Raspberry Pi - Bridge WLAN to local LAN
Objective:
Use a Raspberry Pi (RPi) to connect to a WiFi network that offers internet access and “bridge” that connection, via the ethernet port of the RPi, to the WAN port of a WiFi router, so that the router acts as a gateway for local endpoint devices. It is also possible to “bridge” the RPi ethernet port directly to a switch, where other devices get network access over an ethernet cable (or to a single computer connected directly to the ethernet port of the RPi).
“Schematics” for communication/setup:
Internet > WiFi access point > WLAN NIC on RPi > Ethernet NIC on RPi > WAN port of a WiFi router > local WLAN (or ethernet ports) of the WiFi router > local endpoint devices/clients
or, for a switch:
Internet > WiFi access point > WLAN NIC on RPi > Ethernet NIC on RPi > switch port > local endpoint devices/clients via ethernet cable
Things needed:
Raspberry Pi (either an older one without onboard WLAN NIC or one with an onboard WLAN NIC)
Raspberry Pi OS Lite, latest version available
A USB WLAN NIC (if not using a RPi with an onboard WLAN NIC)
Ethernet cable (between the RPi and the WAN port of the router, or the switch)
A power adapter for the RPi
A WiFi router w/ power adapter, or a switch w/ power adapter
Keyboard and screen to use for the first steps of the RPi setup (when the SSH daemon is active on the RPi, it is easier to use a PC to connect to the RPi via SSH to do the rest of the setup)
HowTo
Download and flash the latest available Raspberry Pi OS Lite to an SD card
Boot Raspberry Pi OS and make the “usual” changes with raspi-config
password
hostname
network (wifi network + wifi country)
timezone
keyboard layout
SSH daemon enabled
expand filesystem (should normally be done automatically at first boot)
Reboot
Check keyboard layout and wifi network access
(if network access isn’t working, check and change /etc/wpa_supplicant/wpa_supplicant.conf and reboot once again)
Upgrade Raspberry Pi OS (sudo apt update && sudo apt upgrade)
Note: To add more WiFi networks, see “Add WiFi Networks” at the end of this instruction. Remember to add “scan_ssid=1” if connecting to a wireless network that has a hidden SSID.
At this point you can switch to SSH: shut the RPi down, make it “headless”, boot it again and connect to it over SSH from another PC to do the rest of the setup. It is easier to copy/paste commands and file content from a PC over SSH than to type on a keyboard attached to the RPi. Typing everything letter by letter also increases the risk of misspellings, which lead to problems and unnecessary troubleshooting.
Now a DHCP server is needed on the ethernet NIC of the RPi in order to provide the WAN port of the router (or switch-attached client devices) with an IP address.
First configure the ethernet NIC of the RPi to use a static IP address. This is also the time to decide the IP address range that will be used for the “inside” network, i.e. the range from which the DHCP server will hand out IP address leases to internal devices. It has to be a range taken from the non-routable (private) IP address ranges:
https://en.wikipedia.org/wiki/Private_network
Chosen range for this configuration: 172.22.11.0/24
Edit /etc/dhcpcd.conf to make the address of the eth0 NIC static (no DHCP)
sudo nano /etc/dhcpcd.conf
Add the following to the bottom of the file:
interface eth0
static ip_address=172.22.11.1/24
#static routers=172.22.11.1
static domain_name_servers=1.1.1.1 8.8.8.8
nohook wpa_supplicant
Reboot the RPi (or restart the network service)
sudo reboot
Check with ifconfig (or ip addr) that the eth0 interface has got its static IP address
Install the DHCP server/daemon (dnsmasq):
sudo apt install dnsmasq
Stop the service for dnsmasq while configuring
sudo systemctl stop dnsmasq
Configure the DHCP service
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
sudo nano /etc/dnsmasq.conf
Add the following to the file. Make sure to use a DHCP address lease range from the same range that was previously defined in /etc/dhcpcd.conf
interface=eth0
dhcp-range=172.22.11.100,172.22.11.199,255.255.255.0,24h
The above is sufficient but the following might be added as well:
listen-address=172.22.11.1
bind-interfaces
domain-needed # Don't forward short names
bogus-priv # Drop the non-routed address spaces
Start up the dnsmasq service again
sudo systemctl start dnsmasq
Check that dnsmasq is running
journalctl -u dnsmasq.service
Check that the dnsmasq configuration file has correct syntax
dnsmasq --test
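Before starting dnsmasq it is worth verifying that the dhcp-range really lies inside the subnet given to eth0, as the step above requires. The script below is an added example (not part of this howto) that reads both files and performs that check; it assumes the file layouts shown above and, as written, exercises itself on constructed copies of the 172.22.11.0/24 values.

```shell
#!/bin/sh
# Added example, not part of the original howto: check that the dnsmasq
# dhcp-range lies inside the static subnet given to eth0 in dhcpcd.conf.
# Assumes the file layouts shown above (an interface/static ip_address=
# stanza in dhcpcd.conf, a dhcp-range= line in dnsmasq.conf).

# Convert a dotted-quad IPv4 address to a 32-bit integer
ip4_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the "address/prefix" of the static ip_address= line for an interface
static_cidr() {       # $1 = dhcpcd.conf path, $2 = interface name
    awk -v ifc="$2" '
        /^interface / { cur = $2 }
        cur == ifc && /^static ip_address=/ { sub(/.*=/, ""); print; exit }
    ' "$1"
}

# Print "start,end" from the first dhcp-range= line
dhcp_range() {        # $1 = dnsmasq.conf path
    sed -n 's/^dhcp-range=\([^,]*\),\([^,]*\).*/\1,\2/p' "$1" | head -n 1
}

# Succeed only if both ends of the lease range sit inside the interface subnet
check_dhcp_range() {  # $1 = dhcpcd.conf, $2 = dnsmasq.conf, $3 = interface
    cidr=$(static_cidr "$1" "$3"); range=$(dhcp_range "$2")
    [ -n "$cidr" ] && [ -n "$range" ] || return 1
    addr=${cidr%/*}; prefix=${cidr#*/}
    start=${range%,*}; end=${range#*,}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( $(ip4_to_int "$addr") & mask ))
    [ $(( $(ip4_to_int "$start") & mask )) -eq "$net" ] &&
    [ $(( $(ip4_to_int "$end") & mask )) -eq "$net" ] &&
    [ "$(ip4_to_int "$start")" -le "$(ip4_to_int "$end")" ]
}

# Self-check on constructed files with this howto's 172.22.11.0/24 values;
# $1 is the "start,end" pair to test
sample_check() {
    d=$(mktemp -d) || return 1
    printf 'interface eth0\nstatic ip_address=172.22.11.1/24\nnohook wpa_supplicant\n' > "$d/dhcpcd.conf"
    printf 'interface=eth0\ndhcp-range=%s,255.255.255.0,24h\n' "$1" > "$d/dnsmasq.conf"
    check_dhcp_range "$d/dhcpcd.conf" "$d/dnsmasq.conf" eth0; rc=$?
    rm -rf "$d"; return $rc
}

sample_check 172.22.11.100,172.22.11.199 && echo "sample dhcp-range is inside 172.22.11.0/24"
```

On the RPi itself, call check_dhcp_range /etc/dhcpcd.conf /etc/dnsmasq.conf eth0 and treat a non-zero exit as a misconfiguration to fix before starting dnsmasq.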
Next, configure Network Address Translation (NAT). NAT lets multiple clients on the LAN share the single “outside” IP address of the RPi, with all their traffic routed through it.
sudo nano /etc/sysctl.conf
Uncomment the line
#net.ipv4.ip_forward=1
so that it looks like
net.ipv4.ip_forward=1
This will start IPv4 forwarding on boot up.
Add a masquerade rule for outbound traffic on wlan0 plus the two forwarding rules that are needed (three rules in total)
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
sudo iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
You can check to see what is in the tables with:
sudo iptables -t nat -S
sudo iptables -S
Note: If the wireless interface is connected to an untrusted public network, one more iptables rule is advisable. It drops any attempt to reach the RPi itself on the wireless interface from the outside. Because it matches every packet arriving on wlan0, it also drops the replies to connections the RPi opens itself over wlan0 (apt, and the upstream DNS queries dnsmasq makes on behalf of the clients) unless a rule accepting RELATED,ESTABLISHED traffic on INPUT is inserted before it.
sudo iptables -A INPUT -i wlan0 -j DROP
To have the above iptables rules reapplied on reboot, save them with:
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
Edit /etc/rc.local and add the line below just above "exit 0" to install these rules on boot
sudo nano /etc/rc.local
add:
iptables-restore < /etc/iptables.ipv4.nat
Please note that the above iptables rules do not necessarily amount to a bulletproof, full-blown firewall unless they are set up with knowledge and care. Further iptables configuration may be needed for that.
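An added example (not the howto's own rules) that generates the complete rule set in iptables-restore format: the page's masquerade and forwarding rules plus default-deny policies, an INPUT rule accepting RELATED,ESTABLISHED traffic placed before the wlan0 DROP, and explicit allows for DHCP, DNS and SSH from the LAN side only. The interface names wlan0/eth0 and the 172.22.11.0/24 range are taken from this page; everything else is an assumption.

```shell
#!/bin/sh
# Added example, not from the original howto: emit this page's NAT rules in
# iptables-restore format, together with the rules that keep the wlan0 DROP from
# cutting off the RPi's own outbound traffic. Assumed names (the values used
# above): WAN=wlan0, LAN=eth0, LAN_NET=172.22.11.0/24.
WAN=${WAN:-wlan0}
LAN=${LAN:-eth0}
LAN_NET=${LAN_NET:-172.22.11.0/24}

# Print the rule set; load it with: make_ruleset | sudo iptables-restore
make_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# the page's masquerade: LAN clients leave with the RPi's $WAN address
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
# default-deny on INPUT and FORWARD; OUTPUT stays open for the RPi itself
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies to connections the RPi opened itself (apt, dnsmasq's upstream DNS
# queries) must be accepted before anything arriving on $WAN is dropped
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# services offered to the LAN side only: DHCP, DNS (dnsmasq) and SSH
-A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $WAN -j DROP
# the page's two forwarding rules, with the LAN source network pinned
-A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
COMMIT
EOF
}
# Sanity check: the RELATED,ESTABLISHED accept must precede the $WAN DROP
rule_order_ok() {
    make_ruleset | awk -v wan="$WAN" '
        /^-A INPUT .*RELATED,ESTABLISHED/ { est = NR }
        $0 == "-A INPUT -i " wan " -j DROP" { drop = NR }
        END { exit !(est && drop && est < drop) }'
}
rule_order_ok && echo "rule order OK; apply with: make_ruleset | sudo iptables-restore"
```

Review the output first, then load it with make_ruleset | sudo iptables-restore and save it with the iptables-save command above so that /etc/rc.local restores it on boot.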
Reboot the RPi
sudo reboot
Check that the iptables rules and IPv4 forwarding work (i.e. just surf the web from a client connected to the newly created setup; if that works, everything is fine).
---------
Add WiFi Networks
To add additional WiFi networks, edit the wpa_supplicant.conf file
sudo nano /etc/wpa_supplicant/wpa_supplicant.conf
The settings used in this configuration file may vary depending on how the wireless network is set up; the block below is for a network using WPA2-PSK and AES. In most cases, though, only the SSID and the psk are needed to connect.
network={
ssid="SSID of the network"
psk="the password/passphrase to connect to the network"
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP
auth_alg=OPEN
id_str="home"
}