- Notifications
You must be signed in to change notification settings - Fork174
Set Linux as router in one command. Support Internet sharing, redsocks, Wifi hotspot, IPv6. Can also be used for routing VM/containers 🛰️
License
garywill/linux-router
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Set Linux as router in one command. Able to provide Internet, or create WiFi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers.
It wrapsiptables,dnsmasq etc. stuff. Use in one command, restore in one command or bycontrol-c (or even by closing terminal window).
More tools and projects 🛠️ |🍻 Buy me a coffee ❤️
Basic features:
- Create a NATed sub-network
- Provide Internet
- DHCP server (and RA)
- Specify what DNS the DHCP server assigns to clients
- DNS server
- Specify upstream DNS (kind of a plain DNS proxy)
- IPv6 (behind NATed LAN, like IPv4)
- Creating WiFi hotspot:
- Wifi 3/4/5/6
- 2.4GHz, 5GHz
- Channel selecting
- Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption
- Create AP on the same interface you are getting Internet (Need hardware support. Usually require same channel)
- Transparent proxy (redsocks)
- Transparent DNS proxy (hijack port 53 packets)
- Detect and prevent interference from following Linux system daemons:
- NetworkManager (handle interface (un)managed status)
- firewalld (use temporary
trustedzone)
- Instances managing. You can run multiple instances, to create different sub-networks.
For many other features, see belowCLI usage
Internet----(eth0/wlan0)-Linux-(wlanX)AP |--client |--client InternetWiFi AP(no DHCP) | |----(wlan1)-Linux-(eth0/wlan0)------ | (DHCP) |--client |--client Internet Switch | |---(eth1)-Linux-(eth0/wlan0)-------- |--client |--clientInternet----(eth0/wlan0)-Linux-(eth1)------Another PCInternet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container1-file-script. Release onLinux-router repo on Github. Just download and run the bash script (meet the dependencies). In this case use without installation.
I'm currently not packaging for any distro. If you do, open a PR and add the link (can be with a version badge) to list here
| Linux distro | |
|---|---|
| Any | download1-file-script and run without installation |
- bash
- procps or procps-ng
- iproute2
- dnsmasq
- iptables (or nftables with
iptables-nfttranslation linked) - WiFi hotspot dependencies
- hostapd
- iw (or iwconfig, when iw can not recognize adapter)
- haveged (optional)
- crda and wireless-regdb (optional)
sudo lnxrouter -i eth1
no matter which interface (other thaneth1) you're getting Internet from.
sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase
no matter which interface you're getting Internet from (even fromwlan0). Will create virtual Interfacex0wlan0 for hotspot.
Clients access Internet through onlyisp5
sudo lnxrouter -i eth1 -o isp5 --no-dns --dhcp-dns 1.1.1.1 -6 --dhcp-dns6 [2606:4700:4700::1111]
In this case of usage, it's recommended to:
- Stop serving local DNS
- Tell clients which DNS to use (ISP5's DNS. Or, a safe public DNS, like above example)
sudo lnxrouter -n -i eth1
sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase
Create a bridge
sudo brctl addbr lxcbr5
In LXC containerconfig
lxc.network.type = vethlxc.network.flags = uplxc.network.link = lxcbr5lxc.network.hwaddr = xx:xx:xx:xx:xx:xxsudo lnxrouter -i lxcbr5
All clients' Internet traffic go through, for example, Tor (notice this example is NOT an anonymity use)
sudo lnxrouter -i eth1 --tp 9040 --dns 9053 -g 192.168.55.1 -6 --p6 fd00:5:6:7::
Intorrc
TransPort 192.168.55.1:9040 DNSPort 192.168.55.1:9053TransPort [fd00:5:6:7::1]:9040 DNSPort [fd00:5:6:7::1]:9053Warn: Tor's anonymity relies on a purpose-made browser. Using Tor like this (sharing Tor's network to LAN clients) will NOT ensure anonymity.
Although we use Tor as example here, Linux-router does NOT ensure nor is NOT aiming at anonymity.
