chrisob/hostapd.conf

## hostapd.conf
interface=wlan0
driver=rtl871xdrv

logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2

ctrl_interface=/var/run/hostapd
ctrl_interface_group=0

ssid=Bridged AP
wpa_passphrase=mywpapassphrasehere

hw_mode=g
channel=1

beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=0
auth_algs=3
ignore_broadcast_ssid=0

wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0

eapol_key_index_workaround=0
eap_server=0

own_ip_addr=127.0.0.1
wpa=2
wpa_key_mgmt=WPA-PSK WPA-EAP WPA-PSK-SHA256 WPA-EAP-SHA256

## wlan-bridge.sh
#!/bin/bash

# This script enables a secure layer 3 tunnel to be bridged with a wlan AP:
#
# 1. Establish a level 3 (TAP) tunnel from your local host to a remote server via SSH (tap0)
# 2. Establish a wlan AP via a local wifi enabled device (wlan0)
# 3. Bridge these two devices on the local host, so your wlan uses the remote server as a gateway
# 4. Configure the appropriate addresses, routes, firewall rules, and DNS servers
#
# Initial required setup:
#
# On all hosts:
#    -root access
#    -iptables and iproute installed
#
# On the remote SSH host:
#    -At least OpenSSH server 4.3
#    -Your SSH public key is in /root/.ssh/authorized_keys
#    -"PermitRootLogin yes" is in /etc/ssh/sshd_config
#    -"PermitTunnel yes" is in /etc/ssh/sshd_config
#
# On the local host:
#    -At least OpenSSH client 4.3
#    -The bridge kernel module loaded
#    -dnsmasq is installed
#    -hostapd is installed, note: I had to compile a patched version for Realtek devices, please see:
#        -http://github.com/pritambaral/hostapd-rtl871xdrv
#        -http://w1.fi/hostap.git
#    -hostapd configuration file with AP config
#    -drivers for your wlan device (you should have a NIC named wlan0)
#        -http://github.com/dz0ny/rt8192cu
#
#
# Interfaces:
#    tap0 - Level 3 (ethernet) tunnel between local host and remote host (both called tap0)
#    wlan0 - Local wlan NIC
#    br0 - Local bridge NIC bridging tap0 and usb0
#
# Limitations:
#    Only tested with CentOS-6 for both the remote and local hosts.


REMOTE_SSH_IP=1.2.3.4
REMOTE_SSH_PORT=22
SSH_KEY=/root/.ssh/id_rsa
SSH_SOCK=/var/run/ssh_tunnel.sock
SSH_PROXY_COMMAND="none"
SSH_SOCKS_PROXY_PORT=12345

BRIDGE_SUBNET=10.123.123.0
PREFIX=24
REMOTE_GATEWAY=10.123.123.1
LOCAL_BRIDGE_IP=10.123.123.2
DHCP_FROM=10.123.123.3
DHCP_TO=10.123.123.5
DNS1=8.8.8.8
DNS2=8.8.4.4

HOSTAPD='/usr/local/src/hostap/hostapd/hostapd'
HOSTAPD_PID='/var/run/hostapd.pid'
HOSTAPD_CONFIG='/etc/hostapd/hostapd.conf'

DNSMASQ_PID='/var/run/dnsmasq.pid'


REMOTE_UP="
ip addr flush dev tap0
ip addr add ${REMOTE_GATEWAY}/${PREFIX} dev tap0
ip link set tap0 up
iptables -t filter -I FORWARD 1 -i tap0 -s ${BRIDGE_SUBNET}/${PREFIX} -j ACCEPT
iptables -t filter -I INPUT 1 -i tap0 -s ${BRIDGE_SUBNET}/${PREFIX} -j ACCEPT
iptables -t nat -I POSTROUTING 1 -o eth0 -s ${BRIDGE_SUBNET}/${PREFIX} -j MASQUERADE
"

REMOTE_DOWN="
iptables -t filter -D FORWARD -i tap0 -s ${BRIDGE_SUBNET}/${PREFIX} -j ACCEPT
iptables -t filter -D INPUT -i tap0 -s ${BRIDGE_SUBNET}/${PREFIX} -j ACCEPT
iptables -t nat -D POSTROUTING -o eth0 -s ${BRIDGE_SUBNET}/${PREFIX} -j MASQUERADE
"

