WiFi Access point - preferred options?

There are a huge number of seemingly duplicated options if you look for wireless and wlan in the options search. I wonder what’s the right way?

I want to provide multiple SSIDs in AP mode.
Differently routed via vpn and adguard and a public WIFI with captive portal.

The sane option seems to be hostapd. But there is also linux-wifi-hotspot and wpa_supplicant and I wonder if even systemd-network can do it?

Are there intrinsic benefits or disadvantages I should know?

Options that seem relevant

  • services.create_ap
  • services.hostapd
  • networking.wireless.interfaces
  • networking.wireless.networks (iwd and wpa_supplicant)
  • networking.wlanInterfaces
  • systemd.network (probably not)

linux-wifi-network is basically a script that simplifies all the network configuration so you don’t have to do any of the dnsmasq setup or whatever.

hostapd is definitely the sane option if you have more complex requirements. You’ll likely want to combine it with systemd-networkd or iptables to configure the firewall/NAT. You may also need to host your own DNS server depending on whether you set up bridge networking.

wpa_supplicant and iwd aren’t really designed to do this, so neither is the networking option.

1 Like

Yea pretty non-nix in every way. I don’t think it will be flexible enough for me.

I will set it up incrementally, but that was the reason I asked for sanity check before. I don’t want to get stuck once I get creative.

I suspected that but wasn’t sure. They can only do the client configuration I suppose?

I suspected that but wasn’t sure. They can only do the client configuration I suppose?

wpa_supplicant and hostapd are literally the same project: the former is the client, the latter the “server”. So, yes, you want to use hostapd. I’m not even aware of any other AP implementation for Linux…

2 Likes

So, to clear up the confusion a bit:

  • services.create_ap → manage a wireless AP, simply
    (it’s a wrapper around hostapd for end-users)

  • services.hostapd → manage a wireless AP
    (it’s hostapd in all of its majestic complexity)

  • networking.wireless → manage a wireless client
    (it’s wpa_supplicant under the hood)

  • networking.wireless.interfaces → to specify which interfaces the client can use
    (if unset, the first available will be used)

  • networking.wlanInterfaces → create virtual interfaces for your AP
    (needed only if you want to run multiple SSIDs/networks on the same radio)

5 Likes
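A minimal sketch of the services.hostapd route described above, with two SSIDs on one radio, one WPA3 network and one open, client-isolated guest network of the kind that sits in front of a captive portal. This is an added example, not taken from any poster's configuration; the interface name wlan0, the SSIDs, BSSIDs, country code and secret path are placeholders, and the option names assume the services.hostapd module of recent NixOS releases.

```nix
{
  services.hostapd = {
    enable = true;

    # One entry per physical radio; "wlan0" is a placeholder interface name.
    radios.wlan0 = {
      band = "5g";
      channel = 36;
      countryCode = "US"; # placeholder: set your own regulatory domain

      networks = {
        # The first BSS carries the same name as the radio.
        wlan0 = {
          ssid = "home";
          bssid = "02:00:00:00:10:00"; # constructed, locally administered
          authentication = {
            mode = "wpa3-sae";
            # Read at runtime, so the passphrase never lands in the
            # world-readable Nix store. Hypothetical path.
            saePasswordsFile = "/run/secrets/hostapd-home-sae";
          };
        };

        # Second SSID on the same radio.
        wlan0-guest = {
          ssid = "guest";
          bssid = "02:00:00:00:10:01"; # constructed, locally administered
          # Open network; access control is left to the captive portal
          # and the firewall, not to WiFi authentication.
          authentication.mode = "none";
          # Stop guest clients from talking to each other over the AP.
          apIsolate = true;
        };
      };
    };
  };
}
```

Each network appears as its own interface (here wlan0 and wlan0-guest), which is what a per-SSID firewall zone, VLAN or route attaches to.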

By the way, I’ve recently built a home router using only NixOS and I maintain the networking.wireless module, so if you’ve got any questions you can ask me.

2 Likes

Thanks a lot for your help. That clears things up a lot.

If you have your config public that would be a great place to “steal” some inspiration. As a home router is exactly what I’m doing.

I’m still waiting for the hardware. I live in Morocco at the moment, shipping is a nightmare. Not before October I suspect.

I think I will have some low level issues to solve before I jump in head first. I’m using the banana-pi rp4. There is a board support package for it already but the extremely new WiFi 7 card could still give me a few surprises…

Ah for the lulz. NetworkManager can set up access points too. :sweat_smile: (Supposedly native but maybe it’s also just hostapd under the hood)
But I’m staying as far away from that as I can. If it were systemd-network I would consider it.

If you have your config public that would be a great place to “steal” some inspiration. As a home router is exactly what I’m doing.

Here you go: https://maxwell.ydns.eu/~rnhmjoj/router.nix. I must warn you that it’s very unconventional, so I don’t think you will be able to reuse much besides the wireless AP. The setup is:

  • IPv6-only LAN (IPv4 masquerade is on, though, you could easily add RFC1918 addresses)
  • IPv4 is provided to the router via a 4in6 tunnel
  • local NAT64 service
  • WAN addresses and routes are statically configured (there is only a script to send a fake DHCPv6 packet to appease the ISP)

The more standard part is:

  • local DNS resolver
  • zone-based firewall using nftables
  • three VLANs: home, guest, botnet (read IoT devices)
  • hostapd to create access points (2.4, 5GHz) for each VLAN
  • a “trunk” port to connect more APs
  • IPSec VPN to connect home when travelling
  • IPSec mesh network for other remote servers

That’s quite unusual indeed. But I will keep it as a reference.

Thanks to living in a shithole country no provider here can give me IPv6. I’m even considering setting up a v6 tunnel just to feel normal again.

Liminix is also worth looking at, I’m hopeful it will become usable enough for a daily driver one day :slight_smile:

I think I misunderstood what this project wants to achieve when I looked at it before. I thought they just generate a WRT style set of env variables via Nix. But it seems to be a bunch more.

But modern SoCs have so many resources. I guess enough for NixOS.

Not my little travel routers, sadly, but yeah, I can see building a router with NixOS if you have the hardware for it.

Liminix is purpose-built and therefore may become more convenient in the long term, though, so I’ll always bring it up when people talk about nix-based routers.