Skip to content

Instantly share code, notes, and snippets.

@cablethief

cablethief/README.md

Last active March 15, 2019 07:39
Show Gist options
  • Save cablethief/9b75affb1d6f1a14fd989329b179cb87 to your computer and use it in GitHub Desktop.
Save cablethief/9b75affb1d6f1a14fd989329b179cb87 to your computer and use it in GitHub Desktop.
Download ZIP
Setting upstream Internet and Radius for External Wireless Devices
Raw
README.md

Setup Upstream Internet and Radius

Intro

Sometimes you would either like to share internet or use Fancy wireless equipment to compete against corporate signal. Here are commands to setup a NAT to provide your device with internet and an IP. Afterwards you can create a RADIUS server to authenticate clients to your hardware.

I have created 2 scripts to do this automaticaly:

Share Internet: https://gist.github.com/Cablethief/9b75affb1d6f1a14fd989329b179cb87#file-share_internet-sh

Create RADIUS: https://gist.github.com/Cablethief/9b75affb1d6f1a14fd989329b179cb87#file-create_radius-sh

Give static IP

sudo ip addr add 192.168.55.1/24 dev enp0s20f0u2u3

Give DHCP LEASES

sudo dnsmasq -i enp0s20f0u2u3 --dhcp-range=192.168.55.50,192.168.55.150,12h --dhcp-option=option:router,192.168.55.1 -q -d

Enable IP forwarding

sudo sysctl net.ipv4.ip_forward=1

NAT networking

sudo iptables -t nat -A POSTROUTING -o wlp58s0 -j MASQUERADE
sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i enp0s20f0u2u3 -o wlp58s0 -j ACCEPT

Create RADIUS Certificates

openssl genrsa -out server.key 2048
openssl req -new -sha256 -key server.key -out csr.csr
openssl req -x509 -sha256 -days 365 -key server.key -in csr.csr -out server.pem
ln -s server.pem ca.pem

Create RADIUS Config

cat << EOF >> hostapd.radius_clients
0.0.0.0/0 P@ssw0rd
EOF

Create Hostapd Radius Config

This requires certain compilation settings to work (CONFIG_DRIVER_NONE=y), if your hostapd errors try using hostapd-mana which by default is compiled with the flag.

cat << EOF >> radius_server.config
driver=none
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=ca.pem
server_cert=server.pem
private_key=server.key
private_key_passwd=
radius_server_clients=hostapd.radius_clients
radius_server_auth_port=1812
logger_syslog=-1
logger_stdout=-1
logger_syslog_level=1
logger_stdout_level=1
EOF

Set Downstream Access Point

Now you may add your radius server to your EAP configuration on your AP. An OpenWRT example may be seen here: https://gist.github.com/Cablethief/9b75affb1d6f1a14fd989329b179cb87#file-zopenwrtconfig-png.

Raw
create_radius.sh
#!/bin/bash
PASSWORD='P@ssw0rd'
SUBJ='/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com'
EAP_USER_FILE=
print_usage(){
echo "Usage: sudo $0 [-p <RADIUS Password to use>] [-s <Certificate Subject>] [-f <eap_user_file>]"
echo "Subject example -s '/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com'"
}
while getopts 'p:s:f:h' flag; do
case "${flag}" in
p) PASSWORD="${OPTARG}" ;;
s) SUBJ="${OPTARG}" ;;
f) EAP_USER_FILE="${OPTARG}" ;;
h) print_usage
exit 1 ;;
*) print_usage
exit 1 ;;
:) echo "${OPTARG} requires an argument"; exit 1;
esac
done
clean_up(){
echo ""
echo "Cleaning Temp Configs"
rm -r "${directory}"
return
}
create_configs(){
echo "Creating RADIUS Client File"
cat << EOF >> "${directory}/hostapd.radius_clients"
0.0.0.0/0 ${PASSWORD}
EOF
if [[ -z ${EAP_USER_FILE} ]]; then
echo "Creating EAP User File"
cat << EOF >> "${directory}/hostapd.eap_user"
* PEAP,TTLS,TLS,MD5,GTC
"t" TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP "1234test" [2]
EOF
EAP_USER_FILE="${directory}/hostapd.eap_user"
fi
echo "Creating Hostapd Config"
cat << EOF >> "${directory}/radius_server.config"
driver=none
eap_server=1
eap_user_file=${EAP_USER_FILE}
ca_cert=${directory}/ca.pem
server_cert=${directory}/server.pem
private_key=${directory}/server.key
private_key_passwd=
radius_server_clients=${directory}/hostapd.radius_clients
radius_server_auth_port=1812
logger_syslog=-1
logger_stdout=-1
logger_syslog_level=1
logger_stdout_level=1
EOF
}
create_certs(){
echo "Creating Certificates"
$(which openssl) genrsa -out "${directory}/server.key" 2048
$(which openssl) req -new -sha256 -key "${directory}/server.key" -out "${directory}/csr.csr" -subj "${SUBJ}"
$(which openssl) req -x509 -sha256 -days 365 -key "${directory}/server.key" -in "${directory}/csr.csr" -out "${directory}/server.pem"
ln -s "${directory}/server.pem" "${directory}/ca.pem"
return
}
echo "ctrl+c to trigger cleanup"
# ERR is triggered if rm file doesnt exist.
# trap "exit" INT TERM ERR
trap "exit" INT TERM
trap "clean_up" EXIT
directory=$(mktemp -d /tmp/create_radius.XXXXX)
create_certs
create_configs
echo "Running Hostapd-mana as RADIUS server"
hostapd-mana "${directory}/radius_server.config"
wait
Raw
share_internet.sh
#!/bin/bash
if (( $EUID != 0 )); then
echo "Please run as root"
exit
fi
internet=''
interface=''
print_usage(){
printf "Usage: sudo $0 -i <interface to NAT (Downstream)> -s <interface with internet (Upstream)>\n"
}
while getopts 's:i:h' flag; do
case "${flag}" in
i) interface="${OPTARG}" ;;
s) internet="${OPTARG}" ;;
h) print_usage
exit 1 ;;
*) print_usage
exit 1 ;;
:) echo "${OPTARG} requires an argument"; exit 1;
esac
done
if [ "$#" -ne 4 ]; then
print_usage
exit 0
fi
clean_up(){
echo ""
echo "Clearing Static IP address"
ip addr flush dev ${interface}
echo "Clearing NAT IPTABLE rules"
iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -i ${interface} -o ${internet} -j ACCEPT
iptables -t nat -D POSTROUTING -o wlp58s0 -j MASQUERADE
return
}
create_router(){
echo "Setting Interface to up"
ip link set dev ${interface} up
echo "Giving interface static IP: 192.168.55.1"
ip addr add 192.168.55.1/24 dev ${interface}
echo "Enabling IP forwarding"
sysctl net.ipv4.ip_forward=1
echo "Enabling NAT IPTABLES to share internet"
iptables -t nat -A POSTROUTING -o ${internet} -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${interface} -o ${internet} -j ACCEPT
return
}
create_router
echo "ctrl+c to trigger cleanup"
# ERR is triggered if rm file doesnt exist.
# trap "exit" INT TERM ERR
trap "exit" INT TERM
trap "clean_up" EXIT
echo "Running Dnsmasq as a DHCP server"
dnsmasq -i ${interface} --dhcp-range=192.168.55.50,192.168.55.150,12h --dhcp-option=option:router,192.168.55.1 -q -d
wait
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment