No Agenda Internet In A Box Hotspot Guide

You made it!

This guide is for NA fans who want to propagate the formula in a new, off-grid way. You can counter mainstream propaganda by running a wifi hotspot that continuously streams the No Agenda podcast to anyone in range of your wifi network.

What’s included?

A Wifi hotspot running the following major components:
  • Hostapd, which broadcasts a no-internet wifi network called “Join-me”
  • Lighttpd web server hosting static web pages and a futaba image board (à la 4chan) so visitors can post messages and pictures for your local community.
  • An Icecast server & Ices client which stream the episodes of No Agenda that have been downloaded to the device
  • A podcast client (greg) which downloads the latest episodes on Thursday & Sunday afternoons (if you have connected the device to an ethernet network with Internet access).

What do you have to do to run this device?

  • Own a Raspberry Pi 3+ or 4 with an 8 GB or greater SD card.
  • Have the ability to rip an image to the device using Etcher or the Raspberry Pi imaging software.
  • Install the image on the SD card, pop it in your Pi. Power it up. Turn around 360 degrees and walk away.

I’m a DNB. What else can I do?

You should first ssh into na-internet-in-a-box.local and change the password on the Pi account (default is ChangeDefaultPWD3331333). You can always run periodic apt-get update commands to keep your software up to date. The threat surface will be greatest on your LAN (brute-force attacks against SSH). There is no ssh access to the hotspot from the wifi network by default.

How long does a build take?

As of 4/26, it takes ~60 minutes for a build to complete, plus another ~60 minutes to rip the firmware.

How can I see if people are accessing my hotspot?

There are five ways to see the various interaction data of the hotspot.

1. Track currently and recently attached devices

sudo arp -a | grep wlan0

2. Track Layer 1/2 connectivity to the wifi hotspot

sudo tail -f /tmp/hostapd.log | grep "New station"

3. Track DHCP IP address assignment

sudo tail -f /tmp/dnsmasq.log | grep "DHCPREQUEST(wlan0)"

4. Track Interactions with the NoDogSplash Captive portal

sudo tail -f /var/log/daemon.log | grep "src/client_list.c:138"

5. Interactions with the stream presentation page

sudo tail -f /var/log/lighttpd/access.log | grep "GET / HTTP/1.1"
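
The DHCP check in item 3 can be turned into a per-device summary instead of a live tail. This is an added example, not part of the hotspot image; it assumes dnsmasq's usual log line layout, and the sample lines (client addresses, MACs and hostname) are constructed.

```shell
#!/bin/sh
# Added example, not part of the hotspot image. Summarises wlan0 clients from
# dnsmasq log lines on stdin. Assumed line layout (dnsmasq's usual one):
#   <date> dnsmasq-dhcp[pid]: DHCPREQUEST(wlan0) <ip> <mac>
#   <date> dnsmasq-dhcp[pid]: DHCPACK(wlan0) <ip> <mac> [hostname]
#   <date> dnsmasq[pid]: query[A] <name> from <ip>

# Output, one line per MAC: "<mac> <last-ip> <dhcp-requests> <dns-queries> <hostname>"
hotspot_clients() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "DHCPREQUEST(wlan0)") {
                mac = tolower($(i + 2)); ip[mac] = $(i + 1); reqs[mac]++
            } else if ($i == "DHCPACK(wlan0)" && (i + 3) <= NF) {
                host[tolower($(i + 2))] = $(i + 3)   # hostname is optional
            } else if ($i ~ /^query\[/ && $(i + 2) == "from") {
                dns[$(i + 3)]++                      # DNS lookups per client IP
            }
        }
    }
    END {
        for (m in reqs)
            printf "%s %s %d %d %s\n", m, ip[m], reqs[m], dns[ip[m]], ((m in host) ? host[m] : "-")
    }' | sort
}

# Constructed sample log (not captured from a real hotspot).
sample_dnsmasq_log() {
    cat <<'EOF'
Apr 26 14:02:11 dnsmasq-dhcp[512]: DHCPDISCOVER(wlan0) aa:bb:cc:00:00:01
Apr 26 14:02:11 dnsmasq-dhcp[512]: DHCPOFFER(wlan0) 33.33.33.40 aa:bb:cc:00:00:01
Apr 26 14:02:11 dnsmasq-dhcp[512]: DHCPREQUEST(wlan0) 33.33.33.40 aa:bb:cc:00:00:01
Apr 26 14:02:11 dnsmasq-dhcp[512]: DHCPACK(wlan0) 33.33.33.40 aa:bb:cc:00:00:01 phone-a
Apr 26 14:02:13 dnsmasq[512]: query[A] example.com from 33.33.33.40
Apr 26 14:02:13 dnsmasq[512]: config example.com is 33.33.33.33
Apr 26 14:02:15 dnsmasq[512]: query[A] example.org from 33.33.33.40
Apr 26 14:10:40 dnsmasq-dhcp[512]: DHCPREQUEST(wlan0) 33.33.33.41 AA:BB:CC:00:00:02
Apr 26 14:10:40 dnsmasq-dhcp[512]: DHCPACK(wlan0) 33.33.33.41 AA:BB:CC:00:00:02
Apr 26 15:02:11 dnsmasq-dhcp[512]: DHCPREQUEST(wlan0) 33.33.33.40 aa:bb:cc:00:00:01
EOF
}

sample_dnsmasq_log | hotspot_clients
```

On the device, feed it the real log with `sudo cat /tmp/dnsmasq.log | hotspot_clients`. Many phones randomise their MAC address per network, so one line is one network identity rather than necessarily one person.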

What are the major components of the firmware build? What are some interesting configuration files on this device?

Hostapd

Hostapd is the daemon that turns your Raspberry Pi into a wifi hotspot. It’s configured to run 802.11g wifi and spin up an open wifi network named “Join me”. hostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and RADIUS authentication server. https://w1.fi/hostapd/
Interesting Files
  • /etc/hostapd/CaptivePortalAPD.conf
  • /etc/default/hostapd (Points to our CaptivePortalAPD.conf file for wifi configuration and configures logging to /tmp/hostapd.log)
  • /etc/init.d/hostapd (Used for initializing hostapd at boot)
  • /etc/sysctl.conf (disables IPv4 forwarding, keeping those who attach to your hotspot from being able to route out to your LAN)
Useful commands
  • TBD <-- #Tells you about firewall rules restricting access to your RaspberryPi and LAN network

DNSmasq

DNSmasq is configured to redirect all DNS requests to the IP address of the gateway (33.33.33.33). Every device on the local wifi network is offered a .itm TLD hostname for the local network. The log file for dnsmasq is at /tmp/dnsmasq.log, which you can tail to see which devices have been assigned IP addresses, what the DNS requests are, etc. Most websites that use TLS will fail with a currently unrecoverable cert error. If the visitor accesses an HTTP site that doesn’t have HSTS configured, they’ll be rerouted to the captive portal on the server. DNSmasq is restricted to the wlan0 interface, which prevents any DNS poisoning on your LAN.
Interesting Files
  • /etc/dnsmasq.conf
  • /tmp/dnsmasq.log (want to see who is attached to the hotspot? Tail this file)
Useful commands
  • arp -a | grep wlan0 <-- Tells you if any devices are attached to the wifi network
  • tail -f /tmp/dnsmasq.log <-- Tells you MAC addresses & IP assignment for attached devices, as well as DNS requests that were redirected to the hotspot itself
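
The two isolation properties described above (IPv4 forwarding disabled in /etc/sysctl.conf, and dnsmasq limited to wlan0 while answering every name with 33.33.33.33) can be checked after any config change. This is an added example, not part of the hotspot image; it assumes the settings are written with the standard `net.ipv4.ip_forward`, `interface=` and `address=/#/<ip>` directives, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of the hotspot image. Audits the isolation settings
# the guide describes. Assumption: they are written with the standard
# directives net.ipv4.ip_forward, interface= and address=/#/<ip>.

# conf_values KEY FILE -> every uncommented value of KEY, one per line
conf_values() {
    sed -e 's/^[[:space:]]*#.*//' -e 's/[[:space:]][[:space:]]*#.*//' \
        -e 's/[[:space:]]//g' "$2" |
        awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2) }'
}

# audit_isolation SYSCTL_CONF DNSMASQ_CONF -> returns 0 only if all checks pass
audit_isolation() {
    rc=0
    # The last assignment wins; an unset key leaves the kernel default (off).
    fwd=$(conf_values net.ipv4.ip_forward "$1" | tail -n 1)
    if [ "${fwd:-0}" = "0" ]; then echo "PASS ip_forward off"
    else echo "FAIL ip_forward=$fwd"; rc=1; fi

    # dnsmasq must name wlan0 and nothing else, or it also answers on the LAN.
    ifaces=$(conf_values interface "$2" | sort -u | tr '\n' ' ')
    if [ "$ifaces" = "wlan0 " ]; then echo "PASS dnsmasq on wlan0 only"
    else echo "FAIL dnsmasq interfaces: ${ifaces:-unset (all)}"; rc=1; fi

    # address=/#/<ip> answers every name with the gateway address.
    if conf_values address "$2" | grep -qx '/#/33\.33\.33\.33'
    then echo "PASS wildcard DNS to 33.33.33.33"
    else echo "FAIL no address=/#/33.33.33.33"; rc=1; fi
    return "$rc"
}

# Constructed sample files (not copied from the image): hardened and weak.
write_samples() {
    printf 'net.ipv4.ip_forward=0\n' > "$1/sysctl.good"
    printf '# hotspot\ninterface=wlan0\naddress=/#/33.33.33.33\n' > "$1/dnsmasq.good"
    printf 'net.ipv4.ip_forward = 1\n' > "$1/sysctl.weak"
    printf 'interface=wlan0\ninterface=eth0\n' > "$1/dnsmasq.weak"
}

demo=$(mktemp -d)
write_samples "$demo"
audit_isolation "$demo/sysctl.good" "$demo/dnsmasq.good"
audit_isolation "$demo/sysctl.weak" "$demo/dnsmasq.weak" || echo "weak sample rejected"
rm -rf "$demo"
```

On the device, run `audit_isolation /etc/sysctl.conf /etc/dnsmasq.conf`. It reads only the files named, so also compare against the running value from `sysctl net.ipv4.ip_forward`, which drop-in files under /etc/sysctl.d can change.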

Lighttpd

Lighttpd is configured to host the static content & the Perl integration for the local Kareha image board (https://wakaba.c3.cx/s/web/wakaba_kareha).
Interesting Files
  • /etc/lighttpd.conf
  • /var/log/lighttpd/error.log
  • /var/log/lighttpd/access.log
  • /var/www/html/ (web root)
  • /var/www/html/cgi-bin/[config.pl, config_defaults.pl] (kareha configuration scripts)
Useful commands
  • tail -f /var/log/lighttpd/access.log <-- #Tells you about connection attempts to the webserver

Icecast

Icecast is free server software for streaming multimedia. (https://www.icecast.org).
Interesting Files
  • /etc/icecast2/icecast.xml (Defines configuration for serving a web page for streaming the content at na-internet-in-a-box.itm:8000, specifies access & error log configuration and defines the mount point (/itm) & appropriate credentials for the audio stream.)
Useful commands
  • tail -f /var/log/icecast2/error.log <-- #Tells you about errors launching icecast server

Ices 0.4

Ices is a “Source Client” which transmits an audio stream to the Icecast Server. You can learn more about the distinction between Ices & Icecast here.
Interesting Files
  • /etc/ices2/ices-playlist.xml (Defines configuration for a client that can stream the MP3s we’ve downloaded to the Icecast server for rebroadcasting to devices attached to the network. Note that in this file, we provide the port, mountpoint name & the appropriate credentials for connecting to the ITM mountpoint of the Icecast server.)
  • /etc/ices2/playlist.txt (This is a text file, populated by a systemd script run every Thursday & Sunday.)
  • /var/log/ices/ices.log (a log file for the ices client)
  • /etc/systemd/system/ices_source.service (service starts the ices source client during boot)
Useful commands
  • tail -f /var/log/icecast2/error.log <-- #Tells you about errors launching icecast server

Kareha

Kareha is an imageboard script that supports anonymous posting. This gives you a little chat room that network passers-by can post to. You can manage what’s posted by using the admin password found in /var/www/html/cgi-bin/config_defaults.pl when prompted for a password to delete posts/threads on the web form.
Interesting Files
  • /var/www/html/cgi-bin/[config.pl, config_defaults.pl] (kareha configuration scripts)
Useful commands
  • systemctl --user status schedule-greg.service <-- #This service manages downloading of new versions of the podcast
  • systemctl --user status schedule-Ices-PlaylistJanitor.service <-- #This service manages the updating of the Ices Playlist to use the new versions of the podcast.
  • ps -aux | grep ices <-- #The podcast stream starts one minute after boot up. If the stream is inaccessible, it's probably because the ices client is not working. Use this command to check whether the service is running