Configuring a Linux wireless access point

If at first you don’t succeed try, try again…

Although I had already succeeded in turning my Raspberry Pi into a wireless access point by bridging the network interfaces, I decided to start again from scratch, using the Debian wiki page and its sample configuration file for guidance.

Although the examples below are taken from a Raspberry Pi, the same process should work on any recent Linux distribution derived from Debian, and the same rules can be used to forward network traffic from one LAN interface to another (in which case you do not need to install or configure hostapd).

If you are setting up a wireless access point you need to begin by installing the firmware and configuring the wireless network, then modify the network configuration to assign the wireless interface a static IP address.

vi /etc/network/interfaces

auto lo
iface lo inet loopback
allow-hotplug wlan0
iface wlan0 inet dhcp
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
iface wlan0 inet static

allow-hotplug eth0
iface eth0 inet dhcp

To allow clients to connect we need to install the Host Access Point daemon, hostapd.

apt-get install hostapd
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
The following NEW packages will be installed:
  hostapd libnl-route-3-200
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 576 kB of archives.
After this operation, 1565 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Fetched 576 kB in 0s (1193 kB/s)
Setting up hostapd (2:2.4-1+deb9u2) ...
Processing triggers for systemd (232-25+deb9u6) ...

hostapd uses two separate configuration files: one for the wireless access point parameters and one to configure the daemon itself.

vi /etc/hostapd/hostapd.conf

# /etc/hostapd/hostapd.conf
wpa_pairwise=TKIP CCMP

vi /etc/default/hostapd

# Defaults for hostapd initscript
# See /usr/share/doc/hostapd/README.Debian for information about alternative
# methods of managing hostapd.
# Uncomment and set DAEMON_CONF to the absolute path of a hostapd configuration
# file and hostapd will be started during system boot. An example configuration
# file can be found at /usr/share/doc/hostapd/examples/hostapd.conf.gz
# Additional daemon options to be appended to hostapd command:-
#       -d   show more debug messages (-dd for even more)
#       -K   include key data in debug messages
#       -t   include timestamps in some debug messages
# Note that -B (daemon mode) and -P (pidfile) options are automatically
# configured by the init.d script and must not be added to DAEMON_OPTS.

To handle DNS requests and allow clients to obtain network addresses using DHCP, we will install a DNS forwarder and DHCP server.

apt-get install dnsmasq
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  dnsmasq-base libgmp10 libhogweed4 libnetfilter-conntrack3 libnfnetlink0
Suggested packages:
Recommended packages:
The following NEW packages will be installed:
  dnsmasq dnsmasq-base libgmp10 libhogweed4 libnetfilter-conntrack3 libnfnetlink0
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 759 kB of archives.
After this operation, 1672 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Fetched 963 kB in 5s (184 kB/s)
Setting up dnsmasq-base (2.76-5+rpt1+deb9u1) ...
Setting up dnsmasq (2.76-5+rpt1+deb9u1) ...
Created symlink /etc/systemd/system/
  -> /lib/systemd/system/dnsmasq.service.
Processing triggers for libc-bin (2.24-11+deb9u3) ...
Processing triggers for dbus (1.10.26-0+deb9u1) ...
Processing triggers for systemd (232-25+deb9u6) ...

Then we need to tell dnsmasq which interface to listen on, set up the range of IP addresses to hand out as DHCP leases, and define how long those leases are valid.

vi /etc/dnsmasq.conf

# Configuration file for dnsmasq.
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and 
# optionally a lease time. If you have more than one network, 
# you will need to repeat this for each network on which you  
# want to supply DHCPservice.
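The post's own dnsmasq.conf values are not shown above, so here is an added sanity check (not the post's file) that reads a dnsmasq.conf and confirms the three settings just described are usable: the interface line, a dhcp-range whose start and end are valid addresses in the same /24 and in the right order, and a lease time. The 192.168.4.x addresses and the 24h lease in the constructed sample are assumptions; on the access point point it at /etc/dnsmasq.conf instead.

```shell
#!/bin/sh
# Sanity check for the three dnsmasq settings described above: the interface dnsmasq
# listens on, the DHCP address range and the lease time. This is an added example,
# not the post's own file; the 192.168.4.x addresses and the lease time are assumptions.

# Convert a dotted-quad IPv4 address to an integer; prints nothing for malformed input.
ip_to_int() {
    printf '%s\n' "$1" | awk -F. '
        $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 {
            printf "%.0f\n", (($1 * 256 + $2) * 256 + $3) * 256 + $4
        }'
}

# Return 0 if FILE listens on IFACE and its first dhcp-range line is usable.
dnsmasq_conf_check() {
    file=$1; ifc=$2
    grep -Eq "^interface=$ifc\$" "$file" || { echo "FAIL: no interface=$ifc line in $file"; return 1; }
    range=$(sed -n 's/^dhcp-range=//p' "$file" | head -n 1)
    [ -n "$range" ] || { echo "FAIL: no dhcp-range line in $file"; return 1; }

    # dhcp-range=<start>,<end>[,<netmask>][,<lease time>]; split the value on commas
    old_ifs=$IFS; IFS=,; set -- $range; IFS=$old_ifs
    [ $# -ge 2 ] || { echo "FAIL: dhcp-range=$range needs a start and an end address"; return 1; }
    start=$1; end=$2; shift 2
    case ${1:-} in *.*.*.*) shift ;; esac      # skip an optional netmask field
    lease=${1:-1h}                             # dnsmasq defaults to a one hour lease

    s=$(ip_to_int "$start"); e=$(ip_to_int "$end")
    if [ -z "$s" ] || [ -z "$e" ]; then
        echo "FAIL: malformed address in dhcp-range=$range"; return 1
    fi
    [ "$s" -le "$e" ] || { echo "FAIL: range start $start is above end $end"; return 1; }
    # both ends must sit in the same /24, the usual size for a static wlan0 address
    [ $((s / 256)) -eq $((e / 256)) ] || { echo "FAIL: $start and $end are not in the same /24"; return 1; }
    case $lease in
        [0-9]*[hmd]|[0-9]*|infinite) ;;        # coarse format check only
        *) echo "FAIL: lease time '$lease' not understood"; return 1 ;;
    esac
    echo "ok: $ifc serves $start-$end, lease time $lease"
}

# Write a constructed sample configuration (not the post's file) to the given path.
write_sample_dnsmasq_conf() {
    cat > "$1" <<'EOF'
# constructed sample
interface=wlan0
dhcp-range=192.168.4.10,192.168.4.100,24h
EOF
}

# Demo on a temporary copy; point it at /etc/dnsmasq.conf on the access point itself.
sample=$(mktemp)
write_sample_dnsmasq_conf "$sample"
dnsmasq_conf_check "$sample" wlan0
rm -f "$sample"
```

A range whose ends lie in different /24s, or that runs backwards, is a common reason clients get no address even though dnsmasq is running, so those two cases are reported explicitly.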

Since we will be using the Uncomplicated Firewall (UFW) to set up the additional rules needed to forward packets from one interface to another, we need to install it first.

After installing it, use the following command to deny all incoming connections by default:

ufw default deny
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)

If you want to, you can allow incoming ‘ssh’ connections from the wireless network:

ufw allow in on wlan0 from to any port 22 proto tcp
Rules updated  

We also need to set up rules to allow incoming DHCP requests and DNS queries:

ufw allow in on wlan0 from any port 68 to any port 67 proto udp
Rules updated
ufw allow in on wlan0 from to any port 53
Rules updated  

Next we need to set up the kernel to allow forwarding and configure the firewall to use NAT to forward packets.

vi /etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4

vi /etc/ufw/before.rules

# /etc/ufw/before.rules
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
# Enable NAT
# Forward traffic through eth0 - Change to match your out-interface

# Don't delete these required lines, otherwise there will be errors
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

vi /etc/ufw/after.rules

# don't log noisy broadcast
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
# Enable Port forwarding
-A FORWARD -o eth0 -i wlan0 -s -m conntrack --ctstate NEW -j ACCEPT 

# don't delete the 'COMMIT' line or these rules won't be processed

vi /etc/default/ufw

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
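The forwarding step touches three files, and a single commented-out line in any of them leaves clients associated with the access point but unable to reach the LAN. The following added check script (not part of the original post) verifies each file. It assumes what the edited lines contain, since the post does not show them: an uncommented net.ipv4.ip_forward=1 in sysctl.conf, DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw, and a *nat table in before.rules holding -A POSTROUTING -o eth0 -j MASQUERADE and closed by its own COMMIT. Each function takes a file path, so it runs on the live files or on the constructed copies in the demo.

```shell
#!/bin/sh
# Post-configuration check for the forwarding and NAT step above. Added example, not
# part of the original post. Assumed contents of the edited files (the post's own values
# are not shown): sysctl.conf has an uncommented "net.ipv4.ip_forward=1",
# /etc/default/ufw has DEFAULT_FORWARD_POLICY="ACCEPT", and before.rules carries a
# "*nat" table with "-A POSTROUTING -o eth0 -j MASQUERADE" closed by its own COMMIT.

# Return 0 if FILE has an active (not commented out) net.ipv4.ip_forward=1 line.
ip_forward_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Return 0 if FILE sets DEFAULT_FORWARD_POLICY to ACCEPT, quoted or not.
forward_policy_accept() {
    grep -Eq '^[[:space:]]*DEFAULT_FORWARD_POLICY="?ACCEPT"?[[:space:]]*$' "$1"
}

# Return 0 if FILE has a MASQUERADE rule for outbound interface IFACE inside a *nat
# table that is closed by COMMIT; ufw loads the file with iptables-restore, which
# expects every table to end with COMMIT.
nat_masquerade_present() {
    awk -v ifc="$2" '
        /^\*/                { in_nat = ($1 == "*nat"); next }
        in_nat && /^COMMIT/  { if (seen) ok = 1; in_nat = 0; next }
        in_nat && $0 ~ ("^-A POSTROUTING -o " ifc " -j MASQUERADE") { seen = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Run all three checks against the given files and return the number of failures.
check_forwarding_setup() {
    sysctl_file=$1; ufw_default=$2; before_rules=$3; out_if=$4; failed=0
    if ip_forward_enabled "$sysctl_file"; then echo "ok: IPv4 forwarding enabled in $sysctl_file"
    else echo "FAIL: net.ipv4.ip_forward=1 missing or commented out in $sysctl_file"; failed=$((failed + 1)); fi
    if forward_policy_accept "$ufw_default"; then echo "ok: DEFAULT_FORWARD_POLICY is ACCEPT"
    else echo "FAIL: DEFAULT_FORWARD_POLICY is not ACCEPT in $ufw_default"; failed=$((failed + 1)); fi
    if nat_masquerade_present "$before_rules" "$out_if"; then echo "ok: NAT for $out_if found in $before_rules"
    else echo "FAIL: no committed *nat MASQUERADE rule for $out_if in $before_rules"; failed=$((failed + 1)); fi
    return "$failed"
}

# Write constructed sample copies of the three files (not the post's own) into DIR.
write_sample_files() {
    printf '# constructed sysctl.conf\nnet.ipv4.ip_forward=1\n' > "$1/sysctl.conf"
    printf '# constructed /etc/default/ufw\nDEFAULT_FORWARD_POLICY="ACCEPT"\n' > "$1/ufw"
    cat > "$1/before.rules" <<'EOF'
# constructed before.rules: NAT table first, then the filter table ufw expects
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
COMMIT
EOF
}

# Demo on the constructed copies; on the access point use /etc/sysctl.conf,
# /etc/default/ufw and /etc/ufw/before.rules instead.
tmp=$(mktemp -d)
write_sample_files "$tmp"
check_forwarding_setup "$tmp/sysctl.conf" "$tmp/ufw" "$tmp/before.rules" eth0
rm -rf "$tmp"
```

The return value is the number of failed checks, so the script can be dropped into a post-install routine and the output read only when it is non-zero.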

Finally we need to enable the firewall and reboot.

ufw enable
Firewall is active and enabled on system startup
[  OK  ] Stopped target Graphical Interface.
[  OK  ] Stopped target Multi-User System.
[  OK  ] Stopped Create Static Device Nodes in /dev.
[  OK  ] Reached target Shutdown.
         reboot: Restarting system
Welcome to Raspbian GNU/Linux 9 (stretch)!
[  OK  ] Listening on udev Control Socket.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Started Update UTMP about System Runlevel Changes.
Raspbian GNU/Linux 9 unknown ttyAMA0
unknown login: 

You can check that the services are running by displaying their status.

service hostapd status
 hostapd.service - LSB: Advanced IEEE 802.11 management daemon
   Loaded: loaded (/etc/init.d/hostapd; generated; vendor preset: enabled)
   Active: active (running) since Sat 2019-02-02 18:40:55 UTC; 40s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 286 ExecStart=/etc/init.d/hostapd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/hostapd.service
           └─337 /usr/sbin/hostapd -B -P /run/ /etc/hostapd/hostapd.conf
Feb 02 18:40:52 unknown systemd[1]: Starting LSB: Advanced IEEE 802.11 management daemon...
Feb 02 18:40:55 unknown hostapd[286]: Starting advanced IEEE 802.11 management: hostapd.
Feb 02 18:40:55 unknown systemd[1]: Started LSB: Advanced IEEE 802.11 management daemon.

service dnsmasq status
 dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-02-02 22:50:30 UTC; 1min 45s ago
  Process: 347 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
  Process: 297 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
  Process: 277 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 346 (dnsmasq)
   CGroup: /system.slice/dnsmasq.service
           └─346 /usr/sbin/dnsmasq -x /run/dnsmasq/ -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service
Feb 02 22:50:29 unknown dnsmasq[346]: reading /etc/resolv.conf
Feb 02 22:50:29 unknown dnsmasq[346]: using nameserver
Feb 02 22:50:29 unknown dnsmasq[346]: read /etc/hosts - 2 addresses
Feb 02 22:50:30 unknown systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Feb 02 22:50:33 unknown dnsmasq[346]: reading /etc/resolv.conf
Feb 02 22:50:33 unknown dnsmasq[346]: using nameserver
Feb 02 22:52:10 unknown dnsmasq-dhcp[346]: DHCPDISCOVER(wlan0) a0:88:b4:e8:1e:ac
Feb 02 22:52:10 unknown dnsmasq-dhcp[346]: DHCPOFFER(wlan0) a0:88:b4:e8:1e:ac
Feb 02 22:52:10 unknown dnsmasq-dhcp[346]: DHCPREQUEST(wlan0) a0:88:b4:e8:1e:ac
Feb 02 22:52:10 unknown dnsmasq-dhcp[346]: DHCPACK(wlan0) a0:88:b4:e8:1e:ac

You should now be able to use your linux server as a wireless access point.
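The DHCPDISCOVER/OFFER/REQUEST/ACK lines in the dnsmasq status output are the quickest way to see which clients actually obtained a lease. As an added example (not from the original post), here is a small script that summarises those journal lines: one function lists the MAC addresses that received a DHCPACK on an interface, the other lists clients that sent a DHCPDISCOVER there but never completed the exchange. It assumes dnsmasq's usual log format, "DHCPACK(wlan0) <ip> <mac> [hostname]", and keys only on the message type, interface and MAC so the missing fields in the output above do not matter. The sample log is constructed; the first MAC is the one shown on the page.

```shell
#!/bin/sh
# Summarise DHCP activity from dnsmasq journal lines like those in the status output
# above. Added example, not from the original post. Assumes dnsmasq's usual log format
# "DHCPACK(wlan0) <ip> <mac> [hostname]" and keys only on message type, interface and MAC.

H='[0-9a-f][0-9a-f]'
MAC_RE="$H:$H:$H:$H:$H:$H"

# Print "<mac> <count>" for every client that received a DHCPACK on IFACE (log on stdin).
dhcp_acked_clients() {
    LC_ALL=C awk -v ifc="$1" -v re="$MAC_RE" '
        index($0, "DHCPACK(" ifc ")") && match($0, re) { acks[substr($0, RSTART, RLENGTH)]++ }
        END { for (m in acks) print m, acks[m] }
    ' | LC_ALL=C sort
}

# Print MACs that sent DHCPDISCOVER on IFACE but never received a DHCPACK there. Such
# clients usually mean dnsmasq could not offer an address (no dhcp-range for that
# interface, or the range is exhausted) or the client ignored the offer it was sent.
dhcp_unanswered_clients() {
    LC_ALL=C awk -v ifc="$1" -v re="$MAC_RE" '
        !match($0, re) { next }
        { mac = substr($0, RSTART, RLENGTH) }
        index($0, "DHCPDISCOVER(" ifc ")") { discovered[mac] = 1 }
        index($0, "DHCPACK(" ifc ")")      { acked[mac] = 1 }
        END { for (m in discovered) if (!(m in acked)) print m }
    ' | LC_ALL=C sort
}

# Constructed sample in the format of the status output above: the first MAC is the one
# shown on the page and renews once, the second completes one exchange, the third only
# ever discovers on wlan0 (its eth0 lease must not count for wlan0).
SAMPLE_LOG='Feb 02 22:52:10 unknown dnsmasq-dhcp[346]: DHCPDISCOVER(wlan0) a0:88:b4:e8:1e:ac
Feb 02 22:52:10 unknown dnsmasq-dhcp[346]: DHCPOFFER(wlan0) 192.168.4.20 a0:88:b4:e8:1e:ac
Feb 02 22:52:10 unknown dnsmasq-dhcp[346]: DHCPREQUEST(wlan0) 192.168.4.20 a0:88:b4:e8:1e:ac
Feb 02 22:52:10 unknown dnsmasq-dhcp[346]: DHCPACK(wlan0) 192.168.4.20 a0:88:b4:e8:1e:ac
Feb 02 23:10:05 unknown dnsmasq-dhcp[346]: DHCPREQUEST(wlan0) 192.168.4.20 a0:88:b4:e8:1e:ac
Feb 02 23:10:05 unknown dnsmasq-dhcp[346]: DHCPACK(wlan0) 192.168.4.20 a0:88:b4:e8:1e:ac
Feb 02 23:15:40 unknown dnsmasq-dhcp[346]: DHCPDISCOVER(wlan0) de:ad:be:ef:00:01
Feb 02 23:15:40 unknown dnsmasq-dhcp[346]: DHCPOFFER(wlan0) 192.168.4.21 de:ad:be:ef:00:01
Feb 02 23:15:40 unknown dnsmasq-dhcp[346]: DHCPREQUEST(wlan0) 192.168.4.21 de:ad:be:ef:00:01
Feb 02 23:15:40 unknown dnsmasq-dhcp[346]: DHCPACK(wlan0) 192.168.4.21 de:ad:be:ef:00:01 laptop
Feb 02 23:20:12 unknown dnsmasq-dhcp[346]: DHCPDISCOVER(wlan0) 02:11:22:33:44:55
Feb 02 23:21:00 unknown dnsmasq-dhcp[346]: DHCPACK(eth0) 10.0.0.9 02:11:22:33:44:55'

# Demo on the constructed log; on the access point pipe in: journalctl -u dnsmasq --no-pager
printf '%s\n' "$SAMPLE_LOG" | dhcp_acked_clients wlan0
printf '%s\n' "$SAMPLE_LOG" | dhcp_unanswered_clients wlan0
```

Comparing the acked list against the devices you expect to see on the wireless network is a cheap periodic check that nothing unknown has joined the access point.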

Note: Although we are using UFW to set up the rules, all network traffic other than DHCP requests and DNS queries is simply forwarded from the wireless interface to the LAN; no ports or protocols are blocked, so the device will not behave as a firewall.


If one of the services hasn’t started, running it interactively with the debug option may help identify what is going wrong:

dnsmasq -d

hostapd -d /etc/hostapd/hostapd.conf

Raspberry Pi is a trademark of the Raspberry Pi Foundation