To not give our infomation to clients. Clients can still access Internet.
sudo lnxrouter -i eth1 \ --tp 9040 --dns 9053 \ --random-mac \ --ban-priv \ --catch-dns --log-dns# optionalLinux-router comes with no warranty. Use on your own risk
Create a bridge
sudo brctl addbr lxdbr5
Create and add a new LXD profile overriding container'seth0
lxc profile create profile5lxc profile edit profile5### profile content ###config: {}description:""devices: eth0: name: eth0 nictype: bridged parent: lxdbr5 type: nicname: profile5lxc profile add<container> profile5
sudo lnxrouter -i lxdbr5 --tp 9040 --dns 9053
To remove that new profile from container
lxc profile remove<container> profile5
Add neweth0 to container overriding defaulteth0
lxc config device add<container> eth0 nic name=eth0 nictype=bridged parent=lxdbr5
To remove the customizedeth0 to restore defaulteth0
lxc config device remove<container> eth0
In VirtualBox's global settings, create a host-only networkvboxnet5 with DHCP disabled.
sudo lnxrouter -i vboxnet5 --tp 9040 --dns 9053
Create a bridge
sudo brctl addbr firejail5
sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053 firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd
Firejail's/etc/resolv.conf doesn't obtain DNS from DHCP, so we need to assign.
nscd is domain name cache service, which shouldn't be accessed from in jail here.
Usage: lnxrouter <options>Options: -h, --help Show this help --version Print version number -i <interface> Interface to make NATed sub-network, and to provide Internet to (To create WiFi hotspot use '--ap' instead) -o <interface> Specify an inteface to provide Internet from. (Note using this with default DNS option may leak queries to other interfaces) -n Do not provide Internet --ban-priv Disallow clients to access my private network -g <ip> This host's IPv4 address in subnet (mask is /24) (example: '192.168.5.1' or '5' shortly) -6 Enable IPv6 (NAT) --no4 Disable IPv4 Internet (not forwarding IPv4). Usually used with '-6' --p6 <prefix> Set IPv6 LAN address prefix (length 64) (example: 'fd00:0:0:5::' or '5' shortly) Using this enables '-6' --dns <ip>|<port>|<ip:port> DNS server's upstream DNS. Use ',' to seperate multiple servers (default: use /etc/resolv.conf) (Note IPv6 addresses need '[]' around) --no-dns Do not serve DNS --no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA) --catch-dns Transparent DNS proxy, redirect packets(TCP/UDP) whose destination port is 53 to this host --log-dns Show DNS query log (dnsmasq) --dhcp-dns <IP1[,IP2]>|no Set IPv4 DNS offered by DHCP (default: this host). --dhcp-dns6 <IP1[,IP2]>|no Set IPv6 DNS offered by DHCP (RA) (default: this host) (Note IPv6 addresses need '[]' around) Using both above two will enable '--no-dns' --hostname <name> DNS server associate this name with this host. Use '-' to read name from /etc/hostname -d DNS server will take into account /etc/hosts -e <hosts_file> DNS server will take into account additional hosts file --dns-nocache DNS server no cache --mac <MAC> Set MAC address --random-mac Use random MAC address --tp <port> Transparent proxy, redirect non-LAN TCP and UDP(not tested) traffic to port. (usually used with '--dns') WiFi hotspot options: --ap <wifi interface> <SSID> Create WiFi access point -p, --password <password> WiFi password --qr Show WiFi QR code in terminal (need qrencode) --hidden Hide access point (not broadcast SSID) --no-virt Do not create virtual interface Using this you can't use same wlan interface for both Internet and AP --virt-name <name> Set name of virtual interface -c <channel> Specify channel (default: use current, or 1 / 36) --country <code> Set two-letter country code for regularity (example: US) --freq-band <GHz> Set frequency band: 2.4 or 5 (default: 2.4) --driver Choose your WiFi adapter driver (default: nl80211) -w <WPA version> '2' for WPA2, '1' for WPA, '1+2' for both (default: 2) --psk Use 64 hex digits pre-shared-key instead of passphrase --mac-filter Enable WiFi hotspot MAC address filtering --mac-filter-accept Location of WiFi hotspot MAC address filter list (defaults to /etc/hostapd/hostapd.accept) --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd --isolate-clients Disable wifi communication between clients --sta-timeout <seconds> Timeout to disconnect a no-signal client --no-haveged Do not run haveged automatically when needed --hs20 Enable Hotspot 2.0 WiFi 4 (802.11n) configs (2.4G/5GHz): (default: not enable) --wifi4 Enable IEEE 802.11n (HT, High Throughput) --ht-capab <HT caps> HT capabilities (example: '[HT40+][DSSS_CCK-40]') (default: '[HT40+]') --req-wifi4 