mirror of
https://git.kernel.org/pub/scm/network/wireless/iwd.git
synced 2024-11-18 10:19:24 +01:00
101 lines
3.1 KiB
Plaintext
101 lines
3.1 KiB
Plaintext
Virtual Ethernet Device
|
|
=======================
|
|
|
|
Virtual Ethernet device pairs are a pair of fake Ethernet devices that act
|
|
as a pipe, Traffic sent via one interface comes out the other. As these are
|
|
Ethernet devices and not point to point devices you can handle broadcast
|
|
traffic on these interfaces and use protocols other than IP.
|
|
|
|
To create a virtual ethernet pipe with one end called veth0 and the other
|
|
called veth1, use the following command:
|
|
|
|
sudo ip link add veth0 type veth peer name veth1
|
|
|
|
The pair of interfaces are identical and act as a dumb pipe, there is no
|
|
master or slave end. Deleting either end will cause both interfaces to be
|
|
deleted. The pair of interfaces implement carrier detection and can tell
|
|
when one side of the link is in the 'DOWN' state. if the other link is in
|
|
the 'DOWN' state it will indicate 'NO-CARRIER' until the other end is
|
|
brought up:
|
|
|
|
sudo ip link set veth0 up
|
|
sudo ip link set veth1 up
|
|
|
|
|
|
Testing 802.1x on Virtual Ethernet Device
|
|
=========================================
|
|
|
|
It is based on hostapd and wpa_supplicant. To compile them, go in the
|
|
hostapd/wpa_supplicant directory, copy "defconfig" to ".config", for
|
|
hostapd uncomment the line "CONFIG_DRIVER_WIRED=y" and "make".
|
|
|
|
Using hostapd (the authenticator) and following hostapd.conf file:
|
|
|
|
interface=veth0
|
|
driver=wired
|
|
ieee8021x=1
|
|
use_pae_group_addr=1
|
|
eap_server=1
|
|
eap_user_file=hostapd.eap_user # replace with the right path
|
|
ca_cert=newcertca.crt # replace with your CA certificate path
|
|
server_cert=newcertca.crt # replace with your server certificate path (here I use the same as for the CA for simplicity)
|
|
private_key=newkeyca.key # replace with your server private key path
|
|
|
|
A sample hostapd.eap_user that works is the following:
|
|
|
|
# Phase 1 users
|
|
* PEAP
|
|
# Phase 2
|
|
"test" MSCHAPV2 "password" [2]
|
|
|
|
To execute hostapd (add "-dd" for debug mode):
|
|
|
|
sudo ./hostapd hostapd.conf
|
|
|
|
Using wpa_supplicant (the supplicant, i.e., the client) with the following
|
|
wpa_supplicant.conf configuration file:
|
|
|
|
ap_scan=0
|
|
fast_reauth=1
|
|
network={
|
|
ssid=""
|
|
scan_ssid=0
|
|
key_mgmt=IEEE8021X
|
|
eap=PEAP
|
|
phase2="auth=MSCHAPV2"
|
|
identity="test"
|
|
password="password"
|
|
ca_cert="newcertca.crt" # replace with your CA certificate path
|
|
}
|
|
|
|
To run wpa_supplicant (add "-dd -K" for debugging):
|
|
|
|
sudo ./wpa_supplicant -iveth1 -c./wpa_supplicant.conf -Dwired
|
|
|
|
|
|
Running Authenticator in a network namespace
|
|
============================================
|
|
|
|
In some cases it might be useful to run hostapd in a network namespace to
|
|
provide real separation between the two network interfaces. First create
|
|
the "hostap" named network namespace:
|
|
|
|
sudo ip netns add hostap
|
|
|
|
Now move the network interface of hostapd into the "hostap" named network
|
|
namespace:
|
|
|
|
sudo ip link set veth0 netns hostap
|
|
|
|
Inside the "hostap" named network namespace the loopback interface needs
|
|
to be brought up and also the network interface:
|
|
|
|
sudo ip netns exec hostap ip link set lo up
|
|
sudo ip netns exec hostap ip link set veth0 up
|
|
|
|
Then execute hostapd inside the network namespace:
|
|
|
|
sudo ip netns exec hostap ./hostapd wired_hostapd.conf
|
|
|
|
After that run wpa_supplicant as described above.
|