
Friday, April 8, 2016

How-To: Simple Wireless Repeater - Jessie

For my Netflix Geo-unblock project, I needed a way to test my VPN connection without getting up from my chair and traveling to another SOHO location.

Normally, you can only test the correct setup of a VPN link when you go to the public internet, outside of your SOHO local network, and let the VPN client knock on the door of the router and firewall to see if it can get access and connect to the VPN server on the local network.

To build a test-rig that would allow me to set up and test the VPN without moving about, I needed a wireless repeater.

There are several how-tos and tutorials on the web, all a bit different, and most not suitable for Jessie. In a nutshell, it’s not much different from setting up a wireless Access Point, and I already figured that out.

You can follow my project and the instructions for the AP on the raspberrypi forums here:

Just follow steps 1 through 8 as a reference. Because the wireless repeater is a little different, I’ll go through the steps quickly here, and only elaborate on the differences.

What we’ll need :
·       A Raspberry Pi. I will use a Model (1) B.
·       A USB WiFi Adapter (I use the Edimax Wireless 802.11b/g/n nano USB adapter) ID 7392:7811. This is the same Edimax adapter I used for the AP, because I know it works with a special hostapd.
·       A second USB WiFi Adapter. This second adapter can be of a different type, as long as it is supported by Jessie and the Pi. If it is also an Edimax, all the better.
·       An SD card, 2 GB is enough for Jessie-lite. Speed is not important.
·       Power supply that is capable of powering the Pi and two USB wireless devices.

The first step is to put a working and up-to-date version of Jessie-Lite on the SD card. When you boot it up the first time, put both WiFi adapters in USB slots. Connect the Pi with a LAN cable to your SOHO network. If you have a monitor/TV, connect the Pi with an HDMI cable to the monitor. When you boot the Pi, you’ll see an IP address appearing that you can use to get headless access to the Pi through PuTTY.

If you don’t have a console connected, I suggest you do the following. On your PC, start a command prompt and run ipconfig. Note the IPv4 Address and that of the Default Gateway. They will give you an indication of the subnet of your router. 

Put the SD card in your PC slot, or use a USB to SD adapter, and through the File Explorer go to and edit the /boot/cmdline.txt file. At the end of this one-line command, add ip=192.168.XXX.XXX where the XXX.XXX is an address in the range of what you got from ipconfig. When you boot the Pi, you can use this IP address with PuTTY to get headless access to the Pi.

Now run raspi-config (important: create a new, strong password and a different hostname, rpt-rpi). After that, do an update/upgrade of everything. Look at the other post for details if you need them.

Get that done first before you continue.

1 Setting the Wireless Interfaces wlan0 & wlan1
As a first step, we need to figure out what WiFi USB adapter was assigned to what interface by Jessie. If you have two Edimax adapters that are the same, you can skip this step.

We must use the interface the Edimax is assigned to for the Access Point (AP), and the other adapter to communicate to the Router. The Ethernet interface (eth0) will be used to SSH into the Pi so we can run it headless. It would be nice if you could assign a particular interface to an adapter by using the MAC address. 
You were able to do that earlier with “hwaddress ether MAC-address” in /etc/network/interfaces, but I could not get that to work. All other procedures were too complex or cumbersome, so I decided to bend with the wind, rather than fight it.

Run iwconfig and note the “Nickname” of the adapters to get an idea of what adapter was assigned to wlan0 and wlan1. My Edimax adapter reported "<WIFI@REALTEK>" in the wlan1 field, so I need to use wlan1 as the AP interface and use wlan0 as the Router interface.

If Jessie assigned things differently for you, you need to swap wlan0 and wlan1 in all the instructions below.

2 Installing a Host Access Data Point Daemon (hostapd)
The hostapd package from Debian/Jessie cannot handle the so-called managed mode of the Edimax WiFi adapter, so we’re going to install one that works with that adapter.

Run the following commands to get, compile and install the hostapd package from Jens Segers:

tar -zxvf v2.0.tar.gz
cd RTL8188-hostapd-2.0/hostapd
sudo make
sudo make install

Freeze the automatic updating of this package:

sudo apt-mark hold hostapd

Installing and Setting up a DHCP server for the AP

Install the package.

sudo apt-get install isc-dhcp-server

Edit the two configuration files that we need to configure, /etc/dhcp/dhcpd.conf and /etc/default/isc-dhcp-server.

sudo nano /etc/dhcp/dhcpd.conf

Find the following two lines and comment them out by putting a ‘#’ in front of them.

#option domain-name "";
#option domain-name-servers,;

Find the line that has authoritative, and make it active by removing the ‘#’ in front of it.

Now we need to setup the DHCP server with the subnet information for our access point.

Go to the end of the file and add this by copy & paste:

subnet netmask {
 option broadcast-address;
 option routers;
 default-lease-time 600;
 max-lease-time 7200;
 option domain-name "RPT-RPi";
 option domain-name-servers,;

Note that I used the same name as the hostname (the hostname is lower case though).

Save the file and close the editor.

Edit the isc-dhcp-server configuration file and assign the AP wlan interface:

sudo nano /etc/default/isc-dhcp-server

Save the file and close the editor.

Installing the Network Interfaces

Edit /etc/network/interfaces and make the following changes:

sudo nano /etc/network/interfaces

Either copy & paste the data below or make the changes in the file.

source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

iface eth0 inet manual

# Ralink adapter (Router i/f)
allow-hotplug wlan0
   iface wlan0 inet manual
   wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

# Edimax adapter (AP)
allow-hotplug wlan1
   iface wlan1 inet manual
#   wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Note that we disabled wpa_supplicant for the AP; it does not need it, but we do need it for the Router i/f.

Save and close the file.

Edit the supplicant file to add info for the Router interface:

sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

Add this so the Router interface can connect to the Router:

network={
   ssid="Your Router SSID"
   psk="Your Router’s password"
}

Save and close the file.

Configuring dhcpcd

Edit the dhcpcd (dhcp-client-daemon) configuration file.

sudo nano /etc/dhcpcd.conf

Add this:

# Repeater settings
# Static IP configuration for eth0
interface eth0
static ip_address=
static routers=

# static IP configuration for AP
# this is the Edimax adapter
interface wlan1
static ip_address=
static domain_name_servers=

The static routers IP address for eth0 must be the Default Gateway IP address you got from your PC and wrote down earlier. “/24” is shorthand for the mask. Make sure the IP address for the eth0 interface is the same one you assigned to the cmdline.txt file earlier. If you decide to change it, change both places, or remove the ip= portion of the cmdline.txt file.

Save and close the file.

Setting up hostapd

We’re now going to set up the hosting part of the wireless AP network.

sudo nano /etc/hostapd/hostapd.conf

It will look like this:

# Basic configuration
# WPA and WPA2 configuration
wpa_passphrase= My_passphrase
# Hardware configuration
# Other Settings

Make the following changes:

  • Change interface=wlan1
  • Change ssid=RPT-RPi
  • Change wpa_passphrase= to your AP password
  • Optional, change the channel= to the least congested one if you know how to.

Save the file and close the editor.

5 Setting up the Network Address Translation & Filtering

The last step we need to do before we can start to use the Repeater is setting up the address translation and filtering for all three interfaces.

Create the file we will use to load the rules from at boot time.

sudo touch /etc/iptables/rules.v4

Flush the rules currently in iptables memory:

sudo iptables -F
sudo iptables -t nat -F
sudo iptables -X

Load the new rules for the repeater:
Do that one line at a time to see the possible errors (MS-Word messes with the ‘-‘)
(second line is one line, no break)

sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
sudo iptables -A FORWARD -i wlan1 -o wlan0 -j ACCEPT

sudo iptables -A FORWARD -i wlan0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT

To also allow the use of the eth0 interface next to the wlan0 & wlan1 interfaces to SSH into the Pi, load these rules too, one line at a time (second line is one line, no break):

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED  -j ACCEPT

And save them from memory into a file so they can be loaded at boot.

sudo sh -c "iptables-save > /etc/iptables/rules.v4"
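
An added example, not part of the original post: the commands above append ACCEPT rules but never change the chain policies, so the FORWARD and INPUT chains still accept everything by default and the listed rules restrict nothing. The function below audits an iptables-save dump for that; audit_rules, PAGE_RULES and STRICT_RULES are hypothetical names, and both dumps are constructed (the strict one assumes SSH is only wanted on eth0 and DHCP only on wlan1).

```shell
#!/bin/sh
# Added example: audit an iptables-save dump of the repeater rules.
# audit_rules and both dumps are constructed for illustration.

# Abbreviated dump of what the commands on this page leave in memory.
PAGE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wlan1 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Tightened variant: default-deny; SSH only via eth0, DHCP only via wlan1.
STRICT_RULES=$(printf '%s\n' "$PAGE_RULES" | sed \
    -e 's/^:FORWARD ACCEPT/:FORWARD DROP/' \
    -e 's/^:INPUT ACCEPT/:INPUT DROP/' \
    -e 's/^:OUTPUT ACCEPT.*/&\
-A INPUT -i lo -j ACCEPT\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT\
-A INPUT -i wlan1 -p udp --dport 67 -j ACCEPT/')

# Print one finding per line for chains that accept by default.
audit_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == ":FORWARD" && $2 == "ACCEPT" {
            print "FORWARD policy ACCEPT: unlisted paths (e.g. new connections from wlan0 to wlan1) are forwarded too" }
        table == "filter" && $1 == ":INPUT" && $2 == "ACCEPT" {
            print "INPUT policy ACCEPT: AP clients can reach every service on the Pi, SSH included" }
        table == "nat" && /-j MASQUERADE/ { nat = 1 }
        END { if (!nat) print "no MASQUERADE rule: AP clients get no route to the router" }'
}

audit_rules "$PAGE_RULES"      # prints two findings
audit_rules "$STRICT_RULES"    # prints nothing
```

On the Pi itself the same check can be fed the live rules with audit_rules "$(sudo iptables-save)". Adjust the SSH and DHCP lines to the interfaces you actually use before saving the strict variant to /etc/iptables/rules.v4.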

The next step is to enable IP forwarding. Edit the following file:

sudo nano /etc/sysctl.conf

Un-comment this line :


Save the file and close the editor

6 Setting up the Boot Sequence

There is a race condition messing with the order of the boot process for the packages we just installed. There are other ways to deal with it, but this one is simple and works. Run the following to avoid the automatic starting at boot:

sudo update-rc.d hostapd remove
sudo update-rc.d isc-dhcp-server remove

Add the right startup sequence to /etc/rc.local:

sudo nano /etc/rc.local

Copy & paste this just before the exit 0 :

# start the Repeater packages here so everything will start in order
printf "Reloading iptables\n"
iptables-restore < /etc/iptables/rules.v4
sleep 1
printf "Starting hostapd\n"
service hostapd start
sleep 1
printf "Starting the DHCP server\n"
service isc-dhcp-server start

Save and close the file.

We’re done, so reboot the Pi. Carefully watch the console boot messages for clues.

Log in and run ifconfig to see if you have the correct IP addresses for wlan0 and wlan1.

Run iwconfig to check if wlan0 is indeed connected to the router. Run route to see if the defaults for wlan0 and eth0 are the same.

Ping and then ping an outside website or server by using the hostname.

If everything is OK at this point, grab a wireless client, like an iPad. Switch the SSID on your iPad to the new RPT-RPi and supply the password. If you have the Ping app, ping an outside IP address or use Safari to load a new website or reload one.

If that is all successful, you just created a simple pass-through wireless Repeater that can also be used to extend the wireless router range for your clients in bad wireless spots. You can also use this Repeater to give visitors to your home access to the internet without giving out your own main SSID password.

This Repeater solution is simple, because there are no sophisticated rules and filters for iptables, so browsing complex websites may not work, and there is no protection other than the SSID password. The good news is that the range for snooping is limited.

This Repeater setup will hopefully do the job in my VPN test-rig, but that is another step in the Geo-Unblock process, and I will describe that experience and setup in a future post.
