mirror of
https://github.com/billz/raspap-webgui.git
synced 2023-10-10 13:37:24 +02:00
Updated for v.2.3.1
parent
639069dce6
commit
ba8a60f939
@ -1,135 +1,184 @@
|
||||
> :information_source: **Note:** These instructions apply to the [v2.3 release](https://github.com/billz/raspap-webgui/releases/tag/2.3) of RaspAP. They will be updated shortly to include support for Debian, Armbian and Ubuntu Server. You can still use them for Raspbian.
|
||||
These steps apply to the latest release of Raspbian (currently [Buster](https://www.raspberrypi.org/downloads/raspbian/)), Debian and Armbian. Notes for previous versions, Ubuntu Server 18.04 TLS and 19.10 are provided, where applicable. Please refer to [this](https://github.com/billz/raspap-webgui#supported-operating-systems) regarding operating systems support.
|
||||
|
||||
Start off by following the [project prerequisites](https://github.com/billz/raspap-webgui#prerequisites), updating your kernel, firmware and packages to their latest versions:
|
||||
|
||||
These steps apply to the latest release of Raspbian (currently [Buster](https://www.raspberrypi.org/downloads/raspbian/)). Notes for previously released versions are provided, where applicable. Start off by installing git, lighttpd, php7, hostapd, dnsmasq and some extra packages.
|
||||
```sh
|
||||
sudo apt-get install git lighttpd php7.3-cgi hostapd dnsmasq vnstat qrencode
|
||||
```
|
||||
**Note:** for Raspbian Stretch, replace `php7.3-cgi` with `php7.0-cgi`. php5 is no longer supported. After that, enable PHP for lighttpd and restart it for the settings to take effect.
|
||||
```sh
|
||||
sudo apt-get update
|
||||
sudo apt-get dist-upgrade
|
||||
sudo reboot
|
||||
```
|
||||
|
||||
On Ubuntu Server, add a dependency and the `ppa:ondrej/php` apt package.
|
||||
|
||||
```
|
||||
sudo apt-get install software-properties-common
|
||||
sudo add-apt-repository ppa:ondrej/php
|
||||
```
|
||||
|
||||
On Debian, Armbian and Ubuntu, install `dhcpcd5`. **Note:** skip this step if using Raspbian.
|
||||
|
||||
```
|
||||
sudo apt-get install dhcpcd5
|
||||
```
|
||||
|
||||
Install git, lighttpd, php7, hostapd, dnsmasq and some extra packages. **Note:** for Ubuntu, you may replace `php7.3-cgi` with `php7.4-cgi`. For Raspbian Stretch, replace `php7.3-cgi` with `php7.0-cgi`. php5 is no longer supported.
|
||||
|
||||
```
|
||||
sudo apt-get install lighttpd git hostapd dnsmasq iptables-persistent vnstat qrencode php7.3-cgi
|
||||
```
|
||||
|
||||
Enable PHP for lighttpd and restart it for the settings to take effect.
|
||||
```
|
||||
sudo lighttpd-enable-mod fastcgi-php
|
||||
sudo service lighttpd restart
|
||||
```
|
||||
Now comes the fun part. For security reasons, the `www-data` user which lighttpd runs under is not allowed to start or stop daemons, or run commands like ifdown and ifup, all of which we want our page to do.
