In order to have some rogue WiFi networks for playing around with security tools and techniques at home, I wanted to set up my Raspberry Pi 3 as an Access Point. It turned out that trying this with two WiFi adapters – the built-in one plus a USB adapter – can be a huge pain…
To give a quick overview of the scenario I want to create, check out the picture below.
In the end we should be able to spawn a WiFi for our testing purposes, shown here as the BadWiFi. The main machine will be able to connect to the Pi itself via SSH over the regular WiFi. The attacker will just connect/sniff the
Since I have an additional WiFi adapter, the Pi registers two different interfaces:
wlan0 is the Pi’s built-in WiFi interface
wlan1 is the USB adapter
For the purpose of creating my own AP I will use wlan0 as the AP interface, while wlan1 remains connected to my regular home WiFi.
If you want to set this up yourself, too – I had no luck using the interfaces the other way round (wlan1 as AP). I wasted around 12 hours trying, so just don’t (or tell me why I failed miserably). The issue I had with using wlan1 as AP was that all clients kept disassociating from the WiFi and could not establish a stable connection.
wpa_supplicant will try to control all WiFi interfaces on the Pi. In my case it would always make both of them immediately join the configured home WiFi. One neat thing I found after lots of googling is that it is possible to separate wpa_supplicant configurations by interface.
First, let’s use the main configuration as the base for both individual configs.
$ cd /etc/wpa_supplicant
$ sudo cp wpa_supplicant.conf wpa_supplicant-wlan0.conf
$ sudo cp wpa_supplicant.conf wpa_supplicant-wlan1.conf
Since we will be using wlan1 as our normal WiFi interface, all the network configuration blocks should go into wpa_supplicant-wlan1.conf. Make sure that both the regular wpa_supplicant.conf and wpa_supplicant-wlan0.conf do not contain any network blocks. In my case I only had a single line with a country setting left in the
Verify that everything is still working and that you can connect to the Pi using ssh by rebooting it. When running iwconfig you should see that only wlan1 is connected to the regular WiFi.
To create the AP in software on the Pi I used hostapd. To provide the DHCP server required to hand out IP addresses automatically I relied on dnsmasq. To install both packages on the Pi just do:
$ sudo apt-get install hostapd dnsmasq
After installation we make sure both services are stopped so that we can play around with the configuration files:
$ sudo systemctl stop hostapd
$ sudo systemctl stop dnsmasq
Since I don’t need the AP all the time and only activate it when required, I decided to disable both services completely so that they are not started on boot:
$ sudo systemctl disable hostapd
$ sudo systemctl disable dnsmasq
For DHCP to be fully operational, both dhcpcd and dnsmasq have to be properly configured. The former is used to assign a fixed IP to the wlan0 interface, which will then hand out DHCP leases to the WiFi via
I decided to give the AP the 192.168.1.1/24 IP subnet since my regular WiFi uses 192.168.178.1/24. As such, wlan0 should get the address 192.168.1.1.
Edit /etc/dhcpcd.conf and add the following at the end of the file (check that there is no other interface wlan0 block):
interface wlan0
static ip_address=192.168.1.1/24
The original dnsmasq configuration provided after installation at /etc/dnsmasq.conf contains a huge load of possible configuration options and comments. It’s best to start with a fresh one and keep the old one as a backup:
$ sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
$ vim /etc/dnsmasq.conf
The required content for DHCP to work in our AP is:
interface=wlan0
no-dhcp-interface=wlan1
dhcp-range=192.168.1.100,192.168.1.200,24h
dhcp-option=option:dns-server,192.168.1.1
We set dnsmasq to work on wlan0 but exclude wlan1 (my regular WiFi also does DHCP and I don’t want any conflicts there). The DHCP range itself is limited to the addresses 100 to 200, and wlan0 will also be the DNS server for all clients.
After all this configuration, once again make sure to reboot your Pi and verify that everything else is still working as expected…
Configuring the AP
Finally – it’s time to configure hostapd and get the software AP up and running. We will place its configuration file at /etc/hostapd/hostapd.conf:
$ sudo vim /etc/hostapd/hostapd.conf
The required content to create a simple WPA2 network is as follows:
interface=wlan0
# country_code=DE - adapt if needed
ssid=BadWifi
channel=9
auth_algs=1
wpa=2
wpa_passphrase=YourSecret!
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_group_rekey=86400
The options should be self-explanatory. I only added wpa_group_rekey=86400 to make sure that rekeying takes place only once per day.
A great resource to find out about all those settings and see what is possible has been that dummy file.
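Since a hostapd.conf is easy to get subtly wrong, here is a small linter for the WPA2-PSK settings used above. This is an added example, not code from the original post; it assumes the plain key=value format with # comment lines that hostapd reads, and the "post" sample it constructs mirrors the settings shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a small linter for the
# WPA2-PSK settings in a hostapd.conf like the one above. It assumes the
# plain key=value format with '#' comment lines that hostapd uses.

# hostapd_get FILE KEY -> value of KEY (last uncommented occurrence), empty if unset
hostapd_get() {
    sed -n 's/^[[:space:]]*'"$2"'=\(.*\)$/\1/p' "$1" | tail -n 1
}

# check_hostapd_conf FILE -> prints one finding per line, returns 1 if there were any
check_hostapd_conf() {
    f=$1; findings=0
    wpa=$(hostapd_get "$f" wpa)
    pairwise=$(hostapd_get "$f" wpa_pairwise)
    pass=$(hostapd_get "$f" wpa_passphrase)
    # wpa=1 is WPA(1) only and wpa=3 is WPA/WPA2 mixed mode; wpa=2 means WPA2 only
    if [ "$wpa" != 2 ]; then echo "wpa=$wpa: set wpa=2 for WPA2 only"; findings=1; fi
    # TKIP is the legacy WPA cipher; offering "TKIP CCMP" lets clients negotiate it
    case " $pairwise " in
        *" TKIP "*) echo "wpa_pairwise=$pairwise: use wpa_pairwise=CCMP"; findings=1 ;;
    esac
    # A WPA-PSK passphrase must be 8 to 63 characters; the PSK is derived from it
    len=${#pass}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "wpa_passphrase has $len characters: must be 8..63"; findings=1
    fi
    return $findings
}

# write_sample_conf FILE MODE -> writes a constructed config: "post" mirrors the
# settings shown above, "hardened" is the same network with TKIP dropped
write_sample_conf() {
    if [ "$2" = hardened ]; then pairwise=CCMP; else pairwise="TKIP CCMP"; fi
    printf '%s\n' 'interface=wlan0' '# country_code=DE - adapt if needed' \
        'ssid=BadWifi' 'channel=9' 'auth_algs=1' 'wpa=2' 'wpa_passphrase=YourSecret!' \
        'wpa_key_mgmt=WPA-PSK' "wpa_pairwise=$pairwise" 'wpa_group_rekey=86400' > "$1"
}

tmp=$(mktemp)
write_sample_conf "$tmp" post
echo "settings as in the post:"; check_hostapd_conf "$tmp" || true
write_sample_conf "$tmp" hardened
echo "hardened:"; check_hostapd_conf "$tmp" && echo "no findings"
rm -f "$tmp"
```

Run it against the real file with check_hostapd_conf /etc/hostapd/hostapd.conf; the only finding for the settings above is the TKIP entry in wpa_pairwise.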
The last thing to change so that hostapd picks up the right config is to edit /etc/default/hostapd and make sure the following line is in there:
Finally, for IP forwarding to work so that the upstream WiFi connection can be shared, we need to change one setting in /etc/sysctl.conf by uncommenting the following line:
Just reboot one last time without enabling any services and make sure everything else works as expected.
Starting the AP
After all the changes and configuration hurdles we can now try and start the Access Point at last:
$ sudo systemctl start dnsmasq
$ sudo systemctl start hostapd
A minor thing I found when starting hostapd is that sometimes it doesn’t have enough entropy to start the WPA encryption required for the handshakes. The easiest workaround: just run find * / for a few seconds and that will be solved.
And after a few seconds you should finally be able to see the new BadWiFi and join it with the password provided above!
Despite following the official documentation I could not get the AP up and running at first. It really took me some hard hours of research, pain and failure to finally succeed. I hope my description above helps you out when trying to get it running yourself. BUT IT WORKS!!