This repository holds configuration files for the WiFi network tracing setup of the Android Device Security Database Lab at the Institute of Networks and Security at JKU Linz. It is based on a Turris Omnia access point performing 802.1x/802.11i client specific authentication and assigning a unique (virtual) VLAN to each Android device. This allows capturing all WiFi network traffic per device, including broadcast/multicast packets and independently of MAC address randomization.
We currently mirror all VLAN tagged packets to an Arkime server for statistical analysis, but any tool capable of monitoring Ethernet packets should be useful for analysis in this setup. This is currently using L2TP because that actually worked with the standard Turris kernel and a Debian VM peer, while I couldn't manage to get a GRETAP tunnel working so far.
To make this reasonably usable, replace
- 'wifilab123' in
config/wireless
with a local PSK that devices need to connect to internal, non-VLAN-tagged network (e.g. for the access point admin interface), which is bridged to the Ethernet LAN ports - 'testing123' in all config files and command line argyments with a randomly created password to authenticate the Radius communication
- 'client123' in
freeradius3/mods-config/files/authorize
with passwords for the actual Android clients - using the same password is ok. The user names should be unique to map to unique VLAN numbers, which is the whole point of this exercise. ula_prefix
inconfig/network
with a unique prefix- potentially
wan
configuration inconfig/network
if DHCP is not used upstream - L2TP tunnel configuration for the
mirror
interface inconfig/network
andrc.local
to match the local and peer IP addresses for the specific setup MAILTO
incron.d/local-check-connected-wifi-devices
and local mail server inmsmtprc
to receive email about device connection stats
Inspired by https://brainfood.xyz/post/20190518-letsencrypt-on-turris-omnia/
- Call
opkg install acme
to get the necessary scripts - Make sure there is a publicly resolvable DNS name for your access point, with port 80 reachable from the WAN side (the firewall rule for the port on the router itself will be opened dynamically only while renewing)
- Disable sentinel/minipot (the honeypot) from catching port 80
mkdir mkdir -p /www/letsencrypt/.well-known/acme-challenge/
echo 'alias.url += ( "/.well-known/acme-challenge/" => "/www/letsencrypt/.well-known/acme-challenge/")' > /etc/lighttpd/conf.d/05-letsencrypt.conf
- Adapt
/etc/config/acme
with your hostname - Change
/etc/acme/cleanup-letsencrypt.sh
to use the proper filenames with your hostname - Execute
/etc/init.d/acme enable; /etc/init.d/acme start
ln -s /etc/acme/<your-hostname>/ca.cer /etc/freeradius3/certs/ca.pem
If something goes wrong, manually starting /usr/lib/acme/run-acme
should give some error messages.