Building the drone secure WAP VPN hub of activity

You’ve probably noticed me mentioning a TP-link powerline wireless access point (WAP) in my outdoor testing. It was the easiest way for me to get a decent WiFi signal outside the house. But it does require a direct connection to the house ring-main to forward the IP traffic to the broadband router. Good enough for testing, but useless for non-constrained live flying. I knew at some point I needed the drone to be a Wireless Access Point in its own right, but I’ve been dodging the bullet for a while for a couple of reasons.  Here’s

  1. The drone is a headless model A so there’s no ethernet link to connect to the drone once it’s a WAP – that means I need to get everything I need installed before I turn on the WAP
  2. The WAP will not have bridging to my broadband network; the drone will be using static IP addresses in its WLAN / VPN and will be secured; so again, another reason to get it right first time if at all possible
  3. My drone WiFi dongle uses the RealTek RTL8088 chipset which requires a modified host access point daemon (hostapd) and it’s only recently I’ve found a set of clear, concise, complete instructions how to set this up.

My aim here is to make the drone an isolated WAP (no access to the internet) which accepts secure client connections. The clients need to be assigned IP addresses in the drone private network, so the drone will run DHCP; the drone IP address will be static. Since internet access is not required, no bridging, NAT or DNS services will be provided by the drone.

The information below is based on this link and this link, but is customized to give exactly what the drone needs: a secure WLAN / VPN with no internet access using a statically configured (constant) IP address.

The starting point is a Raspberry Pi, model A, newly flashed with the latest (Jun ’13) wheezy image; WiFi is working as a client to the main WiFi broadband hub and has internet access.

  • login (pi, raspberry), and start up LXDE (startx)
  • open an LXTerminal window
  • type “ping www.google.com” just to be certain of your internet access
  • open Midori browser and head here as a useful reference when making the changes below
  • type “sudo apt-get install hostapd udhcpd” to install the WAP and DHCP daemons
  • type the following to replace the standard WAP daemon with the Realtek version:
    wget http://www.daveconroy.com/wp3/wp-content/uploads/2013/07/hostapd.zip
    unzip hostapd.zip 
    sudo mv /usr/sbin/hostapd /usr/sbin/hostapd.bak
    sudo mv hostapd /usr/sbin/hostapd.edimax 
    sudo ln -sf /usr/sbin/hostapd.edimax /usr/sbin/hostapd 
    sudo chown root:root /usr/sbin/hostapd 
    sudo chmod 755 /usr/sbin/hostapd
  • Configure the revised hostapd by creating /etc/hostapd/hostapd.conf “sudo vi /etc/hostapd/hostapd.conf” and add the following:
    interface=wlan0
    driver=rtl871xdrv
    ssid=MyWAPSSID
    channel=1
    wmm_enabled=0
    wpa=1
    wpa_passphrase=MyWAPPassphrase
    wpa_key_mgmt=WPA-PSK
    wpa_pairwise=TKIP
    rsn_pairwise=CCMP
    auth_algs=1
    macaddr_acl=0
  • Now to configure the WAP static IP address – “sudo vi /etc/network/interfaces”, replacing the existing entry for wlan0 with the following
    iface wlan0 inet static
    address 192.168.23.1
    netmask 255.255.255.0
  •  In the same file, comment out (# at the start of the line) the following if present
    #allow-hotplug wlan0
    #wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
    #iface default inet dhcp
  • We next need to configure dhcp for the clients accessing the network to  provide their IP addresses – edit /etc/udhcpd.conf adding:
    start 192.168.23.2 # This is the range of IPs that the hotspot will give to client devices.
    end 192.168.23.20
    interface wlan0 # The device uDHCP listens on.
    remaining yes
    opt domain local
    # opt dns 8.8.8.8 4.2.2.2 # The DNS servers client devices will use.
    opt subnet 255.255.255.0
    opt router 192.168.23.1 # The Pi's IP address on wlan0 which we have set up.
    opt lease 864000 # 10 day DHCP lease time in seconds

    Note the dhcp address range starts at 192.168.23.20 allowing some space for static addresses 1 – 19.

  • In the same file, delete or comment out “#” any other lines as these are just example settings.
  • Enable dhcp by editing /etc/default/udhcpd thus to comment out the line
    #DHCPD_ENABLED="no"
  • Add the dhcp leases file by typing
    sudo touch /var/lib/misc/udhcpd.leases
    sudo chmod 666 /var/lib/misc/udhcpd.leases
  • Enable hostapd by editing /etc/default/hostapd thus, adding
    DAEMON_CONF="/etc/hostapd/hostapd.conf"
  • Now at this point, you should be ready for a reboot, but when I did that, although other devices could see and connect to my WAP, dhcp was not assigning IP addresses and whatever I did failed – so I abandoned dhcp for the moment, and assigned static IP addresses for the various clients I was going to use to access the drone thus…
  • edit /etc/hostname to ensure the domain name is included – in my case, the domain is called local, and the hostname is wappi, so /etc/hosts reads
    wappi.local
  • Strike this – DHCP problem solved below: Next assign static IP address for the server in /etc/hosts
    192.168.23.1 wappi wappi.local
  • Turn off the ifplugd (pluggable interface daemon) for the WiFi dongle as it seems to cause conflict between hostapd and udhcpd – edit /etc/default/ifplugd
    # This file may be changed either manually or by running dpkg-reconfigure.
    #
    # N.B.: dpkg-reconfigure deletes everything from this file except for
    # the assignments to variables INTERFACES, HOTPLUG_INTERFACES, ARGS and
    # SUSPEND_ACTION.  When run it uses the current values of those variables
    # as their default values, thus preserving the administrator's changes.
    #
    # This file is sourced by both the init script /etc/init.d/ifplugd and
    # the udev script /lib/udev/ifplugd.agent to give default values.
    # The init script starts ifplugd for all interfaces listed in
    # INTERFACES, and the udev script starts ifplugd for all interfaces
    # listed in HOTPLUG_INTERFACES. The special value all starts one
    # ifplugd for all interfaces being present.
    INTERFACES=""
    HOTPLUG_INTERFACES=""
    ARGS="-q -f -u0 -d10 -w -I"
    SUSPEND_ACTION="stop"
  • Finally (and I don’t know if this was necessary), update /etc/resolv.conf to use local domain name resolution rather than relying on an external DNS
    domain local
    search local
    nameserver 192.168.1.254
  • Check, double check, and triple check that you’ve done all the above steps, and then finally
     sudo reboot
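
The hostapd.conf step above sets wpa=1, which enables only the original WPA with TKIP; rsn_pairwise=CCMP is a WPA2 setting and only takes effect when wpa is 2 or 3. The shell check below is an added example, not part of the original post, that flags this and related weaknesses and runs the as-posted settings beside a WPA2/CCMP-only variant; audit_hostapd, MIN_PASS_LEN and both sample files are constructed for illustration.

```shell
# Added example: flag weak WPA settings in a hostapd.conf (names are constructed).

MIN_PASS_LEN=12   # assumed local policy; hostapd itself accepts 8..63 chars

# Print the value of key $2 in file $1 (last assignment wins).
conf_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Print one line per finding; the return status is the number of findings.
audit_hostapd() {
    n=0
    wpa=$(conf_get "$1" wpa); wpa=${wpa:-0}
    pass=$(conf_get "$1" wpa_passphrase)
    # hostapd uses wpa_pairwise for WPA2 too when rsn_pairwise is not set
    rsn=$(conf_get "$1" rsn_pairwise); rsn=${rsn:-$(conf_get "$1" wpa_pairwise)}
    case $wpa in
        0) echo "OPEN: wpa unset or 0, no encryption"; n=$((n+1)) ;;
        1) echo "WPA1-ONLY: wpa=1 is WPA/TKIP only, rsn_pairwise is ignored"
           n=$((n+1)) ;;
        3) echo "MIXED: wpa=3 still admits WPA1 clients"; n=$((n+1)) ;;
        2) ;;
        *) echo "INVALID: wpa=$wpa"; n=$((n+1)) ;;
    esac
    case $wpa in 2|3)   # WPA2 enabled: TKIP must not be an RSN cipher
        case " $rsn " in *" TKIP "*)
            echo "TKIP: WPA2 pairwise ciphers include TKIP"; n=$((n+1)) ;;
        esac ;;
    esac
    if [ "$wpa" != 0 ] && [ "${#pass}" -lt "$MIN_PASS_LEN" ]; then
        echo "PASSPHRASE: shorter than $MIN_PASS_LEN characters"; n=$((n+1))
    fi
    return "$n"
}

demo_dir=$(mktemp -d)
# Excerpt of the settings as posted above (security-relevant keys only).
cat > "$demo_dir/as_posted.conf" <<'EOF'
ssid=MyWAPSSID
wpa=1
wpa_passphrase=MyWAPPassphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
EOF
# Hardened variant (constructed): WPA2 only, CCMP only.
sed -e 's/^wpa=1$/wpa=2/' -e '/^wpa_pairwise=/d' \
    "$demo_dir/as_posted.conf" > "$demo_dir/hardened.conf"
for c in as_posted hardened; do
    echo "== $c.conf"; audit_hostapd "$demo_dir/$c.conf" || echo "   findings: $?"
done
```
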

Because there’s no internet connection, there’s no DNS available, so the clients for the WAP need the WAP static IP address added to /etc/hosts:

192.168.23.1       wappi.local

Now that this works on my test WAP RPi, I still have a few steps remaining:

  • These instructions are for the Edimax Nano USB dongle – EW-7811Un (Realtek RTL8188CUS chipset) and that’s what I tested. But the drone uses a different RealTek device so I need to test that on wappi first. Strike that: both the Edimax Nano dongle and the EDUP MS-15003 dongles work successfully as WAPs with the modified hostapd listed above.
  • Once that’s working, I need to follow my own instructions to get the WAP onto the drone itself. Strike that – all working as of this morning following my own blog details
  • And I’d better make sure the drone is set up as an FTP server / daemon as that’s the only way to transfer files to it once it’s a private WAP – I could use a USB stick, but since it’s a model A, that means unplugging the WiFi dongle. Strike that, I’ll use a USB drive or connect to a different network when I need updates. Strike 2 – I installed the FTP server so clients can FTP into the drone, as the clients also have internet access.

When later you wish to update the RPi software, you’ll need to add an ethernet interface.  First, get a USB to Ethernet dongle – I use one by Pluggable which worked out of the box.  Then you need to re-enable the interface pluggable daemon:

# This file may be changed either manually or by running dpkg-reconfigure.
#
# N.B.: dpkg-reconfigure deletes everything from this file except for
# the assignments to variables INTERFACES, HOTPLUG_INTERFACES, ARGS and
# SUSPEND_ACTION.  When run it uses the current values of those variables
# as their default values, thus preserving the administrator's changes.
#
# This file is sourced by both the init script /etc/init.d/ifplugd and
# the udev script /lib/udev/ifplugd.agent to give default values.
# The init script starts ifplugd for all interfaces listed in
# INTERFACES, and the udev script starts ifplugd for all interfaces
# listed in HOTPLUG_INTERFACES. The special value all starts one
# ifplugd for all interfaces being present.
INTERFACES="all"
HOTPLUG_INTERFACES="auto"
ARGS="-q -f -u0 -d10 -w -I"
SUSPEND_ACTION="stop"

You may also need to update /etc/hostname if there is a domain name specified like phoebe.local, rather than just the machine name.

You will probably also need to update /etc/hosts to remove the WAP host phoebe.local.

Connect an ethernet cable to your hub, and a reboot then should give you internet access – ping www.google.co.uk to check. From there you can do a “sudo apt-get update && sudo apt-get upgrade”. Then reboot, revert /etc/default/ifplugd to

# This file may be changed either manually or by running dpkg-reconfigure.
#
# N.B.: dpkg-reconfigure deletes everything from this file except for
# the assignments to variables INTERFACES, HOTPLUG_INTERFACES, ARGS and
# SUSPEND_ACTION.  When run it uses the current values of those variables
# as their default values, thus preserving the administrator's changes.
#
# This file is sourced by both the init script /etc/init.d/ifplugd and
# the udev script /lib/udev/ifplugd.agent to give default values.
# The init script starts ifplugd for all interfaces listed in
# INTERFACES, and the udev script starts ifplugd for all interfaces
# listed in HOTPLUG_INTERFACES. The special value all starts one
# ifplugd for all interfaces being present.
INTERFACES=""
HOTPLUG_INTERFACES=""
ARGS="-q -f -u0 -d10 -w -I"
SUSPEND_ACTION="stop"

Re-add the WAP domain into /etc/hostname if you changed it previously. Likewise add back into /etc/hosts the WAP local address (192.168.69.1  phoebe.local phoebe).

Unplug the ethernet dongle and reboot. All should be back to how it was before with just the WAP.

17 thoughts on “Building the drone secure WAP VPN hub of activity”

  1. Hey great tutorial my man!

    You may want to add the updated HOSTAPD to the tutorial since I only got it to work after installing that. Fortunately it was at the top of the comments and I spotted it 😀

    I tried to SSH into the pi, added my username to /etc/hosts and still nothing, any other ideas?

    Also (I’m very uninitiated into this world), is there any way of assigning IP addresses to devices that access the pi? For my application this would make things simpler (going to have technologically illiterate people hopefully accessing this WAP).

    Thanks again!!!
    Zach

    • I thought the instructions included how to install the new driver; I’ll have a look to check, thanks.

      You don’t need your username for /etc/hosts – it’s the remote host’s name (the RPI name) and its IP address.

      Last bit’s easiest: in /etc/hosts, you add your Raspberry Pi IP address and name. /etc/hosts exists for Windows as well as Linux systems; it’s just well hidden.

  2. I have a ground based robot, but I want to do the same thing you are doing with your drone.

    Your instructions are the third set I have tried. The ones I found on adafruit lead to a connection that times out. The ones on daveconroy.com work fine to make the Raspberry Pi a router, but don’t work when the wired connection is not present.

    I think I followed your instructions correctly. But when I first boot the RPi, wlan0 doesn’t have its static IP address when I run ifconfig. I manually started it with sudo ifup wlan0 and now I see the IP, but I cannot connect to the network. My laptop and a desktop see the network, but they cannot connect to it. I have an Edimax tiny USB dongle. My laptop is a MacBook and my desktop is running Ubuntu. Neither can connect.

    Any suggestions on how to debug this?

      • One other thought – I do configure the static IP address on my clients: in my case my iPad mini and some other Raspberry Pis (in /etc/hostnames). I assume it’s a DNS / DHCP problem, but I never bothered sorting it out as the static IP config in the clients worked.

  4. This is a great tutorial, thanks for posting. Did you ever try running the camera and record videos while flying at the same time? Thanks.

  5. Hi,
    I’m having the same problem as Corey. I can connect to the raspberry pi by assigning static IP addresses to my clients (192.168.23.2), but for some reason when I try and ssh to the pi using 192.168.23.1 as the IP it can’t find it.
    Please Help!!!

    • I don’t assign IP addresses to the clients – I use DHCP on the Raspberry Pi WAP to choose those.

      If you do use static IP for the clients, you may need to add the clients to /etc/hosts – I’m only guessing though as this isn’t how I have it working.

      When you’ve connected your PC / laptop to the RPi WAP, can you ping 192.168.23.1 from your PC / laptop?

  6. Hi, I have followed all of the steps exactly, and I can connect to my pi. When I try to SSH into it though, it cannot find my pi… I connect my laptop to my pi, and try to ping the IP address, but still no response. Do I need any additional modules or a different client? I’m currently using Putty. Please help!

    • Putty should work fine, but you need to make sure your laptop is connected to the WAP network, not your internet hub or other WiFi network.

      Other than that, sorry, I don’t have any other ideas.

  7. ..drop BS ftp, if you have ssh, you have scp too, try “scp” on your cli, e.g.
    ‘scp -r NOOBS arnt@192.168.1.169:/home/arnt/ ‘, “ftps” my NOOBS tree
    to 192.168.1.169:/home/arnt/ , and I also use passwd-free ssh keys. ;o)

    • That’s the plan when I get round to adding a Radio Control. The quadcopter will be the server listening in for connections, the RC will connect in over a TCP socket to pass joystick command to the quad. I’ve got the kit I need, and some of the code too, but that’s on hold until the quad flies completely stably – she’s nearly there now.

      The reason for adding the WAP is so the two can talk to each other when out of range of household WiFi access.