|
||||
So what I have done is added the `www-data` user to the sudoers file, but with restrictions on what commands the user can run. Add the following to the end of `/etc/sudoers` with `sudo visudo`:
|
||||
|
||||
```sh
|
||||
www-data ALL=(ALL) NOPASSWD:/sbin/ifdown
|
||||
www-data ALL=(ALL) NOPASSWD:/sbin/ifup
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/cat /etc/wpa_supplicant/wpa_supplicant.conf
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/cat /etc/wpa_supplicant/wpa_supplicant-wlan[0-9].conf
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/wifidata /etc/wpa_supplicant/wpa_supplicant.conf
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/wifidata /etc/wpa_supplicant/wpa_supplicant-wlan[0-9].conf
|
||||
www-data ALL=(ALL) NOPASSWD:/sbin/wpa_cli -i wlan[0-9] scan_results
|
||||
www-data ALL=(ALL) NOPASSWD:/sbin/wpa_cli -i wlan[0-9] scan
|
||||
www-data ALL=(ALL) NOPASSWD:/sbin/wpa_cli -i wlan[0-9] reconfigure
|
||||
www-data ALL=(ALL) NOPASSWD:/sbin/wpa_cli -i wlan[0-9] select_network
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/hostapddata /etc/hostapd/hostapd.conf
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/systemctl start hostapd.service
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/systemctl stop hostapd.service
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/systemctl start dnsmasq.service
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/systemctl stop dnsmasq.service
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/systemctl start openvpn-client@client
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/systemctl stop openvpn-client@client
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/openvpn.ovpn /etc/openvpn/client/client.conf
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/authdata /etc/openvpn/client/login.conf
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/dnsmasqdata /etc/dnsmasq.conf
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/cp /tmp/dhcpddata /etc/dhcpcd.conf
|
||||
www-data ALL=(ALL) NOPASSWD:/sbin/shutdown -h now
|
||||
www-data ALL=(ALL) NOPASSWD:/sbin/reboot
|
||||
www-data ALL=(ALL) NOPASSWD:/sbin/ip link set wlan[0-9] down
|
||||
www-data ALL=(ALL) NOPASSWD:/sbin/ip link set wlan[0-9] up
|
||||
www-data ALL=(ALL) NOPASSWD:/sbin/ip -s a f label wlan[0-9]
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/cp /etc/raspap/networking/dhcpcd.conf /etc/dhcpcd.conf
|
||||
www-data ALL=(ALL) NOPASSWD:/etc/raspap/hostapd/enablelog.sh
|
||||
www-data ALL=(ALL) NOPASSWD:/etc/raspap/hostapd/disablelog.sh
|
||||
www-data ALL=(ALL) NOPASSWD:/etc/raspap/hostapd/servicestart.sh
|
||||
www-data ALL=(ALL) NOPASSWD:/etc/raspap/lighttpd/configport.sh
|
||||
www-data ALL=(ALL) NOPASSWD:/etc/raspap/openvpn/configauth.sh
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/chmod o+r /tmp/hostapd.log
|
||||
www-data ALL=(ALL) NOPASSWD:/bin/chmod o+r /tmp/dnsmasq.log
|
||||
sudo service lighttpd force-reload
|
||||
sudo systemctl restart lighttpd.service
|
||||
```
|
||||
|
||||
Once those modifications are done, git clone the files to `/var/www/html`.
|
||||
```sh
|
||||
Prepare the web destination and git clone the files to `/var/www/html`.
|
||||
```
|
||||
sudo rm -rf /var/www/html
|
||||
sudo git clone https://github.com/billz/raspap-webgui /var/www/html
|
||||
```
|
||||
Move the high-res favicons to the web root.
|
||||
|
||||
Now comes the fun part. For security reasons, the `www-data` user which lighttpd runs under is not allowed to start or stop daemons, or run commands like ifdown and ifup, all of which we want RaspAP to do. So we will add the `www-data` user to sudoers, but with restrictions on what commands the user can run. Copy the sudoers rules to their destination:
|
||||
|
||||
```
|
||||
sudo mv /var/www/html/app/icons/* /var/www/html
|
||||
cd /var/www/html
|
||||
sudo cp installers/raspap.sudoers /etc/sudoers.d/090_raspap
|
||||
```
|
||||
|
||||
Create the RaspAP configuration directories. Add `/etc/dhcpcd.conf` as a base config:
|
||||
|
||||
```
|
||||
sudo mkdir /etc/raspap/
|
||||
sudo mkdir /etc/raspap/backups
|
||||
sudo mkdir /etc/raspap/networking
|
||||
sudo mkdir /etc/raspap/hostapd
|
||||
sudo mkdir /etc/raspap/lighttpd
|
||||
cat /etc/dhcpcd.conf | sudo tee -a /etc/raspap/networking/defaults > /dev/null
|
||||
```
|
||||
|
||||
Move RaspAP's auth control file to the correct location.