function usage {
   echo -e "Usage:\n$0 {up|down}\n"
}

echo
if [ "$1" == "up" ]; then

    echo Checking if local tap0 exists...
    ip addr show tap0 &> /dev/null
    if [ $? -ne 0 ]; then
        echo Creating local and remote tap0...
        ssh -f root@"${REMOTE_SSH_IP}" \
            -o "Port ${REMOTE_SSH_PORT}" \
            -o "IdentityFile ${SSH_KEY}" \
            -o "ProxyCommand ${SSH_PROXY_COMMAND}" \
            -o "AddressFamily inet" \
            -o "DynamicForward 0.0.0.0:${SSH_SOCKS_PROXY_PORT}" \
            -o "Tunnel ethernet" \
            -o "TunnelDevice 0:0" \
            -o "ExitOnForwardFailure yes" \
            -o "ServerAliveInterval 60" \
            -o "UserKnownHostsFile /dev/null" \
            -o "StrictHostKeyChecking no" \
            -o "ControlMaster yes" \
            -o "ControlPath ${SSH_SOCK}" \
            "${REMOTE_UP}"
    fi

    echo Configuring local br0...
    brctl addbr br0
    brctl addif br0 tap0
    brctl addif br0 wlan0
    ip addr flush dev br0
    ip addr add "${LOCAL_BRIDGE_IP}/${PREFIX}" dev br0

    echo Enabling local br0...
    ip link set br0 up
    echo Enabling local tap0...
    ip link set tap0 up

    echo Starting local dnsmasq...
    dnsmasq --no-hosts --no-poll --pid-file=${DNSMASQ_PID} --interface=br0 --bogus-priv --filterwin2k --no-resolv --server=${DNS1} --server=${DNS2} --cache-size=1000 --dhcp-option=3,${REMOTE_GATEWAY} --dhcp-option=6,${DNS1} --dhcp-range=${DHCP_FROM},${DHCP_TO} --dhcp-lease-max=253 --dhcp-authoritative --dhcp-leasefile=/tmp/dnsmasq.leases < /dev/null

    echo Starting local hostapd...
    "${HOSTAPD}" -B -P "${HOSTAPD_PID}" "${HOSTAPD_CONFIG}" > /dev/null

    echo Enabling packet forwarding...
    sysctl -w net.ipv4.ip_forward=1 > /dev/null

    echo Creating local iptables rules...
    # For DHCP assignment
    iptables -t filter -I INPUT 1 -i br0 -d 255.255.255.255 -j ACCEPT
    # Allow packet forwarding out to remote server
    iptables -t filter -I FORWARD 1 -i br0 -s ${BRIDGE_SUBNET}/${PREFIX} -j ACCEPT
    # Allow usage of socks proxy
    iptables -t filter -I INPUT 1 -m state --state NEW -m tcp -p tcp --dport ${SSH_SOCKS_PROXY_PORT} -j ACCEPT

elif [ "$1" == "down" ]; then

    echo Checking if local tap0 exists...
    ip addr show tap0 &> /dev/null
    if [ $? -eq 0 ]; then
        echo Disabling local and remote tap0...
        ssh -S "${SSH_SOCK}" -O exit does-not-matter-what-goes-here-blaahh &> /dev/null

        echo Removing remote iptables rules...
        ssh root@"${REMOTE_SSH_IP}" \
            -o "Port ${REMOTE_SSH_PORT}" \
            -o "IdentityFile ${SSH_KEY}" \
            -o "ProxyCommand ${SSH_PROXY_COMMAND}" \
            -o "UserKnownHostsFile /dev/null" \
            -o "StrictHostKeyChecking no" \
            "${REMOTE_DOWN}"
    fi

    echo Stopping local dnsmasq...
    kill $(cat "${DNSMASQ_PID}") > /dev/null
    # dnsmasq doesn't automatically clean up its own pid file...
    rm -f "${DNSMASQ_PID}"

    echo Stopping local hostapd...
    kill $(cat "${HOSTAPD_PID}") > /dev/null

    echo Disabling local br0...
    ip link set br0 down
    ip link set wlan0 down
    brctl delbr br0

    echo Disabling packet forwarding...
    sysctl -w net.ipv4.ip_forward=0 > /dev/null

    echo Removing local iptables rules...
    iptables -t filter -D INPUT -i br0 -d 255.255.255.255 -j ACCEPT
    iptables -t filter -D FORWARD -i br0 -s "${BRIDGE_SUBNET}/${PREFIX}" -j ACCEPT
    iptables -t filter -D INPUT -m state --state NEW -m tcp -p tcp --dport ${SSH_SOCKS_PROXY_PORT} -j ACCEPT


else
   usage
   exit 1
fi
echo "Done!"
	interface=wlan0
	driver=rtl871xdrv

	logger_syslog=-1
	logger_syslog_level=2
	logger_stdout=-1
	logger_stdout_level=2

	ctrl_interface=/var/run/hostapd
	ctrl_interface_group=0

	ssid=Bridged AP
	wpa_passphrase=mywpapassphrasehere

	hw_mode=g
	channel=1

	beacon_int=100
	dtim_period=2
	max_num_sta=255
	rts_threshold=2347
	fragm_threshold=2346
	macaddr_acl=0
	auth_algs=3
	ignore_broadcast_ssid=0

