How To use WiFi as LAN interface on Raspberry Pi

Introduction

When using Rasberry PI as a vGateway device, you may use a built WiFi card to create a WiFi Access point. This procedure requires modification of image created for Ecosystem you by Wedge.

Prerequisites

1. Existing and configured Ecosystem
2. Configured Gateway
3. Basic knowledge about Unix configuration.

How-To

1. Generate an image for your Raspberry device and install it on your device - check how to do it

2. Log in to the device.

3. Update system and install Hostpad

   sudo apt-get update -y
   sudo apt-get install -y hostapd

4. Go to /etc/hostapd/ and check dose the file hostapd.conf exist. Edit it by adding config of your Access Point:

   interface=wlan0 
   ssid=acreto
   hw_mode=g
   channel=1
   wmm_enabled=0
   macaddr_acl=0
   auth_algs=1
   ignore_broadcast_ssid=0
   wpa=2
   wpa_passphrase=acreto#1234
   wpa_key_mgmt=WPA-PSK
   wpa_pairwise=TKIP
   rsn_pairwise=CCMP

5. Go to /etc/ipsec.d/ adn create the ipsec-leftupdown.sh file withe this content:

   #! /bin/bash
   
   #  This script creates a new vti interface and adds routes based on data passed from Strongswan.
   #  To use, add to "conn..." section of ipsec config file:
   #    leftupdown=/path/to/ipsec-leftupdown.sh
   
   set -o nounset
   set -o errexit
   
   VTI_IF="vti-${PLUTO_CONNECTION:0:10}"
   VTI_IF="${VTI_IF/./}"
   
   # Create run directory
   RUNDIR=/var/run/acreto ; mkdir -p $RUNDIR
   
   # Read configuration from config file
   
   networks_right=''
   if [ -f /etc/ipsec.d/$PLUTO_CONNECTION.route ] ; then
     networks_right=`cat /etc/ipsec.d/$PLUTO_CONNECTION.route`
   else
       echo WARN: Routing info file /etc/ipsec.d/$PLUTO_CONNECTION.route not found
   fi
   
   # Determine gateway to use to reach ${PLUTO_PEER}
   function detectGateway {
      # Find a route with a 'via' address
      local gateway=""
   
   
      # Start with default route
      # Note that we exclude gateways that are on vti- devices
      [ -z "$gateway" ] &&  gateway=`ip route show default | grep -v 'dev vti-'  | egrep -o1 'via (([0-9]{1,3}.){3}[0-9]{1,3})' | head -1 |cut -d' ' -f2  `
   
      # Try 'ip route get'
      # It's not first rule because it doesn't survive link change
      [ -z "$gateway" ] && gateway=`ip route get $1 | grep -v 'dev vti-' | egrep -o 'via (([0-9]{1,3}.){3}[0-9]{1,3})' |cut -d' ' -f2`
   
      # Fallback to a previously detected gateway
      [ -z "$gateway" ] && gateway=`cat $RUNDIR/local-gateway.conf` || true
   
      # Save detected gateway
      [ ! -z "$gateway" ] && echo $gateway > $RUNDIR/local-gateway.conf
   
      echo $gateway
   }
   
   set -x
   
   gateway=`detectGateway  ${PLUTO_PEER}`
   
   case "${PLUTO_VERB}" in
      up-client)
         if ip tunnel show "${VTI_IF}" ; then
            op=change
         else
            op=add
         fi
   
         ip tunnel $op "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
               okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
         ip link set "${VTI_IF}" up
         sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
   iptables -t nat -F
   iptables -t mangle -F
   iptables -F
   iptables -X
   
         for net in $networks_right ; do
               if [ $net == '0.0.0.0/0' ] ; then
                  # Ensure that PEER is always accessible if we set up default route (and ignore errors)
                  [ ! -z "$gateway" ] && ip route replace ${PLUTO_PEER} via $gateway || true
                  # Ensure we don't have any other default gateway defined
                  while ip route show default|grep -q default ; do
                     ip route del default
                  done
               fi
               ip route add $net dev ${VTI_IF}
         done
         ;;
      down-client)
         # Ensure that PEER is always accessible if we set up default route (and ignore errors)
         [ ! -z "$gateway" ] && ip route replace ${PLUTO_PEER} via $gateway || true
   
         # Nothing else to do here:
         # 1. We don't delete the tunnel interface and routing setup because it causes connection reset, as down-client is called whenever a connectionis renegotiated, and it makes apps (like mtr) break.
         # 2. We also don't remove the specific route to our gateway to be able to re-establish the connection.
         # 3. We also don't recover the default gateway, as we want to block all traffic if the tunnel is down.
         ;;
   esac

6. Go to /etc/netplan/ and check does the 50-acreto.yaml file (or common) exist. Edit it by adding Access Point configuration:

   network:
   version: 2
   +  renderer: NetworkManager
   ethernets:
      eth0:
         dhcp4: yes
   +  wifis:
   -  eth1:
   +    wlan0:
         addresses:
         - 10.153.250.1/29
   +      dhcp4: true
   +      optional: true
   +      access-points:
   +        "acreto":
   +          password: "acreto#1234"
   +          mode: ap

7. After all of the modifications content of the folder should look like this:

   Custom /boot/firmware/strongswan.zip contents
   ❯ tree custom
   custom
   └── etc
      ├── default
      │   └── hostapd               <-- added one line
      ├── hostapd
      │   └── hostapd.conf         <-- all WiFi settings
      ├── ipsec.d
      │   ├── 402fd2ced4.conf
      │   ├── 402fd2ced4.route
      │   └── ipsec-leftupdown.sh  <-- added iptables commands to flush rules
      ├── ipsec.secrets
      ├── netplan
      │   └── 50-acreto.yaml      <-- added configuration for ap mode and IP
      └── sysctl.d
         └── 10_ac_ip_forward.conf

8. Restart the device to provide all of the changes.

9. Try to connect to the acreto wifi network using acreto#1234 as a password.

Summary

After the device restart, you should be able to connect to the Acreto WiFi network. All traffic will go thru the Ecosystem and should be visible in logs.