|
||||
|
||||
```
|
||||
sudo cp raspap.php /etc/raspap
|
||||
```
|
||||
|
||||
Set the files ownership to `www-data` user for the web files and RaspAP config.
|
||||
|
||||
```
|
||||
Set the files ownership to `www-data` user.
|
||||
```sh
|
||||
sudo chown -R www-data:www-data /var/www/html
|
||||
```
|
||||
Move the RaspAP configuration file to the correct location.
|
||||
```sh
|
||||
sudo mkdir /etc/raspap
|
||||
sudo mv /var/www/html/raspap.php /etc/raspap/
|
||||
sudo chown -R www-data:www-data /etc/raspap
|
||||
```
|
||||
|
||||
Move the HostAPD logging and service control shell scripts to the correct location.
|
||||
```sh
|
||||
sudo mkdir /etc/raspap/hostapd
|
||||
sudo mv /var/www/html/installers/*log.sh /etc/raspap/hostapd
|
||||
sudo mv /var/www/html/installers/service*.sh /etc/raspap/hostapd
|
||||
|
||||
```
|
||||
sudo mv installers/*log.sh /etc/raspap/hostapd
|
||||
sudo mv installers/service*.sh /etc/raspap/hostapd
|
||||
```
|
||||
|
||||
Set ownership and permissions for logging and service control scripts.
|
||||
```sh
|
||||
|
||||
```
|
||||
sudo chown -c root:www-data /etc/raspap/hostapd/*.sh
|
||||
sudo chmod 750 /etc/raspap/hostapd/*.sh
|
||||
```
|
||||
Add the following lines to `/etc/rc.local` before `exit 0`.
|
||||
```sh
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward #RASPAP
|
||||
iptables -t nat -A POSTROUTING -j MASQUERADE #RASPAP
|
||||
iptables -t nat -A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE #RASPAP
|
||||
|
||||
Copy and set ownership of the lighttpd control scripts
|
||||
```
|
||||
Force a reload of new settings in `/etc/rc.local`.
|
||||
```sh
|
||||
sudo systemctl restart rc-local.service
|
||||
sudo cp installers/configport.sh /etc/raspap/lighttpd
|
||||
sudo chown -c root:www-data /etc/raspap/lighttpd/*.sh
|
||||
```
|
||||
|
||||
Move the raspap service to the correct location and enable it.
|
||||
|
||||
```
|
||||
sudo mv installers/raspapd.service /lib/systemd/system
|
||||
sudo systemctl daemon-reload
|
||||
sudo systemctl enable raspapd.service
|
||||
```
|
||||
|
||||
Copy the configuration files for dhcpcd, dnsmasq, and hostapd. Optionally, backup your existing hostapd.conf.
|
||||
|
||||
```
|
||||
sudo mv /etc/default/hostapd ~/default_hostapd.old
|
||||
sudo cp /etc/hostapd/hostapd.conf ~/hostapd.conf.old
|
||||
sudo cp config/default_hostapd /etc/default/hostapd
|
||||
sudo cp config/hostapd.conf /etc/hostapd/hostapd.conf
|
||||
sudo cp config/dnsmasq.conf /etc/dnsmasq.d/090_raspap.conf
|
||||
sudo cp config/dhcpcd.conf /etc/dhcpcd.conf
|
||||
sudo cp config/config.php /var/www/html/includes/
|
||||
```
|
||||
|
||||
Disable `systemd-networkd` and copy the bridge configuration.
|
||||
|
||||
```
|
||||
sudo systemctl stop systemd-networkd
|
||||
sudo systemctl disable systemd-networkd
|
||||
sudo cp config/raspap-bridge-br0.netdev /etc/systemd/network/raspap-bridge-br0.netdev
|
||||
sudo cp config/raspap-br0-member-eth0.network /etc/systemd/network/raspap-br0-member-eth0.network
|
||||
```
|
||||
|
||||
(Optional) Optimize PHP, replacing `php7.3-cgi` with your installed version.
