Setting up an All-Linux Wireless LAN

Laptops are cheap, WiFi cards are cheap and well supported, so maybe it's time to build your own LAN.

Set up WiFi on the Client

All you should have to do on the client is set an extended service set ID (ESSID) that matches the one on the base station. The ESSID is broadcast in the clear and is not a secret; it only selects which network the card joins, so don't count on it for access control.

Set up the DHCP Server on the Base Station

To make the base station work as a DHCP server, you also will need to add a route to 255.255.255.255, the destination address of DHCP broadcast traffic. Unless that route exists, DHCP replies will take the default route instead of the WiFi interface, which is not what you want. You can add this route in the dhcpd init script. While you're editing the script, make dhcpd listen only on the WiFi interface (in the case of solanum, eth0); you don't want the base station spewing DHCP traffic to places it isn't wanted. So replace

    /usr/sbin/dhcpd

with

    route add -host 255.255.255.255 dev eth0
    /usr/sbin/dhcpd eth0

Set up a dhcpd.conf file on the base station to give out IP addresses only to your own systems:

    # /etc/dhcpd.conf for solanum
    # run the DHCP server on the WiFi interface only!
    default-lease-time 1800;
    max-lease-time 7200;
    # no "range" in either subnet: only the hosts listed below, with a
    # fixed-address, ever get a lease
    subnet 10.2.0.0 netmask 255.255.0.0 {
    }
    subnet 198.144.202.0 netmask 255.255.255.0 {
    }
    host cannabis {
        hardware ethernet 00:02:2d:2e:56:df;
        fixed-address 10.2.0.2;
    }

This is not a security measure: a client can set its hardware address to anything it likes (ifconfig does it in one command), so the host list only keeps your DHCP server from wasting time on neighbors who set up their clients incorrectly.

At this point you should be able to ping the base station from the client over WiFi.

VPN

There are many virtual private network (VPN) options for Linux, and you might have one installed already for a different reason. If so, you can skip installing a separate VPN just for WiFi: configure IP masquerading on the base station so that the only traffic allowed from the WiFi network is to the VPN server, and vice versa, and you're done. If you need to set up a VPN between several locations for travelers or for home offices, and you also need VPNs for WiFi at each location, save time by picking one VPN that works for both.

Otherwise, choose and install a VPN just for WiFi. For this article, I chose vpnd (see Resources), which has the advantages of working with an “out-of-the-box” kernel, being available as a Debian package and being simple to configure.

The kernels of the clients and the server need the kernel random number generator and SLIP support (built in, or as a module). The stock kernels that come with distributions have this, but if you built your own kernel and left out modules you didn't need at the time, you'll have to go back, run make menuconfig, choose SLIP and then do:

    make modules && make modules_install

The good news is that you don't have to reboot to do this if you're running a modular kernel and still have the kernel source and the kernel .config that you built from. If you took out kernel random number generator support, shame on you—put it back in, as not only vpnd but much other fine crypto software depends on it.
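Before rebuilding anything, it is worth checking what the kernel you are running was actually built with. The script below is an added example, not from the article or from the vpnd package: it reads a kernel .config, distinguishes the three states an option can be in (built in, module, not set), tries to load the slip module when that is what the .config promises, and confirms that the random number generator's device node exists. The .config path is whatever you pass as the first argument; /usr/src/linux/.config is an assumed default, not something the article specifies.

```shell
#!/bin/sh
# Added example, not from the article: a preflight check of a kernel .config
# for the SLIP support vpnd needs, so you know whether to go back to
# make menuconfig before anything else. The .config path is the first
# argument (assumed /usr/src/linux/.config if omitted).

# cfg_state CONFIG_NAME /path/to/.config -> prints builtin, module or absent.
# Handles all three spellings a .config uses: "CONFIG_X=y", "CONFIG_X=m" and
# "# CONFIG_X is not set" (a missing line counts as absent too). The regex
# anchors on "=" or " " so CONFIG_SLIP does not match CONFIG_SLIP_COMPRESSED.
cfg_state() {
    case "$(grep -E "^(# )?$1( |=)" "$2" 2>/dev/null | head -n 1)" in
        "$1=y") echo builtin ;;
        "$1=m") echo module ;;
        *)      echo absent ;;
    esac
}

# slip_ready /path/to/.config -> 0 if SLIP is usable, 1 if the kernel needs
# reconfiguring. For a module it also tries to load it, since "=m" in .config
# means nothing if make modules_install was never run.
slip_ready() {
    case "$(cfg_state CONFIG_SLIP "$1")" in
        builtin) echo "SLIP is compiled in" ;;
        module)
            if command -v modprobe >/dev/null 2>&1 && modprobe slip 2>/dev/null; then
                echo "SLIP module loaded"
            else
                echo "SLIP is configured as a module but did not load;" \
                     "run make modules && make modules_install" >&2
                return 1
            fi ;;
        absent)
            echo "SLIP missing: make menuconfig, enable SLIP, then" \
                 "make modules && make modules_install" >&2
            return 1 ;;
    esac
}

# rng_ready [device] -> 0 if the kernel random number generator's device node
# exists (a character device), 1 otherwise.
rng_ready() {
    [ -c "${1:-/dev/random}" ]
}

# Run directly: check the .config given on the command line (assumed path).
if [ -n "$1" ]; then
    slip_ready "${1:-/usr/src/linux/.config}"; rc=$?
    rng_ready || { echo "/dev/random is missing: put the RNG back in the kernel" >&2; rc=1; }
    exit $rc
fi
```

Run it as `sh slipcheck.sh /usr/src/linux/.config` on each machine; a non-zero exit means go back to make menuconfig, and the message on stderr says which of the two things is missing.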

To set up keys for vpnd, run vpnd -m on the base station, then copy the resulting /etc/vpnd/vpnd.key to the client. The key is a shared secret: copy it over a channel you trust (scp over the wired network, or a floppy), not over the still-unprotected WiFi link, and keep it readable by root only at both ends. Configuration files for vpnd are pretty simple; Listing 2 shows an example.

Listing 2. /etc/vpnd/vpnd.conf

At this point you should be able to ping the base station's virtual address (10.3.0.1 in this case) from the client, and vice versa. If not, check the logs for vpnd errors, and use ifconfig and route at both ends to make sure the IP address and routing information are correct.

IP Masquerading

Every distribution has its own IP masquerading setup tool, and IP masquerading articles are as common as pig tracks, so turn it on however it says in the book. You will need to make sure that the WiFi network (10.2.0.0/16 in our example) doesn't get masqueraded—just the VPN's virtual addresses (10.3.0.1 is the base station's end). To test that masquerading is set up correctly, don't only surf the Web and send mail from the client; also temporarily change the client's default route to point at the base station's WiFi address instead of the VPN, and make sure that you can't reach anything beyond the base station that way.
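What "masquerade the VPN, not the WiFi" comes down to in firewall rules is easier to review as a script than to reconstruct from a distribution's setup tool. The following is an added example, not from the article and not the output of any distribution's tool: an iptables policy for the base station that forwards and masquerades only packets arriving through the VPN interface, admits raw WiFi traffic only for DHCP, ping and the vpnd port, and never forwards it. The interface names other than eth0, the VPN virtual network 10.3.0.0/24, and vpnd listening on TCP port 2000 are assumptions; take the real values from your vpnd.conf and ifconfig output. The script prints the rules by default so you can read them first, checks them for the one mistake this section warns about, and applies them only when asked.

```shell
#!/bin/sh
# Added example, not from the article or from any distribution's masquerading
# tool: an iptables policy for the base station that forwards and masquerades
# only traffic arriving through the VPN. The raw WiFi network is reachable
# only for DHCP, ping and the vpnd port, and is never forwarded.
# Assumptions (change to match your setup): the upstream interface is eth1,
# vpnd's SLIP interface is sl0, the VPN virtual network is 10.3.0.0/24 and
# vpnd listens on TCP port 2000.
WIFI_IF=${WIFI_IF:-eth0}           # WiFi interface (solanum's eth0 in the article)
UPSTREAM_IF=${UPSTREAM_IF:-eth1}   # assumed wired/upstream interface
VPN_IF=${VPN_IF:-sl0}              # assumed: vpnd runs SLIP, so its interface is sl0
WIFI_NET=10.2.0.0/16               # WiFi addresses handed out by dhcpd (article)
VPN_NET=10.3.0.0/24                # virtual addresses; the /24 is an assumption
VPND_PORT=${VPND_PORT:-2000}       # assumed; take the real port from vpnd.conf

# Emit the rules instead of running them, so the policy can be reviewed
# (and tested) before it touches a live firewall. Every rule that passes
# traffic names VPN_IF or VPN_NET; WIFI_NET never appears in an ACCEPT or NAT rule.
masq_rules() {
    cat <<EOF
# --- inbound on the WiFi interface: DHCP, ping and vpnd only ---
iptables -N wifi_in 2>/dev/null || true
iptables -F wifi_in
iptables -A wifi_in -p udp --dport 67 -j ACCEPT
iptables -A wifi_in -p icmp --icmp-type echo-request -j ACCEPT
iptables -A wifi_in -p tcp --dport $VPND_PORT -j ACCEPT
iptables -A wifi_in -j DROP
iptables -D INPUT -i $WIFI_IF -j wifi_in 2>/dev/null || true
iptables -I INPUT -i $WIFI_IF -j wifi_in
# --- forwarding: only what came in over the VPN, plus replies ---
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -i $VPN_IF -o $UPSTREAM_IF -s $VPN_NET -j ACCEPT
iptables -A FORWARD -i $UPSTREAM_IF -o $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WIFI_IF -j DROP
# --- NAT: masquerade the VPN addresses only; $WIFI_NET gets no NAT rule ---
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s $VPN_NET -o $UPSTREAM_IF -j MASQUERADE
EOF
}

# Exit 0 only if no rule that passes traffic (ACCEPT or MASQUERADE) mentions
# the WiFi network; this is the mistake the article tells you to test for.
check_policy() {
    if masq_rules | grep -v '^#' | grep -E 'ACCEPT|MASQUERADE' | grep -qF "$WIFI_NET"; then
        echo "policy error: $WIFI_NET would be forwarded or masqueraded" >&2
        return 1
    fi
    return 0
}

case "${1:-show}" in
    show)  masq_rules ;;
    check) check_policy ;;
    apply) check_policy && masq_rules | sh -e ;;   # run as root on the base station
    *)     echo "usage: $0 show|check|apply" >&2; exit 2 ;;
esac
```

Note that `apply` flushes the FORWARD chain and the nat POSTROUTING chain, so merge it with whatever your distribution's tool already installed rather than running both. The client-side test from the text then goes: on the client, `route del default` and `route add default gw <base station WiFi address>` (that address is not given in the article), then ping an outside host. The ping must fail, because no FORWARD rule accepts packets arriving on the WiFi interface; restore the VPN default route afterwards.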

Many exciting future developments in wireless networking are on the way. Future security protocols should make the VPN dance unnecessary, and community networks such as NoCatNet are working out protocols to let you share your access point with neighbors without opening yourself up to abuse. But, today's 802.11b cards are going to be common and serviceable for a long time.

Resources

email: dmarti@zgp.org

Don Marti is technical editor of Linux Journal and editor in chief of Embedded Linux Journal.


Comments


Setting Up Wi-Fi under Linux


I wish such articles were less filled with extra words, but thanks for this; the part about DHCP might be helpful.
