"You are hereby empowered!!!" - Tom Wolfe, The Electric Kool-Aid Acid Test
In Part 1, we tested cheap devices for compatibility with IEEE 802.11w-2009. Here, we will just detail the configuration files needed to build an IEEE 802.11w-2009 compatible Raspberry Pi 3 B+ WiFi bridge. The actual steps are detailed on the official Raspberry Pi site. We will need:
1. Raspberry Pi 3 B+
2. Very good 5V 2.5A USB power module (e.g. the Raspberry Pi 2.5A module). This requirement is important! I used a stonking 5V 6A TDK RDM05-6R0.
3. Realtek RTL8812BU generic WiFi dongle, or a dongle with any of the Atheros chips tested in Part 1.
4. ADSL modem router with wired (i.e. copper) LAN interface.
For simplicity, the above diagram omits the power supplies and the powered hub. The RTL8812BU can draw a lot of power, especially if connected to an outdoor antenna.
Note it is also possible to set up the above devices as a WiFi repeater by using the Raspberry Pi's built-in WiFi chip (wlan0) as WAN.
Photo caption: Top middle: TDK 5V 6A power module. Center: Raspberry Pi 3 B+ with RTL8812BU. Bottom left: thick USB power cable with ammeter showing 920mA current draw.
First, set up your ADSL modem and make sure you have Internet WAN access via the copper LAN (i.e. wired Ethernet). I used a TP-Link Archer D20.
Next, set up your Raspberry Pi 3 B+ with the latest and greatest version of Raspbian. The Linux version of the installation guide worked for me, but there is also a Windows version. It is really worth using a fast SD card (16GB is sufficient and 32GB is plenty), Class 10 or better if you can manage it. You will need to set it up to log into your Internet connection. My Pi connected to the Internet when I plugged in the LAN cable. After it has finished installation you need to update it immediately:
# apt-get update
# apt-get upgrade
This can take hours depending on your Internet connection and you will have to reboot your Pi. Next, set up your root password:
# sudo vi /etc/passwd
Remove the 'x' from the line
root:x:0:0::/root:/bin/bash
Next set the root password using:
# sudo passwd root
I usually use the WiFi bridge 'headless' (i.e. no monitor or keyboard), so I turn off the GUI using
# sudo raspi-config
To control it, I usually enable the ssh server (again using raspi-config). Now to run it headless I make sure my laptop is connected to the same network and if it is also running Debian (Raspbian is a version of Debian) I simply do:
$ ssh -t pi@raspi.local
It is also handy to have your first setup connected to copper LAN as well as keyboard and monitor, as we will be messing about with networking tools and a mistake is likely to freeze up your remote login.
If wlan1 (the RTL8812BU) does not come up, refer to Part 1.
Next you will need to stop systemd from messing with your network interfaces.
# systemctl mask wpa_supplicant.service
Created symlink /etc/systemd/system/wpa_supplicant.service → /dev/null.
In /etc/dhcpcd.conf add the lines:
interface eth0
static ip_address=192.168.1.1/24
interface wlan0
denyinterfaces wlan0
nohook wpa_supplicant
interface wlan1
denyinterfaces wlan1
nohook wpa_supplicant
Reboot, and you should be ready for the next step.
We need to use hostapd for our bridge, so we stop systemd from messing with it:
# systemctl mask hostapd
We make a bridge and add the wireless interface to it (the brctl show output below lists wlan1 as a member, so this step must come first):
# brctl addbr br0
# brctl addif br0 wlan1
If all went well, you should get:
# brctl show br0
bridge name     bridge id               STP enabled     interfaces
br0             8000.1cbfce5d51a0       no              wlan1
Add the copper LAN to your new bridge in case you want to connect client devices by wire:
# brctl addif br0 eth0
# ifconfig eth0 0.0.0.0 up
# ifconfig wlan1 0.0.0.0 up
Where 192.168.1.1 is the IP address of your Pi at eth0 and 192.168.0.1 is the address of your WAN router (i.e. the D-Link Archer D50 in the diagram):
# ifconfig br0 192.168.1.1 up
Next set up your dnsmasq config file with:
interface=br0
except-interface=lo
listen-address=192.168.1.1
bind-interfaces
As usual you need to tell systemd to keep its grubby hands to itself:
# systemctl mask dnsmasq
# killall dnsmasq
# dnsmasq -C /etc/dnsmasq.conf
Next we get the Pi to start forwarding. Add the following lines to /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_dynaddr = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# sysctl -p /etc/sysctl.conf
Next is hostapd. Set up the config file /etc/hostapd/hostapd.conf thus:
interface=wlan1
driver=nl80211
ssid=ElectricKoolAid
hw_mode=g
channel=1
macaddr_acl=0
wpa=2
wpa_passphrase=VerySecretPassword
rsn_pairwise=CCMP
ieee80211w=2
wmm_enabled=1
auth_algs=3
ignore_broadcast_ssid=1
wpa_key_mgmt=WPA-PSK-SHA256 WPA-EAP-SHA256
wpa_pairwise=CCMP
# killall hostapd
# hostapd -dd -P /var/run/hostapd.pid /etc/hostapd/hostapd.conf -B
Next set up /etc/firewall.conf thus:
*filter
:INPUT DROP [39:4576]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [42055:10283301]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
COMMIT
# Generated by iptables-save v1.6.0
*nat
:PREROUTING ACCEPT [78732:17589805]
:INPUT ACCEPT [29742:7228146]
:OUTPUT ACCEPT [2937:514776]
:POSTROUTING ACCEPT [985:97284]
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
COMMIT
# Generated by iptables-save v1.6.0
*mangle
:PREROUTING ACCEPT [1318452:373291697]
:INPUT ACCEPT [623742:150528221]
:FORWARD ACCEPT [120385:79521689]
:OUTPUT ACCEPT [42068:10285133]
:POSTROUTING ACCEPT [168801:90872517]
-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "fix packet size for stuff that's being routed through this box (SEE NOTE *)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# iptables-restore < /etc/firewall.conf
Your IEEE 802.11w-2009 bridge AP "ElectricKoolAid" with "VerySecretPassword" should be up by now.
Over at the client (in my case the Acer Aspire E1) make a wpa_supplicant config file wpa_supplicant.conf. Notice we make IEEE 802.11w compulsory:
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1
# WPA protected network, supply your own ESSID and WPAPSK here:
network={
scan_ssid=1
ssid="ElectricKoolAid"
proto=RSN
key_mgmt=WPA-PSK-SHA256
pairwise=CCMP TKIP
group=CCMP TKIP
psk="VerySecretPassword"
ieee80211w=2
priority=10
}
And, assuming you have already wrestled with systemd (and won!) there too:
# wpa_supplicant -d -Dnl80211 -iwlan0 -c/etc/wpa_SIKAMAT7.conf -B
Note: for some reason, nl80211 worked a lot better than wext.
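Both the hostapd.conf above and the client's wpa_supplicant.conf carry the same handful of settings that turn PMF from optional into mandatory, and a later edit to either file can quietly undo that. The following audit script is an added example, not part of the original post or of hostapd/wpa_supplicant; it assumes configs in the key=value form shown above, and it is stricter than the client config in one respect, since it flags TKIP in a pairwise list.

```shell
#!/bin/sh
# Added example (not from the original post): audit a hostapd.conf ("ap")
# or a wpa_supplicant.conf ("sta") for the settings that make 802.11w PMF
# mandatory, so drift from the configuration above is caught before the
# bridge goes headless. Only keys that appear in the post are inspected.

# conf_value FILE KEY: print the last uncommented "KEY=value" in FILE
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# pmf_audit MODE FILE: prints one line per problem; exit status 0 means
# every checked setting requires PMF, 1 means at least one does not.
pmf_audit() {
    mode=$1; f=$2; rc=0
    case "$(conf_value "$f" ieee80211w)" in
        2) ;;
        1) echo "$f: ieee80211w=1 makes PMF optional, not required"; rc=1 ;;
        *) echo "$f: ieee80211w missing or 0, PMF disabled"; rc=1 ;;
    esac
    if [ "$mode" = ap ]; then
        [ "$(conf_value "$f" wpa)" = 2 ] || { echo "$f: wpa must be 2 (RSN only)"; rc=1; }
        pw=$(conf_value "$f" rsn_pairwise); km=$(conf_value "$f" wpa_key_mgmt)
    else
        [ "$(conf_value "$f" proto)" = RSN ] || { echo "$f: proto must be RSN"; rc=1; }
        pw=$(conf_value "$f" pairwise); km=$(conf_value "$f" key_mgmt)
    fi
    # BIP, the management-frame cipher PMF relies on, is only specified
    # alongside CCMP-family ciphers, so TKIP in the list is a finding.
    case " $pw " in *" TKIP "*) echo "$f: TKIP offered in pairwise list"; rc=1 ;; esac
    case " $pw " in *" CCMP "*) ;; *) echo "$f: CCMP missing from pairwise list"; rc=1 ;; esac
    [ -n "$km" ] || { echo "$f: no key management configured"; rc=1; }
    for akm in $km; do   # the post uses the SHA256 AKMs that 802.11w-2009 added
        case "$akm" in *-SHA256) ;; *) echo "$f: non-SHA256 AKM $akm"; rc=1 ;; esac
    done
    return $rc
}

# Constructed samples (not real deployments): GOOD_AP mirrors the post's
# hostapd.conf, WEAK_AP is a typical "it connects, so it is fine" variant.
TMP=$(mktemp -d); GOOD_AP=$TMP/good_hostapd.conf; WEAK_AP=$TMP/weak_hostapd.conf
printf '%s\n' 'interface=wlan1' 'wpa=2' 'rsn_pairwise=CCMP' 'ieee80211w=2' \
    'wpa_key_mgmt=WPA-PSK-SHA256 WPA-EAP-SHA256' > "$GOOD_AP"
printf '%s\n' 'interface=wlan1' 'wpa=2' 'rsn_pairwise=CCMP TKIP' 'ieee80211w=1' \
    'wpa_key_mgmt=WPA-PSK' > "$WEAK_AP"
pmf_audit ap "$GOOD_AP" && echo "$GOOD_AP: PMF required on every checked setting"
pmf_audit ap "$WEAK_AP" || echo "$WEAK_AP: PMF not enforced, see findings above"
```

Run it against the client file with `pmf_audit sta /path/to/wpa_supplicant.conf`; a zero exit status from both sides is the quick pre-flight check before the deauth test planned for part 3.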
And you should have a working link to the Pi bridge.
# wpa_cli -iwlan0 status
bssid=11:22:33:44:55:66
freq=2412
ssid=ElectricKoolAid
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2-PSK-SHA256
pmf=2
mgmt_group_cipher=BIP
wpa_state=COMPLETED
ip_address=192.168.0.114
And there should be Internet access; provided you have set up your WAN router's DHCP server, the client at the end of the bridge "ElectricKoolAid" should get its dhclient requests routed straight through.
ping -c 4 -I wlan0 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.0.114 wlan0: 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=524 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=518 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=380 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=346 ms
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 346.240/442.040/524.243/79.921 ms
To get it to start on power up, just put the commands in /etc/rc.local.
There you have it, IEEE 802.11w-2009 AP and client, immune from the dreaded Deauth Attack. In part 3 we will launch an aircrack-ng deauth attack at the bridge AP.
Or, as Tom Wolfe said: "You are hereby empowered!!!". Happy Trails.