|
||||
|
||||
```
|
||||
sudo sed -i -E 's/^session\.cookie_httponly\s*=\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\s*$/session.cookie_httponly = 1/' /etc/php/7.3/cgi/php.ini
|
||||
sudo sed -i -E 's/^;?opcache\.enable\s*=\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\s*$/opcache.enable = 1/' /etc/php/7.3/cgi/php.ini
|
||||
sudo phpenmod opcache
|
||||
```
|
||||
|
||||
Enable IP forwarding.
|
||||
|
||||
```
|
||||
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/90_raspap.conf > /dev/null
|
||||
sudo sysctl -p /etc/sysctl.d/90_raspap.conf
|
||||
sudo /etc/init.d/procps restart
|
||||
```
|
||||
|
||||
Create iptables NAT rules and persist them.
|
||||
|
||||
```
|
||||
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
|
||||
sudo iptables -t nat -A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE
|
||||
sudo iptables-save | sudo tee /etc/iptables/rules.v4
|
||||
```
|
||||
|
||||
Unmask and enable hostapd.service
|
||||
|
||||
```
|
||||
Unmask and enable the hostapd service.
|
||||
```sh
|
||||
sudo systemctl unmask hostapd.service
|
||||
sudo systemctl enable hostapd.service
|
||||
```
|
||||
Move the raspap service to the correct location and enable it.
|
||||
```
|
||||
sudo mv /var/www/html/installers/raspap.service /lib/systemd/system
|
||||
sudo systemctl enable raspap.service
|
||||
```
|
||||
Copy the configuration files for dhcpcd, dnsmasq, and hostapd.
|
||||
```
|
||||
sudo mv /var/www/html/config/default_hostapd /etc/default/hostapd
|
||||
sudo mv /var/www/html/config/hostapd.conf /etc/hostapd/hostapd.conf
|
||||
sudo mv /var/www/html/config/dnsmasq.conf /etc/dnsmasq.conf
|
||||
sudo mv /var/www/html/config/dhcpcd.conf /etc/dhcpcd.conf
|
||||
sudo mv /var/www/html/config/config.php /var/www/html/includes/
|
||||
```
|
||||
(Optional) Optimize PHP
|
||||
```
|
||||
sudo sed -i -E 's/^session\.cookie_httponly\s*=\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\s*$/session.cookie_httponly = 1/' /etc/php/7.1/cgi/php.ini
|
||||
sudo sed -i -E 's/^;?opcache\.enable\s*=\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\s*$/opcache.enable = 1/' /etc/php/7.1/cgi/php.ini
|
||||
sudo phpenmod opcache
|
||||
```
|
||||
(Optional) Install OpenVPN, enable option in RaspAP config and enable openvpn-client service
|
||||
|
||||
(Optional) Install OpenVPN, enable option in RaspAP config and enable openvpn-client service.
|
||||
|
||||
```
|
||||
sudo apt-get install openvpn
|
||||
sudo sed -i "s/\('RASPI_OPENVPN_ENABLED', \)false/\1true/g" /var/www/html/includes/config.php
|
||||
sudo systemctl enable openvpn-client@client
|
||||
```
|
||||
(Optional) Create OpenVPN auth control scripts, set ownership and permissions
|
||||
|
||||
(Optional) Create OpenVPN auth control scripts, set ownership and permissions.
|
||||
|
||||
```
|
||||
sudo mkdir /etc/raspap/openvpn
|
||||
sudo cp /var/www/html/installers/configauth.sh /etc/raspap/openvpn
|
||||
sudo mkdir /etc/raspap/openvpn/
|
||||
sudo cp installers/configauth.sh /etc/raspap/openvpn/
|
||||
sudo chown -c root:www-data /etc/raspap/openvpn/*.sh
|
||||
sudo chmod 750 /etc/raspap/openvpn/*.sh
|
||||
```
|
||||
Reboot and it should be up and running!
|
||||
```sh
|
||||
|
||||
Reboot and it should be up and running.
|
||||
|
||||
```
|
||||
sudo reboot
|
||||
```
|
||||
|
||||
The default username is 'admin' and the default password is 'secret'.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user