Skip to content

Instantly share code, notes, and snippets.

@gtzilla gtzilla/README.md
Last active Feb 28, 2018

Embed
What would you like to do?
The Scripts/Config files to Create a Wireless Access Point with traffic tunneled through a socks5 proxy. Running Debian Stretch Proxmox VE 5. Uses hostapd running proxmox

Wireless Access Point

The is a collection of files that I used to create a Wireless access point that tunnels traffic through a socks5 proxy using tun2socks, hostapd, dnsmasq. This was done on a debian system, specifically Proxmox VE. The underlying hardware is an Intel Nuc. The wireless card currently only handles wireless G traffic. Testing "a" wireless resulted in the wireless interface not coming up. This could be merely user error. More information on setting hg_mode in hostapd.conf

This took approximately two days to setup corretly. The tutorials that address how-to create an access point, as well as how-to use tun2socks varied considerably. I was finally able to cobble together a working prototype that is able to tunnel traffic from my wireless access point through any SSH connection that can enable socks5 proxy.

This setup allows wireless device, such as Android, iPhone, iPad and other devices to get an external IP address of the SSH exit server. This isn't a guarantee against snooping. It merely allows TCP traffic to be passed from the Access point into a socks5 proxy.

Directions

Install all dependencies with install_support_libs.sh. Configure your ~/.ssh/config to make it very simple to call ssh myhost without needing to specify details like port, etc. See the sample ssh config below. Download the setup scripts into user home directory. You really only need setup_iptables_texas.sh which is a terrible name but pointed to one of my socks5 servers. Move hostapd.conf into /etc/hostapd/hostapd.conf. Move the dnsmasq.conf file to /etc/dnsmasq.conf be sure to update to the name of your interfaces. My interface for the wireless is wlp58s0.

Now that we have hostapd configured and dnsmasq setup. It's time to update the interfaces. On debian systems, be sure to set hostapd /etc/hostapd/hostapd.conf under your wireless interface.

It's possible to test that the access point is working, without having to worry about the complexity of the tun2socks transport layer. The setup_iptables.sh will route traffic from logical name wlp58s0 to vmbr0. Be sure to update this setup script if your interface names are different.

When you're sure that the wireless access point is working and your can get an ip address, in this case 192.168.5.9 and reach the open internet. I typically test with the website https://ifconfig.co

To route traffic from the Wireless access point to tun2socks, I found I needed the rules laid out in setup_iptables_texas.sh. I like this script, which is heavily borrowed from a forum noted below. I've added a few lines to handle starting a proxy on 127.0.0.1:8123 and then tearing it down after tun2socks is closed. This accompanies some nice cleanup for the routing tables. This results in the access point being able to switch between local gateway and socks5 and continue to get a valid ip address and reach the open internet.

Commands

  1. lshw -c network
  2. iw list

References

  1. https://github.com/ambrop72/badvpn/wiki/Tun2socks
  2. https://unix.stackexchange.com/questions/144562/redirect-all-packets-from-eth1-eth2-through-a-socks-proxy
  3. https://nims11.wordpress.com/2013/05/22/using-hostapd-with-dnsmasq-to-create-virtual-wifi-access-point-in-linux/
  4. https://help.ubuntu.com/community/WifiDocs/WirelessAccessPoint
  5. https://ifconfig.co/
  6. https://www.cyberciti.biz/faq/debian-ubuntu-linux-setting-wireless-access-point/
  7. https://michaelfranzl.com/2014/06/08/debian-linux-howto-briding-wlan-ethernet-access-point-infrastructure-mode-android-phones/
  8. https://wiki.gentoo.org/wiki/Hostapd
# wireless card is wlp58s0
# don't give anything else an ip address
# changes here appear to require restart to system
# location /etc/dnsqmasq.conf
no-resolv
interface=wlp58s0
except-interface=vmbr0
except-interface=eno1
except-interface=tun0
dhcp-range=192.168.5.3,192.168.5.14,12h
# dns addresses to send to the clients
server=8.8.8.8
server=8.8.4.4
# intel NUC running proxmox
# location: /etc/hostapd/hostapd.conf
interface=wlp58s0
country_code=US
driver=nl80211
channel=1
ssid=NETWORKSSIDHERE
wpa=2
wpa_passphrase=PASSPHRASE
## Key management algorithms ##
wpa_key_mgmt=WPA-PSK
# info
# https://superuser.com/questions/748455/how-to-setup-access-point-wifi-hotspot-on-debian
## Set cipher suites (encryption algorithms) ##
## TKIP = Temporal Key Integrity Protocol
## CCMP = AES in Counter mode with CBC-MAC
wpa_pairwise=CCMP
rsn_pairwise=CCMP
## Shared Key Authentication ##
auth_algs=1
## Accept all MAC address ###
macaddr_acl=0
hw_mode=g
# Change the broadcasted/multicasted keys after this many seconds.
wpa_group_rekey=600
# Change the master key after this many seconds. Master key is used as a basis
wpa_gmk_rekey=86400
apt install -y dnsmasq screen bridge-utils iw wireless-tools hostapd
# location: /etc/network/interfaces
# NOTE the /etc/hostapd/hostapd.conf is only linked from here. not in the daemon location
auto lo wlp58s0
iface lo inet loopback
iface tun0 inet static
address 192.168.4.1
netmark 255.255.0.0
iface wlp58s0 inet static
address 192.168.5.1
netmask 255.255.0.0
hostapd /etc/hostapd/hostapd.conf
auto vmbr0
iface vmbr0 inet static
address 192.168.1.9
netmask 255.255.255.0
gateway 192.168.1.1
bridge_ports eno1
bridge_stp off
bridge_fd 0
# this is ONLY for testing that the access point works
# not needed for actual tunnel
# proxmox uses virtual interface on the box vmbr0
# wireless on intel nuc wlp58s0
# location ~/
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface vmbr0 -j MASQUERADE
iptables --append FORWARD --in-interface wlp58s0 -j ACCEPT
#!/bin/bash
# this file actually sets up routing from our WAP to the tunnel using tun2socks
# run screen then run this program!! prob have to restart if this needs changes.
# system is VERY fickle
# tvdoor.remote is defined in our ~/.ssh/config
# location ~/
socks_server=127.0.0.1:8123
ssh -D 8123 -f -C -q -N tvdoor.remote
id="$RANDOM"
tun="tun0"
ip tuntap add dev $tun mode tun
ip link set $tun up
ip addr add 192.168.4.1/30 dev $tun
sysctl -w net.ipv4.conf.$tun.forwarding=1
ip rule add fwmark $id lookup $id
ip route add default via 192.168.4.2 table $id
iptables -t mangle -I PREROUTING -i wlp58s0 -p tcp -j MARK --set-mark $id
# if need another interface routed
#iptables -t mangle -I PREROUTING -i eth2 -p tcp -j MARK --set-mark $id
badvpn-tun2socks --tundev $tun --netif-ipaddr 192.168.4.2 --netif-netmask 255.255.0.0 --socks-server-addr $socks_server
iptables -t mangle -D PREROUTING -i wlp58s0 -p tcp -j MARK --set-mark $id
ip route del default via 192.168.4.2 table $id
ip rule del from fwmark $id lookup $id
ip tuntap del dev $tun mode tun
ps -ef | grep ssh | grep tvdoor | grep -v grep | awk '{print $2}' | xargs kill -9
# append to ~/.ssh/config
Host tvdoor.remote
HostName somehostthatiown.com
Port 9011
User ssh_user
ForwardAgent yes
IdentityFile ~/.ssh/id_rsa
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.