Yannis blog

Use raspberry pi as an access point (single wifi card)

09 Jul 2022

Prepare raspberry boot media

Download and run rpi-imager

example for Arch Linux:

sudo pacman -Syu rpi-imager
sudo rpi-imager

Operating System

From the operating system list select ‘Raspbery Pi OS (other)’ and then ‘Raspberry Pi OS Lite (32-bit)’

Configuration

Click the setup icon and and set hostname, username/password, enable ssh and configure wireless lan.

rpi-image options

Configure Raspberry Pi

Connect to Raspberry pi

Connect to Raspberry Pi using the username/password you set earlier using SSH. You need the IP assigned to Raspberry Pi. eg:

ssh -l username rpi

Gain elevated privileges and install necessary libraries

sudo -Es
apt install -y dnsmasq hostapd

Configure hostapd for the Access Point

touch /etc/hostapd/hostapd.conf
chmod 600 /etc/hostapd/hostapd.conf
cat > /etc/hostapd/hostapd.conf <<EOF
country_code=GR
ctrl_interface=/var/run/hostapd
driver=nl80211
ssid=MY_WLAN_NAME
hw_mode=g
channel=7
auth_algs=1
wpa=2
wpa_passphrase=MY_PASSPHRASE
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
EOF

Note: make sure to have the same coutry code in both /etc/hostapd/hostapd.conf and /etc/wpa_supplicant/wpa_supplicant.conf

Test creation and deletion of uap0 virtual device on wlan0:

/sbin/iw dev wlan0 interface add uap0 type __ap
/sbin/iw dev uap0 del

If the previous tests to create and delete the uap0 virtual device succeeds, enable starting uap0 AP virtual interface on wlan0:

SYSTEMD_EDITOR=tee systemctl edit --force --full uap@.service <<\EOF
[Unit]
Description=IEEE 802.11 %p%i AP on wlan%i with hostapd
After=network.target

[Service]
Type=forking
PIDFile=/run/hostapd.pid
Restart=on-failure
RestartSec=2
Environment=DAEMON_CONF=/etc/hostapd/hostapd.conf
EnvironmentFile=-/etc/default/hostapd
ExecStartPre=/sbin/iw dev wlan%i interface add %p%i type __ap
ExecStart=/usr/sbin/hostapd -i %p%i -P /run/hostapd.pid -B $DAEMON_OPTS ${DAEMON_CONF}
ExecStopPost=-/sbin/iw dev %p0 del

[Install]
WantedBy=multi-user.target
EOF

systemctl stop hostapd # if the default hostapd service was active before
systemctl disable hostapd # if the default hostapd service was enabled before
systemctl enable uap@0.service
rfkill unblock wlan

Define the wireless interface IP configuration

cat >> /etc/dhcpcd.conf <<EOF

interface wlan0 # these two lines are not strictly needed, as wlan0 uses the default configuration
    dhcp

interface uap0 # this defines static addressing to uap0 and disables wpa_supplicant for this interface
    static ip_address=192.168.50.1/24
    ipv4only
    nohook wpa_supplicant
EOF


systemctl disable wpa_supplicant.service

Enable routing and IP masquerading

DEBIAN_FRONTEND=noninteractive apt install -y netfilter-persistent iptables-persistent
cat >/etc/sysctl.d/routed-ap.conf <<\EOF
# https://www.raspberrypi.org/documentation/configuration/wireless/access-point-routed.md
# Enable IPv4 routing
net.ipv4.ip_forward=1
EOF

Update firewall rules

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE; iptables -A FORWARD -i wlan0 -o uap0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -A FORWARD -i uap0 -o wlan0 -j ACCEPT; netfilter-persistent save

dnsmasq configuration

cat >> /etc/dnsmasq.conf <<EOF
# disables dnsmasq reading any other files like /etc/resolv.conf for nameservers
no-resolv

interface=uap0
no-dhcp-interface=lo,wlan0
domain-needed
bogus-priv
server=1.1.1.1
dhcp-range=192.168.50.50,192.168.50.199,12h
dhcp-option=3,192.168.50.1
EOF

Configuration is finished, reboot to apply all changes

reboot

Downgrade WiFi driver and pin old version

With the current WiFi driver only a couple of clients can connect to Raspberry Pi AP. Downgrading to previous version will solve this issue.

curl -O http://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_20190114-1+rpt4_all.deb
sudo dpkg -i firmware-brcm80211_20190114-1+rpt4_all.deb
sudo apt-mark hold firmware-brcm80211

Schedule daile restarts of Raspberry Pi [optional]

I prefer to schedule a daily reboot for the AP

sudo -Es
cat >> /etc/crontab <<EOF
0  2    * * *   root    reboot
EOF

Add VPN functionality

When I setup an Access Point, I prefer to add VPN capabilities to it