Wide area Wi-Fi coverage

Introduction

This HOWTO requires proficiency in OpenVPN-based Virtual Private Networks (cf. vpn.server.openvpn.tap/vpn.client.openvpn.tun and vpn.server.openvpn.tap/vpn.client.openvpn.tap), networking configuration on RHEL/CentOS, and Shorewall (cf. shorewall-on-openwrt).

In the proposed scenario a large area must be covered with Wi-Fi, and no single Access Point can provide that kind of reach. Three different Wi-Fi networks are configured for different access levels. Traffic from these networks is isolated and controlled by a central Linux box running Shorewall. A wired Ethernet backbone carries the traffic from the Access Points (three in this example). The encapsulation protocol for the different networks' traffic is OpenVPN with no cipher (encryption can be enabled with a one-line 'cipher' statement on both ends if required). The author has successfully done a similar setup using 802.1Q (VLAN) encapsulation. L2TP is another reasonable alternative for traffic encapsulation (cf. network.interfaces).

The following is a simplified scheme of the network structure of the solution described here:

Configuration files are provided, but nothing prevents the much easier configuration through the LuCI web interface.

Access Point Configuration

  • Flash OpenWrt Attitude Adjustment on your router (I've used the venerable TP-Link TL-WR1043ND)
  • Connect it to the Internet and run "opkg install openvpn" from the console
  • Set up hostname, date, timezone and password as you wish
  • Configure the networks (/etc/config/network); plan your addressing based on the previous diagram
    
    config interface 'loopback'
            option ifname 'lo'
            option proto 'static'
            option ipaddr '127.0.0.1'
            option netmask '255.0.0.0'

    config interface 'lan'
            option ifname 'eth0.1'
            option type 'bridge'
            option proto 'static'
            option netmask '255.255.255.0'
            option ipaddr '192.168.1.3'
            option dns '192.168.1.2'
            option gateway '192.168.1.2'

    config switch
            option name 'rtl8366rb'
            option reset '1'
            option enable_vlan '1'
            option enable_vlan4k '1'

    config switch_vlan
            option device 'rtl8366rb'
            option vlan '1'
            option ports '0 1 2 3 4 5t'

    config interface 'workers'
            option type 'bridge'
            option ifname 'tapWorkers'
            option _orig_ifname 'tapWorkers wlan0-1'
            option _orig_bridge 'true'
            option proto 'static'
            option ipaddr '192.168.2.2'
            option netmask '255.255.255.0'

    config interface 'guests'
            option type 'bridge'
            option proto 'static'
            option ifname 'tapGuests'
            option ipaddr '192.168.3.2'
            option netmask '255.255.255.0'

    
  • Configure wireless (/etc/config/wireless). The 'Access' network is not tunneled and goes to raw Ethernet; 'guests' goes to the insecure network and 'workers' to the secure network. Put in your own SSIDs, MAC address and PSKs.
    config wifi-device 'radio0'
            option type 'mac80211'
            option macaddr '54:e6:fc:fb:a7:10'
            option hwmode '11ng'
            option htmode 'HT20'
            list ht_capab 'SHORT-GI-40'
            list ht_capab 'DSSS_CCK-40'
            option channel '6'
            option txpower '27'
            option country 'US'
            option distance '15'
    
    config wifi-iface
            option device 'radio0'
            option network 'lan'
            option mode 'ap'
            option encryption 'psk2'
            option key 'secretisssimo'
            option ssid 'SuperCompany (Access)'
    
    config wifi-iface
            option device 'radio0'
            option mode 'ap'
            option encryption 'psk2'
            option network 'workers'
            option key '123supersecret'
            option ssid 'SuperCompany (Workers)'
    
    config wifi-iface
            option device 'radio0'
            option mode 'ap'
            option encryption 'psk2'
            option ssid 'SuperCompany (Guests)'
            option network 'guests'
            option key 'welcomeguests'
    
    
    
  • Disable DHCP (/etc/config/dhcp). The Linux box is the global DHCP server here.
    config dnsmasq
            option domainneeded '1'
            option boguspriv '1'
            option filterwin2k '0'
            option localise_queries '1'
            option rebind_protection '1'
            option rebind_localhost '1'
            option local '/lan/'
            option domain 'lan'
            option expandhosts '1'
            option nonegcache '0'
            option authoritative '1'
            option readethers '1'
            option leasefile '/tmp/dhcp.leases'
            option resolvfile '/tmp/resolv.conf.auto'
    
    config dhcp 'lan'
            option interface 'lan'
            option ignore '1'
    
  • Disable the firewall (/etc/config/firewall). There is no reason to filter traffic on the Access Point.
    config defaults
            option input 'ACCEPT'
            option output 'ACCEPT'
            option forward 'ACCEPT'
    
    config include
            option path '/etc/firewall.user'
    
  • Configure OpenVPN (/etc/config/openvpn). Upload your keys (you need to generate them on the Linux box using the easy-rsa scripts).
    package openvpn
    
    config openvpn confWorkers
    
            option enabled 1
            option client 1
    
            option dev tapWorkers
            list remote "192.168.1.2 1194"
            option lport 1194
            option proto udp
            option resolv_retry infinite
    
            option ca /etc/openvpn/ca.crt
            option cert /etc/openvpn/ap01.supercompany.tld.crt
            option key /etc/openvpn/ap01.supercompany.tld.key
            option cipher none
    
            option verb 3
            option mute 20
    
    config openvpn confGuests
    
            option enabled 1
            option client 1
    
            option dev tapGuests
            list remote "192.168.1.2 1195"
            option lport 1195
            option proto udp
            option resolv_retry infinite
    
            option ca /etc/openvpn/ca.crt
            option cert /etc/openvpn/ap01.supercompany.tld.crt
            option key /etc/openvpn/ap01.supercompany.tld.key
            option cipher none
    
            option verb 3
            option mute 20
    

Repeat all these steps for ap02 and ap03. Remember to change the IP address, MAC address and OpenVPN keys for each Access Point! Set each AP to a different channel to prevent interference!
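When the same files are edited three times by hand, the tap name in /etc/config/openvpn and the bridge member in /etc/config/network, or a wifi-iface's 'network' and the interface it names, drift apart easily. This added check (not part of the HOWTO) cross-references the three UCI files; the sample files are constructed inline and trimmed to the options the check reads.

```shell
# Added example, not from the HOWTO: verify that every OpenVPN tap device is a
# member of a network and every wifi-iface attaches to a network that exists.
# uci_values FILE KEY: print the value of every "option KEY" line, quotes stripped
uci_values() {
    awk -v k="$2" '$1 == "option" && $2 == k {
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, ""); gsub(/'\''/, ""); print }' "$1"
}

# check_ap_config NETWORK WIRELESS OPENVPN: returns 0 when the files agree
check_ap_config() {
    rc=0
    members=" $(uci_values "$1" ifname | tr '\n' ' ') "
    for dev in $(uci_values "$3" dev); do
        case "$members" in
            *" $dev "*) ;;
            *) echo "ERROR: OpenVPN dev $dev is not a member of any interface"; rc=1 ;;
        esac
    done
    nets=" $(awk '$1 == "config" && $2 == "interface" { gsub(/'\''/, "", $3); print $3 }' "$1" | tr '\n' ' ') "
    for net in $(uci_values "$2" network); do
        case "$nets" in
            *" $net "*) ;;
            *) echo "ERROR: wifi-iface attaches to undefined network $net"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files following the ap01 layout (only the relevant options)
d=$(mktemp -d)
cat > "$d/network" <<'EOF'
config interface 'lan'
        option ifname 'eth0.1'
config interface 'workers'
        option ifname 'tapWorkers'
config interface 'guests'
        option ifname 'tapGuests'
EOF
cat > "$d/wireless" <<'EOF'
config wifi-iface
        option network 'lan'
config wifi-iface
        option network 'workers'
config wifi-iface
        option network 'guests'
EOF
cat > "$d/openvpn" <<'EOF'
config openvpn confWorkers
        option dev tapWorkers
config openvpn confGuests
        option dev tapGuests
EOF
check_ap_config "$d/network" "$d/wireless" "$d/openvpn" && echo "ap01 configuration is consistent"
```

On a real AP call check_ap_config with /etc/config/network, /etc/config/wireless and /etc/config/openvpn.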

Linux Box Configuration

The Linux box is used as the OpenVPN concentrator for the traffic coming from the Access Points. Shorewall is used for traffic policing. OpenVPN keys are administered with the "easy-rsa" scripts. CentOS 6.4 is used in this example.

Networking

  • Configure the tunnel interfaces (/etc/sysconfig/network-scripts/ifcfg-tapWorkers and ifcfg-tapGuests). TYPE=Tap tells the network scripts to create the tap device that OpenVPN attaches to.
    # ifcfg-tapWorkers
    DEVICE=tapWorkers
    TYPE=Tap
    ONBOOT=yes
    BOOTPROTO=none
    NM_CONTROLLED=no
    IPADDR=192.168.2.1
    NETMASK=255.255.255.0

    # ifcfg-tapGuests
    DEVICE=tapGuests
    TYPE=Tap
    ONBOOT=yes
    BOOTPROTO=none
    NM_CONTROLLED=no
    IPADDR=192.168.3.1
    NETMASK=255.255.255.0

  • Configure your WAN and LAN interfaces as you wish. Here eth0 is LAN and eth1 is WAN.
    # ifcfg-eth0
    DEVICE=eth0
    HWADDR=E8:40:F2:3D:7F:48
    TYPE=Ethernet
    UUID=07a338a7-6753-4b4c-90fa-3a2866a10493
    ONBOOT=yes
    NM_CONTROLLED=no
    BOOTPROTO=static
    IPADDR0=192.168.1.1
    NETMASK0=255.255.255.0
    IPADDR1=192.168.1.2
    NETMASK1=255.255.255.0

    # ifcfg-eth1
    DEVICE=eth1
    HWADDR=C8:3A:35:DA:B6:80
    TYPE=Ethernet
    UUID=3cbafbed-181a-4025-b31e-9ab7c08eebca
    ONBOOT=yes
    NM_CONTROLLED=no
    BOOTPROTO=static
    IPADDR0=201.n.n.n
    NETMASK0=255.255.255.248
    IPADDR1=201.n.n.n
    NETMASK1=255.255.255.248
    GATEWAY=201.n.n.n

OpenVPN Server Configuration

  • Configure OpenVPN (/etc/openvpn/guests.conf and /etc/openvpn/workers.conf)
    # /etc/openvpn/guests.conf
    mode server
    tls-server
    dev tapGuests
    port 1195
    proto udp
    keepalive 10 60
    client-to-client

    syslog openvpn(Guests)
    verb 3

    ca easy-rsa/keys/ca.crt
    cert easy-rsa/keys/net01.supercompany.tld.crt
    key easy-rsa/keys/net01.supercompany.tld.key
    dh easy-rsa/keys/dh1024.pem
    cipher none

    # /etc/openvpn/workers.conf
    mode server
    tls-server
    dev tapWorkers
    port 1194
    proto udp
    keepalive 10 60
    client-to-client

    syslog openvpn(Workers)
    verb 3

    ca easy-rsa/keys/ca.crt
    cert easy-rsa/keys/net01.supercompany.tld.crt
    key easy-rsa/keys/net01.supercompany.tld.key
    dh easy-rsa/keys/dh1024.pem
    cipher none

Shorewall Configuration

Shorewall was installed from the RPMs provided on its homepage.

  • Define zones (/etc/shorewall/zones)
    #
    # Shorewall version 4 - Zones File
    #
    # For information about this file, type "man shorewall-zones"
    #
    # The manpage is also online at
    # http://www.shorewall.net/manpages/shorewall-zones.html
    #
    ###############################################################################
    #ZONE   TYPE            OPTIONS         IN                      OUT
    #                                       OPTIONS                 OPTIONS
    fw      firewall
    wan     ipv4
    lan     ipv4
    guest   ipv4
    
  • Define the interfaces (/etc/shorewall/interfaces)
    #
    # Shorewall version 4 - Interfaces File
    #
    # For information about entries in this file, type "man shorewall-interfaces"
    #
    # The manpage is also online at
    # http://www.shorewall.net/manpages/shorewall-interfaces.html
    #
    ###############################################################################
    ?FORMAT 2
    ###############################################################################
    #ZONE           INTERFACE               OPTIONS
    wan             eth1
    lan             eth0
    lan             tapWorkers
    guest           tapGuests
    
  • The policy and rules are up to you.
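One policy that matches the isolation the introduction calls for, as an added example rather than the HOWTO's own files: guests reach only the Internet plus DHCP, DNS and ping on the Linux box, while the lan zone (wired LAN and the workers tunnel) is unrestricted. It assumes the zones and interfaces defined above, that the Linux box serves DHCP and DNS to the guest network, and eth1 as the WAN with the three private /24s masqueraded behind it; the awk helper is a simplified model of how Shorewall walks the policy file top to bottom.

```shell
# Added example, not from the HOWTO: Shorewall policy, rules and masq files for
# guest isolation. write_isolation_config DIR writes the three files into DIR
# (/etc/shorewall on the real box).
write_isolation_config() {
    cat > "$1/policy" <<'EOF'
#SOURCE  DEST   POLICY   LOG_LEVEL
fw       all    ACCEPT
lan      all    ACCEPT
guest    wan    ACCEPT
guest    all    DROP     info
wan      all    DROP     info
all      all    REJECT   info
EOF
    cat > "$1/rules" <<'EOF'
#ACTION       SOURCE  DEST  PROTO  DEST_PORT(S)
# The HOWTO's interfaces file carries no 'dhcp' option, so allow DHCP explicitly.
ACCEPT        guest   fw    udp    67
DNS(ACCEPT)   guest   fw
Ping(ACCEPT)  guest   fw
EOF
    cat > "$1/masq" <<'EOF'
#INTERFACE  SOURCE
eth1        192.168.1.0/24,192.168.2.0/24,192.168.3.0/24
EOF
}

# policy_for SOURCE DEST FILE: simplified first-match lookup, the way Shorewall
# walks the policy file top to bottom ('all' matches any zone, fw included).
# Ordering matters: 'guest wan ACCEPT' must precede 'guest all DROP'.
policy_for() {
    awk -v s="$1" -v d="$2" '
        /^#/ || NF == 0 { next }
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }' "$3"
}

dir=$(mktemp -d)   # write to /etc/shorewall for real, then run "shorewall check"
write_isolation_config "$dir"
echo "guest -> lan: $(policy_for guest lan "$dir/policy")"   # DROP
echo "guest -> wan: $(policy_for guest wan "$dir/policy")"   # ACCEPT
```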


doc/howto/wide.area.wifi.txt · Last modified: 2013/10/28 07:22 by lorema