Configuring OpenBSD as a Wi-Fi access point

Goal

Now that my Wi-Fi dongle works, I want to configure an access point with it so I can connect to my network and to the internet using Wi-Fi.

My router is still an OpenBSD 4.4 fit-PC box, with the following network interfaces:

  • rl0 (ethernet) connected to my broadband modem, configured by my ISP's DHCP
  • rl1 (ethernet) connected to my network switch, static configuration (192.168.1.254)
  • rum0 (Wi-Fi) static configuration (192.168.2.254)

So I have two local networks and I want them to be able to communicate with each other and connect to the internet.

Ethernet configuration

/etc/hostname.rl0

dhcp NONE NONE NONE

/etc/hostname.rl1

inet 192.168.1.254 255.255.255.0 NONE

Setting up the Wi-Fi dongle

The Wi-Fi dongle needs to be configured as an access point. Network configuration is done in /etc/hostname.rum0 (it can also be done with ifconfig, but to keep the configuration after the next reboot it must be written in that file).

/etc/hostname.rum0

inet 192.168.2.254 255.255.255.0 NONE media autoselect mode 11g mediaopt hostap nwid [SSID] wpa wpaprotos wpa2 wpaakms psk wpapsk [shared key]

The beginning is a typical static configuration with 192.168.2.254 as the IP address and 255.255.255.0 as the netmask. Detailed information for each parameter can be found in ifconfig's manpage.

  • mode 11g tells the dongle to use the IEEE 802.11g standard (by default the dongle was using IEEE 802.11b)
  • mediaopt hostap tells the driver to use the dongle as an access point
  • nwid [SSID] sets the network's name, the one shown when scanning for Wi-Fi access points ([SSID] must be replaced with the name of the network)
  • wpa enables the WPA protocol to protect the Wi-Fi network
  • wpaprotos wpa2 states that I only want to use wpa2, no wpa1
  • wpaakms psk sets the authentication protocol to PSK (Pre-Shared Key)
  • wpapsk [shared key] sets the pre-shared key (256 bits). It is generated with the following command: wpa-psk [SSID] [passphrase] (where [passphrase] is the secret passphrase, the one to type into the client devices to connect to the access point)
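
How the 256-bit key for wpapsk is derived from [SSID] and [passphrase], as an added example (not code from the original post or from OpenBSD): IEEE 802.11i defines the PSK as PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, with 4096 iterations. The function names and the sample SSID and passphrase are assumptions made for illustration.

```python
import hashlib


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Return the 256-bit WPA/WPA2 pre-shared key as 64 hex digits."""
    ssid_b = ssid.encode("utf-8")
    # encode("ascii") raises UnicodeEncodeError (a ValueError) on non-ASCII input
    pass_b = passphrase.encode("ascii")
    if not 1 <= len(ssid_b) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    if not 8 <= len(pass_b) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(c < 32 or c > 126 for c in pass_b):
        raise ValueError("passphrase must be printable ASCII")
    # The SSID is the salt: the same passphrase gives a different key per SSID.
    key = hashlib.pbkdf2_hmac("sha1", pass_b, ssid_b, 4096, dklen=32)
    return key.hex()


def hostname_rum0_line(ip: str, netmask: str, ssid: str, passphrase: str) -> str:
    """Fill in the /etc/hostname.rum0 line shown above (hypothetical helper).

    The key is written as a 0x-prefixed hex string, the form ifconfig uses
    for hexadecimal key arguments.
    """
    return (
        f"inet {ip} {netmask} NONE media autoselect mode 11g "
        f"mediaopt hostap nwid {ssid} wpa wpaprotos wpa2 wpaakms psk "
        f"wpapsk 0x{wpa_psk(ssid, passphrase)}"
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from the original post.
    print(hostname_rum0_line("192.168.2.254", "255.255.255.0",
                             "homewlan", "correct horse battery"))
```

Because the SSID is the salt, the key has to be regenerated whenever the nwid changes. The key is also passphrase-equivalent, so /etc/hostname.rum0 should be readable by root only.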

DHCP

I want Wi-Fi clients to have their network configuration set automatically. So I need to set up a DHCP server.

DHCP configuration is in /etc/dhcpd.conf:

shared-network WLAN {
  option  domain-name "example.net";
  option  domain-name-servers xxx.xxx.xxx.xxx, yyy.yyy.yyy.yyy;

  subnet 192.168.2.0 netmask 255.255.255.0 {
    option routers 192.168.2.254;
    range 192.168.2.32 192.168.2.127;
  }
}

I want DHCP to give addresses only to Wi-Fi devices, so only on the rum0 interface. The list of interfaces to work on is stored in /etc/dhcpd.interfaces; I just have to write rum0 in it.

Activating the DHCP server is done by adding the following line to /etc/rc.conf.local:

/etc/rc.conf.local

(…)
dhcpd_flags=""

PF

A major feature of OpenBSD is Packet Filter (aka PF). This is the tool to filter TCP/IP traffic and do almost anything with network packets. The official PF FAQ is very useful.

Here is a small configuration to get the described network to work. Configuration is done in /etc/pf.conf:

# PF options
set skip on lo

# Set variables
ext_if="rl0"
int_if="rl1"
wlan_if="rum0"

# Normalize packets
scrub all random-id fragment reassemble reassemble tcp

# NAT
nat on $ext_if inet from $int_if:network to any -> $ext_if
nat on $ext_if inet from $wlan_if:network to any -> $ext_if

block log all
antispoof log quick for { lo $int_if $wlan_if }
pass quick on $int_if no state
pass quick on $wlan_if no state

# Allow outgoing traffic
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all modulate state

Activating PF is done by adding the following line to /etc/rc.conf.local:

(…)
pf=YES

Conclusion

Reboot to take all the changes into account and check that the configuration is still set. I tried to connect with my laptop and my phone, and it works.

Of course I had several problems; the main one was forgetting a parameter in the Wi-Fi configuration, so I had to read the documentation. When you do so (and ask Google for a bit of help), OpenBSD is quite easy to configure (well, considering that I don't have a GUI with a good wizard for it).

Comments

  • From Cato Auestad ·

    I am trying to set up this at home and your guide is currently the only one I found that includes WPA ;) Thanks!

    However, you do not mention anything about net.ip.forwarding in sysctl, is this not necessary?

  • From Laurent ·
    Thanks for pointing this out. You are right, you need to set net.inet.ip.forwarding=1 in /etc/sysctl.conf otherwise it won't work.
  • From Peter Hansteen ·
    @Cato actually, deep in http://home.nuug.no/~peter/pf/ (http://home.nuug.no/~peter/pf/en/wireless.simple.setup.html to be exact) you will find wpa. Also, the ifconfig (and hostname.if) syntax for wpa changes slightly in the upcoming 4.9; essentially, wpa-psk as a separate program retires to the attic.
  • From ofthecentury ·
    In OpenBSD 7.5 it's wpakey, not wpapsk, for the shared key.