Only support Wifi>=4 clients WiFi 5 (802.11ac) configs (5GHz): (default: not enable) --wifi5 Enable IEEE 802.11ac (VHT, Very High Thoughtput) --vht-capab <VHT caps> VHT capabilities (example: '[VHT160][RXLDPC]') --vht-ch-width <index> Index of VHT channel width: 0 for 20MHz or 40MHz (default) 1 for 80MHz 2 for 160MHz 3 for 80+80MHz (Non-contigous 160MHz) --vht-seg0-ch <channel> Channel index of VHT center frequency for primary segment. Use with '--vht-ch-width' --vht-seg1-ch <channel> Channel index of VHT center frequency for secondary (second 80MHz) segment. Use with '--vht-ch-width 3' --req-wifi5 Only support Wifi>=5 clients WiFi 6 (802.11ax) configs (2.4G/5GHz): (default: not enable) --wifi6 Enable IEEE 802.11ax (HE, High Efficiency) --he-ch-width <index> Index of HE channel width: 0 for 20MHz or 40MHz (default) 1 for 80MHz 2 for 160MHz 3 for 80+80MHz (Non-contigous 160MHz) --he-seg0-ch <channel> Channel index of HE center frequency for primary segment. Use with '--he-ch-width' --he-seg1-ch <channel> Channel index of HE center frequency for secondary (second 80MHz) segment. Use with '--he-ch-width 3' --he-su-bfe HE Single User Beamformee support --he-su-bfr HE Single User Beamformer support --he-mu-bfr HE Multi User Beamformer support --req-wifi6 Only support Wifi>=6 clients --p2ptwt Peer-to-Peer Target Wake Time support Note: Some cutting-edge Wifi features strongly depends on hostapd built with specific flags enabled and compatible hardware Instance managing: --daemon Run in background --keep-confdir Don't delete the temporary config dir after exit -l, --list-running Show running instances --lc, --list-clients <id|interface> List clients of an instance. Or list neighbors of an interface, even if it isn't handled by us. (passive mode) --stop <id> Stop a running instance For <id> you can use PID or subnet interface name. You can get them with '--list-running'On exit of a linux-router instance, scriptwill do cleanup, i.e. undo most changes to system. Though,some changes (if needed) willnot be undone, which are:
/proc/sys/net/ipv4/ip_forward = 1and/proc/sys/net/ipv6/conf/all/forwarding = 1- dnsmasq in Apparmor complain mode
- hostapd in Apparmor complain mode
- Kernel module
nf_nat_pptploaded - The wifi device which is used to create hotspot is
rfkill unblocked - WiFi country code, if user assigns
Visitmy homepage 🏡 to seemore tools and projects 🛠️.
❤️ Buy me a coffee , this project took me lots of time! (❤️ 扫码领红包并打赏一个!)
🥂 ( ^_^) o自自o (^_^ ) 🍻
🤝 Bisides, thankcreate_ap byoblique. This script was forked from create_ap. Now they are quite different. 🤝 Also thank those people who contributed to that project.
👨💻 You can be contributor, too!
- 🍃 There're some TO-DOs listed, in bothreadme TODO andin the code file
- 🍃 Also someunfulfilled enhancements in the Issues
- 🙋♂️ Contributions are not limited to coding. There'resome posts and questions that need more people to answer
- WPA3
- Global IPv6
linux-router is LGPL licensed
linux-routerCopyright (C) 2018 garywillThis library is free software; you can redistribute it and/ormodify it under the terms of the GNU Lesser General PublicLicense as published by the Free Software Foundation; eitherversion 2.1 of the License, or (at your option) any later version.This library is distributed in the hope that it will be useful,but WITHOUT ANY WARRANTY; without even the implied warranty ofMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNULesser General Public License for more details.You should have received a copy of the GNU Lesser General PublicLicense along with this library; if not, write to the Free SoftwareFoundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USAUpstream create_ap was BSD licensed
Copyright (c) 2013, obliqueAll rights reserved.Redistribution and use in source and binary forms, with or withoutmodification, are permitted provided that the following conditions are met:* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THEIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AREDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLEFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIALDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ORSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVERCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USEOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.About
Set Linux as router in one command. Support Internet sharing, redsocks, Wifi hotspot, IPv6. Can also be used for routing VM/containers 🛰️
Topics
Resources
License
Uh oh!
There was an error while loading.Please reload this page.