obsidian | avz@elpolla.com

Enlace original: https://www.ixonae.com/configure-a-raspberry-pi-as-a-secure-wifi-access-point-with-open-wrt/

Getting OpenWRT Running

The first step is to flash OpenWRT into a microSD card. Raspberry has software to do so, but you can also use dd, or whatever software you are comfortable with. The image can be found on OpenWrt’s website.

Once this is done, you can plug your Raspberry Pi and your computer into a switch, and boot the machine. You will then be able to access the LuCI interface at 192.168.1.1 and to log in as root with no password.

Note that by default, your microSD card will only be formatted with partitions of a few hundred MBs, so at some point, you might want to reformat your partitions if you want to go into advanced use of OpenWrt.The various instructions on the Internet did not work for me, and I had no time or need to investigate further, but I’ll leave references at the end of the article.

Once we access the administration interface, we first want to go to System/Administration and set a decent password. I also recommend changing the SSH settings to only allow logging in with an SSH Key.

Basic Network Configuration

Now that OpenWrt is up and running, we want to enable the Wifi and do some basic network configuration.

In Network/Wireless, edit the wireless network interface:

You can choose the frequency that suits your needs best. I used N mode with a 5 GHz band and an automatic channel. If you want to set things manually, you can use the Channel Analysis in the Status menu
Mode: Access Point
Network: lan
Encryption: anything that is WPA2 or WPA3, auto cipher, and a strong key
In the advanced settings, there is also an option to prevent client-to-client communications

Then, enable the interface, and you should see your WiFi network. You might notice that you can add an extra WiFi AP in the radio0 configuration. Doing so will only make OpenWRT unhappy, and your changes will be automatically un-applied.

The final step before being able to use the WiFi is to configure the interfaces in Network/Interfaces. By default, you should have a single Interface br-lan, or something of the kind. We will edit this interface to have the following:

Protocol: Static address
Device wlan0
Bring up boot checked
IPV4 address 192.168.1.1
Netmask: 255.255.255.0
Firewall-zone: lan
Make sure that the DHCP service is not disabled

Now we disconnect the Ethernet from the computer, we connect it to the router and continue with WiFi. Then, we will add an interface for eth0 with the following settings:

Protocol DHCP Client
Device eth0
Bring up on boot enabled
Firewall zone: wan

When all of this is done, the final step before being able to use the WiFi to access the Internet is to check the firewall settings in Network/Firewall. You should have two zones:

lan => wan should have lan as a Covered networks, allow forward to the wan destination, and have Input, Output, and Forward as accepted
wan => DROP should have eth0 as Covered networks, drop Input and Forward, and accept Output

You can now click on Save & Apply, and connect to your WiFi.