	wmm_enabled=1
	wmm_ac_bk_cwmin=4
	wmm_ac_bk_cwmax=10
	wmm_ac_bk_aifs=7
	wmm_ac_bk_txop_limit=0
	wmm_ac_bk_acm=0
	wmm_ac_be_aifs=3
	wmm_ac_be_cwmin=4
	wmm_ac_be_cwmax=10
	wmm_ac_be_txop_limit=0
	wmm_ac_be_acm=0
	wmm_ac_vi_aifs=2
	wmm_ac_vi_cwmin=3
	wmm_ac_vi_cwmax=4
	wmm_ac_vi_txop_limit=94
	wmm_ac_vi_acm=0
	wmm_ac_vo_aifs=2
	wmm_ac_vo_cwmin=2
	wmm_ac_vo_cwmax=3
	wmm_ac_vo_txop_limit=47
	wmm_ac_vo_acm=0

	eapol_key_index_workaround=0
	eap_server=0

	own_ip_addr=127.0.0.1
	wpa=2
	wpa_key_mgmt=WPA-PSK WPA-EAP WPA-PSK-SHA256 WPA-EAP-SHA256
	#!/bin/bash

	# This script enables a secure layer 3 tunnel to be bridged with a wlan AP:
	#
	# 1. Establish a level 3 (TAP) tunnel from your local host to a remote server via SSH (tap0)
	# 2. Establish a wlan AP via a local wifi enabled device (wlan0)
	# 3. Bridge these two devices on the local host, so your wlan uses the remote server as a gateway
	# 4. Configure the appropriate addresses, routes, firewall rules, and DNS servers
	#
	# Initial required setup:
	#
	# On all hosts:
	# -root access
	# -iptables and iproute installed
	#
	# On the remote SSH host:
	# -At least OpenSSH server 4.3
	# -Your SSH public key is in /root/.ssh/authorized_keys
	# -"PermitRootLogin yes" is in /etc/ssh/sshd_config
	# -"PermitTunnel yes" is in /etc/ssh/sshd_config
	#
	# On the local host:
	# -At least OpenSSH client 4.3
	# -The bridge kernel module loaded
	# -dnsmasq is installed
	# -hostapd is installed, note: I had to compile a patched version for Realtek devices, please see:
	# -http://github.com/pritambaral/hostapd-rtl871xdrv
	# -http://w1.fi/hostap.git
	# -hostapd configuration file with AP config
	# -drivers for your wlan device (you should have a NIC named wlan0)
	# -http://github.com/dz0ny/rt8192cu
	#
	#
	# Interfaces:
	# tap0 - Level 3 (ethernet) tunnel between local host and remote host (both called tap0)
	# wlan0 - Local wlan NIC
	# br0 - Local bridge NIC bridging tap0 and usb0
	#
	# Limitations:
	# Only tested with CentOS-6 for both the remote and local hosts.


	REMOTE_SSH_IP=1.2.3.4
	REMOTE_SSH_PORT=22
	SSH_KEY=/root/.ssh/id_rsa
	SSH_SOCK=/var/run/ssh_tunnel.sock
	SSH_PROXY_COMMAND="none"
	SSH_SOCKS_PROXY_PORT=12345

	BRIDGE_SUBNET=10.123.123.0
	PREFIX=24
	REMOTE_GATEWAY=10.123.123.1
	LOCAL_BRIDGE_IP=10.123.123.2
	DHCP_FROM=10.123.123.3
	DHCP_TO=10.123.123.5
	DNS1=8.8.8.8
	DNS2=8.8.4.4

	HOSTAPD='/usr/local/src/hostap/hostapd/hostapd'
	HOSTAPD_PID='/var/run/hostapd.pid'
	HOSTAPD_CONFIG='/etc/hostapd/hostapd.conf'

	DNSMASQ_PID='/var/run/dnsmasq.pid'


	REMOTE_UP="
	ip addr flush dev tap0
	ip addr add ${REMOTE_GATEWAY}/${PREFIX} dev tap0
	ip link set tap0 up
	iptables -t filter -I FORWARD 1 -i tap0 -s ${BRIDGE_SUBNET}/${PREFIX} -j ACCEPT
	iptables -t filter -I INPUT 1 -i tap0 -s ${BRIDGE_SUBNET}/${PREFIX} -j ACCEPT
	iptables -t nat -I POSTROUTING 1 -o eth0 -s ${BRIDGE_SUBNET}/${PREFIX} -j MASQUERADE
	"

