The Interceptor - Basic Install

These instructions will leave you with a device which only responds on the wireless interface. For testing, if you want to leave the wired interface with an IP address you will need to modify /etc/config/network and /etc/init.d/interceptor and change the IP address to the one you want.

On the Fon+

Flash with OpenWrt 8.09. This is a good guide. Stop at "Luvzzzzz ! Next step :"

This guide assumes you are connecting via a serial cable, if not you need to telnet to and use passwd to set your root password. This then disables telnet and enables ssh.

Crate/edit the following files:

# /etc/config/wireless
config 'wifi-device' 'wifi0'
	option 'type' 'atheros'
	option 'disabled' '0'
	option 'channel' '6'

config 'wifi-iface'
	option 'device' 'wifi0'
	option 'mode' 'ap'
	option 'ssid' 'interceptor'
	option 'encryption' 'psk2'
	option 'key' '<KEY HERE>'

This assumes you want to use WPA2-PSK. Even though the data will encrypted by the VPN this prevents unauthorized users connecting to the interface and using it as a way into the device. Make sure you modify your wpa_supplicant file on the laptop so that it can connect to the AP.

# /etc/config/network

config 'interface' 'loopback'
	option 'ifname' 'lo'
	option 'proto' 'static'
	option 'ipaddr' ''
	option 'netmask' ''

config 'interface' 'lan'
	option 'type' 'bridge'
	option 'proto' 'static'
	option 'netmask' ''
	option 'ifname' 'eth0.0'
	option 'ipaddr' ''

config 'interface' 'wan'
	option 'ifname' 'eth0.1'

I can't find a way to specify in this file that I want both eth0.0 and eth0.1 to startup on the same bridge so I manually have to add eth0.1 to the lan bridge, br-lan, in a startup script. If anyone can tell me how to do this please get in touch.

Install the following packages:

  • kmod-tun_2.6.26.5-atheros-1_mips.ipk
  • libopenssl_0.9.8i-3_mips.ipk
  • libdnet_1.10-2_mips.ipk
  • libpcap_0.9.8-1_mips.ipk
  • wpa-supplicant_0.6.3-1_mips.ipk
  • liblzo_2.03-1_mips.ipk
  • openvpn_2.0.9-4_mips.ipk
  • zlib_1.2.3-5_mips.ipk

These can be downloaded from OpenWrt package page.

Make sure you copy them to /tmp on the device and you can install all at once with:

opkg install /tmp/*ipk

Copy over and install the interceptor package:

  • interceptor_1.0_mips.ipk

Delete the following files:

  • /etc/rc.d/*httpd
  • /etc/rc.d/*dnsmasq

This prevents the automatic startup of the web server and the dns/dhcp server. The web server isn't needed and the dhcp server can interfere with legitimate dhcp traffic flowing over the bridge. This doesn't not remove these applications only the symlinks that are used to automatically start them, they can be restored by recreating the symlinks to /etc/init.d .


On the laptop

The first job is to create the openvpn certificates. The instructions on the OpenVpn site describe this best.

Follow the naming scheme used but only create a client certificate for client1.

Copy the following files just created to /interceptor/openvpn/client on the Fon+:

  • client1.crt
  • ca.crt
  • client1.key

Modify the server.conf file on the laptop so the certificate lines point at the correct locations. These are lines starting ca, key, cert and dh.

Starting it all up

Bring up the wireless on the laptop and connect to the AP on the Fon+.

Manually set the wireless IP to

Run the script. This starts the openvpn server on the laptop, waits a short period to allow it to come up correctly then, via ssh, executes a startup script on the Fon+. The Fon+ will ask for the root password for the ssh login.

You should see a lot of log output with the DaemonLogger startup message towards the end. If all goes well all traffic flowing across the bridge should now appear on tap0 on the laptop. Test it by running:

tcpdump -i tap0

while generating traffic across the bridge.

Shutting it all down

To shut it down run the script. This reverses the startup script, first killing DaemonLogger and the VPN client on the Fon+ via ssh and finally killing the VPN server on the laptop. Again, you will need to enter the Fon+ root password for the ssh.

Sub Pages


Support The Site

I don't get paid for any of the projects on this site so if you'd like to support my work you can do so by using the affiliate links below where I either get account credits or cash back. Usually only pennies, but they all add up.