Building a WPA2 Protected Wireless Access Extender for Jogglers using Ubuntu 12.04

Shesh! What a lot of keywords in the title!

For those who don’t know what some of those key words were, I’ll break down the title

• Ubuntu is a Linux distribution, and 12.04 is the version number of the latest Long Term Stable version.
• Joggler is the name of a device sold by O2 a couple of years ago. It is a re-branded OpenPeak tablet.
• A Wireless Access Extender is a device like a WiFi enabled router, but it uses the same DHCP pool and should use the same SSID name and WPA2 passphrase.
• WPA2 is the latest incarnation of the WiFi security protocol. It is currently (at this time, as far as I know) uncracked, unlike WPA1 or WEP.

So, now that we know what I’m talking about, let’s look at what components we will be using today.

• An O2 Joggler. EBay lists them from between £30 and £100. They originally sold for around £100, but got popular when O2 dropped the price to £50. They are no longer available for sale from O2, hence EBay.
• A wired network connection. I’m using a pair of Ethernet over Power (or “HomePlug”) devices to let me position this device in a useful place in my house. I’ve had a lot of success with the 200M devices sold by 7DayShop.com, but if I were buying new today, I’d probably stretch up to the 500M devices, as they will be Half Duplex (like a narrow street permitting traffic only one way at a time), and will loose some data due to interference and “collisions” – where two devices on the Ethernet over Power “network” are talking at the same time. Ultimately, you won’t get the equivalent to 100M Full Duplex with the 200M devices, but should do with the 500M devices.
• A USB stick. This needs to be 4Gb or greater, but not all devices are suitable. I bought some 4Gb sticks from 7DayShop.com and found they only actually held around 3.5Gb… making them unsuitable. I bought three 8Gb sticks from 7DayShop.com, but only used one for this task!
• A Ubuntu 12.04 install. Actually, I used the Xubuntu 12.04 image, because I didn’t need everything that Ubuntu 12.04 gave me. This is a special non-official build of Xubuntu, customised for Joggler hardware and it’s touchscreen, and is what I’ll be moving all my Jogglers in the house to, eventually, however, the principals in making all of this stuff work will apply just as much to Ubuntu as it would Xubuntu – special build or not!
• Once installed, you’ll use a combination of VNC and SSH to manage your device, these will be through the X11VNC project and OpenSSH-Server. You should have an SSH client (for Linux/Mac, ssh should be fine, for Windows, use PuTTY) and a VNC client (for Ubuntu, I use Remmina, for Windows, I use TightVNC).

So, you’ve got all your goodies, and you’re ready to go. Let’s do this!

1. Transfer the Xubuntu image to the USB stick. This is a simple task, and is clearly documented on the site where I got the Xubuntu image from, and involves you copying the image directly to the USB stick, not to one of it’s partitions. It sounds complicated, it really isn’t.
2. Stick the Xubuntu stick into the side of the Joggler. Get used to that shape, as it’s going to be in the side of that from now on. This is because the Linux distribution needs more than the 1Gb that the Joggler holds internally.
3. Plug in the HomePlug device – make it as close to the wall as you can make it! I’ve had experience of it being three 4way plug strips away from the wall and it worked fine, but I’ve also had the same HomePlug only one 4way away, and it’s completely failed to work, and had to juggle all my sockets to get it plugged directly into the wall. I think it may be down to the number of “noisy” plugs in the same 4way, but I can’t be sure. Just experiment!
4. Plug your Ethernet cable between the HomePlug and the Joggler.
5. Power on the Joggler. It will start up with an O2 logo (or possibly an “OpenPeak” logo – depends on when the device was manufactured)  – sometimes either of these may corrupt or show with a big white block as it’s booting. Don’t worry too much about this, we’ll stay away from the boot screen as much as possible! :)
6. Once you get to a blue screen with icons on it – this is Xubuntu (well, actually XFCE4, but the semantics are moot really). Click on the blue spot in the top left corner of the screen – it may be a little fiddly – and select Ubuntu Software Centre.
7. Open the “Florence” keyboard – found by pressing the small grid icon near the clock in the top right corner of the screen. If you struggle with this keyboard (I did), you may find it easier to use the “OnBoard” keyboard, found through the applications menu (again, via the blue button in the top corner).
8. Select the Search box in the Software Centre and search for OpenSSH-Server. Click on the only entry which comes back (you need to search for the exact term) and then click install. While that’s installing, click on the two arrows icon in the top right corner, and select Connection Information. Make a note of the IP address you have received. Once it’s finished installing you can move away to something a little more comfortable to work on your Joggler!
9. SSH to your Joggler’s IP address – the username for the device is “joggler” and the password is also “joggler”. All of the following you’ll need to be root for. I always use the following line to become root:

   sudo su -

10. The wireless driver that is installed by default on the Jogglers don’t support “Master” mode – the mode you need to be a wifi access point or extender, so you’ll need to change the wireless driver. Thanks to this post, we know that you edit the file /etc/modprobe.d/joggler.conf and move the comment symbol (#) from before the line blacklist rt2870sta to the line blacklist rt2800usb. It should look like this after you’re done:

