Ok, let’s go for a short howto.
This is just the start of the journey since right now, the best we could achieve is a switch, not a router.
Why are we doing this? Short answer: just for fun. Long one… actually, if the VIM provides enough bandwidth to be used on a DSL WAN, then this could be a great base to build an OpenVPN endpoint without the CPU/RAM constraints of a typical consumer-grade router.
Let’s set the goal: build a basic router with the WAN port on the VIM ethernet interface, the LAN port(s) will be supported by the VIM wireless interface operating in access point mode (AP).
From a logical point of view, the LAN will operate on the 10.10.0.x address space and a local DHCP server will manage the local clients. In order to route packets between the WAN interface and the LAN we need to use the Linux kernel netfilter subsystem, specifically the NAT/masquerading function, and this is the first problem we have to solve.
Assuming we can overcome this, it’s then a matter of the bandwidth we can achieve between LAN and WAN; if we are above 20-30 Mb/s then the whole thing becomes useful and we could integrate the VPN client and a firewall.
Last but not least, the credit for this fully goes to the thread at this link: https://askubuntu.com/questions/180733/how-to-setup-an-access-point-mode-wi-fi-hotspot
Let’s start.
First thing, you want to install the Vim_Ubuntu-server-16.04_Linux-4.9_V170604 image; when done, you need to connect the VIM ethernet port to a network with internet access and run these commands:
echo "auto eth0" >> /etc/network/interfaces
echo "iface eth0 inet dhcp" >> /etc/network/interfaces
/etc/init.d/networking restart
at this point you should have internet access on the VIM; you can test it by pinging something. Then we need some support packages:
apt update
apt upgrade
apt install openssh-server   # this is optional but I just prefer to do the rest on my laptop in a remote ssh session
apt install man-db
apt install nano
now we need to enable some additional repositories for the packages we actually need; you can use the editor “nano” you just installed, so run:
nano /etc/apt/sources.list
in this file you want to uncomment (remove the # in the first column) the “universe” repositories (it’s in more than one line) where there are the packages we need for the next steps. When done save the file and run the following commands to reload the repositories and install everything:
apt update
apt upgrade
apt install iptables
apt install iw
apt install hostapd
apt install isc-dhcp-server
if everything is fine we are done, all the packages are installed and we can configure them.
To do so we need to edit some files, let’s go:
nano /etc/hostapd/hostapd.conf
and inside the file paste this:
interface=wlan0
driver=nl80211
ssid=test
channel=1
wpa=3
wpa_passphrase=1234567890
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
when activated this will open a WPA access point on the VIM broadcasting a “test” network you can join with passphrase 1234567890. To test the configuration run:
hostapd /etc/hostapd/hostapd.conf
and if you can see the test network then you can start it as a service with:
service hostapd restart
Right now the “test” network still lacks a dhcp server, so if you attempt to join it you will get an error.
Ok let’s fix this, edit this file:
nano /etc/default/isc-dhcp-server
and add this:
INTERFACES="wlan0"
then edit this other file:
nano /etc/dhcp/dhcpd.conf
and at the end add this:
subnet 10.10.0.0 netmask 255.255.255.0 {
range 10.10.0.2 10.10.0.16;
option domain-name-servers 8.8.4.4, 208.67.222.222;
option routers 10.10.0.1;
}
and then this one:
nano /etc/network/interfaces
at the end add this:
auto wlan0
iface wlan0 inet static
address 10.10.0.1
netmask 255.255.255.0
in order to activate the dhcp server you need to restart it with:
service isc-dhcp-server restart
and to check if everything is fine you can look at the syslog output running
journalctl -e
If you are still with me at this point you should have (I can confirm I got it working):
- the VIM ethernet (eth0) port connected to the internet
- hostapd fully configured providing a WPA protected “test” WiFi network (passphrase 1234567890)
- a dhcp server assigning client addresses on the range 10.10.0.2 - 10.10.0.16 and google/opendns dns servers
Now the only missing stuff should be these two commands:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE
the first one tells the kernel to enable the routing and the second tells the kernel netfilter subsystem how to actually manage the routing between the LAN and the WAN (we need address translation since on the LAN we are using IPs from a non-public range).
The problem here is that “iptables -t nat” fails, complaining that NAT is not available from the kernel.
I found another thread (Get Docker running on Khadas VIM) where it seems some netfilter stuff was not included in a previous VIM kernel image:
- CONFIG_NETFILTER_XT_MATCH_IPVS: missing
- CONFIG_IP_NF_NAT: missing
Looking in the VIM filesystem under /lib/modules/ I see very few modules are there. I do not have the full config file for the released VIM 4.9 kernel but at this point I understand this is how the kernel was configured.
Maybe @Gouwa has some additional info here.
It would be great if someone can build a new kernel image with the full netfilter functions enabled and for the next official release this would be really appreciated.
In the meantime we are basically stuck. If you have any suggestions, they are welcome.
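One way to confirm which NAT-related options a kernel build lacks before trying "iptables -t nat", as an added example that is not part of the original post. The option list is an assumption for a 4.9-era kernel (only CONFIG_IP_NF_NAT is named above), the function names are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: report kernel options needed for
# "iptables -t nat ... -j MASQUERADE" that a kernel config does not enable.

# Assumed option list for a 4.9-era kernel; only CONFIG_IP_NF_NAT is from the post.
NAT_OPTS="CONFIG_NF_CONNTRACK CONFIG_NF_NAT CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE"

# missing_nat_opts FILE -> prints one missing option per line.
# An option counts as present when set to y (built in) or m (module);
# "# CONFIG_X is not set" and absent lines both count as missing.
missing_nat_opts() {
    for opt in $NAT_OPTS; do
        grep -Eq "^${opt}=(y|m)\$" "$1" || echo "$opt"
    done
}

# find_kernel_config -> prints the path of a readable config for the
# running kernel, or returns 1 when the kernel does not expose one.
find_kernel_config() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp) && gzip -dc /proc/config.gz > "$tmp" && echo "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Constructed sample resembling a kernel built without NAT support.
sample_config() {
cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_NAT is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
# CONFIG_IP_NF_NAT is not set
EOF
}

# Check the running kernel only when asked to: ./script --running
if [ "${1:-}" = "--running" ]; then
    cfg=$(find_kernel_config) || { echo "kernel config not exposed" >&2; exit 2; }
    missing_nat_opts "$cfg"
fi
```

/proc/config.gz only exists when the kernel was built with CONFIG_IKCONFIG_PROC, so an exit code of 2 means the config has to come from the image vendor instead.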
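The hostapd.conf above is fine for a bring-up test, but it enables legacy WPA with TKIP and uses a short numeric passphrase. The following audit is an added example, not part of the original post; the function names, the 12-character threshold and the WPA2-only sample are assumptions, and both sample configs are constructed (the first mirrors the security lines of the post's file).

```shell
#!/bin/sh
# Added example: flag weak security settings in a hostapd.conf.

# conf_get KEY FILE -> last value assigned to KEY
conf_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# audit_hostapd FILE -> one finding per line, no output when clean
audit_hostapd() {
    wpa=$(conf_get wpa "$1")
    pass=$(conf_get wpa_passphrase "$1")
    case "$wpa" in
        2) ;;
        1|3) echo "wpa=$wpa enables legacy WPA; set wpa=2 for WPA2 only" ;;
        *) echo "wpa is unset or 0: network is not WPA-protected" ;;
    esac
    for key in wpa_pairwise rsn_pairwise; do
        case " $(conf_get "$key" "$1") " in
            *" TKIP "*) echo "$key allows TKIP; use CCMP only" ;;
        esac
    done
    if [ -n "$pass" ]; then
        # 12 is an assumed policy floor; hostapd itself accepts 8..63 characters
        [ "${#pass}" -ge 12 ] || echo "wpa_passphrase is shorter than 12 characters"
        case "$pass" in
            *[!0-9]*) ;;
            *) echo "wpa_passphrase is digits only" ;;
        esac
    fi
}

page_conf() {      # constructed copy of the post's security settings
cat <<'EOF'
interface=wlan0
ssid=test
wpa=3
wpa_passphrase=1234567890
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
EOF
}

hardened_conf() {  # constructed WPA2-only variant; passphrase is a placeholder
cat <<'EOF'
interface=wlan0
ssid=test
wpa=2
wpa_passphrase=constructed-example-passphrase
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
EOF
}
```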