My mobile phone plan allows me to tether the phone, so I can access the Internet in areas where there is no WiFi but have a good 3g connection. This post explains how to set up a RaspberryPi as a wireless access point, which is tethered to a mobile phone. Users can then connect to the WiFi and access the internet.

If we are on holiday in a property that doesn't have WiFi it can be useful to set up a WiFi access point connected to a 3g mobile phone network, so family members can use the Internet. Note that not all mobile phone operators allow tethering, check first or you may end up either with a large bill, or being disconnected by your operator.

I am using a RaspberryPi with ArchLinux and an Android phone, connected to the Pi via a usb cable. I would advise using a powered hub as the phone and WiFi dongle will probably draw more current than the Pi's power supply can cope with.

I have installed a dhcp server on the Pi. This manages connections to the Ethernet and the wireless network interfaces. The ethernet interface is on a different ip range (192.168.0.x) to the wireless interface (10.0.0.x). There are a couple of reasons for doing it this way:

  • You can easily access the Pi by plugging an ethernet cable into your computer. If your computer's network card doesn't support auto crossovers, will need to use a hub to connect to the ethernet port.
  • You can use the Pi as a router to connect to the Internet as part of a wired network. I find this useful at home as our ADSL connection is unreliable. I can just plug the Pi into our wired network and use it to access the internet.

Preflight Check.

Check that Your WiFi Card Can Act as an Access Point.

Not all wireless cards can act as an access point. To check if yours can in a terminal:

iwlist

Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * AP/VLAN
		 * WDS
		 * monitor
		 * mesh point

Look in the "Supported interface modes". If AP isn't listed your card can't act as an access point.

Power Supply.

You will almost certainly need to use a powered USB hub as the combined WiFi dongle and Android phone will take more current than the Pi can supply.

Installing Required Software.

This assumes that you have installed the base Arch packages and have a working dhcp ethernet connection. You do not require a GUI to install/configure/run the router, you can do everything via ssh. However, you can install a GUI if you wish. For the purposes of this article my Pi has been given the host name "routerpi.bantercat.co.uk"

pacman -S dhcp hostapd shorewall ppp modemmanager iw wpa_supplicant

Using an Android Phone as a usb Modem.

Some phones have the ability to tether via usb disabled by the network provider. I am assuming that your phone is able to tether. To check if you can tether plug your phone into a computer via the usb interface and go into Settings/Wireless and Networks/More/Tethering & portable hotspot. If your phone allows tethering you should be able to tick the USB tethering checkbox.

Unfortunately there is currently no method of automatically enabling tethering when you plug in the usb cable, so you will always need to enable this manually.

Configuring a Network Interface for the Android Phone.

You will need to create a netctl profile. I have called mine android-dhcp:

Description='A basic static Android tethering'
Interface=usb0
Connection=ethernet
IP=dhcp

You will need to enable the profile:

sudo netctl enable android-dhcp

You can test that the interface is working:

Configuring the dhcp server.

First we need to tell the dhcp server which interfaces to listen on.

Edit /etc/conf.d/dhcp to add the wlan0 and eth0 interfaces.

#
# Arguments to be passed to the DHCP server daemon
#

# ipv4 runtime parameters
DHCP4_ARGS="-q"

# ipv6 runtime parameters
DHCP6_ARGS="-q"

INTERFACES="wlan0 eth0"

This is the main configuration file /etc/dhcpd.conf.

ddns-update-style none;
ignore client-updates;
authoritative;
option local-wpad code 252 = text;

# This subnet is for the WiFi interface.

subnet
10.0.0.0 netmask 255.255.255.0 {
# --- default gateway
interface wlan0;
option routers
10.0.0.1;
# --- Netmask
option subnet-mask
255.255.255.0;
# --- Broadcast Address
option broadcast-address
10.0.0.255;
# --- Domain name servers, tells the clients which DNS servers to use.
option domain-name-servers
10.0.0.1, 8.8.8.8, 8.8.4.4;
option time-offset
0;
range 10.0.0.50 10.0.0.100;
default-lease-time 1209600;
max-lease-time 1814400;

    host archpiwifi {
         hardware ethernet 98:0c:82:db:5e:c8;
         fixed-address 10.0.0.1;

   }

}


# This subnet is for the ethernet interface.
# If you want to use the Pi on a wired network
# with en existing dhcp server, just comment
# this section out.

subnet
192.168.0.0 netmask 255.255.255.0 {
# --- default gateway
interface eth0;
option routers
10.0.0.1;
# --- Netmask
option subnet-mask
255.255.255.0;
# --- Broadcast Address
option broadcast-address
192.168.0.255;
# --- Domain name servers, tells the clients which DNS servers to use.
option domain-name-servers
10.0.0.1, 8.8.8.8, 8.8.4.4;
option time-offset
0;
range 192.168.0.100 192.168.0.200;
default-lease-time 1209600;
max-lease-time 1814400;
}

You can test that your file doesn't have any syntax errors by running:

dchpd -t

I am using ipv4, so we need to enable the dhcpd4 service and start it:

sudo systemctl enable dhcpd4.service
sudo systemctl start dhcpd4.service

Configuring the Wireless Interface and hostapd.

I needed to setup a basic interface on wlan0 before hostapd starts. I did this using a systemd unit. I had quite a bit of trouble getting this to work properly and was greatly helped by this post in the RaspberryPi forums. The systemd unit creates an interface with the address 10.0.0.1 on wlan0.

Create the file /lib/systemd/system/wifi-hostapd.service

[Unit]
Description=Add static ip for wireless
Before=hostapd.service
Wants=network.target
Before=network.target
BindsTo=sys-subsystem-net-devices-wlan0.device
After=sys-subsystem-net-devices-wlan0.device

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip addr add 10.0.0.1/24 dev wlan0 brd + dev wlan0

[Install]
WantedBy=multi-user.target

Don't forget to enable the service:

sudo systemctl wifi-hostapd.service

Now edit /etc/hostapd/hostapd.conf:

ssid=yourssidname
# Note must be between 8 and 63 characters long.
# Don't quote the string.
wpa_passphrase=A password with spaces
interface=wlan0
bridge=br0
auth_algs=3
channel=7
driver=nl80211
hw_mode=g
logger_stdout=-1
logger_stdout_level=2
max_num_sta=5
rsn_pairwise=CCMP
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP

Firewall and Routing.

I have installed shorewall which serves two purposes. It acts as a firewall and also routes traffic between the ethernet interface and the Internet.

This isn't a shorewall tutorial and I am definitely not a firewall expert. The configuration files are just a basic set of rules to get you started. All traffic for networks outside the dhcp configured network for eth0, or wlan0 will be forwarded to the Android usb interface.

The suggested configuration provides a very basic set of firewall rules that allows all traffic out of the Pi and restricts the traffic that can enter your network.

NAT.

Shorewall Configuration.

It's very easy to lock yourself out of the server while setting up Shorewall. Until you are confident that you have configured your rules correctly I suggest that you test your configuration using the try command:

shorewall try /etc/shorewall 1m

This will start shorewall and enable all the rules for a period of one minute. When this time had elapsed shorewall will stop and restore the previous configuration.

Testing.

Log in via the ethernet interface and try to ping the network address for the WiFi card:

[ian@routerpi netctl]$ sudo ping 10.0.0.1
[sudo] password for ian:
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.495 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.334 ms

Now try and connect via the wireless AP that you have created. If this succeeds you should be allocated a network address in the range 10.0.0.50 to 10.0.0.100.

Shorewall.

Interfaces.

masq

Policy.

Rules.

Routestopped.

shorewall.conf.

zones.


Comments

comments powered by Disqus