8 Dec 2008

Configuring OpenBSD as a Wi-Fi access point

Goal

Now that my Wi-Fi dongle works, I want to configure an access point with it so I could connect to my network and to the internet using Wi-Fi.

My router is still an OpenBSD 4.4 fit-PC box, with the following network interfaces:

rl0 (ethernet) connected to my broadband modem, configured by my ISP's DHCP
rl1 (ethernet) connected to my network switch, static configuration (192.168.1.254)
rum0 (Wi-Fi) static configuration (192.168.2.254)

So I have two local networks and I want them to be able to communicate with each other and connect to the internet.

Ethernet configuration

/etc/hostname.rl0

dhcp NONE NONE NONE

/etc/hostname.rl1

inet 192.168.1.254 255.255.255.0 NONE

Setting up the Wi-Fi dongle

The Wi-Fi dongle needs to be configured as an access point. Network configuration is done in /etc/hostname.rum0 (it can also be configured with ifconfig but in order to keep the configuration after the next reboot it must be written in that file).

/etc/hostname.rum0

inet 192.168.2.254 255.255.255.0 NONE media autoselect mode 11g mediaopt hostap nwid [SSID] wpa wpaprotos wpa2 wpaakms psk wpapsk [shared key]

The beginning is a typical static configuration with 192.168.2.254 as IP address and 255.255.255.0 netmask. Detailed information for each parameter can be find in ifconfig's manpage.

mode 11g tells the dongle to use IEEE 802.11g standard (by default the dongle was using IEEE 802.11b)
mediaopt hostap tell the driver to use the dongle as an access point
nwid [SSID] set network's name, the one showed when scanning Wi-Fi access points ([SSID] must be replaced with the name of the network)
wpa use WPA protocol to protect the Wi-Fi network
wpaprotos wpa2 tells that I only want to use wpa2, no wpa1
wpaakms psk set the authentication protocol to PSK (Pre Shared Key)
wpapsk [shared key] set the pre shared key (256 bits). It's generated with the following command: wpa-psk [SSID] [passphrase] (where [passphrase] is the secret pass phrase, the one to type in the client devices to connect to the access point)

DHCP

I want Wi-Fi clients to have their network configuration set automatically. So I need to set up a DHCP server.

DHCP configuration is in /etc/dhcpd.conf:

shared-network WLAN {
  option  domain-name "example.net";
  option  domain-name-servers xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy;

  subnet 192.168.2.0 netmask 255.255.255.0 {
    option routers 192.168.2.254;
    range 192.168.2.32 192.168.2.127;
  }
}

I want DHCP to give addresses only for Wi-Fi devices, so only on rum0 interface. The list of interfaces to work on is stored in /etc/dhcpd.interfaces, I just have to write rum0 in it.

Activating the DHCP server is done by adding the following line to /etc/rc.conf.local:

/etc/rc.conf.local

(…)
dhcpd_flags=""

PF

A major feature of OpenBSD is Packet Filter (aka PF). This is the tool to filter TCP/IP traffic and do mostly anything on network packets. The official PF's FAQ is very useful.

Here is an small configuration to get the described network to work. Configuration is done in /etc/pf.conf:

# PF options
set skip on lo

# Set variables
ext_if="rl0"
int_if="rl1"
wlan_if="rum0"

# Normalize packets
scrub all random-id fragment reassemble reassemble tcp

# NAT
nat on $ext_if inet from $int_if:network to any -> $ext_if
nat on $ext_if inet from $wlan_if:network to any -> $ext_if

block log all
antispoof log quick for { lo $int_if $wlan_if }
pass quick on $int_if no state
pass quick on $wlan_if no state

# Allow outgoing traffic
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all modulate state

Activating PF is done by adding the following line to /etc/rc.conf.local:

(…)
pf=YES

Conclusion

Reboot to take all the changes into account and check that the configuration is still set. I tried to connect with my laptop and my phone, it works.

Of course I had several problems, the main one was to forgot a parameter in Wi-Fi configuration, so I had to read the documentation. When you do so (and ask a bit Google for help), OpenBSD is quite easy to configure (well, considering that I don't have a GUI with a good wizard for it).

Comments Add one by sending me an email.

From Cato Auestad · 24 Sep 2010
I am trying to set up this at home and your guide is currently the only one I found that includes WPA ;) Thanks!
However, you do not mention anything about net.ip.forwarding in sysctl, is this not necessary?
From Laurent · 25 Sep 2010
Thanks for pointing this out. You are right, you need to set net.inet.ip.forwarding=1 in /etc/sysctl.conf otherwise it won't work.
From Tweets that mention » Configuring OpenBSD as a Wi-Fi access point desgrange.net · 16 Jan 2011
[...] This post was mentioned on Twitter by Felix Kronlage. Felix Kronlage said: RT @seclectech: So #openbsd appears to the be easiest BSD to bulid an AP with your ath(4) card http://goo.gl/pYn2R [...]
From Peter Hansteen · 16 Jan 2011
@Cato actually deep in http://home.nuug.no/~peter/pf/ (http://home.nuug.no/~peter/pf/en/wireless.simple.setup.html to be exact) you will find wpa. Also, the ifconfig (and hostname.if) syntax for wpa changes slightly in the upcoming 4.9 essentially wpa-psk as a separate program retires to the attic.
From ofthecentury · 9 Mar 2024
In OpenBSD 7.5 it's wpakey, not wpapsk, for the shared key.