Adam's blog: Creating safe WiFi abroad, Vol. 1

15 Jul 2022, 877 words

After successfully completing my bachelor’s finals, I have set for a vacation near a sea in Croatia. The apartment that I was to stay in has advertised to have WiFi connection, even though some reviews have stated that it is quite unstable. Nonetheless, this seemed like a perfect opportunity to test my secure WiFi AP setup.

The state of apartment complex WiFi

The whole apartment complex has two active WiFi AP - <place>123 and <place>123-EXT. My room is in a second floor, where the receiving signal of <place>123-EXT is much stronger than the one of <place>123. Unfortunately, as it seems, the <place>123-EXT is only a D-Link repeater for the base network, and no a good one – it has frequently lost connection to the base AP for an extended period of time, which makes it practically unsuitable. I was unable to pinpoint the precise location of the base AP and I suspect that it may be hidden inside the complex owner’s room. The only thing that I can say about it is that it is located on the ground floor and is manufactured by Huawei. As of writing of this post, I was unable to obtain any dynamic IP from <place>123-EXT DHCP server for two days and the connection to the base AP is not possible from any of my standard devices, so I am unable to measure the precise network speed. The best measurement I have is the 8Mbit down/4M bit up from the day one of the vacation.

Secure Wifi AP setup

The setup itself consists of the parts - a TP-Link WiFi router and a Raspberry Pi Zero. Fortunately, the TP-Link WiFi router (when placed on the right spot) is strong enough to connect to the <place>123 AP directly, so I can skip the misbehaving repeater. The TP-Link router is also set to work in a WIPS mode – it connects to one AP and simultaneously emits another one. It also acts as an authoritative DHCP server. This DHCP server informs clients to use the IP address of the Raspberry Pi Zero both as a gateway and a DNS server.

The Raspberry Pi is connected to the TP-Link router with and Ethernet cable and has a static default gateway set as the IP of the TP-Link router. It also accepts all incoming packets and forwards them through an VPN back to my home country, so I can both keep my streaming services running and protect any other guests in the complex from sniffing my traffic. To provide the DNS functionality, an dnscrypt-proxy server is running on the RPi.

The working setup with the TP-Link router and RPi zero

Throughput of the setup

When I have tested this setup at home, I have been able to achieve a stable connection of about 24 Mbit/s, which is good enough for general usage. Somewhat mysteriously, the performance of the TP-Link router has started to degrade from the day one. Noted, it had shown marks of misbehaving in the past, but powering the device on and off has always solved the problem (rebooting it through the configuration interface had never any effect). Right now, when measured with iperf3 with server on my laptop and client on the Ethernet-connected RPi zero, the results are only around 1.5Mbit/s.

What to improve

Evidently, these results are not enough for most of everyday usage as they are barely sustainable for reading news. So what can I do in the future to improve upon this setup? The most obvious answer is to buy a device that has a firmware update since 2020, but I don’t want to do that – it is still a (mostly) functional device and I believe, that I can find a more elegant solution. I have also tough about flashing another open source firmware, but neither OpenWRT not DD-WRT seem to support this device, while OpenWRT actively discourages from using it. As a third option, I want to try a setup in which I use my USB WiFi adapter, which I have unfortunately forgotten home. It could act as a strong client/AP directly for the RPi. So, until the next time, all I can do is to enjoy the view and not YouTube clips.

The view from the apparment balcony

Post-publish updates

#1 The setup is working again

After publishing this post, the TP-Link router has stared to behave properly for an extended period of time. I have no idea what has changed and so I continue to search for any causes.

#2 Why the complex’s repeater does not work

I have been able to capture the precise model of the <place>123-EXT AP – the D-Link DAP-1330. The device shows only one amber indication LED, which (according to the manual) means that it has a very poor connection to the base network. This could provide a hint as to why the extender AP has close-to-nonexistent connectivity to the Internet.

Manual showing that one amber LED means a very poor connection

A photo of the complex’s repeater AP