	REMOTE_DOWN="
	iptables -t filter -D FORWARD -i tap0 -s ${BRIDGE_SUBNET}/${PREFIX} -j ACCEPT
	iptables -t filter -D INPUT -i tap0 -s ${BRIDGE_SUBNET}/${PREFIX} -j ACCEPT
	iptables -t nat -D POSTROUTING -o eth0 -s ${BRIDGE_SUBNET}/${PREFIX} -j MASQUERADE
	"

	function usage {
	echo -e "Usage:\n$0 {up\|down}\n"
	}

	echo
	if [ "$1" == "up" ]; then

	echo Checking if local tap0 exists...
	ip addr show tap0 &> /dev/null
	if [ $? -ne 0 ]; then
	echo Creating local and remote tap0...
	ssh -f root@"${REMOTE_SSH_IP}" \
	-o "Port ${REMOTE_SSH_PORT}" \
	-o "IdentityFile ${SSH_KEY}" \
	-o "ProxyCommand ${SSH_PROXY_COMMAND}" \
	-o "AddressFamily inet" \
	-o "DynamicForward 0.0.0.0:${SSH_SOCKS_PROXY_PORT}" \
	-o "Tunnel ethernet" \
	-o "TunnelDevice 0:0" \
	-o "ExitOnForwardFailure yes" \
	-o "ServerAliveInterval 60" \
	-o "UserKnownHostsFile /dev/null" \
	-o "StrictHostKeyChecking no" \
	-o "ControlMaster yes" \
	-o "ControlPath ${SSH_SOCK}" \
	"${REMOTE_UP}"
	fi

	echo Configuring local br0...
	brctl addbr br0
	brctl addif br0 tap0
	brctl addif br0 wlan0
	ip addr flush dev br0
	ip addr add "${LOCAL_BRIDGE_IP}/${PREFIX}" dev br0

	echo Enabling local br0...
	ip link set br0 up
	echo Enabling local tap0...
	ip link set tap0 up

	echo Starting local dnsmasq...
	dnsmasq --no-hosts --no-poll --pid-file=${DNSMASQ_PID} --interface=br0 --bogus-priv --filterwin2k --no-resolv --server=${DNS1} --server=${DNS2} --cache-size=1000 --dhcp-option=3,${REMOTE_GATEWAY} --dhcp-option=6,${DNS1} --dhcp-range=${DHCP_FROM},${DHCP_TO} --dhcp-lease-max=253 --dhcp-authoritative --dhcp-leasefile=/tmp/dnsmasq.leases < /dev/null

	echo Starting local hostapd...
	"${HOSTAPD}" -B -P "${HOSTAPD_PID}" "${HOSTAPD_CONFIG}" > /dev/null

	echo Enabling packet forwarding...
	sysctl -w net.ipv4.ip_forward=1 > /dev/null

	echo Creating local iptables rules...
	# For DHCP assignment
	iptables -t filter -I INPUT 1 -i br0 -d 255.255.255.255 -j ACCEPT
	# Allow packet forwarding out to remote server
	iptables -t filter -I FORWARD 1 -i br0 -s ${BRIDGE_SUBNET}/${PREFIX} -j ACCEPT
	# Allow usage of socks proxy
	iptables -t filter -I INPUT 1 -m state --state NEW -m tcp -p tcp --dport ${SSH_SOCKS_PROXY_PORT} -j ACCEPT

	elif [ "$1" == "down" ]; then

	echo Checking if local tap0 exists...
	ip addr show tap0 &> /dev/null
	if [ $? -eq 0 ]; then
	echo Disabling local and remote tap0...
	ssh -S "${SSH_SOCK}" -O exit does-not-matter-what-goes-here-blaahh &> /dev/null

	echo Removing remote iptables rules...
	ssh root@"${REMOTE_SSH_IP}" \
	-o "Port ${REMOTE_SSH_PORT}" \
	-o "IdentityFile ${SSH_KEY}" \
	-o "ProxyCommand ${SSH_PROXY_COMMAND}" \
	-o "UserKnownHostsFile /dev/null" \
	-o "StrictHostKeyChecking no" \
	"${REMOTE_DOWN}"
	fi

	echo Stopping local dnsmasq...
	kill $(cat "${DNSMASQ_PID}") > /dev/null
	# dnsmasq doesn't automatically clean up its own pid file...
	rm -f "${DNSMASQ_PID}"

	echo Stopping local hostapd...
	kill $(cat "${HOSTAPD_PID}") > /dev/null

	echo Disabling local br0...
	ip link set br0 down
	ip link set wlan0 down
	brctl delbr br0

	echo Disabling packet forwarding...
	sysctl -w net.ipv4.ip_forward=0 > /dev/null

	echo Removing local iptables rules...
	iptables -t filter -D INPUT -i br0 -d 255.255.255.255 -j ACCEPT
	iptables -t filter -D FORWARD -i br0 -s "${BRIDGE_SUBNET}/${PREFIX}" -j ACCEPT
	iptables -t filter -D INPUT -m state --state NEW -m tcp -p tcp --dport ${SSH_SOCKS_PROXY_PORT} -j ACCEPT


	else
	usage
	exit 1
	fi
	echo "Done!"