    # blacklist rt2800usb
    blacklist rt2870sta

11. We need to bridge the wlan0 and eth0 interfaces.
1. Install bridge-utils using apt-get install.
2. Now we’ll start to configure the bridge. Edit /etc/network/interfaces to create your bridge interfaces.

   auto lo
   iface lo inet loopback
   
   auto eth0
   iface eth0 inet manual
   
   auto wlan0
   iface wlan0 inet manual
       pre-up service hostapd start
       post-up brctl addif br0 wlan0
   
   auto br0
   iface br0 inet dhcp
       bridge_ports eth0 wlan0
       pre-up iptables-restore -c < /etc/iptables.rules
       post-down iptables-save -c > /etc/iptables.rules

   If you want to use a static IP address instead of a DHCP one, then change the last block (auto br0; iface br0 inet dhcp) to the following (this assumes your network is a 192.168.0/24 with .1 as your router to the outside world):

   auto br0
   iface br0 inet static
       bridge_ports eth0 wlan0
       address 192.168.0.2
       broadcast 192.168.0.255
       netmask 255.255.255.0
       gateway 192.168.0.1

3. Setup /etc/sysctl.conf to permit forwarding of packets. Find, and remove the comment symbol (#) from the line which looks like this:

   # net.ipv4.ip_forward = 1

4. Create your initial /etc/iptables.rules (this is based on details from this page) and then “restore” them using iptables.

   *filter
   :INPUT ACCEPT [0:0]
   :FORWARD ACCEPT [0:0]
   :OUTPUT ACCEPT [1:81]
   -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A FORWARD -m state --state INVALID -j DROP
   -A FORWARD -i wlan0 -o eth0 -j ACCEPT
   -A FORWARD -i eth0 -o wlan0 -j ACCEPT
   COMMIT

5. Check the iptables have restored properly by running iptables -L -v which should return the following data:

   # iptables -L -v
   Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination         
   
   Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination
       0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
       0     0 DROP       all  --  any    any     anywhere             anywhere             state INVALID
       0     0 ACCEPT     all  --  wlan0  eth0    anywhere             anywhere
       0     0 ACCEPT     all  --  eth0   wlan0   anywhere             anywhere            
   
   Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination

12. Now you’ve got a bridged interface, and your wifi adaptor is ready to go, let’s get the DHCP relay in and working right.
1. apt-get install dhcp3-relay
2. It’ll ask you where to forward the DHCP requests to – that is your current gateway – if you have your network as 192.168.0.0/24 with the gateway as .1, then it should be 192.168.0.1.
3. Next, it’ll ask which interfaces to listen on – this is br0.
4. The last screen asks for some options to configure – this is “-m forward” (without the quote marks).
13. Last thing to do, we need to configure something to listen on the wifi interface to provide the Access Point facility to your device. This is “hostapd”.
1. apt-get install hostapd
2. zcat /usr/share/doc/hostapd/examples/hostapd.conf.gz > /etc/hostapd/hostapd.conf
3. Edit /etc/hostapd/hostapd.conf replacing the following config items:

   FROM: # driver = hostapd
   TO:   driver = nl80211
   FROM: #country_code = US
   TO:   country_code = GB
   FROM: hw_mode = a
   TO:   hw_mode = g
   FROM: channel = 60
   TO:   channel = 12
   FROM: #ieee80211n = 1
   TO:   ieee80211n = 1
   FROM: #wpa = 1
   TO:   wpa = 2
   FROM: #wpa_passphrase=secret passphrase
   TO:   wpa_passphrase=MySecretPassword
   FROM: #wpa_pairwise = TKIP CCMP
   TO:   wpa_pairwise = TKIP CCMP

4. Edit /etc/default/hostapd amending the DAEMON_CONF line to show /etc/hostapd/hostapd.conf

Reboot, and your access point should come to life! Huzzah!! Initially it’ll have the SSID of “test” (it’s in /etc/hostapd/hostapd.conf as the config line “ssid = test”) but you should probably change it to the same SSID as your main router. If you do that, ensure your WPA passphrase is the same as your main router too, otherwise your network will get very confused!

So, now you’ve got an Access extender, running Ubuntu… what else could you do with it? Well, I run one of two things on all of mine – sqeezeplay or vlc monitoring a webcam. All very useful stuff, and stuff I was doing with it before it was an access extender!