OT: Adding A Wifi Adapter To Openvswitch


Hi all,

Finally, I have installed openvswitch from source to two CentOS hosts:
one 6.x and other 7.x.

I will do some tests using openvswitch bridges to my KVM machines. One of these tests is to add a wlan0 adapter from the command line, but only when this wlan0 is associated with an SSID, without assigning an IP.

Is this possible? Do I need to add some ebtables rules like, for example, Debian’s wiki says here:
https://wiki.debian.org/BridgeNetworkConnections#Bridging_with_a_wireless_NIC?

Thanks

11 thoughts on - OT: Adding A Wifi Adapter To Openvswitch

  • Usually it’s not.

    When you connect as a station to the infrastructure (AP) – e.g. without WDS or proprietary extensions enabled, every frame transmitted in between has three addresses: your station MAC, BSSID (AP MAC for simplicity), destination MAC.

    WPA(2) PSK encryption is using your station MAC. So if you try to transmit a packet with MAC address other than yours, it won’t be decrypted thus no transmission.

    To cut the long story short AFAIK you can’t bridge on WiFi client side with WPA(2) PSK encryption. But you can using WEP (or no encryption at all). Beware – WEP is as insecure as no encryption – it’s cracked literally in minutes.

    You could run WDS in AP-AP mode with the help of hostap suite or have a proprietary solution (WNIC and/or driver).

    Otherwise you can NAT/route it.

    Best regards, Dmitry Mikhailov

  • Followup

    They are doing an interesting Ethernet NAT with the following idea:

    Your wireless station has MAC “A” and IP “X”
    The virtual machine on the wireless station has MAC “B” and IP “Y”

    1) To the outside world both your wireless station and virtual machine IPs would share the same MAC:
    Arp:
    IP “X”: MAC “A”
    IP “Y”: MAC “A” (translated from “B”)

    2) Every ingress packet coming to your wireless station with the VM’s IP “Y” would have its MAC changed back

    This scheme could provide you connectivity but it’s hacky and it requires you to know the MAC and IP address combination of the VM. So IMHO it’s not really everyday mess-free usable.

    I’d prefer to have a real routing set up. Simple, fast and reliable.
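    The MAC translation sketched in the post above, written out as ebtables nat-table rules. This is an added example, not code from the thread or from the Debian wiki it refers to; the interface name wlan0 and the table layout (one VM with MAC “B” and IP “Y” behind the station MAC “A”) are assumptions, and the function only prints the rules so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the thread): emit ebtables rules for the "Ethernet NAT"
# idea. Arguments: wireless interface, station MAC "A", VM MAC "B", VM IP "Y".
# Nothing here is executed; pipe the output to `sudo sh` once it looks right.

is_mac() {
    # six colon-separated hex octets, e.g. aa:bb:cc:dd:ee:ff
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

mac_nat_rules() {
    wlan_if=$1; mac_a=$2; mac_b=$3; ip_y=$4
    is_mac "$mac_a" && is_mac "$mac_b" || { echo 'bad MAC address' >&2; return 1; }
    # Step 1 of the post: frames from the VM (MAC "B") leaving wlan0 are rewritten
    # to the station MAC "A". --snat-arp also rewrites the sender hardware address
    # inside ARP, so the AP side learns IP "Y" -> MAC "A".
    printf 'ebtables -t nat -A POSTROUTING -s %s -o %s -j snat --to-src %s --snat-arp\n' \
        "$mac_b" "$wlan_if" "$mac_a"
    # Step 2 of the post: ingress IPv4 frames for IP "Y", and ARP requests asking
    # for "Y", get the VM's real MAC "B" put back as destination.
    printf 'ebtables -t nat -A PREROUTING -i %s -p IPv4 --ip-dst %s -j dnat --to-dst %s\n' \
        "$wlan_if" "$ip_y" "$mac_b"
    printf 'ebtables -t nat -A PREROUTING -i %s -p ARP --arp-ip-dst %s -j dnat --to-dst %s\n' \
        "$wlan_if" "$ip_y" "$mac_b"
}

# Constructed sample values (documentation-range IP, locally administered MACs).
mac_nat_rules wlan0 02:00:00:00:00:01 02:00:00:00:00:02 192.0.2.20
```

    Every rule is per-VM, which is exactly the “you must know the VM’s MAC and IP” limitation the post points out.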

  • Thanks Dmitry, but I use wlan0 or eth0 to connect my laptop to different networks. I use a VM as a fw and I would like to have all VMs and the laptop behind this fw VM guest.

    Another option is to assign an IP to these interfaces and natting all to this fw vm … but I don’t like this option

  • It isn’t going to be safe, simple and reliable. You won’t have anything like ‘NetworkManager’ on the laptop host OS. It either should be heavily scripted or not done at all.

    You could write some fancy ebtables rules to do one-to-one MAC mapping between the fw VM interface and host interface and run DHCP client on the fw VM.

    On the host you’d have static route to another fw VM interface.

    But I can’t imagine all the hotplug event scripting. How could the fw VM find out if it’s time to (re-)run the DHCP client? How would you configure WPA keys on the host? How would you find out if WiFi is disconnected, the cable is connected and it’s time to redo the MAC mapping with another MAC address?

    Without some real effort it’s going to be fully (partly?) manual config with wpa_supplicant, ebtables and ssh’ing to the fw VM involved. I doubt I would like to change from NetworkManager to this stuff instead.

    That’s why they do https://www.anonabox.com/
    Otherwise you can get some OpenWRT on a commodity router to run some VPN or T#r or some other funny stuff.

  • Actually I do a similar thing.

    I use a VM as my home/office firewall.

    It works quite well and I would argue it is as secure as your standard firewall based on something like openWRT running on dedicated hardware.

    I also run a wireless AP in bridged mode to allow local network access on an appliance.

    There should be no reason that you could not put both on the same physical hardware.

    As for the openvswitch original question. Openvswitch has an API that you can access to manage your traffic along with supporting Openflow. If you can get events from your wireless interface then you could write some programs to connect to the switch API.

    I am not sure the overall result is worth the effort but it will teach you lots about your wifi interface and Openvswitch.

  • Do you?

    If your laptop/server/smth is permanently wired to the internet, there’s no problem to bridge this interface to the VM.

    But the topic starter wants to connect to the cable or wifi and still have a firewall VM. WiFi client connection with WPA(2) PSK encryption does allow only the station’s MAC in the air.

    Thus the topic starter needs some hotplug event scripting, wpa_supplicant being started manually, fancy ebtables rules to make it work, some way to notify the fw VM that the network config changed so it would rerun dhclient. Yea, and he should have some GUI/TUI to have it managed. No NetworkManager GUI here.

    As aforementioned, it’s a bit complicated setup. And if you’re thinking security-wise, imagine you need T#r or some fancy VPN to get your job done AND due to some minuscule scripting glitch a SINGLE packet would fly out of your real IP address – you’re busted.

    To be self-assured during such an intimate workout, you’d want to have a physical cable to the physical router that’s performing the encryption job. No VPN/T#r/smth – no juice. Simple, bulletproof.

    Do you connect to the AP wirelessly as the client to have a firewall VM running over that WiFi?

    Or have you connected the AP via cable to the server/router with the fw VM to provide connectivity to other clients?

    You could. But it’s hard to use in everyday life of typical usage. If the user is a sysadm/hacker who doesn’t mind issuing several commands from the console upon every successful wifi/wired connection – then welcome!

    I do want to see a neat solution please. Maybe I’m just too lazy.

  • Thank you both for your help, I have done another test. I have set up another laptop with Windows 2012 R2 Hyper-V and I have bridged the wireless interface and assigned this bridge to a VM guest, and voila!! It works without problem. Using some PowerShell scripts, I can change between SSIDs without problems. Easy, really easy. And I don’t need to use WDS features.

    I don’t understand why it doesn’t work with CentOS using the same approach. I am trying using brctl commands, but it doesn’t work either because wlan0 can’t authenticate with the AP …

  • Somebody already automated the ARP mangling. Brilliant.

    I wonder if there’s a way to run a script upon every NetworkManager connection event.

    Topic starter wrote me that he bridged wired and wireless on Windows Server 2012 and it works for Hyper-V VM OOTB.

    Still hoping to get the ARP table I asked to confirm.

  • Ok. Windows does just the same. Thanks for the ARP table. [For ML readers – it was sent directly]. Now we know what the money is paid for :)

    Quite possible with the invaluable help of Nux:
    Parprouted + NetworkManager scripting should do the trick.

    Would work even better but I don’t think the laptop would suspend.

    Try the aforementioned unnumbered option first. Can’t say anything about IPv6 – sadly not proficient. For IPv4 you won’t need iptables, only iproute:

    1) save and delete the current wireless default gateway IP
    2) create a source-based policy routing rule so traffic from the fw VM IP address would have the earlier saved IP as a gateway IP
    3) set the default gateway IP to the IP address of another interface of the fw VM (it’s a requirement)
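    The three iproute steps above, carried through as an added example; this is not code from the thread. It assumes wlan0 as the wireless interface, a dedicated routing table id of 100, and placeholder addresses for the fw VM: one on its wireless-facing side (the source the rule matches) and one on its inside interface (the host’s new default gateway). IP forwarding and parprouted are taken as already configured, as the post suggests; the functions only print the `ip` commands.

```shell
#!/bin/sh
# Added example (not from the thread). Step 1 parses the current default gateway
# out of `ip -4 route show` text; fw_vm_policy_routing emits the commands for
# steps 1-3. Output is printed, not executed, so it can be checked before `sudo sh`.

FW_TABLE=100   # assumption: routing table id reserved for the fw VM's traffic

# Step 1 helper: read `ip -4 route show` output on stdin, print the gateway of
# the default route (empty output if there is none).
default_gw_from_routes() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# $1 = wireless interface   $2 = gateway saved in step 1
# $3 = fw VM address facing the wireless side (source to match in the rule)
# $4 = fw VM address on its inside interface (host's new default gateway)
fw_vm_policy_routing() {
    wlan_if=$1; wlan_gw=$2; fw_outer_ip=$3; fw_inner_ip=$4
    [ -n "$wlan_gw" ] || { echo 'no default gateway found' >&2; return 1; }
    # 1) delete the host's default route via the wireless gateway (already saved)
    printf 'ip route del default via %s dev %s\n' "$wlan_gw" "$wlan_if"
    # 2) source-based policy routing: packets from the fw VM's outer address
    #    look up a table whose only default route is the saved wireless gateway
    printf 'ip route add default via %s dev %s table %s\n' "$wlan_gw" "$wlan_if" "$FW_TABLE"
    printf 'ip rule add from %s lookup %s\n' "$fw_outer_ip" "$FW_TABLE"
    # 3) the host itself now defaults to the fw VM's inside address, which must be
    #    on-link via another interface (the "requirement" in the post)
    printf 'ip route add default via %s\n' "$fw_inner_ip"
}

# Constructed sample of `ip -4 route show` output (documentation-range addresses);
# on a live host use: ip -4 route show | default_gw_from_routes
SAMPLE_ROUTES='default via 192.0.2.1 dev wlan0 proto dhcp metric 600
192.0.2.0/24 dev wlan0 proto kernel scope link src 192.0.2.50
10.0.0.0/24 dev br0 proto kernel scope link src 10.0.0.2'
gw=$(printf '%s\n' "$SAMPLE_ROUTES" | default_gw_from_routes)
fw_vm_policy_routing wlan0 "$gw" 192.0.2.60 10.0.0.1
```

    Reversing the change on disconnect is the `ip rule del` / `ip route del` mirror of the same commands, which is the NetworkManager dispatcher scripting the post has in mind.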