Last active
June 8, 2024 20:01
Create Hotspot on RaspiOS Bullseye
#!/bin/bash
#
# Sets up a Wi-Fi hotspot on wlan0 (hostapd + dnsmasq) with traffic
# forwarded out through eth0.
#
# Usage:
#   chmod +x ./create-hotspot.sh
#   sudo ./create-hotspot.sh <ssid> <pass> [--usetor]

# Abort on the first command that returns a non-zero status.
set -e

# --help as the first argument prints the usage text and stops.
case "$1" in
  --help)
    printf '%s\n' \
      "Usage:" \
      "chmod +x ./create-hotspot.sh" \
      "sudo ./create-hotspot.sh <ssid> <pass> [--usetor]"
    exit 0
    ;;
esac

# Everything below edits files under /etc and manages services, so the
# script refuses to continue unless it runs as root.
if (( EUID != 0 )); then
  echo "Please run with sudo"
  exit 1
fi

# An existing hostapd config is taken as the sign of a previous run. The
# later steps append to system config files, so a second run would
# duplicate those entries.
if [[ -f /etc/hostapd/hostapd.conf ]]; then
  echo "This script cannot be run more than once"
  exit 1
fi
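# Set default values:
DEFAULT_SSID="RPiHotSpot"
DEFAULT_PASS="1234567890"
USE_TOR=false

#######################################
# Checks that a value is usable as the ssid= line of hostapd.conf.
# Arguments: $1 - candidate SSID
# Returns:   0 if non-empty, at most 32 bytes, and free of control
#            characters; 1 otherwise
#######################################
_hotspot_valid_ssid() {
  local ssid=$1
  # hostapd.conf is line-oriented: a newline inside the value would start
  # a new directive of the caller's choosing.
  [[ -n "$ssid" && "$ssid" != *[[:cntrl:]]* ]] || return 1
  # The 802.11 limit is 32 octets, so measure bytes rather than characters.
  local LC_ALL=C
  (( ${#ssid} <= 32 ))
}

#######################################
# Checks that a value is usable as the wpa_passphrase= line of hostapd.conf.
# Arguments: $1 - candidate passphrase
# Returns:   0 if 8..63 bytes long and free of control characters;
#            1 otherwise
#######################################
_hotspot_valid_passphrase() {
  local pass=$1
  [[ "$pass" != *[[:cntrl:]]* ]] || return 1
  local LC_ALL=C
  (( ${#pass} >= 8 && ${#pass} <= 63 ))
}

# If params provided, use those (an empty argument also falls back to the
# default):
SSID="${1:-$DEFAULT_SSID}"
PASS="${2:-$DEFAULT_PASS}"
if [[ "${3:-}" == "--usetor" ]]; then
  USE_TOR=true
fi

# Reject values hostapd would refuse (or that would smuggle extra lines
# into its config) before any system file is touched. A failure after
# hostapd.conf has been written cannot be retried by re-running this script.
if ! _hotspot_valid_ssid "$SSID"; then
  echo "Invalid SSID: must be 1-32 bytes with no control characters" >&2
  exit 1
fi
if ! _hotspot_valid_passphrase "$PASS"; then
  echo "Invalid passphrase: WPA2-PSK needs 8-63 characters with no control characters" >&2
  exit 1
fi

# The fallback passphrase is published together with this script, so a
# hotspot that uses it is effectively an open network.
if [[ "$PASS" == "$DEFAULT_PASS" ]]; then
  echo "Warning: using the built-in default passphrase; pass your own as the second argument" >&2
fi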
# Install required packages:
required_packages=(hostapd dnsmasq iptables-persistent)
apt-get update
apt-get install -y "${required_packages[@]}"

# Stop them before configuring. Under `set -e` a failed stop ends the
# script at that service.
for service in hostapd dnsmasq; do
  systemctl stop "$service"
done
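# Configure hostapd:
# The file stores the WPA passphrase in clear text. Create it empty with
# mode 600 first, so it is never readable by other local users, then fill
# it in (the redirection truncates the file but keeps its mode).
install -m 600 /dev/null /etc/hostapd/hostapd.conf
cat <<EOF1 > /etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
ssid=$SSID
hw_mode=g
channel=6
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=$PASS
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
EOF1

# Unmask and enable hostapd so it starts at boot:
systemctl unmask hostapd
systemctl enable hostapd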
# Configure dnsmasq: serve DHCP on wlan0 only, leasing .150-.200 for 12h.
# The lines are appended, so whatever the file already holds stays in effect.
printf '%s\n' \
  'interface=wlan0' \
  'bind-dynamic' \
  'domain-needed' \
  'bogus-priv' \
  'dhcp-range=192.168.50.150,192.168.50.200,255.255.255.0,12h' \
  >> /etc/dnsmasq.conf

# Configure dhcpcd: give wlan0 a static address and keep wpa_supplicant
# off that interface.
printf '%s\n' \
  'interface wlan0' \
  'nohook wpa_supplicant' \
  'static ip_address=192.168.50.10/24' \
  'static routers=192.168.50.1' \
  'static domain_name_servers=8.8.8.8' \
  >> /etc/dhcpcd.conf

# Uncomment the line net.ipv4.ip_forward=1 in /etc/sysctl.conf.
# If the commented-out line is not there, sed changes nothing and still
# exits 0, so forwarding stays off without any error.
sed -i 's|^#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
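# Create nftable directory if it doesn't exist
mkdir -p /etc/nftable

# Create nftable rule:
# The file is pulled into /etc/nftables.conf by the include added below, so
# it must reset only its own table. A `flush ruleset` here would discard
# every table loaded before the include, including any input filtering the
# administrator keeps in nftables.conf. Declaring the table and then
# deleting it keeps a reload idempotent.
# No execute bit is set on the file: nft reads it as an include.
cat <<'EOF4' > /etc/nftable/nft-stat-ap.nft
table inet ap
delete table inet ap

table inet ap {
  chain routethrough {
    type nat hook postrouting priority filter; policy accept;
    oifname "eth0" masquerade
  }
  chain fward {
    type filter hook forward priority filter; policy accept;
    iifname "eth0" oifname "wlan0" ct state established,related accept
    iifname "wlan0" oifname "eth0" accept
  }
}
EOF4

# Include the nftable rule in nftables.conf
cat <<'EOF5' >> /etc/nftables.conf
include "/etc/nftable/nft-stat-ap.nft"
EOF5

# Enable nftables service so the ruleset is loaded at boot
systemctl enable nftables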
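# Set up iptables rules for routing traffic through Tor if --usetor is specified
#
# NOTE(review): these rules do not produce a Tor-routed hotspot on their own.
#   - Port 9050 is Tor's default SOCKS port. REDIRECT hands it raw HTTP/TLS
#     connections, which a SOCKS listener cannot service. Transparent
#     proxying needs a Tor TransPort listening on the wlan0 address.
#   - Only TCP 80 and 443 are redirected. DNS lookups and every other port
#     leave directly through eth0 via the FORWARD/MASQUERADE rules.
#   - `iptables -F` and `iptables -t nat -F` drop whatever rules were in
#     place before.
#   - Presumably these rules share the kernel ruleset with nftables on this
#     OS, so an nftables `flush ruleset` at boot may discard them. Verify
#     the service ordering.
if [ "$USE_TOR" = true ]; then
  # Nothing in this script installs or configures Tor. Say so instead of
  # leaving the user believing the hotspot is anonymised.
  if ! command -v tor >/dev/null 2>&1; then
    echo "Warning: --usetor given but tor is not installed; web traffic from the hotspot will be redirected to a port nothing listens on" >&2
  fi
  echo "Warning: only TCP ports 80 and 443 are redirected; DNS and all other hotspot traffic is forwarded directly via eth0" >&2

  iptables -F
  iptables -t nat -F
  iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-ports 9050
  iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 443 -j REDIRECT --to-ports 9050
  iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  # Save iptables rules so iptables-persistent restores them at boot
  netfilter-persistent save
fi

echo "Hotspot setup is complete. Please reboot the system."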