Giving away public Wifi with DD-WRT and VPN

Cliff Notes for setting up a public (unencrypted) wifi hotspot to give free internet to guests with minimal risk to “your” network.

Sometimes it’s nice to give people free wifi, especially if you have more bandwidth than you normally use. However, you don’t want random people being able to access your network (or their random network activity to be traced TO your network….) This is my set of notes for how to set up a 2nd wifi router (which must support the DD-WRT firmware) to act as a free wifi hotspot for untrusted guests.

Install DD-WRT on a router with two radios (just about any dual band 5 GHz / 2.4 GHz router will have dual radios….) You might want to change the default IP from 192.168.1.0 to 192.168.2.0 if “your” network router is already using the default.

Configure the 5 GHz radio as a “Client” to access “your” network via encrypted wifi.
Wireless -> Wireless Mode -> Client (Wireless -> Wireless Security -> your wifi’s password)
This gets bandwidth (sweet sweet internet) to the router you are setting up. Once you do this, a device plugged into the ethernet ports on the router should be able to get internet access. (This could also be useful as an ethernet-to-wifi bridge for devices that only have ethernet ports….)

Optional Management AP
Configure the 2.4 GHz radio as an AP. If it supports virtual interfaces, I recommend using the main 2.4 GHz radio as your “administration connection” with an encrypted wifi that will allow you to access the router’s configuration website (192.168.2.1) remotely; otherwise, you’ll have to plug an ethernet cable in to access it, because we are going to block the 192.168.2.1 network from the freeloading guests.
(If your 2.4 GHz radio doesn’t support virtual APs, you will need to use it as the main guest AP, see below.)

Guest AP
Configure a virtual access point (if supported) with no wireless security/password (completely open!), but under the advanced settings checkbox, enable the following:
- AP Isolation (so the freeloaders can’t see/snoop on each other’s traffic)
- Network Configuration: Unbridged (so they can’t get to the rest of the router)
- Masquerade / NAT: Enabled (so they can get internet)
- Net Isolation: Enabled (keeps them away from other parts of the router)
- IP Address: 172.16.1.1 (put them on a different network from the router)
- Netmask: 255.255.255.0 (a different network with at most 254 usable client addresses)

Guest DHCP
Then, to give your freeloaders DHCP service, under Setup -> Networking scroll all the way to the bottom and set up the Multiple DHCP Server on your (virtual AP) interface, which should show the same IP/netmask 172.16.1.1/255.255.255.0, to give out 50 or so IP addresses.

Unknown Traffic via a VPN
To make sure that the sketchy people in the park don’t do anything that might get traced back to YOUR network, you should probably run all their traffic through a VPN service.
Use Services -> VPN -> OpenVPN Client to set that up.

Make sure to include a “VPN Kill-switch” so that if the VPN goes down, the freeloaders get zero internet access….
For me, that was in Administration -> Commands -> Firewall commands:

```sh
# VPN Killswitch: people on this router can't get out to the internet except via the VPN.
# -I puts each rule at the top of FORWARD, ahead of DD-WRT's own forwarding rules.
# The VPN's tun interface is not matched by -o $WAN_IF, so tunnelled traffic still passes.
# Note: the guest AP above is unbridged, so it is not part of br0; if the rules
# below don't catch guest traffic, use the guest interface's own name for -i
# (or drop -i so every forwarded packet is covered).
WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
# iptables has no "udp-reset" reject type; answer UDP with ICMP port-unreachable instead.
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable
```

And finally, you don’t want people on the guest wifi to be able to access YOUR network, so we need to reject all packets going out to the default interface (don’t worry, the VPN still gets through when it’s up….)

```sh
# Keep people on this router from accessing the upstream local network.
# Find the interface of the current default route (the client radio toward your LAN).
# The field after "dev" is taken explicitly, so a trailing "metric" or "src" field
# does not break the match. An OpenVPN client pushed "redirect-gateway def1" adds
# 0.0.0.0/1 and 128.0.0.0/1 routes instead of replacing the default route, so this
# still finds the physical interface rather than the tunnel.
WAN_IF2="$(ip route | awk '/^default/ { for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }')"
# No -i here: drop everything forwarded out that interface, whatever it came in on.
iptables -I FORWARD -o $WAN_IF2 -j DROP
```


Bandwidth Limiting

Turn on Quality of Service (NAT/QoS -> QoS) with only as much bandwidth as you are willing to give away (7000 kbps down and 1000 kbps up is a reasonably generous amount if you have a cable modem). This stops the freeloaders from taking over the majority of your internet connection.

Testing

After you set this all up, connect to the guest network and verify your IP address is in the 172.16.1.x range. Go to “whatismyip.com” or similar to verify your traffic is routed via the VPN. Run an internet speed test to confirm that the QoS settings are properly restricting the maximum bandwidth usage.
Ping a public website like www.google.com or www.ford.com to make sure that your ping command is working.
Try to ping your upstream router (192.168.1.1, or whatever yours uses) and/or computers on the upstream local network to confirm that guests can’t access your local network.

More Reading:
Here are the guides that I used and recommend:
How to set up guest wifi securely: https://wiki.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners

How to set up OpenVPN: https://support.nordvpn.com/Connectivity/Router/1047410342/DD-WRT-setup-with-NordVPN.htm
