How To use WiFi as a LAN interface on Raspberry Pi

Introduction

When using a Raspberry Pi as a vGateway device, you can use its built-in WiFi card to create a WiFi access point. This procedure requires modifying the image that Wedge created for your Ecosystem.

Prerequisites

  1. Existing and configured Ecosystem
  2. Configured Gateway
  3. Basic knowledge of Unix system configuration.

How-To

  1. Generate an image for your Raspberry Pi and install it on the device (see the separate how-to on how to do it).

  2. Log in to the device.

  3. Update the system and install hostapd:

    sudo apt-get update -y
    sudo apt-get install -y hostapd
  4. Go to /etc/hostapd/ and check whether the file hostapd.conf exists. Create it if needed and put the configuration of your Access Point in it. Replace the example SSID and passphrase with your own; hostapd accepts a passphrase of 8 to 63 characters:

    # Radio and SSID settings
    interface=wlan0
    ssid=acreto
    hw_mode=g
    channel=1
    wmm_enabled=0
    macaddr_acl=0
    auth_algs=1
    ignore_broadcast_ssid=0
    # wpa=2 enables WPA2 only, so rsn_pairwise is the cipher that applies to clients.
    # wpa_pairwise only covers WPA (wpa=1) and is ignored with wpa=2; TKIP is never offered.
    wpa=2
    wpa_passphrase=acreto#1234
    wpa_key_mgmt=WPA-PSK
    wpa_pairwise=TKIP
    rsn_pairwise=CCMP
  5. Go to /etc/ipsec.d/ and create the ipsec-leftupdown.sh file with this content (the iptables lines are the addition for the WiFi setup; the rest is the standard updown script):

    #! /bin/bash
    
    #  This script creates a new vti interface and adds routes based on data passed from strongSwan.
    #  To use, add to the "conn..." section of the ipsec config file:
    #    leftupdown=/path/to/ipsec-leftupdown.sh
    
    set -o nounset
    set -o errexit
    
    # Interface name derived from the connection name (first 10 characters, dots removed)
    VTI_IF="vti-${PLUTO_CONNECTION:0:10}"
    VTI_IF="${VTI_IF/./}"
    
    # Create run directory
    RUNDIR=/var/run/acreto ; mkdir -p $RUNDIR
    
    # Read the remote networks to route through the tunnel from the per-connection
    # .route file (one or more CIDRs, whitespace separated)
    
    networks_right=''
    if [ -f /etc/ipsec.d/$PLUTO_CONNECTION.route ] ; then
      networks_right=`cat /etc/ipsec.d/$PLUTO_CONNECTION.route`
    else
        echo WARN: Routing info file /etc/ipsec.d/$PLUTO_CONNECTION.route not found
    fi
    
    # Determine gateway to use to reach ${PLUTO_PEER}
    function detectGateway {
       # Find a route with a 'via' address
       local gateway=""
    
       # Start with default route
       # Note that we exclude gateways that are on vti- devices
       [ -z "$gateway" ] &&  gateway=`ip route show default | grep -v 'dev vti-'  | grep -E -o 'via (([0-9]{1,3}\.){3}[0-9]{1,3})' | head -1 |cut -d' ' -f2  `
    
       # Try 'ip route get'
       # It's not first rule because it doesn't survive link change
       [ -z "$gateway" ] && gateway=`ip route get $1 | grep -v 'dev vti-' | grep -E -o 'via (([0-9]{1,3}\.){3}[0-9]{1,3})' |cut -d' ' -f2`
    
       # Fallback to a previously detected gateway (the file does not exist on first run)
       [ -z "$gateway" ] && gateway=`cat $RUNDIR/local-gateway.conf 2>/dev/null` || true
    
       # Save detected gateway
       [ ! -z "$gateway" ] && echo $gateway > $RUNDIR/local-gateway.conf
    
       echo $gateway
    }
    
    set -x
    
    gateway=`detectGateway  ${PLUTO_PEER}`
    
    case "${PLUTO_VERB}" in
       up-client)
          if ip tunnel show "${VTI_IF}" ; then
             op=change
          else
             op=add
          fi
    
          ip tunnel $op "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
                okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
          ip link set "${VTI_IF}" up
          sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
    
          # Flush every rule in the nat, mangle and filter tables (and delete user
          # chains) so nothing left in the image blocks or rewrites traffic from the
          # WiFi clients. This leaves the gateway with no packet filtering of its own:
          # only the chain default policies remain.
          iptables -t nat -F
          iptables -t mangle -F
          iptables -F
          iptables -X
    
          for net in $networks_right ; do
                if [ "$net" == '0.0.0.0/0' ] ; then
                   # Ensure that PEER is always accessible if we set up default route (and ignore errors)
                   [ ! -z "$gateway" ] && ip route replace ${PLUTO_PEER} via $gateway || true
                   # Ensure we don't have any other default gateway defined
                   while ip route show default|grep -q default ; do
                      ip route del default
                   done
                fi
                # 'replace' rather than 'add': routes are kept across down-client (see
                # below), so on renegotiation they already exist and 'add' would fail
                # and abort the script under errexit
                ip route replace "$net" dev ${VTI_IF}
          done
          ;;
       down-client)
          # Ensure that PEER is always accessible if we set up default route (and ignore errors)
          [ ! -z "$gateway" ] && ip route replace ${PLUTO_PEER} via $gateway || true
    
          # Nothing else to do here:
          # 1. We don't delete the tunnel interface and routing setup because it causes a connection reset, as down-client is called whenever a connection is renegotiated, and it makes apps (like mtr) break.
          # 2. We also don't remove the specific route to our gateway to be able to re-establish the connection.
          # 3. We also don't recover the default gateway, as we want to block all traffic if the tunnel is down.
          ;;
    esac
  6. Go to /etc/netplan/ and check whether the 50-acreto.yaml file (or a common one) exists. Edit it by adding the Access Point configuration (lines marked + are added, the line marked - is removed):

    network:
    version: 2
    +  renderer: NetworkManager
    ethernets:
       eth0:
          dhcp4: yes
    +  wifis:
    -  eth1:
    +    wlan0:
          addresses:
          - 10.153.250.1/29
    +      dhcp4: true
    +      optional: true
    +      access-points:
    +        "acreto":
    +          password: "acreto#1234"
    +          mode: ap
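Review bot: the YAML indentation in this hunk is inconsistent and the file will not parse as shown: `version: 2`, `renderer:`, `ethernets:` and `wifis:` all belong two spaces under `network:`, `eth0:` under `ethernets:`, and `addresses:`, `dhcp4:`, `optional:` and `access-points:` must sit at the same depth under `wlan0:` (with `- 10.153.250.1/29` indented beneath `addresses:`). `dhcp4: true` on wlan0 is also questionable, since that interface is the access point with a static address rather than a client of some other DHCP server; consider dropping it. Keep the `renderer: NetworkManager` line together with this change, because netplan only supports `mode: ap` through the NetworkManager backend, and make sure `password` here is the same string as `wpa_passphrase` in hostapd.conf from step 4, or clients will fail to associate.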
  7. After all of the modifications, the content of the custom folder should look like this:

    Custom /boot/firmware/strongswan.zip contents
    ❯ tree custom
    custom
    └── etc
       ├── default
       │   └── hostapd               <-- added one line
       ├── hostapd
       │   └── hostapd.conf         <-- all WiFi settings
       ├── ipsec.d
       │   ├── 402fd2ced4.conf
       │   ├── 402fd2ced4.route
       │   └── ipsec-leftupdown.sh  <-- added iptables commands to flush rules
       ├── ipsec.secrets
       ├── netplan
       │   └── 50-acreto.yaml      <-- added configuration for ap mode and IP
       └── sysctl.d
          └── 10_ac_ip_forward.conf
  8. Restart the device to apply all of the changes.

  9. Connect a client to the acreto WiFi network using acreto#1234 as the password and check that it receives an address from 10.153.250.0/29. The /29 leaves five client addresses once the gateway takes 10.153.250.1.
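
The following script is an added example and is not part of this page or of the Wedge image tooling. It stages the files from steps 4 and 6 into a directory laid out like the custom/etc tree in step 7 and sanity-checks them before they are packed into the image: WPA2 only, CCMP only, a passphrase hostapd will accept, the NetworkManager renderer required for mode: ap, and the same passphrase in both files. It assumes that DAEMON_CONF="/etc/hostapd/hostapd.conf" is the one line added to /etc/default/hostapd (the page does not show that file), and it leaves dhcp4 off wlan0 because that interface is the statically addressed access point, not a DHCP client. SSID, passphrase, address and file names are the page's own.

```shell
#!/bin/bash
# Added example (not the page's or Wedge's code): stage and check the WiFi AP
# files for the custom/etc tree. POSIX shell syntax, runs with bash or dash.
set -eu

# Write a WPA2-PSK/CCMP-only hostapd.conf.
# $1 = staging dir, $2 = SSID, $3 = passphrase, $4 = wireless interface
render_hostapd_conf() {
  local dest=$1 ssid=$2 pass=$3 iface=${4:-wlan0}
  mkdir -p "$dest/etc/hostapd" "$dest/etc/default"
  cat > "$dest/etc/hostapd/hostapd.conf" <<EOF
interface=$iface
ssid=$ssid
hw_mode=g
channel=1
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=$pass
EOF
  # Assumption: this is the single line added to /etc/default/hostapd so the
  # Debian-style init script knows which configuration to load.
  echo 'DAEMON_CONF="/etc/hostapd/hostapd.conf"' > "$dest/etc/default/hostapd"
}

# Write the netplan file: eth0 stays a DHCP client, wlan0 becomes a WPA2 AP
# with a static address. $1 = staging dir, $2 = SSID, $3 = passphrase,
# $4 = address/prefix on the AP side
render_netplan() {
  local dest=$1 ssid=$2 pass=$3 cidr=${4:-10.153.250.1/29}
  mkdir -p "$dest/etc/netplan"
  cat > "$dest/etc/netplan/50-acreto.yaml" <<EOF
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    eth0:
      dhcp4: true
  wifis:
    wlan0:
      optional: true
      addresses:
        - $cidr
      access-points:
        "$ssid":
          password: "$pass"
          mode: ap
EOF
}

# Check hostapd.conf: WPA2 only, CCMP allowed, TKIP absent, and a passphrase
# hostapd will accept (8 to 63 characters). Prints problems, returns 1 if any.
check_hostapd_conf() {
  local conf=$1 rc=0 wpa rsn pass
  wpa=$(sed -n 's/^wpa=//p' "$conf")
  rsn=$(sed -n 's/^rsn_pairwise=//p' "$conf")
  pass=$(sed -n 's/^wpa_passphrase=//p' "$conf")
  [ "$wpa" = 2 ] || { echo "wpa=$wpa: use wpa=2 so WPA1/TKIP is never offered"; rc=1; }
  case " $rsn " in
    *" CCMP "*) ;;
    *) echo "rsn_pairwise=$rsn: CCMP must be allowed"; rc=1 ;;
  esac
  case " $rsn " in
    *" TKIP "*) echo "rsn_pairwise=$rsn: TKIP is deprecated, drop it"; rc=1 ;;
  esac
  if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
    echo "wpa_passphrase is ${#pass} chars; hostapd requires 8 to 63"; rc=1
  fi
  return $rc
}

# Check the netplan file against hostapd.conf: mode: ap needs the
# NetworkManager backend, and both files must carry the same passphrase.
# $1 = netplan yaml, $2 = hostapd.conf
check_netplan() {
  local yaml=$1 conf=$2 rc=0 pass
  if grep -q '^[[:space:]]*mode: ap' "$yaml" \
     && ! grep -q '^[[:space:]]*renderer: NetworkManager' "$yaml"; then
    echo "mode: ap requires renderer: NetworkManager"; rc=1
  fi
  pass=$(sed -n 's/^wpa_passphrase=//p' "$conf")
  grep -q "password: \"$pass\"" "$yaml" \
    || { echo "netplan password does not match hostapd wpa_passphrase"; rc=1; }
  return $rc
}

# Client addresses available in the AP subnet: usable hosts of the prefix
# minus network, broadcast and the gateway's own address. $1 = address/prefix
client_addresses() {
  local prefix=${1#*/} n=1 i=0
  while [ "$i" -lt $((32 - prefix)) ]; do n=$((n * 2)); i=$((i + 1)); done
  echo $((n - 3))
}

# Usage: ./stage-wifi-ap.sh custom   (then pack custom into strongswan.zip as in step 7)
if [ "${1:-}" != "" ]; then
  render_hostapd_conf "$1" acreto 'acreto#1234' wlan0
  render_netplan "$1" acreto 'acreto#1234' 10.153.250.1/29
  check_hostapd_conf "$1/etc/hostapd/hostapd.conf"
  check_netplan "$1/etc/netplan/50-acreto.yaml" "$1/etc/hostapd/hostapd.conf"
  echo "staged in $1; $(client_addresses 10.153.250.1/29) client addresses available"
fi
```

Run it with a staging directory as the only argument; it exits non-zero and names the offending setting if a file fails a check, so it can sit in front of whatever packs strongswan.zip. The checks are deliberately string-based so the script works on a build host without hostapd or netplan installed; the authoritative parse still happens on the Pi when the services start.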

Summary

After the device restarts, you should be able to connect to the Acreto WiFi network. All client traffic goes through the Ecosystem and should be visible in its logs.