble because it was connected to eth0+wlan0 to the same network (took 3 reinstalls and hours of table-headbanging to realize where the mistake is hehe). Now it works properly, but there is one thing:
When I start my RPi, it automatically connects to the wpa_supplicant configured network. After running create_ap, it disconnects me from the wlan0 network (which means I get disconnected from xrdp as well), so I always need to connect manually again. Is there some kind of solution so this won't happen? I tried running a .sh script:
#!/bin/bash
sudo killall dnsmasq
sleep 1
sudo create_ap wlan0 wlan0 router password
sleep 15
sudo wpa_supplicant -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf
sleep 3
sudo dhclient -r
sudo dhclient wlan0
Not sure if it's wrong, but it seems to me that the script stops running after create_ap starts up. And here comes one more dumb question - how can I make create_ap start every time after LXDE boots up?
Thanks
Last edited by xfreeze (2015-04-20 12:52:40)
Offline
Paste me the output of the following command:
iw list
Probably your wifi adapter doesn't support virtual interfaces, so you cannot have an AP and Internet at the same time.
We can check from the above command if this is the reason. The only solution to this is to buy an adapter that supports this feature,
or use two separate adapters.
Another thing that you need is to call create_ap after wpa_supplicant, because an adapter can be on only one channel at a time. If you run create_ap before, then wpa_supplicant will fail to connect to a different channel other than the one you have the AP on.
So, if your adapter supports virtual interfaces, then try to move create_ap after the sleep of wpa_supplicant and increase the sleep just to be safe.
Offline
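The check the reply above asks for can be done mechanically on the "valid interface combinations" section of `iw list`. This added example (not from the thread or from create_ap) reports whether any combination allows a managed and an AP interface at the same time and how many channels it may use; the function name and the sample excerpt are constructed for illustration.

```shell
# Constructed `iw list` excerpt (not captured from a real adapter).
sample_iw() {
cat <<'EOF'
Wiphy phy0
    Supported interface modes:
         * managed
         * AP
    valid interface combinations:
         * #{ managed } <= 1, #{ AP, mesh point } <= 1,
           total <= 2, #channels <= 1
EOF
}

# Reads `iw list` text on stdin. Prints "AP+STA channels=N" for each
# combination that allows managed and AP together, else "no AP+STA".
ap_sta_support() {
  awk '
    function check(   n, g, i, p, t, k, j, lim, apg, stag, aplim, total, ch) {
      n = split(rec, g, /#[{]/); apg = stag = 0
      for (i = 2; i <= n; i++) {               # one "#{ types } <= limit" group each
        split(g[i], p, "}"); gsub(/ /, "", p[1])
        lim = p[2]; sub(/^ *<= */, "", lim); lim += 0
        k = split(p[1], t, ",")
        for (j = 1; j <= k; j++) {
          if (t[j] == "AP") { apg = i; aplim = lim }
          if (t[j] == "managed") stag = i
        }
      }
      total = match(rec, /total <= [0-9]+/) ? substr(rec, RSTART + 9) + 0 : 0
      ch = match(rec, /#channels <= [0-9]+/) ? substr(rec, RSTART + 13) + 0 : 0
      # Both types must fit: different groups, or one shared group with room for two.
      if (apg && stag && total >= 2 && (apg != stag || aplim >= 2)) {
        print "AP+STA channels=" ch; found = 1
      }
    }
    /valid interface combinations:/ { insec = 1; next }
    insec && /^[ \t]*\* / { if (rec != "") check(); rec = $0; next }
    insec && /#[{]|total <=/ { rec = rec " " $0; next }   # continuation line
    { insec = 0 }
    END { if (rec != "") check(); if (!found) print "no AP+STA" }
  '
}

sample_iw | ap_sta_support
```

A result of `channels=1` is the case described above: the AP has to share the channel of the existing client connection, so wpa_supplicant must be associated before create_ap starts.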