eth0 (wired) is connected to the home network 192.168.167.0/24, whose gateway is 192.168.167.1.
Create the following files in /etc/network/interfaces.d/ as root:

eth0:

```
auto eth0
iface eth0 inet manual
```

wlan0:

```
auto wlan0
iface wlan0 inet manual
    nohook wpa_supplicant  # Conflicts with running in Access Point mode
```

br0:

```
auto br0
iface br0 inet static
    address 192.168.167.48
    gateway 192.168.167.1
    bridge_ports eth0 wlan0
    # Ethernet Bridging: Block DHCP from our WiFi stations going out over our
    # wired connection (we want to be the ones to answer DHCP requests, not our
    # ISP)
    up   ebtables -t filter -A FORWARD --protocol 0x0800 --ip-protocol UDP --ip-destination-port 67 -j DROP
    down ebtables -t filter -D FORWARD --protocol 0x0800 --ip-protocol UDP --ip-destination-port 67 -j DROP
    # Internet Protocol Network Address Translation when using this bridge, and
    # any ExpressVPN tun0 which come and go with VPN connections
    up   iptables -t nat -A POSTROUTING -o br0  -j MASQUERADE
    up   iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    down iptables -t nat -D POSTROUTING -o br0  -j MASQUERADE
    down iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
```
Then run:

```
sudo apt remove openresolv
sudo apt install dnsmasq hostapd
```
Modify /etc/dnsmasq.conf:

```
dhcp-range=172.16.0.10,172.16.0.20,1h
except-interface=eth0
dhcp-authoritative
```
Restart the dnsmasq service to pick up the changes:

```
sudo systemctl restart dnsmasq
```
Modify /etc/default/hostapd and change the value of DAEMON_CONF:

```
DAEMON_CONF="/etc/hostapd/hostapd.conf"
```
Create /etc/hostapd/hostapd.conf:

```
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
auth_algs=1
beacon_int=100
ssid=teleport
wpa_passphrase=CHANGEME
country_code=US
interface=wlan0
bridge=br0
driver=nl80211
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
macaddr_acl=0
logger_syslog=0
logger_syslog_level=4
logger_stdout=-1
logger_stdout_level=0
hw_mode=a
wmm_enabled=1
# N
ieee80211n=1
require_ht=1
ht_capab=[MAX-AMSDU-3839][HT40+][SHORT-GI-20][SHORT-GI-40][DSSS_CCK-40]
# AC
ieee80211ac=1
require_vht=1
ieee80211d=0
ieee80211h=0
vht_capab=[MAX-AMSDU-3839][SHORT-GI-80]
vht_oper_chwidth=1
channel=36
vht_oper_centr_freq_seg0_idx=42
ignore_broadcast_ssid=0
```
Restart the hostapd service to pick up the changes:

```
sudo systemctl restart hostapd
```
Now apply the network changes, and disable the DHCP client daemon since we don't want our bridge's slave interfaces getting ideas above their station:

```
systemctl disable --now dhcpcd systemd-resolved
ifdown --verbose --all
ifup --verbose --all
```
The resulting state looks like this:

```
pi@raspberrypi4:~ $ sudo iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  426 35264 MASQUERADE  all  --  *      br0     0.0.0.0/0            0.0.0.0/0
  804  103K MASQUERADE  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

pi@raspberrypi4:~ $ sudo ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-p 0x800 --ip-proto udp --ip-dport 67 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

pi@raspberrypi4:~ $ ip route
0.0.0.0/1 via 10.89.0.29 dev tun0
default via 192.168.167.1 dev br0 onlink
10.0.0.0/8 via 192.168.167.1 dev br0
10.89.0.1 via 10.89.0.29 dev tun0
10.89.0.29 dev tun0 proto kernel scope link src 10.89.0.30
128.0.0.0/1 via 10.89.0.29 dev tun0
172.16.0.0/12 via 192.168.167.1 dev br0
192.168.0.0/16 via 192.168.167.1 dev br0
192.168.167.0/24 dev br0 proto kernel scope link src 192.168.167.48
203.159.81.39 via 192.168.167.1 dev br0

pi@raspberrypi4:~ $ expressvpn status
A new version is available, download it from https://www.vlycgtx.com/latest?utm_source=linux_app.
Connected to Netherlands - The Hague
- To protect your privacy if your VPN connection unexpectedly drops, you can enable Network Lock by typing 'expressvpn preferences set network_lock on'.
pi@raspberrypi4:~ $
```
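As an added check that is not part of the original page, the following Python parses dumps like the ones above and verifies the three properties this setup relies on: the VPN's 0.0.0.0/1 and 128.0.0.0/1 routes both point at one device (if they vanish, station traffic falls back to `default via ... dev br0` and leaves unencrypted, which is what the Network Lock hint in the `expressvpn status` output is about), the bridge FORWARD chain drops DHCP server-bound UDP, and both br0 and tun0 carry a MASQUERADE rule. The sample inputs are constructed copies of the captured output above; the function names are my own.

```python
import re

# Constructed sample input, trimmed from the captured output above.
IP_ROUTE = """\
0.0.0.0/1 via 10.89.0.29 dev tun0
default via 192.168.167.1 dev br0 onlink
128.0.0.0/1 via 10.89.0.29 dev tun0
192.168.167.0/24 dev br0 proto kernel scope link src 192.168.167.48
"""
EBTABLES = """\
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-p 0x800 --ip-proto udp --ip-dport 67 -j DROP
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
"""
IPTABLES_NAT = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  426 35264 MASQUERADE  all  --  *      br0     0.0.0.0/0            0.0.0.0/0
  804  103K MASQUERADE  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
"""

def vpn_dev(ip_route):
    """Device carrying both 0.0.0.0/1 and 128.0.0.0/1 (the pair a VPN client
    installs to override the default route), or None if the VPN is not routing."""
    devs = {}
    for line in ip_route.splitlines():
        m = re.match(r"(\S+) via \S+ dev (\S+)", line)
        if m:
            devs[m.group(1)] = m.group(2)
    low, high = devs.get("0.0.0.0/1"), devs.get("128.0.0.0/1")
    return low if low is not None and low == high else None

def dhcp_forward_blocked(ebtables):
    """True if the bridge FORWARD chain drops IPv4 UDP to port 67 (DHCP server)."""
    in_forward = False
    for line in ebtables.splitlines():
        if line.startswith("Bridge chain:"):
            in_forward = line.startswith("Bridge chain: FORWARD")
        elif in_forward and "--ip-proto udp" in line and "--ip-dport 67" in line:
            return line.rstrip().endswith("-j DROP")
    return False

def masquerade_out_ifaces(iptables_nat):
    """Output interfaces with a MASQUERADE rule in nat POSTROUTING ('out' column)."""
    ifaces, in_post = set(), False
    for line in iptables_nat.splitlines():
        if line.startswith("Chain "):
            in_post = line.startswith("Chain POSTROUTING")
        elif in_post and "MASQUERADE" in line:
            ifaces.add(line.split()[6])  # pkts bytes target prot opt in out ...
    return ifaces
```

Run the same functions over live `ip route`, `sudo ebtables -L` and `sudo iptables -t nat -nvL` output to confirm the state after `ifup`, and again after a VPN drop to see `vpn_dev` return None.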