Chapter 18. Setting up a wireless access point with WPA

Revision History
Revision 0.22007-06-03MH
initial revision
Revision 0.12007-02-20MH
initial revision

Table of Contents

Objectives
Declare the wireless and hostapd packages
Declare the required modules
Setup for cards supported by the madwifi driver
Setup for cards supported by the hostap driver
Handling of preshared keys
Advanced setups

Objectives

We assume here that you want to create a wireless access point secured by WPA/WPA2. Instructions for using WEP will not be given (and please don't ask for them to be provided).

For now, this only includes instructions for pci-cards supported by the hostap and madwifi drivers. Feedback is welcome about what it takes to make other cards (other chipsets as well as PC-Card and USB models) to work.

Due to the size of the packages and modules required for this to work, it is unlikely you will get it to work on a single disk setup. You will either need a two disk setup, or an alternative storage media (like CD, HD, USB or Compact Flash).

Declare the wireless and hostapd packages

Those two packages (wireless.lrp and hostapd.lrp and their dependencies libssl.lrp, libcrpto.lrp and libm.lrp) are available from the bering-uclibc packages page.

Add the two packages to your storage media and add them to leaf.cfg. Check the Bering-uClibc Installation Guide to learn how to do that.

Declare the required modules

In order to build a wireless access point, you will first have to get the hardware to work, which means adding the proper modules and loading them in the right order, and then adding the configuration for hostapd.

Setup for cards supported by the madwifi driver

Adding the required modules

For setting up an AP with a pci card supported by the madwifi driver, you will need the following modules from the modules tarball available from the bering-uclibc download area:

2.4.33/net/ath_hal.o
2.4.33/net/ath_rate_sample.o
2.4.33/net/ath_pci.o
2.4.33/net/wlan.o
2.4.33/net/wlan_scan_ap.o
2.4.33/net/wlan_acl.o
2.4.33/net/wlan_ccmp.o
2.4.33/net/wlan_tkip.o
2.4.33/net/wlan_xauth.o

Copy those files to /lib/modules/ on your Bering-uClibc installation and add the following to your /etc/modules file:

ath_hal
wlan
wlan_scan_ap
ath_rate_sample
ath_pci autocreate=ap
wlan_acl
wlan_ccmp
wlan_tkip
wlan_xauth

At this point, it's probably a good idea to save both the configuration and the modules (from the lrcfg menu). And reboot your router. During the reboot (or afterwards, looking at the output of dmesg) you should see something like:

ath_hal: 0.9.17.2 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
wlan: 0.8.4.2 (0.9.2.1)
ath_rate_sample: 1.2 (0.9.2.1)
ath_pci: 0.9.4.5 (0.9.2.1)
wifi0: 11a rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
wifi0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps
wifi0: turboG rates: 6Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: H/W encryption support: WEP AES AES_CCM TKIP
wifi0: mac 5.9 phy 4.3 radio 3.6
wifi0: Use hw queue 1 for WME_AC_BE traffic
wifi0: Use hw queue 0 for WME_AC_BK traffic
wifi0: Use hw queue 2 for WME_AC_VI traffic
wifi0: Use hw queue 3 for WME_AC_VO traffic
wifi0: Use hw queue 8 for CAB traffic
wifi0: Use hw queue 9 for beacons
wifi0: Atheros 5212: mem=0xa0010000, irq=11
wlan: mac acl policy registered

Setting the country code for the card

Some cards let you set the regulatory domain, that the card is used in. The regulatory domain specifies which channels and transmit power settings are allowed. For cards that support setting the regulatory domain, you can specify

ath_pci autocreate=ap countrycode=XXX

In /etc/modules, where XXX is the country code for the country that you are going to use the router in. See here for a list of country codes - the values from the "UN Numeric-3" column are what you need.

Not all cards allow the driver to set the country code. On such cards, you will see something like this during bootup (if you have the countrycode setting in your /etc/modules file:

wifi%d: unable to collect channel list from hal; regdomain likely 48 
country code 276

If you see this, remove the countrycode setting from /etc/modules, save the configuration and reboot.

Configuration

Declaring the interface in /etc/network/interfaces

Setup in /etc/network/interfaces is minimal, since all of the wlan specific settings will be done in the hostapd configuration. You will only need to declare the proper interface and IP address (since these instructions are for creating an access point, a static IP is assumed).

Add the following to /etc/network/interfaces

auto ath0
iface ath0 inet static
        address 192.168.253.254
        netmask 255.255.255.0
        broadcast 192.168.253.255
        wireless-channel 1

Replace the IP address and netmask with whatever you prefer, if you want to use a different net.

Setting the channel is optional. It is usually best to let the driver decide which channel to use (you never know if your neighbours are going to turn on an AP on a channel that used to work fine yesterday). But if you want to force the driver to use a specific channel, this is the place to do it

Configuring hostapd

First of all, open /etc/default/hostapd and uncomment the line

# RUN_DAEMON='yes'

If you forget to do that, hostapd will not start.

Next, open /etc/hostapd/hostapd.conf and enter the following information:

interface=ath0
driver=madwifi
logger_syslog=-1
logger_syslog_level=1
logger_stdout=-1
logger_stdout_level=2
debug=0
ctrl_interface=/var/run/hostapd
hw_mode=g
macaddr_acl=0
auth_algs=3
ignore_broadcast_ssid=0
wpa=3
wpa_psk=your_strong_preshared_key
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
eap_server=0
eapol_key_index_workaround=0

The comments in that config file are actually very helpful, so you'll want to change the individual settings, rather than replacing the file with the content above.

