wifi-setup

PI COMMAND LINE WIFI SETUP

This isn't so much a project as a place to store my hard-won knowledge for my own future use. Maybe you'll also find it useful.

WHY

If you're using the Raspbian Lite image, you don't have access to the normal graphical WiFi setup tools. Setup can be done from the command line, but finding complete information is difficult, and the new init system has changed things a bit from what others have documented. Here's what worked for me:

HOW

Type the following as root (the redirect writes to a file under /etc). Replace ssid and password with the values needed for your access point:

    wpa_passphrase ssid password > /etc/wpa_supplicant/wpa_supplicant.conf

    systemctl enable wpa_supplicant

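The generated /etc/wpa_supplicant/wpa_supplicant.conf file contains a commented-out line beginning with #psk= that holds your password in plain text, next to the psk= line that holds the derived key. The commented line can be removed for added security.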
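One way to do that removal at generation time and to check the result afterwards, as an added example that is not part of the original page. The function names write_wpa_conf and audit_wpa_conf and the SSID "MySSID" are made up for illustration; the example relies on wpa_passphrase prompting for the passphrase on stdin when it is not given as an argument.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of wpa_supplicant.

# write_wpa_conf DEST: read wpa_passphrase output on stdin, drop the
# commented plaintext passphrase, and install the result as DEST (mode 600).
write_wpa_conf() {
    dest=$1
    [ -n "$dest" ] || { echo "usage: write_wpa_conf DEST" >&2; return 2; }
    # Temp file sits next to DEST so the final mv is a same-filesystem rename.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    # Remove the '#psk="..."' comment that carries the passphrase in clear.
    sed '/^[[:space:]]*#psk=/d' > "$tmp"
    # Keep the file only if a 64-hex-digit derived key is present.
    if ! grep -Eq '^[[:space:]]*psk=[0-9a-fA-F]{64}[[:space:]]*$' "$tmp"; then
        echo "write_wpa_conf: no hashed psk= line in input" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 600 "$tmp" && mv -f "$tmp" "$dest"
}

# audit_wpa_conf FILE: return 0 only if FILE holds no quoted passphrase
# (commented or not) and grants no permissions to group or others.
audit_wpa_conf() {
    conf=$1
    [ -f "$conf" ] || return 2
    if grep -Eq '^[[:space:]]*#?[[:space:]]*psk="' "$conf"; then
        echo "$conf: plaintext passphrase present" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$conf: accessible by group or others ($perms)" >&2
        return 1
    fi
    return 0
}

# Usage on the Pi, as root. The passphrase is typed at the prompt, so it
# does not end up in shell history:
#   wpa_passphrase "MySSID" | write_wpa_conf /etc/wpa_supplicant/wpa_supplicant.conf
#   audit_wpa_conf /etc/wpa_supplicant/wpa_supplicant.conf
```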

Edit the /etc/network/interfaces file. Make the wlan0 section look like the following:

    allow-hotplug wlan0

    iface wlan0 inet manual

    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

If you want to set up a minimal firewall, add the following lines to the /etc/rc.local file, above its final exit 0 line:

    #mitigate glibc vulnerability

    iptables -I INPUT -p udp --sport 53 -m length --length 511:65535 -j DROP

    iptables -I INPUT -p udp --dport 53 -m length --length 511:65535 -j DROP

    #allow www on external

    iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o wlan0 -p tcp -m multiport --dports 80,443

    iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i wlan0 -p tcp

    #allow ping on external

    iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o wlan0 -p icmp

    iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i wlan0 -p icmp

    #allow dns on external

    iptables -A OUTPUT -j ACCEPT -o wlan0 -p udp --dport 53

    iptables -A INPUT -j ACCEPT -i wlan0 -p udp --sport 53

    #allow dhcp renewals on external

    iptables -A OUTPUT -j ACCEPT -o wlan0 -p udp --sport 67:68 --dport 67:68

    iptables -A INPUT -j ACCEPT -i wlan0 -p udp --sport 67:68 --dport 67:68

    #allow all on internal (loopback is 127.0.0.0/8; Debian maps the hostname to 127.0.1.1)

    iptables -A INPUT -j ACCEPT -p all -s 127.0.0.0/8 -i lo

    iptables -A OUTPUT -j ACCEPT -p all -d 127.0.0.0/8 -o lo

    #block everything else

    iptables -P OUTPUT DROP

    iptables -P INPUT DROP

    iptables -P FORWARD DROP

    #show all rules

    iptables -L -n -v

For even more security, edit the /etc/sysctl.conf file and un-comment applicable security options. It's self-documenting.

Reboot and wait a couple of minutes. You should be connected to your access point!
