This setup lets you:
- SSH into the Pi directly (e.g. ssh pi@raspberrypi)
- Access things running on the Pi (e.g. a web server)
- Set up fun domains that only exist within the local network, and can route to your services running on the Pi
- Prevent any access to the internet, which can be useful if you are running the Pi as a tech demo, for teaching, etc.
This is a modified, shorter version of the procedure in the official Pi docs.
sudo apt install hostapd dnsmasq iptables-persistent
sudo systemctl unmask hostapd
sudo systemctl enable hostapd
The Raspberry Pi will act as the router and we give it the first IP address in the network: 192.168.4.1.
sudo nano /etc/dhcpcd.conf
/etc/dhcpcd.conf:
interface wlan0
static ip_address=192.168.4.1/24
nohook wpa_supplicant
The DHCP and DNS services are provided by dnsmasq. The default configuration file serves as a template for all possible configuration options, whereas we only need a few. It is easier to start from an empty file. Rename the default configuration file and create a new one:
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
sudo nano /etc/dnsmasq.conf
/etc/dnsmasq.conf:
interface=wlan0
dhcp-range=192.168.4.2,192.168.4.20,255.255.255.0,24h
domain=wlan
address=/raspberry.com/192.168.4.1
The Raspberry Pi will provision IP addresses between 192.168.4.2 and 192.168.4.20, with a lease time of 24 hours, to wireless DHCP clients. The address line makes dnsmasq resolve raspberry.com (and its subdomains) to the Pi. You can add more address lines for additional custom domains.
The following configuration creates a wireless network with an SSID of raspberrypi, with bands for Australia (AU), and no password (an open, unencrypted network). Modify this file as needed.
sudo nano /etc/hostapd/hostapd.conf
/etc/hostapd/hostapd.conf:
country_code=AU
interface=wlan0
ssid=raspberrypi
hw_mode=g
channel=7
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
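The configuration above has no wpa options, which is why the network has no password. As an added example (not part of the original guide), this script lints a hostapd.conf for that and shows the same file passing once WPA2 lines are appended; the function names and the sample passphrase are made up for the example, while wpa, wpa_passphrase, wpa_key_mgmt and rsn_pairwise are standard hostapd options.

```shell
#!/bin/sh
# Added example (not from the original page): lint a hostapd.conf for Wi-Fi encryption.

# conf_get FILE KEY: print the value of the last "KEY=value" line in FILE.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_hostapd FILE: print one finding per line; return 0 only for WPA2-PSK with CCMP.
audit_hostapd() {
    wpa=$(conf_get "$1" wpa)
    mgmt=$(conf_get "$1" wpa_key_mgmt)
    pair=$(conf_get "$1" rsn_pairwise)
    pass=$(conf_get "$1" wpa_passphrase)
    rc=0
    if [ -z "$wpa" ] || [ "$wpa" = 0 ]; then
        echo "OPEN: no WPA enabled; anyone in range can join and traffic is unencrypted"
        return 1
    fi
    [ "$wpa" = 2 ] || { echo "WEAK: wpa=$wpa also allows WPA1; set wpa=2"; rc=1; }
    [ "$mgmt" = WPA-PSK ] || { echo "CHECK: wpa_key_mgmt=$mgmt; expected WPA-PSK"; rc=1; }
    [ "$pair" = CCMP ] || { echo "WEAK: rsn_pairwise=$pair; set rsn_pairwise=CCMP"; rc=1; }
    if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "INVALID: wpa_passphrase must be 8 to 63 characters"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: WPA2-PSK with CCMP"; fi
    return "$rc"
}

# Constructed sample input: the page's open config, and a WPA2 variant of it.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/open.conf" <<'EOF'
country_code=AU
interface=wlan0
ssid=raspberrypi
hw_mode=g
channel=7
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
EOF
{ cat "$tmp/open.conf"
  printf '%s\n' 'wpa=2' 'wpa_passphrase=ConstructedExamplePassphrase' \
                'wpa_key_mgmt=WPA-PSK' 'rsn_pairwise=CCMP'; } > "$tmp/wpa2.conf"

audit_hostapd "$tmp/open.conf" || true
audit_hostapd "$tmp/wpa2.conf"
```

On the Pi, point it at the real file with audit_hostapd /etc/hostapd/hostapd.conf.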
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.4.1:3000
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
My web server is running on port 3000. The above iptables rules redirect traffic from port 80 to port 3000. Therefore, raspberry.com reaches the web server without having to include the port number.
To persist the iptables rules:
sudo sh -c "iptables-save > /etc/iptables/rules.v4"