See this site for a nice tool to generate strong preshared keys. Use the string from the first box labeled "64 random hexadecimal characters (0-9 and A-F):" for wpa_psk

Configuring shorewall

Add

wlan   ath0           detect          dhcp

to /etc/shorewall/interfaces

add

wlan   ipv4

to /etc/shorewall/zones

update /etc/shorewall/policy and/or /etc/shorewall/rules and/or /etc/shorewall/masq to allow traffic to/from wireless network

Configuring dnsmasq

Add

interface=ath0

to /etc/dnsmasq.conf (unless you have dnsmasq listening on all devices anyway)

Add an address range to serve by DHCP to /etc/dnsmasq.conf, something like

dhcp-range=192.168.253.2,192.168.253.19,12h

Finishing up

Save the configuration and reboot - you should now have a working access point

Setup for cards supported by the hostap driver

Adding the required modules

For setting up an AP with a pci card supported by the hostap driver, you will need the following modules from the modules tarball available from the bering-uclibc download area:

2.4.33/net/hostap
2.4.33/net/hostap_pci
2.4.33/net/hostap_crypt_ccmp
2.4.33/net/hostap_crypt_tkip

Copy those files to /lib/modules/ on your Bering-uClibc installation and add the following to your /etc/modules file:

hostap
hostap_pci
hostap_crypt_ccmp
hostap_crypt_tkip

Unfortunately, unlike madwifi, hostap doesn't seem to be able to change the regulatory domain setting based on a country code. It seems to always use what is programmed into the card. If somebody has information on how to change the regulatory domain with the madwifi driver, please let the author know.

At this point, it's probably a good idea to save both the configuration and the modules (from the lrcfg menu). And reboot your router. During the reboot (or afterwards, looking at the output of dmesg) you should see something like:

hostap_pci: 0.4.9 - 2006-05-06 (Jouni Malinen <aline@cc.hut.fi>
hostap_pci: Registered netdevice wifi0
wifi0: NIC: id=0x8013 v1.0.0
wifi0: PRI: id=0x15 v1.1.1
wifi0: STA: id=0x1f v1.7.4
wifi0: Intersil Prism2.5 PCI: mem=0xa0003000, irq=11

Configuration

Declaring the interface in /etc/network/interfaces

Setup in /etc/network/interfaces is minimal, since all of the wlan specific settings will be done in the hostapd configuration. You will only need to declare the proper interface and IP address (since these instructions are for creating an access point, a static IP is assumed).

Add the following to /etc/network/interfaces

auto wlan0
iface wlan0 inet static
        address 192.168.253.254
        netmask 255.255.255.0
        broadcast 192.168.253.255
        wireless-channel 1

Replace the IP address and netmask with whatever you prefer, if you want to use a different net.

Setting the channel is optional. It is usually best to let the driver decide which channel to use (you never know if your neighbours are going to turn on an AP on a channel that used to work fine yesterday). But if you want to force the driver to use a specific channel, this is the place to do it

Configuring hostapd

First of all, open /etc/default/hostapd and uncomment the line

# RUN_DAEMON='yes'

If you forget to do that, hostapd will not start.

Next, open /etc/hostapd/hostapd.conf and enter the following information:

interface=wlan0
driver=hostap
logger_syslog=-1
logger_syslog_level=1
logger_stdout=-1
logger_stdout_level=2
debug=0
ctrl_interface=/var/run/hostapd
hw_mode=b
macaddr_acl=0
auth_algs=3
ignore_broadcast_ssid=0
wpa=3
wpa_psk=your_strong_preshared_key
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
eap_server=0
eapol_key_index_workaround=0

The comments in that config file are actually very helpful, so you'll want to change the individual settings, rather than replacing the file with the content above.

See this site for a nice tool to generate strong preshared keys. Use the string from the first box labeled "64 random hexadecimal characters (0-9 and A-F):" for wpa_psk

Configuring shorewall

add

wlan   wlan0           detect          dhcp

to /etc/shorewall/interfaces

add

wlan   ipv4

to /etc/shorewall/zones

Update /etc/shorewall/policy and/or /etc/shorewall/rules and/or /etc/shorewall/masq to allow traffic to/from wireless network.

Configuring dnsmasq

Add

interface=wlan0

to /etc/dnsmasq.conf (unless you have dnsmasq listening on all devices anyway)

Add an address range to serve by DHCP to /etc/dnsmasq.conf, something like

dhcp-range=192.168.253.2,192.168.253.19,12h

Finishing up

Save the configuration and reboot - you should now have a working access point

Handling of preshared keys

The WPA key you generated above and put into /etc/hostapd/hostapd.conf needs to be entered on each client that connects to the AP - so you might want to put it onto a USB stick or something like that.

But since that key is the only thing that is keeping others from logging onto your net, you should still keep it in a safe place

Advanced setups

We've only touched the mere basics of setting up an AP with this section. Especially the madwifi driver has many extremely useful features, but discussing those would be beyond the scope of this chapter. Please see the madwifi wiki for more in-depth information.