Adam's blog: Creating safe WiFi abroad, Vol. 2
Last time, I mentioned that my first setup could be improved with a USB WiFi adapter, which I had forgotten at home. So I went back to Croatia once again to test my hypothesis in action. How did it turn out?
The state of apartment complex WiFi
This time, the apartment complex had two WiFi APs - let’s call them complex and complex_5G. As you may have already guessed, the second one was the same as the first; only their frequencies differed. Furthermore, both my RPi Zero and the USB WiFi adapter can only receive 2.4GHz WiFi APs, so we will ignore the 5GHz one for now. The complex WiFi had good signal strength and its DHCP server was working, so we were already in a better situation than last time. When measuring the connection speed on the AP, I was able to get speeds of up to 4Mbit/s for both upload and download. During rush hours, though, when most of the guests were present in the building, the top speed I got was about 0.5Mbit/s for download and 3Mbit/s for upload. Not good, not terrible.
Directly improving upon the last time, I prepared the following setup:
- the core of the setup was once again my Raspberry Pi Zero W
- the RPi was connected to the complex AP through an external (and more powerful) USB WiFi adapter
- a USB Ethernet adapter was also connected through a USB hub
- on the other side of the Ethernet adapter was a TP-Link WiFi router
- the WiFi router acted as my AP and DHCP server for my network
- the RPi accepted all traffic from my AP and routed it through a secure VPN tunnel
The first setup, nicely packed under the night table
Even though this setup was a direct upgrade over the last one, in a real environment it still shared some flaws with the original. Most notably, the TP-Link WiFi router's speed degraded – when measured with iperf3 from my laptop to the RPi Zero, the overall throughput was sometimes only about 0.3 Mbit/s, which is not even close to the advertised speed of 300 Mbit/s. It was clear that the WiFi router was the weak link, even when used only as an AP. It had to be removed.
A great thing about the RPi Zero W is that it has its own WiFi antenna, which can connect to or host an access point (or both at the same time, but that option is unreliable for real-world usage). Its antenna is fairly small and its signal weak, but since we rented only one room, it should provide enough coverage for all of it. So, in this setup:
- the core of the setup is still the Raspberry Pi Zero W
- the RPi is connected to the complex AP through an external (and more powerful) USB WiFi adapter
- my AP is transmitted from the RPi’s internal antenna
- the RPi accepts all traffic from my AP and routes it through a secure VPN tunnel
After the TP-Link router is removed, I can also remove the USB hub and Ethernet adapter, making the night-stand setup even nicer-looking:
The second setup, nicely packed under the night table without bloat
The second setup from the side with easily distinguishable components
Of course, hosting the whole AP by myself has some implications – if I do want something more than static IP addressing, I have to run a DHCP server. (And a DNS server, but I can just reuse the already working dnscrypt-proxy from the original setup). I already have experience with isc-dhcp-server, which surely would be a reliable option, but what if there was a better way?
The answer is dnsmasq – a combination of both DHCP and DNS server, made for low-end machines (which RPi Zero certainly is). By default, it forwards all DNS requests to the system resolver, but, with a slight change of configuration, I can make it forward all requests to my DoH DNS proxy.
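That configuration change, as an added example that is not the author's actual config: the proxy address 127.0.0.1#5300, the interface name wlan0 and the DHCP range are assumptions. check_dns_leak reads a dnsmasq.conf and fails if queries could still reach a resolver other than the local proxy.

```sh
#!/bin/sh
# Added example; proxy address, interface name and DHCP range are assumptions.
DOH_PROXY="${DOH_PROXY:-127.0.0.1#5300}"   # local dnscrypt-proxy listener
AP_IF="${AP_IF:-wlan0}"                    # interface hosting the private AP

# Emit a dnsmasq.conf: DHCP for AP clients, DNS forwarded only to the proxy.
dnsmasq_conf() {
    cat <<EOF
interface=$AP_IF
bind-interfaces
no-resolv
server=$DOH_PROXY
dhcp-range=192.168.50.10,192.168.50.100,12h
EOF
}

# Read a dnsmasq.conf on stdin; return 0 only if upstream DNS can go nowhere
# but a loopback proxy: no-resolv is set and every server= is 127.x or ::1.
check_dns_leak() {
    awk -F= '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        $1 == "no-resolv" { noresolv = 1 }
        $1 == "server" {
            n++
            if ($2 !~ /^(127\.|::1)/) { print "non-local upstream: " $2; bad = 1 }
        }
        END {
            if (!noresolv) { print "no-resolv missing"; bad = 1 }
            if (!n) { print "no server= line"; bad = 1 }
            exit bad + 0
        }'
}

dnsmasq_conf | check_dns_leak && echo "dnsmasq.conf: DNS stays on the local proxy"
```

Without no-resolv, dnsmasq also reads the servers in /etc/resolv.conf, which on this box may be whatever the complex's DHCP handed out.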
For creating the hotspot itself, I like to use hostapd, which provides a super easy way to create one. Just point it to an interface, add SSID, password, channel & version, and you are good to go.
Or, let’s go even easier! One could use something like RaspAP, which handles all these actions by itself. You can just use their single-command install script (curl -sL https://install.raspap.com | bash) and afterwards connect to a web control interface. From there, you can adjust your hotspot, DNS and DHCP settings, restart services or access additional features like VPN, ad-blocking and more. Under the hood, RaspAP uses the previously mentioned dnsmasq. Just beware: the version of RaspAP that I used set the default forward policy to ACCEPT, meaning that everything could be forwarded everywhere, even packets coming from the interface connected directly to the complex WiFi, which is not ideal. To mitigate this security risk, I used iptables to set the default forward policy to DROP and allowed only forwarding from my AP to the VPN interface (effectively creating a VPN kill-switch for all clients connected to the AP).
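The kill switch described above together with an audit of the resulting ruleset, as an added example that is not the author's script: the interface names wlan0 (private AP), wlan1 (uplink to the complex WiFi) and tun0 (VPN) are assumptions, and the reply rule for established connections is an addition the post does not spell out.

```sh
#!/bin/sh
# Added example; interface names are assumptions, not taken from the post.
AP_IF="${AP_IF:-wlan0}"     # internal antenna hosting the private AP
VPN_IF="${VPN_IF:-tun0}"    # VPN tunnel interface

# Print the commands for the kill switch described above (run them as root).
killswitch_cmds() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -i $AP_IF -o $VPN_IF -j ACCEPT"
    # Replies must be let back in, or the clients get no answers at all.
    echo "iptables -A FORWARD -i $VPN_IF -o $AP_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Read `iptables-save` output on stdin; return 0 only if the filter table's
# FORWARD policy is DROP and every ACCEPT rule placed directly in FORWARD is
# AP -> VPN or the reply path. Rules in chains that FORWARD jumps to
# (UFW creates some) are not followed.
audit_forward() {
    awk -v ap="$AP_IF" -v vpn="$VPN_IF" '
        /^\*/ { table = $1 }                      # mangle has a FORWARD chain too
        table == "*filter" && /^:FORWARD / { policy = $2 }
        table == "*filter" && /^-A FORWARD / && / -j ACCEPT/ {
            out  = ($0 ~ ("-i " ap " ")  && $0 ~ ("-o " vpn " "))
            back = ($0 ~ ("-i " vpn " ") && $0 ~ ("-o " ap " ") && /ESTABLISHED/)
            if (!out && !back) { print "unexpected: " $0; bad = 1 }
        }
        END {
            if (policy != "DROP") { print "FORWARD policy: " policy; bad = 1 }
            exit bad + 0
        }'
}

# Constructed dumps: a permissive ruleset and the hardened one.
sample_permissive() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        '-A FORWARD -i wlan1 -o wlan0 -j ACCEPT' 'COMMIT'
}
sample_hardened() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' \
        '-A FORWARD -i wlan0 -o tun0 -j ACCEPT' \
        '-A FORWARD -i tun0 -o wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        'COMMIT' '*mangle' ':FORWARD ACCEPT [0:0]' 'COMMIT'
}

sample_hardened | audit_forward && echo "hardened: ok"
sample_permissive | audit_forward || echo "permissive: flagged"
```

On the device itself, the audit is fed the live ruleset with `iptables-save | audit_forward`.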
The size of the rented room together with the bathroom and the balcony was about 6x8 meters, so even the small and weak RPi internal antenna was able to cover the whole area with a good-enough signal. When testing the throughput with the iperf3 command from the most distant place, I was able to measure stable speeds of about 6Mbit/s, which is not great, but given that the complex’s AP provided me with a maximum speed of 4Mbit/s, it is good enough.
Getting more speed
I figured out that the complex’s AP distributes its available bandwidth evenly between all TCP streams. Fortunately, a few days before, I had written a Node.js application that allows me to split my UDP VPN connection into multiple TCP streams. Even though I wrote this application for another purpose (and will possibly write another post about it), it seemed just perfect for this use case, where the single VPN connection gave me less bandwidth than browsing without any VPN tunnel.
When testing on my multicore smartphone, I was able to gain up to 4 times more bandwidth when using 8 TCP streams, which seemed promising. Unfortunately, when I deployed this Node.js application on the single-core RPi Zero, it took about 60% of the CPU, leaving almost nothing for other services. In the end, the throughput was worse than using a single UDP connection directly to the VPN provider.
Overall, the second setup was a success – the AP was working reliably for a number of days until we left, there was almost no decrease of my AP bandwidth when compared to the complex’s AP and the traffic of all connected clients was protected from nosy neighbours lurking through the complex’s AP (from UFW logs it was evident that someone had tried to port-scan the RPi). Even though this was most probably my last vacation abroad this summer, I may reincarnate this series in the future. Maybe I will purchase a more powerful device? Or the rented room will be too large for the RPi’s internal antenna and I will have to use the TP-Link WiFi router as a signal repeater? Whatever the future brings, only one thing is certain - I will keep you all updated with my latest setup. So let me end this the same way as the original post – with a view of the sea.
The view from the room’s balcony