Blog tvlooy

Building an OpenBSD wireless access point

OpenBSD, networking | December 30, 2013

I have a Cisco/Linksys wireless access point to provide me with WiFi at home. I was never satisfied with the device, from day one, and it caused lots of trouble. I would never buy Cisco/Linksys again. Some time ago it even started crashing / rebooting very frequently, which by the way also feels very creepy after watching @ioerror's talk at #30c3. Anyway, I'm totally fed up with the "broken" device so today I decided to see what hardware I had lying around to build a replacement.

My home network is protected by an OpenBSD NAT/firewall which also does things like DHCP and DNS. It used to run on a Soekris net5501. I also had an older, less powerful net4801 that was not in use. I found a wireless USB adapter and a wireless miniPCI adapter that I "recovered" from an old D-Link router. That was my initial hotspot setup.

Things changed over time. The home network is now running on an APU2 and the Soekris net5501 became the wifi access point. I got myself an athn card for it so I can do WPA. It runs OpenBSD 6.0, and when I upgrade it to anything more recent, performance drops to max 2Mbps; see also https://marc.info/?l=openbsd-bugs&m=151009278125431&w=2. Keep that in mind if you are on a similar setup.

pxeboot

The APU2 was set up with pxeboot capabilities. That is actually very easy; it just takes a single line in /etc/dhcpd.conf:

filename "pxeboot";

Of course the tftp service must be running too:

rcctl start tftpd

The tftp service points to the directory /tftpboot, which was created and populated like this:

# mkdir -p /tftpboot
# cd /tftpboot
# ftp https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.0/i386/pxeboot
# ftp https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.0/i386/bsd.rd
# mkdir etc
# cat << EOF > etc/boot.conf
stty com0 19200
set tty com0
boot tftp:/bsd.rd
EOF

I think the default baud rate of a Soekris is also 19200, so I'm just adapting the OpenBSD console to that.

Installing base

For installing the base system I hooked up the Soekris with my laptop using a serial to USB cable. There are a lot of Linux tools available that can connect to a serial device. For example cu, screen (not tmux unfortunately) and ckermit. I used ckermit:

$ sudo apt-get install ckermit
$ kermit
C-Kermit>set line /dev/ttyUSB0
C-Kermit>set speed 19200
C-Kermit>set carrier-watch off
C-Kermit>connect

When the power is connected, the system starts comBIOS and allows you to jump into configuration by pressing ctrl+p. At the comBIOS prompt, start network boot with this instruction:

boot f0

The system will use DHCP and the APU2 will give it instructions for pxeboot. The bsd.rd (ramdisk) kernel is loaded and the installation starts. A default installation was just fine in this case.

... comBIOS output ...
switching console to com0
>> OpenBSD/i386 PXEBOOT 3.31
booting tftp:/bsd.rd: 3181055+1369088+3366920+0+454656 [349692+107+290608+284430]=0x8dfee4
entry point at 0x201000
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2019 OpenBSD. All rights reserved. https://www.OpenBSD.org
OpenBSD 6.5-beta (RAMDISK_CD) #1272: Sat Mar 16 23:11:49 MDT 2019
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD
... dmesg output ...
Welcome to the OpenBSD/i386 6.0 installation program.
(I)nstall, (U)pgrade or (S)hell?

Network interfaces

The APU2 assigns a fixed IP to the device based on its MAC address. The wired interface is configured in /etc/hostname.vr0:

dhcp

For the machine to allow forwarding traffic between interfaces, the following system control must be active and uncommented in /etc/sysctl.conf:

net.inet.ip.forwarding=1

The two wireless interfaces I got for the machine are athn. It needs non-free firmware but OpenBSD installs that automatically.

The athn interface supports WPA. The device is configured in /etc/hostname.athn0:

inet 10.0.1.1 255.255.255.0
mediaopt hostap
nwid ctors
wpakey mysecretpassword
chan 9
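A pre-flight check for the hostname.athn0 file above, as an added example that is not part of the original post. It goes slightly beyond the file shown: besides the ifconfig rules for wpakey (passphrase of 8 to 63 characters, nwid set before wpakey), it flags WEP (nwkey), an open hostap, and a file that other users can read, since the passphrase sits in it in cleartext. The function name audit_hostap and the placeholder check on "mysecretpassword" are assumptions made for this example.

```shell
#!/bin/sh
# audit_hostap FILE: print one finding per line for a hostname.if(5) file.
# Returns 0 when there are no findings, 1 otherwise.
audit_hostap() {
    file=$1 findings=0 hostap=0 nwid_seen=0 wpa=0 prev=
    warn() { echo "$file: $1"; findings=$((findings + 1)); }

    # The passphrase is stored in cleartext: "other" must have no access.
    perms=$(ls -ln "$file" | cut -c8-10)
    [ "$perms" = "---" ] || warn "accessible to other users ($perms), chmod 640"

    set -f                              # no globbing while splitting tokens
    for tok in $(grep -v '^[[:space:]]*#' "$file"); do
        case $prev in
        wpakey)                         # $tok is the key itself
            case $tok in
            0x*) ;;                     # full-length hex key, not checked here
            *)  [ ${#tok} -ge 8 ] && [ ${#tok} -le 63 ] ||
                    warn "WPA passphrase must be 8 to 63 characters"
                [ "$tok" != mysecretpassword ] ||
                    warn "passphrase is still the tutorial placeholder" ;;
            esac
            prev=; continue ;;
        nwid|nwkey) prev=; continue ;;  # $tok is a value, not a keyword
        esac
        case $tok in
        hostap) hostap=1 ;;
        nwid)   nwid_seen=1 ;;
        nwkey)  warn "nwkey configures WEP, use wpakey instead" ;;
        wpakey) wpa=1
                [ $nwid_seen -eq 1 ] ||
                    warn "wpakey before nwid: ifconfig hashes the passphrase with the nwid" ;;
        esac
        prev=$tok
    done
    set +f
    [ $hostap -eq 0 ] || [ $wpa -eq 1 ] || warn "hostap without wpakey is an open network"
    [ $findings -eq 0 ]
}

# Constructed demo: the file from this post, with mode 640.
demo=$(mktemp) && chmod 640 "$demo"
printf '%s\n' 'inet 10.0.1.1 255.255.255.0' 'mediaopt hostap' 'nwid ctors' \
    'wpakey mysecretpassword' 'chan 9' > "$demo"
audit_hostap "$demo" || true            # flags only the placeholder passphrase
rm -f "$demo"
```

Run it as root against /etc/hostname.athn0 before `sh /etc/netstart athn0`; an exit status of 0 means no findings.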

The wireless network has its own IP range 10.0.1/24. The net5501 will hand out IPs for it on the athn interface. A DHCP service is started like this in /etc/rc.conf.local:

dhcpd_flags="athn0"

The DHCP service config is in /etc/dhcpd.conf:

option domain-name-servers 10.0.0.1;
subnet 10.0.1.0 netmask 255.255.255.0 {
    option routers 10.0.1.1;
    range 10.0.1.10 10.0.1.20;
}

To make the new subnet reachable from your wired network, add this to /etc/hostname.vr1, the configuration of the APU's internal network interface. 10.0.0.2 would be the IP of the access point's wired interface:

!route add -net 10.0.1/24 10.0.0.2

OpenBSD

This software is all installed by default on an OpenBSD system and just needs some configuration. I'm always surprised how easy these things are to set up with OpenBSD. This is also explained very well in the documentation, man pages and FAQ. OpenBSD is a system that is completely usable with just the manual pages. It has always been a pleasure to use.
