Difference between revisions of "Use Cell Phone As LAN Gateway"

From Nearline Storage
Line 12: Line 12:
 
Connect the Pi to the existing LAN and access it via ssh.
 
Connect the Pi to the existing LAN and access it via ssh.
  
Install your public key in <code>/home/pi/,ssh/authorized keys</code>
+
Install your public key in <code>/home/pi/.ssh/authorized keys</code>
  
 
After confirming that access using your public key works, modify <code>/etc/ssh/sshd_config</code> to prohibit logins using passwords by uncommenting <code>PasswordAuthentication no</code>
 
After confirming that access using your public key works, modify <code>/etc/ssh/sshd_config</code> to prohibit logins using passwords by uncommenting <code>PasswordAuthentication no</code>
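
Review bot: the corrected line (the + side) fixes ",ssh" to ".ssh" but still ends in "authorized keys" with a space. sshd reads /home/pi/.ssh/authorized_keys, so the underscore should be restored in the same edit; as written, a reader who copies the path creates a file that sshd never consults, and key login fails.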

Revision as of 16:31, 24 February 2021

I'd like to use my cell phone's data connection to back up my cable modem. In other words, when the cable goes out, I want to be able to switch my main house router over to using my cell phone as its WAN network provider.

Like most, my cell phone has both wifi hotspot and USB tethering capabilities. My house router cannot make use of either of these. My solution, then, is to use a Raspberry Pi computer as an intermediate, "stacked" router in between my cell phone and my house router. The router's WAN port is connected to the Pi's ethernet port and the cell phone is tethered to one of the Pi's USB ports.

No changes are required on the cell phone, other than turning on the USB tethering feature. No changes are required on my router. It will pick up its connection details from a DHCP server running on the Pi. All that's required is to properly configure the Pi.

Install Raspbian

I installed the "Lite" version of the Raspbian distribution.

Set up sshd for remote access

Connect the Pi to the existing LAN and access it via ssh.

Install your public key in /home/pi/.ssh/authorized_keys

After confirming that access using your public key works, modify /etc/ssh/sshd_config to prohibit logins using passwords by uncommenting PasswordAuthentication no

Upgrade and install additional packages

sudo apt update
sudo apt upgrade
sudo apt install isc-dhcp-server dnsmasq vim dnsutils

Disable unnecessary network ports opened by avahi-daemon

sudo systemctl stop avahi-daemon
sudo systemctl disable avahi-daemon.socket
sudo systemctl disable avahi-daemon

Configure the ethernet port with a static address

/etc/dhcpcd.conf

Leave the defaults in this file as is. Add a static address definition for the eth0 port:

interface eth0
static ip_address=10.254.239.1/24

Configure and start the isc-dhcp-server

/etc/default/isc-dhcp-server

Set INTERFACESv4="eth0"

/etc/dhcp/dhcpd.conf

default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
subnet 10.254.239.0 netmask 255.255.255.0 {
  range 10.254.239.20 10.254.239.254;
  option broadcast-address 10.254.239.255;
  option routers 10.254.239.1;
}

Enable and start the isc-dhcp-server systemd service.

Prevent ssh access to the Pi from the internet

Modify /etc/ssh/sshd_config and set ListenAddress 10.254.239.1
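
This added example (not part of the original page) checks the two sshd settings this guide relies on, PasswordAuthentication and ListenAddress, the way sshd reads them: the first value of a keyword wins, and every ListenAddress line is bound. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the sshd settings
# this guide depends on. Function names and sample data are constructed.

# Print every value of KEYWORD in the global section of FILE, in order.
# Comment lines are skipped, keywords are case-insensitive, and scanning
# stops at the first Match block because later lines are conditional.
# Include directives are not followed.
sshd_values() {
    awk -v key="$2" '
        $1 ~ /^#/                   { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2) }
    ' "$1"
}

# Return 0 only if password logins are off and sshd listens solely on
# the LAN address given as $2. Prints one line per problem found.
audit_sshd() {
    file=$1 lan_addr=$2 rc=0
    # sshd keeps the FIRST PasswordAuthentication value; unset means "yes".
    pw=$(sshd_values "$file" PasswordAuthentication | head -n 1)
    if [ "${pw:-yes}" != "no" ]; then
        echo "FAIL: PasswordAuthentication is effectively '${pw:-yes}'"
        rc=1
    fi
    # ListenAddress may repeat; every value is bound, so all must match.
    addrs=$(sshd_values "$file" ListenAddress)
    if [ -z "$addrs" ]; then
        echo "FAIL: no ListenAddress, sshd binds every interface"
        rc=1
    fi
    for a in $addrs; do
        if [ "$a" != "$lan_addr" ]; then
            echo "FAIL: sshd also listens on $a"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: "no" was uncommented, but an earlier "yes" wins.
sample=$(mktemp)
printf '%s\n' 'PasswordAuthentication yes' '#ListenAddress 0.0.0.0' \
    'ListenAddress 10.254.239.1' 'PasswordAuthentication no' > "$sample"
audit_sshd "$sample" 10.254.239.1 || echo "sshd_config needs attention"
```

On the Pi itself, sudo sshd -T prints the configuration sshd actually resolves, with Include files taken into account.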

Start the dnsmasq service

No configuration changes are required. Enable and start the dnsmasq systemd service.

Set up forwarding in the kernel

/etc/sysctl.d/97-dlk-router.conf

net.ipv4.ip_forward=1

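Then do sudo sysctl -p /etc/sysctl.d/97-dlk-router.conf (a bare sysctl -p only loads /etc/sysctl.conf and would skip this file).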

Create firewall script

/etc/network/if-pre-up.d/iptables

#!/bin/sh

#  Set up rules for a router that tethers my cell phone
#  and acts as a replacement for the cable modem in my
#  network when the cable goes out.
#
#  There's wide open flow between the cell phone interface
#  and the ethernet interface.  We're only concerned about
#  blocking external access to services on the router itself.

#  usb0: the tethered cell phone
IF=usb0

#  Set up masquerading in the nat table
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t nat -P PREROUTING ACCEPT
/usr/sbin/iptables -t nat -P INPUT ACCEPT
/usr/sbin/iptables -t nat -P OUTPUT ACCEPT
/usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o $IF -j MASQUERADE

#  Completely open access on all interfaces
/usr/sbin/iptables -F
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT

#  Block inbound ssh, dns, and dhcp traffic from the internet just
#  to be safe (the daemons should already be ignoring these ports)
/usr/sbin/iptables -A INPUT -i $IF -p tcp --dport 22 -j DROP 
/usr/sbin/iptables -A INPUT -i $IF -p tcp --dport 53 -j DROP 
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 53 -j DROP 
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 67 -j DROP
/usr/sbin/iptables -A INPUT -i $IF -p udp --dport 68 -j DROP

Then do chown 0:0 /etc/network/if-pre-up.d/iptables and chmod a+x /etc/network/if-pre-up.d/iptables. Run the script.
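
Because the script above leaves the INPUT policy at ACCEPT and drops only five ports on usb0, any other service listening on the Pi stays reachable from the phone side, and the iptables rules apply to IPv4 only. The following added example (not part of the original page) filters `ss -H -tuln` output down to listeners those rules do not cover; the function name and sample data are constructed, and a socket bound to the LAN address is assumed not to be reachable via usb0.

```shell
#!/bin/sh
# Added example (not from the original page): list listeners that the
# firewall script leaves reachable from usb0. Names are constructed.

# proto/port pairs the script DROPs on usb0 (copied from its rules).
BLOCKED="tcp/22 tcp/53 udp/53 udp/67 udp/68"

# Reads `ss -H -tuln` lines on stdin; $1 is the Pi's LAN address.
# Prints "proto/port address reason" for each exposed listener.
# Live use on the Pi: ss -H -tuln | exposed_listeners 10.254.239.1
exposed_listeners() {
    awk -v lan="$1" -v blocked="$BLOCKED" '
        BEGIN { n = split(blocked, b, " "); for (i = 1; i <= n; i++) drop[b[i]] = 1 }
        {
            la = $5                                   # Local Address:Port column
            port = la; sub(/.*:/, "", port)           # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            sub(/%.*/, "", addr)                      # strip %interface suffix
            # Loopback and LAN-only sockets are not offered on usb0.
            if (addr ~ /^127\./ || addr == "[::1]" || addr == lan) next
            key = $1 "/" port
            if (addr ~ /^\[/ || addr == "*")          # IPv6: iptables rules do not apply
                print key, addr, "ipv6-unfiltered"
            else if (!(key in drop))
                print key, addr, "no-drop-rule"
        }'
}

# Constructed sample of `ss -H -tuln` output for demonstration.
SAMPLE='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0%eth0:67 0.0.0.0:*
tcp LISTEN 0 128 10.254.239.1:22 0.0.0.0:*
tcp LISTEN 0 5 0.0.0.0:8080 0.0.0.0:*
tcp LISTEN 0 32 [::]:53 [::]:*'
printf '%s\n' "$SAMPLE" | exposed_listeners 10.254.239.1
```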

Testing the router

Power on the Pi.

  • The Pi can be run headless but a monitor and keyboard make it easier to monitor the Pi and fix any problems that occur.

Connect a PC to the Pi's ethernet port. The PC should obtain an address in the 10.254.239.0/24 subnet from DHCP on the Pi. Make sure that this is the only active connection on the PC, i.e., turn off any wireless connections the PC may have, etc.

Connect the cell phone to a USB port on the Pi and turn on its tethering function. You should be able to watch the Pi's log using journalctl -f and see the usb0 connection come up on the Pi.

The PC should now be able to use the internet as normal.

Using the router

When the cable modem dies, unplug it from the home router.

Connect the home router to the Pi's ethernet port and power up the Pi.

  • The Pi can be run headless but a monitor and keyboard make it easier to monitor the Pi and fix any problems that occur.

Connect the phone to the Pi's USB port and turn on its tethering feature.

The devices on your LAN should now have network access as usual.

Know that the longer you run this way, the more astronomical will be your data charges on your cell phone bill.