
@cablethief
Last active March 15, 2019 07:39
Setting upstream Internet and Radius for External Wireless Devices

Setup Upstream Internet and Radius

Intro

Sometimes you would like to share internet, or to use fancy wireless equipment to compete against corporate signal. Here are the commands to set up a NAT that provides your device with internet and an IP. Afterwards you can create a RADIUS server to authenticate clients to your hardware.

I have created 2 scripts to do this automatically:

Share Internet: https://gist.github.com/Cablethief/9b75affb1d6f1a14fd989329b179cb87#file-share_internet-sh

Create RADIUS: https://gist.github.com/Cablethief/9b75affb1d6f1a14fd989329b179cb87#file-create_radius-sh

Give static IP

sudo ip addr add 192.168.55.1/24 dev enp0s20f0u2u3

Give DHCP LEASES

sudo dnsmasq -i enp0s20f0u2u3 --dhcp-range=192.168.55.50,192.168.55.150,12h --dhcp-option=option:router,192.168.55.1 -q -d

Enable IP forwarding

sudo sysctl net.ipv4.ip_forward=1

NAT networking

sudo iptables -t nat -A POSTROUTING -o wlp58s0 -j MASQUERADE
sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i enp0s20f0u2u3 -o wlp58s0 -j ACCEPT

Create RADIUS Certificates

openssl genrsa -out server.key 2048
openssl req -new -sha256 -key server.key -out csr.csr
openssl req -x509 -sha256 -days 365 -key server.key -in csr.csr -out server.pem
ln -s server.pem ca.pem

Create RADIUS Config

cat << EOF >> hostapd.radius_clients
0.0.0.0/0 P@ssw0rd
EOF

Create Hostapd Radius Config

This requires certain compilation settings to work (CONFIG_DRIVER_NONE=y); if your hostapd errors, try hostapd-mana, which is compiled with that flag by default.

cat << EOF >> radius_server.config
driver=none
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=ca.pem
server_cert=server.pem
private_key=server.key
private_key_passwd=
radius_server_clients=hostapd.radius_clients
radius_server_auth_port=1812
logger_syslog=-1
logger_stdout=-1
logger_syslog_level=1
logger_stdout_level=1
EOF

Set Downstream Access Point

Now you may add your radius server to your EAP configuration on your AP. An OpenWRT example may be seen here: https://gist.github.com/Cablethief/9b75affb1d6f1a14fd989329b179cb87#file-zopenwrtconfig-png.

#!/bin/bash
# Defaults, each overridable from the command line (-p, -s, -f).
# NOTE: the default RADIUS shared secret is a well-known lab value; pass -p
# for anything that is not a throwaway test.
PASSWORD="P@ssw0rd"
# Subject used for the self-signed server certificate.
SUBJ="/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"
# Empty means "generate the default hostapd.eap_user file".
EAP_USER_FILE=""
# Print the two-line usage text for this script to stdout.
print_usage() {
  local self=$0
  printf '%s\n' \
    "Usage: sudo ${self} [-p <RADIUS Password to use>] [-s <Certificate Subject>] [-f <eap_user_file>]" \
    "Subject example -s '/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com'"
}
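# Parse command-line flags into the globals PASSWORD, SUBJ and EAP_USER_FILE.
# The leading ':' in the optstring makes getopts report a flag that is missing
# its argument through the ':' arm, so that arm is actually reachable (it was
# listed after the '*' catch-all before and could never run). Exits 1 on -h,
# on an unknown flag, or on a missing option argument.
parse_args() {
  local flag
  local OPTIND=1
  while getopts ':p:s:f:h' flag; do
    case "${flag}" in
      p) PASSWORD="${OPTARG}" ;;
      s) SUBJ="${OPTARG}" ;;
      f) EAP_USER_FILE="${OPTARG}" ;;
      h) print_usage; exit 1 ;;
      :) echo "${OPTARG} requires an argument" >&2; exit 1 ;;
      *) print_usage; exit 1 ;;
    esac
  done
}
parse_args "$@"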
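# EXIT-trap handler: remove the temporary working directory holding the
# private key, certificates and generated configs. Tolerates an unset or empty
# ${directory} (mktemp failed before the trap fired) instead of erroring on rm,
# and uses -f so a half-created directory does not leave the trap noisy.
# Globals read: directory. Always returns 0.
clean_up() {
  echo ""
  echo "Cleaning Temp Configs"
  if [[ -n "${directory:-}" && -d "${directory}" ]]; then
    rm -rf -- "${directory}"
  fi
  return 0
}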
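# Write the config files hostapd needs into ${directory}:
#   hostapd.radius_clients - allowed NAS clients and the shared secret
#   hostapd.eap_user       - EAP identities (only when -f was not given)
#   radius_server.config   - the hostapd RADIUS server configuration
# Globals read: directory, PASSWORD, EAP_USER_FILE. Sets EAP_USER_FILE when it
# generates the default user file. Files are written with '>' rather than '>>'
# so a rerun into the same directory cannot leave stale duplicate entries.
create_configs() {
  echo "Creating RADIUS Client File"
  # 0.0.0.0/0 accepts RADIUS requests from any source address that knows the
  # secret; narrow it to the access point's address/subnet once that is known.
  cat << EOF > "${directory}/hostapd.radius_clients"
0.0.0.0/0 ${PASSWORD}
EOF
  if [[ -z "${EAP_USER_FILE}" ]]; then
    echo "Creating EAP User File"
    # Default demo user file with a single fixed phase-2 account ("t" /
    # "1234test"). Supply a real user file with -f for anything beyond a
    # throwaway lab test.
    cat << EOF > "${directory}/hostapd.eap_user"
* PEAP,TTLS,TLS,MD5,GTC
"t" TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP "1234test" [2]
EOF
    EAP_USER_FILE="${directory}/hostapd.eap_user"
  fi
  echo "Creating Hostapd Config"
  # ca_cert points at the symlink create_certs makes to the self-signed
  # server cert, so the server cert is its own trust anchor.
  cat << EOF > "${directory}/radius_server.config"
driver=none
eap_server=1
eap_user_file=${EAP_USER_FILE}
ca_cert=${directory}/ca.pem
server_cert=${directory}/server.pem
private_key=${directory}/server.key
private_key_passwd=
radius_server_clients=${directory}/hostapd.radius_clients
radius_server_auth_port=1812
logger_syslog=-1
logger_stdout=-1
logger_syslog_level=1
logger_stdout_level=1
EOF
}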
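# Generate a 2048-bit RSA key and a self-signed X.509 certificate (365 days)
# in ${directory}, and expose the certificate as ca.pem as well, since the
# self-signed server cert doubles as the trust anchor. Globals read:
# directory, SUBJ. Returns non-zero on the first failing step: the script does
# not use set -e, so without this the config would later reference a missing
# key or cert. Calls openssl by name instead of $(which openssl), which
# expanded to an empty word when openssl was absent.
create_certs() {
  echo "Creating Certificates"
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found in PATH" >&2
    return 1
  fi
  openssl genrsa -out "${directory}/server.key" 2048 || return 1
  # Restrict the private key regardless of the umask openssl ran under.
  chmod 600 "${directory}/server.key" || return 1
  openssl req -new -sha256 -key "${directory}/server.key" \
    -out "${directory}/csr.csr" -subj "${SUBJ}" || return 1
  openssl req -x509 -sha256 -days 365 -key "${directory}/server.key" \
    -in "${directory}/csr.csr" -out "${directory}/server.pem" || return 1
  ln -s "${directory}/server.pem" "${directory}/ca.pem" || return 1
  return 0
}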
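echo "ctrl+c to trigger cleanup"
# INT/TERM are turned into a normal exit so the EXIT trap below also runs
# clean_up on ctrl+c. ERR is deliberately not trapped: it fires on a failing
# rm during cleanup.
trap "exit" INT TERM
trap "clean_up" EXIT
# Private working directory for key material (mktemp -d creates it mode 0700).
# Abort if it cannot be created instead of writing into an empty path.
directory=$(mktemp -d /tmp/create_radius.XXXXX) || { echo "mktemp failed" >&2; exit 1; }
# Each step exits (and so triggers clean_up) on failure; the script does not
# use set -e.
create_certs || exit 1
create_configs || exit 1
if ! command -v hostapd-mana >/dev/null 2>&1; then
  echo "hostapd-mana not found in PATH" >&2
  exit 1
fi
echo "Running Hostapd-mana as RADIUS server"
hostapd-mana "${directory}/radius_server.config"
wait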
#!/bin/bash
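# Refuse to continue unless running as root: ip, iptables, sysctl and dnsmasq
# below all need it. Exit non-zero so a calling script notices (a bare 'exit'
# here returned 0, i.e. "success", after doing nothing).
if (( EUID != 0 )); then
  echo "Please run as root" >&2
  exit 1
fi
# Interface names, filled in from -s (upstream) and -i (downstream).
internet=''
interface=''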
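# Print usage to stdout. $0 is passed as a printf argument rather than being
# embedded in the format string, so a '%' or '\' in the script path cannot
# corrupt the output.
print_usage() {
  printf 'Usage: sudo %s -i <interface to NAT (Downstream)> -s <interface with internet (Upstream)>\n' "$0"
}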
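# Parse -i (downstream interface) and -s (upstream interface) into the globals
# interface and internet, and require both. The leading ':' in the optstring
# makes the ':' arm reachable for a flag missing its argument (it was listed
# after the '*' catch-all before, so it never ran). Checking the two variables
# replaces the old "$# -ne 4" test, which accepted any four arguments even when
# neither interface was set, and bad usage now exits 1 instead of 0.
parse_args() {
  local flag
  local OPTIND=1
  while getopts ':s:i:h' flag; do
    case "${flag}" in
      i) interface="${OPTARG}" ;;
      s) internet="${OPTARG}" ;;
      h) print_usage; exit 1 ;;
      :) echo "${OPTARG} requires an argument" >&2; exit 1 ;;
      *) print_usage; exit 1 ;;
    esac
  done
  if [[ -z "${interface}" || -z "${internet}" ]]; then
    print_usage
    exit 1
  fi
}
parse_args "$@"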
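# EXIT-trap handler: undo what create_router set up. Globals read: interface,
# internet. The MASQUERADE rule is deleted on "${internet}", the interface it
# was added on, instead of the hard-coded wlp58s0, which left the NAT rule in
# place whenever a different upstream interface was used. net.ipv4.ip_forward
# is not reverted because its previous value is never recorded.
clean_up() {
  echo ""
  echo "Clearing Static IP address"
  ip addr flush dev "${interface}"
  echo "Clearing NAT IPTABLE rules"
  iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -D FORWARD -i "${interface}" -o "${internet}" -j ACCEPT
  iptables -t nat -D POSTROUTING -o "${internet}" -j MASQUERADE
  return
}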
# Bring up ${interface}, give it 192.168.55.1/24, enable IPv4 forwarding and
# add the NAT/forward rules so clients on ${interface} reach the internet via
# ${internet}. Globals read: interface, internet. Every step is attempted
# regardless of the previous step's result.
create_router() {
  local down=${interface}
  local up=${internet}
  echo "Setting Interface to up"
  ip link set dev "${down}" up
  echo "Giving interface static IP: 192.168.55.1"
  ip addr add 192.168.55.1/24 dev "${down}"
  echo "Enabling IP forwarding"
  sysctl net.ipv4.ip_forward=1
  echo "Enabling NAT IPTABLES to share internet"
  # Masquerade outbound traffic on the upstream interface, allow replies back,
  # and only forward downstream -> upstream.
  iptables -t nat -A POSTROUTING -o "${up}" -j MASQUERADE
  iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i "${down}" -o "${up}" -j ACCEPT
  return
}
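# Fail early, before any network state is changed, if the DHCP server is
# not installed.
if ! command -v dnsmasq >/dev/null 2>&1; then
  echo "dnsmasq not found in PATH" >&2
  exit 1
fi
echo "ctrl+c to trigger cleanup"
# Install the traps before touching the network so an interrupt during
# create_router still runs clean_up (previously they were set only after the
# address and rules were already in place). INT/TERM become a normal exit so
# the EXIT trap runs on ctrl+c. ERR is deliberately not trapped: it fires on
# a failing delete during cleanup.
trap "exit" INT TERM
trap "clean_up" EXIT
create_router
echo "Running Dnsmasq as a DHCP server"
dnsmasq -i "${interface}" --dhcp-range=192.168.55.50,192.168.55.150,12h --dhcp-option=option:router,192.168.55.1 -q -d
wait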