diff --git a/search/search_index.json b/search/search_index.json index 078d9a4..a1dbcbb 100644 --- a/search/search_index.json +++ b/search/search_index.json @@ -1 +1 @@ -{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Overview","text":"

Simple AP setup & WiFi management for Debian-based devices

"},{"location":"#about","title":"About","text":"

RaspAP is feature-rich wireless router software that just works on many popular Debian-based devices, including the Raspberry Pi. Our popular Quick installer and Docker container create a known-good default configuration in minutes on all current Raspberry Pis with onboard wireless.

"},{"location":"#quick-start","title":"Quick start","text":"

Start with a clean install of the latest release of Raspberry Pi OS Lite. Both the 32- and 64-bit release versions are supported, as well as the latest 64-bit Desktop distribution. Consult this FAQ before installing RaspAP in a desktop environment.

Tip

Be sure to use an official power supply with your device. Power supply requirements differ by Raspberry Pi model. Inadequate voltage is the source of many WiFi issues.

Update RPi OS to its latest version, including the kernel and firmware, followed by a reboot:

sudo apt-get update\nsudo apt-get full-upgrade\nsudo reboot\n
Set the WiFi country in raspi-config's Localisation Options: sudo raspi-config.

Important

Failure to perform this step will prevent the RPi from enabling wireless operation. When this happens, you will see the warning Wi-Fi is currently blocked by rfkill in the console.

Install RaspAP from your device's shell prompt:

curl -sL https://install.raspap.com | bash\n
The Quick installer will complete the steps in the manual installation for you.

After the reboot at the end of the installation the wireless AP network will be configured as follows:

IP address: 10.3.141.1 Username: admin Password: secret DHCP range: 10.3.141.50 to 10.3.141.254 SSID: raspi-webgui Password: ChangeMe

It's strongly recommended that your first post-install action is to change the default admin authentication settings. Thereafter, your AP's basic settings and many advanced options are now ready to be modified by RaspAP.

Tip

If this is not a clean install or you are configuring a device with a non-standard integration try following the manual installation instructions or deploy RaspAP in a Docker container.

"},{"location":"#get-insiders","title":"Get Insiders","text":"

RaspAP is free software, but powered by your support. If you find RaspAP useful for your personal or commercial projects, become a sponsor and get access to exclusive features in the Insiders Edition.

"},{"location":"#compatible-operating-systems","title":"Compatible operating systems","text":"

RaspAP was originally made for Raspbian, but now also installs on the following Debian-based distros.

Distribution Release Architecture Support Raspberry Pi OS (64-bit) Lite Bookworm ARM Official Raspberry Pi OS (32-bit) Lite Bookworm ARM Official Raspberry Pi OS (64-bit) Desktop Bookworm ARM Official Raspberry Pi OS (64-bit) Lite Bullseye ARM Official Raspberry Pi OS (32-bit) Lite Bullseye ARM Official Armbian 23.11 (Jammy) ARM Beta Debian Bookworm ARM / x86_64 Beta Ubuntu Server 23.04 (Lunar) ARM / x86_64 Beta

You are also encouraged to use RaspAP's community-led Docker container.

Please note that \"supported\" is not a guarantee. If you are able to improve support for your preferred distro, we encourage you to actively contribute to the project.

"},{"location":"#get-involved","title":"Get involved","text":"

We welcome all users of RaspAP to contribute to the project. This can take the form of issue reports, discussions, or pull requests. Developers can get started by following these steps:

  1. Fork the project in your account and create a new branch: your-great-feature.
  2. Open an issue in the repository describing the feature contribution you'd like to make.
  3. Commit changes in your feature branch.
  4. Open a pull request and reference the initial issue in the pull request message.

Find out more about our coding style guidelines and recommended tools.

"},{"location":"#discussions","title":"Discussions","text":"

Questions or comments about the Quick start? Join the discussion here.

"},{"location":"adblock/","title":"Ad blocking","text":"

RaspAP has introduced a new DNS based filter to stop ads, trackers, malware and other undesirable hosts in their tracks.

In the best of times, ads are usually just annoying. When access to online services served by our AP is hampered by ads, malware and trackers, the best tool in our arsenal is DNS blacklisting. RaspAP already uses dnsmasq to manage both DHCP and DNS, so we have the foundation for a highly effective ad blocking facility.

"},{"location":"adblock/#quick-installer","title":"Quick installer","text":"

To install ad blocking with DNS blacklists, simply respond with Y or press Enter when prompted by the installer:

Install ad blocking and enable list management? [Y/n]\n

The installer will download the blocklists, configure RaspAP to use them and enable the Ad blocking management page.

Ad blocking is enabled and active for clients connected to your AP. You may update the blocklists or disable ad blocking with the management page. These actions are described below.

"},{"location":"adblock/#manual-installation","title":"Manual installation","text":"

Ad blocking may also be installed manually. Refer to the detailed installation steps.

"},{"location":"adblock/#blocklist-sources","title":"Blocklist sources","text":"

Blocklists are sourced from multiple, continuously updated open source projects. These are divided into two groups: hosts and domain blocklists. By default, RaspAP's ad block facility uses StevenBlack's hosts as the primary hosts blocklist. This repository is a hosts file aggregator that consolidates several reputable hosts files and merges them into a unified, optimized hosts file with duplicates removed.

Alternatively, users may choose from a number of host blocklist sources maintained by the badmojr/1Hosts GitHub project. These lists are compiled daily into Mini, Lite, Pro and Xtra versions depending on specific user needs. Refer to the GitHub project for an explanation of these different blocklists.

In addition to blocking hosts, domain blocking gives us the ability to use wildcards with dnsmasq to block an entire domain (for example, baddomain.org) with a single rule. This includes all known and unknown subdomains, such as *.baddomain.org. Domain blocklists are provided by the OISD project. Similar to hosts lists, these are continuously updated and curated into several lists: Small, Big and NSFW. Refer to the OISD project for an explanation of these lists.

"},{"location":"adblock/#updating-lists","title":"Updating lists","text":"

Each of the hosts and domains blocklists are updated daily, so it's a good practice to refresh them periodically. You can do this from the Ad Blocking management page in RaspAP. Simply select the list from the dropdown and choose Update now.

Next to the update button, a gear icon will appear to indicate that the selected list is being downloaded. Thereafter, a timestamp after each list will indicate when it was last updated.

Note

To apply the latest blocklists, be sure to Restart Ad Blocking.

"},{"location":"adblock/#automatic-updates","title":"Automatic updates","text":"

Alternatively, you may wish to automate the process of keeping the ad block source lists up-to-date. A method to achieve this is described in this FAQ.

"},{"location":"adblock/#custom-blocklist","title":"Custom blocklist","text":"

In addition to the notracking blocklists, you may create your own host blocklist by adding entries on the Custom blocklist tab. Define custom hosts to be blocked by entering an IPv4 or IPv6 address followed by any whitespace (spaces or tabs) and the host name. An IPv4 example would take the form 0.0.0.0 badhost.com. Choose Save settings and Restart Ad Blocking.

Note

As the name suggests, this is effective at blocking individual hosts, but not entire domains (or subdomains).

"},{"location":"adblock/#enabling-logging","title":"Enabling logging","text":"

By default, DNS logging is disabled. If you'd like to see which hosts are being blocked, enable it on the DHCP Server > Logging tab by selecting the Log DNS queries toggle. Save settings and Restart Ad Blocking. The Logging tab on the Ad Blocking page will display blacklisted DNS queries with host addresses of 0.0.0.0. A sample of blocked ad/tracker requests is below.

dnsmasq[9633]: config static.ads-twitter.com is 0.0.0.0\ndnsmasq[9633]: config tag.bounceexchange.com is 0.0.0.0\ndnsmasq[9633]: config cdn.boomtrain.com is 0.0.0.0\ndnsmasq[9633]: config securepubads.g.doubleclick.net is 0.0.0.0\ndnsmasq[9633]: config c.amazon-adsystem.com is 0.0.0.0\ndnsmasq[9633]: config pixel.adsafeprotected.com is 0.0.0.0\ndnsmasq[9633]: config ad.doubleclick.net is 0.0.0.0\ndnsmasq[9633]: config www.summerhamster.com is 0.0.0.0\ndnsmasq[9633]: config c2.taboola.com is 0.0.0.0\ndnsmasq[9633]: config ads.servebom.com is 0.0.0.0\ndnsmasq[9633]: config s.cpx.to is 0.0.0.0\ndnsmasq[9633]: config pixel.quantserve.com is 0.0.0.0\ndnsmasq[9633]: config cdn.taboola.com is 0.0.0.0\ndnsmasq[9633]: config sdk.iad-01.braze.com is 0.0.0.0\n
"},{"location":"adblock/#disabling-ad-block","title":"Disabling ad block","text":"

To disable the ad blocking service, slide the Enable blocklists toggle to its off position, then choose Save settings. You may then restart your hotspot for the changes to take effect.

"},{"location":"adblock/#about-blocklist-policies","title":"About blocklist policies","text":"

The blocklist sources chosen for RaspAP adhere to these policies:

Users may tailor RaspAP's ad blocking to suit their needs by selecting from multiple blocklist sources. Furthermore, domain blocklists enable full use of domain name based wildcard filtering (for example, *.baddomain.org). This reduces the chance of missing any new subdomains and significantly reduces the size of the blocklists.

"},{"location":"adblock/#discussions","title":"Discussions","text":"

Questions or comments about using Ad blocking? Join the discussion here.

"},{"location":"ap-basics/","title":"Access point settings","text":""},{"location":"ap-basics/#basics","title":"Basics","text":"

After running the Quick installer, Docker setup or following the manual installation steps, RaspAP will start up a routed wireless access point (AP) with a default configuration. As part of this initial setup, the hostapd service broadcasts an AP with the following settings:

Interface: wlan0 SSID: raspi-webgui Wireless Mode: 802.11n - 2.4GHz Channel: 1 Security Type: WPA2 Encryption Type: CCMP Passphrase: ChangeMe

Each of these settings may be changed on the Hotspot > Basic and Security tabs to any values you wish. Your changes will be applied and made visible on the broadcasted AP by choosing Save settings followed by Restart hotspot.

At this point, a dialog will appear to indicate the progress of the RaspAP service. This is a Linux systemd process that is responsible for starting up several network services in a specific order and timing.

"},{"location":"ap-basics/#connecting-clients","title":"Connecting clients","text":"

When the AP is operational, you may connect clients to it by using one of two methods:

  1. Select the SSID from the list of available networks on your device and enter the passphrase.
  2. Scan the QR code displayed on the Hotspot > Security tab and join the AP.

By default, clients are assigned IP addresses from the DHCP range 10.3.141.50 \u2014 10.3.141.254. These values may be changed in the DHCP options section of the DHCP server settings UI. If for some reason a client is unable to obtain an IP address from your AP, consult this FAQ.

"},{"location":"ap-basics/#80211ac-5-ghz","title":"802.11ac 5 GHz","text":"

For devices with compatible wireless hardware, RaspAP version 3.0 largely removes the guesswork in creating a 5 GHz access point. It achieves this by being tightly integrated with the wireless regulatory database used by the Linux kernel. Behind the scenes, RaspAP queries iw and intelligently matches its output with the 5 GHz channels allowed by hostapd, the user space daemon access point software.

From the Hotspot > Advanced tab, select your country from the dropdown then choose Save settings. This sets the wireless regulatory domain for your device. Now, on the Hotspot > Basic tab choose an interface and select the 802.11ac - 5 GHz wireless mode option. RaspAP will automatically populate the available 5 GHz channels for your country. Select a channel followed by Save settings, then Start or Restart hotspot.

Tip

Not all AC channels may be compatible with your hardware. If your hotspot fails to start, enable hostapd service logging by sliding the Logfile output toggle on the Hotspot > Logging tab, followed by Save settings, then Restart hotspot. See this FAQ for more assistance.

If the Channel dropdown and Save settings button are disabled, refer to this FAQ.

"},{"location":"ap-basics/#security-settings","title":"Security settings","text":"

WPA2 is currently the most secure standard utilizing AES (Advanced Encryption Standard) and a pre-shared key for authentication. WPA2 is also backwards compatible with TKIP to allow interoperability with legacy devices. AES uses the CCMP encryption protocol which is a stronger algorithm for message integrity and confidentiality.

By default, RaspAP's access point is configured with WPA2 and CCMP encryption. You may of course change this to allow legacy clients (older mobile devices, for example) by selecting TKIP+CCMP as the encryption type. Choose Save settings and Restart hotspot for your changes to take effect.

"},{"location":"ap-basics/#wpa3-personal","title":"WPA3-Personal","text":"

Experimental \u00b7 Insiders only

WPA3 is an improved encryption standard, thanks to Simultaneous Authentication of Equals (SAE) which replaces the Pre-Shared Key (PSK) authentication method used in prior WPA versions. WPA3-Personal allows for better password-based authentication even when using simple passphrases. In general, WPA3-Personal networks with simple passphrases are more difficult to crack by using brute-force, dictionary-based methods, as with WPA/WPA2.

WPA3 also requires the use of Protected Management Frames (PMFs) to increase network security. If you wish to connect AP clients that may not have support for WPA3-Personal or PMFs, a transitional security mode is also available.

Note

The Raspberry Pi's onboard wireless chipsets do not currently support the WPA3 standard. For this reason, in order to use this setting you will need to configure your AP with an external wireless adapter that supports WPA3.

"},{"location":"ap-basics/#80211w","title":"802.11w","text":"

Experimental \u00b7 Insiders only

The 802.11w amendment was introduced as a way to secure Wi-Fi management frames against attacks by ensuring that these frames are legitimately exchanged between an AP and its clients, rather than a malicious third-party. These 802.11w Protected Management Frames (PMFs) can mitigate common types of \"deauthentication\" and \"disassociation\" attacks.

Similar to WPA3-Personal, 802.11w may be configured in one of two modes: enabled and required. Enabled allows for mixed operation by allowing legacy devices that do not support 802.11w to associate while also allowing devices that support 802.11w to use the PMF features. Required will prevent clients that do not support 802.11w from associating with the SSID.

"},{"location":"ap-basics/#drag-drop-widgets","title":"Drag & drop widgets","text":"

Experimental \u00b7 Insiders only

The default dashboard layout may be customized to suit your needs. Enable this option from the System > Theme menu by selecting the Dynamic widgets toggle. Next, from the Dashboard click or tap the icon to modify the widgets. Each widget may be resized, dragged and repositioned. Release the widget to drop it into a new location.

Tip

This option works best for large displays. The default dashboard widgets are optimized for mobile devices and smaller displays.

Click or tap the icon a second time when you're done making changes. The new responsive dashboard layout will be saved to your browser's local storage.

"},{"location":"ap-basics/#printable-signs","title":"Printable signs","text":"

Experimental \u00b7 Insiders only

Beneath the QR code on the Hotspot > Security tab, you will find a link to open a \"Wi-Fi connect\" sign suitable for printing. Click or tap the link after the printer icon to open a new window with your hotspot's QR code, SSID and password neatly formatted.

To print, select File > Print from your browser's toolbar and adjust print preferences as needed. This feature can be especially useful if you operate a public wireless access point. You may also opt to integrate a captive portal for your visitors.

"},{"location":"ap-basics/#advanced-options","title":"Advanced options","text":"

The above sections cover everything you will need for a basic routed AP. The Hotspot > Advanced tab has several options that allow you to control advanced settings for the Linux hostapd service. These are discussed in the following sections.

"},{"location":"ap-basics/#bridged-ap-mode","title":"Bridged AP mode","text":"

If you wish to configure RaspAP as a bridged AP, this may be done by sliding the Bridged AP mode toggle, saving settings and restarting the hotspot. Be aware that when the hotspot restarts you will no longer be able to access the web interface from the default 10.1.141.1 address. Refer to this explanation and tips for administering your bridged AP.

"},{"location":"ap-basics/#wifi-repeater-mode","title":"WiFi repeater mode","text":"

Experimental \u00b7 Insiders only

RaspAP is capable of acting as a wireless repeater to connect to your wireless network and rebroadcast an existing signal. This requires configuring interface metrics and default routes with DHCP. Alternatively, enabling the WiFi repeater mode toggle will create these settings for you automatically.

Save settings and choose Restart hotspot to active the wireless repeater. As with AP-STA mode, described below, this option is disabled or \"greyed out\" until a wireless client is configured.

"},{"location":"ap-basics/#wifi-client-ap-mode","title":"WiFi client AP mode","text":"

RaspAP has support for this special mode, also known as a micro-AP or simply AP-STA. Typically this can be difficult to configure manually, but RaspAP performs most of the config work behind the scenes for you.

Note

This option is disabled or \"greyed out\" until a wireless client is configured. This can be done via the WiFi client UI, or by manually configuring a valid wpa_supplicant.conf.

Before using this mode, it is recommended that users familiarize themselves with how AP-STA works. Users of AP-STA mode should also be aware of its limitations, and understand that performance and stability of this AP mode will not be equal to using a second wireless adapter bound to a separate interface. For the latter, refer to this FAQ.

"},{"location":"ap-basics/#beacon-interval","title":"Beacon interval","text":"

Wireless APs continuously send beacon frames to indicate their presence, traffic load, and capabilities. The default hostapd beacon interval is 100ms. If desired, you may change this to any value between 15 and 65535.

"},{"location":"ap-basics/#disable-disassoc_low_ack","title":"Disable disassoc_low_ack","text":"

An AP may disassociate a client due to inactivity, transmission failures or other indications of connection loss. This phenomenon can usually be observed in the hostapd logs like so:

wlan0: AP-STA-DISCONNECTED 24:62:ab:fd:24:34\nwlan0: STA 24:62:ab:fd:24:34 IEEE 802.11: disassociated\nwlan0: STA 24:62:ab:fd:24:34 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)\n

This option sets the disassoc_low_ack boolean value for hostapd. Be aware that this value is dependent on driver capabilities. Moreover, hostapd may disassociate a client (or station) for a variety of reasons, so this is not a silver bullet.

"},{"location":"ap-basics/#transmit-power","title":"Transmit power","text":"

RaspAP allows you to control the transmit power of the configured AP interface. The default \"auto\" setting will suffice for the vast majority of APs. A lower txpower value can be useful to mitigate WiFi radio interference, for example if you are hosting multiple APs in a given area. It can also be advantageous to set txpower to a lower value in IoT or similar applications where reduced power consumption is needed.

Set the transmit power by selecting a value from the dropdown and choosing Save settings. The transmit power setting is expressed as dBm, or decibels (dB) with reference to one milliwatt (mW). It is not necessary to restart the AP for this to take effect.

"},{"location":"ap-basics/#maximum-number-of-clients","title":"Maximum number of clients","text":"

This option sets the max_num_sta value for hostapd, and is effective for placing a limit on the number of clients (stations) that can connect to your AP. When the limit is reached, new client connections will be rejected.

Note

The default setting is 2007, but this is merely the value set by hostapd from the IEEE 802.11 specification. It should not be interpreted as a guarantee that RaspAP can support this many simultaneous clients. In practice, this number depends on several factors and is a much lower value, as discussed in this FAQ.

"},{"location":"ap-basics/#custom-user-settings","title":"Custom user settings","text":"

RaspAP gives you control over many common AP settings via the Hotspot > Basic, Security and Advanced tabs. However, hostapd has lots of other options that aren't exposed in the management UI. For this reason, RaspAP lets advanced users define any number of valid hostapd settings by adding them to a custom configuration file.

Begin by creating /etc/hostapd/hostapd.conf.users on your device's filesystem, then add your desired settings to this file. For example, to enable hostapd's built-in support for MAC address filtering, you may add the following:

# Accept/deny lists are read from separate files (containing list of\n# MAC addresses, one per line).\naccept_mac_file=/etc/hostapd.accept\ndeny_mac_file=/etc/hostapd.deny\n

Next, choose Hotspot > Save settings to parse this file and append your custom settings to RaspAP's hostapd configuration. Finally, choose Hotspot > Restart hotspot for your changes to take effect.

Tip

Direct manipulation of advanced hostapd settings may lead to your AP failing to start and/or other unanticipated behavior. For this reason, it's advisable to enable service logging on the Hotspot > Logging tab and monitor the log output for errors.

"},{"location":"ap-basics/#troubleshooting","title":"Troubleshooting","text":"

RaspAP gives you advanced control over several Linux networking-related services. As a result, your AP may fail to start for a variety of reasons. You may also encounter errors connecting clients to the AP, have no internet on AP clients, or observe clients being disconnected from the AP for no apparent reason.

If any of the above happens, one of the best diagnostic tools at your disposal is RaspAP's built-in service logging facility. You may enable the hostapd service log by sliding the Logfile output toggle on the Hotspot > Logging tab and choosing Save settings. Finally, choose Restart hotspot and check the log output.

Similarly, you may also enable DHCP server activity by sliding either of the two logging options on the DHCP server > Logging tab.

"},{"location":"ap-basics/#debug-log","title":"Debug log","text":"

In some situations, you may need more comprehensive information to self-diagnose a problem. RaspAP lets you generate a debug log with a detailed summary of your system including the installed OS, Linux kernel version, attached USB devices, RaspAP settings, network configuration and current state of several AP-related services.

To create this log, simply click or tap on the Generate debug log button from the System > Tools tab. You will be prompted to choose a location to store the generated raspap_debug.log file on your local computer or mobile device. An example portion of RaspAP's debug log is shown below:

System Info\n===========\nHardware: Raspberry Pi 3 Model B Rev 1.2\nDetected OS: Debian GNU/Linux 12 (bookworm) 64-bit\nKernel: Linux raspberrypi 6.1.0-rpi4-rpi-v8 (2023-10-05) aarch64 GNU/Linux\nSystem Uptime: 4 days, 20 hours, 45 minutes\nMemory Usage: 29.0749%\n\nInstalled Packages\n==================\nPHP Version: 8.2.7 (cli) (built: Jun  9 2023 19:37:27) (NTS)\nDnsmasq Version: 2.89\ndhcpcd Version: 9.4.1\nlighttpd Version: 1.4.69\nvnStat Version: 2.10\n\nRaspAP Install\n==============\nRaspAP Version: 2.9.9\nRaspAP Installation Directory: /var/www/html\nRaspAP hostapd.ini contents:\nWifiInterface = wlan0\n

Tip

If you are unable to perform a self-diagnosis and would like to share your debug log (or a portion of it) with another party, upload it to Pastebin or Ubuntu Pastebin. Please don't paste the log in its entirety to RaspAP's discussions, issues or other support channels.

RaspAP's debug log contains information about your system and local network configuration. However, no passwords or other senstive data are included.

"},{"location":"ap-basics/#diagnosing-problems","title":"Diagnosing problems","text":"

Look for any reported errors logged by the hostapd, dhcpcd or dnsmasq services. In most cases, errors thrown by one or more of these services have been discussed in various online forums. Start by searching the official Raspberry Pi forums or Raspberry Pi on Stack Exchange. Chances are the problems with your AP have been discussed and answered before.

For additional help and advice, the FAQ is a rich source of troubleshooting info that is continuously updated with answers to the most commonly asked questions. For issues not covered in the FAQ, you may find many topics in RaspAP discussions and the RaspAP subreddit.

Tip

Capture output from the Linux kernel's message buffer with dmesg to help diagnose failure events. Read the last 100 lines with dmesg | tail -100 and look for any anomalies.

The performance of WiFi radios may be impacted by many factors, including, but not limited to:

  1. Undervoltage due to inadequate power or too many peripherals connected to the USB bus
  2. Interference from a poorly shielded HDMI cable or using a specific HDMI screen resolution
  3. RF interference from overlapping WiFi networks on a crowded 2.4 GHz band.

Bear these things in mind if your AP exhibits unexpected behavior and do your best to mitigate them.

"},{"location":"ap-basics/#reverting-to-base-settings","title":"Reverting to base settings","text":"

It is generally advisable to begin with RaspAP's default configuration, which has been rigorously tested and validated with the project's supported operating systems. If, after modifying RaspAP's default settings, your AP no longer functions as expected, you may perform a system reset to restore these defaults.

"},{"location":"ap-basics/#accessing-backups","title":"Accessing backups","text":"

Each time you revert to RaspAP's base settings, your existing service configuration files are automatically backed up to /etc/raspap/backups. In this way, you can compare differences between your files and the default configuration, if needed. There are many ways to do this in Linux, such as using the built-in GNU diff tool. Another option is to install colordiff, a wrapper for diff that produces the same output but with colored syntax highligting. Install colordiff with sudo apt-get install colordiff.

Similarly, the web files located in the default /var/www/html root are backed up to /var/www in a directory named with a timestamp. Therefore, any changes you've made to RaspAP's internals are preserved.

"},{"location":"ap-basics/#discussions","title":"Discussions","text":"

Questions or comments about using access point settings? Join the discussion here.

"},{"location":"ap-sta/","title":"AP-STA mode","text":""},{"location":"ap-sta/#overview","title":"Overview","text":"

Experimental (Unsupported)

This describes an installation of RaspAP on the Raspberry Pi Zero W or Zero 2 W models. However, the same steps apply to any device with a chipset capable of supporting this mode.

A managed mode AP, variously known as WiFi client AP mode, a micro-AP or simply AP-STA, usually works with the Quick Installer if the steps below are followed carefully. This feature was added to RaspAP specifically to support Internet of Things (IoT) and embedded applications for the Pi Zero W, however it is equally useful for a broad range of projects.

Disclaimer

This mode is completely unsupported and should be used for educational purposes only. If you need a reliable solution with an access point (AP) and wireless client (STA) on the same device, obtain a second Wi-Fi adapter and follow this walkthrough instead. Issues related to this will be labeled as invalid and closed. No hard feelings.

Before proceeding with the installation, it's important to have a basic understanding of how AP-STA works.

"},{"location":"ap-sta/#what-is-ap-sta-mode","title":"What is AP-STA mode?","text":"

Many wireless devices support simultaneous operation as both an access point (AP) and as a wireless client/station (STA). This is sometimes called Wi-Fi AP/STA concurrency. In this configuration, it is possible to create a software AP acting as a wireless repeater for an existing network, using a single wireless device. This capability is listed in the following section in the output of iw list:

$ iw list | grep -A 4 'valid interface'\n    valid interface combinations:\n    * #{ managed } <= 1, #{ P2P-device } <= 1, #{ P2P-client, P2P-GO } <= 1,\n      total <= 3, #channels <= 2\n    * #{ managed } <= 1, #{ AP } <= 1, #{ P2P-client } <= 1, #{ P2P-device } <= 1,\n      total <= 4, #channels <= 1\n

The second valid interface combination indicates that both a managed and AP configuration is possible. The constraint #channels <= 1 means that your software AP must operate on the same channel as your Wi-Fi client connection.

Note

If you have a second wireless adapter bound to wlan1 on a Pi Zero W (or other device), refer to this FAQ.

"},{"location":"ap-sta/#use-cases","title":"Use cases","text":"

There are many scenarios in which AP-STA mode might be useful. These are some of the more popular ones:

  1. A device that connects to a wireless AP but needs an admin interface to configure the network and/or other services.
  2. A hub for Internet of Things devices, while also creating a bridge between them and the internet.
  3. A guest interface to your home wireless network.

Security is an important consideration with IoT and it can be beneficial to keep your devices on a separate network, for safety\u2019s sake. No one wants a random internet user turning your lights on and off.

"},{"location":"ap-sta/#how-does-ap-sta-work","title":"How does AP-STA work?","text":"

In this configuration, we create a virtual network interface (here uap0) and add it as the AP to the physical wlan0 device. This virtual interface is used by several of the services needed to operate a software access point. RaspAP manages these configurations in the background for you. Relevant sections are displayed below as examples.

dhcpcd.conf:

# RaspAP uap0 configuration\ninterface uap0\nstatic ip_address=192.168.50.1/24\nnohook wpa_supplicant\n

hostapd.conf:

# RaspAP wireless client AP mode\ninterface=uap0\n

dnsmasq.conf:

# RaspAP uap0 configuration\ninterface=lo,uap0               # Use interfaces lo and uap0\nbind-interfaces                 # Bind to the interfaces\ndomain-needed                   # Don't forward short names\nbogus-priv                      # Never forward addresses in the non-routed address spaces\n

On AP-STA startup and system reboots, RaspAP's service control script adds the virtual uap0 interface and brings it up, like so:

iw dev wlan0 interface add uap0 type __ap\nifconfig uap0 up\n

After the virtual uap0 interface is added to the wlan0 physical device, we can then start up hostapd. It is important that the virtual interface is brought up first, otherwise it will fail with the message \"could not configure driver mode\". We also need to be sure that the interface is not managed by systemd-networkd, so this service should be disabled. These steps are handled by the RaspAP daemon.

With a basic understanding of AP-STA mode, we can proceed with the installation.

"},{"location":"ap-sta/#installation","title":"Installation","text":"
  1. Begin by flashing an SD card with the latest release of Raspberry Pi OS (32- or 64-bit) Lite.
  2. Prepare the SD card to connect to your WiFi network in headless mode according to this FAQ.
  3. Enable ssh access by creating an empty file called \"ssh\" (no extension) in the SD card's root.
  4. Insert the SD card into the Pi Zero W and connect it to power. Note: the standard power supply for the Raspberry Pi is 5.1V @ 2.5A. Other power sources may result in undervoltage or other issues. Do not use the micro USB connection.
  5. Connect to your Pi via ssh. ssh pi@raspberrypi.local is typical.
  6. Follow the project prerequisites exactly. Do not skip any of these steps.
  7. Invoke the Quick Installer as normal: curl -sL https://install.raspap.com | bash.
  8. The installer automatically detects a Pi (or other device) without an active eth0 interface. In this case, you will not be prompted to reboot your Pi.
  9. Open the RaspAP admin interface in your browser, usually http://raspberrypi.local.
  10. The status widget should indicate that hostapd is inactive. This is expected.
  11. Confirm that the Wireless Client dashboard widget displays an active connection.
  12. Choose Hotspot > Advanced and enable the WiFi client AP mode option.
  13. Optionally, enable Logfile output as this is often helpful for troubleshooting.
  14. Choose Save settings and Start hotspot.
  15. Wait a few moments and confirm that your AP has started.

Note

The WiFi client AP mode option will be disabled, or \"greyed out\", until a wireless client is configured.

"},{"location":"ap-sta/#when-to-reboot","title":"When to reboot?","text":"

Rebooting before configuring AP-STA mode is likely the main cause of problems for users with the Pi Zero W. The reason is the default configuration is designed for a wired (ethernet) AP.

Once the Pi Zero W is configured in AP-STA mode, RaspAP will store several values in /etc/raspap/hostapd.ini:

LogEnable = 1\nWifiAPEnable = 1\nBridgedEnable = 0\nWifiManaged = wlan0\n
These are used by RaspAP's systemd control service raspapd to determine that a managed mode AP is enabled for the Pi and restore the connection after subsequent reboots.

"},{"location":"ap-sta/#changing-hostapd-settings","title":"Changing hostapd settings","text":"

Changes to the hotspot configuration should be applied to the wlan0 physical device, not uap0 (a virtual interface). In other words, if you wish to change hostapd settings, stop the hotspot, disable AP-STA, make your config changes on wlan0, re-enable AP-STA and finally restart hostapd. An explanation is available here.

"},{"location":"ap-sta/#discussions","title":"Discussions","text":"

Questions or comments about using AP-STA mode? Join the discussion here.

"},{"location":"authentication/","title":"Authentication","text":""},{"location":"authentication/#overview","title":"Overview","text":"

RaspAP's authentication module uses HTTP's built-in framework to limit access to authorized users. Known as the HTTP \"Basic\" scheme, when first accessing RaspAP on your device the server will respond with a 401 (unauthorized) status. Authentication is then handled with a response header that presents a login challenge in the browser.

The default administrator credentials are:

Username: admin Password: secret

After performing the initial login, it is strongly recommended to change these default credentials on the Authentication > Basic tab. This is a first-line defense against unauthorized users taking control of your wireless network.

Note

The \"Basic\" HTTP authentication scheme is defined in RFC 7617, which transmits credentials as user ID/password pairs, encoded using base64.

"},{"location":"authentication/#how-secure-is-basic-auth","title":"How secure is basic auth?","text":"

The HTTP Basic Authentication scheme is not considered to be secure on its own, especially over plain HTTP. This is because it sends the username and password in an easily decodable Base64-encoded format. Without an additional encryption layer, credentials are sent over the network in plain text. This makes it highly vulnerable to interception by attackers via man-in-the-middle (MITM) attacks or by packet sniffing.

"},{"location":"authentication/#best-security-practices","title":"Best security practices","text":"

The overall security of your RaspAP install can be greatly enhanced by applying some rudimentary changes to it. Taken together, these have the effect of hardening your router against potential external threats.

"},{"location":"authentication/#using-httpstls","title":"Using HTTPS/TLS","text":"

Basic Authentication can be used securely if transmitted over HTTPS, which encrypts the entire communication channel. For this reason, RaspAP has simplified the process of creating locally-trusted SSL certificates with the Quick installer. When HTTPS/TLS is enabled with a RaspAP install, this authentication process is significantly more secure.

"},{"location":"authentication/#using-a-strong-passphrase","title":"Using a strong passphrase","text":"

In most scenarios, a potential attacker can only access RaspAP's admin login prompt if they are already associated with your wireless access point. To mitigate this, change the default raspap-webgui SSID and choose a strong pre-shared key (PSK) or passphrase. RaspAP will automatically generate a secure passphrase for you, as illustrated below:

On the Hotspot > Security tab, click or tap the magic icon next to the PSK input. Choose Save settings followed by Restart hotspot. Thereafter, you may share RaspAP's QR code with your wireless clients to assist them with authentication.

Tip

Given RaspAP's popularity, assume that both the default admin login credentials and the default access point SSID and password are well known to third-parties. Failure to change these default settings is an invitation to attackers.

"},{"location":"authentication/#access-point-settings","title":"Access point settings","text":"

RaspAP enables Wi-Fi Protected Access 2 (WPA2) as the default security type for the access point. This includes support for AES-based encryption and a multi-step 4-way handshake. For greater security, the newer WPA3 standard increases the key length to 192 bits (compared with the 128-bit key used by WPA2), further improving the password defense strength.

"},{"location":"authentication/#limited-privilege-user-role","title":"Limited privilege user role","text":"

Experimental \u00b7 Insiders only

The administrator may enable a user who is able to access RaspAP's management interface, but is restricted in their ability to modify the existing configuration. In this case, the limited privilege user may configure a wireless client connection on the WiFi client page, but is unable to change any other settings.

This is useful in a multi-user environment where the admin user may want to initially configure a wireless router, and then delegate client connection duties to other users of the network.

To enable the limited privilege user, slide the corresponding toggle on the Basic tab, enter the limited privilege user's login and password and choose Save settings. The current admin user will be prompted to logout. Thereafter, the limited privilege user role will be active. The limited user may then login with the credentials you've defined. To disable the limited privilege user role, simply login with the administrator account again.

"},{"location":"authentication/#custom-user-avatars","title":"Custom user avatars","text":"

Experimental \u00b7 Insiders only

The default administrator user icon may be replaced with a custom one of your choosing. From the Avatar tab, click or tap on the existing avatar to upload a new one. The new custom avatar will be displayed in RaspAP's header.

Image files of type .jpg, .gif or .png up to a maximum of 2 MB are supported. To restore the avatar to the default, choose Reset avatar.

"},{"location":"authentication/#restoring-defaults","title":"Restoring defaults","text":"

Login credentials are stored in /etc/raspap/raspap.auth. The password is encrypted and cannot be edited manually. If you've forgotten your admin login or wish to temporarily reset the defaults, you may do so by simply deleting this file:

sudo rm /etc/raspap/raspap.auth\n

This will restore the default admin login and password pair.

Note

RaspAP uses PHP's built-in password_hash function which leverages the Blowfish (CRYPT_BLOWFISH) algorithm. Blowfish is an adaptive hashing algorithm that is widely considered to be very secure.

"},{"location":"authentication/#discussions","title":"Discussions","text":"

Questions or comments about RaspAP's authentication? Join the discussions here.

"},{"location":"bridged/","title":"Bridged AP mode","text":""},{"location":"bridged/#overview","title":"Overview","text":"

By default RaspAP configures a routed AP as its hotspot, where your device creates a subnet and assigns IP addresses to connected clients. If you would rather have your upstream router assign IP addresses, RaspAP lets you change the hotspot configuration to an alternative bridged AP. This is also useful if you want your device and its hotspot clients to be visible to other devices in your router's network.

"},{"location":"bridged/#enabling-bridged-ap-mode","title":"Enabling bridged AP mode","text":"

From RaspAP's Hotspot > Advanced tab, select the Bridged AP mode option. Choose Save settings and then Restart hotspot.

At this stage, you will no longer be able to access RaspAP's web interface from the default 10.3.141.1 address. See accessing the web interface, below.

"},{"location":"bridged/#limitations","title":"Limitations","text":"

Bridged AP mode operates under some constraints as compared to RaspAP's default routed AP mode. These are discussed below.

"},{"location":"bridged/#wifi-client-mode","title":"WiFi client mode","text":"

On the Hotspot > Advanced tab the Wifi Client AP mode option is disabled or \"greyed out\". The reason for this is your device cannot connect as a client to another wireless network while simultaneously hosting its own bridged access point.

"},{"location":"bridged/#dhcp-server","title":"DHCP server","text":"

The DHCP Server page is disabled and hidden from the adminstration interface. This is because in bridged AP mode all DHCP functions are delegated to your upstream router. To configure DHCP settings for your network, access your router's web interface.

"},{"location":"bridged/#vpn-considerations","title":"VPN considerations","text":"

Clients connected to a bridged AP with OpenVPN enabled will not have their traffic routed through the VPN server. Your device itself will still have its own traffic routed through the VPN server, however.

Note

Bridged AP mode is not currently supported on Ubuntu Server. This is because Ubuntu has standardized on Netplan, which differs considerably from other Linux distributions supported by RaspAP.

"},{"location":"bridged/#accessing-the-web-interface","title":"Accessing the web interface","text":"

In bridged AP mode, you will no longer be able to access RaspAP's web interface using the default 10.3.141.1 address. This is because your device no longer creates its own 10.3.141.0/24 subnet for its access point. Instead, access RaspAP's web interface by entering your device's hostname followed by .local. On Raspberry Pi devices running the avahi daemon, this will look like raspberrypi.local.

Some browsers have trouble resolving .local addresses. You may also need to modify the address depending on your browser. For example, try entering http://raspberrypi.local or raspberrypi.local/ in your browser's address field.

If the above methods don't work, the nmap command (Network Mapper) can be used to scan your subnet for devices connected to your network. For example, invoke nmap with the -sn flag (ping scan) on your subnet range:

nmap -sn 192.168.1.0/24\n

This scan pings all the IP addresses in a subnet to see if they respond. For each device that responds to the ping, the output will show the hostname and IP address like so:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-23 10:04 CET\nNmap scan report for iPhone 192.168.1.31\nHost is up (0.037s latency).\nNmap scan report for raspberrypi 192.168.1.8\nHost is up (0.031s latency).\nNmap scan report for Chromecast 192.168.1.45\nHost is up (0.0015s latency).\nNmap scan report for mbp15 192.168.1.48\nHost is up (0.074s latency).\nNmap done: 256 IP addresses (4 hosts up) scanned in 6.08 seconds\n

More information on finding your device's IP address can be found here.

"},{"location":"bridged/#troubleshooting","title":"Troubleshooting","text":"

If you are unable to connect clients to your bridged AP, start by following the recommendations in this FAQ. Client connectivity issues in bridged AP mode are most often the result of your upstream router, not RaspAP. For this reason, please check your router's web interface and DHCP settings before reporting a bug.

"},{"location":"bridged/#discussions","title":"Discussions","text":"

Questions or comments about RaspAP's bridged AP mode? Join the discussion here.

"},{"location":"captive/","title":"Captive portal setup","text":""},{"location":"captive/#overview","title":"Overview","text":"

The nodogsplash project is a lightweight, highly configurable captive portal solution. It integrates nicely with RaspAP and is recommended over other methods. No configuration changes are needed with RaspAP, however you will need to modify some default settings in the nodogsplash config. This step-by-step guide assumes you have already installed RaspAP, either with the Quick Installer or manual setup instructions.

Note

This walkthrough is provided as a courtesy only; there is no support for NDS or any integration with this project.

"},{"location":"captive/#installing-the-software","title":"Installing the software","text":"

Begin by updating your RPi with the latest package information:

sudo apt-get update\n

With our package manager up to date, install a dependency required by nodogsplash:

sudo apt-get install libmicrohttpd-dev\n

Next, clone the nodogsplash GitHub repository to your home directory:

cd ~/\ngit clone https://github.com/nodogsplash/nodogsplash.git\n

We can now compile nodogsplash from the source:

cd nodogsplash\nmake\nsudo make install\n

"},{"location":"captive/#configuration-changes","title":"Configuration changes","text":"

With nodogsplash installed in the Pi's system, we will make two small changes to its configuration. The nodogsplash GatewayInterface should be set to the interface RaspAP runs on (wlan0 is the default). You will also need to change the GateWayAddress to 10.3.141.1.

Note

If you have modified RaspAP's default configuration, be sure this setting reflects your changes, otherwise the captive portal will not work correctly.

sudo nano /etc/nodogsplash/nodogsplash.conf\n

# GatewayInterface is not autodetected, has no default, and must be set here.\n# Set GatewayInterface to the interface on your router\n# that is to be managed by Nodogsplash.\n# Typically br-lan for the wired and wireless lan.\n#\nGatewayInterface wlan0\n#\n# Parameter: GatewayAddress\n# Default: Discovered from GatewayInterface\n#\n# This should be autodetected on an OpenWRT system, but if not:\n# Set GatewayAddress to the IP address of the router on\n# the GatewayInterface.  This is the address that the Nodogsplash\n# server listens on.\nGatewayAddress 10.3.141.1\n
Save and quit out of the editor by pressing Ctrl+X and then pressing Y and finally Enter.

"},{"location":"captive/#starting-the-captive-portal","title":"Starting the captive portal","text":"

We are now ready to start up the software. This can be done by simply executing the binary with sudo nodogsplash. However, we'll make things a bit easier by adding a systemd service provided by the project. Copy the service control file and enable it:

sudo cp ~/nodogsplash/debian/nodogsplash.service /lib/systemd/system/\nsudo systemctl enable nodogsplash.service \n

Next, start the service and check its status:

sudo systemctl start nodogsplash.service \nsudo systemctl status nodogsplash.service\n

You should see output similar to the following:

\u25cf nodogsplash.service - NoDogSplash Captive Portal\n   Loaded: loaded (/lib/systemd/system/nodogsplash.service; enabled; vendor preset: enabled)\n   Active: active (running) since Tue 2020-02-11 09:19:44 GMT; 34min ago\n Main PID: 10539 (nodogsplash)\n    Tasks: 4 (limit: 1599)\n   Memory: 1.7M\n   CGroup: /system.slice/nodogsplash.service\n           \u2514\u250010539 /usr/bin/nodogsplash\n\nFeb 11 09:19:44 raspberrypi systemd[1]: Starting NoDogSplash Captive Portal...\nFeb 11 09:19:44 raspberrypi nodogsplash[10538]: [5][Tue Feb 11 09:19:44 2020][10538](src/main.c:496) Starting as daemon, forking to background\nFeb 11 09:19:44 raspberrypi nodogsplash[10538]: [5][Tue Feb 11 09:19:44 2020][10539](src/main.c:271) Detected gateway wlan0 at 10.3.141.1 (dc:a6:32:3d:ff:9d)\nFeb 11 09:19:44 raspberrypi nodogsplash[10538]: [5][Tue Feb 11 09:19:44 2020][10539](src/main.c:275) MHD Unescape Callback is Disabled\nFeb 11 09:19:44 raspberrypi nodogsplash[10538]: [5][Tue Feb 11 09:19:44 2020][10539](src/main.c:305) Created web server on 10.3.141.1:2050\nFeb 11 09:19:44 raspberrypi nodogsplash[10538]: [5][Tue Feb 11 09:19:44 2020][10539](src/main.c:319) Using config options for FAS or Templated Splash.\nFeb 11 09:19:44 raspberrypi systemd[1]: Started NoDogSplash Captive Portal.\nFeb 11 09:19:46 raspberrypi nodogsplash[10538]: [5][Tue Feb 11 09:19:46 2020][10539](src/fw_iptables.c:382) Initializing firewall rules\n

Note

The captive portal may be stopped with sudo systemctl stop nodogsplash.service or disabled completely with sudo systemctl disable nodogsplash.service.

"},{"location":"captive/#connecting-clients","title":"Connecting clients","text":"

Connect a client to RaspAP's hotspot. You should now see nodogsplash's captive portal screen:

Optional: you can customize the captive portal screen by modifying the files located in /etc/nodogsplash/htdocs/.

"},{"location":"captive/#more-information","title":"More information","text":"

Full documentation of nodogsplash is available here.

"},{"location":"captive/#discussions","title":"Discussions","text":"

Questions or comments about using nodogsplash with RaspAP? Join the discussion here.

"},{"location":"custom-plugins/","title":"Custom user plugins","text":""},{"location":"custom-plugins/#overview","title":"Overview","text":"

The PluginManager provides a framework for developers to create custom plugins to extend RaspAP's functionality. To facilitate this, the SamplePlugin repository was created to make it easy for developers to get started creating their own plugins. Using the SamplePlugin is described in the following sections.

"},{"location":"custom-plugins/#the-sampleplugin","title":"The SamplePlugin","text":"

The SamplePlugin implements a PluginInterface and is automatically loaded by RaspAP's PluginManager.

Several common plugin functions are demonstrated in SamplePlugin, as well as a method for persisting session data in plugin instances. Each plugin has its own namespace, meaning that classes and functions are organized to avoid naming conflicts. Plugins are self-contained and render templates from inside their own /templates directory.

"},{"location":"custom-plugins/#getting-started","title":"Getting started","text":"

The SamplePlugin requires an installation of RaspAP, either via the Quick install method or with a Docker container. The default application path /var/www/html is used here. If you've chosen a different install location, substitute this in the steps below.

  1. Begin by creating a fork of the SamplePlugin repository.
  2. Change to your RaspAP install location and create a /plugins directory.
    cd /var/www/html\nsudo mkdir plugins\n
  3. Change to the /plugins directory and clone your SamplePlugin fork:
    cd plugins\nsudo git clone https://github.com/[your-username]/SamplePlugin\n
  4. The PluginManager will detect and autoload the plugin; a new Sample Plugin item will appear in the sidebar.

You may now proceed with customizing your plugin by using the tips in the next sections.

"},{"location":"custom-plugins/#scope-of-functionality","title":"Scope of functionality","text":"

The SamplePlugin implements the server-side methods needed to support basic plugin functionality. It initalizes a Sidebar object and adds a custom navigation item. User input is processed with handlePageAction() and several common operations are performed, including:

  1. Saving plugin settings.
  2. Starting a sample service.
  3. Stopping a sample service.

Template data is then collected in $__template_data and rendered by the main.php template file located in /templates. Property get/set methods are demonstrated with apiKey and serviceStatus values. A method is then used in persistData() to save the SamplePlugin object data.

Caution

Importantly, SamplePlugin does not use the PHP $_SESSION object. Known as a \"superglobal\", or automatic global variable, this is available in all scopes throughout a script. Using the $_SESSION object in a plugin context can lead to conflicts with other plugin instances.

On the front-end, Bootstrap's form validation is used to validate user input. A custom JavaScript function responds to a click event to generate a random apiKey value. The sample.service LED indicator is functional, as are the service stop/start form buttons.

"},{"location":"custom-plugins/#customizing","title":"Customizing","text":"

The SamplePlugin demonstrates basic plugin functions without being overly complex. It's designed with best practices in mind and made to be easily modified by developers.

"},{"location":"custom-plugins/#unique-plugin-names","title":"Unique plugin names","text":"

Most plugin authors will probably begin by renaming SamplePlugin to something unique. The PluginManager expects the plugin folder, file, namespace and class to follow the same naming convention. When renaming the SamplePlugin ensure that each of the following entities uses the same plugin name:

Entity Type plugins/SamplePlugin folder plugins/SamplePlugin/SamplePlugin.php file namespace RaspAP\\Plugins\\SamplePlugin namespace class SamplePlugin implements PluginInterface class

That is, replace each occurrence of SamplePlugin with your plugin name in these entities.

"},{"location":"custom-plugins/#plugin-logic-and-templates","title":"Plugin logic and templates","text":"

Plugin classes and functions are contained in SamplePlugin.php. The parent template main.php and child tab templates are used to render template data.

\u251c\u2500\u2500 SamplePlugin/\n\u2502   \u251c\u2500\u2500 SamplePlugin.php\n\u2502   \u2514\u2500\u2500 templates/\n\u2502       \u251c\u2500\u2500 main.php\n\u2502       \u2514\u2500\u2500 tabs/\n\u2502           \u251c\u2500\u2500 about.php\n\u2502           \u251c\u2500\u2500 basic.php\n\u2502           \u2514\u2500\u2500 status.php\n

You may wish to omit, modify or create new tabs. This is done by editing main.php and modifying the contents of the /tabs directory.

"},{"location":"custom-plugins/#sidebar-item","title":"Sidebar item","text":"

The PluginInterface exposes an initalize() method that is used to create a unique sidebar item. The properties below can be customized for your plugin:

$label = _('Sample Plugin');\n$icon = 'fas fa-plug';\n$action = 'plugin__'.$this->getName();\n$priority = 65;\n

You may specify any icon in the Font Awesome 6.6 free library for the sidebar item. The priority value sets the position of the item in the sidebar (lower values = a higher priority).

"},{"location":"custom-plugins/#permissions","title":"Permissions","text":"

For security reasons, the www-data user which the lighttpd web service runs under is not allowed to start or stop daemons or execute commands. RaspAP's installer adds the www-data user to sudoers, but with restrictions on what commands the user can run. If your plugin requires execute permissions on a Linux binary not present in RaspAP's sudoers file, you will need to add this yourself. To edit this file, the visudo command should be used. This tool safely edits sudoers and performs basic validity checks before installing the edited file.

Execute visudo and edit RaspAP's sudoers file like so:

sudo visudo /etc/sudoers.d/090_raspap\n

An example of adding entries to support a plugin's service is shown below:

www-data ALL=(ALL) NOPASSWD:/bin/systemctl start sample.service\nwww-data ALL=(ALL) NOPASSWD:/bin/systemctl stop sample.service\nwww-data ALL=(ALL) NOPASSWD:/bin/systemctl status sample.service\n

Wildcards ('*') and regular expressions are supported by sudoers but care should be taken when using them.

"},{"location":"custom-plugins/#multiple-instances","title":"Multiple instances","text":"

The PluginManager is a managerial class responsible for locating, instantiating and coordinating plugins. Through the use of namespaces and object data persistence in SamplePlugin, any number of user plugins may be installed to /plugins and run concurrently.

As previously noted, developers should avoid using PHP's $_SESSION object in their plugins to prevent conflicts with other plugin instances. An alternative method for session data storage is provided in the SamplePlugin persistData() function.

Note

The persistData() function writes serialized data to the volatile /tmp directory which is cleared on each system boot. For this reason, it should not be used as a method of permanent data storage. However, this functionality roughly approximates PHP's $_SESSION object; the difference being that each plugin's data is isolated from other plugin instances.

"},{"location":"custom-plugins/#publishing-your-plugin","title":"Publishing your plugin","text":"

The SamplePlugin contains an \"About\" tab where you may provide author information, a description and link to your project. If you've authored a plugin you feel would be useful to the RaspAP community, you're encouraged to share it in the SamplePlugin repository's discussions.

"},{"location":"custom-plugins/#discussions","title":"Discussions","text":"

Questions or comments about creating user plugins? Join the discussion here.

"},{"location":"defaults/","title":"Default settings","text":""},{"location":"defaults/#overview","title":"Overview","text":"

Creating a software routed access point (AP) requires the installation and setup of several related Linux services. RaspAP uses a known-good default configuration as a starting point. This facilitates a faster setup by not prompting the user for various network settings during the installation. More importantly, it eliminates guesswork that can lead to conflicts down the road. When the manual or quick installation is completed, you will have a functional AP that you may then administer with RaspAP's web interface.

While this project handles every facet of this process for you, it's still recommended that users familiarize themselves with the steps involved in building a software AP from start to finish.

"},{"location":"defaults/#configuration-directory","title":"Configuration directory","text":"

To every extent possible, RaspAP's default settings are contained within the project's /config folder. The networking defaults, DNS servers, wireless regulatory data and so on are found here. In this way, the user may modify RaspAP's baseline application settings without touching code.

The exception to this is hostapd.conf which is managed by includes/hostapd.php and effectively rewritten depending on user input. This is due to the complexity of this configuration relative to other services managed by the project. For this reason, manual edits to this file will not be preserved.

Baseline configurations for dhcpcd, dnsmasq (described below) and bridged AP configurations are contained here.

"},{"location":"defaults/#managing-config-values","title":"Managing config values","text":"

The interface itself, default Linux file paths and so on may be changed by modifying the project's configuration file config.php.

Note

The file config/config.php is copied during the installation to includes/config.php and ignored by Git. This way, users can modify includes/config.php without git pull or upgrades complaining about local changes. The file includes/defaults.php loads corresponding default values if they are not set.

For example, you can change the brand text that appears in the interface header simply by modifying the value of this constant:

define('RASPI_BRAND_TEXT', 'RaspAP');\n

RaspAP's interface may be further customized by changing the following values:

// Optional services, set to true to enable.\ndefine('RASPI_WIFICLIENT_ENABLED', true);\ndefine('RASPI_HOTSPOT_ENABLED', true);\ndefine('RASPI_NETWORK_ENABLED', true);\ndefine('RASPI_DHCP_ENABLED', true);\ndefine('RASPI_ADBLOCK_ENABLED', false);\ndefine('RASPI_OPENVPN_ENABLED', false);\ndefine('RASPI_VPN_PROVIDER_ENABLED', false);\ndefine('RASPI_WIREGUARD_ENABLED', false);\ndefine('RASPI_TORPROXY_ENABLED', false);\ndefine('RASPI_CONFAUTH_ENABLED', true);\ndefine('RASPI_CHANGETHEME_ENABLED', true);\ndefine('RASPI_VNSTAT_ENABLED', true);\ndefine('RASPI_SYSTEM_ENABLED', true);\ndefine('RASPI_MONITOR_ENABLED', false);\n

The constants defined for Linux configuration file paths are typical and needn't be changed, in most cases. However, you could easily do so simply by modifying this file.

"},{"location":"defaults/#networking-defaults","title":"Networking defaults","text":"

The default AP interface used by RaspAP is wlan0. This is a typical setting if you are using the RPi's onboard wireless adapter. You can change this to a different interface by modifying the following value in config.php:

define('RASPI_WIFI_AP_INTERFACE', 'wlan0');\n

Tip

If a second wireless adapter is configured for your device, for example bound to the wlan1 interface, RaspAP will automatically detect it and assign it as the default wireless client interface. You may change this setting simply by selecting wlan1 as the AP interface in the Hotspot > Basic panel. After restarting the hotspot, RaspAP will use wlan0 as the client interface.

Default values for the dnsmasq and dhcpcd services can be modified as well. The file config/defaults.json was introduced with the version 2.6 release. This file is copied during the installation to /etc/raspap/networking/, so any changes to it must be made at this location.

The defaults.json file uses the standard JSON data-interchange format. For example, the default dhcp settings for wlan0 are displayed below:

\"dhcp\": {\n    \"wlan0\": { \n      \"static ip_address\": [ \"10.3.141.1/24\" ],\n      \"static routers\": [ \"10.3.141.1\" ],\n      \"static domain_name_server\": [ \"1.1.1.1 8.8.8.8\" ],\n      \"subnetmask\": [ \"255.255.255.0\" ]\n    }\n

Likewise, the DHCP ranges for both wlan0 and the virtual uap0 interface are shown below:

\"dnsmasq\": {\n    \"wlan0\": {\n      \"dhcp-range\": [ \"10.3.141.50,10.3.141.254,255.255.255.0,12h\" ]\n    },\n    \"uap0\": {\n      \"dhcp-range\": [ \"192.168.50.50,192.168.50.150,12h\" ]\n    }\n

These default settings are defined as fallback values. That is, if a user-defined value is missing these will be used in their place.

"},{"location":"defaults/#dns-servers","title":"DNS servers","text":"

The list of hosted DNS servers available in the Upstream DNS servers panel in DHCP > Advanced may be modified to suit your needs. The file config/dns-servers.json contains a JSON formatted collection of hostnames and IPv4 addresses, like so:

\"Google\": [\n    \"8.8.4.4\",\n    \"8.8.8.8\"\n  ],\n  \"OpenDNS\": [\n    \"208.67.220.220\",\n    \"208.67.222.222\"\n  ],\n  \"Quad9\": [\n    \"9.9.9.9\"\n  ],\n

Edits to this file in place will immediately be reflected in the user interface.

"},{"location":"defaults/#vpn-providers","title":"VPN providers","text":"

RaspAP version 3.0 introduced beta support for a select number of VPN providers. These services are largely defined in the config/vpn-providers.json file. An example provider definiton is shown below:

\"id\": 1,\n\"name\": \"ExpressVPN\",\n\"bin_path\": \"/usr/bin/expressvpn\",\n\"install_page\": \"https://www.expressvpn.com/support/vpn-setup/app-for-linux/\",\n\"account_page\": \"https://www.expressvpn.com/subscriptions\",\n\"cmd_overrides\": {\n   \"countries\": \"list all\",\n   \"log\": \"diagnostics\",\n   \"version\": \"-v\"\n}\n

It is not necessary to modify these definitions, unless you would like to experiment by adding a provider not currently supported by RaspAP.

"},{"location":"defaults/#restoring-settings","title":"Restoring settings","text":"

If you've modified RaspAP's default configuration and the AP no longer works as expected, the defaults may be restored by performing a system reset. From the System > Tools tab, click or tap the Perform reset button. A dialog will appear to confirm this action.

Alternatively, you may follow the steps described in the manual installation.

"},{"location":"defaults/#discussions","title":"Discussions","text":"

Questions or comments about RaspAP's defaults? Join the discussions here.

"},{"location":"docker/","title":"Docker support","text":""},{"location":"docker/#overview","title":"Overview","text":"

As an alternative to the Quick installer or manual installation steps, you may also deploy RaspAP in an isolated and portable Docker container.

A container is an isolated environment for code. This means that a container has no knowledge of the host operating system, dependencies, or its files. It runs on the environment provided to you by either Docker Desktop or the Docker Engine. Containers have everything needed to run an application, down to a base operating system.

Here, we'll focus on using Docker Engine to deploy and manage a containerized RaspAP application stack.

"},{"location":"docker/#why-a-container","title":"Why a container?","text":"

Docker containers have several advantages over other methods of deploying code. As a sandboxed process, containers are isolated from all other processes running on a host machine. That isolation leverages things like kernel namespaces and cgroups, features that have been in Linux for a long time.

A RaspAP Docker container is a runnable instance of an image. This container can be started, stopped, moved or deleted using the Docker CLI. It can be run on a local device, virtual machines or deployed to the cloud. Isolation from other containers also means that it runs its own software, binaries and so on.

"},{"location":"docker/#installing-docker-engine","title":"Installing Docker Engine","text":"

Since RaspAP is built for Debian-based systems, the instructions here will focus on this OS family. To get started with Docker Engine on Debian, make sure you meet the prerequisites, and then follow the installation steps.

"},{"location":"docker/#prerequisites","title":"Prerequisites","text":"

To install Docker Engine, begin with the 64-bit version of one of these Debian versions:

Docker Engine for Debian is compatible with x86_64 (or amd64), armhf, arm64, and ppc64le (ppc64el) architectures.

"},{"location":"docker/#uninstall-old-versions","title":"Uninstall old versions","text":"

Before installing Docker Engine, we must first uninstall any conflicting packages.

Distro maintainers provide unofficial distributions of Docker packages in their repositories. These packages must be uninstalled prior to installing the official version of Docker Engine.

The unofficial packages to uninstall are:

Run the following command to uninstall these packages and their dependencies:

for pkg in docker.io \\\n    docker-doc \\\n    docker-compose \\\n    podman-docker \\\n    containerd \\\n    runc; do \\\n    sudo apt-get remove $pkg;\ndone\n

Note

apt-get might report that you have none of these packages installed.

"},{"location":"docker/#using-the-convenience-script","title":"Using the convenience script","text":"

Docker provides a convenience script at https://get.docker.com/ to install Docker non-interactively. Prior to executing it, be sure to familiarize yourself with the potential risks and limitations associated with this script.

Tip

You can run the script with the --dry-run option to learn what steps the script will run when invoked:

curl -fsSL https://get.docker.com -o get-docker.sh\nsudo sh ./get-docker.sh --dry-run\n

  1. Begin by changing into your home directory, then download and execute the convenience script to install the latest stable release of Docker:
    cd ~/\ncurl -fsSL https://get.docker.com -o get-docker.sh\nsudo sh get-docker.sh\n
  2. Verify that the installation is successful by running the hello-world image:
    sudo docker run hello-world\n
    This command downloads a test image and runs it in a container. When the container runs, it prints a confirmation message and exits. The output should appear similar to the example below:
    Unable to find image 'hello-world:latest' locally\nlatest: Pulling from library/hello-world\n478afc919002: Pull complete\nDigest: sha256:4bd78111b6914a99dbc560e6a20eab57ff6655aea4a80c50b0c5491968cbc2e6\nStatus: Downloaded newer image for hello-world:latest\n\nHello from Docker!\nThis message shows that your installation appears to be working correctly.\n

You have now successfully installed and tested Docker Engine. The docker service starts automatically on Debian based distributions.

Note

If the test container fails to run or you encounter any errors, refer to the Docker Engine documentation for troubleshooting tips.

"},{"location":"docker/#post-installation-steps","title":"Post-installation steps","text":"

The Docker daemon binds to a Unix socket, not a TCP port. By default it's the root user that owns the Unix socket, and other users can only access it using sudo. The Docker daemon always runs as the root user.

If you don't want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.

To create the docker group and add your user:

  1. Create the docker group.
    sudo groupadd docker\n
  2. Add your user to the docker group.
    sudo usermod -aG docker $USER\n
  3. Log out and log back in so that your group membership is re-evaluated.

With these steps completed, you have successfully installed and started Docker Engine. We're now ready to deploy RaspAP.

"},{"location":"docker/#deploying-raspap","title":"Deploying RaspAP","text":"

With Docker Engine installed, you have two ways of deploying RaspAP in a Docker container. Each of these methods is described in the sections below.

"},{"location":"docker/#using-docker-compose","title":"Using Docker compose","text":"

This method lets us deploy the entire RaspAP application stack with a single command (docker compose up) as well as configure things like environment variables, network settings and so on in a centralized manner. Advanced users may also use this option to define a multi-container environment of which RaspAP is one component. This may be done with the docker-compose.yml file.

Begin by cloning the raspap-docker GitHub repository into your home directory, then change into it:

cd ~/\ngit clone https://github.com/RaspAP/raspap-docker.git\ncd raspap-docker\n

For ARM devices, such as the Raspberry Pi, we must uncomment the cgroup: host line in the docker-compose.yaml file:

version: \"3.8\"\nservices:\n  raspap:\n    container_name: raspap\n    image: ghcr.io/raspap/raspap-docker:latest\n    #build: .\n    privileged: true\n    network_mode: host\n    cgroup: host # uncomment when using an ARM device \n    cap_add:\n      - SYS_ADMIN\n    volumes:\n      - /sys/fs/cgroup:/sys/fs/cgroup:rw\n    restart: unless-stopped\n

Edit this file with nano docker-compose.yaml, change the line to appear as above, then use Ctrl+O and press Enter to save and exit the file.

Important

Do not use docker-compose but rather docker compose. If the latter isn't present on your system, refer to Docker's installation steps.

With this configuration done, execute Docker compose like so:

docker compose up -d\n

You should see output similar to below to indicate the progress of RaspAP's Docker image being built:

docker compose up -d\n[+] Running 2/8\n \u2807 raspap 7 layers [\u2800\u2840\u28ff\u28ff\u2800\u2800\u2800] 12.83MB/337.8MB Pulling\n   \u280b 5665c1f9a9e1 Downloading [===>                        ]  3.547MB/49.59MB\n   \u280b 4311202aff18 Downloading [=========>                  ]   4.98MB/24.95MB\n   \u2714 ac4d205394f0 Download complete\n   \u2714 baf57b850085 Download complete\n   \u280b 18a1ed9b4ba8 Downloading [=>                          ]  4.307MB/263.3MB\n   \u280b 5bed08c889b9 Waiting\n   \u280b 09ed3fdeed88 Waiting\n

During this process, a Docker image containing RaspAP's application stack will be created on your system. This build always pulls the latest RaspAP release from the main GitHub repository.

Behind the scenes, Docker has used the image it created to start a containerized RaspAP application stack. You may confirm this by executing the following:

docker container ls\nCONTAINER ID   IMAGE           COMMAND                  CREATED        STATUS        PORTS     NAMES\n8d7b32b8373a   raspap:latest   \"/bin/bash -c '/home\u2026\"   2 hours ago    Up 2 hours             raspap\n

At this stage, the RaspAP application is running and you may access the web interface as you would normally. This will depend on the method you use to access your device, but is usually one of the following:

Take note that RaspAP and all its dependencies are wholly contained within the running Docker container. That is, the host system does not have any of the apt packages or application files used by RaspAP, unless you've explicitly installed them.

"},{"location":"docker/#using-the-container-registry","title":"Using the container registry","text":"

As an alternative to docker compose, described above, you may also deploy RaspAP using its hosted Docker container image. This is available as a raspap-docker package hosted on the GitHub Container registry. With this method, a single container is defined from its base image, the environment is setup and the application is configured within the container.

Given that everything needed to deploy RaspAP is stored within this package, it isn't necessary to clone the raspap-docker respository. Instead, you may simply execute one of the following docker run commands:

  1. For ARM devices, the cgroups must be made writable.
    docker run --name raspap -it -d --privileged --network=host --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw --cap-add SYS_ADMIN ghcr.io/raspap/raspap-docker:latest\n
  2. For non-ARM devices, execute the following.
    docker run --name raspap -it -d --privileged --network=host -v /sys/fs/cgroup:/sys/fs/cgroup:ro --cap-add SYS_ADMIN ghcr.io/raspap/raspap-docker:latest\n

With either of the above commands, you should see output as below followed by progress indicating the state of the various package components as they are downloaded to your system:

Unable to find image 'ghcr.io/raspap/raspap-docker:latest' locally\nlatest: Pulling from raspap/raspap-docker\n

When the container image download is completed, you may verify its operational state like so:

docker container ls\nCONTAINER ID   IMAGE                                 COMMAND                  CREATED          STATUS          PORTS     NAMES\n4257b8aa3c7e   ghcr.io/raspap/raspap-docker:latest   \"/bin/bash -c '/home\u2026\"   32 minutes ago   Up 32 minutes             raspap\n

At this stage, the RaspAP application stack is running and you may access the web interface as you would normally. This will depend on the method you use to access your device, but is usually one of the following:

Take note that RaspAP and all its dependencies are wholly contained within the running Docker container. That is, the host system does not have any of the apt packages or application files used by RaspAP, unless you've explicitly installed them.

"},{"location":"docker/#tips-and-tricks","title":"Tips and tricks","text":"

The following section has some general advice that users of RaspAP's Docker container have found useful. If you have a tip or trick to contribute, feel free to join our discussions.

"},{"location":"docker/#allocating-a-terminal","title":"Allocating a terminal","text":"

While RaspAP's Docker container is running, you may obtain an interactive pseudo-TTY, or Linux terminal, connected to standard input. Do so by executing the following:

docker exec -it raspap bash\n

The above command combines the -i (interactive) and -t (tty) options together with the raspap named container. The bash command starts an interactive Bash shell within the running container. From here you can perform most of the same shell operations and commands within Docker's pseudo-TTY as you would in a regular Linux environment.

"},{"location":"docker/#iptables-rules-and-nat","title":"iptables rules and NAT","text":"

When either of the above methods are executed, RaspAP will apply iptables Network Address Translation (NAT) rules on the host. It's necessary to add these rules on the host due to Docker's network isolation and security defaults.

Note

You should not need to execute ./firewall-rules.sh manually; RaspAP will do this for you.

If your host's network interfaces are anything other than wlan0 and eth0, you may customize these rules to suit your own specific needs. After editing this file on your device, set execute permissions and run it like so:

sudo chmod +x firewall-rules.sh\n./firewall-rules.sh\n

"},{"location":"docker/#installer-options","title":"Installer options","text":"

The goal of the initial Docker rollout for RaspAP is to have a \"one shot\" command to get a container up quickly with minimal user input. For this reason, the RaspAP application stack is installed with some common options enabled by default. These optional components are Ad blocking, OpenVPN and WireGuard.

You may change this behavior by removing any or all of the Quick installer flags from RaspAP's Dockerfile. For example, to skip the WireGuard install option, remove the --wireguard 1 flag on the line below:

VOLUME [ \"/sys/fs/cgroup\" ]\n\nRUN curl -sL https://install.raspap.com | bash -s -- --yes --wireguard 1 --openvpn 1 --adblock 1\nCOPY firewall-rules.sh /home/firewall-rules.sh\nCOPY wpa_supplicant.conf /etc/wpa_supplicant/\n

With this done, you may proceed with building your Docker image as usual.

Tip

Alternatively, you may choose to install these optional components and disable them in RaspAP's configuration file, config.php.

"},{"location":"docker/#environment-variables","title":"Environment variables","text":"

Several environment variables are made available in RaspAP's Docker image to aid in configuration. These are summarized in the table below:

Environment Variable Description Default RASPAP_SSID SSID name raspap-webgui RASPAP_SSID_PASS SSID password ChangeMe RASPAP_COUNTRY SSID country code GB RASPAP_WEBGUI_USER Admin username admin RASPAP_WEBGUI_PASS Admin password secret RASPAP_WEBGUI_PORT Web user interface port 80

More fine-grained configuration is also possible through the use of the following prefixed environment variables, in the form RASAPAP_[target]_[key]:

Environment Variable Prefix Target File RASPAP_hostapd_ /etc/hostapd/hostapd.conf RASPAP_raspap_ /etc/dnsmasq.d/090_raspap.conf RASPAP_wlan0_ /etc/dnsmasq.d/090_wlan0.conf

For example, RASPAP_hostapd_driver would set the driver value in /etc/hostapd/hostapd.conf.

"},{"location":"docker/#troubleshooting","title":"Troubleshooting","text":"

The docker logs command shows information logged by a running container and is generally the best starting point for troubleshooting. To obtain logs for the raspap container, execute docker logs raspap.

The Docker daemon logs may also help you diagnose problems. Use the command journalctl -xu docker.service (or read /var/log/syslog or /var/log/messages, depending on your Linux Distribution).

For issues related to Docker Engine, refer to Docker's troubleshooting section.

"},{"location":"docker/#discussions","title":"Discussions","text":"

Questions or comments about using RaspAP's Docker container? Join the discussions here.

"},{"location":"dynamicdns/","title":"Dynamic DNS","text":""},{"location":"dynamicdns/#overview","title":"Overview","text":"

Experimental \u00b7 Insiders only

Accessing your device from anywhere in your local network is great, but there are times when you might want it to be reachable from remote locations. This is particularly true for projects such as media servers, network attached storage (NAS) and VPNs such as those provided by RaspAP. However, due to the shortage of IPv4 addresses, it's likely that you will receive a new and different external IP address from your ISP each time your router is rebooted.

Some ISPs offer a static external IP address, although often at an additional cost above a basic subscription. This is where using a Dynamic DNS (or DDNS) service on your home network can be extremely useful.

"},{"location":"dynamicdns/#solution","title":"Solution","text":"

Dynamic DNS solves this problem by providing a domain name that always points to the current IP address of your device, regardless of how often it changes. With DDNS, the IP assigned to your domain name is automatically updated by a piece of software (known as a daemon) running on your device. This means that you can access the server using the same domain name, without having to constantly update settings each time the IP address changes.

The daemon running on your device resolves your external IP address using one of several methods, then reports this to your DDNS provider. There are a number of different providers that offer Dynamics DNS free of charge. If you currently own a custom domain name, chances are your registrar provides DDNS or has a partner to support this.

"},{"location":"dynamicdns/#installation","title":"Installation","text":"

The Quick installer will give you the option to add the required packages to your system, and enable the configuration page in RaspAP. Simply press Enter at the prompt to accept the default \"Y\" (yes) response:

Install ddclient and enable DDNS configuration? [Y/n]:\n

When the installer completes, you will be able to administer the ddclient service as described in the sections below.

"},{"location":"dynamicdns/#basic-settings","title":"Basic settings","text":"

All the configuration settings needed to enable Dynamic DNS on your device are available on the Basic settings tab. These are described in the next section.

"},{"location":"dynamicdns/#service-provider","title":"Service provider","text":"

RaspAP makes use of the proven ddclient open source software for Linux to update dynamic DNS entries. The ddclient software is highly configurable and provides a daemon that updates your external IP at scheduled intervals. Many popular Dynamic DNS services are supported by ddclient and RaspAP.

Instructions on how to setup your domain for DDNS vary by provider, but the process is generally similar. Begin by selecting a Service provider from the dropdown. RaspAP will assist you by automatically populating the Protocol and Server fields. You may also manually configure the details for your service if so desired.

Note

Some DDNS providers, such as NoIP, distribute their own Linux client to use with their service. It isn't necessary to install this software because the ddclient daemon already includes this functionality.

"},{"location":"dynamicdns/#method-to-obtain-ip","title":"Method to obtain IP","text":"

There are a variety of different methods to determine your external IP address. A popular one involves a discovery page on the web that resolves your IP. If you choose this method, enter it in the Web address field after selecting this option from the Method to obtain IP select.

Tip

There are many freely available external IP discovery pages you can use. Examples include ChangeIP and this one from Namecheap. Each of these pages perform the same basic function.

Alternatively, you may want to use an IP address from a network interface, your router's firewall status page, or an external command. Each of these options can be specified, thereby giving you a great deal of flexibility.

"},{"location":"dynamicdns/#login-and-domain","title":"Login and domain","text":"

Enter your DDNS service credentials in the Username and Password fields. Finally, specify the Domain to be updated that will be associated with your device. DDNS providers may also refer to this as a \"zone\" or \"host\". These definitions may take several forms, for example:

myhost.dyndns.org\nmydomain.com\n@.mydomain.com\n

Check with your DDNS service provider to determine which entry is best for your configuration. To complete your setup, choose Save settings now or proceed with advanced options.

"},{"location":"dynamicdns/#advanced-settings","title":"Advanced settings","text":"

A subset of advanced options are provided for your configuration. These are not required for the DDNS service to be functional, but may be adjusted to suit your needs.

"},{"location":"dynamicdns/#enable-ssl","title":"Enable SSL","text":"

You may wish to Enable SSL to ensure that your credentials are not sent over the internet unencrypted. Not all providers support this, however, so this option is disabled by default. Enabling this option for a non-SSL supported provider may result in a connection timeout. Errors such as these have been reported:

WARNING:  cannot connect to checkip.dyndns.org:443 socket: Connection timed out SSL connect attempt failed\nWARNING:  found neither IPv4 nor IPv6 address\nDEBUG:    get_ip: using web, http://checkip.dyndns.org/ reports <undefined>\nWARNING:  unable to determine IP address\n

For this reason, it's recommended to check with your DDNS service provider before enabling this.

"},{"location":"dynamicdns/#daemon-check-interval","title":"Daemon check interval","text":"

Finally, you may define the Daemon check interval to control the length of time between updates performed by ddclient in the background. This value is specified in milliseconds and defaults to 300.

When you've completed your configuration, choose Save settings and Start Dynamic DNS.

"},{"location":"dynamicdns/#troubleshooting","title":"Troubleshooting","text":"

Behind the scenes, the ddclient daemon will determine your external IP using the method you've defined and send this to your DDNS provider. Your provider will then update the IP address corresponding to the DNS \"A\" (or \"address\") record for your domain.

If your DDNS provider fails to report your current IP address, or you suspect there might be a problem with the ddclient configuration on your device, you may generate a detailed debug log.

From the Logging tab, use the Generate log button to invoke the ddclient daemon and output a troubleshooting log:

This will provide a verbose output of everything ddclient is doing. If it ends with a SUCCESS message this indicates that the daemon successfully checked and updated the DNS \"A\" record with your provider, if neccessary. An example of this is shown below:

RECEIVE:  140.82.121.3\nDEBUG:    get_ip: using web\n dynamicdns.park-your-domain.com/getip reports 140.82.121.3\nSUCCESS:  @.mydomain.com: skipped: IP address was already set to 140.82.121.3.\n

If the daemon doesn\u2019t reply with SUCCESS, the debug output should give you some clues as to what the problem is.

"},{"location":"dynamicdns/#port-forwarding","title":"Port forwarding","text":"

If ddclient has successfully updated your DDNS provider's \"A\" record with your IP address, but you are unable to access your device remotely, it's likely your router needs to be configured for port forwarding. This instructs the router to send, or forward, data packets from the external WAN interface to the internal IP address belonging to your device.

You can enable this by using your router's port mapping/forwarding setup. This procedure allows remote computers to connect to a specific device within your internal LAN's private address space. Specifics are highly dependent on the router you have, although the steps are generally straightforward. Consult your router's documentation for details.

"},{"location":"dynamicdns/#demilitarized-zone","title":"Demilitarized zone","text":"

An alternative to forwarding specific ports to an internal IP is using a demilitarized zone (DMZ). A home router DMZ is a host on an internal network that has all UDP and TCP ports open and exposed, except those ports otherwise forwarded. By using this method, all the ports (and services) of your device will be directly accessible from the internet, with the attendant security risks that this implies.

This setup is often desirable when a host is running multiple public-facing services that need to be accessed over the internet. In this context, a DMZ provides greater isolation and granular control than is possible with port forwarding. It's also possible to configure different security policies for various DMZ segments. For these reasons, a properly configured DMZ can be a more secure way to expose services to the internet than port forwarding.

The specifics of creating a DMZ are beyond the scope of this document, although at minimum a firewall is strongly advised.

"},{"location":"dynamicdns/#discussions","title":"Discussions","text":"

Questions or comments about using Dynamic DNS? Join the discussion here.

"},{"location":"faq/","title":"FAQ","text":"

This guide was written to address some frequently asked questions among users of RaspAP. FAQ items are organized into thematic sections, below, for easier reference.

If you would like to see a new FAQ that you feel would assist other users, start a discussion or open an issue.

"},{"location":"faq/#general","title":"General","text":""},{"location":"faq/#troubleshooting","title":"Troubleshooting","text":""},{"location":"faq/#integrations","title":"Integrations","text":""},{"location":"faq/#openvpn","title":"OpenVPN","text":""},{"location":"faq/#wireguard","title":"WireGuard","text":""},{"location":"faq/#networking","title":"Networking","text":""},{"location":"faq/#install-upgrade","title":"Install & upgrade","text":""},{"location":"faq/#is-raspap-a-fork-of-openwrt-or-another-router-project","title":"Is RaspAP a fork of OpenWrt or another router project?","text":"

RaspAP is an independent wireless router project designed for embedded systems and created by a community of developers. By contrast, OpenWrt is an operating system built around the Linux kernel. While powerful, it's rather more difficult to tailor custom applications around OpenWrt. That is, users are generally limited to what is available in OpenWrt's package repository, unless they fork the project code and modify the OS.

RaspAP is popularly used to provide a variety of networking and wireless routing services to other Linux projects and applications. Moreover, with Docker support users are able to run RaspAP in an isolated container. This gives you much greater flexibility if you're hosting other Linux services and/or applications on your device.

"},{"location":"faq/#what-is-the-scope-of-support-for-desktop-distributions","title":"What is the scope of support for Desktop distributions?","text":"

A desktop distribution (or \"distro\") usually has a very different set of programs that handles various underlying OS functions and wraps it with a pretty GUI. While this project generally recommends non-desktop distros, such as Raspberry Pi OS Lite, it's understood that many users prefer using a desktop environment.

For this reason, Raspberry Pi OS (64-bit) Desktop has undergone extensive testing and is subsequently validated for use with this project with clean installs of the OS.

Please be aware that \"supported\" is not a guarantee. That is, if you experience issues with RaspAP in your desktop environment, it's your responsibility (not the maintainers of this project) to eliminate potential conflicts with other software that you've installed after booting a fresh desktop OS. Before reporting a bug, you may use one of several community support channels to help you determine the cause of your issue or find a potential workaround.

"},{"location":"faq/#what-do-all-these-settings-in-the-ui-do-changing-them-seems-to-have-no-effect","title":"What do all these settings in the UI do? Changing them seems to have no effect.","text":"

RaspAP manipulates several daemons, services and helper programs behind the scenes for you. In the footer of each management panel is a helpful \"Information provided by...\" label. These indicate which Linux daemon and/or program is being modified by the UI. Learning what these services are and how they work will go a long way toward demystifying things.

For example, two of the best starting points for understanding hostapd (the service that implements 802.11 AP management) include the hostapd Linux documentation page and hostapd Wifi homepage.

Info

After you choose Save settings for hostapd or dhcpcd, these services must be restarted for your changes to take effect. If you're not sure if your AP is behaving as expected, enable logging in the Logging tab of Hotspot and check the output.

"},{"location":"faq/#how-do-i-prepare-the-sd-card-to-connect-to-wifi-in-headless-mode","title":"How do I prepare the SD card to connect to WiFi in headless mode?","text":"

Since May 2016, Raspbian has been able to copy wifi details from /boot/wpa_supplicant.conf into /etc/wpa_supplicant/wpa_supplicant.conf to automatically configure wireless network access.

An example wpa_supplicant.conf file is shown below. Replace the fields with your settings:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev\nupdate_config=1\ncountry=your_ISO-3166_two-letter_country_code\n\nnetwork={\n    ssid=\"my_SSID\"\n    psk=\"my_PSK\"\n    key_mgmt=WPA-PSK\n}\n
"},{"location":"faq/#can-i-use-wlan0-and-wlan1-rather-than-eth0-for-my-ap","title":"Can I use wlan0 and wlan1 rather than eth0 for my AP?","text":"

Yes, this is supported by RaspAP. In this scenario, you may wish to use the wlan0 interface as the AP interface with wlan1 as the wireless client interface. Refer to the dedicated WiFi repeater walkthrough for steps to enable this configuration.

"},{"location":"faq/#can-i-use-raspap-as-a-monitor-only-without-changing-my-configuration","title":"Can I use RaspAP as a monitor only, without changing my configuration?","text":"

Yes, RaspAP has support for a so-called \"monitor mode\". In config.php change the setting RASPI_MONITOR_ENABLED to true. This disables the ability to modify settings, start/stop daemons, shutdown or reboot the RPi. RaspAP will continue to report interface statistics, service settings and data usage as normal. See this for more information.

"},{"location":"faq/#can-i-use-raspap-with-my-custom-dnsmasq-configuration","title":"Can I use RaspAP with my custom dnsmasq configuration?","text":"

Yes, RaspAP supports this through the use of dnsmasq.d. The primary /etc/dnsmasq.d/090_raspap.conf managed by the UI includes the following directive to enable your custom .conf files:

conf-dir=/etc/dnsmasq.d\n

Configuration files placed in this directory will be used by the dnsmasq service and are untouched by the UI.

"},{"location":"faq/#what-is-the-maximum-number-of-simultaneous-clients-that-i-can-connect-to-my-ap","title":"What is the maximum number of simultaneous clients that I can connect to my AP?","text":"

Short answer: it depends.

Longer answer: there are several factors that come into play including, but not limited to, the specific RPi model, firmware version, available RAM and so on.

Every update to the RPi's firmware takes up more of the limited RAM reserved for WiFi, resulting in less space to host AP clients. Users of RaspAP have reported up to 19 simultaneous clients with a RPi 3B, but a smaller number with a newer RPi model. If you are willing to modify your device's firmware and replace the brcmfmac driver with a specific version, a maximum of 20 simultaneous WiFi clients is theoretically possible.

Bottom line: if maximizing AP clients is your primary goal, you will have to either use a specific firmware version or purchase an external wireless adapter.

See also: https://github.com/raspberrypi/linux/issues/3010.

"},{"location":"faq/#where-can-i-find-a-list-of-usb-wifi-adapters-that-use-in-kernel-drivers","title":"Where can I find a list of USB WiFi adapters that use in-kernel drivers?","text":"

There are many USB WiFi adapters that work without the need to install a driver in Linux. The term \"in-kernel\" refers to drivers that are packaged and maintained by the Linux kernel.

This GitHub list currently has 60 links to USB WiFi adapters that work without installing drivers (ie., \"plug and play\") on devices like the Raspberry Pi.

With adapters that use in-kernel drivers, you may simply plug the adapter in and it will work. Many people find that using adapters with in-kernel drivers is a better solution than buying an adapter that requires drivers to be found, downloaded, compiled, installed, fixed and reinstalled.

"},{"location":"faq/#what-are-the-passphrase-requirements-used-by-raspap","title":"What are the passphrase requirements used by RaspAP?","text":"

The requirements are based on IEEE standard 802.11i-2004 which defines a passphrase as a sequence of between 8 and 63 ASCII-encoded characters. Furthermore, each character in the passphrase must have a decimal encoding in the range of 32 to 126 (IEEE Std. 802.11i-2004, Annex H.4.1). These are often known as printable characters that represent letters, digits, punctuation marks and a few miscellaneous symbols.

This means that so-called special characters, or extended ASCII codes, are not permitted in a passphrase. For example, the Euro sign \"\u20ac\", German \"\u00e4\" and British pound symbol \"\u00a3\" fall outside this range.

RaspAP will automatically generate a secure passphrase, or PSK, for you. On the Hotspot > Security tab, click or tap the magic icon next to the PSK input. Choose Save settings and Restart hotspot for the changes to take effect.

"},{"location":"faq/#can-i-remove-the-ap-password-to-create-an-open-wifi-network","title":"Can I remove the AP password to create an open WiFi network?","text":"

Yes. On the Hotspot > Security tab, select 'None' for Security type. Choose Save settings and Restart hotspot for the changes to take effect.

"},{"location":"faq/#how-do-i-prevent-wan-access-to-raspaps-web-administration","title":"How do I prevent WAN access to RaspAP's web administration?","text":"

There are two ways to do this. The simplest method is to set the web server's bind address in RaspAP's System > Advanced tab to the IPv4 address you wish to grant access to. Choose Save settings and Restart lighttpd. After this is done, the web server will refuse connections to all IP addresses other than the one you've defined.

A somewhat cleaner method with a \"403 Forbidden\" response can be done manually with lighttpd. You could modify lighttpd's main config directly, but to keep things neater we can use RaspAP's own configuration in lighttpd's /conf-available directory. Edit it like so:

sudo nano /etc/lighttpd/conf-available/50-raspap-router.conf\n

Add the following to the end, substituting the 192.168.0.0/16 private IPv4 address range (192.168.0.0 \u2013 192.168.255.255) for your own network:

# deny access to RaspAP admin for users that\n# are not in the 192.168.0.0/16 network\n$HTTP[\"remoteip\"] != \"192.168.0.0/16\" {\n    url.access-deny = ( \"\" )\n}\n

Save and exit the file, then restart the lighttpd service:

sudo systemctl restart lighttpd.service\n

Clients outside of your defined network range will receive a '403' response when accessing the web UI.

"},{"location":"faq/#can-i-reduce-the-risk-of-sd-card-corruption-and-extend-a-cards-lifespan","title":"Can I reduce the risk of SD card corruption and extend a card's lifespan?","text":"

Yes. RaspAP has developed a minimal write mode that substantially reduces disk I/O activity and helps to extend the life of microSD cards.

"},{"location":"faq/#after-a-clean-install-wifi-andor-raspap-behaves-unpredictably","title":"After a clean install, WiFi and/or RaspAP behaves unpredictably.","text":"

Issues like this are frequently reported. The vast majority of these problems stem from one (or a combination) of the following:

  1. The install was not performed on a clean OS.
  2. A faulty, corrupt, fake, poor quality and/or otherwise unsuitable SD card was used.
  3. The SD card has insufficient storage space.
  4. Raspberry Pi Imager software applied preconfigured wireless settings.

If you observe RaspAP or your wireless AP behaving strangely, be sure to follow the project prerequisites and perform a clean install with a known-good SD card from a reputable manufacturer.

Problems such as this can be difficult to diagnose. In this case, the Raspberry Pi Imager was adding the user's old WiFi settings to an otherwise clean OS image. Be sure to check the \"OS customization\" options when using this software. When in doubt, use an alternative SD card imaging tool.

RaspAP has been successfully integrated with many popular open source projects. One of the best ways to use RaspAP in an existing project is to deploy it in an isolated Docker container.

"},{"location":"faq/#my-80211ac-5-ghz-hotspot-failed-to-start-what-now","title":"My 802.11ac 5 GHz hotspot failed to start. What now?","text":"

RaspAP uses iw and the wireless-regdb to determine which channels are allowed for your configured country. However, not all channels may be supported by your device's wireless adapter or firmware. If your 5 GHz access point fails to start, use the steps below to troubleshoot the problem.

Begin by enabling hostapd service logging by sliding the Logfile output toggle on the Hotspot > Logging tab. Choose Save settings followed by Restart hotspot and check the log output. The logs will often indicate when a selected channel is not supported by the hardware. For example:

wlan0: IEEE 802.11 Hardware does not support configured channel\nCould not select hw_mode and channel. (-3)\n

This may occur with the Raspberry Pi or another device's onboard wireless chipset, or an external wireless adapter. To mitigate this, select one of the following 5 GHz channels: 36, 40, 44 or 48, then choose Save settings. Click or tap the Clear log button on the Hotspot > Logging tab, if needed, and finally choose Restart hotspot. Check the logs again and see if the error persists.

If the 802.11ac AP still fails to start, an external AC wireless adapter with in-kernel drivers is an option worth considering.

"},{"location":"faq/#clients-cannot-obtain-an-ip-address-from-the-ap","title":"Clients cannot obtain an IP address from the AP.","text":"

Clients may receive a \"failed to obtain IP address\" or similar error message when connecting to your AP. These are the most frequent reasons for this error: 1. A poor WiFi signal from the access point. In this event, reduce the distance between your device and the AP. 2. Your device does not operate properly with the encryption method set by the AP. 3. The access point is misconfigured.

The first and simplest fix is to reconnect the client to your WiFi network. When you do this, the AP forgets the previous attempt and initiates a new process to assign an IP address to your device. Exact methods vary between devices, however most will have a 'Forget this network' option or similar in the WiFi settings. This is shown in iOS, below:

If clients still fail to connect, restart the AP. You may do this by choosing Restart hotspot from RaspAP. This reinitializes several related services in a predictable order and timing. Assuming these services are configured to restart automatically on reboot (the default behavior when RaspAP's installer is used) you may also simply reboot your Pi.

RaspAP gives you control over many aspects of your WiFi network, including DHCP. With its default settings, RaspAP has been rigorously tested and validated to provide connectivity in routed AP mode. If you suspect that RaspAP is misconfigured and not providing IP addresses to clients, you may troubleshoot this yourself.

Clients connecting to your AP are assigned, or leased, an IP address with dnsmasq. You can see how this process works by enabling the Log DHCP requests option in the DHCP Server > Logging tab. When a client connects to your AP, a typical dnsmasq-dhcp exchange follows this pattern:

dnsmasq-dhcp[2516]: DHCPDISCOVER(wlan0) [MAC address] \ndnsmasq-dhcp[2516]: DHCPOFFER(wlan0) 10.3.141.249 [MAC address] \ndnsmasq-dhcp[2516]: DHCPREQUEST(wlan0) 10.3.141.249 [MAC address] \ndnsmasq-dhcp[2516]: DHCPACK(wlan0) 10.3.141.249 [MAC address] iPhone\n

If one or more steps in this exchange are missing, either your device is unable to respond to the server's DHCPOFFER or the AP itself is misconfigured.

Tip

By default, the dnsmasq service listens on TCP/UDP port 53 and UDP port 67. If you have configured firewall software such as ufw or iptables to filter traffic on these ports, the service may not be able to respond to DHCP requests.

As a last resort, you can assign a static IP address to your device. Copy the MAC address for your device as it appears above and create a new entry in RaspAP's DHCP Server > Static Leases tab. Save settings, restart dnsmasq and try connecting your client again.

"},{"location":"faq/#my-wifi-network-disappeared-and-i-cant-access-the-web-ui","title":"My WiFi network disappeared and I can't access the web UI","text":"

If you are running your Pi headless and are unable to access RaspAP's web interface from the default http://10.3.141.1/ address, do the following:

  1. Be sure your browser isn't forcing SSL by appending https:// to the address, which can result in misleading errors. This may sound obvious but it's reported frequently. (Related: add SSL support for RaspAP.
  2. Connect your device to wired ethernet and access it via the browser or SSH on the eth0 interface using one of the methods described below. Check the logs for hostapd errors and reconfigure the service, or run the installer again to restore the default configuration.
  3. There are several methods you can use to determine your Pi's IP address. RaspAP's installer only configures a static IP address for the AP interface on wlan0. If the AP has entered a failed state, you may still be able to connect on an alternate interface.
  4. Recent versions of the RPi OS kernel include the avahi-daemon which facilitates local network discovery via multicast DNS (mDNS). On client computers with the Bonjour service installed (all macOS machines and Windows PCs with Apple iTunes), try accessing your Pi by entering http://raspberrypi.local/ in the browser or via SSH with ssh pi@raspberrypi.local.
  5. If you don't have access to wired ethernet or the above methods fail, configure your Pi for USB-OTG, also known as \"on-the-go\" or gadget mode. Instructions for enabling USB-OTG vary between various models and not all Pi hardware has support for this.
"},{"location":"faq/#my-custom-hostapdconf-phpini-is-gone","title":"My custom hostapd.conf / php.ini is gone.","text":"

The installer applies a \"known good\" default configuration to some services, including hostapd. It will also, optionally, optimize PHP by changing a very limited number of settings. Your custom configurations haven't been lost however; they've been moved to the backups directory in /etc/raspap/backups.

You are free to SSH in to restore those files to their rightful position. However, you may need to ensure that the RaspAP modifications are applied to your own custom configurations.

"},{"location":"faq/#i-changed-the-admin-password-and-forgot-what-it-was","title":"I changed the admin password and forgot what it was.","text":"

Login credentials are stored in /etc/raspap/raspap.auth. The password is encrypted and cannot be edited manually. However, deleting this file with sudo rm /etc/raspap/raspap.auth will restore the default admin password.

"},{"location":"faq/#raspap-control-panel-works-but-there-is-no-wifi-after-reboot","title":"RaspAP control panel works but there is no WiFi after reboot.","text":"

This problem often occurs when another program tries to reconfigure hostapd at startup. It can also happen when your RPi is configured as both a WiFi client and access point, also known as a managed mode AP. To address this, RaspAP has added a systemd init service to bring up networking services in a predictable order and timing after the Linux kernel is booted. You can check the status of this service with:

sudo systemctl status raspapd.service\n

The raspapd.service is optionally installed and enabled by the Quick Installer. It is also included in the manual setup steps.

"},{"location":"faq/#bridged-ap-mode-is-unstable-or-clients-cant-connect","title":"Bridged AP mode is unstable or clients can't connect.","text":"

RaspAP delegates all DHCP control to your router in bridged AP mode. If you have trouble connecting clients, start with this project's default configuration in routed AP mode first and try connecting a client. Enable logging for DHCP and hostapd to help you identify any problems. If you have no issues with client connectivity with the default routed AP, but cannot connect clients in bridged AP mode, in most cases the problem lies with your router\u2014not RaspAP. Check your router's web interface and DHCP settings.

If clients disconnect intermittently, this often indicates an undervoltage issue with your RPi. Check the kernel log for any Under-voltage detected! errors. Be sure you are using an official 5.1V power supply (each model has different power requirements) and detach any USB devices. Executing dmesg | grep br0 can also offer clues. Execute sudo dhclient -v to gain insights into DHCP requests between your device and router. A typical DHCP exchange follows this pattern:

CLIENT -> DHCPDISCOVER\nSERVER -> DHCPOFFER\nCLIENT -> DHCPREQUEST\nSERVER -> DHCPACK\n

If your device (the client) broadcasts DHCPDISCOVER, but there is no DHCPOFFER response from your router, you have a misconfiguration or other issue with your network. Troubleshooting client connectivity in bridged AP mode is not supported. No hard feelings.

"},{"location":"faq/#managed-mode-ap-doesnt-work-on-the-pi-zero-w","title":"Managed mode AP doesn't work on the Pi Zero W.","text":"

See this walkthrough where the installation is described in detail.

"},{"location":"faq/#wifi-scanning-doesnt-work-or-i-get-the-error-cannot-execute-wpa_cli-reconfigure","title":"WiFi scanning doesn't work or I get the error cannot execute \"wpa_cli reconfigure\".","text":"

On some configurations, the Configure WiFi client panel may appear empty. This project uses the wpa_supplicant command line client wpa_cli to populate a list of available wireless networks. If you can't execute this from the shell, neither can the web UI. For example, the results of this command:

sudo wpa_cli -i wlan0 scan_results\nFailed to connect to non-global ctrl_ifname: wlan0  error: No such file or directory\n
...indicate a problem with the socket used to communicate with wpa_supplicant. You may also encounter errors such as \"Could not connect to wpa_supplicant: wlan0 - re-trying\".

If this happens, first check the contents of wpa_supplicant with sudo cat /etc/wpa_supplicant/wpa_supplicant.conf. You should see, at minimum, the following:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev\nupdate_config=1\n

The above is present on clean installs of Raspbian. If you've made changes to this file, ensure that these lines appear first. Next, reinitialize the socket with:

sudo wpa_supplicant -B -Dnl80211,wext -c/etc/wpa_supplicant/wpa_supplicant.conf -iwlan0\n

substituting wlan0 with your wireless interface, if necessary. You should then be able to perform scans as expected.

Tip

If you are using wpa_suplicant.conf to connect to your device with SSH on a wireless interface, do not reboot after running the Quick Installer. More information on this topic is available here.

"},{"location":"faq/#i-started-the-hotspot-but-it-shows-hostapd-down-whats-happening","title":"I started the hotspot but it shows \"hostapd down\". What's happening?","text":"

Hostapd, the Linux service that creates the access point, can fail to start for a variety of reasons. The following are common causes, with troubleshooting advice:

  1. If you've attached an external wireless adapter (bound to wlan1, for example) and have selected this as the AP interface, be sure that it either uses an in-kernel driver, also known as \"plug and play\" support, or that you have installed the correct driver for it.
  2. Confirm that the 802.11 wireless mode you've selected is supported by the adapter you've chosen in the list of available interfaces. For example, if you've selected the 802.11ac 5 GHz wireless mode with incompatible hardware, RaspAP will create the configuration for you but hostapd will fail to start.

In each of these cases, the hostapd service will report errors that can be useful for troubleshooting. Enable logging by selecting Logfile output on the Hostapd > Logging tab, choose Save settings then Restart hotspot.

Refer to this FAQ and this FAQ for more info.

"},{"location":"faq/#pinging-the-ap-from-a-connected-client-computer-or-vice-versa-results-in-an-intermittent-failure-can-i-troubleshoot-this","title":"Pinging the AP from a connected client computer (or vice versa) results in an intermittent failure. Can I troubleshoot this?","text":"

An intermittent ping failure on the wireless interface could indicate any number of things; a poor wireless signal, co-channel interference and disassociated client being among the most common. The following are methods for troubleshooting this:

  1. Get a signal strength report. A signal of -80 dBm or less from your AP is unreliable. If your client computer supports Linux, use sudo iw dev wlan0 scan | awk '/signal:/{sta=$2$3} /SSID:/{print $0\" \"sta}' and check your AP's dBm value. Alternatively, use any one of several graphical WiFi explorer type tools and obtain your signal strength this way.

  2. Use wavemon on the AP to scan for overlapping channels from nearby APs. Install it with sudo apt install wavemon. If it shows an AP with a strong signal on the same channel as your AP, you are likely experiencing co-channel interference. Select a different channel or band for your AP, restart it and compare the results.

  3. Use mtr to run a continuous scan that reports on latency and percentage packet loss. Install it with sudo apt install mtr-tiny. Obtain your client's IPv4 address from the dashboard or DHCP Server > Client list and start the utility, for example mtr 10.3.141.151. While the scan is running, reposition your client computer and/or your AP and observe the results.

  4. Enable hostapd service logging from RaspAP with Hotspot > Logging > Logfile output, followed by Save settings and restart your AP. Look for errors that indicate clients are being disassociated from the AP. Refer to this FAQ for more info.

"},{"location":"faq/#my-wlan1-keeps-being-disabled-andor-clients-are-repeatedly-disconnected","title":"My wlan1 keeps being disabled and/or clients are repeatedly disconnected.","text":"

Issues such as this can be tricky to diagnose. In this case, an AP is started with an external USB wireless adapter, but client devices are continuously authenticated and disconnected (or \"disassociated\"). This may appear in hostapd service logs like so:

wlan1: STA 24:62:ab:fd:24:34 IEEE 802.11: authenticated\nwlan1: STA 24:62:ab:fd:24:34 IEEE 802.11: associated (aid 1)\nwlan1: AP-STA-CONNECTED 24:62:ab:fd:24:34\nwlan1: STA 24:62:ab:fd:24:34 RADIUS: starting accounting session 1D0030DD3176A315\nwlan1: STA 24:62:ab:fd:24:34 WPA: pairwise key handshake completed (RSN)\nwlan1: AP-STA-DISCONNECTED 24:62:ab:fd:24:34\nwlan1: STA 24:62:ab:fd:24:34 IEEE 802.11: disassociated\nwlan1: STA 24:62:ab:fd:24:34 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)\n

The AP itself may also fail repeatedly with errors like the following:

wlan1: INTERFACE-ENABLED \nFailed to set beacon parameters\nwlan1: INTERFACE-DISABLED \nwlan1: INTERFACE-ENABLED \nFailed to set beacon parameters\nwlan1: interface state ENABLED->DISABLED\nwlan1: AP-DISABLED \nwlan1: CTRL-EVENT-TERMINATING \n

If you see messages indicating \"deauthenticated due to inactivity\", you can try the \"Disable disassoc_low_ack\" setting on the Hotspot > Advanced tab. Choose Save settings then restart your AP. Monitor the hostapd service logs and see if your clients are able to remain connected.

In this specific case, the user determined that the external RT3070 WiFi adapter was at fault.

"},{"location":"faq/#raspap-web-ui-fails-to-start-or-unable-to-save-settings","title":"RaspAP web UI fails to start or unable to save settings.","text":"

After performing a clean install of RaspAP or upgrading an existing installation, the web UI may fail to start or the admin panel may behave in unexpected ways. For example, pages may load but any attempt to save settings will fail. In other cases, the lighttpd web server may fail to respond completely. Errors such as these in /var/log/lighttpd/error.log are common:

(gw_backend.c.503) bind failed for: unix:/run/lighttpd/php.socket-0: No such file or directory\n(gw_backend.c.601) gw-backend failed to start: /usr/bin/php-cgi\n(gw_backend.c.1655) [ERROR]: spawning gw failed\n

These signs point to a corrupted filesystem on the SD card. If during a power disconnection the memory card is in a write operation, there is a high chance that one or more sectors will be damaged. In these cases, a fresh install on a new SD card can save you time and frustration. RaspAP's minimal SD card write mode can help in this case.

Tip

Be sure to use genuine MicroSD cards from a reputable manufacturer. Card clones are common and hard to distinguish from legitimately made ones, but certainly not subject to the same quality standards. Neither fake nor cheap cards are typically suitable for an entire OS to run from.

"},{"location":"faq/#why-do-i-receive-an-invalid-csrf-token-message-and-a-blank-screen","title":"Why do I receive an 'Invalid CSRF token' message and a blank screen?","text":"

A cross-site request forgery (CSRF) is a type of exploit where unauthorized commands are executed against a website on behalf of a trusted user. To guard against this, RaspAP generates a one-time token that is unique for every user and stored in the PHP session object. This token value is inserted into a hidden field on every form in the RaspAP application. If the token doesn\u2019t exist in the submitted form data or fails to match with the token on the server, the form will reject the submission and return an error.

The most common cause for this error message is when your PHP session expires. By default, the PHP session timeout is defined as 24 minutes (1440 seconds). When this timeout is reached stored data will be seen as \"garbage\" and cleaned up by the garbage collection process.

If you submit a form in RaspAP 24 minutes after the page was loaded, the application will return a CSRF token error. When this occurs, simply refresh the page to generate a new session token.

"},{"location":"faq/#can-i-restore-raspaps-default-settings","title":"Can I restore RaspAP's default settings?","text":"

Yes, two methods are described here.

"},{"location":"faq/#how-do-i-integrate-raspap-with-pi-hole","title":"How do I integrate RaspAP with Pi-hole?","text":"

There have been several discussions around integrating RaspAP with Pi-hole, with the end goal of hosting a complete AP and ad-blocker on a single device. Both projects rely on dnsmasq, so integration between them is tricky. There are now several options available to users of RaspAP.

  1. The first option is to configure RaspAP to use a Pi-Hole installation on a separate device. Go to RaspAP's DHCP Server > Advanced page and enable the \"Upstream DNS Server\" option, add your Pi-Hole's DNS, save settings and restart dnsmasq.

  2. Install RaspAP in an isolated Docker container together with Pi-Hole. You will need to configure Pi-Hole's dnsmasq service to listen on a port other than 53.

  3. Install Pi-Hole in a Docker container and proceed with a normal installation of RaspAP on the same device.

  4. Alternatively, you may use RaspAP's own ad blocking facility with support for custom blocklists.

"},{"location":"faq/#can-i-integrate-raspap-with-adguard-home","title":"Can I integrate RaspAP with Adguard Home?","text":"

Yes, you can run RaspAP and Adguard Home on the same device. Change Adguard Home\u2019s listening port to 5300 and bind to 127.0.0.1, then go to RaspAP's > DHCP Server > Advanced page and enable the \"Upstream DNS Server\". Add 127.0.0.1#5300 as an upstream DNS Server. Save settings and restart dnsmasq. Tip via @firestrife23

"},{"location":"faq/#can-i-configure-raspap-to-work-with-a-captive-portal","title":"Can I configure RaspAP to work with a captive portal?","text":"

Yes. The nodogsplash project works just fine with RaspAP and is recommended over other methods. A detailed setup guide is available here.

"},{"location":"faq/#how-do-i-create-an-ap-activation-schedule","title":"How do I create an AP activation schedule?","text":"

This is a common function in consumer wireless routers. For example, let's assume you want to disable your AP on Monday through Friday between 02:00 and 08:00. You can implement this with cron to stop/start RaspAP's service control script at certain times. Run sudo crontab -e and add entries like so:

# Stop RaspAP services at 02:00 on Monday through Friday\n0 2 * * 1-5 sudo /etc/raspap/hostapd/servicestart.sh --action stop\n\n# Start RaspAP services at 08:00 on Monday through Friday\n0 8 * * 1-5 sudo /etc/raspap/hostapd/servicestart.sh --seconds 3\n

For help with crontab, head over to crontab.guru.

"},{"location":"faq/#can-i-schedule-the-wifi-password-to-change-automatically","title":"Can I schedule the WiFi password to change automatically?","text":"

Yes. Here's one way to do it using bash. Save the script to your home directory (/home/pi for example) and set the execution bit with sudo chmod +x genpassphrase.sh. When executed, the script will automatically generate a strong password (or a weaker, pronounceable one), update the wpa_passphrase setting in hostapd.conf and finally restart the raspapd.service. The new passphrase and QR code will be visible on the Hotspot > Security tab.

This can be useful if you're using RaspAP to serve WiFi to clients in a public place, and need to update the passphrase regularly. Similar to creating an AP activation schedule, you can have this execute at specific intervals by using cron. Run sudo crontab -e and add an entry like so:

# Generate a new passphrase and restart RaspAP everyday at midnight\n@midnight /home/pi/genpassphrase.sh\n

For help with crontab, head over to crontab.guru.

"},{"location":"faq/#can-i-configure-a-managed-mode-ap-without-using-the-ui","title":"Can I configure a managed mode AP without using the UI?","text":"

Yes. Let's assume you are creating an RPi OS image (or other supported OS) with scripts that setup RaspAP at first startup. In this scenario, to configure a managed mode AP you must manually connect via a browser, make some changes via the UI and then save your settings. This can be also be done programmatically. Assuming you have wpa_supplicant.conf fully populated and a valid hostapd.conf, set the following values in /etc/raspap/hostapd.ini:

LogEnable = 0\nWifiAPEnable = 1\nBridgedEnable = 0\nWifiManaged = wlan0\n

substituting wlan0 for your AP interface, if necessary. You may then restart the raspap daemon with sudo systemctl restart raspapd.service.

"},{"location":"faq/#can-i-configure-an-alternate-port-for-raspaps-web-service","title":"Can I configure an alternate port for RaspAP's web service?","text":"

Yes. You can now do this from the Advanced tab in System. Manual steps for changing lighttpd's default port are included below.

Edit /etc/lighttpd/lighttpd.conf and change the following line:

server.port                 = 8080\n
then give the service a kick...
sudo systemctl restart lighttpd.service\n
You can then access RaspAP as before with the new port number in the URI, for example, http://raspberrypi.local:8080. This will allow you run another web server alongside lighttpd, if that is your goal.

"},{"location":"faq/#what-breaks-raspap-when-docker-is-installed-on-the-same-system-and-how-i-can-fix-it","title":"What breaks RaspAP when Docker is installed on the same system and how I can fix it?","text":"

Installing RaspAP after installing Docker often results in connected clients not having internet access from the AP. The reason for this is Docker manipulates iptables rules to provide network isolation. Docker installs two custom iptables chains named DOCKER-USER and DOCKER, and it ensures that incoming packets are always checked by these two chains first. Docker also sets the policy for the FORWARD chain to DROP.

When RaspAP is started in its default router mode, this will result in the AP not forwarding traffic anymore. If you want RaspAP to continue functioning as a router, you can add explicit ACCEPT rules to the DOCKER-USER chain to allow it:

sudo iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT

When Docker is correctly installed after RaspAP, the following iptables chain should be present:

Chain INPUT (policy ACCEPT) target prot opt source destination\nChain FORWARD (policy ACCEPT)\ntarget prot opt source destination DOCKER-USER all -- anywhere anywhere\nDOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere\nACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED DOCKER all -- anywhere anywhere\nACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere\nChain OUTPUT (policy ACCEPT) target prot opt source destination\nChain DOCKER (1 references) target prot opt source destination\n

Additional info here and here.

tl;dr: Install RaspAP first, followed by Docker, adding the explicit iptables rule sudo iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT.

"},{"location":"faq/#can-i-integrate-raspap-with-openmediavault","title":"Can I integrate RaspAP with OpenMediaVault?","text":"

Yes, you can run RaspAP alongside OpenMediaVault for a complete media center and wireless hotspot on a single device. In this way, you are able to share the media storage in your local network via a wireless hotspot while connected to a router via ethernet. This is illustrated in the schematic below:

[Router] <---- eth ----> [Pi] (RaspAP + OMV5)\n   |                      |\n WiFi 1              WiFi 2 (subnet)\n

Follow these steps to create this configuration:

  1. Follow RaspAP's Quick start guide and set up your network as you wish.
  2. Change the default Web server port to 8080 (so that it doesn't conflict with OMV5), from RaspAP's System > Advanced panel.
  3. Install OMV5 skipping network configuration.
  4. Configure your OMV5 install without changing the network settings.
  5. To make your OMV5 drives accessible from the subnet (WiFi 2), add the following settings at the end of OMV Control panel > Menu > SMB/CIFS > Settings Tab > Extra Options:
    bind interfaces only = yes\ninterfaces = lo eth0\n

Source: openmediavault forums.

"},{"location":"faq/#can-i-use-raspap-to-share-speedifys-aggregated-connections","title":"Can I use RaspAP to share Speedify's aggregated connections?","text":"

Yes, RaspAP is compatible with Speedify's connection bonding. In this scenario, you may want to combine several internet connections (for example, a DSL connection, 4G cellphone and an LTE router) and share these via RaspAP.

Begin by running Speedify's one step install, login with your credentials and connect Speedify. Next, configure Speedify for WiFi sharing by editing the following file:

sudo nano /etc/speedify/speedify.conf\n

Make sure to uncomment the following lines (remove the \"#\" symbol). To share over the Wi-Fi interface wlan0, set:

ENABLE_SHARE=1 \nSHARE_INTERFACE=\"wlan0\"\nWIFI_INTERFACE=\"wlan0\" \n

Once you have configured the sharing settings, save the file (if you are using nano, use Ctrl+O and press Enter to save). Exit the text editor and then execute:

sudo service speedify-sharing restart\n

Refer to Speedify's support article for additional tips and troubleshooting.

"},{"location":"faq/#how-do-i-serve-custom-pages-from-raspap","title":"How do I serve custom pages from RaspAP?","text":"

Several users have asked if they can extend RaspAP or otherwise serve their own custom directory with the existing lighttpd web service. Broadly, there are two approaches to achieve this. In the examples below, we will add support for a custom directory called \"admin\".

Option 1. Create a subdirectory of RaspAP's default install location (/var/www/html) called \"admin\": /var/www/html/admin. Now, modify RaspAP's application routing rules by adding this directory to the exclusion list. You may do this with sudo nano /etc/lighttpd/conf-available/50-raspap-router.conf. Next, modify the following line like so:

$HTTP[\"url\"] =~ \"^/(?!(dist|app|ajax|config|admin)).*\" {\n

Note that \"admin\" is appended above \"config\", above. This instructs lighttpd not to rewrite URLs that match this pattern. Reload the lighttpd service with sudo systemctl reload lighttpd.service.

You may now create your own index.php file in this folder and request it from the browser as http://10.3.141.1/admin/ or http://raspberrypi.local/admin.

Option 2. Reinstall RaspAP and specify a custom install destination, for example /var/www/html/raspap. This will leave the default web root free for you to create any files you wish, without attempting to rewrite the URLs (the installer will only apply routing rules to your custom RaspAP root).

"},{"location":"faq/#can-i-automatically-update-raspaps-adblock-lists","title":"Can I automatically update RaspAP's adblock lists?","text":"

RaspAP's adblock feature uses several blocklists that are aggregated and updated daily. In a typical setup, you may use the Ad blocking management page to manually update these lists. Alternatively, this user-contributed script will automatically fetch the latest blocklists on the schedule of your choosing (for example, daily, weekly, etc.) and reload dnsmasq.

#!/bin/sh\n#\nsleep $(shuf -i 0-3600 -n1)\ncurl -L https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts > /etc/raspap/adblock/hostnames.tmp\ncurl -L https://big.oisd.nl/dnsmasq > /etc/raspap/adblock/domains.tmp\n\nmv /etc/raspap/adblock/hostnames.tmp /etc/raspap/adblock/hostnames.txt\nmv /etc/raspap/adblock/domains.tmp /etc/raspap/adblock/domains.txt\nchown root:www-data /etc/raspap/adblock/hostnames.txt\nchown root:www-data /etc/raspap/adblock/domains.txt\n\nsudo systemctl reload dnsmasq.service\n
Credit to DanielLester83.

"},{"location":"faq/#openvpn-fails-to-start-andor-i-have-no-internet","title":"OpenVPN fails to start and/or I have no internet.","text":"

RaspAP supports OpenVPN clients by uploading a valid .ovpn file to /etc/openvpn/client and, optionally, creating a login.conf file with your client auth credentials. Additionally, in line with the project's default configuration, the following iptables rules are added to forward traffic from OpenVPN's tun0 interface to your configured wireless interface (wlan0 is the default):

-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT\n-A FORWARD -i wlan0 -o tun0 -j ACCEPT\n

After starting the OpenVPN service, you may check and validate these rules like so:

$ sudo iptables -L FORWARD -v -n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n 1955 1493K ACCEPT     all  --  tun0   wlan0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED\n 1715  194K ACCEPT     all  --  wlan0  tun0    0.0.0.0/0            0.0.0.0/0\n

It is your responsibility to provide a valid .ovpn file. RaspAP does not attempt to validate the settings or RSA keys contained in this file. If OpenVPN fails to start, check for errors with sudo systemctl status openvpn-client@client and journalctl --identifier openvpn.

"},{"location":"faq/#openvpn-works-but-i-have-partial-or-no-internet-access","title":"OpenVPN works but I have partial or no internet access.","text":"

Issues like this are frequently reported. Begin by confirming the status of your connection:

$ sudo systemctl status openvpn-client@client\n\u25cf openvpn-client@client.service - OpenVPN tunnel for client\n   Loaded: loaded (/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: enabled)\n   Active: active (running) since Fri 2020-06-12 15:45:41 CDT; 1min 39s ago\n     Docs: man:openvpn(8)\n           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage\n           https://community.openvpn.net/openvpn/wiki/HOWTO\n Main PID: 2689 (openvpn)\n   Status: \"Initialization Sequence Completed\"\n    Tasks: 1 (limit: 2200)\n   Memory: 1.1M\n   CGroup: /system.slice/system-openvpn\\x2dclient.slice/openvpn-client@client.service\n           \u2514\u25002689 /usr/sbin/openvpn --suppress-timestamps --nobind --config client.conf\n
You can also use journalctl --identifier openvpn to identify any errors. If your internet access is intermittent or otherwise degraded with the openvpn-client active, the next step is to test your connection for packet loss and latency. There are many Linux tools you can use to diagnose your network. mtr is a good choice as it combines functionality of the traceroute and ping programs. Install and use it to perform your own evaluation:

sudo apt install mtr -y\nsudo mtr -rwc 50 -i 0.2 -rw duckduckgo.com\n\nStart: 2021-06-13T11:42:26+0100\nHOST: raspberrypi                                Loss%   Snt   Last   Avg  Best  Wrst StDev\n  1.|-- 192.168.1.254                              0.0%    50   26.8  27.1  26.5  31.4   0.8\n  2.|-- somerouter.net                            88.0%    50   392.0 390.4 362.1 596.7  1.2\n

The results are reported as round-trip response times in milliseconds and the percentage of packet loss. If you see loss and/or latency like the above example, report it to your VPN provider or find another one. Read this for more on interpreting mtr results.

Protip: free VPNs are frequently oversubscribed and usually not worth the trouble.

"},{"location":"faq/#openvpn-is-enabled-but-i-am-still-blocked-from-country-restricted-websites","title":"OpenVPN is enabled but I am still blocked from country restricted websites.","text":"

Remote hosts use a variety of methods to defeat VPNs, some more aggressively than others. Many VPN providers will advise you to configure custom DNS servers to mitigate DNS leaks, which you can do from RaspAP's DHCP > Advanced tab. Others have specific VPN nodes to use with popular streaming services.

Several users have reported that Firefox's DNS-over-HTTPS (DoH) has created problems with their VPN, in effect creating a DNS leak from the browser that circumvents RaspAP's DNS settings. Be sure to disable this \"feature\" when using a VPN service.

If you suspect network traffic is not being routed through tun0 (or any other interface) for some reason, you can monitor this directly from your RPi with iftop:

sudo apt install iftop\nsudo iftop -i [interface]\n
"},{"location":"faq/#uploading-my-wireguard-config-results-in-mime-type-not-allowed","title":"Uploading my WireGuard config results in \"MIME type not allowed\".","text":"

For security reasons, your OpenVPN or WireGuard .conf files must have a Linux MIME type of text/plain. Windows ignores MIME types, relying instead on extensions. To avoid errors, be sure your file has a text/plain MIME type embedded in it before uploading.

Most OpenVPN and WireGuard service providers give you the option of downloading a file formatted for Linux. Alternatively, you may convert your Windows config file for use with Linux with dos2unix or one of several online tools made for this purpose.

"},{"location":"faq/#i-think-my-traffic-isnt-being-routed-through-the-wireguard-vpn-can-i-debug-this","title":"I think my traffic isn't being routed through the WireGuard VPN. Can I debug this?","text":"

There are several things you can do to troubleshoot this. First, with the WireGuard service active, verify your public IPv4 address and check the external link, as shown below:

Next, you may check the WireGuard service status by executing sudo systemctl status wg-quick@wg0.service from the shell, like so:

$ sudo systemctl status wg-quick@wg0.service\n\u25cf wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0\n     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)\n     Active: active (exited) since Wed 2021-12-29 15:31:03 GMT; 1 day 18h ago\n       Docs: man:wg-quick(8)\n             man:wg(8)\n             https://www.wireguard.com/\n             https://www.wireguard.com/quickstart/\n             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8\n             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8\n   Main PID: 1450 (code=exited, status=0/SUCCESS)\n      Tasks: 0 (limit: 1438)\n        CPU: 0\n     CGroup: /system.slice/system-wg\\x2dquick.slice/wg-quick@wg0.service\n

You may also use RaspAP's built-in WireGuard logging facility. On the WireGuard > Logging tab, enable the \"Display WireGuard debug log\" option and choose Save settings. Check the log output in the tab and look for any errors.

Tip

The debug log facility queries the systemd journal with a one-time execution of journalctl --identifier wg-quick. If you want to update this log output, simply enable the option again. You may also execute this command directly from the shell, if you wish.

Finally, you may check and verify the WireGuard config itself, including PostUp / PostDown rules, by executing sudo cat /etc/wireguard/wg0.conf.

As a last piece of advice, be sure to test more than one client device connection with your WireGuard-enabled AP. Some users have reported traffic not routing as expected with one device, while a different device behaves normally.

Please note that RaspAP provides a front-end to the WireGuard service only. It has no way of validating your WireGuard configuration. For this reason, bug reports such as \"WireGuard not working\" won't be considered.

"},{"location":"faq/#how-can-i-clear-raspaps-wireguard-log","title":"How can I clear RaspAP's WireGuard log?","text":"

WireGuard doesn't do any logging by default. The quasi-logging done by RaspAP executes sudo journalctl --identifier wg-quick. The Linux journal is not something you usually clear by yourself, however you can use journalctl's self maintenance to retain only the past two days:

sudo journalctl --vacuum-time=2d\n

See man journalctl for more information.

"},{"location":"faq/#why-cant-i-access-wireless-mode-n-80211n","title":"Why can't I access wireless mode 'N' (802.11n)?","text":"

On the Configure hotspot > Security tab, be sure to select CCMP for the Encryption Type. Save the settings and restart the hotspot. The wireless mode should be reported on clients as 802.11b/g/n.

RaspAP:\n  PHY Mode:     802.11n\n  Channel:      1\n  Network Type:     Infrastructure\n  Security:     WPA2 Personal\n  Signal / Noise:   -49 dBm / -86 dBm\n  Transmit Rate:    73\n

If using TKIP for encryption with WPA, you will be restricted to 54 Mb/s. This is because the IEEE 802.11n draft prohibits using high throughput with WEP or TKIP ciphers.

"},{"location":"faq/#how-do-i-exclude-nat-rules-from-ip-traffic-on-localhost","title":"How do I exclude NAT rules from IP traffic on localhost?","text":"

RaspAP's Quick Installer configures network-address-translation (NAT) with iptables rules, so that the RPi can act as an internet gateway to multiple hosts on a local network with a single public IP address. This is done by rewriting the addresses of IP packets as they pass through the NAT system. Many access points, including RaspAP, use a combination of IP forwarding and masquerading to achieve this.

In some cases, NAT rules applied to localhost can interfere with other services running on an RPi. An example is the Plex Media Server, which has an API that listens on localhost. As of this writing, the Plex API has been built to not authenticate communication between service processes of the server. This can cause a failure to communicate with the Plex API or similar add-on services on your RPi.

The solution is to add a NAT rule ahead of the rule RaspAP installs to not apply NAT to connections destined to 127.0.0.0/8:

$ sudo iptables -t nat -I POSTROUTING -d 127.0.0.0/8 -j ACCEPT\n
The resulting iptables chain should look something like this:

$ sudo iptables -t nat -L -n -v\nChain PREROUTING (policy ACCEPT 31 packets, 4810 bytes)\n pkts bytes target prot opt in out source destination\n\nChain INPUT (policy ACCEPT 31 packets, 4810 bytes)\n pkts bytes target prot opt in out source destination\n\nChain OUTPUT (policy ACCEPT 23 packets, 1338 bytes)\n pkts bytes target prot opt in out source destination\n\nChain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source destination\n   17 999 ACCEPT all -- * * 0.0.0.0/0 127.0.0.0/8\n   2422 158K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0\n
Refer to this issue.

"},{"location":"faq/#why-is-the-channel-dropdown-disabled-on-the-hotspot-page","title":"Why is the channel dropdown disabled on the Hotspot page?","text":"

RaspAP is capable of detecting the frequencies (channels) supported by each of your device's wireless interfaces. If an interface is selected that is not capable of broadcasting on the 5 GHz band, the associated channels and the Save settings button are disabled. Next to the Wireless Mode selector, a tooltip will provide a brief explanation.

In this case, selecting a compatible 2.4 GHz wireless mode will populate the list of available channels for that interface. Alternatively, select another interface or connect a 5 GHz capable external wireless adapter. RaspAP will automatically detect the adapter and add it to the list of available interfaces.

"},{"location":"faq/#80211ac-is-supposed-to-operate-at-433-mbps-why-is-my-aps-throughput-so-much-less","title":"802.11ac is supposed to operate at 433 Mbps. Why is my AP's throughput so much less?","text":"

The 802.11ac wireless standard uses 433 Mbps per spatial stream in the 5GHz band. Therefore, the theoretical maximum speed for a single-stream device is 433 Mbps when using an 80 MHz wide channel. However, real-world speeds are often significantly less due to a number of factors.

In the Raspberry Pi's case, its onboard wireless chipset is connected to the primary System on a Chip (SoC) with a 4-bit SDIO link that runs at 41.7 MHz. 4 bits x 41.7 suggests about 160 Mbps should be possible with 802.11ac on this device. In practice, iPerf tests won't get close to this figure because SDIO is a simplex link (that is, half-duplex) with overhead in each of the protocol and transport layers. Given these restrictions, real-world iPerf tests in the range of 90-100 Mbps are actually quite good for this hardware.

"},{"location":"faq/#why-is-the-maximum-throughput-of-my-80211n-ap-reduced-by-half","title":"Why is the maximum throughput of my 802.11n AP reduced by half?","text":"

In order to achieve optimal throughput with 802.11n, the wireless stream must operate at a 40 MHz wide channel on the 2.4 GHz band. A 20 MHz channel will restrict you to 72 Mbps. Your hostapd.conf might have the required settings, but this is no guarantee of a 40 MHz channel.

In practice, this can be quite difficult due to interference on the 2.4 GHz band. There are many things that will cause an AP to fallback to 20 MHz. The most common reason is if an AP detects another wireless network within 40 MHz, i.e. two channels, of its own channel. For example, if an AP is set to channel 6, another network operating anywhere from channel 4 to 8 will trigger a fallback. hostapd will usually report a fallback like so:

20/40 MHz operation not permitted on channel pri=3 sec=7 based on overlapping BSSes\n

For more information on optimizing 802.11n, refer to this resource.

Generally speaking, the 5 GHz band has substantially greater capacity due to more non-overlapping radio channels and less radio interference as compared to the 2.4 GHz band.

"},{"location":"faq/#can-i-connect-the-wifi-client-to-a-wep-network","title":"Can I connect the WiFi client to a WEP network?","text":"

Wired Equivalent Privacy (WEP) has been deprecated for quite awhile but old routers still exist in the wild. Not all routers accept hex passwords, but you can try converting an ASCII password using an online tool like this one. A valid WEP key should be 5 or 13 characters or a 10- or 26-digit hexadecimal value. Be sure the hex values are unpadded and there are no trailing spaces. For example, 52617370415069734772656174 is a valid hex passphrase.

Paste your converted hex value into RaspAP's WiFi client passphrase field and try connecting.

If you're not able to connect with a hex passphrase, you can also try this alternate manual configuration method.

"},{"location":"faq/#can-i-turn-the-hotspot-onoff-over-ssh","title":"Can I turn the hotspot on/off over SSH?","text":"

Yes, RaspAP provides a front-end to several Linux systemd services, including hostapd. From the terminal, check the status of the hostapd.service like so:

$ sudo systemctl status hostapd.service \n\u25cf hostapd.service - Access point and authentication server for Wi-Fi and Ethernet\n     Loaded: loaded (/lib/systemd/system/hostapd.service; enabled; vendor preset: enabled)\n

Stop the service with sudo systemctl stop hostapd.service and start it with sudo systemctl start hostapd.service.

If you're curious about which other services and Linux tools RaspAP controls for you, take a look at raspap.sudoers.

"},{"location":"faq/#can-i-share-internet-from-a-wireless-lan-with-ethernet-clients","title":"Can I share internet from a wireless LAN with Ethernet clients?","text":"

Yes, RaspAP simplifies this with an intuitive and easy-to-use WLAN routing solution.

"},{"location":"faq/#can-raspap-automatically-connect-to-a-known-wifi-network-at-boot","title":"Can RaspAP automatically connect to a known WiFi network at boot?","text":"

When rebooting, users must manually re-establish a connection to a known WiFi network by using the WiFi client UI. This is the default behavior of wpa_supplicant. That is, on startup the wpa_supplicant service is executed by systemd (not RaspAP) and enables logging and the DBus control interface; it does not automatically connect to any known networks.

However, you can change this behavior and have wpa_supplicant establish a connection on startup by editing the root user's crontab, like so:

$ sudo crontab -e\n

Using your editor, append a line like the following:

# m h  dom mon dow   command\n@reboot /sbin/wpa_supplicant -B -Dnl80211 -c/etc/wpa_supplicant/wpa_supplicant.conf -iwlan0\n

Save the file and exit from your editor. On the next system boot, your RaspAP router will automatically connect to your preferred wireless network, if it's available.

"},{"location":"faq/#can-i-isolate-raspap-from-other-software-on-my-system","title":"Can I isolate RaspAP from other software on my system?","text":"

Yes, you have the option of installing RaspAP in an isolated and portable Docker container.

"},{"location":"faq/#how-do-i-upgrade-raspap","title":"How do I upgrade RaspAP?","text":"

Upgrading an existing install without changing your configuration is very straightforward. Several different methods are described below.

The version 3.0.2 release introduced a new feature to upgrade your RaspAP installation. To use this, simply navigate to the About page and click or tap on the Check for update button. This queries the GitHub API for the latest release version, compares it with your current install and prompts you to upgrade if a newer release is available.

No other actions are required on your behalf. Alternatively, you may also use the Quick installer to upgrade to the latest release version. This is done with the --upgrade option, as shown below:

curl -sL https://install.raspap.com | bash -s -- --upgrade\n

The installer upgrade is idempotent, meaning it can be repeated an arbitrary number of times and the result will be as if it had been done only once. If you choose this method, you're done! Confirm the upgrade by checking the release version on the About page.

If you want to install a specific version, you may do so by referencing a tag using git:

sudo git fetch -v --tags\nsudo git checkout 3.0.8\n

A tag is a pointer that isn't connected to the main development tree that git knows about. As a result, git will reply that you're in a \"detached HEAD\" state. This isn't a big deal, it just means that you have a specific version of the code that isn't connected to the git tree.

Alternatively, if you want the latest bleeding edge commits from the master branch, use the following:

sudo git checkout -b master\nsudo git pull origin master\n

If you've customized your installation by editing config.php, update the release version in this file:

sudo nano /var/www/html/includes/config.php\n
Change the value in this line to the release version, save the file and exit.

define('RASPI_VERSION', '3.0.8');\n

Whichever method you choose (about page button, installer upgrade, specific release or latest updates), your RaspAP configuration won't be changed.

"},{"location":"faq/#do-i-need-the-raspap-service-to-run-at-boot","title":"Do I need the RaspAP service to run at boot?","text":"

If you are using your RPi as a client on a WiFi network (also known as managed mode) and hosting an access point simultaneously, the raspapd.service will ensure that your hotspot is active after a reboot. It does this by detecting WiFi client AP mode, adding the uap0 interface and starting up networking services in a specific order.

If your RPi is configured with wired ethernet (eth0) or you haven't experienced problems with the AP starting on boot, you can disable the RaspAP daemon like so:

sudo systemctl disable raspapd.service\n
"},{"location":"faq/#can-the-quick-installer-accept-the-default-options-without-prompting-me","title":"Can the Quick Installer accept the default options without prompting me?","text":"

Yes, the Quick Installer has a non-interactive mode that lets you perform unattended setups. This mode assumes \"yes\" as an answer to all prompts. You can do an unattended install of RaspAP by appending the --yes command line option, like so:

curl -sL https://install.raspap.com | bash -s -- --yes\n

The options -y or --assume-yes are also accepted and have the same result.

"},{"location":"faq/#how-do-i-uninstall-raspap","title":"How do I uninstall RaspAP?","text":"

An uninstaller is provided to remove RaspAP cleanly, and also restore any backups of your configuration that were created before RaspAP was installed. Start the uninstaller with the following:

curl -sL https://install.raspap.com | bash -s -- --uninstall\n

Alternatively, you may execute the uninstaller directly from the project folder (default location is /var/www/html):

cd /var/www/html\nsource installers/uninstall.sh\n_remove_raspap\n

Whichever method you choose, the result is the same. Check your network configuration before rebooting to ensure you can still access your device.

"},{"location":"firewall/","title":"Firewall","text":""},{"location":"firewall/#overview","title":"Overview","text":"

Experimental \u00b7 Insiders only

If your device is exposed to the outside world, firewall rules can provide a layer of security against intruders to your network. A firewall also gives us granularity in terms of what is allowed to be forwarded across interfaces. Using the rule sets described below, we can effectively control which packets are allowed to be inputted to, and outputted from, the RaspAP router itself.

Insiders have access to a UI designed for this purpose.

"},{"location":"firewall/#basic-rule-set","title":"Basic rule set","text":"

As with every other aspect of RaspAP's default settings, the application iptables rules are stored in an external JSON file, so they may be modified without touching code. During the install, the file iptables_rules.json is copied from /config to /etc/raspap/networking/firewall. Thereafter, they may be administered from the UI, shown below.

By default, the firewall will only allow outgoing and already established traffic. There are no restrictions to the currently configured AP interface (wlan0 is the default). The remaining firewall rules are grouped into four distinct classes. These are described below.

"},{"location":"firewall/#pre-rules","title":"Pre-rules","text":"

These rules define pre- and post-routing network address translation (NAT) policies, allow ping requests (IPv4 and IPv6), the loopback device, NTP requests via UDP and DNS requests via TCP and UDP.

"},{"location":"firewall/#main-rules","title":"Main rules","text":"

Main rules cover many functions, including allowing unrestricted traffic over the AP interface, rules for client interfaces including the tunnel device (tun0 for OpenVPN) and WireGuard (wg0, for example). RaspAP will check for the presence of an active OpenVPN or WireGuard connection and automatically apply these rules.

"},{"location":"firewall/#exception-rules","title":"Exception rules","text":"

These types of rules include service exceptions, such as allowing ssh access on port 22 and http or https on ports 80 and 443, respectively. In addition, user-defined exception rules may be added to allow incoming or outgoing traffic from specific IP addresses or interfaces. These exception values may be entered in the UI, separated by a blank character or comma.

This rule type is required for OpenVPN via UDP and WireGuard. A list of currently active VPN server IP addresses is provided in the firewall UI.

"},{"location":"firewall/#restriction-rules","title":"Restriction rules","text":"

By contrast, restriction rules allow the user to block access from specific IP addresses.

"},{"location":"firewall/#json-rules-syntax","title":"JSON rules syntax","text":"

Most entries in iptables_rules.json are descriptive and should be straightforward. An optional entry for each set of rules called dependson allows for creation of rules that depend on device names and whether a service is active.

Each dependency refers to an entry in the firewall config file. For example, ap-device or openvpn-enabled, followed by a type definition (bool, string or list). The replace tag defines which variable in the actual iptables rule should be replaced. To illustrate this, the wireguard rule set is shown below:

\"name\": \"wireguard\",\n    \"comment\": \"Rules for wireguard device (wg)\",\n    \"ip-version\": 4,\n    \"dependson\": [\n        { \"var\": \"wireguard-enable\", \"type\": \"bool\" },\n        { \"var\": \"wireguard-serverip\", \"type\": \"string\", \"replace\": \"$IPADDRESS$\" },\n        { \"var\": \"client-device\", \"type\": \"string\", \"replace\": \"$INTERFACE$\" }\n    ],\n    \"rules\": [\n        \"-A INPUT -p udp -s $IPADDRESS$ -j ACCEPT\",\n        \"-A FORWARD -i wg+ -j ACCEPT\",\n        \"-t nat -A POSTROUTING -o $INTERFACE$ -j MASQUERADE\"\n    ]\n

In this way, interdependent firewall rules may be defined and administered by RaspAP.

"},{"location":"firewall/#discussions","title":"Discussions","text":"

Questions or comments about using RaspAP's firewall? Join the discussion here.

"},{"location":"insiders/","title":"Insiders","text":"

Development of RaspAP is made possible thanks to a sponsorware release model. This means that new features are first exclusively released to sponsors as part of Insiders. Read on to learn what sponsorships achieve, how to become a sponsor and what's in it for you!

Paying it forward

We donate a percentage of all proceeds from Insiders to the Raspberry Pi Foundation each quarter, to help inspire future generations of makers together with their educators.

"},{"location":"insiders/#what-is-insiders","title":"What is Insiders?","text":"

RaspAP Insiders is a private fork of RaspAP, hosted as a private GitHub repository. Almost all new features are developed as part of this fork, which means that they are immediately available to all eligible sponsors, as they are made collaborators of this repository.

Every feature is tied to a funding goal in monthly subscriptions. When a funding goal is hit, the features that are tied to it are merged back into the RaspAP public repo and released for general availability, making them available to all users. Bugfixes are always released in tandem.

Sponsorships start as low as $10 per month.

"},{"location":"insiders/#what-sponsorships-achieve","title":"What sponsorships achieve","text":"

Sponsorships make this project sustainable, as they buy the maintainers of this project time \u2014 a very scarce resource \u2013 which is spent on the development of new features, bug fixes, stability improvement, issue triage and community support.

If you're unsure if you should sponsor this project, check out the list of completed funding goals to learn whether you're already using features that were developed with the help of sponsorships. You're most likely using at least a handful of them, thanks to our awesome sponsors!

"},{"location":"insiders/#whats-in-it-for-me","title":"What's in it for me?","text":"

The moment you become a sponsor, you'll get immediate access to the additional features below that you can start using right away, and which are currently exclusively available to sponsors:

Network device management Firewall settings WPA3-Personal AP security 802.11w Protected Management Frames Printable Wi-Fi signs Drag & drop dashboard widgets MAC address cloning Network diagnostics WireGuard kill switch Dynamic DNS Multiple WireGuard configs Wireless LAN routing Custom user avatars WiFi repeater mode NTP Service Limited privilege user role

A tangible side benefit of sponsorship is that Insiders are able to help steer future development of RaspAP. This is done through Insiders' access to discussions, feature requests, issues and pull requests in the private GitHub repository.

Look for the list above to grow as we add more exclusive features. Be sure to visit this page from time to time to learn about what's new, or follow @RaspAP on to stay updated.

"},{"location":"insiders/#how-to-become-a-sponsor","title":"How to become a sponsor","text":"

Thanks for your interest in sponsoring! You can become a sponsor using your individual or organization's GitHub account. Just pick any tier from $10/month and complete the checkout. You will be automatically granted access to the private GitHub repository containing the Insiders edition, which has all exclusive features. In addition, you will be added as a team member with access to Insiders-only team discussions and content.

Join our awesome sponsors

Info

If you're sponsoring RaspAP through a GitHub organization, please send a short email to sponsors@raspap.com with the name of your organization and the account that should be added as a collaborator.2

You can cancel your sponsorship anytime.3

"},{"location":"insiders/#funding-targets","title":"Funding targets","text":"

Below is a list of funding targets. When a funding target is reached, the features that are tied to it are merged back into RaspAP and released to the public for general availability.

"},{"location":"insiders/#goals","title":"Goals","text":"

The following section lists all funding goals. Each goal contains a list of features prefixed with a checkmark symbol, denoting whether a feature is already available or planned, but not yet implemented. When the funding goal is hit, the features are released for general availability.

"},{"location":"insiders/#1000-2nd-insiders-edition","title":"$1,000 - 2nd Insiders Edition","text":"

Network device management Firewall settings WPA3-Personal AP security 802.11w Protected Management Frames Printable Wi-Fi signs Drag & drop dashboard widgets MAC address cloning Network diagnostics

"},{"location":"insiders/#1500-3rd-insiders-edition","title":"$1,500 - 3rd Insiders Edition","text":"

WireGuard kill switch Dynamic DNS Multiple WireGuard configs Wireless LAN routing Custom user avatars WiFi repeater mode NTP Service Limited privilege user mode

"},{"location":"insiders/#completed-goals","title":"Completed goals","text":""},{"location":"insiders/#500-1st-insiders-edition","title":"$500 - 1st Insiders Edition","text":"

Multiple OpenVPN client configs OpenVPN certificate authentication OpenVPN service logging Night mode toggle Restrict network to static clients WireGuard support Set AP transmit power

"},{"location":"insiders/#transparency","title":"Transparency","text":"

We've chosen OpenCollective as the fiscal host for our GitHub sponsors organization. This means that our budget is completely transparent \u2014 financial contributions, expenses and payouts to project team members are automatically reported. Everyone can see where money comes from and what it's spent on. This committent to full transparency was central in our decision to implement Insiders.

"},{"location":"insiders/#quarterly-giving","title":"Quarterly giving","text":"

Beginning in 2022, each quarter 15% of all proceeds from Insiders will be donated directly to the Raspberry Pi Foundation. The Raspberry Pi Foundation is a UK-based charity that works to put the power of computing and digital making into the hands of people all over the world.

The Foundation supports initiatives like Coder Dojo, Astro Pi, Coolest Projects and much more.

When you become an Insider, not only do you support development of RaspAP but you also help inspire young people by harnessing the power of computing to solve problems and express themselves creatively.

"},{"location":"insiders/#support-for-educators","title":"Support for educators","text":"

We are big believers in the role that computing and digital technologies can play in shaping a better world. Many engineers, including members of the RaspAP team, got their first introduction to computing at an early age. This can take the form of a structured curriculum in a school setting, or less-formally through clubs, competitions and partnerships with youth organizations. Equally important is university, vocational and research training in digital technologies at all levels.

To this end, we have pledged to make Insiders freely available to all educators, their students, club participants and staff.

"},{"location":"insiders/#criteria","title":"Criteria","text":"

Educators, teacher trainers, researchers and club organizers engaged in digital and computing technologies for students of all ages are eligible. The only requirement is a GitHub account and a domain email address associated with an educational institution or organization with a focus on digital learning. Send a mail to sponsors@raspap.com with your GitHub account details and we'll get you started with Insiders.

"},{"location":"insiders/#frequently-asked-questions","title":"Frequently asked questions","text":""},{"location":"insiders/#repository-access","title":"Repository access","text":"

When you become a sponsor, GitHub will send you an invitation to the private Insiders repo. You must accept this invite before performing an upgrade or new install, as described below. Until you accept this invitation, running the Quick installer with the --insiders switch will result in the following:

RaspAP Install: Cloning latest files from GitHub\nCloning into '/tmp/raspap-webgui'...\nremote: Repository not found.\nfatal: repository 'https://github.com/RaspAP/raspap-insiders' not found\n

In this event, check your mail folders for an invitation from GitHub and accept it. You may also verify access to the Insiders repo with your token beforehand.

"},{"location":"insiders/#installing","title":"Installing","text":"

How do I install Insiders?

Invoke the Quick Installer with the --insiders switch, like so:

curl -sL https://install.raspap.com | bash -s -- --insiders\n

Tip

During the Insiders install, GitHub will ask you for your username and password in order to clone the private repository. You must enter a GitHub Personal Access Token at the password prompt. This is explained in the Authentication section below.

Alternatively, you may skip the GitHub authentication step by specifying your GitHub credentials with the --name and --token parameters:

curl -sL https://install.raspap.com | bash -s -- --insiders --name [username] --token [my-token]\n
"},{"location":"insiders/#upgrading","title":"Upgrading","text":"

I have an existing RaspAP installation. How do I upgrade to Insiders?

Upgrading is easy. Simply invoke the Quick Installer with the --upgrade switch, specifying the private Insiders option, like so:

curl -sL https://install.raspap.com | bash -s -- --upgrade --insiders\n

Tip

When upgrading to Insiders, GitHub will ask you for your username and password in order to clone the private repository. You must enter a GitHub Personal Access Token at the password prompt. This is explained in the Authentication section below.

As with a fresh Insiders install, you may also skip the GitHub authentication step by specifying your GitHub credentials with the --name and --token parameters:

curl -sL https://install.raspap.com | bash -s -- --upgrade --insiders --name [username] --token [my-token]\n
"},{"location":"insiders/#authentication","title":"Authentication","text":"

As of August 2021 GitHub removed support for password authentication, so you will need to generate a Personal Access Token and use this in place of your password. The process of creating a token is straightforward and described here.

Tip

Be sure to create a \"classic\" personal access token, rather than a fine-grained one. The latter has resulted in errors when cloning the private GitHub repository. Before invoking the Quick installer to perform an upgrade or new Insiders install, it's recommended to verify your token using the method described below.

If this is your first time using a GitHub personal access token, you can verify it by using curl and the GitHub API. Substitute your token value for MY_TOKEN below:

curl -sS -f -I -H \"Authorization: token MY_TOKEN\" https://api.github.com\n

If successful, GitHub should reply with HTTP/2 200 and a x-oauth-scopes: repo value in the response. If you receive a HTTP 401 or other error from curl, check your token and try again.

You will be asked to authenticate with GitHub when the installer clones the private Insiders repo. In this case, simply enter your GitHub username and token when prompted.

Note

Your token is sent securely via SSH to GitHub. The installer does not have access to or store your token.

If you're using GitHub with 2FA enabled the same process above applies.

"},{"location":"insiders/#scope-of-support","title":"Scope of support","text":"

Individual sponsors may use the main RaspAP repository for non-bug related discussions, including troubleshooting. If you've found a bug with an Insiders feature, please review our issue policy and create a report in the Insiders repository.

The RaspAP team will prioritize issues and feature requests for sponsors at the Business tier. Please create a report in the Insiders repository or contact us via email to discuss your requirements.

"},{"location":"insiders/#terms","title":"Terms","text":"

We're using RaspAP for a commercial project. Can we use Insiders under the same terms and conditions?

Yes. Whether you're an individual or a company, you may use RaspAP Insiders precisely under the same terms as RaspAP, which are defined by the GNU GPL 3.0 license. However, we kindly ask you to respect the following guidelines:

"},{"location":"insiders/#discussions","title":"Discussions","text":"

Questions or comments about Insiders? Join the discussion here.

  1. You may be wondering if the sponsorware model contradicts the ethos of Open Source software. It's true that some features are locked behind a payment, which means they are only accessible after pledging a small amount of money. However, these features are only exclusive until specific funding targets are reached. Making an Open Source project sustainable is exceptionally difficult. Maintainers invest significant time and energy developing software, testing, responding to issues, writing documentation and so on. Too often, this leads to burnout and abandoned projects. The sponsorware model ensures that if you decide to use RaspAP, you can be sure that the project remains healthy, bugs are fixed quickly and new features are added regularly.\u00a0\u21a9

  2. It's currently not possible to grant access to each member of an organization, as GitHub only allows for adding users. Thus, after sponsoring, please send an email to sponsors@raspap.com, stating which account should become a collaborator of the Insiders repository. We're working on a solution which will make access to organizations much simpler.\u00a0\u21a9

  3. If you cancel your sponsorship, GitHub schedules a cancellation request which will become effective at the end of the billing cycle, which ends at the 22nd of the month for monthly sponsorships. This means that even though you cancel your sponsorship, you will keep your access to Insiders as long as your cancellation isn't effective. All charges are processed by GitHub through Stripe. As we don't receive any information regarding your payment, and GitHub doesn't offer refunds, sponsorships are non-refundable.\u00a0\u21a9

"},{"location":"issues/","title":"Reporting issues","text":""},{"location":"issues/#overview","title":"Overview","text":"

RaspAP is free software. It is delivered to you, at no cost, and with no warranty of any kind. The community of developers who contribute to this project make every effort to deliver defect-free code. That said, no software is perfect. You can help us improve this project by accurately describing your issue.

"},{"location":"issues/#issue-policy","title":"Issue policy","text":"

This project is currently led by one developer (@billz) in his very limited spare time. Please respect our developers' time by using issues for reporting bugs only. RaspAP is not a boxed product with a free troubleshooting hotline. If your issue is of a general nature and not directly related to a defect with this project, try searching the official Raspberry Pi forums, RaspAP's GitHub discussions, or Raspberry Pi on Stack Exchange. Chances are your question has been discussed and answered before.

Issues are only valid for clean installs of this project's compatible operating systems. If you observe RaspAP behaving strangely and you did not begin with a clean install, be sure to test it on a fresh SD card before reporting an issue.

The project FAQ is continuously updated with answers to many common questions. Refer to this first before creating a new issue.

"},{"location":"issues/#guidelines","title":"Guidelines","text":"

You can help us improve this project by accurately describing defects. To that end, these guidelines have been established to streamline the reporting process:

  1. Please read and follow the Code of Conduct.
  2. Provide useful detail to reproduce your issue. \"Doesn't work\" or \"not working\" is not a valid report. Here's an example model issue.
  3. Generate a debug log and upload the contents to Pastebin.
  4. If an issue is unclear or needs further information, it will be labeled with question and awaiting-user.
  5. Issues that becomes stale due to inactivity are automatically managed by stale-bot.
"},{"location":"issues/#supported-devices","title":"Supported devices","text":"

RaspAP functions very well \"out of the box\" on fresh installs of the latest RPi OS Lite 64- or 32-bit distribution with recent hardware like the RPi 4, 3B+ and Zero 2 W. The version 2.3.1 release extends beta support to additional Debian-based distros, including Armbian and Ubuntu Server. Please note that \"supported\" is not a guarantee.

If you have installed other software packages on top of RaspAP, particularly those related to networking such as Pi-hole, please test RaspAP first on a clean install before reporting an issue. You may also use RaspAP's Docker container to mitigate conflicts with other software packages.

"},{"location":"issues/#external-hardware","title":"External hardware","text":"

RaspAP has been rigorously tested on the above supported distros and devices using the onboard wireless chipsets. While many good external wireless USB adapters, or \"dongles\", are available, a substantial number lack in-kernel driver support or are otherwise unsuitable for this project. It is not practical, or even possible, to individually test every dongle on the market with this project. For this reason, issues that concern external wireless adapters, or request troubleshooting of these devices, will not be considered.

If you suspect a driver problem with your USB adapter, RaspAP tools can assist you with installing missing WLAN driver modules. Beyond this, your best avenue for troubleshooting are the public forums mentioned above.

"},{"location":"issues/#default-settings","title":"Default settings","text":"

One of RaspAP's most popular features is the Quick Installer, which gets an AP up and running quickly and with a minimum of hassle. This works by applying a known-good default configuration that has been validated in testing with the project's supported devices. When the project prerequisites are followed, an AP with wired ethernet (eth0) or managed mode (wlan0) Wifi client AP will be functional with the default settings.

Important

RaspAP gives you control over many of the settings for hostapd, dhcpcd and dnsmasq. Once these default settings are changed, it's possible that one or all of the above services will enter a failed state.

"},{"location":"issues/#will-raspap-let-me-create-a-configuration-that-breaks-my-hotspot","title":"Will RaspAP let me create a configuration that \"breaks\" my hotspot?","text":"

In a word, yes. While the Quick Installer automates most of the work of creating an AP, RaspAP does not automagically validate your custom configurations. As a result, you may observe anomalous behavior when restarting these services and/or rebooting your device.

When in doubt, you may perform a system reset to restore the default settings.

Because of this, issues such as \"hotspot isn't working\" or \"gui doesn't work\" won't be considered. No hard feelings.

"},{"location":"issues/#submitting-an-issue","title":"Submitting an issue","text":"

If, after searching these community forums, consulting the FAQ and understanding the default settings, your issue still persists, please provide as much detailed information as possible. Use the provided issue template. Incomplete issue reports will not be considered. Thanks.

"},{"location":"manual/","title":"Manual installation","text":""},{"location":"manual/#overview","title":"Overview","text":"

These steps apply to the latest release of RaspAP, Raspberry Pi OS Lite, Debian and Armbian. Notes for previous versions, Ubuntu Server 18.04 TLS and 19.10 are provided, where applicable. Please refer to this regarding operating systems support.

"},{"location":"manual/#alternatives","title":"Alternatives","text":"

If your goal is to use RaspAP as a component of a larger project, or wish to isolate its dependencies from existing software on your system, consider deploying RaspAP in a Docker container instead.

"},{"location":"manual/#prerequisites","title":"Prerequisites","text":"

Start off by updating your system's package list, then upgrade the kernel, firmware and installed packages to their latest versions:

sudo apt-get update\nsudo apt-get full-upgrade\n

Note that full-upgrade is used rather than a simple upgrade, as this also picks up any dependency changes that may have been made. The kernel and firmware are installed as a Debian package, and so will also get updates when using the procedure above. These packages are updated infrequently and after extensive testing.

"},{"location":"manual/#enable-wireless-operation","title":"Enable wireless operation","text":"

Telecommunications radio bands are subject to regulatory restrictions to ensure interference-free operation. The Linux OS complies with these rules by requiring users to configure a two-letter \"WiFi country code\". In RPi OS, 5 GHz wireless networking is disabled until this country code has been set, usually as part of the initial installation process. If you have not set your country code or are unsure, check the \"WLAN Country\" setting in raspi-config's Localisation Options:

sudo raspi-config\n

To ensure the WiFi radio is not blocked on the Raspberry Pi, execute the following command:

sudo rfkill unblock wlan\n
"},{"location":"manual/#non-rpi-os-dependencies","title":"Non-RPi OS dependencies","text":"

Operating systems other than RPi OS have some additional dependencies. If you are using RPi OS Lite, skip this section. On Ubuntu Server, add a dependency and the ppa:ondrej/php apt package:

sudo apt-get install software-properties-common \nsudo add-apt-repository ppa:ondrej/php\n

On Debian, Armbian and Ubuntu, install dhcpcd5 with the following:

sudo apt-get install dhcpcd5\n

On Raspberry Pi OS Lite 32-bit (bookworm), install dhcpcd5 with a dependency:

sudo apt-get install dhcpcd dhcpcd-base\n
"},{"location":"manual/#ubuntu-specific-steps","title":"Ubuntu-specific steps","text":"

Note

This section concerns manual pre- and post-install steps required for the latest Ubuntu 23.04 (Lunar Lobster) and Armbian 23.11 (Jammy) releases. They are not necessary with other distributions.

RaspAP's installer will prompt you to stop and disable the systemd-resolved service listening on port 53 before installing dnsmasq. On Ubuntu 23.04 and Armbian 23.11 this results in a name resolution failure and the installation cannot continue. To resolve this, perform the following pre-install steps:

  1. Stop systemd-resolved with sudo systemctl stop systemd-resolved.service.
  2. Edit the systemd-resolved config file: sudo nano /etc/systemd/resolved.conf, un-hash and specify DNS=9.9.9.9 (for example) and set DNSStubListener=no. Save and exit the file.
  3. Symlink /etc/resolv.conf with sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf.
  4. Proceed with RaspAP install as normal. Disable systemd services when prompted by the installer.

Post-install: The dnsmasq service will report errors such as \"config error is REFUSED (EDE: not ready)\". DNS 'A' record queries will fail and the AP will not be usable for clients. This is easily resolved with the following steps:

  1. Edit the dnsmasq configuration with sudo nano /etc/default/dnsmasq and un-hash IGNORE_RESOLVCONF=yes. Save and exit the file.
  2. Restart the dnsmasq service with sudo systemctl restart dnsmasq.service.

Your RaspAP install on Ubuntu should now function as expected.

"},{"location":"manual/#install-packages","title":"Install packages","text":"

Install git, lighttpd, php8, hostapd, dnsmasq and some extra packages with the following:

sudo apt-get install lighttpd git hostapd dnsmasq iptables-persistent vnstat qrencode php8.2-cgi jq isoquery\n

Note

For Raspberry Pi OS Lite (bullseye), Debian 11 and Ubuntu Server 22.04, replace php8.2-cgi with php7.4-cgi. For Ubuntu Server 23.04, you may use php8.1-cgi.

"},{"location":"manual/#enable-php","title":"Enable PHP","text":"

Next, enable PHP for lighttpd and restart the service for the settings to take effect:

sudo lighttpd-enable-mod fastcgi-php    \nsudo service lighttpd force-reload\nsudo systemctl restart lighttpd.service\n

"},{"location":"manual/#create-the-web-application","title":"Create the web application","text":"

In these steps we will prepare the web destination and git clone the files to /var/www/html.

Caution

If this is not a clean installation, be sure you do not have existing files or directories in the web root before executing the rm -rf command.

sudo rm -rf /var/www/html\nsudo git clone https://github.com/RaspAP/raspap-webgui /var/www/html\n

Copy an extra lighttpd config file to support application routing. This step requires some text substitutions to support user changes to lighttpd's server.document-root setting:

WEBROOT=\"/var/www/html\"\nCONFSRC=\"$WEBROOT/config/50-raspap-router.conf\"\nLTROOT=$(grep \"server.document-root\" /etc/lighttpd/lighttpd.conf | awk -F '=' '{print $2}' | tr -d \" \\\"\")\n\nHTROOT=${WEBROOT/$LTROOT}\nHTROOT=$(echo \"$HTROOT\" | sed -e 's/\\/$//')\nawk \"{gsub(\\\"/REPLACE_ME\\\",\\\"$HTROOT\\\")}1\" $CONFSRC > /tmp/50-raspap-router.conf\nsudo cp /tmp/50-raspap-router.conf /etc/lighttpd/conf-available/\n

Link it into conf-enabled and restart the web service:

sudo ln -s /etc/lighttpd/conf-available/50-raspap-router.conf /etc/lighttpd/conf-enabled/50-raspap-router.conf\nsudo systemctl restart lighttpd.service\n

Now comes the fun part. For security reasons, the www-data user which lighttpd runs under is not allowed to start or stop daemons, or run commands like ip link, all of which we want our app to do. So we will add the www-data user to sudoers, but with restrictions on what commands the user can run. Copy the sudoers rules to their destination:

cd /var/www/html\nsudo cp installers/raspap.sudoers /etc/sudoers.d/090_raspap\n
"},{"location":"manual/#configuration-directories","title":"Configuration directories","text":"

RaspAP uses several directories to manage its own configuration. Create these with the following commands:

sudo mkdir /etc/raspap/\nsudo mkdir /etc/raspap/backups\nsudo mkdir /etc/raspap/networking\nsudo mkdir /etc/raspap/hostapd\nsudo mkdir /etc/raspap/lighttpd\nsudo mkdir /etc/raspap/system\n
"},{"location":"manual/#set-permissions","title":"Set permissions","text":"

Next, set the files ownership to the www-data user for the web files and RaspAP config:

sudo chown -R www-data:www-data /var/www/html\nsudo chown -R www-data:www-data /etc/raspap\n
"},{"location":"manual/#control-scripts","title":"Control scripts","text":"

RaspAP uses several shell scripts to manage various aspects of the application, including hostapd logging and raspapd, the RaspAP control service. Move these scripts to their destinations with the following:

sudo mv installers/enablelog.sh /etc/raspap/hostapd\nsudo mv installers/disablelog.sh /etc/raspap/hostapd\nsudo mv installers/servicestart.sh /etc/raspap/hostapd\nsudo mv installers/debuglog.sh /etc/raspap/system\n

Set ownership and permissions for the logging and service control scripts:

sudo chown -c root:root /etc/raspap/hostapd/*.sh\nsudo chmod 750 /etc/raspap/hostapd/*.sh\n\nsudo chown -c root:root /etc/raspap/system/*.sh\nsudo chmod 750 /etc/raspap/system/*.sh\n

Copy and set ownership of the lighttpd control scripts:

sudo cp installers/configport.sh /etc/raspap/lighttpd\nsudo chown -c root:root /etc/raspap/lighttpd/*.sh\n

Next, move the raspapd service file to the correct location and enable it:

sudo mv installers/raspapd.service /lib/systemd/system\nsudo systemctl daemon-reload\nsudo systemctl enable raspapd.service\n
"},{"location":"manual/#default-configuration","title":"Default configuration","text":"

To facilitate a faster setup, RaspAP uses a \"known-good\" default configuration as a starting point. Copy the configuration files for dhcpcd, dnsmasq, hostapd and defaults.json. Optionally, backup your existing hostapd.conf:

sudo mv /etc/default/hostapd ~/default_hostapd.old\nsudo cp /etc/hostapd/hostapd.conf ~/hostapd.conf.old\nsudo cp config/hostapd.conf /etc/hostapd/hostapd.conf\nsudo cp config/090_raspap.conf /etc/dnsmasq.d/090_raspap.conf\nsudo cp config/090_wlan0.conf /etc/dnsmasq.d/090_wlan0.conf\nsudo cp config/dhcpcd.conf /etc/dhcpcd.conf\nsudo cp config/config.php /var/www/html/includes/\nsudo cp config/defaults.json /etc/raspap/networking/\n

Tip

If you wish to modify RaspAP's default configuration for dnsmasq and dhcp, you may do so by changing these files and editing config/defaults.json.

Next, disable systemd-networkd and copy the bridge configuration with the following:

sudo systemctl stop systemd-networkd\nsudo systemctl disable systemd-networkd\nsudo cp config/raspap-bridge-br0.netdev /etc/systemd/network/raspap-bridge-br0.netdev\nsudo cp config/raspap-br0-member-eth0.network /etc/systemd/network/raspap-br0-member-eth0.network \n
"},{"location":"manual/#optimize-php","title":"Optimize PHP","text":"

Optionally, you may optimize PHP with the following, replacing php8.2-cgi with your installed version:

sudo sed -i -E 's/^session\\.cookie_httponly\\s*=\\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\\s*$/session.cookie_httponly = 1/' /etc/php/8.2/cgi/php.ini\nsudo sed -i -E 's/^;?opcache\\.enable\\s*=\\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\\s*$/opcache.enable = 1/' /etc/php/8.2/cgi/php.ini\nsudo phpenmod opcache\n
"},{"location":"manual/#routing-and-ip-masquerading","title":"Routing and IP masquerading","text":"

These steps allow WLAN clients to access computers on the main wired eth0 network, and from there the internet. Begin by enabling IP forwarding with the following commands:

echo \"net.ipv4.ip_forward=1\" | sudo tee /etc/sysctl.d/90_raspap.conf > /dev/null\nsudo sysctl -p /etc/sysctl.d/90_raspap.conf\nsudo /etc/init.d/procps restart\n

To enable traffic between clients on the WLAN and the internet, we add two iptables network address translation (NAT) \"masquerade\" firewall rules. Create these rules and persist them with the following:

sudo iptables -t nat -A POSTROUTING -j MASQUERADE\nsudo iptables -t nat -A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE\nsudo iptables-save | sudo tee /etc/iptables/rules.v4\n
"},{"location":"manual/#enable-hostapd","title":"Enable hostapd","text":"

The hostapd service is disabled by default, as there is no configuration for it after its initial installation. Unmask and enable it with the following:

sudo systemctl unmask hostapd.service\nsudo systemctl enable hostapd.service\n
"},{"location":"manual/#optional-components","title":"Optional components","text":"

The following components are not required to operate RaspAP, but extend its usefulness in several ways. Each is independent of the others, so you may choose to add whichever one you need.

"},{"location":"manual/#openvpn","title":"OpenVPN","text":"

Install OpenVPN, enabling the option in RaspAP's config and the openvpn-client service, like so:

sudo apt-get install openvpn\nsudo sed -i \"s/\\('RASPI_OPENVPN_ENABLED', \\)false/\\1true/g\" /var/www/html/includes/config.php\nsudo systemctl enable openvpn-client@client\n

Copy the OpenVPN auth control script to its destination, setting ownership and permissions with the following:

sudo mkdir /etc/raspap/openvpn/\nsudo cp installers/configauth.sh /etc/raspap/openvpn/\nsudo chown -c root:root /etc/raspap/openvpn/*.sh\nsudo chmod 750 /etc/raspap/openvpn/*.sh\n
"},{"location":"manual/#wireguard","title":"WireGuard","text":"

Adding support for WireGuard is straightforward. The application files are already present in RaspAP, so you may simply install and enable the service, then activate the management option:

sudo apt-get install wireguard\nsudo sed -i \"s/\\('RASPI_WIREGUARD_ENABLED', \\)false/\\1true/g\" /var/www/html/includes/config.php\nsudo systemctl enable wg-quick@wg\n
"},{"location":"manual/#ad-blocking","title":"Ad blocking","text":"

There are several steps to enable Ad blocking, including downloading the blocklists, setting permissions and adding a dnsmasq configuration:

sudo mkdir /etc/raspap/adblock\nwget https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts -O /tmp/hostnames.txt\nwget https://big.oisd.nl/dnsmasq -O /tmp/domains.txt\nsudo cp /tmp/hostnames.txt /etc/raspap/adblock\nsudo cp /tmp/domains.txt /etc/raspap/adblock \nsudo cp installers/update_blocklist.sh /etc/raspap/adblock/\nsudo chown -c root:www-data /etc/raspap/adblock/*.*\nsudo chmod 750 /etc/raspap/adblock/*.sh\nsudo touch /etc/dnsmasq.d/090_adblock.conf\necho \"conf-file=/etc/raspap/adblock/domains.txt\" | sudo tee -a /etc/dnsmasq.d/090_adblock.conf > /dev/null \necho \"addn-hosts=/etc/raspap/adblock/hostnames.txt\" | sudo tee -a /etc/dnsmasq.d/090_adblock.conf > /dev/null\nsudo sed -i '/dhcp-option=6/d' /etc/dnsmasq.d/090_raspap.conf\nsudo sed -i \"s/\\('RASPI_ADBLOCK_ENABLED', \\)false/\\1true/g\" includes/config.php\n
"},{"location":"manual/#restart","title":"Restart","text":"

Finally, restart your device and verify that the wireless access point is available:

sudo systemctl reboot\n

After your device has restarted, search for wireless networks with your wireless client. The default SSID is raspi-webgui. The default username is \"admin\" and the default password is \"secret\".

Important

It is strongly recommended that you change these default login credentials in RaspAP's Authentication panel. APs managed by RaspAP in the wild have been administered by third parties with the default login.

"},{"location":"manual/#discussions","title":"Discussions","text":"

Questions or comments about RaspAP's manual install? Join the discussions here.

"},{"location":"minwrite/","title":"Minimal SD card write","text":""},{"location":"minwrite/#overview","title":"Overview","text":"

Linux, and indeed most substantial operating systems, is frequently writing logs files, cache files and temporary data to disk (or the microSD card with the Raspberry Pi). Performing a shutdown puts these files away into a known valid state. If power is unexpectedly cut to a Raspberry Pi, these unwritten system files can become corrupted and render a card unbootable.

What is more, most microSD cards were not designed with 24/7 operation in mind. Continuous writing to the card's flash memory shortens its lifespan. They often accumulate bad sectors rather quickly after a period of extended use. This is particularly true of so-called \"budget\" microSD cards.

Using a Raspberry Pi as wireless router requires reliable operation over a long period of time. While read-only mode operation for the SD card is one approach to prolong its use, this prevents user settings from being persisted to storage \u2014 meaning that any changes will be lost if the device is disconnected from power. This makes it less than ideal for RaspAP, or indeed any application that depends on persistent storage.

"},{"location":"minwrite/#solution","title":"Solution","text":"

Rather than force the system into a read-only mode, RaspAP has an alternative minimal write mode that substantially reduces the risk of SD card corruption and also helps to extend the card's lifespan.

This solution involves moving logging, cache and temporary data to a RAM-based file system. The default system log processor rsyslog is replaced with an in-memory logger and several log-related services are disabled. The tmpfs filesystem is used for most processes that require write access, such as sessions used by php-cgi, as well as paths for transient and cache data including /var/cache and /var/tmp.

In addition, the system's boot options are modified to disable swap and file system checks. A tangible side benefit of retaining a read/write boot partition is that your system will behave otherwise normally \u2014 you may install packages, add services and perform most operations as before.

"},{"location":"minwrite/#enabling-minimal-write","title":"Enabling minimal write","text":"

The minimal microSD card write utility, minwrite, may be invoked by using RaspAP's Quick installer. This does not (re)install RaspAP \u2014 only the minwrite shell script is loaded and executed. Users of this method are informed of which operations are performed at each step. Alternatively, manual configuration steps are also provided. Notes specific to Armbian are given where applicable.

Warning

These methods have been used successfully with many Debian-based systems. However, you still use this at your own risk. Best advice is to either create a backup image of your SD card before proceeding, or begin with a baseline setup that you can easily recreate if needed.

Both methods are reasonably straightforward. Bear in mind that RAM usage on your device will necessarily increase, since you'll be migrating the disk I/O activity of several system processes to the tmpfs ramdisk. For this reason, it's recommended to review the memory considerations before proceeding.

After you've enabled minwrite we'll look at a technique to evaluate its effectiveness.

"},{"location":"minwrite/#quick-install","title":"Quick install","text":"

The minwrite utility may be invoked remotely from the Quick installer like so:

curl -sL https://install.raspap.com | bash -s -- --minwrite\n

Alternatively, if you have a local install of RaspAP you may execute it from the /installers directory like so:

./raspbian.sh --minwrite.sh\n

You will be prompted at each step during the minwrite script's execution. As a final step, be sure to reboot your system.

$ curl -sL https://install.raspap.com | bash -s -- --minwrite\n\n\n 888888ba                              .d888888   888888ba\n 88     8b                            d8     88   88     8b\na88aaaa8P' .d8888b. .d8888b. 88d888b. 88aaaaa88a a88aaaa8P\n 88    8b. 88    88 Y8ooooo. 88    88 88     88   88\n 88     88 88.  .88       88 88.  .88 88     88   88\n dP     dP  88888P8  88888P  88Y888P  88     88   dP\n                             88\n                             dP      version 3.2.1\n\nThe Quick Installer will guide you through a few easy steps\n\n\nRaspAP Minwrite: Modify the OS to minimize microSD card write operation\nDetected OS: Debian GNU/Linux 11 (bullseye)\nRaspAP Minwrite: Removing packages\nThe following packages will be removed: dphys-swapfile logrotate\nProceed? [Y/n]:\nThe following packages will be REMOVED:\n  dphys-swapfile* logrotate*\n0 upgraded, 0 newly installed, 3 to remove and 65 not upgraded.\nAfter this operation, 351 kB disk space will be freed.\n(Reading database ... 65355 files and directories currently installed.)\nRemoving dphys-swapfile (20100506-7+rpt1) ...\nRemoving logrotate (3.18.0-2+deb11u1) ...\nProcessing triggers for man-db (2.9.4-2) ...\n(Reading database ... 65313 files and directories currently installed.)\nPurging configuration files for logrotate (3.18.0-2+deb11u1) ...\nPurging configuration files for dphys-swapfile (20100506-7+rpt1) ...\n[ \u2713 ok ]\nRaspAP Minwrite: Disabling services\nThe following services will be disabled: bootlogd.service bootlogs console-setup apt-daily\nProceed? [Y/n]:\n
"},{"location":"minwrite/#manual-steps","title":"Manual steps","text":"

These steps perform the same actions as the Quick install method. Details are provided so that you may choose to customize or skip some steps, if desired.

"},{"location":"minwrite/#remove-packages","title":"Remove packages","text":"

The goal here is to only remove packages that actively write to the filesystem, and that will be replaced or disabled entirely. In a subsequent step, logrotate will be replaced with busybox-syslogd. Additionally, dphys-swapfile, which manages a swapfile in the root filesystem on the SD card, is removed as it won\u2019t be able to work.

Remove these packages with the following:

sudo apt-get remove --purge dphys-swapfile logrotate\nsudo apt-get autoremove --purge\n
"},{"location":"minwrite/#disable-services","title":"Disable services","text":"

Linux is able to update packages autonomously without an external command. This task is scheduled by the apt-daily.service, which triggers the system to start apt tasks and scan installed packages for available updates. If updates are found, the apt-daily-upgrade.service downloads and installs them without user intervention. While useful for keeping your system updated, these are intensive processes in terms of disk I/O that may be safely disabled and handled manually.

Disable the bootlogd.service, apt-daily and related services like so:

sudo systemctl unmask bootlogd.service\nsudo systemctl disable bootlogs\nsudo systemctl disable apt-daily.service apt-daily.timer apt-daily-upgrade.timer apt-daily-upgrade.service\n

Note

By disabling these services, you will need to manually check for package updates periodically with sudo apt-get update && sudo apt-get upgrade.

"},{"location":"minwrite/#replace-logger","title":"Replace logger","text":"

In this step you'll replace the default system logger rsyslog with an in-memory logger, busybox-syslogd. BusyBox combines tiny versions of many common Linux utilities into a single small executable. It provides a fairly complete POSIX environment for any small or embedded system, including a minimal write Raspberry Pi.

Install it like so and remove rsyslog:

sudo apt-get install busybox-syslogd\nsudo dpkg --purge rsyslog\n

Be aware that because busybox-syslogd writes system logs to RAM, these logs will be lost if your device is disconnected from power.

"},{"location":"minwrite/#disable-swap","title":"Disable swap","text":"

Next you'll modify system boot options to disable swap and filesystem checks, as these are both intensive disk I/O processes. Edit this file with sudo nano /boot/cmdline.txt and append the following to the end:

fsck.mode=skip noswap\n

The resulting file will look something like this (copied from a Pi 3 Model B+):

console=serial0,115200 console=tty1 root=PARTUUID=bddffae9-02 rootfstype=ext4 fsck.repair=yes rootwait fsck.mode=skip noswap\n

Save your changes and quit out of the editor with Ctrl+X followed by Y and finally Enter.

Note

By default Armbian does not use any SD card-based swap, so unless you\u2019ve customized your installation there\u2019s nothing to disable.

"},{"location":"minwrite/#move-directories-to-ram","title":"Move directories to RAM","text":"

As a final step, several directories will be moved to the tmpfs filesystem. Storing these directories on a ramdisk instead of the SD card will substantially reduce the volume of I/O operations on the card's flash memory. Writing to tmpfs also provides fast sequential read/write speeds. The tradeoff is that tmpfs is volatile storage \u2014 meaning that you will lose all data stored on the filesystem if your device loses power.

Paths are selected here to migrate to tmpfs for transient and cache data, as well as those required for RaspAP's operation that are associated with disk I/O activity. Moving these directories to tmpfs is done by editing fstab with sudo nano /etc/fstab. Append the following lines to the end:

tmpfs /tmp tmpfs  nosuid,nodev 0 0\ntmpfs /var/log tmpfs  nosuid,nodev 0 0\ntmpfs /var/tmp tmpfs  nosuid,nodev 0 0\ntmpfs /var/lib/misc tmpfs  nosuid,nodev 0 0\ntmpfs /var/cache tmpfs  nosuid,nodev 0 0\ntmpfs /var/lib/vnstat tmpfs  nosuid,nodev 0 0\ntmpfs /var/php/sessions tmpfs  nosuid,nodev 0 0\n

Save your changes and quit out of the editor with Ctrl+X followed by Y and finally Enter.

Note

Armbian puts /tmp in RAM by default, while Raspberry Pi OS does not. On both Armbian and Raspberry Pi OS, /run is stored in RAM already and /var/run symlinks to it.

The /var/tmp directory is made available for programs that require temporary files or directories that are preserved between system reboots. Therefore, data stored in /var/tmp is more persistent than data in /tmp. In practice, however, few programs in common use with Raspberry Pi OS write to this directory so we can safely move it to RAM.

"},{"location":"minwrite/#reboot","title":"Reboot","text":"

A reboot is required for the above steps to take effect: sudo reboot.

"},{"location":"minwrite/#memory-considerations","title":"Memory considerations","text":"

The minwrite configuration migrates as much as possible from SD card storage to the tmpfs ramdisk. As a result, a concomitant increase in memory utilization is expected. To benchmark this, the change in memory usage on a Pi 3 Model B+ with 1GB of RAM and a typical RaspAP installation will be compared.

Execute the following to return the amount of free system memory expressed as a percentage of the total available:

free -m | awk '/Mem:/ { total=$2 ; used=$3 } END { print used/total*100}'\n
Pre-minwrite Post-minwrite 11.88% 29.70%

While this is a noticable increase in RAM usage, it's still well within the margin for reliable operation of the OS. If you have a higher rate of RAM utilization on your device, or have limited available system memory to begin with, bear this in mind before proceeding.

Note

Recall that with swap disabled, if the system runs out of physical memory (RAM) there is no partition available for the kernel to allocate virtual memory in its place. This will cause the kernel to throw an out of memory (OOM) error. Normally this causes the kernel to panic and stop functioning.

"},{"location":"minwrite/#file-system-metrics","title":"File system metrics","text":"

A minwrite configuration may be futher evaluated by using iotop, a utility that watches I/O usage information output by the Linux kernel. Install the package like so:

sudo apt-get install iotop -y\n

Execute it with the following switches to monitor accumulated activity of processes doing actual I/O:

sudo iotop -aoP\n

After a period of time, you will see disk I/O activity reported for a number of processes. Returning to the example Pi 3 Model B+ test bench, the before and after results may be compared:

Pre-minwrite I/O

Total DISK READ:         0.00 B/s | Total DISK WRITE:       191.31 B/s\nCurrent DISK READ:       0.00 B/s | Current DISK WRITE:      22.52 K/s\n    PID  PRIO  USER     DISK READ  DISK WRITE  SWAPIN     IO>    COMMAND\n     95 ?sys root          0.00 B    860.00 K                 [jbd2/mmcblk0p2-]\n    145 ?sys root          0.00 B      3.03 M                 systemd-journald\n    412 ?sys root          0.00 B    112.00 K                 rsyslogd -n -iNONE\n    529 ?sys vnstat        0.00 B    264.00 K                 vnstatd -n\n   1080 ?sys www-data    800.00 K     48.00 K                 lighttpd -D -f /etc/lighttpd/lighttpd.conf\n   1186 ?sys www-data      2.25 M      0.00 B                 php-cgi\n   1187 ?sys www-data      4.00 K      0.00 B                 php-cgi\n   1188 ?sys www-data     52.00 K      0.00 B                 php-cgi\n   4752 ?sys root          0.00 B      4.00 K                 dhcpcd -w -q\n   5402 ?sys dnsmasq       0.00 B    140.00 K                 dnsmasq -x /run/dnsmasq/dnsmasq.pid\n

Post-minwrite I/O

Total DISK READ:         0.00 B/s | Total DISK WRITE:         0.00 B/s\nCurrent DISK READ:       0.00 B/s | Current DISK WRITE:       0.00 B/s\n    PID  PRIO  USER     DISK READ  DISK WRITE  SWAPIN     IO>    COMMAND\n    101 ?sys root          0.00 B      8.00 K                 [jbd2/mmcblk0p2-8]\n    837 ?sys www-data     24.00 K      0.00 B                 lighttpd -D -f /etc/lighttpd/lighttpd.conf\n    890 ?sys www-data    170.00 K      0.00 B                 php-cgi\n    891 ?sys www-data      4.00 K      0.00 B                 php-cgi\n    892 ?sys www-data      4.00 K      0.00 B                 php-cgi\n    893 ?sys www-data     80.00 K      0.00 B                 php-cgi\n

Notice that in the latter iotop output, logging to disk is nearly absent and vnstatd now writes data to RAM. The remaining disk write activity originates mainly from the ext4 journal update process jbd2.

At the same time, RaspAP settings may be modified and persisted to the microSD card and the system otherwise operated normally.

"},{"location":"minwrite/#discussions","title":"Discussions","text":"

Questions or comments about using minwrite mode? Join the discussion here.

"},{"location":"net-devices/","title":"Network devices","text":""},{"location":"net-devices/#overview","title":"Overview","text":"

Experimental \u00b7 Insiders only

Insiders are able to manage a variety of physical network devices as a source of data connectivity for RaspAP. Broadly, this includes devices such as tethered phones, USB modems/routers, WLAN adapters and so on. This expands the practicality of RaspAP as a truly mobile AP for travel and/or field applications.

"},{"location":"net-devices/#supported-device-types","title":"Supported device types","text":"

The following network devices are supported:

All devices require a driver in order to be available for use with RaspAP.

"},{"location":"net-devices/#listing-detected-devices","title":"Listing detected devices","text":"

The Networking > Devices tab displays a list of available devices with their attributes and assumed adapter type. The adapter type as well as the device name may be changed. Incorrect device types might appear for some devices, which advertise themselves to the system as an ethernet (e.g. eth0) or usb (e.g. usb0) device. This often happens for USB connected phones and external routers.

"},{"location":"net-devices/#changing-the-device-name","title":"Changing the device name","text":"

Changing the name helps to distinguish different devices. This is especially important if, for example, the Access Point device is connected via USB and the automatically assigned name is changed. This can sometimes occur when devices are connected in varying order.

To modify a device's name, enter a value in the Fixed name field and choose Change.

The only restriction for the device name is that it must only contain lowercase letters and numbers. The maximal length is limited to 20 characters. Devices names are automatically filtered accordingly.

"},{"location":"net-devices/#changing-the-mac-address","title":"Changing the MAC address","text":"

Sometimes you might need to set the MAC address of the WLAN interface to be the same as your PC or some other device on your network. This is known as MAC address cloning.

For example, some ISPs register your computer's MAC address when the service is first installed. When you place a router behind the cable or ADSL modem, the MAC address from the device WLAN port will not be recognized by the ISP.

External networking devices, like a Raspberry Pi, also have their own MAC addresses which can create authentication problems. This often occurs on guest Wi-Fi networks.

You can clone the MAC address of the WLAN interface (or any other valid interface) to be the same as your computer's MAC address. To create this configuration, follow the steps below:

  1. Open the Networking > Devices tab.
  2. Choose a MAC address for the interface you wish to clone.
  3. Enter a valid address in the MAC field and click or tap Change.
  4. The new MAC address will be configured immediately.

Note

Virtual interfaces such as OpenVPN's tun0 or WireGuard's wg0 do not have this capability. To avoid potential conflicts, change the MAC address and reconnect the device before modifying any other settings.

"},{"location":"net-devices/#ethernet-interfaces","title":"Ethernet interfaces","text":"

The built-in ethernet adapter as well as USB adapters are usually detected automatically. In these cases no configuration is required. Devices such as USB tethered phones might appear as an ethernet device as well. The same applies to mobile data adapters that also contain a router.

In these cases, the type may be adjusted in the device list and a name assigned to the device. This will have an effect on the network device widget shown on the dashboard.

"},{"location":"net-devices/#wireless-network-devices","title":"Wireless network devices","text":"

These devices are usually listed with the automatically assigned device name prefix wlan, for example wlan0. If multiple wlan interfaces are used, it can be advantageous to assign a unique name to the device.

Wireless devices will only appear if a supported driver exists in the currently installed OS. If your device does not appear in the list, this usually indicates that a required device driver is missing. The helper script install_wlan_driver_modules.sh available in RaspAP/raspap-tools can be used to search for and install existing driver modules.

"},{"location":"net-devices/#mobile-data-modems","title":"Mobile data modems","text":"

Modems or Point-to-Point Protocol (ppp) devices require login data. This includes a PIN number to unlock the SIM card, the Access Point Name (APN) and login data of your mobile network provider. These values may be entered under the Networking > Mobile Data tab.

Values entered here are stored in the file /etc/wvdial.conf. This configuration file contains the basic configuration needed to unlock the SIM card and connect to the network. This has been tested with a Huawei E1550. If your device requires different AT-commands, you will need to manually change this configuration.

When a connected modem is attached, the connection mode, signal quality and network provider will be displayed on the dashboard.

Note

The names of modems cannot be changed. The reason is that the device name ppp0 is directly coupled with the required system services.

"},{"location":"net-devices/#what-if-my-modem-device-doesnt-appear","title":"What if my modem device doesn't appear?","text":"

In this case your connected modem device is not recognized by the OS, or it has not been switched into modem mode by usb_modeswitch. Check the log file (journalctl) for problems with the device.

"},{"location":"net-devices/#mobile-data-adapters-with-built-in-routers","title":"Mobile data adapters with built-in routers","text":"

Mobile data USB devices which provide router functionality will usually appear as an ethernet device, for example eth1. This implies that the device has to be pre-configured to work without a PIN for the SIM card and without login data. Typically, this can be done via a browser based administration interface on any computer.

"},{"location":"net-devices/#huawei-hilink-device","title":"Huawei Hilink Device","text":"

A special case are Huawei Hilink devices (e.g. Huawei E3372h-320). RaspAP can communicate directly with these devices. Be sure that the administration interface is not locked with a user/password. The PIN number entered on the Networking > Mobile Data tab will be used to unlock the SIM card. In addition, connection information (mode, signal quality and network provider) are extracted from the device and displayed on the dashboard. The dashboard button to stop/start the device is active and will disconnect/connect the mobile network.

The model E3372h-320 will be detected as a Hilink device and appears with the name hilink0. Other Hilink devices require a corresponding assignment on the Networking > Devices tab.

"},{"location":"net-devices/#usb-tethered-phones","title":"USB tethered phones","text":"

A phone connected via USB and with USB tethering enabled will appear as either an ethernet device (e.g. eth1), or as a USB network device (e.g. usb0). Changing the device type to phone will result in a corresponding display on the dashboard. In this case the default name is phone0.

"},{"location":"net-devices/#configuration-files","title":"Configuration files","text":""},{"location":"net-devices/#diagnostics","title":"Diagnostics","text":"

A built-in tool to evaluate network performance is available on the Networking > Diagnostics tab. This permits testing of both local network throughput (that is, data transfer over a wired or wireless interface between RaspAP and a connected client) and internet speed (data transfer between a RaspAP instance and remote host). Ping, jitter download and upload metrics are included in the test.

The remote host is RaspAP's public speedtest server located in the United States. Additional speedtest hosts distributed in other geographic centers are forthcoming.

"},{"location":"net-devices/#discussions","title":"Discussions","text":"

Questions or comments about network devices support? Join the discussion here.

"},{"location":"ntp/","title":"NTP Service","text":""},{"location":"ntp/#overview","title":"Overview","text":"

Experimental \u00b7 Insiders only

One of the limitations of devices such as the Raspberry Pi is that it lacks an onboard real-time clock (RTC) to accurately keep track of the time, including when the device is powered off. To overcome this, two solutions are generally available: 1) install a hardware RTC module, or 2) synchronize time from the network.

The Network Time Protocol (NTP) is widely used to fulfill this need. This is a protocol that, together with its associated daemon and related tools, is able to keep all the system clocks in a local network in sync with authoritative millisecond precision.

"},{"location":"ntp/#use-cases","title":"Use cases","text":"

There are many scenarios in which accurate and synchronized timekeeping across networked devices can be extremely useful, if not essential. For example, a robotic controller or sensor may need to perform an operation at a specific interval but, for one reason or another, doesn't have reliable internet connectivity.

In this situation, a single internet connected device (the NTP server) will synchronize the time of the robot or sensor (NTP clients). These devices may already receive control instructions and/or exchange data with the server via a wireless network, such as the one provided by RaspAP. In this way, NTP functions as an additional service layer on top of an existing WiFi network.

Alternatively, a standalone configuration may be needed in which precision timekeeping is required for a network device.

"},{"location":"ntp/#installation","title":"Installation","text":"

An NTP server may be optionally installed by the Quick installer. To install NTP server support, respond by pressing Enter to accept the default Y option at the following prompt:

RaspAP Install: Configure NTP server support\nInstall ntp and enable NTP configuration? [Y/n]:\n

With the software requirements installed, the systemd ntpd.service control file will be enabled on your system, as well as the NTP server management UI:

Enabling ntpd.service\nEnabling NTP server management option\n[ \u2713 ok ]\n

Proceed with the Quick installer and accept the default Y prompt to reboot your system as a final step.

"},{"location":"ntp/#configuration","title":"Configuration","text":"

Following the installation, the NTP service should be up and running. You may check and control its current state by visiting RaspAP's NTP Server administration page. Basic Settings as well as Advanced controls are available on their respective tabs. The Status tab will display the operational state of connected peers by using the ntpq query tool. These status queries are examined in detail to assist you with interpreting them.

"},{"location":"ntp/#standalone-device","title":"Standalone device","text":"

In a standalone configuration, a single device will be automatically kept in sync by communicating with remote NTP servers tied to high quality clocks. As long as the ntpd.service is running (enabled on boot by default), the protocol will largely handle the time syncronization for you with its default settings. This of course assumes the device has internet connectivity.

The NTP Server > Settings tab will report the current system time synchronized from its remote NTP server peers.

You may add any number of public NTP servers by entering their IP address or fully qualified domain name (FQDN) under Add an NTP server.

Tip

Public NTP servers that support Network Time Security (NTS) may be specified by appending the nts suffix.

Click or tap the icon to add an entry to your list of servers and choose Save settings. The ntpd.service will be automatically restarted.

"},{"location":"ntp/#multiple-devices","title":"Multiple devices","text":"

In an environment with multiple networked devices, some of which may lack internet connectivity, an NTP server on your local network may be used to keep them synchronized. To create this configuration, under Add an NTP server (shown above) specify a private IP address or local network host address, for example time.raspberrypi.local, of the NTP server on your local network. Click or tap the icon to add it to your list of servers and choose Save settings. The ntpd.service will automatically restart for you.

Repeat this process for each of the devices you wish to keep synchronized on your network.

"},{"location":"ntp/#advanced-settings","title":"Advanced settings","text":"

For users who are familiar with the NTP protocol and configuration file, the NTP Server > Advanced tab permits you to view and edit this file directly. This gives you full control over the NTP server settings, beyond the basic configuration provided on the Settings tab.

To enable ntp.config editing, simply slide the Edit mode toggle. You may then make your edits to the configuration directly. When you are finished editing, choose Save settings. The ntpd.service will restart automatically.

Caution

Editing the ntp.config file may lead to unpredictable results and/or cause the NTP service to enter a failed state. For this reason, it's recommended to preserve a backup of your original NTP configuration.

"},{"location":"ntp/#peer-status-queries","title":"Peer status queries","text":"

The NTP query utility ntpq is used to monitor NTP daemon ntpd operations and give useful performance metrics. The -p or --peers option is used with ntpq to output a list of the peers known to the server as well as a summary of their state. This is available on the NTP Server > Status tab. Example output is shown below:

     remote           refid      st t when poll reach   delay   offset   jitter\n===============================================================================\n+time.cloudflare 10.109.8.98      3 u  723 1024  377  27.6182   1.8467   3.5095\n+185.198.109.227 150.214.94.10    2 u  403 1024  377  37.3427   0.1535   2.6619\n+time.cloudflare 10.56.8.4        3 u  433 1024  377  21.7662   2.6731   7.5725\n-ntp01.pingless. 189.97.54.122    2 u  181 1024  377  70.1582  -5.9882   3.3870\n-185.90.148.209  150.214.94.10    2 u  861 1024  337  63.1452   4.4984   6.3479\n*ip94-143-139-21 150.214.94.10    2 u  289 1024  377  36.6112   0.3700   2.5709\n

Looking at the column headers, this status output may be interpreted with the following:

Identifier Description remote The address of a remote NTP server your local server is talking to. refid A reference to where the remote server is synced from. st An abbreviation for \"stratum\" \u2013 the number of hops between that server and a high quality clock source, such as nuclear or GPS. Stratum 1 is the highest level, 15 the lowest. t An abbreviation for the peer \"type\" \u2013 local, unicast, multicast or broadcast. Most peers are accessed in unicast mode. when The number of seconds since your local server last polled the remote. poll The interval in seconds between polling of the remote server. reach An octal representation of the success/failure over time, 377 being 100% success. delay A measure of network latency to the remote server in milliseconds. offset The current offset, or time difference, between the peer and local system time, expressed in milliseconds. jitter A measure of the variation in latency or time delay over the network. * This marks the current preferred server as determined by the protocol.

In the above example, our local NTP server is within 0.37ms of the preferred remote server, which itself is closely tied (stratum=2) to a high quality clock source. Our local server is within \u00b1 6ms of the other remotes.

"},{"location":"ntp/#firewall-settings","title":"Firewall settings","text":"

If your system uses a network firewall, such as the one provided by RaspAP, you will need to be sure that it's configured for the NTP protocol. NTP uses UDP port 123 to communicate with peers. Therefore, you must ensure that the port is open in any firewall. To enable NTP traffic with iptables execute the following:

iptables -A INPUT -p udp --dport 123 -j ACCEPT\n

Alternatively, you may use ufw to achieve the same result:

ufw allow 123/udp\n

Note

If you're using RaspAP's firewall, an exception is already present to allow NTP traffic by default.

"},{"location":"ntp/#troubleshooting","title":"Troubleshooting","text":"

Output from the NTP system calls ntp_gettime() and ntp_adjtime() is displayed prominently on the NTP Server > Settings page. If present, the current synchronized timekeeping data are displayed with their associated status codes. A code 0 (OK) indicates that these system calls are functioning as expected, as shown below:

ntp_gettime() returns code 0 (OK)\n  time e9b1283b.89c0db28 2024-03-29T11:44:59.538Z, (.538099359),\n  maximum error 997469 us, estimated error 167 us, TAI offset 37\nntp_adjtime() returns code 0 (OK)\n  modes 0x0 (),\n  offset 456.591 us, frequency -1.317 ppm, interval 1 s,\n  maximum error 997469 us, estimated error 167 us,\n  status 0x2001 (PLL,NANO),\n  time constant 6, precision 1.000 us, tolerance 500 ppm,\n

On the other hand, the kernel may occasionally report NTP clock errors like the following:

raspberrypi ntpd[1279]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized\"\n

The NTP system calls shown above may also return a code 5 (ERROR) result. In most cases, this will resolve itself in a few minutes while the system clock is synchronized. Persistent errors may indicate a misconfiguration of the NTP protocol or a general networking problem. Refer to the firewall settings, above.

Detailed metrics from peer status queries are also useful for troubleshooting purposes.

Finally, ensure that no other time synchronization application is in use, such as timesyncd or any third party software.

"},{"location":"ntp/#discussions","title":"Discussions","text":"

Questions or comments about time synchronization with NTP? Join the discussion here.

"},{"location":"openvpn/","title":"OpenVPN","text":""},{"location":"openvpn/#overview","title":"Overview","text":"

OpenVPN may be optionally installed by the Quick Installer. Once this is done, you can create a client configuration and manage the openvpn-client service with RaspAP.

"},{"location":"openvpn/#enabling-openvpn","title":"Enabling OpenVPN","text":"

To configure an OpenVPN client, upload a valid .ovpn file from your provider and, optionally, specify your login credentials. For clarity, these steps are described below:

  1. Enter your credentials, if needed, into the Username and Password fields.
  2. Browse to your provider's .ovpn file and choose Save settings.
  3. Confirm that the OpenVPN client.conf uploaded successfully.
  4. Choose Start OpenVPN.

The video walkthrough below illustrates the steps of configuring an OpenVPN client from start to finish.

Your browser does not support the video tag."},{"location":"openvpn/#tunneling-traffic","title":"Tunneling traffic","text":"

RaspAP will store your client configuration and add firewall rules to forward traffic from OpenVPN\u2019s tun0 interface to your configured wireless interface. In the example below, the default AP interface wlan0 is used:

iptables -A POSTROUTING -o tun0 -j MASQUERADE\niptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT\niptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT\n
"},{"location":"openvpn/#public-ip-address","title":"Public IP address","text":"

After a page reload, your new public IPv4 address will be indicated. Click or tap the icon to open a new window with details about your public IP.

"},{"location":"openvpn/#multiple-client-configs","title":"Multiple client configs","text":"

RaspAP lets you manage multiple OpenVPN client configurations. This includes the ability to upload, activate and delete any number of valid .ovpn files and associated login credentials. Thereafter, switching between them is done by simply activating the desired profile. Traffic is automatically routed to clients connected on the AP interface.

Activating a profile will restart the openvpn-client service automatically. Additionally, openvpn-service activity may be tracked in the Logging tab.

"},{"location":"openvpn/#certificate-authentication","title":"Certificate authentication","text":"

Alternatively, you may also authenticate with a signing certification authority (CA) certificate. This is an alternative to the default username and password authentication, and is often used with a private or self-hosted OpenVPN server.

To use this method, upload an OpenVPN configuration file (.ovpn) with the certificate authority (CA) certficate, client certificate and client private key enclosed in tags as described above.

"},{"location":"openvpn/#mitigating-dns-leaks","title":"Mitigating DNS leaks","text":"

Remote hosts use a variety of methods to defeat VPNs, some more aggressively than others. Many VPN providers will advise you to configure custom DNS servers to mitigate DNS leaks, which you can do from RaspAP's DHCP > Advanced tab. You can also test for this with https://dnsleaktest.com/.

Other providers have specific VPN nodes to use with popular streaming services. It's recommended to check with your provider and follow their suggestions.

When an OpenVPN client is configured, RaspAP adds NAT rules with iptables to forward all packets from the AP interface to tun0. If you suspect network traffic is not being routed through tun0 (or any other interface) for some reason, you can monitor this directly from your RPi with iftop:

sudo apt install iftop\nsudo iftop -i [interface]\n
"},{"location":"openvpn/#browser-considerations","title":"Browser considerations","text":"

The Mozilla Foundation recently added a DNS over HTTPS (DoH) proprietary service to its Firefox browser. As of this writing, this \"feature\" is enabled by default for users in the United States. A consequence of DoH is that DNS requests will be resolved by Mozilla's DNS servers, instead of your VPN provider's. Instructions for disabling this DoH may be found here.

"},{"location":"openvpn/#troubleshooting","title":"Troubleshooting","text":"

See the FAQ section for OpenVPN.

"},{"location":"openvpn/#discussions","title":"Discussions","text":"

Questions or comments about using OpenVPN? Join the discussion here.

"},{"location":"providers/","title":"VPN Providers","text":""},{"location":"providers/#overview","title":"Overview","text":"

Experimental

Several popular VPN providers include a Linux Command Line Interface (CLI) for interacting with their services. As a new beta feature, you may optionally control these VPN services from within RaspAP. In this way, after your preferred CLI is installed on your system you may administer it thereafter by using RaspAP's UI.

"},{"location":"providers/#installation","title":"Installation","text":"

To configure VPN provider support, respond by pressing Enter to accept the default Y option when prompted by the Quick installer:

RaspAP Install: Configure VPN provider support (Beta)\nEnable VPN provider client configuration? [Y/n]:\n

Next, select an available VPN provider from the list. For the initial beta, we've identified three of the most popular VPN services that have Debian compatible Linux CLIs. Enter a number corresponding to your desired VPN provider followed by the Enter key.

Select an option from the list:\n  1) ExpressVPN\n  2) Mullvad VPN\n  3) NordVPN\n  0) None\nChoose an option: 3\nConfiguring support for NordVPN\nAdding /usr/bin/nordvpn to raspap.sudoers\nEnabling administration option for NordVPN\nAdding VPN provider to /etc/raspap/provider.ini\n[ \u2713 ok ]\n

The installer will configure RaspAP to administer the corresponding Linux CLI. Choosing 0 (None) followed by Enter will exit the VPN provider option and continue with the installer.

"},{"location":"providers/#provider-clis","title":"Provider CLIs","text":"

RaspAP provides a visual interface to interact with your chosen VPN provider's CLI. To facilitate this, you must first install and configure the CLI on your system. Specific steps will depend on your VPN provider; consult the online documentation for your chosen VPN service.

Note

The RaspAP project has no affiliation whatsoever with the supported VPN providers. Each provider was selected solely based on availability of their Debian compatible CLIs.

NordVPN is demonstrated in the following example. Begin by executing the install script:

sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)\n

After the installer completes, verify the CLI by checking its version:

nordvpn --version\nNordVPN Version 3.16.6\n

Next, activate your account. The --callback and --token methods are useful for headless setups. The latter is shown below:

nordvpn login --token [myToken]\nWelcome to NordVPN! You can now connect to VPN by using 'nordvpn connect'.\n

Before establishing a VPN connection with the CLI, add a rule to whitelist port 22. This will prevent the VPN from disrupting access to the shell via SSH:

nordvpn whitelist add port 22\nPort 22 (UDP|TCP) is allowlisted successfully.\n

Now, execute the following to connect to a recommended VPN server:

nordvpn connect\nConnecting to France #817 (fr817.nordvpn.com)\nYou are connected to France #817 (fr817.nordvpn.com)!\n

With these setps completed, you are now ready to begin administering your VPN provider with RaspAP.

"},{"location":"providers/#administer-your-provider","title":"Administer your provider","text":"

Continuing from the above example, access your VPN provider's UI page from RaspAP. From the Settings page, you can view your account status, connect to a recommended VPN server or choose a specific country from the select list.

Below, RaspAP displays the CLI output when a country is selected from the list followed by Save settings:

On the Status tab, information about your installed provider CLI and current connection status are displyed:

You may perform the same operations with any of the supported VPN providers.

Tip

Many VPN providers have firewalls enabled by default that can disrupt access to your system via SSH. For this reason, it's recommended to perform these basic CLI functions from your terminal before using them with RaspAP. If your SSH session is disrupted, a reboot will usually restore the connection. Consult your VPN provider's documentation for more advice.

If a configured provider's CLI is not found, RaspAP will detect this and give you a helpful pointer to the CLI's installation instructions:

Likewise, if the CLI binary exists but RaspAP is unable to execute it, a diagnostic message will be displayed.

"},{"location":"providers/#control-scope","title":"Control scope","text":"

Each VPN provider's CLI offers different command sets to control various aspects of their service. For this beta release, RaspAP may be used to administer basic functions including connect, disconnect, status, account information and country (or city) selection for the remote VPN server.

nordvpn settings\nTechnology: NORDLYNX\nFirewall: disabled\nFirewall Mark: 0xe1f1\nRouting: enabled\nAnalytics: enabled\nKill Switch: disabled\nThreat Protection Lite: disabled\nNotify: disabled\nAuto-connect: disabled\nIPv6: disabled\nMeshnet: disabled\nDNS: disabled\nLAN Discovery: disabled\nAllowlisted ports:\n       22 (UDP|TCP)\n

More advanced CLI settings such as whitelists, kill switches, firewalls, protocols and so on (shown above) should be administered with your CLI directly.

Tip

Support for provider CLIs is intended for typical setups with RaspAP's default configuration, where the AP interface is wlan0 and internet connectivity is provided by eth0. If you need to control settings beyond these defaults with your provider, it's recommended to install either OpenVPN or WireGuard and administer these services directly.

"},{"location":"providers/#public-ip","title":"Public IP","text":"

After a VPN connection is established, your public IPv4 address will be displayed next to a globe icon below your provider name on the Settings tab. Click or tap on the external link icon to see details about your IP location.

"},{"location":"providers/#ap-clients","title":"AP clients","text":"

If your device is connected to the internet via Ethernet (eth0), clients connected on the AP interface (wlan0 for example) will have their traffic automatically routed through the VPN connection.

"},{"location":"providers/#troubleshooting","title":"Troubleshooting","text":"

RaspAP uses each CLI to fetch the most detailed available connection information and display this on the Status tab. The level of detail varies from one provider to the next. If you suspect a problem with your VPN service, it's recommended to check this output and use it for troubleshooting purposes with your VPN provider.

"},{"location":"providers/#whitelisting-services","title":"Whitelisting services","text":"

Additionally, you might want to consider whitelisting other ports that are commonly used for essential network services. For instance, with NordVPN's CLI you may whitelist TCP port 53 and UDP port 67 with the following commands:

nordvpn whitelist add port 53\nnordvpn whitelist add port 67\n
This will allow devices connecting to your AP to obtain an IP address.

Next, it's recommended to whitelist your network subnet. For example:

nordvpn whitelist add subnet 192.168.x.x/24\n
Substitute the placeholder value for your network. This will permit you to connect to the VPN while also preserving your access to SSH and RaspAP's web UI. Refer to your provider's CLI documentation for more information.

"},{"location":"providers/#discussions","title":"Discussions","text":"

Questions or comments about using VPN providers? Join the discussion here.

"},{"location":"quick/","title":"Quick installer","text":""},{"location":"quick/#overview","title":"Overview","text":"

The Quick installer has been designed to assist users with creating an instance of RaspAP both quickly and with a great deal of flexibility. The install loader will respond to several command line arguments, or switches, to customize your installation in a variety of ways, or install one of RaspAP's optional helper tools.

"},{"location":"quick/#alternatives","title":"Alternatives","text":"

The installer gives you the greatest level of flexibility for creating an instance of RaspAP. However, if your goal is to use RaspAP as a component of a larger project, or wish to isolate its dependencies from existing software on your system, consider deploying RaspAP in a Docker container instead.

"},{"location":"quick/#usage","title":"Usage","text":"

The Quick installer has several options for configuring a RaspAP installation. You can get usage notes from your command shell by requesting the installer like so:

curl -sL https://install.raspap.com | bash -s -- --help\n

Appending -s -- [option] to the Quick Install directive will activate one or more options. Several options may be chained together to customize an installation. Examples are given below.

"},{"location":"quick/#examples","title":"Examples","text":"

The installer may be invoked locally or remotely via curl. Examples with both cases and various options are given below.

Invoke installer remotely, run non-interactively with option flags:

curl -sL https://install.raspap.com | bash -s -- --yes --wireguard 1 --adblock 0\n

Invoke remotely, uprgrade an existing install to the Insiders Edition. The --name and --token arguments are optional; if they are not specified the user will be prompted to authenticate with GitHub:

curl -sL https://install.raspap.com | bash -s -- --upgrade --insiders --name <name> --token <token>\n

Invoke remotely, perform an unattended update to the latest release version:

curl -sL https://install.raspap.com | bash -s -- --yes --update --path /var/www/html\n

Run locally specifying a GitHub repo and branch:

raspbian.sh --repo foo/bar --branch my/branch\n

Run locally requesting release info:

raspbian.sh --version\n

"},{"location":"quick/#switches","title":"Switches","text":""},{"location":"quick/#-y-yes-assume-yes","title":"-y, --yes, --assume-yes","text":"

This option enables unattended installations, such that the installer assumes \"yes\" as an answer to all user prompts. This behavior is identical to how the same option with the apt-get package handler works.

"},{"location":"quick/#-c-cert-certificate","title":"-c, --cert, --certificate","text":"

This option installs an SSL certificate with mkcert and configures lighttpd for HTTPS support. It does not (re)install RaspAP. Details are provided here.

"},{"location":"quick/#-o-openvpn-flag","title":"-o, --openvpn <flag>","text":"

Used with the -y, --yes option above, this sets the OpenVPN install option (0 = don't install OpenVPN). Given that OpenVPN support is an optional extra, this enables an unattended setup without installing it.

"},{"location":"quick/#-s-rest-restapi-flag","title":"-s, --rest, --restapi <flag>","text":"

Used with the -y, --yes option above, this sets RestAPI install option (0 = don't install the RestAPI). Given that the RestAPI is an optional extra, this enables an unattended setup without installing it.

"},{"location":"quick/#-a-adblock-flag","title":"-a, --adblock <flag>","text":"

Used with the -y, --yes option above, this sets the Ad Blocking install option (0 = don't install Adblock). Given that Adblock support is an optional extra, this enables an unattended setup without installing it.

"},{"location":"quick/#-w-wireguard-flag","title":"-w, --wireguard <flag>","text":"

Used with the -y, --yes option above, this sets the WireGuard install option (0 = don't install WireGuard). Given that WireGuard support is an optional extra, this enables an unattended setup without installing it.

"},{"location":"quick/#-g-tcp-bbr-flag","title":"-g, --tcp-bbr <flag>","text":"

Used with the -y, --yes option above, this enables kernel support for TCP BBR congestion control (0 = don't configure TCP BBR). Given that TCB BBR support is optional, this enables an unattended setup without enabling it.

"},{"location":"quick/#-e-provider-value","title":"-e, --provider <value>","text":"

Used with the -y, --yes option above, this sets the VPN provider install option. Valid numeric option values are:

  1 = ExpressVPN\n  2 = Mullvad VPN\n  3 = NordVPN\n  0 = None\n

"},{"location":"quick/#-r-repo-repository-name","title":"-r, --repo, --repository <name>","text":"

If you have forked this project to your own GitHub repo, this option lets you override the default GitHub repo (RaspAP/raspap-webgui) used to install RaspAP. An alternate repository name is a required parameter.

"},{"location":"quick/#-b-branch-name","title":"-b, --branch <name>","text":"

Similarly, this option overrides the default git branch. This is useful if you have created a feature branch (my-feature) and wish to perform an installation using the Quick Installer. An alternate branch name is a required parameter.

An example combining the -r, --repo and -b, --branch options is given below:

curl -sL https://install.raspap.com | bash -s -- --repo foo/bar --branch my-feature\n

"},{"location":"quick/#-t-token-accesstoken","title":"-t, --token <accesstoken>","text":"

Specify a GitHub personal access token to authenticate with a private repository. Used together with the -n, --name option (below).

"},{"location":"quick/#-n-name-username","title":"-n, --name <username>","text":"

Specify a GitHub username to access a private repository. An example combining the --token and --name options is given below:

curl -sL https://install.raspap.com | bash -s -- --name billz --token [my-token]\n
"},{"location":"quick/#-u-upgrade","title":"-u, --upgrade","text":"

Upgrades an existing RaspAP installation to the latest release version.

"},{"location":"quick/#-d-update","title":"-d, --update","text":"

Performs a minimal update of an existing installation to the latest release version. This differs from the -u, --upgrade option in several ways. The user is not prompted to install optional RaspAP components, and several steps used for an initial installation are not performed. Existing configuration files remain intact.

"},{"location":"quick/#-p-path-path","title":"-p, --path <path>","text":"

Sets the application path for an existing RaspAP installation.

It may be combined with the -d, --update and -y, --yes options to perform an unattended update. An example is given below:

curl -sL https://install.raspap.com | bash -s -- --update --path /var/www/html --yes\n
"},{"location":"quick/#-i-insiders","title":"-i, --insiders","text":"

Installs from the Insiders Edition (RaspAP/raspap-insiders).

"},{"location":"quick/#-m-minwrite","title":"-m, --minwrite","text":"

Configures a microSD card for minimum write operation.

"},{"location":"quick/#-v-version","title":"-v, --version","text":"

Queries the Github API, outputs the latest RaspAP release version and exits.

"},{"location":"quick/#-n-uninstall","title":"-n, --uninstall","text":"

Loads and executes the uninstaller.

"},{"location":"quick/#-h-help","title":"-h, --help","text":"

Outputs these usage notes and exits.

"},{"location":"quick/#discussions","title":"Discussions","text":"

Questions or comments about using RaspAP's Quick installer? Join the discussions here.

"},{"location":"repeater/","title":"WiFi repeater","text":""},{"location":"repeater/#overview","title":"Overview","text":"

A popular use case for RaspAP is to connect to your wireless network and rebroadcast an existing wireless signal. Often known as a wireless repeater or extender, this setup is particularly useful if you are experiencing problems with \"dead spots\" in your WiFi network. This step-by-step walkthrough will assist you in creating this configuration.

"},{"location":"repeater/#how-a-wifi-repeater-works","title":"How a WiFi repeater works","text":"

A WiFi repeater receives an existing WiFi signal, amplifies it and then transmits the boosted signal. With this arrangment you can effectively double the coverage area of your WiFi network \u2014 reaching far corners of your home or office, different floors, or even extend coverage outside to a yard or garage. A repeater effectively contains two wireless routers and a minimum of two antennas. One of these wireless routers picks up the existing WiFi network. It then transfers the signal to the other wireless router, which retransmits the boosted signal.

Note

A wireless repeater will restrict your maximum throughput. This is because WiFi is a half-duplex system, meaning only one device may transmit data at any given time. The repeater must accept incoming and outgoing packets from clients and forward those packets on to the next WiFi router and accept replies. In practice, you can expect half the bandwidth as a non-boosted signal, as each packet must go over the air twice.

We will create this setup with a WiFi-capable Raspberry Pi (or similar device) and an external USB wireless adapter, or dongle.

"},{"location":"repeater/#steps-to-create-a-repeater","title":"Steps to create a repeater","text":"

Refer to the diagram above as we walk through the steps of creating this configuration.

"},{"location":"repeater/#connect-a-usb-wifi-dongle","title":"Connect a USB WiFi dongle","text":"

Begin by connecting an external wireless adapter to a USB port on your device. Your choice of adapter is important \u2014 external WiFi adapters (ie, \"dongles\") vary greatly in terms of hardware capabilities and driver support. Many do not have support for AP mode, require a powered USB hub, manual driver and/or firmware installation or are otherwise not well suited for this application.

To determine if your USB WiFi adapter is capable of hosting an AP, execute the following:

$ iw list\n...\n    Supported interface modes:\n         * IBSS\n         * managed\n         * AP\n         * P2P-client\n         * P2P-GO\n         * P2P-device\n

If \"AP\" does not appear in the list above, save yourself some time and find another adapter.

You should also pair an adapter with the wireless mode you intend to operate from your device's onboard wireless chipset. For example, if you wish to use a Raspberry Pi 4's 802.11ac 5 GHz wireless mode, make sure your adpater also supports this mode.

We strongly recommend this resource which lists USB WiFi adapters with in-kernel Linux drivers. These will work out of the box on Debian-based devices without installing third-party drivers. You may also wish to skip directly to this short list of \"superstar\" USB WiFi adapters for Linux. Pay special attention to those that are excellent choices for 5 GHz AP mode, if this is desired.

"},{"location":"repeater/#create-the-access-point","title":"Create the access point","text":"

After installing RaspAP your device will broadcast an 802.11g 2.4 GHz access point with the SSID raspap-webgui. By default, this uses your device's onboard wireless adapter and the wlan0 interface. Your AP configuration may be changed at any time, however it's recommended to change the default password at minimum before proceeding. You may also wish to change the SSID and wireless mode.

Note

The 802.11ac 5 GHz option is disabled until you configure your device's wireless regulatory domain. See this FAQ for more information.

"},{"location":"repeater/#connect-device-to-wifi","title":"Connect device to WiFi","text":"

With your USB dongle connected and AP active, use RaspAP's WiFi client interface to select and authenticate with your existing wireless router.

Alternatively, if you've used software such as the Raspberry Pi imager to install an OS on your microSD card, you may choose the \"Configure wireless LAN\" option before booting your device for the first time. This will configure your wpa_supplicant.conf and your device should already be connected to your WLAN. In this case, you may skip this step.

"},{"location":"repeater/#configure-routing","title":"Configure routing","text":"

Your current network configuration will display two default routes. This may be confirmed by checking the Routing table output on RaspAP's Networking interface. In the example below, wlan0 is the AP interface and has a default route (identified by the default label) and a metric value of 303:

Note that our USB adapter is on the wlan1 interface and has a higher metric value of 304. It also has a default route. Until we configure these metrics, our WiFi repeater does not know how to route packets from wlan1 (the client interface) to wlan0 (the AP interface) and vice versa. Clients connected to the AP will not have internet connectivity. Fortunately, this is easily fixed.

Metrics and default routes are used by dhcpcd, the DHCP daemon. Contrary to popular belief, RaspAP does not manipulate the IP routing table or set interface priorities without user input. The Linux kernel sets default metric values when the interface is brought up and will usually choose the network routes it decides is best. The DHCP daemon uses these metrics to prioritize interfaces, where lower values are given a higher priority.

To configure routing for our repeater, select wlan0 (the AP interface, in this example) from the DHCP Server settings interface. Be sure that the \"Install a default route for this interface\" option is disabled.

Scroll to the bottom and set a metric value of 305 for this interface, then choose Save settings:

This instructs the DHCP daemon to treat the wlan0 interface with a lower priority than the wlan1 interface. There's nothing magic about the value \"305\" in this example \u2014 the important thing is that the AP interface has a higher value, and thus a lower priorty, than the wlan1 interface.

For your changes to take effect, choose Restart hotspot from the Hotspot interface.

Behind the scenes, RaspAP has configured the wlan0 interface in /etc/dhcpcd.conf like so:

# RaspAP wlan0 configuration\ninterface wlan0\nstatic ip_address=10.3.141.1/24\nstatic routers=10.3.141.1\nmetric 305\nnogateway\n

This is reflected in the updated routing table, visible on the Networking interface. In the example below, the wlan0 interface hosting the AP no longer has a default route and shows a higher metric value (lower priority) than the wlan1 interface:

If you don't see these changes in the routing table, be sure to restart the hotspot.

"},{"location":"repeater/#alternate-routing-method","title":"Alternate routing method","text":"

Experimental \u00b7 Insiders only

As a convenience, Insiders are able to configure routing automatically by enabling the WiFi repeater mode toggle on the Hotspot > Advanced tab.

Save settings and choose Start hotspot or Restart hotspot to activate the wireless repeater.

Info

As with WiFi client AP mode, the WiFi repeater mode option is disabled or \"greyed out\" until a wireless client is configured.

"},{"location":"repeater/#connecting-clients","title":"Connecting clients","text":"

At this stage, you may connect clients to the AP as you would normally. Two different methods are described here.

"},{"location":"repeater/#switching-interfaces","title":"Switching interfaces","text":"

If you would like to switch the wlan interfaces, select a different interface for the AP on the Hotspot > Basic tab, then choose Save settings. Reverse the DHCP settings in the previous step, then restart the AP or reboot your device. In order to still be able to access the web UI, connect your device via an ethernet cable.

"},{"location":"repeater/#troubleshooting","title":"Troubleshooting","text":"

If your clients do not have internet connectivity, start by following these troubleshooting steps. In most cases, problems may be diagosed and fixed by checking the service logs and RaspAP's Networking interface. Help is available from the sources mentioned here.

"},{"location":"repeater/#speed-testing","title":"Speed testing","text":"

RaspAP hosts a fast, open source and privacy-focused public speed test server that you can use to evaluate your WiFi repeater's performance. The remote host is RaspAP's public speedtest server located in the United States. Additional speedtest hosts distributed in other geographic centers are forthcoming.

"},{"location":"repeater/#discussions","title":"Discussions","text":"

Questions or comments about configuring a WiFi repeater? Join the discussion here.

"},{"location":"restapi/","title":"RestAPI","text":""},{"location":"restapi/#overview","title":"Overview","text":"

Experimental

RaspAP includes support for stateless client-server data exchange via a high performance RESTful API. This allows clients to communicate with the API over HTTP with standard methods such as GET and POST and receive responses in JSON. RaspAP's API is powered by FastAPI, one of the fastest Python frameworks available.

FastAPI makes use of the Uvicorn ASGI web server implementation for Python. This is a minimal, low-level server interface for asynchronous frameworks.

"},{"location":"restapi/#use-cases","title":"Use cases","text":"

A RESTful API operates asynchronously, making it suited for building microservices\u2014small, independent services that function in the context of larger applications. Examples might include a dashboard widget or other integration that consumes JSON data from the API to perform live monitoring of RaspAP's operational state.

Using the API's POST methods (to be announced soon), RaspAP's functions may even be remotely controlled outside of its regular web interface.

"},{"location":"restapi/#installation","title":"Installation","text":"

The RestAPI may be optionally installed by the Quick installer. To install RestAPI support, respond by pressing Enter to accept the default Y option at the following prompt:

RaspAP Install: Configure RestAPI\nInstall and enable RestAPI? [Y/n]:\n

Tip

The RestAPI is enabled by default in RaspAP's Docker container, so if you choose this option there is nothing more for you to do.

The Python language is a requirement for the RestAPI. The Quick installer will detect if Python is not installed on your system and install it for you (Python 3 is installed by default on Raspberry Pi OS). In addition, Python's package manager pip will also be installed. The following Python packages are requirements for the RestAPI:

fastapi\nuvicorn\npsutil\npython-dotenv\n

Note

From Bookworm onwards, packages installed via pip must be installed into a Python Virtual Environment using venv. This has been introduced by the Python community, not by Raspberry Pi; see PEP 668 for more details. The Python modules listed above are installed system-wide with the --break-system-packages flag.

With the software requirements installed, the systemd restapi.service control file will be enabled on your system, as well as the RestAPI management UI:

Moving restapi systemd unit control file to /lib/systemd/system/\nEnabling RestAPI management option\n[ \u2713 ok ]\n

Proceed with the Quick installer and accept the default Y prompt to reboot your system as a final step.

"},{"location":"restapi/#configuration","title":"Configuration","text":"

Following a reboot, the RestAPI service should be up and running. You may check and control its current state by visiting RaspAP's RestAPI administration page. The Status tab will display the operational status of the restapi.service.

"},{"location":"restapi/#generate-an-api-key","title":"Generate an API key","text":"

While the API server is operational, you must generate an API key to authenticate with the service before interacting with it. These steps are described below.

  1. In the API Key field, use the magic icon to generate a 32-character key.
  2. Alternatively, you may create your own key\u2014just be sure it's of a sufficient length and complexity.
  3. Choose Save settings. Your API key is stored in /etc/raspap/api/.env.
  4. Copy your API key to the clipboard for use in the Authorization section.

The restapi.service will be automatically restarted when updating your API key. At this stage, you have a valid API key that may be used to authenticate with the RestAPI. This is described in the next section.

"},{"location":"restapi/#authorization","title":"Authorization","text":"

Now, click or tap the RestAPI docs link to open the documentation in a new window. The API docs are fully interactive, meaning you may test any of the available endpoints and receive a valid server response. Begin by choosing the green Authorize \u00a0 button, shown below:

This will open a dialog where you may enter your API key, which will be passed as an access_token in the HTTP request header. Paste the key you created in the previous step into the \"Value\" text field and choose the Authorize button:

At this stage, the dialog should indicated \"Authorized\". Dismiss the dialog by choosing Close. You may now proceed with testing the API interactively.

"},{"location":"restapi/#testing-endpoints","title":"Testing endpoints","text":"

With authorization done, you may test any of RaspAP's available RestAPI endpoints. Start with the first available /system (Get System) endpoint. Click or tap anywhere in this endpoint's header area and choose the Try it out button. This endpoint takes no parameters, so you may simply use the Execute button to query the API. An example client request and corresponding server response are shown below.

"},{"location":"restapi/#client-requests","title":"Client requests","text":"

Here, we can see a curl GET command with the -H (header) option used to specify the access_token and the API key as the value. The request URL in this example is http://raspberrypi.local:8081/system (yours may differ):

curl -X 'GET' \\\n  'http://raspberrypi.local:8081/system' \\\n  -H 'accept: application/json' \\\n  -H 'access_token: o2eycsnwzacgcukkdkxulmvcva7hou5q'\n
"},{"location":"restapi/#server-responses","title":"Server responses","text":"

The /system API endpoint responds to the above request with several key pieces of data in JSON format:

{\n  \"hostname\": \"raspberrypi\",\n  \"uptime\": \"up 23 hours, 2 minutes\",\n  \"systime\": \"Sun 10 Mar 11:11:11 CET 2024\",\n  \"usedMemory\": 35.46,\n  \"processorCount\": 4,\n  \"LoadAvg1Min\": 0.14,\n  \"systemLoadPercentage\": 3.5,\n  \"systemTemperature\": 46.16,\n  \"hostapdStatus\": 1,\n  \"operatingSystem\": \"Debian GNU/Linux 12 (bookworm)\",\n  \"kernelVersion\": \"6.1.0-rpi4-rpi-v8\",\n  \"rpiRevision\": \"Pi 3 Model B\"\n}\n

The hostapdStatus indicates the current state of the Linux hostapd service, which provides the AP or hotspot. You may copy this data to the clipboard or download it from the test console, if you wish.

"},{"location":"restapi/#systemd-service","title":"Systemd service","text":"

During the RestAPI installation, the Python modules installed by pip are stored in the current user's home directory. For the default pi user in Raspberry Pi OS, this path is /home/pi/.local/bin. In order for the uvicorn module to be found by Python, the systemd service control file specifies the pi user.

If your current user is something other than pi, edit the control file with:

sudo nano /lib/systemd/system/restapi.service\n

Modify the User line to reflect your current user, if necessary:

[Unit]\nDescription=raspap-restapi\nAfter=network.target\n\n[Service]\nUser=pi\nWorkingDirectory=/etc/raspap/api\nLimitNOFILE=4096\nExecStart=/usr/bin/python3 -m uvicorn main:app --host 0.0.0.0 --port 8081\nExecStop=/bin/kill -HUP ${MAINPID}\nRestart=on-failure\nRestartSec=5s\n\n[Install]\nWantedBy=multi-user.target\n

Save and exit the file, then reload the daemon with sudo systemctl daemon-reload.

"},{"location":"restapi/#docker-support","title":"Docker support","text":"

The RestAPI is installed by default in RaspAP's Docker container. This includes configuration of port 8081 used by the server to respond to client requests. Note that the API is also exposed on your system's WAN interface.

"},{"location":"restapi/#troubleshooting","title":"Troubleshooting","text":"

The current status of the restapi.service is available on the RestAPI > Status tab. This is generally the best starting point when diagnosing common problems, such as authorization errors. Note that the service records the most recent API queries, including the requesting IPv4 client address:

raspberrypi python3[3033]: INFO: 192.168.0.102:58844 - \"GET /clients/wlan0 HTTP/1.1\" 200 OK\n

If a remote client is using an invalid API key, for example, this will appear as a 403 Forbidden server response in the Status console. A successful response, like the one above, will return a 200 OK code.

You may also obtain journal entries from the service by executing journalctl -xeu restapi.service from the shell.

"},{"location":"restapi/#discussions","title":"Discussions","text":"

Questions or comments about using the RestAPI? Join the discussion here.

"},{"location":"speedtest/","title":"Speed testing","text":""},{"location":"speedtest/#overview","title":"Overview","text":"

An internet speed test measures the connection speed and quality of your connected device to a remote host. Many speed test services perform multiple consecutive tests that evaluate different aspects of your internet connection, including ping (latency), download and upload speed. A fourth metric, known as jitter, measures variation in the latency of a flow of packets between two systems. Jitter is said to occur when some packets take longer to travel from one system to the other. The most common causes of jitter are network congestion, timing drift and changes in packet routing.

"},{"location":"speedtest/#troubleshooting","title":"Troubleshooting","text":"

Speed tests can be useful in diagnosing many issues, such as a fault with a service provider or a misconfigured device on your network. The speed of your connection may also vary due to factors such as the time of day. This is especially true of places such as educational or work environments where many users may be sharing the same internet connection. Known as a contention ratio, this refers to how many other users are contending for their share of available bandwidth. The higher the contention the more likely you are to experience a slow connection at peak times.

Periodic speed tests can help you identify the best time of day to perform your tasks. They are also useful for sharing diagnostic results with an ISP or network engineer.

"},{"location":"speedtest/#raspaps-speedtest-server","title":"RaspAP's speedtest server","text":"RaspAP Speedtest - https://speedtest.raspap.com/

RaspAP provides a simple, fast and mobile-friendly public speedtest server that evaluates your internet speed using the criteria mentioned above. In addition, it reports your public IP address, ISP and distance from the speedtest server. When the test is complete, you can share the results of your test with a generated image and a link to results.

Importantly, and notably different from other services, RaspAP's Speedtest is completely open source and privacy focused \u2014 meaning we do not share your data with third-parties or attempt to monetize results in any way.

"},{"location":"speedtest/#wifi-speed-test","title":"WiFi speed test","text":"

Experimental \u00b7 Insiders only

A tool to evaluate your local WiFi network's performance is available on the Networking > Diagnostics tab. This permits testing of both local WiFi network throughput (that is, data transferred between the device hosting RaspAP and your wireless clients) and internet speed (data transfer between wireless clients and a remote host). A WiFi speed test is a useful diagnostic tool to determine if connectivity issues are due to your ISP, your wireless connection or an issue with the device hosting your AP.

The WiFi speed test uses a local speedtest instance hosted by your RaspAP installation. The test is performed on a device connected to RaspAP's wireless access point. The remote host is RaspAP's public speedtest server located in the United States. Additional speedtest hosts distributed in other geographic centers are forthcoming.

"},{"location":"speedtest/#discussions","title":"Discussions","text":"

Questions or comments about RaspAP's speed test? Join the discussion here.

"},{"location":"ssl/","title":"SSL certificates","text":""},{"location":"ssl/#overview","title":"Overview","text":"

HTTPS prevents network attackers from observing or injecting page contents. This is desirable for server applications like RaspAP \u2014 or indeed any locally hosted web application. But HTTPS requires TLS certificates, and while deploying public websites is largely a solved issue thanks to the ACME protocol and Let's Encrypt, local web servers still mostly use HTTP because no one can get a universally valid certificate for localhost.

"},{"location":"ssl/#locally-trusted-certificates","title":"Locally trusted certificates","text":"

Managing your own Certificate Authority (CA) is the best solution, but this usually requires an involved manual setup routine. An excellent solution for local websites is mkcert. This is a zero-config tool for making locally-trusted certificates with any name you like. mkcert automatically creates and installs a local CA in the system root store and generates locally-trusted certificates. It also works perfectly well with RaspAP. This allows you to generate a trusted certificate for a hostname (for example, raspap.local) or IP address because it only works for you.

Here's the twist: it doesn't generate self-signed certificates, but certificates signed by your own private CA. This tool does not automatically configure servers or mobile clients to use the certificates, though \u2014 that's up to you. These steps are covered in detail below.

Read more about mkcert here and follow the project on GitHub.

"},{"location":"ssl/#creating-a-certificate","title":"Creating a certificate","text":"

There are two options to go about creating a self-signed certificate with mkcert: 1) manually, or 2) with the Quick installer. Both methods are described below.

"},{"location":"ssl/#manual-steps","title":"Manual steps","text":"

Follow the steps below to generate and install a locally-trusted certificate for RaspAP. The local domain raspap.local is used in the examples below. You may substitute this with the default raspberrypi.local or your own hostname.

Tip

If you've changed your hostname prior to starting this process, be sure to reboot your device for the change to take effect.

Start by installing the pre-built binary for Arch Linux ARM on your Raspberry Pi:

sudo wget https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm -O /usr/local/bin/mkcert\nsudo chmod +x /usr/local/bin/mkcert\nmkcert -install\n
You should see output like the following:
Using the local CA at \"/home/pi/.local/share/mkcert\" \u2728\nThe local CA is now installed in the system trust store! \u26a1\ufe0f\n
Generate a certificate for raspap.local:
cd /home/pi\nmkcert raspap.local \"*.raspap.local\" raspap.local\n
You should see output like the following:
Using the local CA at \"/home/pi/.local/share/mkcert\" \u2728\n\nCreated a new certificate valid for the following names \ud83d\udcdc\n - \"raspap.local\"\n - \"*.raspap.local\"\n - \"raspap.local\"\n\nReminder: X.509 wildcards only go one level deep, so this won't match a.b.raspap.local \u2139\ufe0f\nThe certificate is at \"./raspap.local+2.pem\" and the key at \"./raspap.local+2-key.pem\" \u2705\n
Next, combine the private key and certificate:
cat raspap.local+2-key.pem raspap.local+2.pem > raspap.local.pem\n
Create a directory for the combined .pem file in lighttpd:
sudo mkdir /etc/lighttpd/ssl\n
Set permissions and move the .pem file:
chmod 400 /home/pi/raspap.local.pem\nsudo mv /home/pi/raspap.local.pem /etc/lighttpd/ssl\n
Edit the lighttpd configuration with sudo nano /etc/lighttpd/lighttpd.conf. Add the following block to enable SSL with your new certificate:

server.modules += (\"mod_openssl\")\n$SERVER[\"socket\"] == \":443\" {\n  ssl.engine = \"enable\"\n  ssl.pemfile = \"/etc/lighttpd/ssl/raspap.local.pem\"\n  ssl.ca-file = \"/home/pi/.local/share/mkcert/rootCA.pem\"\n  server.name = \"raspap.local\"\n  server.document-root = \"/var/www/html\"\n}\n

Optionally, you can redirect all HTTP requests to HTTPS like so:

$SERVER[\"socket\"] == \":80\" {\n  $HTTP[\"host\"] =~ \"(.*)\" {\n    url.redirect = ( \"^/(.*)\" => \"https://%1/$1\" )\n  }\n}\n
Save your changes and quit out of the editor with Ctrl+X followed by Y and finally Enter.

Restart the lighttpd service:

sudo systemctl restart lighttpd\n
Verify that lighttpd has restarted without errors:
sudo systemctl status lighttpd\n
You should see a response like the following:
\u25cf lighttpd.service - Lighttpd Daemon\n     Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)\n     Active: active (running) since Sun 2023-03-26 10:09:46 CEST; 5 days ago\n   Main PID: 1080 (lighttpd)\n      Tasks: 6 (limit: 779)\n        CPU: 5min 17.332s\n     CGroup: /system.slice/lighttpd.service\n             \u251c\u25001080 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf\n             \u251c\u25001168 /usr/bin/php-cgi\n             \u251c\u25001185 /usr/bin/php-cgi\n             \u251c\u25001186 /usr/bin/php-cgi\n             \u251c\u25001187 /usr/bin/php-cgi\n             \u2514\u25001188 /usr/bin/php-cgi\n\nMar 30 18:23:38 raspap lighttpd[1433]: Syntax OK\nMar 30 18:23:38 raspap systemd[1]: Started Lighttpd Daemon.\n
Now, copy rootCA.pem to your lighttpd web root:
sudo cp /home/pi/.local/share/mkcert/rootCA.pem /var/www/html\n

Important

Do not share the rootCA-key.pem file.

Finish by following the client configuration steps below.

"},{"location":"ssl/#quick-installer","title":"Quick installer","text":"

The Quick Installer may also be used to generate SSL certs with mkcert. The installer automates the manual steps described above, including configuring lighttpd with SSL support. It's recommended to review these steps to have an idea of what is happening behind the scenes.

Invoke the Quick installer and specify the -c or --cert option, like so:

curl -sL https://install.raspap.com | bash -s -- --cert\n

Note

Executing the Quick installer only installs mkcert and generates an SSL certificate with the input you provide. It does not (re)install RaspAP.

The installer will walk you through the steps of creating a certificate. Complete the installation by following the client configuration steps below.

"},{"location":"ssl/#client-configuration","title":"Client configuration","text":"

Open a browser and enter the following address, substituting the domain name you chose in the steps above: http://raspap.local/rootCA.pem. Download the root certificate to your client and add it to your system keychain. Examples below illustrate this process on macOS:

Be sure to set this certificate to \"Always trust\" to avoid browser warnings.

Finally, enter the address https://raspap.local in your browser. Enjoy an encrypted SSL connection to RaspAP.

"},{"location":"ssl/#mobile-devices","title":"Mobile devices","text":"

For the certificates to be trusted on mobile devices and remote clients, you will have to install the root CA using the method described above. Alternatively, on iOS, you can either use AirDrop or email the CA to yourself. After installing it, be sure to enable full trust.

More advanced topics are covered at mkcert.

"},{"location":"ssl/#discussions","title":"Discussions","text":"

Questions or comments about using SSL certificates? Join the discussion here.

"},{"location":"translations/","title":"Translations","text":""},{"location":"translations/#overview","title":"Overview","text":"

Owing to its utility and low cost, the Raspberry Pi's reach extends to all corners of the globe. As our way of honoring this, we've made an effort to support internationalization (often abbreviated i18n) with RaspAP. Given the response from this issue it became obvious that translations are something that the community both wanted and were willing to contribute to.

"},{"location":"translations/#about-locales","title":"About locales","text":"

On Linux systems, GNU's Gettext provides a standardized way of managing multi-lingual messages. In order for Gettext to work with different languages, you must configure a language package on your RPi corresponding to one of our supported translations.

To list languages currently installed on your system, use locale -a at the shell prompt. On a fresh install of Raspbian, this should return a list like the one below:

$ locale -a\nC\nC.UTF-8\nen_GB.utf8\nPOSIX\n

To generate new locales, run sudo dpkg-reconfigure locales and select any other desired locales. Here is a useful list of ISO 639 language codes. Important: be sure to select UTF-8 as this is the preferred encoding.

For example, on an RPi with many locales installed, locale -a would output something like this:

$ locale -a\nC           # fall-back, ASCII encoding, same as POSIX\nde_DE.utf8      # German language,     Germany,     UTF-8 encoding\nfr_FR.utf8      # French language,     France,      UTF-8 encoding\nit_IT.utf8      # Italian language,    Italy,       UTF-8 encoding\nja_JP.utf8      # Japanese language,   Japan,       UTF-8 encoding\nen_GB.utf8      # English language,    GB,          UTF-8 encoding\nen_US.utf8      # English language,    USA,         UTF-8 encoding\npt_BR.utf8      # Portuguese language, Brazil,      UTF-8 encoding\nPOSIX           # fall-back, ASCII encoding, same as C\n

Once you've configured a locale on your system, RaspAP will read the HTTP_ACCEPT_LANGUAGE string and use this to load your desired language in the UI. Alternatively, you can also select a different language from the Language tab in the System menu.

Important: If you configured a new locale after installing RaspAP, you must restart lighttpd for the changes to take effect:

sudo systemctl restart lighttpd.service\n
"},{"location":"translations/#supported-languages","title":"Supported languages","text":"

The following translations are currently maintained by the project:

Language Locale Deutsch de_DE.UTF-8 Dansk da_DK.UTF-8 Fran\u00e7ais fr_FR.UTF-8 Italiano it_IT.UTF-8 Portugu\u00eas pt_BR.UTF-8 Svenska sv_SE.UTF-8 Nederlands nl_NL.UTF-8 \u6b63\u9ad4\u4e2d\u6587 (Chinese traditional) zh_TW.UTF-8 \u7b80\u4f53\u4e2d\u6587 (Chinese simplified) zh_CN.UTF-8 Indonesian id_ID.UTF-8 \ud55c\uad6d\uc5b4 (Korean) ko_KR.UTF-8 \u65e5\u672c\u8a9e (Japanese) ja_JP.UTF-8 Ti\u1ebfng Vi\u1ec7t vi_VN.UTF-8 \u010ce\u0161tina cs_CZ.UTF-8 \u0420\u0443\u0441\u0441\u043a\u0438\u0439 ru_RU.UTF-8 Polskie pl_PL.UTF-8 Rom\u00e2n\u0103 ro_RO.UTF-8 Espa\u00f1ol es_MX.UTF-8 Finnish fi_FI.UTF-8 T\u00fcrk\u00e7e tr_TR.UTF-8 \u03b5\u03bb\u03bb\u03b7\u03bd\u03b9\u03ba\u03cc el_GR.UTF-8

We are certainly not limited to the above. If you are willing and able to translate RaspAP in your language, you will be credited as the original translator.

"},{"location":"translations/#contributing-to-a-translation","title":"Contributing to a translation","text":"

RaspAP now has a translation project home at Crowdin. This is the place to go for all volunteers who would like to contribute to our ongoing translation efforts.

"},{"location":"translations/#how-to-become-a-translator","title":"How to become a translator","text":"

The process is very straightforward. Start by signing up for a free account at Crowdin. Once you are logged in, head over to our project home.

Here you will find our supported translations, recent activity, discussions and so on. You can get started by simply choosing the language you'd like to contribute to. For more info, see Crowdin's detailed walkthrough of the translation process.

"},{"location":"translations/#discussions","title":"Discussions","text":"

Questions or comments about RaspAP's translations? Join the discussion here.

"},{"location":"wireguard/","title":"WireGuard","text":""},{"location":"wireguard/#overview","title":"Overview","text":"

WireGuard\u00ae is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be considerably more performant than OpenVPN, and is generally regarded as the most secure, easiest to use, and simplest VPN solution for modern Linux distributions.

WireGuard may be optionally installed by the Quick Installer. Once this is done, you can manage both local and remote server settings, create a peer configuration and control the wg-quick service with RaspAP.

"},{"location":"wireguard/#securing-your-wireless-network","title":"Securing your wireless network","text":"

RaspAP gives you two ways to create a secure WireGuard tunnel: 1) by uploading a .conf file from your VPN provider, or 2) by creating a manual configuration. Each method is described and demonstrated with a short video below.

"},{"location":"wireguard/#file-upload","title":"File upload","text":"

This method may be used if you are using a commerical WireGuard VPN provider, a self-hosted or other remote WG server. In these cases, it's assumed you have an existing WireGuard .conf file and wish to upload this to RaspAP.

Note

The term \"server\" is used here as a convenience. WireGuard does not make a distinction between client and server roles. Instead, each node is considered a \"peer\" in a WireGuard network.

To do this, select the Upload file option under Configuration Method, select a valid WireGuard configuration file and choose Save settings. If your .conf file does not contain iptables PostUp or PostDown rules and you wish to route traffic through the active AP interface, select the Apply iptables rules for AP interface option before uploading your configuration file.

Attention

For security reasons, your WireGuard .conf file must have a Linux MIME type of text/plain. Windows ignores MIME types, relying instead on extensions. To avoid errors, be sure your file has a text/plain MIME type embedded in it before uploading.

The complete process of creating a WireGuard configuration with Mullvad and activating it with RaspAP is demonstrated in the video below.

It should be noted that RaspAP has no affiliation whatsoever with Mullvad. In fact, Mullvad does not use affiliates or pay for reviews. Members of RaspAP's Insiders community have requested support for this VPN provider.

"},{"location":"wireguard/#starting-wireguard","title":"Starting WireGuard","text":"

RaspAP will handle uploading your .conf file and, optionally, applying any iptables rules. To enable the tunnel, choose Start WireGuard. The WireGuard protocol is extremely fast, so in most cases your new public IPv4 address will be indicated almost immediately. Click or tap the icon to open a new window with details about your public IP.

"},{"location":"wireguard/#verifying-client-connections","title":"Verifying client connections","text":"

If you have chosen to route traffic from the wg0 interface to the AP interface, you may verify that your clients are secured by the WireGuard VPN. Start by connecting a client to your AP while WireGuard is enabled. Again, using Mullvad as an example, visit their connection check page on your client device. If the tunnel is working correctly, you should see a result like the following:

If any of the above checks fail, enable WireGuard service logging in RaspAP and check the output. You may also consult your VPN provider's support.

"},{"location":"wireguard/#ipv6-considerations","title":"IPv6 considerations","text":"

RaspAP currently handles routing of IPv4 traffic only. For this reason, WireGuard server connections and traffic tunneled on IPv6 are incompatible. The solution is to specify IPv4 in your WireGuard VPN provider's advanced options (Mullvad is shown below):

Alternatively, open your .conf file in a text editor and ensure that the Address and AllowedIPs settings use IPv4 addresses only, like so:

[Interface]\nPrivateKey = \u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\nAddress = 10.64.171.100/32\nDNS = 193.138.218.74\n\n[Peer]\nPublicKey = /pS3lXg1jTJ7I58GD/s/4GNL2B0U8JNbjbH9Ddh0myw=\nAllowedIPs = 0.0.0.0/0\nEndpoint = 185.254.75.3:51820\n

When this is done, you are ready to upload your configuration to RaspAP.

"},{"location":"wireguard/#manual-configuration","title":"Manual configuration","text":"

Alternatively, RaspAP gives you full control over creating a manual WireGuard configuration. This method is useful if you wish to secure your local wireless network\u2014that is, between your device running RaspAP and the clients connected to it.

WireGuard requires a public and private keypair for each device you wish to have access to the VPN tunnel. RaspAP simplifies this process with a magic button associated with each public key input field. Simply click or tap this button to securely generate a cryptographic keypair for both the server and peer.

Several default values are provided for you as a starting point. These are intended to get a VPN tunnel up and running quickly. They may be modified to suit your needs.

After the keypairs are generated, simply choose Save settings followed by Start WireGuard.

The video walkthrough below illustrates the steps of configuring a WireGuard tunnel from start to finish.

Your browser does not support the video tag.

Due to WireGuard\u2019s design, both computers on either end of the VPN tunnel will need to have each other's public key. This is discussed below.

Note

For security reasons, the local (server) private key is not displayed in the UI. The peer private key is encoded in the QR code and available to download in the client.conf file.

If you wish to regenerate local or peer keypairs (or both), simply tap or click the magic button and choose Save settings. Alternatively, to remove a server or peer configuration entirely, disable the desired toggle and Save settings. This will delete the public/private keypair and the associated configuration.

"},{"location":"wireguard/#peer-configuration","title":"Peer configuration","text":"

RaspAP processes the values in the WireGuard Settings and Peer tabs and creates two configurations for you: wg0.conf and client.conf. The former is used to configure the local (server) side of the VPN tunnel. The latter peer configuration is generated as a QR code on the Peer tab. Clients such as mobile devices may scan the QR code to transfer client.conf and import it into an associated WireGuard client application.

Note

For this experimental release, a single peer configuration may be created. The ability to manage multiple peer configurations is on the project roadmap.

Your peer will need to have WireGuard installed as well. For installing WireGuard on other systems, please see Wireguard's website.

"},{"location":"wireguard/#tunneling-traffic","title":"Tunneling traffic","text":"

RaspAP uses WireGuard's PostUp and PostDown firewall rules to forward traffic from the wg0 interface to your configured wireless interface. In the example below, the default AP interface wlan0 is used:

iptables -A FORWARD -i wlan0 -o wg0 -j ACCEPT\niptables -A FORWARD -i wg0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT\niptables -t nat -A  POSTROUTING -o wg0 -j MASQUERADE\n

These iptables rules are defined in WireGuard's default settings and may be modified if you wish.

Note

If your VPN server is behind a NAT, you will need to open a UDP port of your choosing (51820 is the default).

"},{"location":"wireguard/#kill-switch","title":"Kill switch","text":"

Experimental \u00b7 Insiders only

In the event that the WireGuard tunnel accidentally goes down, unencrypted traffic may reveal your real IP address. To prevent this from happening, additional PostUp and PreDown rules may be added to the firewall. Simply choose the Enable kill switch option when uploading your WireGuard configuration:

These rules are automatically appended to your configuration.

Note

Some VPN providers give you the option of adding these rules to their Linux configurations. Skip this option as RaspAP needs to add an exclusion rule for your AP interface.

"},{"location":"wireguard/#multiple-configs","title":"Multiple configs","text":"

Experimental \u00b7 Insiders only

RaspAP lets you manage multiple WireGuard configurations. This includes the ability to upload, activate and delete any number of valid wg .conf files. Select the Apply iptables rules for AP interface option when uploading your .conf file to automatically route traffic to connected peers on the AP interface.

Thereafter, switching between your saved configurations is done by simply activating the desired profile. Activating a profile will restart the wg-quick service automatically. Additionally, WireGuard service activity may be tracked on the Logging tab.

"},{"location":"wireguard/#low-overhead","title":"Low overhead","text":"

Due to its low overhead compared with OpenVPN, WireGuard is well-suited for applications where battery longevity is a concern. As described by its developer, WireGuard isn't a chatty protocol. For the most part, it only transmits data when a peer wishes to send packets. When it's not being asked to send packets, it stops sending packets until it is asked again.

As a result, your wireless adapter has a higher likelihood of being able to idle down, which leads to better battery life.

"},{"location":"wireguard/#troubleshooting","title":"Troubleshooting","text":"

See the FAQ section for WireGuard.

"},{"location":"wireguard/#discussions","title":"Discussions","text":"

Questions or comments about using WireGuard? Join the discussion here.

"},{"location":"wlanrouting/","title":"Wireless LAN routing","text":""},{"location":"wlanrouting/#overview","title":"Overview","text":"

Experimental \u00b7 Insiders only

RaspAP is often used to share internet from an Ethernet connection or other network device through a wireless access point (AP), or act as a wireless repeater. However, in certain scenarios, it can be extremely useful to share internet from a wireless LAN (WLAN) with clients connected via an Ethernet or USB-Ethernet connection. Many RaspAP users have requested this functionality, so an easy-to-use solution was developed to fulfill this need.

"},{"location":"wlanrouting/#solution","title":"Solution","text":"

To create this setup, the target interface must be configured with a static IP address and have DHCP enabled. This is similar to how RaspAP's default wireless access point is configured. To simplify this process, RaspAP uses predefined subnets for the eth0 and predictable enx interfaces. The relevant portions of this configuration are shown below:

\"dhcp\": {\n    ...\n    \"eth0\": {\n      \"static ip_address\": [ \"192.168.55.1/24\" ],\n      \"static routers\": [ \"192.168.55.1\" ],\n      \"static domain_name_server\": [ \"1.1.1.1 8.8.8.8\" ],\n      \"subnetmask\": [ \"255.255.255.0\" ]\n    },\n    \"enx\": {\n      \"static ip_address\": [ \"192.168.60.1/24\" ],\n      \"static routers\": [ \"192.168.60.1\" ],\n      \"static domain_name_server\": [ \"1.1.1.1 8.8.8.8\" ],\n      \"subnetmask\": [ \"255.255.255.0\" ]\n    }\n
\"dnsmasq\": {\n    ...\n    \"eth0\": {\n      \"dhcp-range\": [ \"192.168.55.50,192.168.55.150,12h\" ]\n    },\n    \"enx\": {\n      \"dhcp-range\": [ \"192.168.60.50,192.168.60.150,12h\" ]\n    }\n  }\n

These default settings are applied automatically, however you may modify them as you wish from the DHCP Server administration page.

In addition to these settings, Network Address Translation (NAT) rules must be applied to enable packet routing between the desired interfaces. These iptables rules also need to be added when the connection is active, and removed when the connection is deactivated. This is roughly analogous to how WireGuard's PostUp and PostDown rules function.

"},{"location":"wlanrouting/#steps-to-enable-wlan-routing","title":"Steps to enable WLAN routing","text":""},{"location":"wlanrouting/#configure-wireless-client","title":"Configure wireless client","text":"

To create this configuration, begin by configuring your device as a wireless client, or station, with RaspAP's WiFi client page or by preconfiguring your OS for wireless LAN operation. Optionally, connect an external wireless adapter to an available USB port.

"},{"location":"wlanrouting/#check-wireless-connectivity","title":"Check wireless connectivity","text":"

Ensure that you have a stable wireless connection to your router. The Wireless Client widget on RaspAP's dashboard will indicate its status and link quality.

"},{"location":"wlanrouting/#attach-ethernet-or-usb-ethernet-adapter","title":"Attach Ethernet or USB-Ethernet adapter","text":"

Next, attach an Ethernet cable or a USB-Ethernet adapter to an available port, and connect a device you wish to provide internet connectivity to. This could be a laptop, hub or other Ethernet-capable network device. This device will typically be assigned a network interface name by the operating system, such as eth0 or eth1. If your system is configured to use predictable interface names, it may incorporate the interfaces's MAC address (for example, enx78e7d1ea46da).

Verify your attached device by checking the output on RaspAP's Networking > Summary tab.

Tip

Many USB-Ethernet adapters are available at low cost. If you choose this option, buy one from a reputable brand. When in doubt, verify your adapter by testing it with a laptop or other device. Note that a regular USB cable, rather than a USB-Ethernet adapter, is not designed for direct Ethernet communication.

"},{"location":"wlanrouting/#configure-raspaps-settings","title":"Configure RaspAP's settings","text":"

Now, from RaspAP's Networking > WLAN Routing tab, choose your wireless client interface and output interface (typically, eth0 or enx). Select the \"Configure a static IP address and DHCP for output interface\" option toggle, choose Save settings and lastly Start WLAN routing.

A system configured with predictable interface names is shown, above.

Note

If a wireless client connection is not detected on your system, it will be indicated as \"not configured\" in the interface. The Start WLAN routing button will also be disabled until an active wireless client connection is present.

"},{"location":"wlanrouting/#check-ethernet-connectivity","title":"Check ethernet connectivity","text":"

Finally, confirm internet connectivity on your Ethernet-equipped client device. Optionally, you may wish to perform a speed test. If you want to stop wireless LAN routing, simply choose Stop WLAN routing. The iptables NAT rules added by RaspAP will be removed from your system. The associated DHCP and dnsmasq configurations will be removed as well.

Tip

RaspAP's default subnets are added for convenience. If you wish to create a custom configuration for your clients, you may do so from the DHCP Server page. Be sure to Save settings and restart dsnmasq to apply your changes. If your interface is named something other than eth0 or enx you must create your own DHCP configuration.

"},{"location":"wlanrouting/#troubleshooting","title":"Troubleshooting","text":"

If clients do not have internet connectivity, ensure that the attached Ethernet device appears on the Networking > Summary tab. Faulty Ethernet cables and USB-Ethernet adapters are common culprits.

Be sure that you've selected the option to configure a static IP address and DHCP for the output interface on the Networking > WLAN Routing tab. If you've configured your own subnet for this purpose, ensure that the settings are correct on the DHCP server page and that the dnsmasq service was restarted after saving them.

Finally, while wireless LAN routing is active, you may confirm that the iptables NAT rules are active by executing the following:

sudo iptables -t nat -L -v\n

This should output the POSTROUTING, MASQUERADE and FORWARD rules for the interfaces you've selected. If not, confirm that this option is active on the Networking > WLAN Routing tab, then choose Restart WLAN routing.

"},{"location":"wlanrouting/#discussions","title":"Discussions","text":"

Questions or comments about using wireless LAN routing? Join the discussion here.

"}]} \ No newline at end of file +{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Overview","text":"

Simple AP setup & WiFi management for Debian-based devices

"},{"location":"#about","title":"About","text":"

RaspAP is feature-rich wireless router software that just works on many popular Debian-based devices, including the Raspberry Pi. Our popular Quick installer and Docker container create a known-good default configuration in minutes on all current Raspberry Pis with onboard wireless.

"},{"location":"#quick-start","title":"Quick start","text":"

Start with a clean install of the latest release of Raspberry Pi OS Lite. Both the 32- and 64-bit release versions are supported, as well as the latest 64-bit Desktop distribution. Consult this FAQ before installing RaspAP in a desktop environment.

Tip

Be sure to use an official power supply with your device. Power supply requirements differ by Raspberry Pi model. Inadequate voltage is the source of many WiFi issues.

Update RPi OS to its latest version, including the kernel and firmware, followed by a reboot:

sudo apt-get update\nsudo apt-get full-upgrade\nsudo reboot\n
Set the WiFi country in raspi-config's Localisation Options: sudo raspi-config.

Important

Failure to perform this step will prevent the RPi from enabling wireless operation. When this happens, you will see the warning Wi-Fi is currently blocked by rfkill in the console.

Install RaspAP from your device's shell prompt:

curl -sL https://install.raspap.com | bash\n
The Quick installer will complete the steps in the manual installation for you.

After the reboot at the end of the installation the wireless AP network will be configured as follows:

IP address: 10.3.141.1 Username: admin Password: secret DHCP range: 10.3.141.50 to 10.3.141.254 SSID: raspi-webgui Password: ChangeMe

It's strongly recommended that your first post-install action is to change the default admin authentication settings. Thereafter, your AP's basic settings and many advanced options are now ready to be modified by RaspAP.

Tip

If this is not a clean install or you are configuring a device with a non-standard integration try following the manual installation instructions or deploy RaspAP in a Docker container.

"},{"location":"#get-insiders","title":"Get Insiders","text":"

RaspAP is free software, but powered by your support. If you find RaspAP useful for your personal or commercial projects, become a sponsor and get access to exclusive features in the Insiders Edition.

"},{"location":"#compatible-operating-systems","title":"Compatible operating systems","text":"

RaspAP was originally made for Raspbian, but now also installs on the following Debian-based distros.

Distribution Release Architecture Support Raspberry Pi OS (64-bit) Lite Bookworm ARM Official Raspberry Pi OS (32-bit) Lite Bookworm ARM Official Raspberry Pi OS (64-bit) Desktop Bookworm ARM Official Raspberry Pi OS (64-bit) Lite Bullseye ARM Official Raspberry Pi OS (32-bit) Lite Bullseye ARM Official Armbian 23.11 (Jammy) ARM Beta Debian Bookworm ARM / x86_64 Beta Ubuntu Server 23.04 (Lunar) ARM / x86_64 Beta

You are also encouraged to use RaspAP's community-led Docker container.

Please note that \"supported\" is not a guarantee. If you are able to improve support for your preferred distro, we encourage you to actively contribute to the project.

"},{"location":"#get-involved","title":"Get involved","text":"

We welcome all users of RaspAP to contribute to the project. This can take the form of issue reports, discussions, or pull requests. Developers can get started by following these steps:

  1. Fork the project in your account and create a new branch: your-great-feature.
  2. Open an issue in the repository describing the feature contribution you'd like to make.
  3. Commit changes in your feature branch.
  4. Open a pull request and reference the initial issue in the pull request message.

Find out more about our coding style guidelines and recommended tools.

"},{"location":"#discussions","title":"Discussions","text":"

Questions or comments about the Quick start? Join the discussion here.

"},{"location":"adblock/","title":"Ad blocking","text":"

RaspAP has introduced a new DNS based filter to stop ads, trackers, malware and other undesirable hosts in their tracks.

In the best of times, ads are usually just annoying. When access to online services served by our AP is hampered by ads, malware and trackers, the best tool in our arsenal is DNS blacklisting. RaspAP already uses dnsmasq to manage both DHCP and DNS, so we have the foundation for a highly effective ad blocking facility.

"},{"location":"adblock/#quick-installer","title":"Quick installer","text":"

To install ad blocking with DNS blacklists, simply respond with Y or press Enter when prompted by the installer:

Install ad blocking and enable list management? [Y/n]\n

The installer will download the blocklists, configure RaspAP to use them and enable the Ad blocking management page.

Ad blocking is enabled and active for clients connected to your AP. You may update the blocklists or disable ad blocking with the management page. These actions are described below.

"},{"location":"adblock/#manual-installation","title":"Manual installation","text":"

Ad blocking may also be installed manually. Refer to the detailed installation steps.

"},{"location":"adblock/#blocklist-sources","title":"Blocklist sources","text":"

Blocklists are sourced from multiple, continuously updated open source projects. These are divided into two groups: hosts and domain blocklists. By default, RaspAP's ad block facility uses StevenBlack's hosts as the primary hosts blocklist. This repository is a hosts file aggregator that consolidates several reputable hosts files and merges them into a unified, optimized hosts file with duplicates removed.

Alternatively, users may choose from a number of host blocklist sources maintained by the badmojr/1Hosts GitHub project. These lists are compiled daily into Mini, Lite, Pro and Xtra versions depending on specific user needs. Refer to the GitHub project for an explanation of these different blocklists.

In addition to blocking hosts, domain blocking gives us the ability to use wildcards with dnsmasq to block an entire domain (for example, baddomain.org) with a single rule. This includes all known and unknown subdomains, such as *.baddomain.org. Domain blocklists are provided by the OISD project. Similar to hosts lists, these are continuously updated and curated into several lists: Small, Big and NSFW. Refer to the OISD project for an explanation of these lists.

"},{"location":"adblock/#updating-lists","title":"Updating lists","text":"

Each of the hosts and domains blocklists are updated daily, so it's a good practice to refresh them periodically. You can do this from the Ad Blocking management page in RaspAP. Simply select the list from the dropdown and choose Update now.

Next to the update button, a gear icon will appear to indicate that the selected list is being downloaded. Thereafter, a timestamp after each list will indicate when it was last updated.

Note

To apply the latest blocklists, be sure to Restart Ad Blocking.

"},{"location":"adblock/#automatic-updates","title":"Automatic updates","text":"

Alternatively, you may wish to automate the process of keeping the ad block source lists up-to-date. A method to achieve this is described in this FAQ.

"},{"location":"adblock/#custom-blocklist","title":"Custom blocklist","text":"

In addition to the notracking blocklists, you may create your own host blocklist by adding entries on the Custom blocklist tab. Define custom hosts to be blocked by entering an IPv4 or IPv6 address followed by any whitespace (spaces or tabs) and the host name. An IPv4 example would take the form 0.0.0.0 badhost.com. Choose Save settings and Restart Ad Blocking.

Note

As the name suggests, this is effective at blocking individual hosts, but not entire domains (or subdomains).

"},{"location":"adblock/#enabling-logging","title":"Enabling logging","text":"

By default, DNS logging is disabled. If you'd like to see which hosts are being blocked, enable it on the DHCP Server > Logging tab by selecting the Log DNS queries toggle. Save settings and Restart Ad Blocking. The Logging tab on the Ad Blocking page will display blacklisted DNS queries with host addresses of 0.0.0.0. A sample of blocked ad/tracker requests is below.

dnsmasq[9633]: config static.ads-twitter.com is 0.0.0.0\ndnsmasq[9633]: config tag.bounceexchange.com is 0.0.0.0\ndnsmasq[9633]: config cdn.boomtrain.com is 0.0.0.0\ndnsmasq[9633]: config securepubads.g.doubleclick.net is 0.0.0.0\ndnsmasq[9633]: config c.amazon-adsystem.com is 0.0.0.0\ndnsmasq[9633]: config pixel.adsafeprotected.com is 0.0.0.0\ndnsmasq[9633]: config ad.doubleclick.net is 0.0.0.0\ndnsmasq[9633]: config www.summerhamster.com is 0.0.0.0\ndnsmasq[9633]: config c2.taboola.com is 0.0.0.0\ndnsmasq[9633]: config ads.servebom.com is 0.0.0.0\ndnsmasq[9633]: config s.cpx.to is 0.0.0.0\ndnsmasq[9633]: config pixel.quantserve.com is 0.0.0.0\ndnsmasq[9633]: config cdn.taboola.com is 0.0.0.0\ndnsmasq[9633]: config sdk.iad-01.braze.com is 0.0.0.0\n
"},{"location":"adblock/#disabling-ad-block","title":"Disabling ad block","text":"

To disable the ad blocking service, slide the Enable blocklists toggle to its off position, then choose Save settings. You may then restart your hotspot for the changes to take effect.

"},{"location":"adblock/#about-blocklist-policies","title":"About blocklist policies","text":"

The blocklist sources chosen for RaspAP adhere to these policies:

Users may tailor RaspAP's ad blocking to suit their needs by selecting from multiple blocklist sources. Furthermore, domain blocklists enable full use of domain name based wildcard filtering (for example, *.baddomain.org). This reduces the chance of missing any new subdomains and significantly reduces the size of the blocklists.

"},{"location":"adblock/#discussions","title":"Discussions","text":"

Questions or comments about using Ad blocking? Join the discussion here.

"},{"location":"ap-basics/","title":"Access point settings","text":""},{"location":"ap-basics/#basics","title":"Basics","text":"

After running the Quick installer, Docker setup or following the manual installation steps, RaspAP will start up a routed wireless access point (AP) with a default configuration. As part of this initial setup, the hostapd service broadcasts an AP with the following settings:

Interface: wlan0 SSID: raspi-webgui Wireless Mode: 802.11n - 2.4GHz Channel: 1 Security Type: WPA2 Encryption Type: CCMP Passphrase: ChangeMe

Each of these settings may be changed on the Hotspot > Basic and Security tabs to any values you wish. Your changes will be applied and made visible on the broadcasted AP by choosing Save settings followed by Restart hotspot.

At this point, a dialog will appear to indicate the progress of the RaspAP service. This is a Linux systemd process that is responsible for starting up several network services in a specific order and timing.

"},{"location":"ap-basics/#connecting-clients","title":"Connecting clients","text":"

When the AP is operational, you may connect clients to it by using one of two methods:

  1. Select the SSID from the list of available networks on your device and enter the passphrase.
  2. Scan the QR code displayed on the Hotspot > Security tab and join the AP.

By default, clients are assigned IP addresses from the DHCP range 10.3.141.50 \u2014 10.3.141.254. These values may be changed in the DHCP options section of the DHCP server settings UI. If for some reason a client is unable to obtain an IP address from your AP, consult this FAQ.

"},{"location":"ap-basics/#80211ac-5-ghz","title":"802.11ac 5 GHz","text":"

For devices with compatible wireless hardware, RaspAP version 3.0 largely removes the guesswork in creating a 5 GHz access point. It achieves this by being tightly integrated with the wireless regulatory database used by the Linux kernel. Behind the scenes, RaspAP queries iw and intelligently matches its output with the 5 GHz channels allowed by hostapd, the user space daemon access point software.

From the Hotspot > Advanced tab, select your country from the dropdown then choose Save settings. This sets the wireless regulatory domain for your device. Now, on the Hotspot > Basic tab choose an interface and select the 802.11ac - 5 GHz wireless mode option. RaspAP will automatically populate the available 5 GHz channels for your country. Select a channel followed by Save settings, then Start or Restart hotspot.

Tip

Not all AC channels may be compatible with your hardware. If your hotspot fails to start, enable hostapd service logging by sliding the Logfile output toggle on the Hotspot > Logging tab, followed by Save settings, then Restart hotspot. See this FAQ for more assistance.

If the Channel dropdown and Save settings button are disabled, refer to this FAQ.

"},{"location":"ap-basics/#security-settings","title":"Security settings","text":"

WPA2 is currently the most secure standard utilizing AES (Advanced Encryption Standard) and a pre-shared key for authentication. WPA2 is also backwards compatible with TKIP to allow interoperability with legacy devices. AES uses the CCMP encryption protocol which is a stronger algorithm for message integrity and confidentiality.

By default, RaspAP's access point is configured with WPA2 and CCMP encryption. You may of course change this to allow legacy clients (older mobile devices, for example) by selecting TKIP+CCMP as the encryption type. Choose Save settings and Restart hotspot for your changes to take effect.

"},{"location":"ap-basics/#wpa3-personal","title":"WPA3-Personal","text":"

Experimental \u00b7 Insiders only

WPA3 is an improved encryption standard, thanks to Simultaneous Authentication of Equals (SAE) which replaces the Pre-Shared Key (PSK) authentication method used in prior WPA versions. WPA3-Personal allows for better password-based authentication even when using simple passphrases. In general, WPA3-Personal networks with simple passphrases are more difficult to crack by using brute-force, dictionary-based methods, as with WPA/WPA2.

WPA3 also requires the use of Protected Management Frames (PMFs) to increase network security. If you wish to connect AP clients that may not have support for WPA3-Personal or PMFs, a transitional security mode is also available.

Note

The Raspberry Pi's onboard wireless chipsets do not currently support the WPA3 standard. For this reason, in order to use this setting you will need to configure your AP with an external wireless adapter that supports WPA3.

"},{"location":"ap-basics/#80211w","title":"802.11w","text":"

Experimental \u00b7 Insiders only

The 802.11w amendment was introduced as a way to secure Wi-Fi management frames against attacks by ensuring that these frames are legitimately exchanged between an AP and its clients, rather than a malicious third-party. These 802.11w Protected Management Frames (PMFs) can mitigate common types of \"deauthentication\" and \"disassociation\" attacks.

Similar to WPA3-Personal, 802.11w may be configured in one of two modes: enabled and required. Enabled allows for mixed operation by allowing legacy devices that do not support 802.11w to associate while also allowing devices that support 802.11w to use the PMF features. Required will prevent clients that do not support 802.11w from associating with the SSID.

"},{"location":"ap-basics/#drag-drop-widgets","title":"Drag & drop widgets","text":"

Experimental \u00b7 Insiders only

The default dashboard layout may be customized to suit your needs. Enable this option from the System > Theme menu by selecting the Dynamic widgets toggle. Next, from the Dashboard click or tap the icon to modify the widgets. Each widget may be resized, dragged and repositioned. Release the widget to drop it into a new location.

Tip

This option works best for large displays. The default dashboard widgets are optimized for mobile devices and smaller displays.

Click or tap the icon a second time when you're done making changes. The new responsive dashboard layout will be saved to your browser's local storage.

"},{"location":"ap-basics/#printable-signs","title":"Printable signs","text":"

Experimental \u00b7 Insiders only

Beneath the QR code on the Hotspot > Security tab, you will find a link to open a \"Wi-Fi connect\" sign suitable for printing. Click or tap the link after the printer icon to open a new window with your hotspot's QR code, SSID and password neatly formatted.

To print, select File > Print from your browser's toolbar and adjust print preferences as needed. This feature can be especially useful if you operate a public wireless access point. You may also opt to integrate a captive portal for your visitors.

"},{"location":"ap-basics/#advanced-options","title":"Advanced options","text":"

The above sections cover everything you will need for a basic routed AP. The Hotspot > Advanced tab has several options that allow you to control advanced settings for the Linux hostapd service. These are discussed in the following sections.

"},{"location":"ap-basics/#bridged-ap-mode","title":"Bridged AP mode","text":"

If you wish to configure RaspAP as a bridged AP, this may be done by sliding the Bridged AP mode toggle, saving settings and restarting the hotspot. Be aware that when the hotspot restarts you will no longer be able to access the web interface from the default 10.1.141.1 address. Refer to this explanation and tips for administering your bridged AP.

"},{"location":"ap-basics/#wifi-repeater-mode","title":"WiFi repeater mode","text":"

Experimental \u00b7 Insiders only

RaspAP is capable of acting as a wireless repeater to connect to your wireless network and rebroadcast an existing signal. This requires configuring interface metrics and default routes with DHCP. Alternatively, enabling the WiFi repeater mode toggle will create these settings for you automatically.

Save settings and choose Restart hotspot to active the wireless repeater. As with AP-STA mode, described below, this option is disabled or \"greyed out\" until a wireless client is configured.

"},{"location":"ap-basics/#wifi-client-ap-mode","title":"WiFi client AP mode","text":"

RaspAP has support for this special mode, also known as a micro-AP or simply AP-STA. Typically this can be difficult to configure manually, but RaspAP performs most of the config work behind the scenes for you.

Note

This option is disabled or \"greyed out\" until a wireless client is configured. This can be done via the WiFi client UI, or by manually configuring a valid wpa_supplicant.conf.

Before using this mode, it is recommended that users familiarize themselves with how AP-STA works. Users of AP-STA mode should also be aware of its limitations, and understand that performance and stability of this AP mode will not be equal to using a second wireless adapter bound to a separate interface. For the latter, refer to this FAQ.

"},{"location":"ap-basics/#beacon-interval","title":"Beacon interval","text":"

Wireless APs continuously send beacon frames to indicate their presence, traffic load, and capabilities. The default hostapd beacon interval is 100ms. If desired, you may change this to any value between 15 and 65535.

"},{"location":"ap-basics/#disable-disassoc_low_ack","title":"Disable disassoc_low_ack","text":"

An AP may disassociate a client due to inactivity, transmission failures or other indications of connection loss. This phenomenon can usually be observed in the hostapd logs like so:

wlan0: AP-STA-DISCONNECTED 24:62:ab:fd:24:34\nwlan0: STA 24:62:ab:fd:24:34 IEEE 802.11: disassociated\nwlan0: STA 24:62:ab:fd:24:34 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)\n

This option sets the disassoc_low_ack boolean value for hostapd. Be aware that this value is dependent on driver capabilities. Moreover, hostapd may disassociate a client (or station) for a variety of reasons, so this is not a silver bullet.

"},{"location":"ap-basics/#transmit-power","title":"Transmit power","text":"

RaspAP allows you to control the transmit power of the configured AP interface. The default \"auto\" setting will suffice for the vast majority of APs. A lower txpower value can be useful to mitigate WiFi radio interference, for example if you are hosting multiple APs in a given area. It can also be advantageous to set txpower to a lower value in IoT or similar applications where reduced power consumption is needed.

Set the transmit power by selecting a value from the dropdown and choosing Save settings. The transmit power setting is expressed as dBm, or decibels (dB) with reference to one milliwatt (mW). It is not necessary to restart the AP for this to take effect.

"},{"location":"ap-basics/#maximum-number-of-clients","title":"Maximum number of clients","text":"

This option sets the max_num_sta value for hostapd, and is effective for placing a limit on the number of clients (stations) that can connect to your AP. When the limit is reached, new client connections will be rejected.

Note

The default setting is 2007, but this is merely the value set by hostapd from the IEEE 802.11 specification. It should not be interpreted as a guarantee that RaspAP can support this many simultaneous clients. In practice, this number depends on several factors and is a much lower value, as discussed in this FAQ.

"},{"location":"ap-basics/#custom-user-settings","title":"Custom user settings","text":"

RaspAP gives you control over many common AP settings via the Hotspot > Basic, Security and Advanced tabs. However, hostapd has lots of other options that aren't exposed in the management UI. For this reason, RaspAP lets advanced users define any number of valid hostapd settings by adding them to a custom configuration file.

Begin by creating /etc/hostapd/hostapd.conf.users on your device's filesystem, then add your desired settings to this file. For example, to enable hostapd's built-in support for MAC address filtering, you may add the following:

# Accept/deny lists are read from separate files (containing list of\n# MAC addresses, one per line).\naccept_mac_file=/etc/hostapd.accept\ndeny_mac_file=/etc/hostapd.deny\n

Next, choose Hotspot > Save settings to parse this file and append your custom settings to RaspAP's hostapd configuration. Finally, choose Hotspot > Restart hotspot for your changes to take effect.

Tip

Direct manipulation of advanced hostapd settings may lead to your AP failing to start and/or other unanticipated behavior. For this reason, it's advisable to enable service logging on the Hotspot > Logging tab and monitor the log output for errors.

"},{"location":"ap-basics/#troubleshooting","title":"Troubleshooting","text":"

RaspAP gives you advanced control over several Linux networking-related services. As a result, your AP may fail to start for a variety of reasons. You may also encounter errors connecting clients to the AP, have no internet on AP clients, or observe clients being disconnected from the AP for no apparent reason.

If any of the above happens, one of the best diagnostic tools at your disposal is RaspAP's built-in service logging facility. You may enable the hostapd service log by sliding the Logfile output toggle on the Hotspot > Logging tab and choosing Save settings. Finally, choose Restart hotspot and check the log output.

Similarly, you may also enable DHCP server activity by sliding either of the two logging options on the DHCP server > Logging tab.

"},{"location":"ap-basics/#debug-log","title":"Debug log","text":"

In some situations, you may need more comprehensive information to self-diagnose a problem. RaspAP lets you generate a debug log with a detailed summary of your system including the installed OS, Linux kernel version, attached USB devices, RaspAP settings, network configuration and current state of several AP-related services.

To create this log, simply click or tap on the Generate debug log button from the System > Tools tab. You will be prompted to choose a location to store the generated raspap_debug.log file on your local computer or mobile device. An example portion of RaspAP's debug log is shown below:

System Info\n===========\nHardware: Raspberry Pi 3 Model B Rev 1.2\nDetected OS: Debian GNU/Linux 12 (bookworm) 64-bit\nKernel: Linux raspberrypi 6.1.0-rpi4-rpi-v8 (2023-10-05) aarch64 GNU/Linux\nSystem Uptime: 4 days, 20 hours, 45 minutes\nMemory Usage: 29.0749%\n\nInstalled Packages\n==================\nPHP Version: 8.2.7 (cli) (built: Jun  9 2023 19:37:27) (NTS)\nDnsmasq Version: 2.89\ndhcpcd Version: 9.4.1\nlighttpd Version: 1.4.69\nvnStat Version: 2.10\n\nRaspAP Install\n==============\nRaspAP Version: 2.9.9\nRaspAP Installation Directory: /var/www/html\nRaspAP hostapd.ini contents:\nWifiInterface = wlan0\n

Tip

If you are unable to perform a self-diagnosis and would like to share your debug log (or a portion of it) with another party, upload it to Pastebin or Ubuntu Pastebin. Please don't paste the log in its entirety to RaspAP's discussions, issues or other support channels.

RaspAP's debug log contains information about your system and local network configuration. However, no passwords or other senstive data are included.

"},{"location":"ap-basics/#diagnosing-problems","title":"Diagnosing problems","text":"

Look for any reported errors logged by the hostapd, dhcpcd or dnsmasq services. In most cases, errors thrown by one or more of these services have been discussed in various online forums. Start by searching the official Raspberry Pi forums or Raspberry Pi on Stack Exchange. Chances are the problems with your AP have been discussed and answered before.

For additional help and advice, the FAQ is a rich source of troubleshooting info that is continuously updated with answers to the most commonly asked questions. For issues not covered in the FAQ, you may find many topics in RaspAP discussions and the RaspAP subreddit.

Tip

Capture output from the Linux kernel's message buffer with dmesg to help diagnose failure events. Read the last 100 lines with dmesg | tail -100 and look for any anomalies.

The performance of WiFi radios may be impacted by many factors, including, but not limited to:

  1. Undervoltage due to inadequate power or too many peripherals connected to the USB bus
  2. Interference from a poorly shielded HDMI cable or using a specific HDMI screen resolution
  3. RF interference from overlapping WiFi networks on a crowded 2.4 GHz band.

Bear these things in mind if your AP exhibits unexpected behavior and do your best to mitigate them.

"},{"location":"ap-basics/#reverting-to-base-settings","title":"Reverting to base settings","text":"

It is generally advisable to begin with RaspAP's default configuration, which has been rigorously tested and validated with the project's supported operating systems. If, after modifying RaspAP's default settings, your AP no longer functions as expected, you may perform a system reset to restore these defaults.

"},{"location":"ap-basics/#accessing-backups","title":"Accessing backups","text":"

Each time you revert to RaspAP's base settings, your existing service configuration files are automatically backed up to /etc/raspap/backups. In this way, you can compare differences between your files and the default configuration, if needed. There are many ways to do this in Linux, such as using the built-in GNU diff tool. Another option is to install colordiff, a wrapper for diff that produces the same output but with colored syntax highligting. Install colordiff with sudo apt-get install colordiff.

Similarly, the web files located in the default /var/www/html root are backed up to /var/www in a directory named with a timestamp. Therefore, any changes you've made to RaspAP's internals are preserved.

"},{"location":"ap-basics/#discussions","title":"Discussions","text":"

Questions or comments about using access point settings? Join the discussion here.

"},{"location":"ap-sta/","title":"AP-STA mode","text":""},{"location":"ap-sta/#overview","title":"Overview","text":"

Experimental (Unsupported)

This describes an installation of RaspAP on the Raspberry Pi Zero W or Zero 2 W models. However, the same steps apply to any device with a chipset capable of supporting this mode.

A managed mode AP, variously known as WiFi client AP mode, a micro-AP or simply AP-STA, usually works with the Quick Installer if the steps below are followed carefully. This feature was added to RaspAP specifically to support Internet of Things (IoT) and embedded applications for the Pi Zero W, however it is equally useful for a broad range of projects.

Disclaimer

This mode is completely unsupported and should be used for educational purposes only. If you need a reliable solution with an access point (AP) and wireless client (STA) on the same device, obtain a second Wi-Fi adapter and follow this walkthrough instead. Issues related to this will be labeled as invalid and closed. No hard feelings.

Before proceeding with the installation, it's important to have a basic understanding of how AP-STA works.

"},{"location":"ap-sta/#what-is-ap-sta-mode","title":"What is AP-STA mode?","text":"

Many wireless devices support simultaneous operation as both an access point (AP) and as a wireless client/station (STA). This is sometimes called Wi-Fi AP/STA concurrency. In this configuration, it is possible to create a software AP acting as a wireless repeater for an existing network, using a single wireless device. This capability is listed in the following section in the output of iw list:

$ iw list | grep -A 4 'valid interface'\n    valid interface combinations:\n    * #{ managed } <= 1, #{ P2P-device } <= 1, #{ P2P-client, P2P-GO } <= 1,\n      total <= 3, #channels <= 2\n    * #{ managed } <= 1, #{ AP } <= 1, #{ P2P-client } <= 1, #{ P2P-device } <= 1,\n      total <= 4, #channels <= 1\n

The second valid interface combination indicates that both a managed and AP configuration is possible. The constraint #channels <= 1 means that your software AP must operate on the same channel as your Wi-Fi client connection.

Note

If you have a second wireless adapter bound to wlan1 on a Pi Zero W (or other device), refer to this FAQ.

"},{"location":"ap-sta/#use-cases","title":"Use cases","text":"

There are many scenarios in which AP-STA mode might be useful. These are some of the more popular ones:

  1. A device that connects to a wireless AP but needs an admin interface to configure the network and/or other services.
  2. A hub for Internet of Things devices, while also creating a bridge between them and the internet.
  3. A guest interface to your home wireless network.

Security is an important consideration with IoT and it can be beneficial to keep your devices on a separate network, for safety\u2019s sake. No one wants a random internet user turning your lights on and off.

"},{"location":"ap-sta/#how-does-ap-sta-work","title":"How does AP-STA work?","text":"

In this configuration, we create a virtual network interface (here uap0) and add it as the AP to the physical wlan0 device. This virtual interface is used by several of the services needed to operate a software access point. RaspAP manages these configurations in the background for you. Relevant sections are displayed below as examples.

dhcpcd.conf:

# RaspAP uap0 configuration\ninterface uap0\nstatic ip_address=192.168.50.1/24\nnohook wpa_supplicant\n

hostapd.conf:

# RaspAP wireless client AP mode\ninterface=uap0\n

dnsmasq.conf:

# RaspAP uap0 configuration\ninterface=lo,uap0               # Use interfaces lo and uap0\nbind-interfaces                 # Bind to the interfaces\ndomain-needed                   # Don't forward short names\nbogus-priv                      # Never forward addresses in the non-routed address spaces\n

On AP-STA startup and system reboots, RaspAP's service control script adds the virtual uap0 interface and brings it up, like so:

iw dev wlan0 interface add uap0 type __ap\nifconfig uap0 up\n

After the virtual uap0 interface is added to the wlan0 physical device, we can then start up hostapd. It is important that the virtual interface is brought up first, otherwise it will fail with the message \"could not configure driver mode\". We also need to be sure that the interface is not managed by systemd-networkd, so this service should be disabled. These steps are handled by the RaspAP daemon.

With a basic understanding of AP-STA mode, we can proceed with the installation.

"},{"location":"ap-sta/#installation","title":"Installation","text":"
  1. Begin by flashing an SD card with the latest release of Raspberry Pi OS (32- or 64-bit) Lite.
  2. Prepare the SD card to connect to your WiFi network in headless mode according to this FAQ.
  3. Enable ssh access by creating an empty file called \"ssh\" (no extension) in the SD card's root.
  4. Insert the SD card into the Pi Zero W and connect it to power. Note: the standard power supply for the Raspberry Pi is 5.1V @ 2.5A. Other power sources may result in undervoltage or other issues. Do not use the micro USB connection.
  5. Connect to your Pi via ssh. ssh pi@raspberrypi.local is typical.
  6. Follow the project prerequisites exactly. Do not skip any of these steps.
  7. Invoke the Quick Installer as normal: curl -sL https://install.raspap.com | bash.
  8. The installer automatically detects a Pi (or other device) without an active eth0 interface. In this case, you will not be prompted to reboot your Pi.
  9. Open the RaspAP admin interface in your browser, usually http://raspberrypi.local.
  10. The status widget should indicate that hostapd is inactive. This is expected.
  11. Confirm that the Wireless Client dashboard widget displays an active connection.
  12. Choose Hotspot > Advanced and enable the WiFi client AP mode option.
  13. Optionally, enable Logfile output as this is often helpful for troubleshooting.
  14. Choose Save settings and Start hotspot.
  15. Wait a few moments and confirm that your AP has started.

Note

The WiFi client AP mode option will be disabled, or \"greyed out\", until a wireless client is configured.

"},{"location":"ap-sta/#when-to-reboot","title":"When to reboot?","text":"

Rebooting before configuring AP-STA mode is likely the main cause of problems for users with the Pi Zero W. The reason is the default configuration is designed for a wired (ethernet) AP.

Once the Pi Zero W is configured in AP-STA mode, RaspAP will store several values in /etc/raspap/hostapd.ini:

LogEnable = 1\nWifiAPEnable = 1\nBridgedEnable = 0\nWifiManaged = wlan0\n
These are used by RaspAP's systemd control service raspapd to determine that a managed mode AP is enabled for the Pi and restore the connection after subsequent reboots.

"},{"location":"ap-sta/#changing-hostapd-settings","title":"Changing hostapd settings","text":"

Changes to the hotspot configuration should be applied to the wlan0 physical device, not uap0 (a virtual interface). In other words, if you wish to change hostapd settings, stop the hotspot, disable AP-STA, make your config changes on wlan0, re-enable AP-STA and finally restart hostapd. An explanation is available here.

"},{"location":"ap-sta/#discussions","title":"Discussions","text":"

Questions or comments about using AP-STA mode? Join the discussion here.

"},{"location":"authentication/","title":"Authentication","text":""},{"location":"authentication/#overview","title":"Overview","text":"

RaspAP's authentication module uses HTTP's built-in framework to limit access to authorized users. Known as the HTTP \"Basic\" scheme, when first accessing RaspAP on your device the server will respond with a 401 (unauthorized) status. Authentication is then handled with a response header that presents a login challenge in the browser.

The default administrator credentials are:

Username: admin Password: secret

After performing the initial login, it is strongly recommended to change these default credentials on the Authentication > Basic tab. This is a first-line defense against unauthorized users taking control of your wireless network.

Note

The \"Basic\" HTTP authentication scheme is defined in RFC 7617, which transmits credentials as user ID/password pairs, encoded using base64.

"},{"location":"authentication/#how-secure-is-basic-auth","title":"How secure is basic auth?","text":"

The HTTP Basic Authentication scheme is not considered to be secure on its own, especially over plain HTTP. This is because it sends the username and password in an easily decodable Base64-encoded format. Without an additional encryption layer, credentials are sent over the network in plain text. This makes it highly vulnerable to interception by attackers via man-in-the-middle (MITM) attacks or by packet sniffing.

"},{"location":"authentication/#best-security-practices","title":"Best security practices","text":"

The overall security of your RaspAP install can be greatly enhanced by applying some rudimentary changes to it. Taken together, these have the effect of hardening your router against potential external threats.

"},{"location":"authentication/#using-httpstls","title":"Using HTTPS/TLS","text":"

Basic Authentication can be used securely if transmitted over HTTPS, which encrypts the entire communication channel. For this reason, RaspAP has simplified the process of creating locally-trusted SSL certificates with the Quick installer. When HTTPS/TLS is enabled with a RaspAP install, this authentication process is significantly more secure.

"},{"location":"authentication/#using-a-strong-passphrase","title":"Using a strong passphrase","text":"

In most scenarios, a potential attacker can only access RaspAP's admin login prompt if they are already associated with your wireless access point. To mitigate this, change the default raspap-webgui SSID and choose a strong pre-shared key (PSK) or passphrase. RaspAP will automatically generate a secure passphrase for you, as illustrated below:

On the Hotspot > Security tab, click or tap the magic icon next to the PSK input. Choose Save settings followed by Restart hotspot. Thereafter, you may share RaspAP's QR code with your wireless clients to assist them with authentication.

Tip

Given RaspAP's popularity, assume that both the default admin login credentials and the default access point SSID and password are well known to third-parties. Failure to change these default settings is an invitation to attackers.

"},{"location":"authentication/#access-point-settings","title":"Access point settings","text":"

RaspAP enables Wi-Fi Protected Access 2 (WPA2) as the default security type for the access point. This includes support for AES-based encryption and a multi-step 4-way handshake. For greater security, the newer WPA3 standard increases the key length to 192 bits (compared with the 128-bit key used by WPA2), further improving the password defense strength.

"},{"location":"authentication/#limited-privilege-user-role","title":"Limited privilege user role","text":"

Experimental \u00b7 Insiders only

The administrator may enable a user who is able to access RaspAP's management interface, but is restricted in their ability to modify the existing configuration. In this case, the limited privilege user may configure a wireless client connection on the WiFi client page, but is unable to change any other settings.

This is useful in a multi-user environment where the admin user may want to initially configure a wireless router, and then delegate client connection duties to other users of the network.

To enable the limited privilege user, slide the corresponding toggle on the Basic tab, enter the limited privilege user's login and password and choose Save settings. The current admin user will be prompted to logout. Thereafter, the limited privilege user role will be active. The limited user may then login with the credentials you've defined. To disable the limited privilege user role, simply login with the administrator account again.

"},{"location":"authentication/#custom-user-avatars","title":"Custom user avatars","text":"

Experimental \u00b7 Insiders only

The default administrator user icon may be replaced with a custom one of your choosing. From the Avatar tab, click or tap on the existing avatar to upload a new one. The new custom avatar will be displayed in RaspAP's header.

Image files of type .jpg, .gif or .png up to a maximum of 2 MB are supported. To restore the avatar to the default, choose Reset avatar.

"},{"location":"authentication/#restoring-defaults","title":"Restoring defaults","text":"

Login credentials are stored in /etc/raspap/raspap.auth. The password is encrypted and cannot be edited manually. If you've forgotten your admin login or wish to temporarily reset the defaults, you may do so by simply deleting this file:

sudo rm /etc/raspap/raspap.auth\n

This will restore the default admin login and password pair.

Note

RaspAP uses PHP's built-in password_hash function which leverages the Blowfish (CRYPT_BLOWFISH) algorithm. Blowfish is an adaptive hashing algorithm that is widely considered to be very secure.

"},{"location":"authentication/#discussions","title":"Discussions","text":"

Questions or comments about RaspAP's authentication? Join the discussions here.

"},{"location":"bridged/","title":"Bridged AP mode","text":""},{"location":"bridged/#overview","title":"Overview","text":"

By default RaspAP configures a routed AP as its hotspot, where your device creates a subnet and assigns IP addresses to connected clients. If you would rather have your upstream router assign IP addresses, RaspAP lets you change the hotspot configuration to an alternative bridged AP. This is also useful if you want your device and its hotspot clients to be visible to other devices in your router's network.

"},{"location":"bridged/#enabling-bridged-ap-mode","title":"Enabling bridged AP mode","text":"

From RaspAP's Hotspot > Advanced tab, select the Bridged AP mode option. Choose Save settings and then Restart hotspot.

At this stage, you will no longer be able to access RaspAP's web interface from the default 10.3.141.1 address. See accessing the web interface, below.

"},{"location":"bridged/#limitations","title":"Limitations","text":"

Bridged AP mode operates under some constraints as compared to RaspAP's default routed AP mode. These are discussed below.

"},{"location":"bridged/#wifi-client-mode","title":"WiFi client mode","text":"

On the Hotspot > Advanced tab the Wifi Client AP mode option is disabled or \"greyed out\". The reason for this is your device cannot connect as a client to another wireless network while simultaneously hosting its own bridged access point.

"},{"location":"bridged/#dhcp-server","title":"DHCP server","text":"

The DHCP Server page is disabled and hidden from the adminstration interface. This is because in bridged AP mode all DHCP functions are delegated to your upstream router. To configure DHCP settings for your network, access your router's web interface.

"},{"location":"bridged/#vpn-considerations","title":"VPN considerations","text":"

Clients connected to a bridged AP with OpenVPN enabled will not have their traffic routed through the VPN server. Your device itself will still have its own traffic routed through the VPN server, however.

Note

Bridged AP mode is not currently supported on Ubuntu Server. This is because Ubuntu has standardized on Netplan, which differs considerably from other Linux distributions supported by RaspAP.

"},{"location":"bridged/#accessing-the-web-interface","title":"Accessing the web interface","text":"

In bridged AP mode, you will no longer be able to access RaspAP's web interface using the default 10.3.141.1 address. This is because your device no longer creates its own 10.3.141.0/24 subnet for its access point. Instead, access RaspAP's web interface by entering your device's hostname followed by .local. On Raspberry Pi devices running the avahi daemon, this will look like raspberrypi.local.

Some browsers have trouble resolving .local addresses. You may also need to modify the address depending on your browser. For example, try entering http://raspberrypi.local or raspberrypi.local/ in your browser's address field.

If the above methods don't work, the nmap command (Network Mapper) can be used to scan your subnet for devices connected to your network. For example, invoke nmap with the -sn flag (ping scan) on your subnet range:

nmap -sn 192.168.1.0/24\n

This scan pings all the IP addresses in a subnet to see if they respond. For each device that responds to the ping, the output will show the hostname and IP address like so:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-23 10:04 CET\nNmap scan report for iPhone 192.168.1.31\nHost is up (0.037s latency).\nNmap scan report for raspberrypi 192.168.1.8\nHost is up (0.031s latency).\nNmap scan report for Chromecast 192.168.1.45\nHost is up (0.0015s latency).\nNmap scan report for mbp15 192.168.1.48\nHost is up (0.074s latency).\nNmap done: 256 IP addresses (4 hosts up) scanned in 6.08 seconds\n

More information on finding your device's IP address can be found here.

"},{"location":"bridged/#troubleshooting","title":"Troubleshooting","text":"

If you are unable to connect clients to your bridged AP, start by following the recommendations in this FAQ. Client connectivity issues in bridged AP mode are most often the result of your upstream router, not RaspAP. For this reason, please check your router's web interface and DHCP settings before reporting a bug.

"},{"location":"bridged/#discussions","title":"Discussions","text":"

Questions or comments about RaspAP's bridged AP mode? Join the discussion here.

"},{"location":"captive/","title":"Captive portal setup","text":""},{"location":"captive/#overview","title":"Overview","text":"

The nodogsplash project is a lightweight, highly configurable captive portal solution. It integrates nicely with RaspAP and is recommended over other methods. No configuration changes are needed with RaspAP, however you will need to modify some default settings in the nodogsplash config. This step-by-step guide assumes you have already installed RaspAP, either with the Quick Installer or manual setup instructions.

Note

This walkthrough is provided as a courtesy only; there is no support for NDS or any integration with this project.

"},{"location":"captive/#installing-the-software","title":"Installing the software","text":"

Begin by updating your RPi with the latest package information:

sudo apt-get update\n

With our package manager up to date, install a dependency required by nodogsplash:

sudo apt-get install libmicrohttpd-dev\n

Next, clone the nodogsplash GitHub repository to your home directory:

cd ~/\ngit clone https://github.com/nodogsplash/nodogsplash.git\n

We can now compile nodogsplash from the source:

cd nodogsplash\nmake\nsudo make install\n

"},{"location":"captive/#configuration-changes","title":"Configuration changes","text":"

With nodogsplash installed in the Pi's system, we will make two small changes to its configuration. The nodogsplash GatewayInterface should be set to the interface RaspAP runs on (wlan0 is the default). You will also need to change the GateWayAddress to 10.3.141.1.

Note

If you have modified RaspAP's default configuration, be sure this setting reflects your changes, otherwise the captive portal will not work correctly.

sudo nano /etc/nodogsplash/nodogsplash.conf\n

# GatewayInterface is not autodetected, has no default, and must be set here.\n# Set GatewayInterface to the interface on your router\n# that is to be managed by Nodogsplash.\n# Typically br-lan for the wired and wireless lan.\n#\nGatewayInterface wlan0\n#\n# Parameter: GatewayAddress\n# Default: Discovered from GatewayInterface\n#\n# This should be autodetected on an OpenWRT system, but if not:\n# Set GatewayAddress to the IP address of the router on\n# the GatewayInterface.  This is the address that the Nodogsplash\n# server listens on.\nGatewayAddress 10.3.141.1\n
Save and quit out of the editor by pressing Ctrl+X and then pressing Y and finally Enter.

"},{"location":"captive/#starting-the-captive-portal","title":"Starting the captive portal","text":"

We are now ready to start up the software. This can be done by simply executing the binary with sudo nodogsplash. However, we'll make things a bit easier by adding a systemd service provided by the project. Copy the service control file and enable it:

sudo cp ~/nodogsplash/debian/nodogsplash.service /lib/systemd/system/\nsudo systemctl enable nodogsplash.service \n

Next, start the service and check its status:

sudo systemctl start nodogsplash.service \nsudo systemctl status nodogsplash.service\n

You should see output similar to the following:

\u25cf nodogsplash.service - NoDogSplash Captive Portal\n   Loaded: loaded (/lib/systemd/system/nodogsplash.service; enabled; vendor preset: enabled)\n   Active: active (running) since Tue 2020-02-11 09:19:44 GMT; 34min ago\n Main PID: 10539 (nodogsplash)\n    Tasks: 4 (limit: 1599)\n   Memory: 1.7M\n   CGroup: /system.slice/nodogsplash.service\n           \u2514\u250010539 /usr/bin/nodogsplash\n\nFeb 11 09:19:44 raspberrypi systemd[1]: Starting NoDogSplash Captive Portal...\nFeb 11 09:19:44 raspberrypi nodogsplash[10538]: [5][Tue Feb 11 09:19:44 2020][10538](src/main.c:496) Starting as daemon, forking to background\nFeb 11 09:19:44 raspberrypi nodogsplash[10538]: [5][Tue Feb 11 09:19:44 2020][10539](src/main.c:271) Detected gateway wlan0 at 10.3.141.1 (dc:a6:32:3d:ff:9d)\nFeb 11 09:19:44 raspberrypi nodogsplash[10538]: [5][Tue Feb 11 09:19:44 2020][10539](src/main.c:275) MHD Unescape Callback is Disabled\nFeb 11 09:19:44 raspberrypi nodogsplash[10538]: [5][Tue Feb 11 09:19:44 2020][10539](src/main.c:305) Created web server on 10.3.141.1:2050\nFeb 11 09:19:44 raspberrypi nodogsplash[10538]: [5][Tue Feb 11 09:19:44 2020][10539](src/main.c:319) Using config options for FAS or Templated Splash.\nFeb 11 09:19:44 raspberrypi systemd[1]: Started NoDogSplash Captive Portal.\nFeb 11 09:19:46 raspberrypi nodogsplash[10538]: [5][Tue Feb 11 09:19:46 2020][10539](src/fw_iptables.c:382) Initializing firewall rules\n

Note

The captive portal may be stopped with sudo systemctl stop nodogsplash.service or disabled completely with sudo systemctl disable nodogsplash.service.

"},{"location":"captive/#connecting-clients","title":"Connecting clients","text":"

Connect a client to RaspAP's hotspot. You should now see nodogsplash's captive portal screen:

Optional: you can customize the captive portal screen by modifying the files located in /etc/nodogsplash/htdocs/.

"},{"location":"captive/#more-information","title":"More information","text":"

Full documentation of nodogsplash is available here.

"},{"location":"captive/#discussions","title":"Discussions","text":"

Questions or comments about using nodogsplash with RaspAP? Join the discussion here.

"},{"location":"custom-plugins/","title":"Custom user plugins","text":""},{"location":"custom-plugins/#overview","title":"Overview","text":"

The PluginManager provides a framework for developers to create custom plugins to extend RaspAP's functionality. To facilitate this, the SamplePlugin repository was created to make it easy for developers to get started creating their own plugins. Using the SamplePlugin is described in the following sections.

"},{"location":"custom-plugins/#the-sampleplugin","title":"The SamplePlugin","text":"

The SamplePlugin implements a PluginInterface and is automatically loaded by RaspAP's PluginManager.

Several common plugin functions are demonstrated in SamplePlugin, as well as a method for persisting session data in plugin instances. Each plugin has its own namespace, meaning that classes and functions are organized to avoid naming conflicts. Plugins are self-contained and render templates from inside their own /templates directory.

"},{"location":"custom-plugins/#getting-started","title":"Getting started","text":"

The SamplePlugin requires an installation of RaspAP, either via the Quick install method or with a Docker container. The default application path /var/www/html is used here. If you've chosen a different install location, substitute this in the steps below.

  1. Begin by creating a fork of the SamplePlugin repository.
  2. Change to your RaspAP install location and create a /plugins directory.
    cd /var/www/html\nsudo mkdir plugins\n
  3. Change to the /plugins directory and clone your SamplePlugin fork:
    cd plugins\nsudo git clone https://github.com/[your-username]/SamplePlugin\n
  4. The PluginManager will detect and autoload the plugin; a new Sample Plugin item will appear in the sidebar.

You may now proceed with customizing your plugin by using the tips in the next sections.

"},{"location":"custom-plugins/#scope-of-functionality","title":"Scope of functionality","text":"

The SamplePlugin implements the server-side methods needed to support basic plugin functionality. It initalizes a Sidebar object and adds a custom navigation item. User input is processed with handlePageAction() and several common operations are performed, including:

  1. Saving plugin settings.
  2. Starting a sample service.
  3. Stopping a sample service.

Template data is then collected in $__template_data and rendered by the main.php template file located in /templates. Property get/set methods are demonstrated with apiKey and serviceStatus values. A method is then used in persistData() to save the SamplePlugin object data.

Caution

Importantly, SamplePlugin does not use the PHP $_SESSION object. Known as a \"superglobal\", or automatic global variable, this is available in all scopes throughout a script. Using the $_SESSION object in a plugin context can lead to conflicts with other plugin instances.

On the front-end, Bootstrap's form validation is used to validate user input. A custom JavaScript function responds to a click event to generate a random apiKey value. The sample.service LED indicator is functional, as are the service stop/start form buttons.

"},{"location":"custom-plugins/#customizing","title":"Customizing","text":"

The SamplePlugin demonstrates basic plugin functions without being overly complex. It's designed with best practices in mind and made to be easily modified by developers.

"},{"location":"custom-plugins/#unique-plugin-names","title":"Unique plugin names","text":"

Most plugin authors will probably begin by renaming SamplePlugin to something unique. The PluginManager expects the plugin folder, file, namespace and class to follow the same naming convention. When renaming the SamplePlugin ensure that each of the following entities uses the same plugin name:

Entity Type plugins/SamplePlugin folder plugins/SamplePlugin/SamplePlugin.php file namespace RaspAP\\Plugins\\SamplePlugin namespace class SamplePlugin implements PluginInterface class

That is, replace each occurrence of SamplePlugin with your plugin name in these entities.

"},{"location":"custom-plugins/#plugin-logic-and-templates","title":"Plugin logic and templates","text":"

Plugin classes and functions are contained in SamplePlugin.php. The parent template main.php and child tab templates are used to render template data.

\u251c\u2500\u2500 SamplePlugin/\n\u2502   \u251c\u2500\u2500 SamplePlugin.php\n\u2502   \u2514\u2500\u2500 templates/\n\u2502       \u251c\u2500\u2500 main.php\n\u2502       \u2514\u2500\u2500 tabs/\n\u2502           \u251c\u2500\u2500 about.php\n\u2502           \u251c\u2500\u2500 basic.php\n\u2502           \u2514\u2500\u2500 status.php\n

You may wish to omit, modify or create new tabs. This is done by editing main.php and modifying the contents of the /tabs directory.

"},{"location":"custom-plugins/#sidebar-item","title":"Sidebar item","text":"

The PluginInterface exposes an initalize() method that is used to create a unique sidebar item. The properties below can be customized for your plugin:

$label = _('Sample Plugin');\n$icon = 'fas fa-plug';\n$action = 'plugin__'.$this->getName();\n$priority = 65;\n

You may specify any icon in the Font Awesome 6.6 free library for the sidebar item. The priority value sets the position of the item in the sidebar (lower values = a higher priority).

"},{"location":"custom-plugins/#permissions","title":"Permissions","text":"

For security reasons, the www-data user which the lighttpd web service runs under is not allowed to start or stop daemons or execute commands. RaspAP's installer adds the www-data user to sudoers, but with restrictions on what commands the user can run. If your plugin requires execute permissions on a Linux binary not present in RaspAP's sudoers file, you will need to add this yourself. To edit this file, the visudo command should be used. This tool safely edits sudoers and performs basic validity checks before installing the edited file.

Execute visudo and edit RaspAP's sudoers file like so:

sudo visudo /etc/sudoers.d/090_raspap\n

An example of adding entries to support a plugin's service is shown below:

www-data ALL=(ALL) NOPASSWD:/bin/systemctl start sample.service\nwww-data ALL=(ALL) NOPASSWD:/bin/systemctl stop sample.service\nwww-data ALL=(ALL) NOPASSWD:/bin/systemctl status sample.service\n

Wildcards ('*') and regular expressions are supported by sudoers but care should be taken when using them.

"},{"location":"custom-plugins/#multiple-instances","title":"Multiple instances","text":"

The PluginManager is a managerial class responsible for locating, instantiating and coordinating plugins. Through the use of namespaces and object data persistence in SamplePlugin, any number of user plugins may be installed to /plugins and run concurrently.

As previously noted, developers should avoid using PHP's $_SESSION object in their plugins to prevent conflicts with other plugin instances. An alternative method for session data storage is provided in the SamplePlugin persistData() function.

Note

The persistData() function writes serialized data to the volatile /tmp directory which is cleared on each system boot. For this reason, it should not be used as a method of permanent data storage. However, this functionality roughly approximates PHP's $_SESSION object; the difference being that each plugin's data is isolated from other plugin instances.

"},{"location":"custom-plugins/#publishing-your-plugin","title":"Publishing your plugin","text":"

The SamplePlugin contains an \"About\" tab where you may provide author information, a description and link to your project. If you've authored a plugin you feel would be useful to the RaspAP community, you're encouraged to share it in the SamplePlugin repository's discussions.

"},{"location":"custom-plugins/#discussions","title":"Discussions","text":"

Questions or comments about creating user plugins? Join the discussion here.

"},{"location":"defaults/","title":"Default settings","text":""},{"location":"defaults/#overview","title":"Overview","text":"

Creating a software routed access point (AP) requires the installation and setup of several related Linux services. RaspAP uses a known-good default configuration as a starting point. This facilitates a faster setup by not prompting the user for various network settings during the installation. More importantly, it eliminates guesswork that can lead to conflicts down the road. When the manual or quick installation is completed, you will have a functional AP that you may then administer with RaspAP's web interface.

While this project handles every facet of this process for you, it's still recommended that users familiarize themselves with the steps involved in building a software AP from start to finish.

"},{"location":"defaults/#configuration-directory","title":"Configuration directory","text":"

To every extent possible, RaspAP's default settings are contained within the project's /config folder. The networking defaults, DNS servers, wireless regulatory data and so on are found here. In this way, the user may modify RaspAP's baseline application settings without touching code.

The exception to this is hostapd.conf which is managed by includes/hostapd.php and effectively rewritten depending on user input. This is due to the complexity of this configuration relative to other services managed by the project. For this reason, manual edits to this file will not be preserved.

Baseline configurations for dhcpcd, dnsmasq (described below) and bridged AP configurations are contained here.

"},{"location":"defaults/#managing-config-values","title":"Managing config values","text":"

The interface itself, default Linux file paths and so on may be changed by modifying the project's configuration file config.php.

Note

The file config/config.php is copied during the installation to includes/config.php and ignored by Git. This way, users can modify includes/config.php without git pull or upgrades complaining about local changes. The file includes/defaults.php loads corresponding default values if they are not set.

For example, you can change the brand text that appears in the interface header simply by modifying the value of this constant:

define('RASPI_BRAND_TEXT', 'RaspAP');\n

RaspAP's interface may be further customized by changing the following values:

// Optional services, set to true to enable.\ndefine('RASPI_WIFICLIENT_ENABLED', true);\ndefine('RASPI_HOTSPOT_ENABLED', true);\ndefine('RASPI_NETWORK_ENABLED', true);\ndefine('RASPI_DHCP_ENABLED', true);\ndefine('RASPI_ADBLOCK_ENABLED', false);\ndefine('RASPI_OPENVPN_ENABLED', false);\ndefine('RASPI_VPN_PROVIDER_ENABLED', false);\ndefine('RASPI_WIREGUARD_ENABLED', false);\ndefine('RASPI_TORPROXY_ENABLED', false);\ndefine('RASPI_CONFAUTH_ENABLED', true);\ndefine('RASPI_CHANGETHEME_ENABLED', true);\ndefine('RASPI_VNSTAT_ENABLED', true);\ndefine('RASPI_SYSTEM_ENABLED', true);\ndefine('RASPI_MONITOR_ENABLED', false);\n

The constants defined for Linux configuration file paths are typical and needn't be changed, in most cases. However, you could easily do so simply by modifying this file.

"},{"location":"defaults/#networking-defaults","title":"Networking defaults","text":"

The default AP interface used by RaspAP is wlan0. This is a typical setting if you are using the RPi's onboard wireless adapter. You can change this to a different interface by modifying the following value in config.php:

define('RASPI_WIFI_AP_INTERFACE', 'wlan0');\n

Tip

If a second wireless adapter is configured for your device, for example bound to the wlan1 interface, RaspAP will automatically detect it and assign it as the default wireless client interface. You may change this setting simply by selecting wlan1 as the AP interface in the Hotspot > Basic panel. After restarting the hotspot, RaspAP will use wlan0 as the client interface.

Default values for the dnsmasq and dhcpcd services can be modified as well. The file config/defaults.json was introduced with the version 2.6 release. This file is copied during the installation to /etc/raspap/networking/, so any changes to it must be made at this location.

The defaults.json file uses the standard JSON data-interchange format. For example, the default dhcp settings for wlan0 are displayed below:

\"dhcp\": {\n    \"wlan0\": { \n      \"static ip_address\": [ \"10.3.141.1/24\" ],\n      \"static routers\": [ \"10.3.141.1\" ],\n      \"static domain_name_server\": [ \"1.1.1.1 8.8.8.8\" ],\n      \"subnetmask\": [ \"255.255.255.0\" ]\n    }\n

Likewise, the DHCP ranges for both wlan0 and the virtual uap0 interface are shown below:

\"dnsmasq\": {\n    \"wlan0\": {\n      \"dhcp-range\": [ \"10.3.141.50,10.3.141.254,255.255.255.0,12h\" ]\n    },\n    \"uap0\": {\n      \"dhcp-range\": [ \"192.168.50.50,192.168.50.150,12h\" ]\n    }\n

These default settings are defined as fallback values. That is, if a user-defined value is missing these will be used in their place.

"},{"location":"defaults/#dns-servers","title":"DNS servers","text":"

The list of hosted DNS servers available in the Upstream DNS servers panel in DHCP > Advanced may be modified to suit your needs. The file config/dns-servers.json contains a JSON formatted collection of hostnames and IPv4 addresses, like so:

\"Google\": [\n    \"8.8.4.4\",\n    \"8.8.8.8\"\n  ],\n  \"OpenDNS\": [\n    \"208.67.220.220\",\n    \"208.67.222.222\"\n  ],\n  \"Quad9\": [\n    \"9.9.9.9\"\n  ],\n

Edits to this file in place will immediately be reflected in the user interface.

"},{"location":"defaults/#vpn-providers","title":"VPN providers","text":"

RaspAP version 3.0 introduced beta support for a select number of VPN providers. These services are largely defined in the config/vpn-providers.json file. An example provider definiton is shown below:

\"id\": 1,\n\"name\": \"ExpressVPN\",\n\"bin_path\": \"/usr/bin/expressvpn\",\n\"install_page\": \"https://www.expressvpn.com/support/vpn-setup/app-for-linux/\",\n\"account_page\": \"https://www.expressvpn.com/subscriptions\",\n\"cmd_overrides\": {\n   \"countries\": \"list all\",\n   \"log\": \"diagnostics\",\n   \"version\": \"-v\"\n}\n

It is not necessary to modify these definitions, unless you would like to experiment by adding a provider not currently supported by RaspAP.

"},{"location":"defaults/#restoring-settings","title":"Restoring settings","text":"

If you've modified RaspAP's default configuration and the AP no longer works as expected, the defaults may be restored by performing a system reset. From the System > Tools tab, click or tap the Perform reset button. A dialog will appear to confirm this action.

Alternatively, you may follow the steps described in the manual installation.

"},{"location":"defaults/#discussions","title":"Discussions","text":"

Questions or comments about RaspAP's defaults? Join the discussions here.

"},{"location":"docker/","title":"Docker support","text":""},{"location":"docker/#overview","title":"Overview","text":"

As an alternative to the Quick installer or manual installation steps, you may also deploy RaspAP in an isolated and portable Docker container.

A container is an isolated environment for code. This means that a container has no knowledge of the host operating system, dependencies, or its files. It runs on the environment provided to you by either Docker Desktop or the Docker Engine. Containers have everything needed to run an application, down to a base operating system.

Here, we'll focus on using Docker Engine to deploy and manage a containerized RaspAP application stack.

"},{"location":"docker/#why-a-container","title":"Why a container?","text":"

Docker containers have several advantages over other methods of deploying code. As a sandboxed process, containers are isolated from all other processes running on a host machine. That isolation leverages things like kernel namespaces and cgroups, features that have been in Linux for a long time.

A RaspAP Docker container is a runnable instance of an image. This container can be started, stopped, moved or deleted using the Docker CLI. It can be run on a local device, virtual machines or deployed to the cloud. Isolation from other containers also means that it runs its own software, binaries and so on.

"},{"location":"docker/#installing-docker-engine","title":"Installing Docker Engine","text":"

Since RaspAP is built for Debian-based systems, the instructions here will focus on this OS family. To get started with Docker Engine on Debian, make sure you meet the prerequisites, and then follow the installation steps.

"},{"location":"docker/#prerequisites","title":"Prerequisites","text":"

To install Docker Engine, begin with the 64-bit version of one of these Debian versions:

Docker Engine for Debian is compatible with x86_64 (or amd64), armhf, arm64, and ppc64le (ppc64el) architectures.

"},{"location":"docker/#uninstall-old-versions","title":"Uninstall old versions","text":"

Before installing Docker Engine, we must first uninstall any conflicting packages.

Distro maintainers provide unofficial distributions of Docker packages in their repositories. These packages must be uninstalled prior to installing the official version of Docker Engine.

The unofficial packages to uninstall are:

Run the following command to uninstall these packages and their dependencies:

for pkg in docker.io \\\n    docker-doc \\\n    docker-compose \\\n    podman-docker \\\n    containerd \\\n    runc; do \\\n    sudo apt-get remove $pkg;\ndone\n

Note

apt-get might report that you have none of these packages installed.

"},{"location":"docker/#using-the-convenience-script","title":"Using the convenience script","text":"

Docker provides a convenience script at https://get.docker.com/ to install Docker non-interactively. Prior to executing it, be sure to familiarize yourself with the potential risks and limitations associated with this script.

Tip

You can run the script with the --dry-run option to learn what steps the script will run when invoked:

curl -fsSL https://get.docker.com -o get-docker.sh\nsudo sh ./get-docker.sh --dry-run\n

  1. Begin by changing into your home directory, then download and execute the convenience script to install the latest stable release of Docker:
    cd ~/\ncurl -fsSL https://get.docker.com -o get-docker.sh\nsudo sh get-docker.sh\n
  2. Verify that the installation is successful by running the hello-world image:
    sudo docker run hello-world\n
    This command downloads a test image and runs it in a container. When the container runs, it prints a confirmation message and exits. The output should appear similar to the example below:
    Unable to find image 'hello-world:latest' locally\nlatest: Pulling from library/hello-world\n478afc919002: Pull complete\nDigest: sha256:4bd78111b6914a99dbc560e6a20eab57ff6655aea4a80c50b0c5491968cbc2e6\nStatus: Downloaded newer image for hello-world:latest\n\nHello from Docker!\nThis message shows that your installation appears to be working correctly.\n

You have now successfully installed and tested Docker Engine. The docker service starts automatically on Debian based distributions.

Note

If the test container fails to run or you encounter any errors, refer to the Docker Engine documentation for troubleshooting tips.

"},{"location":"docker/#post-installation-steps","title":"Post-installation steps","text":"

The Docker daemon binds to a Unix socket, not a TCP port. By default it's the root user that owns the Unix socket, and other users can only access it using sudo. The Docker daemon always runs as the root user.

If you don't want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.

To create the docker group and add your user:

  1. Create the docker group.
    sudo groupadd docker\n
  2. Add your user to the docker group.
    sudo usermod -aG docker $USER\n
  3. Log out and log back in so that your group membership is re-evaluated.

With these steps completed, you have successfully installed and started Docker Engine. We're now ready to deploy RaspAP.

"},{"location":"docker/#deploying-raspap","title":"Deploying RaspAP","text":"

With Docker Engine installed, you have two ways of deploying RaspAP in a Docker container. Each of these methods is described in the sections below.

"},{"location":"docker/#using-docker-compose","title":"Using Docker compose","text":"

This method lets us deploy the entire RaspAP application stack with a single command (docker compose up) as well as configure things like environment variables, network settings and so on in a centralized manner. Advanced users may also use this option to define a multi-container environment of which RaspAP is one component. This may be done with the docker-compose.yml file.

Begin by cloning the raspap-docker GitHub repository into your home directory, then change into it:

cd ~/\ngit clone https://github.com/RaspAP/raspap-docker.git\ncd raspap-docker\n

For ARM devices, such as the Raspberry Pi, we must uncomment the cgroup: host line in the docker-compose.yaml file:

version: \"3.8\"\nservices:\n  raspap:\n    container_name: raspap\n    image: ghcr.io/raspap/raspap-docker:latest\n    #build: .\n    privileged: true\n    network_mode: host\n    cgroup: host # uncomment when using an ARM device \n    cap_add:\n      - SYS_ADMIN\n    volumes:\n      - /sys/fs/cgroup:/sys/fs/cgroup:rw\n    restart: unless-stopped\n

Edit this file with nano docker-compose.yaml, change the line to appear as above, then use Ctrl+O and press Enter to save and exit the file.

Important

Do not use docker-compose but rather docker compose. If the latter isn't present on your system, refer to Docker's installation steps.

With this configuration done, execute Docker compose like so:

docker compose up -d\n

You should see output similar to below to indicate the progress of RaspAP's Docker image being built:

docker compose up -d\n[+] Running 2/8\n \u2807 raspap 7 layers [\u2800\u2840\u28ff\u28ff\u2800\u2800\u2800] 12.83MB/337.8MB Pulling\n   \u280b 5665c1f9a9e1 Downloading [===>                        ]  3.547MB/49.59MB\n   \u280b 4311202aff18 Downloading [=========>                  ]   4.98MB/24.95MB\n   \u2714 ac4d205394f0 Download complete\n   \u2714 baf57b850085 Download complete\n   \u280b 18a1ed9b4ba8 Downloading [=>                          ]  4.307MB/263.3MB\n   \u280b 5bed08c889b9 Waiting\n   \u280b 09ed3fdeed88 Waiting\n

During this process, a Docker image containing RaspAP's application stack will be created on your system. This build always pulls the latest RaspAP release from the main GitHub repository.

Behind the scenes, Docker has used the image it created to start a containerized RaspAP application stack. You may confirm this by executing the following:

docker container ls\nCONTAINER ID   IMAGE           COMMAND                  CREATED        STATUS        PORTS     NAMES\n8d7b32b8373a   raspap:latest   \"/bin/bash -c '/home\u2026\"   2 hours ago    Up 2 hours             raspap\n

At this stage, the RaspAP application is running and you may access the web interface as you would normally. This will depend on the method you use to access your device, but is usually one of the following:

Take note that RaspAP and all its dependencies are wholly contained within the running Docker container. That is, the host system does not have any of the apt packages or application files used by RaspAP, unless you've explicitly installed them.

"},{"location":"docker/#using-the-container-registry","title":"Using the container registry","text":"

As an alternative to docker compose, described above, you may also deploy RaspAP using its hosted Docker container image. This is available as a raspap-docker package hosted on the GitHub Container registry. With this method, a single container is defined from its base image, the environment is setup and the application is configured within the container.

Given that everything needed to deploy RaspAP is stored within this package, it isn't necessary to clone the raspap-docker respository. Instead, you may simply execute one of the following docker run commands:

  1. For ARM devices, the cgroups must be made writable.
    docker run --name raspap -it -d --privileged --network=host --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw --cap-add SYS_ADMIN ghcr.io/raspap/raspap-docker:latest\n
  2. For non-ARM devices, execute the following.
    docker run --name raspap -it -d --privileged --network=host -v /sys/fs/cgroup:/sys/fs/cgroup:ro --cap-add SYS_ADMIN ghcr.io/raspap/raspap-docker:latest\n

With either of the above commands, you should see output as below followed by progress indicating the state of the various package components as they are downloaded to your system:

Unable to find image 'ghcr.io/raspap/raspap-docker:latest' locally\nlatest: Pulling from raspap/raspap-docker\n

When the container image download is completed, you may verify its operational state like so:

docker container ls\nCONTAINER ID   IMAGE                                 COMMAND                  CREATED          STATUS          PORTS     NAMES\n4257b8aa3c7e   ghcr.io/raspap/raspap-docker:latest   \"/bin/bash -c '/home\u2026\"   32 minutes ago   Up 32 minutes             raspap\n

At this stage, the RaspAP application stack is running and you may access the web interface as you would normally. This will depend on the method you use to access your device, but is usually one of the following:

Take note that RaspAP and all its dependencies are wholly contained within the running Docker container. That is, the host system does not have any of the apt packages or application files used by RaspAP, unless you've explicitly installed them.

"},{"location":"docker/#tips-and-tricks","title":"Tips and tricks","text":"

The following section has some general advice that users of RaspAP's Docker container have found useful. If you have a tip or trick to contribute, feel free to join our discussions.

"},{"location":"docker/#allocating-a-terminal","title":"Allocating a terminal","text":"

While RaspAP's Docker container is running, you may obtain an interactive pseudo-TTY, or Linux terminal, connected to standard input. Do so by executing the following:

docker exec -it raspap bash\n

The above command combines the -i (interactive) and -t (tty) options together with the raspap named container. The bash command starts an interactive Bash shell within the running container. From here you can perform most of the same shell operations and commands within Docker's pseudo-TTY as you would in a regular Linux environment.

"},{"location":"docker/#iptables-rules-and-nat","title":"iptables rules and NAT","text":"

When either of the above methods are executed, RaspAP will apply iptables Network Address Translation (NAT) rules on the host. It's necessary to add these rules on the host due to Docker's network isolation and security defaults.

Note

You should not need to execute ./firewall-rules.sh manually; RaspAP will do this for you.

If your host's network interfaces are anything other than wlan0 and eth0, you may customize these rules to suit your own specific needs. After editing this file on your device, set execute permissions and run it like so:

sudo chmod +x firewall-rules.sh\n./firewall-rules.sh\n

"},{"location":"docker/#installer-options","title":"Installer options","text":"

The goal of the initial Docker rollout for RaspAP is to have a \"one shot\" command to get a container up quickly with minimal user input. For this reason, the RaspAP application stack is installed with some common options enabled by default. These optional components are Ad blocking, OpenVPN and WireGuard.

You may change this behavior by removing any or all of the Quick installer flags from RaspAP's Dockerfile. For example, to skip the WireGuard install option, remove the --wireguard 1 flag on the line below:

VOLUME [ \"/sys/fs/cgroup\" ]\n\nRUN curl -sL https://install.raspap.com | bash -s -- --yes --wireguard 1 --openvpn 1 --adblock 1\nCOPY firewall-rules.sh /home/firewall-rules.sh\nCOPY wpa_supplicant.conf /etc/wpa_supplicant/\n

With this done, you may proceed with building your Docker image as usual.

Tip

Alternatively, you may choose to install these optional components and disable them in RaspAP's configuration file, config.php.

"},{"location":"docker/#environment-variables","title":"Environment variables","text":"

Several environment variables are made available in RaspAP's Docker image to aid in configuration. These are summarized in the table below:

Environment Variable Description Default RASPAP_SSID SSID name raspap-webgui RASPAP_SSID_PASS SSID password ChangeMe RASPAP_COUNTRY SSID country code GB RASPAP_WEBGUI_USER Admin username admin RASPAP_WEBGUI_PASS Admin password secret RASPAP_WEBGUI_PORT Web user interface port 80

More fine-grained configuration is also possible through the use of the following prefixed environment variables, in the form RASAPAP_[target]_[key]:

Environment Variable Prefix Target File RASPAP_hostapd_ /etc/hostapd/hostapd.conf RASPAP_raspap_ /etc/dnsmasq.d/090_raspap.conf RASPAP_wlan0_ /etc/dnsmasq.d/090_wlan0.conf

For example, RASPAP_hostapd_driver would set the driver value in /etc/hostapd/hostapd.conf.

"},{"location":"docker/#troubleshooting","title":"Troubleshooting","text":"

The docker logs command shows information logged by a running container and is generally the best starting point for troubleshooting. To obtain logs for the raspap container, execute docker logs raspap.

The Docker daemon logs may also help you diagnose problems. Use the command journalctl -xu docker.service (or read /var/log/syslog or /var/log/messages, depending on your Linux Distribution).

For issues related to Docker Engine, refer to Docker's troubleshooting section.

"},{"location":"docker/#discussions","title":"Discussions","text":"

Questions or comments about using RaspAP's Docker container? Join the discussions here.

"},{"location":"dynamicdns/","title":"Dynamic DNS","text":""},{"location":"dynamicdns/#overview","title":"Overview","text":"

Experimental \u00b7 Insiders only

Accessing your device from anywhere in your local network is great, but there are times when you might want it to be reachable from remote locations. This is particularly true for projects such as media servers, network attached storage (NAS) and VPNs such as those provided by RaspAP. However, due to the shortage of IPv4 addresses, it's likely that you will receive a new and different external IP address from your ISP each time your router is rebooted.

Some ISPs offer a static external IP address, although often at an additional cost above a basic subscription. This is where using a Dynamic DNS (or DDNS) service on your home network can be extremely useful.

"},{"location":"dynamicdns/#solution","title":"Solution","text":"

Dynamic DNS solves this problem by providing a domain name that always points to the current IP address of your device, regardless of how often it changes. With DDNS, the IP assigned to your domain name is automatically updated by a piece of software (known as a daemon) running on your device. This means that you can access the server using the same domain name, without having to constantly update settings each time the IP address changes.

The daemon running on your device resolves your external IP address using one of several methods, then reports this to your DDNS provider. There are a number of different providers that offer Dynamics DNS free of charge. If you currently own a custom domain name, chances are your registrar provides DDNS or has a partner to support this.

"},{"location":"dynamicdns/#installation","title":"Installation","text":"

The Quick installer will give you the option to add the required packages to your system, and enable the configuration page in RaspAP. Simply press Enter at the prompt to accept the default \"Y\" (yes) response:

Install ddclient and enable DDNS configuration? [Y/n]:\n

When the installer completes, you will be able to administer the ddclient service as described in the sections below.

"},{"location":"dynamicdns/#basic-settings","title":"Basic settings","text":"

All the configuration settings needed to enable Dynamic DNS on your device are available on the Basic settings tab. These are described in the next section.

"},{"location":"dynamicdns/#service-provider","title":"Service provider","text":"

RaspAP makes use of the proven ddclient open source software for Linux to update dynamic DNS entries. The ddclient software is highly configurable and provides a daemon that updates your external IP at scheduled intervals. Many popular Dynamic DNS services are supported by ddclient and RaspAP.

Instructions on how to setup your domain for DDNS vary by provider, but the process is generally similar. Begin by selecting a Service provider from the dropdown. RaspAP will assist you by automatically populating the Protocol and Server fields. You may also manually configure the details for your service if so desired.

Note

Some DDNS providers, such as NoIP, distribute their own Linux client to use with their service. It isn't necessary to install this software because the ddclient daemon already includes this functionality.

"},{"location":"dynamicdns/#method-to-obtain-ip","title":"Method to obtain IP","text":"

There are a variety of different methods to determine your external IP address. A popular one involves a discovery page on the web that resolves your IP. If you choose this method, enter it in the Web address field after selecting this option from the Method to obtain IP select.

Tip

There are many freely available external IP discovery pages you can use. Examples include ChangeIP and this one from Namecheap. Each of these pages perform the same basic function.

Alternatively, you may want to use an IP address from a network interface, your router's firewall status page, or an external command. Each of these options can be specified, thereby giving you a great deal of flexibility.

"},{"location":"dynamicdns/#login-and-domain","title":"Login and domain","text":"

Enter your DDNS service credentials in the Username and Password fields. Finally, specify the Domain to be updated that will be associated with your device. DDNS providers may also refer to this as a \"zone\" or \"host\". These definitions may take several forms, for example:

myhost.dyndns.org\nmydomain.com\n@.mydomain.com\n

Check with your DDNS service provider to determine which entry is best for your configuration. To complete your setup, choose Save settings now or proceed with advanced options.

"},{"location":"dynamicdns/#advanced-settings","title":"Advanced settings","text":"

A subset of advanced options are provided for your configuration. These are not required for the DDNS service to be functional, but may be adjusted to suit your needs.

"},{"location":"dynamicdns/#enable-ssl","title":"Enable SSL","text":"

You may wish to Enable SSL to ensure that your credentials are not sent over the internet unencrypted. Not all providers support this, however, so this option is disabled by default. Enabling this option for a non-SSL supported provider may result in a connection timeout. Errors such as these have been reported:

WARNING:  cannot connect to checkip.dyndns.org:443 socket: Connection timed out SSL connect attempt failed\nWARNING:  found neither IPv4 nor IPv6 address\nDEBUG:    get_ip: using web, http://checkip.dyndns.org/ reports <undefined>\nWARNING:  unable to determine IP address\n

For this reason, it's recommended to check with your DDNS service provider before enabling this.

"},{"location":"dynamicdns/#daemon-check-interval","title":"Daemon check interval","text":"

Finally, you may define the Daemon check interval to control the length of time between updates performed by ddclient in the background. This value is specified in milliseconds and defaults to 300.

When you've completed your configuration, choose Save settings and Start Dynamic DNS.

"},{"location":"dynamicdns/#troubleshooting","title":"Troubleshooting","text":"

Behind the scenes, the ddclient daemon will determine your external IP using the method you've defined and send this to your DDNS provider. Your provider will then update the IP address corresponding to the DNS \"A\" (or \"address\") record for your domain.

If your DDNS provider fails to report your current IP address, or you suspect there might be a problem with the ddclient configuration on your device, you may generate a detailed debug log.

From the Logging tab, use the Generate log button to invoke the ddclient daemon and output a troubleshooting log:

This will provide a verbose output of everything ddclient is doing. If it ends with a SUCCESS message this indicates that the daemon successfully checked and updated the DNS \"A\" record with your provider, if neccessary. An example of this is shown below:

RECEIVE:  140.82.121.3\nDEBUG:    get_ip: using web\n dynamicdns.park-your-domain.com/getip reports 140.82.121.3\nSUCCESS:  @.mydomain.com: skipped: IP address was already set to 140.82.121.3.\n

If the daemon doesn\u2019t reply with SUCCESS, the debug output should give you some clues as to what the problem is.

"},{"location":"dynamicdns/#port-forwarding","title":"Port forwarding","text":"

If ddclient has successfully updated your DDNS provider's \"A\" record with your IP address, but you are unable to access your device remotely, it's likely your router needs to be configured for port forwarding. This instructs the router to send, or forward, data packets from the external WAN interface to the internal IP address belonging to your device.

You can enable this by using your router's port mapping/forwarding setup. This procedure allows remote computers to connect to a specific device within your internal LAN's private address space. Specifics are highly dependent on the router you have, although the steps are generally straightforward. Consult your router's documentation for details.

"},{"location":"dynamicdns/#demilitarized-zone","title":"Demilitarized zone","text":"

An alternative to forwarding specific ports to an internal IP is using a demilitarized zone (DMZ). A home router DMZ is a host on an internal network that has all UDP and TCP ports open and exposed, except those ports otherwise forwarded. By using this method, all the ports (and services) of your device will be directly accessible from the internet, with the attendant security risks that this implies.

This setup is often desirable when a host is running multiple public-facing services that need to be accessed over the internet. In this context, a DMZ provides greater isolation and granular control than is possible with port forwarding. It's also possible to configure different security policies for various DMZ segments. For these reasons, a properly configured DMZ can be a more secure way to expose services to the internet than port forwarding.

The specifics of creating a DMZ are beyond the scope of this document, although at minimum a firewall is strongly advised.

"},{"location":"dynamicdns/#discussions","title":"Discussions","text":"

Questions or comments about using Dynamic DNS? Join the discussion here.

"},{"location":"faq/","title":"FAQ","text":"

This guide was written to address some frequently asked questions among users of RaspAP. FAQ items are organized into thematic sections, below, for easier reference.

If you would like to see a new FAQ that you feel would assist other users, start a discussion or open an issue.

"},{"location":"faq/#general","title":"General","text":""},{"location":"faq/#troubleshooting","title":"Troubleshooting","text":""},{"location":"faq/#integrations","title":"Integrations","text":""},{"location":"faq/#openvpn","title":"OpenVPN","text":""},{"location":"faq/#wireguard","title":"WireGuard","text":""},{"location":"faq/#networking","title":"Networking","text":""},{"location":"faq/#install-upgrade","title":"Install & upgrade","text":""},{"location":"faq/#is-raspap-a-fork-of-openwrt-or-another-router-project","title":"Is RaspAP a fork of OpenWrt or another router project?","text":"

RaspAP is an independent wireless router project designed for embedded systems and created by a community of developers. By contrast, OpenWrt is an operating system built around the Linux kernel. While powerful, it's rather more difficult to tailor custom applications around OpenWrt. That is, users are generally limited to what is available in OpenWrt's package repository, unless they fork the project code and modify the OS.

RaspAP is popularly used to provide a variety of networking and wireless routing services to other Linux projects and applications. Moreover, with Docker support users are able to run RaspAP in an isolated container. This gives you much greater flexibility if you're hosting other Linux services and/or applications on your device.

"},{"location":"faq/#what-is-the-scope-of-support-for-desktop-distributions","title":"What is the scope of support for Desktop distributions?","text":"

A desktop distribution (or \"distro\") usually has a very different set of programs that handles various underlying OS functions and wraps it with a pretty GUI. While this project generally recommends non-desktop distros, such as Raspberry Pi OS Lite, it's understood that many users prefer using a desktop environment.

For this reason, Raspberry Pi OS (64-bit) Desktop has undergone extensive testing and is subsequently validated for use with this project with clean installs of the OS.

Please be aware that \"supported\" is not a guarantee. That is, if you experience issues with RaspAP in your desktop environment, it's your responsibility (not the maintainers of this project) to eliminate potential conflicts with other software that you've installed after booting a fresh desktop OS. Before reporting a bug, you may use one of several community support channels to help you determine the cause of your issue or find a potential workaround.

"},{"location":"faq/#what-do-all-these-settings-in-the-ui-do-changing-them-seems-to-have-no-effect","title":"What do all these settings in the UI do? Changing them seems to have no effect.","text":"

RaspAP manipulates several daemons, services and helper programs behind the scenes for you. In the footer of each management panel is a helpful \"Information provided by...\" label. These indicate which Linux daemon and/or program is being modified by the UI. Learning what these services are and how they work will go a long way toward demystifying things.

For example, two of the best starting points for understanding hostapd (the service that implements 802.11 AP management) include the hostapd Linux documentation page and hostapd Wifi homepage.

Info

After you choose Save settings for hostapd or dhcpcd, these services must be restarted for your changes to take effect. If you're not sure if your AP is behaving as expected, enable logging in the Logging tab of Hotspot and check the output.

"},{"location":"faq/#how-do-i-prepare-the-sd-card-to-connect-to-wifi-in-headless-mode","title":"How do I prepare the SD card to connect to WiFi in headless mode?","text":"

Since May 2016, Raspbian has been able to copy wifi details from /boot/wpa_supplicant.conf into /etc/wpa_supplicant/wpa_supplicant.conf to automatically configure wireless network access.

An example wpa_supplicant.conf file is shown below. Replace the fields with your settings:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev\nupdate_config=1\ncountry=your_ISO-3166_two-letter_country_code\n\nnetwork={\n    ssid=\"my_SSID\"\n    psk=\"my_PSK\"\n    key_mgmt=WPA-PSK\n}\n
"},{"location":"faq/#can-i-use-wlan0-and-wlan1-rather-than-eth0-for-my-ap","title":"Can I use wlan0 and wlan1 rather than eth0 for my AP?","text":"

Yes, this is supported by RaspAP. In this scenario, you may wish to use the wlan0 interface as the AP interface with wlan1 as the wireless client interface. Refer to the dedicated WiFi repeater walkthrough for steps to enable this configuration.

"},{"location":"faq/#can-i-use-raspap-as-a-monitor-only-without-changing-my-configuration","title":"Can I use RaspAP as a monitor only, without changing my configuration?","text":"

Yes, RaspAP has support for a so-called \"monitor mode\". In config.php change the setting RASPI_MONITOR_ENABLED to true. This disables the ability to modify settings, start/stop daemons, shutdown or reboot the RPi. RaspAP will continue to report interface statistics, service settings and data usage as normal. See this for more information.

"},{"location":"faq/#can-i-use-raspap-with-my-custom-dnsmasq-configuration","title":"Can I use RaspAP with my custom dnsmasq configuration?","text":"

Yes, RaspAP supports this through the use of dnsmasq.d. The primary /etc/dnsmasq.d/090_raspap.conf managed by the UI includes the following directive to enable your custom .conf files:

conf-dir=/etc/dnsmasq.d\n

Configuration files placed in this directory will be used by the dnsmasq service and are untouched by the UI.

"},{"location":"faq/#what-is-the-maximum-number-of-simultaneous-clients-that-i-can-connect-to-my-ap","title":"What is the maximum number of simultaneous clients that I can connect to my AP?","text":"

Short answer: it depends.

Longer answer: there are several factors that come into play including, but not limited to, the specific RPi model, firmware version, available RAM and so on.

Every update to the RPi's firmware takes up more of the limited RAM reserved for WiFi, resulting in less space to host AP clients. Users of RaspAP have reported up to 19 simultaneous clients with a RPi 3B, but a smaller number with a newer RPi model. If you are willing to modify your device's firmware and replace the brcmfmac driver with a specific version, a maximum of 20 simultaneous WiFi clients is theoretically possible.

Bottom line: if maximizing AP clients is your primary goal, you will have to either use a specific firmware version or purchase an external wireless adapter.

See also: https://github.com/raspberrypi/linux/issues/3010.

"},{"location":"faq/#where-can-i-find-a-list-of-usb-wifi-adapters-that-use-in-kernel-drivers","title":"Where can I find a list of USB WiFi adapters that use in-kernel drivers?","text":"

There are many USB WiFi adapters that work without the need to install a driver in Linux. The term \"in-kernel\" refers to drivers that are packaged and maintained by the Linux kernel.

This GitHub list currently has 60 links to USB WiFi adapters that work without installing drivers (ie., \"plug and play\") on devices like the Raspberry Pi.

With adapters that use in-kernel drivers, you may simply plug the adapter in and it will work. Many people find that using adapters with in-kernel drivers is a better solution than buying an adapter that requires drivers to be found, downloaded, compiled, installed, fixed and reinstalled.

"},{"location":"faq/#what-are-the-passphrase-requirements-used-by-raspap","title":"What are the passphrase requirements used by RaspAP?","text":"

The requirements are based on IEEE standard 802.11i-2004 which defines a passphrase as a sequence of between 8 and 63 ASCII-encoded characters. Furthermore, each character in the passphrase must have a decimal encoding in the range of 32 to 126 (IEEE Std. 802.11i-2004, Annex H.4.1). These are often known as printable characters that represent letters, digits, punctuation marks and a few miscellaneous symbols.

This means that so-called special characters, or extended ASCII codes, are not permitted in a passphrase. For example, the Euro sign \"\u20ac\", German \"\u00e4\" and British pound symbol \"\u00a3\" fall outside this range.

RaspAP will automatically generate a secure passphrase, or PSK, for you. On the Hotspot > Security tab, click or tap the magic icon next to the PSK input. Choose Save settings and Restart hotspot for the changes to take effect.

"},{"location":"faq/#can-i-remove-the-ap-password-to-create-an-open-wifi-network","title":"Can I remove the AP password to create an open WiFi network?","text":"

Yes. On the Hotspot > Security tab, select 'None' for Security type. Choose Save settings and Restart hotspot for the changes to take effect.

"},{"location":"faq/#how-do-i-prevent-wan-access-to-raspaps-web-administration","title":"How do I prevent WAN access to RaspAP's web administration?","text":"

There are two ways to do this. The simplest method is to set the web server's bind address in RaspAP's System > Advanced tab to the IPv4 address you wish to grant access to. Choose Save settings and Restart lighttpd. After this is done, the web server will refuse connections to all IP addresses other than the one you've defined.

A somewhat cleaner method with a \"403 Forbidden\" response can be done manually with lighttpd. You could modify lighttpd's main config directly, but to keep things neater we can use RaspAP's own configuration in lighttpd's /conf-available directory. Edit it like so:

sudo nano /etc/lighttpd/conf-available/50-raspap-router.conf\n

Add the following to the end, substituting the 192.168.0.0/16 private IPv4 address range (192.168.0.0 \u2013 192.168.255.255) for your own network:

# deny access to RaspAP admin for users that\n# are not in the 192.168.0.0/16 network\n$HTTP[\"remoteip\"] != \"192.168.0.0/16\" {\n    url.access-deny = ( \"\" )\n}\n

Save and exit the file, then restart the lighttpd service:

sudo systemctl restart lighttpd.service\n

Clients outside of your defined network range will receive a '403' response when accessing the web UI.

"},{"location":"faq/#can-i-reduce-the-risk-of-sd-card-corruption-and-extend-a-cards-lifespan","title":"Can I reduce the risk of SD card corruption and extend a card's lifespan?","text":"

Yes. RaspAP has developed a minimal write mode that substantially reduces disk I/O activity and helps to extend the life of microSD cards.

"},{"location":"faq/#after-a-clean-install-wifi-andor-raspap-behaves-unpredictably","title":"After a clean install, WiFi and/or RaspAP behaves unpredictably.","text":"

Issues like this are frequently reported. The vast majority of these problems stem from one (or a combination) of the following:

  1. The install was not performed on a clean OS.
  2. A faulty, corrupt, fake, poor quality and/or otherwise unsuitable SD card was used.
  3. The SD card has insufficient storage space.
  4. Raspberry Pi Imager software applied preconfigured wireless settings.

If you observe RaspAP or your wireless AP behaving strangely, be sure to follow the project prerequisites and perform a clean install with a known-good SD card from a reputable manufacturer.

Problems such as this can be difficult to diagnose. In this case, the Raspberry Pi Imager was adding the user's old WiFi settings to an otherwise clean OS image. Be sure to check the \"OS customization\" options when using this software. When in doubt, use an alternative SD card imaging tool.

RaspAP has been successfully integrated with many popular open source projects. One of the best ways to use RaspAP in an existing project is to deploy it in an isolated Docker container.

"},{"location":"faq/#my-80211ac-5-ghz-hotspot-failed-to-start-what-now","title":"My 802.11ac 5 GHz hotspot failed to start. What now?","text":"

RaspAP uses iw and the wireless-regdb to determine which channels are allowed for your configured country. However, not all channels may be supported by your device's wireless adapter or firmware. If your 5 GHz access point fails to start, use the steps below to troubleshoot the problem.

Begin by enabling hostapd service logging by sliding the Logfile output toggle on the Hotspot > Logging tab. Choose Save settings followed by Restart hotspot and check the log output. The logs will often indicate when a selected channel is not supported by the hardware. For example:

wlan0: IEEE 802.11 Hardware does not support configured channel\nCould not select hw_mode and channel. (-3)\n

This may occur with the Raspberry Pi or another device's onboard wireless chipset, or an external wireless adapter. To mitigate this, select one of the following 5 GHz channels: 36, 40, 44 or 48, then choose Save settings. Click or tap the Clear log button on the Hotspot > Logging tab, if needed, and finally choose Restart hotspot. Check the logs again and see if the error persists.

If the 802.11ac AP still fails to start, an external AC wireless adapter with in-kernel drivers is an option worth considering.

"},{"location":"faq/#clients-cannot-obtain-an-ip-address-from-the-ap","title":"Clients cannot obtain an IP address from the AP.","text":"

Clients may receive a \"failed to obtain IP address\" or similar error message when connecting to your AP. These are the most frequent reasons for this error: 1. A poor WiFi signal from the access point. In this event, reduce the distance between your device and the AP. 2. Your device does not operate properly with the encryption method set by the AP. 3. The access point is misconfigured.

The first and simplest fix is to reconnect the client to your WiFi network. When you do this, the AP forgets the previous attempt and initiates a new process to assign an IP address to your device. Exact methods vary between devices, however most will have a 'Forget this network' option or similar in the WiFi settings. This is shown in iOS, below:

If clients still fail to connect, restart the AP. You may do this by choosing Restart hotspot from RaspAP. This reinitializes several related services in a predictable order and timing. Assuming these services are configured to restart automatically on reboot (the default behavior when RaspAP's installer is used) you may also simply reboot your Pi.

RaspAP gives you control over many aspects of your WiFi network, including DHCP. With its default settings, RaspAP has been rigorously tested and validated to provide connectivity in routed AP mode. If you suspect that RaspAP is misconfigured and not providing IP addresses to clients, you may troubleshoot this yourself.

Clients connecting to your AP are assigned, or leased, an IP address with dnsmasq. You can see how this process works by enabling the Log DHCP requests option in the DHCP Server > Logging tab. When a client connects to your AP, a typical dnsmasq-dhcp exchange follows this pattern:

dnsmasq-dhcp[2516]: DHCPDISCOVER(wlan0) [MAC address] \ndnsmasq-dhcp[2516]: DHCPOFFER(wlan0) 10.3.141.249 [MAC address] \ndnsmasq-dhcp[2516]: DHCPREQUEST(wlan0) 10.3.141.249 [MAC address] \ndnsmasq-dhcp[2516]: DHCPACK(wlan0) 10.3.141.249 [MAC address] iPhone\n

If one or more steps in this exchange are missing, either your device is unable to respond to the server's DHCPOFFER or the AP itself is misconfigured.

Tip

By default, the dnsmasq service listens on TCP/UDP port 53 and UDP port 67. If you have configured firewall software such as ufw or iptables to filter traffic on these ports, the service may not be able to respond to DHCP requests.

As a last resort, you can assign a static IP address to your device. Copy the MAC address for your device as it appears above and create a new entry in RaspAP's DHCP Server > Static Leases tab. Save settings, restart dnsmasq and try connecting your client again.

"},{"location":"faq/#my-wifi-network-disappeared-and-i-cant-access-the-web-ui","title":"My WiFi network disappeared and I can't access the web UI","text":"

If you are running your Pi headless and are unable to access RaspAP's web interface from the default http://10.3.141.1/ address, do the following:

  1. Be sure your browser isn't forcing SSL by appending https:// to the address, which can result in misleading errors. This may sound obvious but it's reported frequently. (Related: add SSL support for RaspAP.
  2. Connect your device to wired ethernet and access it via the browser or SSH on the eth0 interface using one of the methods described below. Check the logs for hostapd errors and reconfigure the service, or run the installer again to restore the default configuration.
  3. There are several methods you can use to determine your Pi's IP address. RaspAP's installer only configures a static IP address for the AP interface on wlan0. If the AP has entered a failed state, you may still be able to connect on an alternate interface.
  4. Recent versions of the RPi OS kernel include the avahi-daemon which facilitates local network discovery via multicast DNS (mDNS). On client computers with the Bonjour service installed (all macOS machines and Windows PCs with Apple iTunes), try accessing your Pi by entering http://raspberrypi.local/ in the browser or via SSH with ssh pi@raspberrypi.local.
  5. If you don't have access to wired ethernet or the above methods fail, configure your Pi for USB-OTG, also known as \"on-the-go\" or gadget mode. Instructions for enabling USB-OTG vary between various models and not all Pi hardware has support for this.
"},{"location":"faq/#my-custom-hostapdconf-phpini-is-gone","title":"My custom hostapd.conf / php.ini is gone.","text":"

The installer applies a \"known good\" default configuration to some services, including hostapd. It will also, optionally, optimize PHP by changing a very limited number of settings. Your custom configurations haven't been lost however; they've been moved to the backups directory in /etc/raspap/backups.

You are free to SSH in to restore those files to their rightful position. However, you may need to ensure that the RaspAP modifications are applied to your own custom configurations.

"},{"location":"faq/#i-changed-the-admin-password-and-forgot-what-it-was","title":"I changed the admin password and forgot what it was.","text":"

Login credentials are stored in /etc/raspap/raspap.auth. The password is encrypted and cannot be edited manually. However, deleting this file with sudo rm /etc/raspap/raspap.auth will restore the default admin password.

"},{"location":"faq/#raspap-control-panel-works-but-there-is-no-wifi-after-reboot","title":"RaspAP control panel works but there is no WiFi after reboot.","text":"

This problem often occurs when another program tries to reconfigure hostapd at startup. It can also happen when your RPi is configured as both a WiFi client and access point, also known as a managed mode AP. To address this, RaspAP has added a systemd init service to bring up networking services in a predictable order and timing after the Linux kernel is booted. You can check the status of this service with:

sudo systemctl status raspapd.service\n

The raspapd.service is optionally installed and enabled by the Quick Installer. It is also included in the manual setup steps.

"},{"location":"faq/#bridged-ap-mode-is-unstable-or-clients-cant-connect","title":"Bridged AP mode is unstable or clients can't connect.","text":"

RaspAP delegates all DHCP control to your router in bridged AP mode. If you have trouble connecting clients, start with this project's default configuration in routed AP mode first and try connecting a client. Enable logging for DHCP and hostapd to help you identify any problems. If you have no issues with client connectivity with the default routed AP, but cannot connect clients in bridged AP mode, in most cases the problem lies with your router\u2014not RaspAP. Check your router's web interface and DHCP settings.

If clients disconnect intermittently, this often indicates an undervoltage issue with your RPi. Check the kernel log for any Under-voltage detected! errors. Be sure you are using an official 5.1V power supply (each model has different power requirements) and detach any USB devices. Executing dmesg | grep br0 can also offer clues. Execute sudo dhclient -v to gain insights into DHCP requests between your device and router. A typical DHCP exchange follows this pattern:

CLIENT -> DHCPDISCOVER\nSERVER -> DHCPOFFER\nCLIENT -> DHCPREQUEST\nSERVER -> DHCPACK\n

If your device (the client) broadcasts DHCPDISCOVER, but there is no DHCPOFFER response from your router, you have a misconfiguration or other issue with your network. Troubleshooting client connectivity in bridged AP mode is not supported. No hard feelings.

"},{"location":"faq/#managed-mode-ap-doesnt-work-on-the-pi-zero-w","title":"Managed mode AP doesn't work on the Pi Zero W.","text":"

See this walkthrough where the installation is described in detail.

"},{"location":"faq/#wifi-scanning-doesnt-work-or-i-get-the-error-cannot-execute-wpa_cli-reconfigure","title":"WiFi scanning doesn't work or I get the error cannot execute \"wpa_cli reconfigure\".","text":"

On some configurations, the Configure WiFi client panel may appear empty. This project uses the wpa_supplicant command line client wpa_cli to populate a list of available wireless networks. If you can't execute this from the shell, neither can the web UI. For example, the results of this command:

sudo wpa_cli -i wlan0 scan_results\nFailed to connect to non-global ctrl_ifname: wlan0  error: No such file or directory\n
...indicate a problem with the socket used to communicate with wpa_supplicant. You may also encounter errors such as \"Could not connect to wpa_supplicant: wlan0 - re-trying\".

If this happens, first check the contents of wpa_supplicant with sudo cat /etc/wpa_supplicant/wpa_supplicant.conf. You should see, at minimum, the following:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev\nupdate_config=1\n

The above is present on clean installs of Raspbian. If you've made changes to this file, ensure that these lines appear first. Next, reinitialize the socket with:

sudo wpa_supplicant -B -Dnl80211,wext -c/etc/wpa_supplicant/wpa_supplicant.conf -iwlan0\n

substituting wlan0 with your wireless interface, if necessary. You should then be able to perform scans as expected.

Tip

If you are using wpa_suplicant.conf to connect to your device with SSH on a wireless interface, do not reboot after running the Quick Installer. More information on this topic is available here.

"},{"location":"faq/#i-started-the-hotspot-but-it-shows-hostapd-down-whats-happening","title":"I started the hotspot but it shows \"hostapd down\". What's happening?","text":"

Hostapd, the Linux service that creates the access point, can fail to start for a variety of reasons. The following are common causes, with troubleshooting advice:

  1. If you've attached an external wireless adapter (bound to wlan1, for example) and have selected this as the AP interface, be sure that it either uses an in-kernel driver, also known as \"plug and play\" support, or that you have installed the correct driver for it.
  2. Confirm that the 802.11 wireless mode you've selected is supported by the adapter you've chosen in the list of available interfaces. For example, if you've selected the 802.11ac 5 GHz wireless mode with incompatible hardware, RaspAP will create the configuration for you but hostapd will fail to start.

In each of these cases, the hostapd service will report errors that can be useful for troubleshooting. Enable logging by selecting Logfile output on the Hostapd > Logging tab, choose Save settings then Restart hotspot.

Refer to this FAQ and this FAQ for more info.

"},{"location":"faq/#pinging-the-ap-from-a-connected-client-computer-or-vice-versa-results-in-an-intermittent-failure-can-i-troubleshoot-this","title":"Pinging the AP from a connected client computer (or vice versa) results in an intermittent failure. Can I troubleshoot this?","text":"

An intermittent ping failure on the wireless interface could indicate any number of things; a poor wireless signal, co-channel interference and disassociated client being among the most common. The following are methods for troubleshooting this:

  1. Get a signal strength report. A signal of -80 dBm or less from your AP is unreliable. If your client computer supports Linux, use sudo iw dev wlan0 scan | awk '/signal:/{sta=$2$3} /SSID:/{print $0\" \"sta}' and check your AP's dBm value. Alternatively, use any one of several graphical WiFi explorer type tools and obtain your signal strength this way.

  2. Use wavemon on the AP to scan for overlapping channels from nearby APs. Install it with sudo apt install wavemon. If it shows an AP with a strong signal on the same channel as your AP, you are likely experiencing co-channel interference. Select a different channel or band for your AP, restart it and compare the results.

  3. Use mtr to run a continuous scan that reports on latency and percentage packet loss. Install it with sudo apt install mtr-tiny. Obtain your client's IPv4 address from the dashboard or DHCP Server > Client list and start the utility, for example mtr 10.3.141.151. While the scan is running, reposition your client computer and/or your AP and observe the results.

  4. Enable hostapd service logging from RaspAP with Hotspot > Logging > Logfile output, followed by Save settings and restart your AP. Look for errors that indicate clients are being disassociated from the AP. Refer to this FAQ for more info.

"},{"location":"faq/#my-wlan1-keeps-being-disabled-andor-clients-are-repeatedly-disconnected","title":"My wlan1 keeps being disabled and/or clients are repeatedly disconnected.","text":"

Issues such as this can be tricky to diagnose. In this case, an AP is started with an external USB wireless adapter, but client devices are continuously authenticated and disconnected (or \"disassociated\"). This may appear in hostapd service logs like so:

wlan1: STA 24:62:ab:fd:24:34 IEEE 802.11: authenticated\nwlan1: STA 24:62:ab:fd:24:34 IEEE 802.11: associated (aid 1)\nwlan1: AP-STA-CONNECTED 24:62:ab:fd:24:34\nwlan1: STA 24:62:ab:fd:24:34 RADIUS: starting accounting session 1D0030DD3176A315\nwlan1: STA 24:62:ab:fd:24:34 WPA: pairwise key handshake completed (RSN)\nwlan1: AP-STA-DISCONNECTED 24:62:ab:fd:24:34\nwlan1: STA 24:62:ab:fd:24:34 IEEE 802.11: disassociated\nwlan1: STA 24:62:ab:fd:24:34 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)\n

The AP itself may also fail repeatedly with errors like the following:

wlan1: INTERFACE-ENABLED \nFailed to set beacon parameters\nwlan1: INTERFACE-DISABLED \nwlan1: INTERFACE-ENABLED \nFailed to set beacon parameters\nwlan1: interface state ENABLED->DISABLED\nwlan1: AP-DISABLED \nwlan1: CTRL-EVENT-TERMINATING \n

If you see messages indicating \"deauthenticated due to inactivity\", you can try the \"Disable disassoc_low_ack\" setting on the Hotspot > Advanced tab. Choose Save settings then restart your AP. Monitor the hostapd service logs and see if your clients are able to remain connected.

In this specific case, the user determined that the external RT3070 WiFi adapter was at fault.

"},{"location":"faq/#raspap-web-ui-fails-to-start-or-unable-to-save-settings","title":"RaspAP web UI fails to start or unable to save settings.","text":"

After performing a clean install of RaspAP or upgrading an existing installation, the web UI may fail to start or the admin panel may behave in unexpected ways. For example, pages may load but any attempt to save settings will fail. In other cases, the lighttpd web server may fail to respond completely. Errors such as these in /var/log/lighttpd/error.log are common:

(gw_backend.c.503) bind failed for: unix:/run/lighttpd/php.socket-0: No such file or directory\n(gw_backend.c.601) gw-backend failed to start: /usr/bin/php-cgi\n(gw_backend.c.1655) [ERROR]: spawning gw failed\n

These signs point to a corrupted filesystem on the SD card. If during a power disconnection the memory card is in a write operation, there is a high chance that one or more sectors will be damaged. In these cases, a fresh install on a new SD card can save you time and frustration. RaspAP's minimal SD card write mode can help in this case.

Tip

Be sure to use genuine MicroSD cards from a reputable manufacturer. Card clones are common and hard to distinguish from legitimately made ones, but certainly not subject to the same quality standards. Neither fake nor cheap cards are typically suitable for an entire OS to run from.

"},{"location":"faq/#why-do-i-receive-an-invalid-csrf-token-message-and-a-blank-screen","title":"Why do I receive an 'Invalid CSRF token' message and a blank screen?","text":"

A cross-site request forgery (CSRF) is a type of exploit where unauthorized commands are executed against a website on behalf of a trusted user. To guard against this, RaspAP generates a one-time token that is unique for every user and stored in the PHP session object. This token value is inserted into a hidden field on every form in the RaspAP application. If the token doesn\u2019t exist in the submitted form data or fails to match with the token on the server, the form will reject the submission and return an error.

The most common cause for this error message is when your PHP session expires. By default, the PHP session timeout is defined as 24 minutes (1440 seconds). When this timeout is reached stored data will be seen as \"garbage\" and cleaned up by the garbage collection process.

If you submit a form in RaspAP 24 minutes after the page was loaded, the application will return a CSRF token error. When this occurs, simply refresh the page to generate a new session token.

"},{"location":"faq/#can-i-restore-raspaps-default-settings","title":"Can I restore RaspAP's default settings?","text":"

Yes, two methods are described here.

"},{"location":"faq/#how-do-i-integrate-raspap-with-pi-hole","title":"How do I integrate RaspAP with Pi-hole?","text":"

There have been several discussions around integrating RaspAP with Pi-hole, with the end goal of hosting a complete AP and ad-blocker on a single device. Both projects rely on dnsmasq, so integration between them is tricky. There are now several options available to users of RaspAP.

  1. The first option is to configure RaspAP to use a Pi-Hole installation on a separate device. Go to RaspAP's DHCP Server > Advanced page and enable the \"Upstream DNS Server\" option, add your Pi-Hole's DNS, save settings and restart dnsmasq.

  2. Install RaspAP in an isolated Docker container together with Pi-Hole. You will need to configure Pi-Hole's dnsmasq service to listen on a port other than 53.

  3. Install Pi-Hole in a Docker container and proceed with a normal installation of RaspAP on the same device.

  4. Alternatively, you may use RaspAP's own ad blocking facility with support for custom blocklists.

"},{"location":"faq/#can-i-integrate-raspap-with-adguard-home","title":"Can I integrate RaspAP with Adguard Home?","text":"

Yes, you can run RaspAP and Adguard Home on the same device. Change Adguard Home\u2019s listening port to 5300 and bind to 127.0.0.1, then go to RaspAP's > DHCP Server > Advanced page and enable the \"Upstream DNS Server\". Add 127.0.0.1#5300 as an upstream DNS Server. Save settings and restart dnsmasq. Tip via @firestrife23

"},{"location":"faq/#can-i-configure-raspap-to-work-with-a-captive-portal","title":"Can I configure RaspAP to work with a captive portal?","text":"

Yes. The nodogsplash project works just fine with RaspAP and is recommended over other methods. A detailed setup guide is available here.

"},{"location":"faq/#how-do-i-create-an-ap-activation-schedule","title":"How do I create an AP activation schedule?","text":"

This is a common function in consumer wireless routers. For example, let's assume you want to disable your AP on Monday through Friday between 02:00 and 08:00. You can implement this with cron to stop/start RaspAP's service control script at certain times. Run sudo crontab -e and add entries like so:

# Stop RaspAP services at 02:00 on Monday through Friday\n0 2 * * 1-5 sudo /etc/raspap/hostapd/servicestart.sh --action stop\n\n# Start RaspAP services at 08:00 on Monday through Friday\n0 8 * * 1-5 sudo /etc/raspap/hostapd/servicestart.sh --seconds 3\n

For help with crontab, head over to crontab.guru.

"},{"location":"faq/#can-i-schedule-the-wifi-password-to-change-automatically","title":"Can I schedule the WiFi password to change automatically?","text":"

Yes. Here's one way to do it using bash. Save the script to your home directory (/home/pi for example) and set the execution bit with sudo chmod +x genpassphrase.sh. When executed, the script will automatically generate a strong password (or a weaker, pronounceable one), update the wpa_passphrase setting in hostapd.conf and finally restart the raspapd.service. The new passphrase and QR code will be visible on the Hotspot > Security tab.

This can be useful if you're using RaspAP to serve WiFi to clients in a public place, and need to update the passphrase regularly. Similar to creating an AP activation schedule, you can have this execute at specific intervals by using cron. Run sudo crontab -e and add an entry like so:

# Generate a new passphrase and restart RaspAP everyday at midnight\n@midnight /home/pi/genpassphrase.sh\n

For help with crontab, head over to crontab.guru.

"},{"location":"faq/#can-i-configure-a-managed-mode-ap-without-using-the-ui","title":"Can I configure a managed mode AP without using the UI?","text":"

Yes. Let's assume you are creating an RPi OS image (or other supported OS) with scripts that setup RaspAP at first startup. In this scenario, to configure a managed mode AP you must manually connect via a browser, make some changes via the UI and then save your settings. This can be also be done programmatically. Assuming you have wpa_supplicant.conf fully populated and a valid hostapd.conf, set the following values in /etc/raspap/hostapd.ini:

LogEnable = 0\nWifiAPEnable = 1\nBridgedEnable = 0\nWifiManaged = wlan0\n

substituting wlan0 for your AP interface, if necessary. You may then restart the raspap daemon with sudo systemctl restart raspapd.service.

"},{"location":"faq/#can-i-configure-an-alternate-port-for-raspaps-web-service","title":"Can I configure an alternate port for RaspAP's web service?","text":"

Yes. You can now do this from the Advanced tab in System. Manual steps for changing lighttpd's default port are included below.

Edit /etc/lighttpd/lighttpd.conf and change the following line:

server.port                 = 8080\n
then give the service a kick...
sudo systemctl restart lighttpd.service\n
You can then access RaspAP as before with the new port number in the URI, for example, http://raspberrypi.local:8080. This will allow you run another web server alongside lighttpd, if that is your goal.

"},{"location":"faq/#what-breaks-raspap-when-docker-is-installed-on-the-same-system-and-how-i-can-fix-it","title":"What breaks RaspAP when Docker is installed on the same system and how I can fix it?","text":"

Installing RaspAP after installing Docker often results in connected clients not having internet access from the AP. The reason for this is Docker manipulates iptables rules to provide network isolation. Docker installs two custom iptables chains named DOCKER-USER and DOCKER, and it ensures that incoming packets are always checked by these two chains first. Docker also sets the policy for the FORWARD chain to DROP.

When RaspAP is started in its default router mode, this will result in the AP not forwarding traffic anymore. If you want RaspAP to continue functioning as a router, you can add explicit ACCEPT rules to the DOCKER-USER chain to allow it:

sudo iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT

When Docker is correctly installed after RaspAP, the following iptables chain should be present:

Chain INPUT (policy ACCEPT) target prot opt source destination\nChain FORWARD (policy ACCEPT)\ntarget prot opt source destination DOCKER-USER all -- anywhere anywhere\nDOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere\nACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED DOCKER all -- anywhere anywhere\nACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere\nChain OUTPUT (policy ACCEPT) target prot opt source destination\nChain DOCKER (1 references) target prot opt source destination\n

Additional info here and here.

tl;dr: Install RaspAP first, followed by Docker, adding the explicit iptables rule sudo iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT.

"},{"location":"faq/#can-i-integrate-raspap-with-openmediavault","title":"Can I integrate RaspAP with OpenMediaVault?","text":"

Yes, you can run RaspAP alongside OpenMediaVault for a complete media center and wireless hotspot on a single device. In this way, you are able to share the media storage in your local network via a wireless hotspot while connected to a router via ethernet. This is illustrated in the schematic below:

[Router] <---- eth ----> [Pi] (RaspAP + OMV5)\n   |                      |\n WiFi 1              WiFi 2 (subnet)\n

Follow these steps to create this configuration:

  1. Follow RaspAP's Quick start guide and set up your network as you wish.
  2. Change the default Web server port to 8080 (so that it doesn't conflict with OMV5), from RaspAP's System > Advanced panel.
  3. Install OMV5 skipping network configuration.
  4. Configure your OMV5 install without changing the network settings.
  5. To make your OMV5 drives accessible from the subnet (WiFi 2), add the following settings at the end of OMV Control panel > Menu > SMB/CIFS > Settings Tab > Extra Options:
    bind interfaces only = yes\ninterfaces = lo eth0\n

Source: openmediavault forums.

"},{"location":"faq/#can-i-use-raspap-to-share-speedifys-aggregated-connections","title":"Can I use RaspAP to share Speedify's aggregated connections?","text":"

Yes, RaspAP is compatible with Speedify's connection bonding. In this scenario, you may want to combine several internet connections (for example, a DSL connection, 4G cellphone and an LTE router) and share these via RaspAP.

Begin by running Speedify's one step install, login with your credentials and connect Speedify. Next, configure Speedify for WiFi sharing by editing the following file:

sudo nano /etc/speedify/speedify.conf\n

Make sure to uncomment the following lines (remove the \"#\" symbol). To share over the Wi-Fi interface wlan0, set:

ENABLE_SHARE=1 \nSHARE_INTERFACE=\"wlan0\"\nWIFI_INTERFACE=\"wlan0\" \n

Once you have configured the sharing settings, save the file (if you are using nano, use Ctrl+O and press Enter to save). Exit the text editor and then execute:

sudo service speedify-sharing restart\n

Refer to Speedify's support article for additional tips and troubleshooting.

"},{"location":"faq/#how-do-i-serve-custom-pages-from-raspap","title":"How do I serve custom pages from RaspAP?","text":"

Several users have asked if they can extend RaspAP or otherwise serve their own custom directory with the existing lighttpd web service. Broadly, there are two approaches to achieve this. In the examples below, we will add support for a custom directory called \"admin\".

Option 1. Create a subdirectory of RaspAP's default install location (/var/www/html) called \"admin\": /var/www/html/admin. Now, modify RaspAP's application routing rules by adding this directory to the exclusion list. You may do this with sudo nano /etc/lighttpd/conf-available/50-raspap-router.conf. Next, modify the following line like so:

$HTTP[\"url\"] =~ \"^/(?!(dist|app|ajax|config|admin)).*\" {\n

Note that \"admin\" is appended above \"config\", above. This instructs lighttpd not to rewrite URLs that match this pattern. Reload the lighttpd service with sudo systemctl reload lighttpd.service.

You may now create your own index.php file in this folder and request it from the browser as http://10.3.141.1/admin/ or http://raspberrypi.local/admin.

Option 2. Reinstall RaspAP and specify a custom install destination, for example /var/www/html/raspap. This will leave the default web root free for you to create any files you wish, without attempting to rewrite the URLs (the installer will only apply routing rules to your custom RaspAP root).

"},{"location":"faq/#can-i-automatically-update-raspaps-adblock-lists","title":"Can I automatically update RaspAP's adblock lists?","text":"

RaspAP's adblock feature uses several blocklists that are aggregated and updated daily. In a typical setup, you may use the Ad blocking management page to manually update these lists. Alternatively, this user-contributed script will automatically fetch the latest blocklists on the schedule of your choosing (for example, daily, weekly, etc.) and reload dnsmasq.

#!/bin/sh\n#\nsleep $(shuf -i 0-3600 -n1)\ncurl -L https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts > /etc/raspap/adblock/hostnames.tmp\ncurl -L https://big.oisd.nl/dnsmasq > /etc/raspap/adblock/domains.tmp\n\nmv /etc/raspap/adblock/hostnames.tmp /etc/raspap/adblock/hostnames.txt\nmv /etc/raspap/adblock/domains.tmp /etc/raspap/adblock/domains.txt\nchown root:www-data /etc/raspap/adblock/hostnames.txt\nchown root:www-data /etc/raspap/adblock/domains.txt\n\nsudo systemctl reload dnsmasq.service\n
Credit to DanielLester83.

"},{"location":"faq/#openvpn-fails-to-start-andor-i-have-no-internet","title":"OpenVPN fails to start and/or I have no internet.","text":"

RaspAP supports OpenVPN clients by uploading a valid .ovpn file to /etc/openvpn/client and, optionally, creating a login.conf file with your client auth credentials. Additionally, in line with the project's default configuration, the following iptables rules are added to forward traffic from OpenVPN's tun0 interface to your configured wireless interface (wlan0 is the default):

-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT\n-A FORWARD -i wlan0 -o tun0 -j ACCEPT\n

After starting the OpenVPN service, you may check and validate these rules like so:

$ sudo iptables -L FORWARD -v -n\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n 1955 1493K ACCEPT     all  --  tun0   wlan0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED\n 1715  194K ACCEPT     all  --  wlan0  tun0    0.0.0.0/0            0.0.0.0/0\n

It is your responsibility to provide a valid .ovpn file. RaspAP does not attempt to validate the settings or RSA keys contained in this file. If OpenVPN fails to start, check for errors with sudo systemctl status openvpn-client@client and journalctl --identifier openvpn.

"},{"location":"faq/#openvpn-works-but-i-have-partial-or-no-internet-access","title":"OpenVPN works but I have partial or no internet access.","text":"

Issues like this are frequently reported. Begin by confirming the status of your connection:

$ sudo systemctl status openvpn-client@client\n\u25cf openvpn-client@client.service - OpenVPN tunnel for client\n   Loaded: loaded (/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: enabled)\n   Active: active (running) since Fri 2020-06-12 15:45:41 CDT; 1min 39s ago\n     Docs: man:openvpn(8)\n           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage\n           https://community.openvpn.net/openvpn/wiki/HOWTO\n Main PID: 2689 (openvpn)\n   Status: \"Initialization Sequence Completed\"\n    Tasks: 1 (limit: 2200)\n   Memory: 1.1M\n   CGroup: /system.slice/system-openvpn\\x2dclient.slice/openvpn-client@client.service\n           \u2514\u25002689 /usr/sbin/openvpn --suppress-timestamps --nobind --config client.conf\n
You can also use journalctl --identifier openvpn to identify any errors. If your internet access is intermittent or otherwise degraded with the openvpn-client active, the next step is to test your connection for packet loss and latency. There are many Linux tools you can use to diagnose your network. mtr is a good choice as it combines functionality of the traceroute and ping programs. Install and use it to perform your own evaluation:

sudo apt install mtr -y\nsudo mtr -rwc 50 -i 0.2 -rw duckduckgo.com\n\nStart: 2021-06-13T11:42:26+0100\nHOST: raspberrypi                                Loss%   Snt   Last   Avg  Best  Wrst StDev\n  1.|-- 192.168.1.254                              0.0%    50   26.8  27.1  26.5  31.4   0.8\n  2.|-- somerouter.net                            88.0%    50   392.0 390.4 362.1 596.7  1.2\n

The results are reported as round-trip response times in milliseconds and the percentage of packet loss. If you see loss and/or latency like the above example, report it to your VPN provider or find another one. Read this for more on interpreting mtr results.

Protip: free VPNs are frequently oversubscribed and usually not worth the trouble.

"},{"location":"faq/#openvpn-is-enabled-but-i-am-still-blocked-from-country-restricted-websites","title":"OpenVPN is enabled but I am still blocked from country restricted websites.","text":"

Remote hosts use a variety of methods to defeat VPNs, some more aggressively than others. Many VPN providers will advise you to configure custom DNS servers to mitigate DNS leaks, which you can do from RaspAP's DHCP > Advanced tab. Others have specific VPN nodes to use with popular streaming services.

Several users have reported that Firefox's DNS-over-HTTPS (DoH) has created problems with their VPN, in effect creating a DNS leak from the browser that circumvents RaspAP's DNS settings. Be sure to disable this \"feature\" when using a VPN service.

If you suspect network traffic is not being routed through tun0 (or any other interface) for some reason, you can monitor this directly from your RPi with iftop:

sudo apt install iftop\nsudo iftop -i [interface]\n
"},{"location":"faq/#uploading-my-wireguard-config-results-in-mime-type-not-allowed","title":"Uploading my WireGuard config results in \"MIME type not allowed\".","text":"

For security reasons, your OpenVPN or WireGuard .conf files must have a Linux MIME type of text/plain. Windows ignores MIME types, relying instead on extensions. To avoid errors, be sure your file has a text/plain MIME type embedded in it before uploading.

Most OpenVPN and WireGuard service providers give you the option of downloading a file formatted for Linux. Alternatively, you may convert your Windows config file for use with Linux with dos2unix or one of several online tools made for this purpose.

"},{"location":"faq/#i-think-my-traffic-isnt-being-routed-through-the-wireguard-vpn-can-i-debug-this","title":"I think my traffic isn't being routed through the WireGuard VPN. Can I debug this?","text":"

There are several things you can do to troubleshoot this. First, with the WireGuard service active, verify your public IPv4 address and check the external link, as shown below:

Next, you may check the WireGuard service status by executing sudo systemctl status wg-quick@wg0.service from the shell, like so:

$ sudo systemctl status wg-quick@wg0.service\n\u25cf wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0\n     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)\n     Active: active (exited) since Wed 2021-12-29 15:31:03 GMT; 1 day 18h ago\n       Docs: man:wg-quick(8)\n             man:wg(8)\n             https://www.wireguard.com/\n             https://www.wireguard.com/quickstart/\n             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8\n             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8\n   Main PID: 1450 (code=exited, status=0/SUCCESS)\n      Tasks: 0 (limit: 1438)\n        CPU: 0\n     CGroup: /system.slice/system-wg\\x2dquick.slice/wg-quick@wg0.service\n

You may also use RaspAP's built-in WireGuard logging facility. On the WireGuard > Logging tab, enable the \"Display WireGuard debug log\" option and choose Save settings. Check the log output in the tab and look for any errors.

Tip

The debug log facility queries the systemd journal with a one-time execution of journalctl --identifier wg-quick. If you want to update this log output, simply enable the option again. You may also execute this command directly from the shell, if you wish.

Finally, you may check and verify the WireGuard config itself, including PostUp / PostDown rules, by executing sudo cat /etc/wireguard/wg0.conf.

As a last piece of advice, be sure to test more than one client device connection with your WireGuard-enabled AP. Some users have reported traffic not routing as expected with one device, while a different device behaves normally.

Please note that RaspAP provides a front-end to the WireGuard service only. It has no way of validating your WireGuard configuration. For this reason, bug reports such as \"WireGuard not working\" won't be considered.

"},{"location":"faq/#how-can-i-clear-raspaps-wireguard-log","title":"How can I clear RaspAP's WireGuard log?","text":"

WireGuard doesn't do any logging by default. The quasi-logging done by RaspAP executes sudo journalctl --identifier wg-quick. The Linux journal is not something you usually clear by yourself, however you can use journalctl's self maintenance to retain only the past two days:

sudo journalctl --vacuum-time=2d\n

See man journalctl for more information.

"},{"location":"faq/#why-cant-i-access-wireless-mode-n-80211n","title":"Why can't I access wireless mode 'N' (802.11n)?","text":"

On the Configure hotspot > Security tab, be sure to select CCMP for the Encryption Type. Save the settings and restart the hotspot. The wireless mode should be reported on clients as 802.11b/g/n.

RaspAP:\n  PHY Mode:     802.11n\n  Channel:      1\n  Network Type:     Infrastructure\n  Security:     WPA2 Personal\n  Signal / Noise:   -49 dBm / -86 dBm\n  Transmit Rate:    73\n

If using TKIP for encryption with WPA, you will be restricted to 54 Mb/s. This is because the IEEE 802.11n draft prohibits using high throughput with WEP or TKIP ciphers.

"},{"location":"faq/#how-do-i-exclude-nat-rules-from-ip-traffic-on-localhost","title":"How do I exclude NAT rules from IP traffic on localhost?","text":"

RaspAP's Quick Installer configures network-address-translation (NAT) with iptables rules, so that the RPi can act as an internet gateway to multiple hosts on a local network with a single public IP address. This is done by rewriting the addresses of IP packets as they pass through the NAT system. Many access points, including RaspAP, use a combination of IP forwarding and masquerading to achieve this.

In some cases, NAT rules applied to localhost can interfere with other services running on an RPi. An example is the Plex Media Server, which has an API that listens on localhost. As of this writing, the Plex API has been built to not authenticate communication between service processes of the server. This can cause a failure to communicate with the Plex API or similar add-on services on your RPi.

The solution is to add a NAT rule ahead of the rule RaspAP installs to not apply NAT to connections destined to 127.0.0.0/8:

$ sudo iptables -t nat -I POSTROUTING -d 127.0.0.0/8 -j ACCEPT\n
The resulting iptables chain should look something like this:

$ sudo iptables -t nat -L -n -v\nChain PREROUTING (policy ACCEPT 31 packets, 4810 bytes)\n pkts bytes target prot opt in out source destination\n\nChain INPUT (policy ACCEPT 31 packets, 4810 bytes)\n pkts bytes target prot opt in out source destination\n\nChain OUTPUT (policy ACCEPT 23 packets, 1338 bytes)\n pkts bytes target prot opt in out source destination\n\nChain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source destination\n   17 999 ACCEPT all -- * * 0.0.0.0/0 127.0.0.0/8\n   2422 158K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0\n
Refer to this issue.

"},{"location":"faq/#why-is-the-channel-dropdown-disabled-on-the-hotspot-page","title":"Why is the channel dropdown disabled on the Hotspot page?","text":"

RaspAP is capable of detecting the frequencies (channels) supported by each of your device's wireless interfaces. If an interface is selected that is not capable of broadcasting on the 5 GHz band, the associated channels and the Save settings button are disabled. Next to the Wireless Mode selector, a tooltip will provide a brief explanation.

In this case, selecting a compatible 2.4 GHz wireless mode will populate the list of available channels for that interface. Alternatively, select another interface or connect a 5 GHz capable external wireless adapter. RaspAP will automatically detect the adapter and add it to the list of available interfaces.

"},{"location":"faq/#80211ac-is-supposed-to-operate-at-433-mbps-why-is-my-aps-throughput-so-much-less","title":"802.11ac is supposed to operate at 433 Mbps. Why is my AP's throughput so much less?","text":"

The 802.11ac wireless standard uses 433 Mbps per spatial stream in the 5GHz band. Therefore, the theoretical maximum speed for a single-stream device is 433 Mbps when using an 80 MHz wide channel. However, real-world speeds are often significantly less due to a number of factors.

In the Raspberry Pi's case, its onboard wireless chipset is connected to the primary System on a Chip (SoC) with a 4-bit SDIO link that runs at 41.7 MHz. 4 bits x 41.7 suggests about 160 Mbps should be possible with 802.11ac on this device. In practice, iPerf tests won't get close to this figure because SDIO is a simplex link (that is, half-duplex) with overhead in each of the protocol and transport layers. Given these restrictions, real-world iPerf tests in the range of 90-100 Mbps are actually quite good for this hardware.

"},{"location":"faq/#why-is-the-maximum-throughput-of-my-80211n-ap-reduced-by-half","title":"Why is the maximum throughput of my 802.11n AP reduced by half?","text":"

In order to achieve optimal throughput with 802.11n, the wireless stream must operate at a 40 MHz wide channel on the 2.4 GHz band. A 20 MHz channel will restrict you to 72 Mbps. Your hostapd.conf might have the required settings, but this is no guarantee of a 40 MHz channel.

In practice, this can be quite difficult due to interference on the 2.4 GHz band. There are many things that will cause an AP to fallback to 20 MHz. The most common reason is if an AP detects another wireless network within 40 MHz, i.e. two channels, of its own channel. For example, if an AP is set to channel 6, another network operating anywhere from channel 4 to 8 will trigger a fallback. hostapd will usually report a fallback like so:

20/40 MHz operation not permitted on channel pri=3 sec=7 based on overlapping BSSes\n

For more information on optimizing 802.11n, refer to this resource.

Generally speaking, the 5 GHz band has substantially greater capacity due to more non-overlapping radio channels and less radio interference as compared to the 2.4 GHz band.

"},{"location":"faq/#can-i-connect-the-wifi-client-to-a-wep-network","title":"Can I connect the WiFi client to a WEP network?","text":"

Wired Equivalent Privacy (WEP) has been deprecated for quite awhile but old routers still exist in the wild. Not all routers accept hex passwords, but you can try converting an ASCII password using an online tool like this one. A valid WEP key should be 5 or 13 characters or a 10- or 26-digit hexadecimal value. Be sure the hex values are unpadded and there are no trailing spaces. For example, 52617370415069734772656174 is a valid hex passphrase.

Paste your converted hex value into RaspAP's WiFi client passphrase field and try connecting.

If you're not able to connect with a hex passphrase, you can also try this alternate manual configuration method.

"},{"location":"faq/#can-i-turn-the-hotspot-onoff-over-ssh","title":"Can I turn the hotspot on/off over SSH?","text":"

Yes, RaspAP provides a front-end to several Linux systemd services, including hostapd. From the terminal, check the status of the hostapd.service like so:

$ sudo systemctl status hostapd.service \n\u25cf hostapd.service - Access point and authentication server for Wi-Fi and Ethernet\n     Loaded: loaded (/lib/systemd/system/hostapd.service; enabled; vendor preset: enabled)\n

Stop the service with sudo systemctl stop hostapd.service and start it with sudo systemctl start hostapd.service.

If you're curious about which other services and Linux tools RaspAP controls for you, take a look at raspap.sudoers.

"},{"location":"faq/#can-i-share-internet-from-a-wireless-lan-with-ethernet-clients","title":"Can I share internet from a wireless LAN with Ethernet clients?","text":"

Yes, RaspAP simplifies this with an intuitive and easy-to-use WLAN routing solution.

"},{"location":"faq/#can-raspap-automatically-connect-to-a-known-wifi-network-at-boot","title":"Can RaspAP automatically connect to a known WiFi network at boot?","text":"

When rebooting, users must manually re-establish a connection to a known WiFi network by using the WiFi client UI. This is the default behavior of wpa_supplicant. That is, on startup the wpa_supplicant service is executed by systemd (not RaspAP) and enables logging and the DBus control interface; it does not automatically connect to any known networks.

However, you can change this behavior and have wpa_supplicant establish a connection on startup by editing the root user's crontab, like so:

$ sudo crontab -e\n

Using your editor, append a line like the following:

# m h  dom mon dow   command\n@reboot /sbin/wpa_supplicant -B -Dnl80211 -c/etc/wpa_supplicant/wpa_supplicant.conf -iwlan0\n

Save the file and exit from your editor. On the next system boot, your RaspAP router will automatically connect to your preferred wireless network, if it's available.

"},{"location":"faq/#can-i-isolate-raspap-from-other-software-on-my-system","title":"Can I isolate RaspAP from other software on my system?","text":"

Yes, you have the option of installing RaspAP in an isolated and portable Docker container.

"},{"location":"faq/#how-do-i-upgrade-raspap","title":"How do I upgrade RaspAP?","text":"

Upgrading an existing install without changing your configuration is very straightforward. Several different methods are described below.

The version 3.0.2 release introduced a new feature to upgrade your RaspAP installation. To use this, simply navigate to the About page and click or tap on the Check for update button. This queries the GitHub API for the latest release version, compares it with your current install and prompts you to upgrade if a newer release is available.

No other actions are required on your behalf. Alternatively, you may also use the Quick installer to upgrade to the latest release version. This is done with the --upgrade option, as shown below:

curl -sL https://install.raspap.com | bash -s -- --upgrade\n

The installer upgrade is idempotent, meaning it can be repeated an arbitrary number of times and the result will be as if it had been done only once. If you choose this method, you're done! Confirm the upgrade by checking the release version on the About page.

If you want to install a specific version, you may do so by referencing a tag using git:

sudo git fetch -v --tags\nsudo git checkout 3.0.8\n

A tag is a pointer that isn't connected to the main development tree that git knows about. As a result, git will reply that you're in a \"detached HEAD\" state. This isn't a big deal, it just means that you have a specific version of the code that isn't connected to the git tree.

Alternatively, if you want the latest bleeding edge commits from the master branch, use the following:

sudo git checkout -b master\nsudo git pull origin master\n

If you've customized your installation by editing config.php, update the release version in this file:

sudo nano /var/www/html/includes/config.php\n
Change the value in this line to the release version, save the file and exit.

define('RASPI_VERSION', '3.0.8');\n

Whichever method you choose (about page button, installer upgrade, specific release or latest updates), your RaspAP configuration won't be changed.

"},{"location":"faq/#do-i-need-the-raspap-service-to-run-at-boot","title":"Do I need the RaspAP service to run at boot?","text":"

If you are using your RPi as a client on a WiFi network (also known as managed mode) and hosting an access point simultaneously, the raspapd.service will ensure that your hotspot is active after a reboot. It does this by detecting WiFi client AP mode, adding the uap0 interface and starting up networking services in a specific order.

If your RPi is configured with wired ethernet (eth0) or you haven't experienced problems with the AP starting on boot, you can disable the RaspAP daemon like so:

sudo systemctl disable raspapd.service\n
"},{"location":"faq/#can-the-quick-installer-accept-the-default-options-without-prompting-me","title":"Can the Quick Installer accept the default options without prompting me?","text":"

Yes, the Quick Installer has a non-interactive mode that lets you perform unattended setups. This mode assumes \"yes\" as an answer to all prompts. You can do an unattended install of RaspAP by appending the --yes command line option, like so:

curl -sL https://install.raspap.com | bash -s -- --yes\n

The options -y or --assume-yes are also accepted and have the same result.

"},{"location":"faq/#how-do-i-uninstall-raspap","title":"How do I uninstall RaspAP?","text":"

An uninstaller is provided to remove RaspAP cleanly, and also restore any backups of your configuration that were created before RaspAP was installed. Start the uninstaller with the following:

curl -sL https://install.raspap.com | bash -s -- --uninstall\n

Alternatively, you may execute the uninstaller directly from the project folder (default location is /var/www/html):

cd /var/www/html\nsource installers/uninstall.sh\n_remove_raspap\n

Whichever method you choose, the result is the same. Check your network configuration before rebooting to ensure you can still access your device.

"},{"location":"firewall/","title":"Firewall","text":""},{"location":"firewall/#overview","title":"Overview","text":"

Experimental \u00b7 Insiders only

If your device is exposed to the outside world, firewall rules can provide a layer of security against intruders to your network. A firewall also gives us granularity in terms of what is allowed to be forwarded across interfaces. Using the rule sets described below, we can effectively control which packets are allowed to be inputted to, and outputted from, the RaspAP router itself.

Insiders have access to a UI designed for this purpose.

"},{"location":"firewall/#basic-rule-set","title":"Basic rule set","text":"

As with every other aspect of RaspAP's default settings, the application iptables rules are stored in an external JSON file, so they may be modified without touching code. During the install, the file iptables_rules.json is copied from /config to /etc/raspap/networking/firewall. Thereafter, they may be administered from the UI, shown below.

By default, the firewall will only allow outgoing and already established traffic. There are no restrictions to the currently configured AP interface (wlan0 is the default). The remaining firewall rules are grouped into four distinct classes. These are described below.

"},{"location":"firewall/#pre-rules","title":"Pre-rules","text":"

These rules define pre- and post-routing network address translation (NAT) policies, allow ping requests (IPv4 and IPv6), the loopback device, NTP requests via UDP and DNS requests via TCP and UDP.

"},{"location":"firewall/#main-rules","title":"Main rules","text":"

Main rules cover many functions, including allowing unrestricted traffic over the AP interface, rules for client interfaces including the tunnel device (tun0 for OpenVPN) and WireGuard (wg0, for example). RaspAP will check for the presence of an active OpenVPN or WireGuard connection and automatically apply these rules.

"},{"location":"firewall/#exception-rules","title":"Exception rules","text":"

These types of rules include service exceptions, such as allowing ssh access on port 22 and http or https on ports 80 and 443, respectively. In addition, user-defined exception rules may be added to allow incoming or outgoing traffic from specific IP addresses or interfaces. These exception values may be entered in the UI, separated by a blank character or comma.

This rule type is required for OpenVPN via UDP and WireGuard. A list of currently active VPN server IP addresses is provided in the firewall UI.

"},{"location":"firewall/#restriction-rules","title":"Restriction rules","text":"

By contrast, restriction rules allow the user to block access from specific IP addresses.

"},{"location":"firewall/#json-rules-syntax","title":"JSON rules syntax","text":"

Most entries in iptables_rules.json are descriptive and should be straightforward. An optional entry for each set of rules called dependson allows for creation of rules that depend on device names and whether a service is active.

Each dependency refers to an entry in the firewall config file. For example, ap-device or openvpn-enabled, followed by a type definition (bool, string or list). The replace tag defines which variable in the actual iptables rule should be replaced. To illustrate this, the wireguard rule set is shown below:

\"name\": \"wireguard\",\n    \"comment\": \"Rules for wireguard device (wg)\",\n    \"ip-version\": 4,\n    \"dependson\": [\n        { \"var\": \"wireguard-enable\", \"type\": \"bool\" },\n        { \"var\": \"wireguard-serverip\", \"type\": \"string\", \"replace\": \"$IPADDRESS$\" },\n        { \"var\": \"client-device\", \"type\": \"string\", \"replace\": \"$INTERFACE$\" }\n    ],\n    \"rules\": [\n        \"-A INPUT -p udp -s $IPADDRESS$ -j ACCEPT\",\n        \"-A FORWARD -i wg+ -j ACCEPT\",\n        \"-t nat -A POSTROUTING -o $INTERFACE$ -j MASQUERADE\"\n    ]\n

In this way, interdependent firewall rules may be defined and administered by RaspAP.

"},{"location":"firewall/#discussions","title":"Discussions","text":"

Questions or comments about using RaspAP's firewall? Join the discussion here.

"},{"location":"insiders/","title":"Insiders","text":"

Development of RaspAP is made possible thanks to a sponsorware release model. This means that new features are first exclusively released to sponsors as part of Insiders. Read on to learn what sponsorships achieve, how to become a sponsor and what's in it for you!

Paying it forward

We donate a percentage of all proceeds from Insiders to the Raspberry Pi Foundation each quarter, to help inspire future generations of makers together with their educators.

"},{"location":"insiders/#what-is-insiders","title":"What is Insiders?","text":"

RaspAP Insiders is a private fork of RaspAP, hosted as a private GitHub repository. Almost all new features are developed as part of this fork, which means that they are immediately available to all eligible sponsors, as they are made collaborators of this repository.

Every feature is tied to a funding goal in monthly subscriptions. When a funding goal is hit, the features that are tied to it are merged back into the RaspAP public repo and released for general availability, making them available to all users. Bugfixes are always released in tandem.

Sponsorships start as low as $10 per month.

"},{"location":"insiders/#what-sponsorships-achieve","title":"What sponsorships achieve","text":"

Sponsorships make this project sustainable, as they buy the maintainers of this project time \u2014 a very scarce resource \u2013 which is spent on the development of new features, bug fixes, stability improvement, issue triage and community support.

If you're unsure if you should sponsor this project, check out the list of completed funding goals to learn whether you're already using features that were developed with the help of sponsorships. You're most likely using at least a handful of them, thanks to our awesome sponsors!

"},{"location":"insiders/#whats-in-it-for-me","title":"What's in it for me?","text":"

The moment you become a sponsor, you'll get immediate access to the additional features below that you can start using right away, and which are currently exclusively available to sponsors:

Network device management Firewall settings WPA3-Personal AP security 802.11w Protected Management Frames Printable Wi-Fi signs Drag & drop dashboard widgets MAC address cloning Network diagnostics WireGuard kill switch Dynamic DNS Multiple WireGuard configs Wireless LAN routing Custom user avatars WiFi repeater mode NTP Service Limited privilege user role

A tangible side benefit of sponsorship is that Insiders are able to help steer future development of RaspAP. This is done through Insiders' access to discussions, feature requests, issues and pull requests in the private GitHub repository.

Look for the list above to grow as we add more exclusive features. Be sure to visit this page from time to time to learn about what's new, or follow @RaspAP on to stay updated.

"},{"location":"insiders/#how-to-become-a-sponsor","title":"How to become a sponsor","text":"

Thanks for your interest in sponsoring! You can become a sponsor using your individual or organization's GitHub account. Just pick any tier from $10/month and complete the checkout. You will be automatically granted access to the private GitHub repository containing the Insiders edition, which has all exclusive features. In addition, you will be added as a team member with access to Insiders-only team discussions and content.

Join our awesome sponsors

Info

If you're sponsoring RaspAP through a GitHub organization, please send a short email to sponsors@raspap.com with the name of your organization and the account that should be added as a collaborator.2

You can cancel your sponsorship anytime.3

"},{"location":"insiders/#funding-targets","title":"Funding targets","text":"

Below is a list of funding targets. When a funding target is reached, the features that are tied to it are merged back into RaspAP and released to the public for general availability.

"},{"location":"insiders/#goals","title":"Goals","text":"

The following section lists all funding goals. Each goal contains a list of features prefixed with a checkmark symbol, denoting whether a feature is already available or planned, but not yet implemented. When the funding goal is hit, the features are released for general availability.

"},{"location":"insiders/#1000-2nd-insiders-edition","title":"$1,000 - 2nd Insiders Edition","text":"

Network device management Firewall settings WPA3-Personal AP security 802.11w Protected Management Frames Printable Wi-Fi signs Drag & drop dashboard widgets MAC address cloning Network diagnostics

"},{"location":"insiders/#1500-3rd-insiders-edition","title":"$1,500 - 3rd Insiders Edition","text":"

WireGuard kill switch Dynamic DNS Multiple WireGuard configs Wireless LAN routing Custom user avatars WiFi repeater mode NTP Service Limited privilege user mode

"},{"location":"insiders/#completed-goals","title":"Completed goals","text":""},{"location":"insiders/#500-1st-insiders-edition","title":"$500 - 1st Insiders Edition","text":"

Multiple OpenVPN client configs OpenVPN certificate authentication OpenVPN service logging Night mode toggle Restrict network to static clients WireGuard support Set AP transmit power

"},{"location":"insiders/#transparency","title":"Transparency","text":"

We've chosen OpenCollective as the fiscal host for our GitHub sponsors organization. This means that our budget is completely transparent \u2014 financial contributions, expenses and payouts to project team members are automatically reported. Everyone can see where money comes from and what it's spent on. This committent to full transparency was central in our decision to implement Insiders.

"},{"location":"insiders/#quarterly-giving","title":"Quarterly giving","text":"

Beginning in 2022, each quarter 15% of all proceeds from Insiders will be donated directly to the Raspberry Pi Foundation. The Raspberry Pi Foundation is a UK-based charity that works to put the power of computing and digital making into the hands of people all over the world.

The Foundation supports initiatives like Coder Dojo, Astro Pi, Coolest Projects and much more.

When you become an Insider, not only do you support development of RaspAP but you also help inspire young people by harnessing the power of computing to solve problems and express themselves creatively.

"},{"location":"insiders/#support-for-educators","title":"Support for educators","text":"

We are big believers in the role that computing and digital technologies can play in shaping a better world. Many engineers, including members of the RaspAP team, got their first introduction to computing at an early age. This can take the form of a structured curriculum in a school setting, or less-formally through clubs, competitions and partnerships with youth organizations. Equally important is university, vocational and research training in digital technologies at all levels.

To this end, we have pledged to make Insiders freely available to all educators, their students, club participants and staff.

"},{"location":"insiders/#criteria","title":"Criteria","text":"

Educators, teacher trainers, researchers and club organizers engaged in digital and computing technologies for students of all ages are eligible. The only requirement is a GitHub account and a domain email address associated with an educational institution or organization with a focus on digital learning. Send a mail to sponsors@raspap.com with your GitHub account details and we'll get you started with Insiders.

"},{"location":"insiders/#frequently-asked-questions","title":"Frequently asked questions","text":""},{"location":"insiders/#repository-access","title":"Repository access","text":"

When you become a sponsor, GitHub will send you an invitation to the private Insiders repo. You must accept this invite before performing an upgrade or new install, as described below. Until you accept this invitation, running the Quick installer with the --insiders switch will result in the following:

RaspAP Install: Cloning latest files from GitHub\nCloning into '/tmp/raspap-webgui'...\nremote: Repository not found.\nfatal: repository 'https://github.com/RaspAP/raspap-insiders' not found\n

In this event, check your mail folders for an invitation from GitHub and accept it. You may also verify access to the Insiders repo with your token beforehand.

"},{"location":"insiders/#installing","title":"Installing","text":"

How do I install Insiders?

Invoke the Quick Installer with the --insiders switch, like so:

curl -sL https://install.raspap.com | bash -s -- --insiders\n

Tip

During the Insiders install, GitHub will ask you for your username and password in order to clone the private repository. You must enter a GitHub Personal Access Token at the password prompt. This is explained in the Authentication section below.

Alternatively, you may skip the GitHub authentication step by specifying your GitHub credentials with the --name and --token parameters:

curl -sL https://install.raspap.com | bash -s -- --insiders --name [username] --token [my-token]\n
"},{"location":"insiders/#upgrading","title":"Upgrading","text":"

I have an existing RaspAP installation. How do I upgrade to Insiders?

Upgrading is easy. Simply invoke the Quick Installer with the --upgrade switch, specifying the private Insiders option, like so:

curl -sL https://install.raspap.com | bash -s -- --upgrade --insiders\n

Tip

When upgrading to Insiders, GitHub will ask you for your username and password in order to clone the private repository. You must enter a GitHub Personal Access Token at the password prompt. This is explained in the Authentication section below.

As with a fresh Insiders install, you may also skip the GitHub authentication step by specifying your GitHub credentials with the --name and --token parameters:

curl -sL https://install.raspap.com | bash -s -- --upgrade --insiders --name [username] --token [my-token]\n
"},{"location":"insiders/#authentication","title":"Authentication","text":"

As of August 2021 GitHub removed support for password authentication, so you will need to generate a Personal Access Token and use this in place of your password. The process of creating a token is straightforward and described here.

Tip

Be sure to create a \"classic\" personal access token, rather than a fine-grained one. The latter has resulted in errors when cloning the private GitHub repository. Before invoking the Quick installer to perform an upgrade or new Insiders install, it's recommended to verify your token using the method described below.

If this is your first time using a GitHub personal access token, you can verify it by using curl and the GitHub API. Substitute your token value for MY_TOKEN below:

curl -sS -f -I -H \"Authorization: token MY_TOKEN\" https://api.github.com\n

If successful, GitHub should reply with HTTP/2 200 and a x-oauth-scopes: repo value in the response. If you receive a HTTP 401 or other error from curl, check your token and try again.

You will be asked to authenticate with GitHub when the installer clones the private Insiders repo. In this case, simply enter your GitHub username and token when prompted.

Note

Your token is sent securely via SSH to GitHub. The installer does not have access to or store your token.

If you're using GitHub with 2FA enabled the same process above applies.
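
Review bot: The Note in the insiders/#authentication entry states that the token is "sent securely via SSH to GitHub", but the clone shown under insiders/#repository-access uses https://github.com/RaspAP/raspap-insiders and the reader is told to enter the token at a username/password prompt, which is HTTPS authentication, not SSH. Reword the Note to say the token is sent to GitHub over HTTPS. The sentence "The installer does not have access to or store your token" also does not hold for the documented `--name [username] --token [my-token]` form, where the token is passed to the installer as an argument. The Installing and Upgrading entries should say that a token given on the command line is recorded in shell history and visible in the process list, and should present the interactive prompt as the default. The same caveat applies to the `curl ... -H "Authorization: token MY_TOKEN"` verification step.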

"},{"location":"insiders/#scope-of-support","title":"Scope of support","text":"

Individual sponsors may use the main RaspAP repository for non-bug related discussions, including troubleshooting. If you've found a bug with an Insiders feature, please review our issue policy and create a report in the Insiders repository.

The RaspAP team will prioritize issues and feature requests for sponsors at the Business tier. Please create a report in the Insiders repository or contact us via email to discuss your requirements.

"},{"location":"insiders/#terms","title":"Terms","text":"

We're using RaspAP for a commercial project. Can we use Insiders under the same terms and conditions?

Yes. Whether you're an individual or a company, you may use RaspAP Insiders precisely under the same terms as RaspAP, which are defined by the GNU GPL 3.0 license. However, we kindly ask you to respect the following guidelines:

"},{"location":"insiders/#discussions","title":"Discussions","text":"

Questions or comments about Insiders? Join the discussion here.

  1. You may be wondering if the sponsorware model contradicts the ethos of Open Source software. It's true that some features are locked behind a payment, which means they are only accessible after pledging a small amount of money. However, these features are only exclusive until specific funding targets are reached. Making an Open Source project sustainable is exceptionally difficult. Maintainers invest significant time and energy developing software, testing, responding to issues, writing documentation and so on. Too often, this leads to burnout and abandoned projects. The sponsorware model ensures that if you decide to use RaspAP, you can be sure that the project remains healthy, bugs are fixed quickly and new features are added regularly.\u00a0\u21a9

  2. It's currently not possible to grant access to each member of an organization, as GitHub only allows for adding users. Thus, after sponsoring, please send an email to sponsors@raspap.com, stating which account should become a collaborator of the Insiders repository. We're working on a solution which will make access to organizations much simpler.\u00a0\u21a9

  3. If you cancel your sponsorship, GitHub schedules a cancellation request which will become effective at the end of the billing cycle, which ends at the 22nd of the month for monthly sponsorships. This means that even though you cancel your sponsorship, you will keep your access to Insiders as long as your cancellation isn't effective. All charges are processed by GitHub through Stripe. As we don't receive any information regarding your payment, and GitHub doesn't offer refunds, sponsorships are non-refundable.\u00a0\u21a9

"},{"location":"issues/","title":"Reporting issues","text":""},{"location":"issues/#overview","title":"Overview","text":"

RaspAP is free software. It is delivered to you, at no cost, and with no warranty of any kind. The community of developers who contribute to this project make every effort to deliver defect-free code. That said, no software is perfect. You can help us improve this project by accurately describing your issue.

"},{"location":"issues/#issue-policy","title":"Issue policy","text":"

This project is currently led by one developer (@billz) in his very limited spare time. Please respect our developers' time by using issues for reporting bugs only. RaspAP is not a boxed product with a free troubleshooting hotline. If your issue is of a general nature and not directly related to a defect with this project, try searching the official Raspberry Pi forums, RaspAP's GitHub discussions, or Raspberry Pi on Stack Exchange. Chances are your question has been discussed and answered before.

Issues are only valid for clean installs of this project's compatible operating systems. If you observe RaspAP behaving strangely and you did not begin with a clean install, be sure to test it on a fresh SD card before reporting an issue.

The project FAQ is continuously updated with answers to many common questions. Refer to this first before creating a new issue.

"},{"location":"issues/#guidelines","title":"Guidelines","text":"

You can help us improve this project by accurately describing defects. To that end, these guidelines have been established to streamline the reporting process:

  1. Please read and follow the Code of Conduct.
  2. Provide useful detail to reproduce your issue. \"Doesn't work\" or \"not working\" is not a valid report. Here's an example model issue.
  3. Generate a debug log and upload the contents to Pastebin.
  4. If an issue is unclear or needs further information, it will be labeled with question and awaiting-user.
  5. Issues that becomes stale due to inactivity are automatically managed by stale-bot.
"},{"location":"issues/#supported-devices","title":"Supported devices","text":"

RaspAP functions very well \"out of the box\" on fresh installs of the latest RPi OS Lite 64- or 32-bit distribution with recent hardware like the RPi 4, 3B+ and Zero 2 W. The version 2.3.1 release extends beta support to additional Debian-based distros, including Armbian and Ubuntu Server. Please note that \"supported\" is not a guarantee.

If you have installed other software packages on top of RaspAP, particularly those related to networking such as Pi-hole, please test RaspAP first on a clean install before reporting an issue. You may also use RaspAP's Docker container to mitigate conflicts with other software packages.

"},{"location":"issues/#external-hardware","title":"External hardware","text":"

RaspAP has been rigorously tested on the above supported distros and devices using the onboard wireless chipsets. While many good external wireless USB adapters, or \"dongles\", are available, a substantial number lack in-kernel driver support or are otherwise unsuitable for this project. It is not practical, or even possible, to individually test every dongle on the market with this project. For this reason, issues that concern external wireless adapters, or request troubleshooting of these devices, will not be considered.

If you suspect a driver problem with your USB adapter, RaspAP tools can assist you with installing missing WLAN driver modules. Beyond this, your best avenue for troubleshooting are the public forums mentioned above.

"},{"location":"issues/#default-settings","title":"Default settings","text":"

One of RaspAP's most popular features is the Quick Installer, which gets an AP up and running quickly and with a minimum of hassle. This works by applying a known-good default configuration that has been validated in testing with the project's supported devices. When the project prerequisites are followed, an AP with wired ethernet (eth0) or managed mode (wlan0) Wifi client AP will be functional with the default settings.

Important

RaspAP gives you control over many of the settings for hostapd, dhcpcd and dnsmasq. Once these default settings are changed, it's possible that one or all of the above services will enter a failed state.

"},{"location":"issues/#will-raspap-let-me-create-a-configuration-that-breaks-my-hotspot","title":"Will RaspAP let me create a configuration that \"breaks\" my hotspot?","text":"

In a word, yes. While the Quick Installer automates most of the work of creating an AP, RaspAP does not automagically validate your custom configurations. As a result, you may observe anomalous behavior when restarting these services and/or rebooting your device.

When in doubt, you may perform a system reset to restore the default settings.

Because of this, issues such as \"hotspot isn't working\" or \"gui doesn't work\" won't be considered. No hard feelings.

"},{"location":"issues/#submitting-an-issue","title":"Submitting an issue","text":"

If, after searching these community forums, consulting the FAQ and understanding the default settings, your issue still persists, please provide as much detailed information as possible. Use the provided issue template. Incomplete issue reports will not be considered. Thanks.

"},{"location":"manual/","title":"Manual installation","text":""},{"location":"manual/#overview","title":"Overview","text":"

These steps apply to the latest release of RaspAP, Raspberry Pi OS Lite, Debian and Armbian. Notes for previous versions, Ubuntu Server 18.04 TLS and 19.10 are provided, where applicable. Please refer to this regarding operating systems support.

"},{"location":"manual/#alternatives","title":"Alternatives","text":"

If your goal is to use RaspAP as a component of a larger project, or wish to isolate its dependencies from existing software on your system, consider deploying RaspAP in a Docker container instead.

"},{"location":"manual/#prerequisites","title":"Prerequisites","text":"

Start off by updating your system's package list, then upgrade the kernel, firmware and installed packages to their latest versions:

sudo apt-get update\nsudo apt-get full-upgrade\n

Note that full-upgrade is used rather than a simple upgrade, as this also picks up any dependency changes that may have been made. The kernel and firmware are installed as a Debian package, and so will also get updates when using the procedure above. These packages are updated infrequently and after extensive testing.

"},{"location":"manual/#enable-wireless-operation","title":"Enable wireless operation","text":"

Telecommunications radio bands are subject to regulatory restrictions to ensure interference-free operation. The Linux OS complies with these rules by requiring users to configure a two-letter \"WiFi country code\". In RPi OS, 5 GHz wireless networking is disabled until this country code has been set, usually as part of the initial installation process. If you have not set your country code or are unsure, check the \"WLAN Country\" setting in raspi-config's Localisation Options:

sudo raspi-config\n

To ensure the WiFi radio is not blocked on the Raspberry Pi, execute the following command:

sudo rfkill unblock wlan\n
"},{"location":"manual/#non-rpi-os-dependencies","title":"Non-RPi OS dependencies","text":"

Operating systems other than RPi OS have some additional dependencies. If you are using RPi OS Lite, skip this section. On Ubuntu Server, add a dependency and the ppa:ondrej/php apt package:

sudo apt-get install software-properties-common \nsudo add-apt-repository ppa:ondrej/php\n

On Debian, Armbian and Ubuntu, install dhcpcd5 with the following:

sudo apt-get install dhcpcd5\n

On Raspberry Pi OS Lite 32-bit (bookworm), install dhcpcd5 with a dependency:

sudo apt-get install dhcpcd dhcpcd-base\n
"},{"location":"manual/#ubuntu-specific-steps","title":"Ubuntu-specific steps","text":"

Note

This section concerns manual pre- and post-install steps required for the latest Ubuntu 23.04 (Lunar Lobster) and Armbian 23.11 (Jammy) releases. They are not necessary with other distributions.

RaspAP's installer will prompt you to stop and disable the systemd-resolved service listening on port 53 before installing dnsmasq. On Ubuntu 23.04 and Armbian 23.11 this results in a name resolution failure and the installation cannot continue. To resolve this, perform the following pre-install steps:

  1. Stop systemd-resolved with sudo systemctl stop systemd-resolved.service.
  2. Edit the systemd-resolved config file: sudo nano /etc/systemd/resolved.conf, un-hash and specify DNS=9.9.9.9 (for example) and set DNSStubListener=no. Save and exit the file.
  3. Symlink /etc/resolv.conf with sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf.
  4. Proceed with RaspAP install as normal. Disable systemd services when prompted by the installer.

Post-install: The dnsmasq service will report errors such as \"config error is REFUSED (EDE: not ready)\". DNS 'A' record queries will fail and the AP will not be usable for clients. This is easily resolved with the following steps:

  1. Edit the dnsmasq configuration with sudo nano /etc/default/dnsmasq and un-hash IGNORE_RESOLVCONF=yes. Save and exit the file.
  2. Restart the dnsmasq service with sudo systemctl restart dnsmasq.service.

Your RaspAP install on Ubuntu should now function as expected.

"},{"location":"manual/#install-packages","title":"Install packages","text":"

Install git, lighttpd, php8, hostapd, dnsmasq and some extra packages with the following:

sudo apt-get install lighttpd git hostapd dnsmasq iptables-persistent vnstat qrencode php8.2-cgi jq isoquery\n

Note

For Raspberry Pi OS Lite (bullseye), Debian 11 and Ubuntu Server 22.04, replace php8.2-cgi with php7.4-cgi. For Ubuntu Server 23.04, you may use php8.1-cgi.

"},{"location":"manual/#enable-php","title":"Enable PHP","text":"

Next, enable PHP for lighttpd and restart the service for the settings to take effect:

sudo lighttpd-enable-mod fastcgi-php    \nsudo service lighttpd force-reload\nsudo systemctl restart lighttpd.service\n

"},{"location":"manual/#create-the-web-application","title":"Create the web application","text":"

In these steps we will prepare the web destination and git clone the files to /var/www/html.

Caution

If this is not a clean installation, be sure you do not have existing files or directories in the web root before executing the rm -rf command.

sudo rm -rf /var/www/html\nsudo git clone https://github.com/RaspAP/raspap-webgui /var/www/html\n

Copy an extra lighttpd config file to support application routing. This step requires some text substitutions to support user changes to lighttpd's server.document-root setting:

WEBROOT=\"/var/www/html\"\nCONFSRC=\"$WEBROOT/config/50-raspap-router.conf\"\nLTROOT=$(grep \"server.document-root\" /etc/lighttpd/lighttpd.conf | awk -F '=' '{print $2}' | tr -d \" \\\"\")\n\nHTROOT=${WEBROOT/$LTROOT}\nHTROOT=$(echo \"$HTROOT\" | sed -e 's/\\/$//')\nawk \"{gsub(\\\"/REPLACE_ME\\\",\\\"$HTROOT\\\")}1\" $CONFSRC > /tmp/50-raspap-router.conf\nsudo cp /tmp/50-raspap-router.conf /etc/lighttpd/conf-available/\n

Link it into conf-enabled and restart the web service:

sudo ln -s /etc/lighttpd/conf-available/50-raspap-router.conf /etc/lighttpd/conf-enabled/50-raspap-router.conf\nsudo systemctl restart lighttpd.service\n

Now comes the fun part. For security reasons, the www-data user which lighttpd runs under is not allowed to start or stop daemons, or run commands like ip link, all of which we want our app to do. So we will add the www-data user to sudoers, but with restrictions on what commands the user can run. Copy the sudoers rules to their destination:

cd /var/www/html\nsudo cp installers/raspap.sudoers /etc/sudoers.d/090_raspap\n
"},{"location":"manual/#configuration-directories","title":"Configuration directories","text":"

RaspAP uses several directories to manage its own configuration. Create these with the following commands:

sudo mkdir /etc/raspap/\nsudo mkdir /etc/raspap/backups\nsudo mkdir /etc/raspap/networking\nsudo mkdir /etc/raspap/hostapd\nsudo mkdir /etc/raspap/lighttpd\nsudo mkdir /etc/raspap/system\n
"},{"location":"manual/#set-permissions","title":"Set permissions","text":"

Next, set the files ownership to the www-data user for the web files and RaspAP config:

sudo chown -R www-data:www-data /var/www/html\nsudo chown -R www-data:www-data /etc/raspap\n
"},{"location":"manual/#control-scripts","title":"Control scripts","text":"

RaspAP uses several shell scripts to manage various aspects of the application, including hostapd logging and raspapd, the RaspAP control service. Move these scripts to their destinations with the following:

sudo mv installers/enablelog.sh /etc/raspap/hostapd\nsudo mv installers/disablelog.sh /etc/raspap/hostapd\nsudo mv installers/servicestart.sh /etc/raspap/hostapd\nsudo mv installers/debuglog.sh /etc/raspap/system\n

Set ownership and permissions for the logging and service control scripts:

sudo chown -c root:root /etc/raspap/hostapd/*.sh\nsudo chmod 750 /etc/raspap/hostapd/*.sh\n\nsudo chown -c root:root /etc/raspap/system/*.sh\nsudo chmod 750 /etc/raspap/system/*.sh\n

Copy and set ownership of the lighttpd control scripts:

sudo cp installers/configport.sh /etc/raspap/lighttpd\nsudo chown -c root:root /etc/raspap/lighttpd/*.sh\n

Next, move the raspapd service file to the correct location and enable it:

sudo mv installers/raspapd.service /lib/systemd/system\nsudo systemctl daemon-reload\nsudo systemctl enable raspapd.service\n
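
Review bot: In manual/#set-permissions, `sudo chown -R www-data:www-data /etc/raspap` gives the whole tree, including /etc/raspap/hostapd, /etc/raspap/system and /etc/raspap/lighttpd, to the web server user, and the later `chown -c root:root` and `chmod 750` in manual/#control-scripts change only the *.sh files, not the directories that hold them. A root-owned script inside a directory that www-data can write to can still be renamed or replaced by www-data, so the root ownership protects little if these scripts are run with elevated privileges. Suggest adding a step that sets the script directories themselves to root:root after the scripts are moved in, and giving configport.sh an explicit chmod like the other scripts, since it currently gets only a chown.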
"},{"location":"manual/#default-configuration","title":"Default configuration","text":"

To facilitate a faster setup, RaspAP uses a \"known-good\" default configuration as a starting point. Copy the configuration files for dhcpcd, dnsmasq, hostapd and defaults.json. Optionally, backup your existing hostapd.conf:

sudo mv /etc/default/hostapd ~/default_hostapd.old\nsudo cp /etc/hostapd/hostapd.conf ~/hostapd.conf.old\nsudo cp config/hostapd.conf /etc/hostapd/hostapd.conf\nsudo cp config/090_raspap.conf /etc/dnsmasq.d/090_raspap.conf\nsudo cp config/090_wlan0.conf /etc/dnsmasq.d/090_wlan0.conf\nsudo cp config/dhcpcd.conf /etc/dhcpcd.conf\nsudo cp config/config.php /var/www/html/includes/\nsudo cp config/defaults.json /etc/raspap/networking/\n

Tip

If you wish to modify RaspAP's default configuration for dnsmasq and dhcp, you may do so by changing these files and editing config/defaults.json.

Next, disable systemd-networkd and copy the bridge configuration with the following:

sudo systemctl stop systemd-networkd\nsudo systemctl disable systemd-networkd\nsudo cp config/raspap-bridge-br0.netdev /etc/systemd/network/raspap-bridge-br0.netdev\nsudo cp config/raspap-br0-member-eth0.network /etc/systemd/network/raspap-br0-member-eth0.network \n
"},{"location":"manual/#optimize-php","title":"Optimize PHP","text":"

Optionally, you may optimize PHP with the following, replacing php8.2-cgi with your installed version:

sudo sed -i -E 's/^session\\.cookie_httponly\\s*=\\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\\s*$/session.cookie_httponly = 1/' /etc/php/8.2/cgi/php.ini\nsudo sed -i -E 's/^;?opcache\\.enable\\s*=\\s*(0|([O|o]ff)|([F|f]alse)|([N|n]o))\\s*$/opcache.enable = 1/' /etc/php/8.2/cgi/php.ini\nsudo phpenmod opcache\n
"},{"location":"manual/#routing-and-ip-masquerading","title":"Routing and IP masquerading","text":"

These steps allow WLAN clients to access computers on the main wired eth0 network, and from there the internet. Begin by enabling IP forwarding with the following commands:

echo \"net.ipv4.ip_forward=1\" | sudo tee /etc/sysctl.d/90_raspap.conf > /dev/null\nsudo sysctl -p /etc/sysctl.d/90_raspap.conf\nsudo /etc/init.d/procps restart\n

To enable traffic between clients on the WLAN and the internet, we add two iptables network address translation (NAT) \"masquerade\" firewall rules. Create these rules and persist them with the following:

sudo iptables -t nat -A POSTROUTING -j MASQUERADE\nsudo iptables -t nat -A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE\nsudo iptables-save | sudo tee /etc/iptables/rules.v4\n
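
Review bot: The first rule in manual/#routing-and-ip-masquerading, `iptables -t nat -A POSTROUTING -j MASQUERADE`, has no source or output-interface match, so it rewrites the source address of every new connection leaving any interface, and because MASQUERADE is a terminating target the subnet-scoped rule appended after it is never reached. Suggest keeping only a scoped rule (restricted by `-s` for the WLAN subnet, or by `-o` for the uplink interface) and stating in the text which subnet 192.168.50.0/24 stands for, so that readers substitute their own AP range before persisting the rules to /etc/iptables/rules.v4.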
"},{"location":"manual/#enable-hostapd","title":"Enable hostapd","text":"

The hostapd service is disabled by default, as there is no configuration for it after its initial installation. Unmask and enable it with the following:

sudo systemctl unmask hostapd.service\nsudo systemctl enable hostapd.service\n
"},{"location":"manual/#optional-components","title":"Optional components","text":"

The following components are not required to operate RaspAP, but extend its usefulness in several ways. Each is independent of the others, so you may choose to add whichever one you need.

"},{"location":"manual/#openvpn","title":"OpenVPN","text":"

Install OpenVPN, enabling the option in RaspAP's config and the openvpn-client service, like so:

sudo apt-get install openvpn\nsudo sed -i \"s/\\('RASPI_OPENVPN_ENABLED', \\)false/\\1true/g\" /var/www/html/includes/config.php\nsudo systemctl enable openvpn-client@client\n

Copy the OpenVPN auth control script to its destination, setting ownership and permissions with the following:

sudo mkdir /etc/raspap/openvpn/\nsudo cp installers/configauth.sh /etc/raspap/openvpn/\nsudo chown -c root:root /etc/raspap/openvpn/*.sh\nsudo chmod 750 /etc/raspap/openvpn/*.sh\n
"},{"location":"manual/#wireguard","title":"WireGuard","text":"

Adding support for WireGuard is straightforward. The application files are already present in RaspAP, so you may simply install and enable the service, then activate the management option:

sudo apt-get install wireguard\nsudo sed -i \"s/\\('RASPI_WIREGUARD_ENABLED', \\)false/\\1true/g\" /var/www/html/includes/config.php\nsudo systemctl enable wg-quick@wg\n
"},{"location":"manual/#ad-blocking","title":"Ad blocking","text":"

There are several steps to enable Ad blocking, including downloading the blocklists, setting permissions and adding a dnsmasq configuration:

sudo mkdir /etc/raspap/adblock\nwget https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts -O /tmp/hostnames.txt\nwget https://big.oisd.nl/dnsmasq -O /tmp/domains.txt\nsudo cp /tmp/hostnames.txt /etc/raspap/adblock\nsudo cp /tmp/domains.txt /etc/raspap/adblock \nsudo cp installers/update_blocklist.sh /etc/raspap/adblock/\nsudo chown -c root:www-data /etc/raspap/adblock/*.*\nsudo chmod 750 /etc/raspap/adblock/*.sh\nsudo touch /etc/dnsmasq.d/090_adblock.conf\necho \"conf-file=/etc/raspap/adblock/domains.txt\" | sudo tee -a /etc/dnsmasq.d/090_adblock.conf > /dev/null \necho \"addn-hosts=/etc/raspap/adblock/hostnames.txt\" | sudo tee -a /etc/dnsmasq.d/090_adblock.conf > /dev/null\nsudo sed -i '/dhcp-option=6/d' /etc/dnsmasq.d/090_raspap.conf\nsudo sed -i \"s/\\('RASPI_ADBLOCK_ENABLED', \\)false/\\1true/g\" includes/config.php\n
"},{"location":"manual/#restart","title":"Restart","text":"

Finally, restart your device and verify that the wireless access point is available:

sudo systemctl reboot\n

After your device has restarted, search for wireless networks with your wireless client. The default SSID is raspi-webgui. The default username is \"admin\" and the default password is \"secret\".

Important

It is strongly recommended that you change these default login credentials in RaspAP's Authentication panel. APs managed by RaspAP in the wild have been administered by third parties with the default login.

"},{"location":"manual/#discussions","title":"Discussions","text":"

Questions or comments about RaspAP's manual install? Join the discussions here.

"},{"location":"minwrite/","title":"Minimal SD card write","text":""},{"location":"minwrite/#overview","title":"Overview","text":"

Linux, and indeed most substantial operating systems, is frequently writing logs files, cache files and temporary data to disk (or the microSD card with the Raspberry Pi). Performing a shutdown puts these files away into a known valid state. If power is unexpectedly cut to a Raspberry Pi, these unwritten system files can become corrupted and render a card unbootable.

What is more, most microSD cards were not designed with 24/7 operation in mind. Continuous writing to the card's flash memory shortens its lifespan. They often accumulate bad sectors rather quickly after a period of extended use. This is particularly true of so-called \"budget\" microSD cards.

Using a Raspberry Pi as wireless router requires reliable operation over a long period of time. While read-only mode operation for the SD card is one approach to prolong its use, this prevents user settings from being persisted to storage \u2014 meaning that any changes will be lost if the device is disconnected from power. This makes it less than ideal for RaspAP, or indeed any application that depends on persistent storage.

"},{"location":"minwrite/#solution","title":"Solution","text":"

Rather than force the system into a read-only mode, RaspAP has an alternative minimal write mode that substantially reduces the risk of SD card corruption and also helps to extend the card's lifespan.

This solution involves moving logging, cache and temporary data to a RAM-based file system. The default system log processor rsyslog is replaced with an in-memory logger and several log-related services are disabled. The tmpfs filesystem is used for most processes that require write access, such as sessions used by php-cgi, as well as paths for transient and cache data including /var/cache and /var/tmp.

In addition, the system's boot options are modified to disable swap and file system checks. A tangible side benefit of retaining a read/write boot partition is that your system will behave otherwise normally \u2014 you may install packages, add services and perform most operations as before.

"},{"location":"minwrite/#enabling-minimal-write","title":"Enabling minimal write","text":"

The minimal microSD card write utility, minwrite, may be invoked by using RaspAP's Quick installer. This does not (re)install RaspAP \u2014 only the minwrite shell script is loaded and executed. Users of this method are informed of which operations are performed at each step. Alternatively, manual configuration steps are also provided. Notes specific to Armbian are given where applicable.

Warning

These methods have been used successfully with many Debian-based systems. However, you still use this at your own risk. Best advice is to either create a backup image of your SD card before proceeding, or begin with a baseline setup that you can easily recreate if needed.

Both methods are reasonably straightforward. Bear in mind that RAM usage on your device will necessarily increase, since you'll be migrating the disk I/O activity of several system processes to the tmpfs ramdisk. For this reason, it's recommended to review the memory considerations before proceeding.

After you've enabled minwrite we'll look at a technique to evaluate its effectiveness.

"},{"location":"minwrite/#quick-install","title":"Quick install","text":"

The minwrite utility may be invoked remotely from the Quick installer like so:

curl -sL https://install.raspap.com | bash -s -- --minwrite\n

Alternatively, if you have a local install of RaspAP you may execute it from the /installers directory like so:

./raspbian.sh --minwrite.sh\n

You will be prompted at each step during the minwrite script's execution. As a final step, be sure to reboot your system.

$ curl -sL https://install.raspap.com | bash -s -- --minwrite\n\n\n 888888ba                              .d888888   888888ba\n 88     8b                            d8     88   88     8b\na88aaaa8P' .d8888b. .d8888b. 88d888b. 88aaaaa88a a88aaaa8P\n 88    8b. 88    88 Y8ooooo. 88    88 88     88   88\n 88     88 88.  .88       88 88.  .88 88     88   88\n dP     dP  88888P8  88888P  88Y888P  88     88   dP\n                             88\n                             dP      version 3.2.1\n\nThe Quick Installer will guide you through a few easy steps\n\n\nRaspAP Minwrite: Modify the OS to minimize microSD card write operation\nDetected OS: Debian GNU/Linux 11 (bullseye)\nRaspAP Minwrite: Removing packages\nThe following packages will be removed: dphys-swapfile logrotate\nProceed? [Y/n]:\nThe following packages will be REMOVED:\n  dphys-swapfile* logrotate*\n0 upgraded, 0 newly installed, 3 to remove and 65 not upgraded.\nAfter this operation, 351 kB disk space will be freed.\n(Reading database ... 65355 files and directories currently installed.)\nRemoving dphys-swapfile (20100506-7+rpt1) ...\nRemoving logrotate (3.18.0-2+deb11u1) ...\nProcessing triggers for man-db (2.9.4-2) ...\n(Reading database ... 65313 files and directories currently installed.)\nPurging configuration files for logrotate (3.18.0-2+deb11u1) ...\nPurging configuration files for dphys-swapfile (20100506-7+rpt1) ...\n[ \u2713 ok ]\nRaspAP Minwrite: Disabling services\nThe following services will be disabled: bootlogd.service bootlogs console-setup apt-daily\nProceed? [Y/n]:\n
"},{"location":"minwrite/#manual-steps","title":"Manual steps","text":"

These steps perform the same actions as the Quick install method. Details are provided so that you may choose to customize or skip some steps, if desired.

"},{"location":"minwrite/#remove-packages","title":"Remove packages","text":"

The goal here is to only remove packages that actively write to the filesystem, and that will be replaced or disabled entirely. In a subsequent step, logrotate will be replaced with busybox-syslogd. Additionally, dphys-swapfile, which manages a swapfile in the root filesystem on the SD card, is removed as it won\u2019t be able to work.

Remove these packages with the following:

sudo apt-get remove --purge dphys-swapfile logrotate\nsudo apt-get autoremove --purge\n
"},{"location":"minwrite/#disable-services","title":"Disable services","text":"

Linux is able to update packages autonomously without an external command. This task is scheduled by the apt-daily.service, which triggers the system to start apt tasks and scan installed packages for available updates. If updates are found, the apt-daily-upgrade.service downloads and installs them without user intervention. While useful for keeping your system updated, these are intensive processes in terms of disk I/O that may be safely disabled and handled manually.

Disable the bootlogd.service, apt-daily and related services like so:

sudo systemctl unmask bootlogd.service\nsudo systemctl disable bootlogs\nsudo systemctl disable apt-daily.service apt-daily.timer apt-daily-upgrade.timer apt-daily-upgrade.service\n

Note

By disabling these services, you will need to manually check for package updates periodically with sudo apt-get update && sudo apt-get upgrade.

"},{"location":"minwrite/#replace-logger","title":"Replace logger","text":"

In this step you'll replace the default system logger rsyslog with an in-memory logger, busybox-syslogd. BusyBox combines tiny versions of many common Linux utilities into a single small executable. It provides a fairly complete POSIX environment for any small or embedded system, including a minimal write Raspberry Pi.

Install it like so and remove rsyslog:

sudo apt-get install busybox-syslogd\nsudo dpkg --purge rsyslog\n

Be aware that because busybox-syslogd writes system logs to RAM, these logs will be lost if your device is disconnected from power.

"},{"location":"minwrite/#disable-swap","title":"Disable swap","text":"

Next you'll modify system boot options to disable swap and filesystem checks, as these are both intensive disk I/O processes. Edit this file with sudo nano /boot/cmdline.txt and append the following to the end:

fsck.mode=skip noswap\n

The resulting file will look something like this (copied from a Pi 3 Model B+):

console=serial0,115200 console=tty1 root=PARTUUID=bddffae9-02 rootfstype=ext4 fsck.repair=yes rootwait fsck.mode=skip noswap\n

Save your changes and quit out of the editor with Ctrl+X followed by Y and finally Enter.

Note

By default Armbian does not use any SD card-based swap, so unless you\u2019ve customized your installation there\u2019s nothing to disable.

"},{"location":"minwrite/#move-directories-to-ram","title":"Move directories to RAM","text":"

As a final step, several directories will be moved to the tmpfs filesystem. Storing these directories on a ramdisk instead of the SD card will substantially reduce the volume of I/O operations on the card's flash memory. Writing to tmpfs also provides fast sequential read/write speeds. The tradeoff is that tmpfs is volatile storage \u2014 meaning that you will lose all data stored on the filesystem if your device loses power.

Paths are selected here to migrate to tmpfs for transient and cache data, as well as those required for RaspAP's operation that are associated with disk I/O activity. Moving these directories to tmpfs is done by editing fstab with sudo nano /etc/fstab. Append the following lines to the end:

tmpfs /tmp tmpfs  nosuid,nodev 0 0\ntmpfs /var/log tmpfs  nosuid,nodev 0 0\ntmpfs /var/tmp tmpfs  nosuid,nodev 0 0\ntmpfs /var/lib/misc tmpfs  nosuid,nodev 0 0\ntmpfs /var/cache tmpfs  nosuid,nodev 0 0\ntmpfs /var/lib/vnstat tmpfs  nosuid,nodev 0 0\ntmpfs /var/php/sessions tmpfs  nosuid,nodev 0 0\n

Save your changes and quit out of the editor with Ctrl+X followed by Y and finally Enter.

Note

Armbian puts /tmp in RAM by default, while Raspberry Pi OS does not. On both Armbian and Raspberry Pi OS, /run is stored in RAM already and /var/run symlinks to it.

The /var/tmp directory is made available for programs that require temporary files or directories that are preserved between system reboots. Therefore, data stored in /var/tmp is more persistent than data in /tmp. In practice, however, few programs in common use with Raspberry Pi OS write to this directory so we can safely move it to RAM.

"},{"location":"minwrite/#reboot","title":"Reboot","text":"

A reboot is required for the above steps to take effect: sudo reboot.

"},{"location":"minwrite/#memory-considerations","title":"Memory considerations","text":"

The minwrite configuration migrates as much as possible from SD card storage to the tmpfs ramdisk. As a result, a concomitant increase in memory utilization is expected. To benchmark this, the change in memory usage on a Pi 3 Model B+ with 1GB of RAM and a typical RaspAP installation will be compared.

Execute the following to return the amount of free system memory expressed as a percentage of the total available:

free -m | awk '/Mem:/ { total=$2 ; used=$3 } END { print used/total*100}'\n
Pre-minwrite Post-minwrite 11.88% 29.70%

While this is a noticable increase in RAM usage, it's still well within the margin for reliable operation of the OS. If you have a higher rate of RAM utilization on your device, or have limited available system memory to begin with, bear this in mind before proceeding.

Note

Recall that with swap disabled, if the system runs out of physical memory (RAM) there is no partition available for the kernel to allocate virtual memory in its place. This will cause the kernel to throw an out of memory (OOM) error. Normally this causes the kernel to panic and stop functioning.

"},{"location":"minwrite/#file-system-metrics","title":"File system metrics","text":"

A minwrite configuration may be futher evaluated by using iotop, a utility that watches I/O usage information output by the Linux kernel. Install the package like so:

sudo apt-get install iotop -y\n

Execute it with the following switches to monitor accumulated activity of processes doing actual I/O:

sudo iotop -aoP\n

After a period of time, you will see disk I/O activity reported for a number of processes. Returning to the example Pi 3 Model B+ test bench, the before and after results may be compared:

Pre-minwrite I/O

Total DISK READ:         0.00 B/s | Total DISK WRITE:       191.31 B/s\nCurrent DISK READ:       0.00 B/s | Current DISK WRITE:      22.52 K/s\n    PID  PRIO  USER     DISK READ  DISK WRITE  SWAPIN     IO>    COMMAND\n     95 ?sys root          0.00 B    860.00 K                 [jbd2/mmcblk0p2-]\n    145 ?sys root          0.00 B      3.03 M                 systemd-journald\n    412 ?sys root          0.00 B    112.00 K                 rsyslogd -n -iNONE\n    529 ?sys vnstat        0.00 B    264.00 K                 vnstatd -n\n   1080 ?sys www-data    800.00 K     48.00 K                 lighttpd -D -f /etc/lighttpd/lighttpd.conf\n   1186 ?sys www-data      2.25 M      0.00 B                 php-cgi\n   1187 ?sys www-data      4.00 K      0.00 B                 php-cgi\n   1188 ?sys www-data     52.00 K      0.00 B                 php-cgi\n   4752 ?sys root          0.00 B      4.00 K                 dhcpcd -w -q\n   5402 ?sys dnsmasq       0.00 B    140.00 K                 dnsmasq -x /run/dnsmasq/dnsmasq.pid\n

Post-minwrite I/O

Total DISK READ:         0.00 B/s | Total DISK WRITE:         0.00 B/s\nCurrent DISK READ:       0.00 B/s | Current DISK WRITE:       0.00 B/s\n    PID  PRIO  USER     DISK READ  DISK WRITE  SWAPIN     IO>    COMMAND\n    101 ?sys root          0.00 B      8.00 K                 [jbd2/mmcblk0p2-8]\n    837 ?sys www-data     24.00 K      0.00 B                 lighttpd -D -f /etc/lighttpd/lighttpd.conf\n    890 ?sys www-data    170.00 K      0.00 B                 php-cgi\n    891 ?sys www-data      4.00 K      0.00 B                 php-cgi\n    892 ?sys www-data      4.00 K      0.00 B                 php-cgi\n    893 ?sys www-data     80.00 K      0.00 B                 php-cgi\n

Notice that in the latter iotop output, logging to disk is nearly absent and vnstatd now writes data to RAM. The remaining disk write activity originates mainly from the ext4 journal update process jbd2.

At the same time, RaspAP settings may be modified and persisted to the microSD card and the system otherwise operated normally.

"},{"location":"minwrite/#discussions","title":"Discussions","text":"

Questions or comments about using minwrite mode? Join the discussion here.
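
Review bot: In the minwrite "Disable services" step, the text says to disable bootlogd.service, but the first command is "sudo systemctl unmask bootlogd.service", which only removes a mask and leaves the unit able to start. It should read "sudo systemctl disable bootlogd.service" (or "mask") so that it matches the step's own wording and the installer output quoted earlier in the entry ("The following services will be disabled: bootlogd.service bootlogs console-setup apt-daily"). Two smaller points in the same entry: the local invocation is written "./raspbian.sh --minwrite.sh" while the remote form passes "--minwrite", and the memory check is described as returning free memory although the awk expression prints used/total*100. Since this hunk replaces the whole index line (@@ -1 +1 @@), please confirm the replacement line carries the corrected wording.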

"},{"location":"net-devices/","title":"Network devices","text":""},{"location":"net-devices/#overview","title":"Overview","text":"

Experimental \u00b7 Insiders only

Insiders are able to manage a variety of physical network devices as a source of data connectivity for RaspAP. Broadly, this includes devices such as tethered phones, USB modems/routers, WLAN adapters and so on. This expands the practicality of RaspAP as a truly mobile AP for travel and/or field applications.

"},{"location":"net-devices/#supported-device-types","title":"Supported device types","text":"

The following network devices are supported:

All devices require a driver in order to be available for use with RaspAP.

"},{"location":"net-devices/#listing-detected-devices","title":"Listing detected devices","text":"

The Networking > Devices tab displays a list of available devices with their attributes and assumed adapter type. The adapter type as well as the device name may be changed. Incorrect device types might appear for some devices, which advertise themselves to the system as an ethernet (e.g. eth0) or usb (e.g. usb0) device. This often happens for USB connected phones and external routers.

"},{"location":"net-devices/#changing-the-device-name","title":"Changing the device name","text":"

Changing the name helps to distinguish different devices. This is especially important if, for example, the Access Point device is connected via USB and the automatically assigned name is changed. This can sometimes occur when devices are connected in varying order.

To modify a device's name, enter a value in the Fixed name field and choose Change.

The only restriction for the device name is that it must only contain lowercase letters and numbers. The maximal length is limited to 20 characters. Devices names are automatically filtered accordingly.

"},{"location":"net-devices/#changing-the-mac-address","title":"Changing the MAC address","text":"

Sometimes you might need to set the MAC address of the WLAN interface to be the same as your PC or some other device on your network. This is known as MAC address cloning.

For example, some ISPs register your computer's MAC address when the service is first installed. When you place a router behind the cable or ADSL modem, the MAC address from the device WLAN port will not be recognized by the ISP.

External networking devices, like a Raspberry Pi, also have their own MAC addresses which can create authentication problems. This often occurs on guest Wi-Fi networks.

You can clone the MAC address of the WLAN interface (or any other valid interface) to be the same as your computer's MAC address. To create this configuration, follow the steps below:

  1. Open the Networking > Devices tab.
  2. Choose a MAC address for the interface you wish to clone.
  3. Enter a valid address in the MAC field and click or tap Change.
  4. The new MAC address will be configured immediately.

Note

Virtual interfaces such as OpenVPN's tun0 or WireGuard's wg0 do not have this capability. To avoid potential conflicts, change the MAC address and reconnect the device before modifying any other settings.

"},{"location":"net-devices/#ethernet-interfaces","title":"Ethernet interfaces","text":"

The built-in ethernet adapter as well as USB adapters are usually detected automatically. In these cases no configuration is required. Devices such as USB tethered phones might appear as an ethernet device as well. The same applies to mobile data adapters that also contain a router.

In these cases, the type may be adjusted in the device list and a name assigned to the device. This will have an effect on the network device widget shown on the dashboard.

"},{"location":"net-devices/#wireless-network-devices","title":"Wireless network devices","text":"

These devices are usually listed with the automatically assigned device name prefix wlan, for example wlan0. If multiple wlan interfaces are used, it can be advantageous to assign a unique name to the device.

Wireless devices will only appear if a supported driver exists in the currently installed OS. If your device does not appear in the list, this usually indicates that a required device driver is missing. The helper script install_wlan_driver_modules.sh available in RaspAP/raspap-tools can be used to search for and install existing driver modules.

"},{"location":"net-devices/#mobile-data-modems","title":"Mobile data modems","text":"

Modems or Point-to-Point Protocol (ppp) devices require login data. This includes a PIN number to unlock the SIM card, the Access Point Name (APN) and login data of your mobile network provider. These values may be entered under the Networking > Mobile Data tab.

Values entered here are stored in the file /etc/wvdial.conf. This configuration file contains the basic configuration needed to unlock the SIM card and connect to the network. This has been tested with a Huawei E1550. If your device requires different AT-commands, you will need to manually change this configuration.

When a connected modem is attached, the connection mode, signal quality and network provider will be displayed on the dashboard.

Note

The names of modems cannot be changed. The reason is that the device name ppp0 is directly coupled with the required system services.

"},{"location":"net-devices/#what-if-my-modem-device-doesnt-appear","title":"What if my modem device doesn't appear?","text":"

In this case your connected modem device is not recognized by the OS, or it has not been switched into modem mode by usb_modeswitch. Check the log file (journalctl) for problems with the device.

"},{"location":"net-devices/#mobile-data-adapters-with-built-in-routers","title":"Mobile data adapters with built-in routers","text":"

Mobile data USB devices which provide router functionality will usually appear as an ethernet device, for example eth1. This implies that the device has to be pre-configured to work without a PIN for the SIM card and without login data. Typically, this can be done via a browser based administration interface on any computer.

"},{"location":"net-devices/#huawei-hilink-device","title":"Huawei Hilink Device","text":"

A special case are Huawei Hilink devices (e.g. Huawei E3372h-320). RaspAP can communicate directly with these devices. Be sure that the administration interface is not locked with a user/password. The PIN number entered on the Networking > Mobile Data tab will be used to unlock the SIM card. In addition, connection information (mode, signal quality and network provider) are extracted from the device and displayed on the dashboard. The dashboard button to stop/start the device is active and will disconnect/connect the mobile network.

The model E3372h-320 will be detected as a Hilink device and appears with the name hilink0. Other Hilink devices require a corresponding assignment on the Networking > Devices tab.

"},{"location":"net-devices/#usb-tethered-phones","title":"USB tethered phones","text":"

A phone connected via USB and with USB tethering enabled will appear as either an ethernet device (e.g. eth1), or as a USB network device (e.g. usb0). Changing the device type to phone will result in a corresponding display on the dashboard. In this case the default name is phone0.

"},{"location":"net-devices/#configuration-files","title":"Configuration files","text":""},{"location":"net-devices/#diagnostics","title":"Diagnostics","text":"

A built-in tool to evaluate network performance is available on the Networking > Diagnostics tab. This permits testing of both local network throughput (that is, data transfer over a wired or wireless interface between RaspAP and a connected client) and internet speed (data transfer between a RaspAP instance and remote host). Ping, jitter download and upload metrics are included in the test.

The remote host is RaspAP's public speedtest server located in the United States. Additional speedtest hosts distributed in other geographic centers are forthcoming.

"},{"location":"net-devices/#discussions","title":"Discussions","text":"

Questions or comments about network devices support? Join the discussion here.

"},{"location":"ntp/","title":"NTP Service","text":""},{"location":"ntp/#overview","title":"Overview","text":"

Experimental \u00b7 Insiders only

One of the limitations of devices such as the Raspberry Pi is that it lacks an onboard real-time clock (RTC) to accurately keep track of the time, including when the device is powered off. To overcome this, two solutions are generally available: 1) install a hardware RTC module, or 2) synchronize time from the network.

The Network Time Protocol (NTP) is widely used to fulfill this need. This is a protocol that, together with its associated daemon and related tools, is able to keep all the system clocks in a local network in sync with authoritative millisecond precision.

"},{"location":"ntp/#use-cases","title":"Use cases","text":"

There are many scenarios in which accurate and synchronized timekeeping across networked devices can be extremely useful, if not essential. For example, a robotic controller or sensor may need to perform an operation at a specific interval but, for one reason or another, doesn't have reliable internet connectivity.

In this situation, a single internet connected device (the NTP server) will synchronize the time of the robot or sensor (NTP clients). These devices may already receive control instructions and/or exchange data with the server via a wireless network, such as the one provided by RaspAP. In this way, NTP functions as an additional service layer on top of an existing WiFi network.

Alternatively, a standalone configuration may be needed in which precision timekeeping is required for a network device.

"},{"location":"ntp/#installation","title":"Installation","text":"

An NTP server may be optionally installed by the Quick installer. To install NTP server support, respond by pressing Enter to accept the default Y option at the following prompt:

RaspAP Install: Configure NTP server support\nInstall ntp and enable NTP configuration? [Y/n]:\n

With the software requirements installed, the systemd ntpd.service control file will be enabled on your system, as well as the NTP server management UI:

Enabling ntpd.service\nEnabling NTP server management option\n[ \u2713 ok ]\n

Proceed with the Quick installer and accept the default Y prompt to reboot your system as a final step.

"},{"location":"ntp/#configuration","title":"Configuration","text":"

Following the installation, the NTP service should be up and running. You may check and control its current state by visiting RaspAP's NTP Server administration page. Basic Settings as well as Advanced controls are available on their respective tabs. The Status tab will display the operational state of connected peers by using the ntpq query tool. These status queries are examined in detail to assist you with interpreting them.

"},{"location":"ntp/#standalone-device","title":"Standalone device","text":"

In a standalone configuration, a single device will be automatically kept in sync by communicating with remote NTP servers tied to high quality clocks. As long as the ntpd.service is running (enabled on boot by default), the protocol will largely handle the time syncronization for you with its default settings. This of course assumes the device has internet connectivity.

The NTP Server > Settings tab will report the current system time synchronized from its remote NTP server peers.

You may add any number of public NTP servers by entering their IP address or fully qualified domain name (FQDN) under Add an NTP server.

Tip

Public NTP servers that support Network Time Security (NTS) may be specified by appending the nts suffix.

Click or tap the icon to add an entry to your list of servers and choose Save settings. The ntpd.service will be automatically restarted.

"},{"location":"ntp/#multiple-devices","title":"Multiple devices","text":"

In an environment with multiple networked devices, some of which may lack internet connectivity, an NTP server on your local network may be used to keep them synchronized. To create this configuration, under Add an NTP server (shown above) specify a private IP address or local network host address, for example time.raspberrypi.local, of the NTP server on your local network. Click or tap the icon to add it to your list of servers and choose Save settings. The ntpd.service will automatically restart for you.

Repeat this process for each of the devices you wish to keep synchronized on your network.

"},{"location":"ntp/#advanced-settings","title":"Advanced settings","text":"

For users who are familiar with the NTP protocol and configuration file, the NTP Server > Advanced tab permits you to view and edit this file directly. This gives you full control over the NTP server settings, beyond the basic configuration provided on the Settings tab.

To enable ntp.config editing, simply slide the Edit mode toggle. You may then make your edits to the configuration directly. When you are finished editing, choose Save settings. The ntpd.service will restart automatically.

Caution

Editing the ntp.config file may lead to unpredictable results and/or cause the NTP service to enter a failed state. For this reason, it's recommended to preserve a backup of your original NTP configuration.

"},{"location":"ntp/#peer-status-queries","title":"Peer status queries","text":"

The NTP query utility ntpq is used to monitor NTP daemon ntpd operations and give useful performance metrics. The -p or --peers option is used with ntpq to output a list of the peers known to the server as well as a summary of their state. This is available on the NTP Server > Status tab. Example output is shown below:

     remote           refid      st t when poll reach   delay   offset   jitter\n===============================================================================\n+time.cloudflare 10.109.8.98      3 u  723 1024  377  27.6182   1.8467   3.5095\n+185.198.109.227 150.214.94.10    2 u  403 1024  377  37.3427   0.1535   2.6619\n+time.cloudflare 10.56.8.4        3 u  433 1024  377  21.7662   2.6731   7.5725\n-ntp01.pingless. 189.97.54.122    2 u  181 1024  377  70.1582  -5.9882   3.3870\n-185.90.148.209  150.214.94.10    2 u  861 1024  337  63.1452   4.4984   6.3479\n*ip94-143-139-21 150.214.94.10    2 u  289 1024  377  36.6112   0.3700   2.5709\n

Looking at the column headers, this status output may be interpreted with the following:

Identifier Description remote The address of a remote NTP server your local server is talking to. refid A reference to where the remote server is synced from. st An abbreviation for \"stratum\" \u2013 the number of hops between that server and a high quality clock source, such as nuclear or GPS. Stratum 1 is the highest level, 15 the lowest. t An abbreviation for the peer \"type\" \u2013 local, unicast, multicast or broadcast. Most peers are accessed in unicast mode. when The number of seconds since your local server last polled the remote. poll The interval in seconds between polling of the remote server. reach An octal representation of the success/failure over time, 377 being 100% success. delay A measure of network latency to the remote server in milliseconds. offset The current offset, or time difference, between the peer and local system time, expressed in milliseconds. jitter A measure of the variation in latency or time delay over the network. * This marks the current preferred server as determined by the protocol.

In the above example, our local NTP server is within 0.37ms of the preferred remote server, which itself is closely tied (stratum=2) to a high quality clock source. Our local server is within \u00b1 6ms of the other remotes.

"},{"location":"ntp/#firewall-settings","title":"Firewall settings","text":"

If your system uses a network firewall, such as the one provided by RaspAP, you will need to be sure that it's configured for the NTP protocol. NTP uses UDP port 123 to communicate with peers. Therefore, you must ensure that the port is open in any firewall. To enable NTP traffic with iptables execute the following:

iptables -A INPUT -p udp --dport 123 -j ACCEPT\n

Alternatively, you may use ufw to achieve the same result:

ufw allow 123/udp\n

Note

If you're using RaspAP's firewall, an exception is already present to allow NTP traffic by default.

"},{"location":"ntp/#troubleshooting","title":"Troubleshooting","text":"

Output from the NTP system calls ntp_gettime() and ntp_adjtime() is displayed prominently on the NTP Server > Settings page. If present, the current synchronized timekeeping data are displayed with their associated status codes. A code 0 (OK) indicates that these system calls are functioning as expected, as shown below:

ntp_gettime() returns code 0 (OK)\n  time e9b1283b.89c0db28 2024-03-29T11:44:59.538Z, (.538099359),\n  maximum error 997469 us, estimated error 167 us, TAI offset 37\nntp_adjtime() returns code 0 (OK)\n  modes 0x0 (),\n  offset 456.591 us, frequency -1.317 ppm, interval 1 s,\n  maximum error 997469 us, estimated error 167 us,\n  status 0x2001 (PLL,NANO),\n  time constant 6, precision 1.000 us, tolerance 500 ppm,\n

On the other hand, the kernel may occasionally report NTP clock errors like the following:

raspberrypi ntpd[1279]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized\"\n

The NTP system calls shown above may also return a code 5 (ERROR) result. In most cases, this will resolve itself in a few minutes while the system clock is synchronized. Persistent errors may indicate a misconfiguration of the NTP protocol or a general networking problem. Refer to the firewall settings, above.

Detailed metrics from peer status queries are also useful for troubleshooting purposes.

Finally, ensure that no other time synchronization application is in use, such as timesyncd or any third party software.

"},{"location":"ntp/#discussions","title":"Discussions","text":"

Questions or comments about time synchronization with NTP? Join the discussion here.

"},{"location":"openvpn/","title":"OpenVPN","text":""},{"location":"openvpn/#overview","title":"Overview","text":"

OpenVPN may be optionally installed by the Quick Installer. Once this is done, you can create a client configuration and manage the openvpn-client service with RaspAP.

"},{"location":"openvpn/#enabling-openvpn","title":"Enabling OpenVPN","text":"

To configure an OpenVPN client, upload a valid .ovpn file from your provider and, optionally, specify your login credentials. For clarity, these steps are described below:

  1. Enter your credentials, if needed, into the Username and Password fields.
  2. Browse to your provider's .ovpn file and choose Save settings.
  3. Confirm that the OpenVPN client.conf uploaded successfully.
  4. Choose Start OpenVPN.

The video walkthrough below illustrates the steps of configuring an OpenVPN client from start to finish.

Your browser does not support the video tag."},{"location":"openvpn/#tunneling-traffic","title":"Tunneling traffic","text":"

RaspAP will store your client configuration and add firewall rules to forward traffic from OpenVPN\u2019s tun0 interface to your configured wireless interface. In the example below, the default AP interface wlan0 is used:

iptables -A POSTROUTING -o tun0 -j MASQUERADE\niptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT\niptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT\n
"},{"location":"openvpn/#public-ip-address","title":"Public IP address","text":"

After a page reload, your new public IPv4 address will be indicated. Click or tap the icon to open a new window with details about your public IP.

"},{"location":"openvpn/#multiple-client-configs","title":"Multiple client configs","text":"

RaspAP lets you manage multiple OpenVPN client configurations. This includes the ability to upload, activate and delete any number of valid .ovpn files and associated login credentials. Thereafter, switching between them is done by simply activating the desired profile. Traffic is automatically routed to clients connected on the AP interface.

Activating a profile will restart the openvpn-client service automatically. Additionally, openvpn-service activity may be tracked in the Logging tab.

"},{"location":"openvpn/#certificate-authentication","title":"Certificate authentication","text":"

Alternatively, you may also authenticate with a signing certification authority (CA) certificate. This is an alternative to the default username and password authentication, and is often used with a private or self-hosted OpenVPN server.

To use this method, upload an OpenVPN configuration file (.ovpn) with the certificate authority (CA) certficate, client certificate and client private key enclosed in tags as described above.

"},{"location":"openvpn/#mitigating-dns-leaks","title":"Mitigating DNS leaks","text":"

Remote hosts use a variety of methods to defeat VPNs, some more aggressively than others. Many VPN providers will advise you to configure custom DNS servers to mitigate DNS leaks, which you can do from RaspAP's DHCP > Advanced tab. You can also test for this with https://dnsleaktest.com/.

Other providers have specific VPN nodes to use with popular streaming services. It's recommended to check with your provider and follow their suggestions.

When an OpenVPN client is configured, RaspAP adds NAT rules with iptables to forward all packets from the AP interface to tun0. If you suspect network traffic is not being routed through tun0 (or any other interface) for some reason, you can monitor this directly from your RPi with iftop:

sudo apt install iftop\nsudo iftop -i [interface]\n
"},{"location":"openvpn/#browser-considerations","title":"Browser considerations","text":"

The Mozilla Foundation recently added a DNS over HTTPS (DoH) proprietary service to its Firefox browser. As of this writing, this \"feature\" is enabled by default for users in the United States. A consequence of DoH is that DNS requests will be resolved by Mozilla's DNS servers, instead of your VPN provider's. Instructions for disabling this DoH may be found here.

"},{"location":"openvpn/#troubleshooting","title":"Troubleshooting","text":"

See the FAQ section for OpenVPN.

"},{"location":"openvpn/#discussions","title":"Discussions","text":"

Questions or comments about using OpenVPN? Join the discussion here.

"},{"location":"providers/","title":"VPN Providers","text":""},{"location":"providers/#overview","title":"Overview","text":"

Experimental

Several popular VPN providers include a Linux Command Line Interface (CLI) for interacting with their services. As a new beta feature, you may optionally control these VPN services from within RaspAP. In this way, after your preferred CLI is installed on your system you may administer it thereafter by using RaspAP's UI.

"},{"location":"providers/#installation","title":"Installation","text":"

To configure VPN provider support, respond by pressing Enter to accept the default Y option when prompted by the Quick installer:

RaspAP Install: Configure VPN provider support (Beta)\nEnable VPN provider client configuration? [Y/n]:\n

Next, select an available VPN provider from the list. For the initial beta, we've identified three of the most popular VPN services that have Debian compatible Linux CLIs. Enter a number corresponding to your desired VPN provider followed by the Enter key.

Select an option from the list:\n  1) ExpressVPN\n  2) Mullvad VPN\n  3) NordVPN\n  0) None\nChoose an option: 3\nConfiguring support for NordVPN\nAdding /usr/bin/nordvpn to raspap.sudoers\nEnabling administration option for NordVPN\nAdding VPN provider to /etc/raspap/provider.ini\n[ \u2713 ok ]\n

The installer will configure RaspAP to administer the corresponding Linux CLI. Choosing 0 (None) followed by Enter will exit the VPN provider option and continue with the installer.

"},{"location":"providers/#provider-clis","title":"Provider CLIs","text":"

RaspAP provides a visual interface to interact with your chosen VPN provider's CLI. To facilitate this, you must first install and configure the CLI on your system. Specific steps will depend on your VPN provider; consult the online documentation for your chosen VPN service.

Note

The RaspAP project has no affiliation whatsoever with the supported VPN providers. Each provider was selected solely based on availability of their Debian compatible CLIs.

NordVPN is demonstrated in the following example. Begin by executing the install script:

sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)\n

After the installer completes, verify the CLI by checking its version:

nordvpn --version\nNordVPN Version 3.16.6\n

Next, activate your account. The --callback and --token methods are useful for headless setups. The latter is shown below:

nordvpn login --token [myToken]\nWelcome to NordVPN! You can now connect to VPN by using 'nordvpn connect'.\n

Before establishing a VPN connection with the CLI, add a rule to whitelist port 22. This will prevent the VPN from disrupting access to the shell via SSH:

nordvpn whitelist add port 22\nPort 22 (UDP|TCP) is allowlisted successfully.\n

Now, execute the following to connect to a recommended VPN server:

nordvpn connect\nConnecting to France #817 (fr817.nordvpn.com)\nYou are connected to France #817 (fr817.nordvpn.com)!\n

With these setps completed, you are now ready to begin administering your VPN provider with RaspAP.

"},{"location":"providers/#administer-your-provider","title":"Administer your provider","text":"

Continuing from the above example, access your VPN provider's UI page from RaspAP. From the Settings page, you can view your account status, connect to a recommended VPN server or choose a specific country from the select list.

Below, RaspAP displays the CLI output when a country is selected from the list followed by Save settings:

On the Status tab, information about your installed provider CLI and current connection status are displyed:

You may perform the same operations with any of the supported VPN providers.

Tip

Many VPN providers have firewalls enabled by default that can disrupt access to your system via SSH. For this reason, it's recommended to perform these basic CLI functions from your terminal before using them with RaspAP. If your SSH session is disrupted, a reboot will usually restore the connection. Consult your VPN provider's documentation for more advice.

If a configured provider's CLI is not found, RaspAP will detect this and give you a helpful pointer to the CLI's installation instructions:

Likewise, if the CLI binary exists but RaspAP is unable to execute it, a diagnostic message will be displayed.

"},{"location":"providers/#control-scope","title":"Control scope","text":"

Each VPN provider's CLI offers different command sets to control various aspects of their service. For this beta release, RaspAP may be used to administer basic functions including connect, disconnect, status, account information and country (or city) selection for the remote VPN server.

nordvpn settings\nTechnology: NORDLYNX\nFirewall: disabled\nFirewall Mark: 0xe1f1\nRouting: enabled\nAnalytics: enabled\nKill Switch: disabled\nThreat Protection Lite: disabled\nNotify: disabled\nAuto-connect: disabled\nIPv6: disabled\nMeshnet: disabled\nDNS: disabled\nLAN Discovery: disabled\nAllowlisted ports:\n       22 (UDP|TCP)\n

More advanced CLI settings such as whitelists, kill switches, firewalls, protocols and so on (shown above) should be administered with your CLI directly.

Tip

Support for provider CLIs is intended for typical setups with RaspAP's default configuration, where the AP interface is wlan0 and internet connectivity is provided by eth0. If you need to control settings beyond these defaults with your provider, it's recommended to install either OpenVPN or WireGuard and administer these services directly.

"},{"location":"providers/#public-ip","title":"Public IP","text":"

After a VPN connection is established, your public IPv4 address will be displayed next to a globe icon below your provider name on the Settings tab. Click or tap on the external link icon to see details about your IP location.

"},{"location":"providers/#ap-clients","title":"AP clients","text":"

If your device is connected to the internet via Ethernet (eth0), clients connected on the AP interface (wlan0 for example) will have their traffic automatically routed through the VPN connection.

"},{"location":"providers/#troubleshooting","title":"Troubleshooting","text":"

RaspAP uses each CLI to fetch the most detailed available connection information and display this on the Status tab. The level of detail varies from one provider to the next. If you suspect a problem with your VPN service, it's recommended to check this output and use it for troubleshooting purposes with your VPN provider.

"},{"location":"providers/#whitelisting-services","title":"Whitelisting services","text":"

Additionally, you might want to consider whitelisting other ports that are commonly used for essential network services. For instance, with NordVPN's CLI you may whitelist TCP port 53 and UDP port 67 with the following commands:

nordvpn whitelist add port 53\nnordvpn whitelist add port 67\n
This will allow devices connecting to your AP to obtain an IP address.

Next, it's recommended to whitelist your network subnet. For example:

nordvpn whitelist add subnet 192.168.x.x/24\n
Substitute the placeholder value for your network. This will permit you to connect to the VPN while also preserving your access to SSH and RaspAP's web UI. Refer to your provider's CLI documentation for more information.

"},{"location":"providers/#discussions","title":"Discussions","text":"

Questions or comments about using VPN providers? Join the discussion here.

"},{"location":"quick/","title":"Quick installer","text":""},{"location":"quick/#overview","title":"Overview","text":"

The Quick installer has been designed to assist users with creating an instance of RaspAP both quickly and with a great deal of flexibility. The install loader will respond to several command line arguments, or switches, to customize your installation in a variety of ways, or install one of RaspAP's optional helper tools.

"},{"location":"quick/#alternatives","title":"Alternatives","text":"

The installer gives you the greatest level of flexibility for creating an instance of RaspAP. However, if your goal is to use RaspAP as a component of a larger project, or wish to isolate its dependencies from existing software on your system, consider deploying RaspAP in a Docker container instead.

"},{"location":"quick/#usage","title":"Usage","text":"

The Quick installer has several options for configuring a RaspAP installation. You can get usage notes from your command shell by requesting the installer like so:

curl -sL https://install.raspap.com | bash -s -- --help\n

Appending -s -- [option] to the Quick Install directive will activate one or more options. Several options may be chained together to customize an installation. Examples are given below.

"},{"location":"quick/#examples","title":"Examples","text":"

The installer may be invoked locally or remotely via curl. Examples with both cases and various options are given below.

Invoke installer remotely, run non-interactively with option flags:

curl -sL https://install.raspap.com | bash -s -- --yes --wireguard 1 --adblock 0\n

Invoke remotely, uprgrade an existing install to the Insiders Edition. The --name and --token arguments are optional; if they are not specified the user will be prompted to authenticate with GitHub:

curl -sL https://install.raspap.com | bash -s -- --upgrade --insiders --name <name> --token <token>\n

Invoke remotely, perform an unattended update to the latest release version:

curl -sL https://install.raspap.com | bash -s -- --yes --update --path /var/www/html\n

Run locally specifying a GitHub repo and branch:

raspbian.sh --repo foo/bar --branch my/branch\n

Run locally requesting release info:

raspbian.sh --version\n

"},{"location":"quick/#switches","title":"Switches","text":""},{"location":"quick/#-y-yes-assume-yes","title":"-y, --yes, --assume-yes","text":"

This option enables unattended installations, such that the installer assumes \"yes\" as an answer to all user prompts. This behavior is identical to how the same option with the apt-get package handler works.

"},{"location":"quick/#-c-cert-certificate","title":"-c, --cert, --certificate","text":"

This option installs an SSL certificate with mkcert and configures lighttpd for HTTPS support. It does not (re)install RaspAP. Details are provided here.

"},{"location":"quick/#-o-openvpn-flag","title":"-o, --openvpn <flag>","text":"

Used with the -y, --yes option above, this sets the OpenVPN install option (0 = don't install OpenVPN). Given that OpenVPN support is an optional extra, this enables an unattended setup without installing it.

"},{"location":"quick/#-s-rest-restapi-flag","title":"-s, --rest, --restapi <flag>","text":"

Used with the -y, --yes option above, this sets RestAPI install option (0 = don't install the RestAPI). Given that the RestAPI is an optional extra, this enables an unattended setup without installing it.

"},{"location":"quick/#-a-adblock-flag","title":"-a, --adblock <flag>","text":"

Used with the -y, --yes option above, this sets the Ad Blocking install option (0 = don't install Adblock). Given that Adblock support is an optional extra, this enables an unattended setup without installing it.

"},{"location":"quick/#-w-wireguard-flag","title":"-w, --wireguard <flag>","text":"

Used with the -y, --yes option above, this sets the WireGuard install option (0 = don't install WireGuard). Given that WireGuard support is an optional extra, this enables an unattended setup without installing it.

"},{"location":"quick/#-g-tcp-bbr-flag","title":"-g, --tcp-bbr <flag>","text":"

Used with the -y, --yes option above, this enables kernel support for TCP BBR congestion control (0 = don't configure TCP BBR). Given that TCB BBR support is optional, this enables an unattended setup without enabling it.

"},{"location":"quick/#-e-provider-value","title":"-e, --provider <value>","text":"

Used with the -y, --yes option above, this sets the VPN provider install option. Valid numeric option values are:

  1 = ExpressVPN\n  2 = Mullvad VPN\n  3 = NordVPN\n  0 = None\n

"},{"location":"quick/#-r-repo-repository-name","title":"-r, --repo, --repository <name>","text":"

If you have forked this project to your own GitHub repo, this option lets you override the default GitHub repo (RaspAP/raspap-webgui) used to install RaspAP. An alternate repository name is a required parameter.

"},{"location":"quick/#-b-branch-name","title":"-b, --branch <name>","text":"

Similarly, this option overrides the default git branch. This is useful if you have created a feature branch (my-feature) and wish to perform an installation using the Quick Installer. An alternate branch name is a required parameter.

An example combining the -r, --repo and -b, --branch options is given below:

curl -sL https://install.raspap.com | bash -s -- --repo foo/bar --branch my-feature\n

"},{"location":"quick/#-t-token-accesstoken","title":"-t, --token <accesstoken>","text":"

Specify a GitHub personal access token to authenticate with a private repository. Used together with the -n, --name option (below).

"},{"location":"quick/#-n-name-username","title":"-n, --name <username>","text":"

Specify a GitHub username to access a private repository. An example combining the --token and --name options is given below:

curl -sL https://install.raspap.com | bash -s -- --name billz --token [my-token]\n
"},{"location":"quick/#-u-upgrade","title":"-u, --upgrade","text":"

Upgrades an existing RaspAP installation to the latest release version.

"},{"location":"quick/#-d-update","title":"-d, --update","text":"

Performs a minimal update of an existing installation to the latest release version. This differs from the -u, --upgrade option in several ways. The user is not prompted to install optional RaspAP components, and several steps used for an initial installation are not performed. Existing configuration files remain intact.

"},{"location":"quick/#-p-path-path","title":"-p, --path <path>","text":"

Sets the application path for an existing RaspAP installation.

It may be combined with the -d, --update and -y, --yes options to perform an unattended update. An example is given below:

curl -sL https://install.raspap.com | bash -s -- --update --path /var/www/html --yes\n
"},{"location":"quick/#-i-insiders","title":"-i, --insiders","text":"

Installs from the Insiders Edition (RaspAP/raspap-insiders).

"},{"location":"quick/#-m-minwrite","title":"-m, --minwrite","text":"

Configures a microSD card for minimum write operation.

"},{"location":"quick/#-v-version","title":"-v, --version","text":"

Queries the Github API, outputs the latest RaspAP release version and exits.

"},{"location":"quick/#-n-uninstall","title":"-n, --uninstall","text":"

Loads and executes the uninstaller.

"},{"location":"quick/#-h-help","title":"-h, --help","text":"

Outputs these usage notes and exits.

"},{"location":"quick/#discussions","title":"Discussions","text":"

Questions or comments about using RaspAP's Quick installer? Join the discussions here.

"},{"location":"repeater/","title":"WiFi repeater","text":""},{"location":"repeater/#overview","title":"Overview","text":"

A popular use case for RaspAP is to connect to your wireless network and rebroadcast an existing wireless signal. Often known as a wireless repeater or extender, this setup is particularly useful if you are experiencing problems with \"dead spots\" in your WiFi network. This step-by-step walkthrough will assist you in creating this configuration.

"},{"location":"repeater/#how-a-wifi-repeater-works","title":"How a WiFi repeater works","text":"

A WiFi repeater receives an existing WiFi signal, amplifies it and then transmits the boosted signal. With this arrangment you can effectively double the coverage area of your WiFi network \u2014 reaching far corners of your home or office, different floors, or even extend coverage outside to a yard or garage. A repeater effectively contains two wireless routers and a minimum of two antennas. One of these wireless routers picks up the existing WiFi network. It then transfers the signal to the other wireless router, which retransmits the boosted signal.

Note

A wireless repeater will restrict your maximum throughput. This is because WiFi is a half-duplex system, meaning only one device may transmit data at any given time. The repeater must accept incoming and outgoing packets from clients and forward those packets on to the next WiFi router and accept replies. In practice, you can expect half the bandwidth as a non-boosted signal, as each packet must go over the air twice.

We will create this setup with a WiFi-capable Raspberry Pi (or similar device) and an external USB wireless adapter, or dongle.

"},{"location":"repeater/#steps-to-create-a-repeater","title":"Steps to create a repeater","text":"

Refer to the diagram above as we walk through the steps of creating this configuration.

"},{"location":"repeater/#connect-a-usb-wifi-dongle","title":"Connect a USB WiFi dongle","text":"

Begin by connecting an external wireless adapter to a USB port on your device. Your choice of adapter is important \u2014 external WiFi adapters (ie, \"dongles\") vary greatly in terms of hardware capabilities and driver support. Many do not have support for AP mode, require a powered USB hub, manual driver and/or firmware installation or are otherwise not well suited for this application.

To determine if your USB WiFi adapter is capable of hosting an AP, execute the following:

$ iw list\n...\n    Supported interface modes:\n         * IBSS\n         * managed\n         * AP\n         * P2P-client\n         * P2P-GO\n         * P2P-device\n

If \"AP\" does not appear in the list above, save yourself some time and find another adapter.

You should also pair an adapter with the wireless mode you intend to operate from your device's onboard wireless chipset. For example, if you wish to use a Raspberry Pi 4's 802.11ac 5 GHz wireless mode, make sure your adpater also supports this mode.

We strongly recommend this resource which lists USB WiFi adapters with in-kernel Linux drivers. These will work out of the box on Debian-based devices without installing third-party drivers. You may also wish to skip directly to this short list of \"superstar\" USB WiFi adapters for Linux. Pay special attention to those that are excellent choices for 5 GHz AP mode, if this is desired.

"},{"location":"repeater/#create-the-access-point","title":"Create the access point","text":"

After installing RaspAP your device will broadcast an 802.11g 2.4 GHz access point with the SSID raspap-webgui. By default, this uses your device's onboard wireless adapter and the wlan0 interface. Your AP configuration may be changed at any time, however it's recommended to change the default password at minimum before proceeding. You may also wish to change the SSID and wireless mode.

Note

The 802.11ac 5 GHz option is disabled until you configure your device's wireless regulatory domain. See this FAQ for more information.

"},{"location":"repeater/#connect-device-to-wifi","title":"Connect device to WiFi","text":"

With your USB dongle connected and AP active, use RaspAP's WiFi client interface to select and authenticate with your existing wireless router.

Alternatively, if you've used software such as the Raspberry Pi imager to install an OS on your microSD card, you may choose the \"Configure wireless LAN\" option before booting your device for the first time. This will configure your wpa_supplicant.conf and your device should already be connected to your WLAN. In this case, you may skip this step.

"},{"location":"repeater/#configure-routing","title":"Configure routing","text":"

Your current network configuration will display two default routes. This may be confirmed by checking the Routing table output on RaspAP's Networking interface. In the example below, wlan0 is the AP interface and has a default route (identified by the default label) and a metric value of 303:

Note that our USB adapter is on the wlan1 interface and has a higher metric value of 304. It also has a default route. Until we configure these metrics, our WiFi repeater does not know how to route packets from wlan1 (the client interface) to wlan0 (the AP interface) and vice versa. Clients connected to the AP will not have internet connectivity. Fortunately, this is easily fixed.

Metrics and default routes are used by dhcpcd, the DHCP daemon. Contrary to popular belief, RaspAP does not manipulate the IP routing table or set interface priorities without user input. The Linux kernel sets default metric values when the interface is brought up and will usually choose the network routes it decides is best. The DHCP daemon uses these metrics to prioritize interfaces, where lower values are given a higher priority.

To configure routing for our repeater, select wlan0 (the AP interface, in this example) from the DHCP Server settings interface. Be sure that the \"Install a default route for this interface\" option is disabled.

Scroll to the bottom and set a metric value of 305 for this interface, then choose Save settings:

This instructs the DHCP daemon to treat the wlan0 interface with a lower priority than the wlan1 interface. There's nothing magic about the value \"305\" in this example \u2014 the important thing is that the AP interface has a higher value, and thus a lower priorty, than the wlan1 interface.

For your changes to take effect, choose Restart hotspot from the Hotspot interface.

Behind the scenes, RaspAP has configured the wlan0 interface in /etc/dhcpcd.conf like so:

# RaspAP wlan0 configuration\ninterface wlan0\nstatic ip_address=10.3.141.1/24\nstatic routers=10.3.141.1\nmetric 305\nnogateway\n

This is reflected in the updated routing table, visible on the Networking interface. In the example below, the wlan0 interface hosting the AP no longer has a default route and shows a higher metric value (lower priority) than the wlan1 interface:

If you don't see these changes in the routing table, be sure to restart the hotspot.

"},{"location":"repeater/#alternate-routing-method","title":"Alternate routing method","text":"

Experimental \u00b7 Insiders only

As a convenience, Insiders are able to configure routing automatically by enabling the WiFi repeater mode toggle on the Hotspot > Advanced tab.

Save settings and choose Start hotspot or Restart hotspot to activate the wireless repeater.

Info

As with WiFi client AP mode, the WiFi repeater mode option is disabled or \"greyed out\" until a wireless client is configured.

"},{"location":"repeater/#connecting-clients","title":"Connecting clients","text":"

At this stage, you may connect clients to the AP as you would normally. Two different methods are described here.

"},{"location":"repeater/#switching-interfaces","title":"Switching interfaces","text":"

If you would like to switch the wlan interfaces, select a different interface for the AP on the Hotspot > Basic tab, then choose Save settings. Reverse the DHCP settings in the previous step, then restart the AP or reboot your device. In order to still be able to access the web UI, connect your device via an ethernet cable.

"},{"location":"repeater/#troubleshooting","title":"Troubleshooting","text":"

If your clients do not have internet connectivity, start by following these troubleshooting steps. In most cases, problems may be diagosed and fixed by checking the service logs and RaspAP's Networking interface. Help is available from the sources mentioned here.

"},{"location":"repeater/#speed-testing","title":"Speed testing","text":"

RaspAP hosts a fast, open source and privacy-focused public speed test server that you can use to evaluate your WiFi repeater's performance. The remote host is RaspAP's public speedtest server located in the United States. Additional speedtest hosts distributed in other geographic centers are forthcoming.

"},{"location":"repeater/#discussions","title":"Discussions","text":"

Questions or comments about configuring a WiFi repeater? Join the discussion here.

"},{"location":"restapi/","title":"RestAPI","text":""},{"location":"restapi/#overview","title":"Overview","text":"

Experimental

RaspAP includes support for stateless client-server data exchange via a high performance RESTful API. This allows clients to communicate with the API over HTTP with standard methods such as GET and POST and receive responses in JSON. RaspAP's API is powered by FastAPI, one of the fastest Python frameworks available.

FastAPI makes use of the Uvicorn ASGI web server implementation for Python. This is a minimal, low-level server interface for asynchronous frameworks.

"},{"location":"restapi/#use-cases","title":"Use cases","text":"

A RESTful API operates asynchronously, making it suited for building microservices\u2014small, independent services that function in the context of larger applications. Examples might include a dashboard widget or other integration that consumes JSON data from the API to perform live monitoring of RaspAP's operational state.

Using the API's POST methods (to be announced soon), RaspAP's functions may even be remotely controlled outside of its regular web interface.

"},{"location":"restapi/#installation","title":"Installation","text":"

The RestAPI may be optionally installed by the Quick installer. To install RestAPI support, respond by pressing Enter to accept the default Y option at the following prompt:

RaspAP Install: Configure RestAPI\nInstall and enable RestAPI? [Y/n]:\n

Tip

The RestAPI is enabled by default in RaspAP's Docker container, so if you choose this option there is nothing more for you to do.

The Python language is a requirement for the RestAPI. The Quick installer will detect if Python is not installed on your system and install it for you (Python 3 is installed by default on Raspberry Pi OS). In addition, Python's package manager pip will also be installed. The following Python packages are requirements for the RestAPI:

fastapi\nuvicorn\npsutil\npython-dotenv\n

Note

From Bookworm onwards, packages installed via pip must be installed into a Python Virtual Environment using venv. This has been introduced by the Python community, not by Raspberry Pi; see PEP 668 for more details. The Python modules listed above are installed system-wide with the --break-system-packages flag.

With the software requirements installed, the systemd restapi.service control file will be enabled on your system, as well as the RestAPI management UI:

Moving restapi systemd unit control file to /lib/systemd/system/\nEnabling RestAPI management option\n[ \u2713 ok ]\n

Proceed with the Quick installer and accept the default Y prompt to reboot your system as a final step.

"},{"location":"restapi/#configuration","title":"Configuration","text":"

Following a reboot, the RestAPI service should be up and running. You may check and control its current state by visiting RaspAP's RestAPI administration page. The Status tab will display the operational status of the restapi.service.

"},{"location":"restapi/#generate-an-api-key","title":"Generate an API key","text":"

While the API server is operational, you must generate an API key to authenticate with the service before interacting with it. These steps are described below.

  1. In the API Key field, use the magic icon to generate a 32-character key.
  2. Alternatively, you may create your own key\u2014just be sure it's of a sufficient length and complexity.
  3. Choose Save settings. Your API key is stored in /etc/raspap/api/.env.
  4. Copy your API key to the clipboard for use in the Authorization section.

The restapi.service will be automatically restarted when updating your API key. At this stage, you have a valid API key that may be used to authenticate with the RestAPI. This is described in the next section.

"},{"location":"restapi/#authorization","title":"Authorization","text":"

Now, click or tap the RestAPI docs link to open the documentation in a new window. The API docs are fully interactive, meaning you may test any of the available endpoints and receive a valid server response. Begin by choosing the green Authorize \u00a0 button, shown below:

This will open a dialog where you may enter your API key, which will be passed as an access_token in the HTTP request header. Paste the key you created in the previous step into the \"Value\" text field and choose the Authorize button:

At this stage, the dialog should indicated \"Authorized\". Dismiss the dialog by choosing Close. You may now proceed with testing the API interactively.

"},{"location":"restapi/#testing-endpoints","title":"Testing endpoints","text":"

With authorization done, you may test any of RaspAP's available RestAPI endpoints. Start with the first available /system (Get System) endpoint. Click or tap anywhere in this endpoint's header area and choose the Try it out button. This endpoint takes no parameters, so you may simply use the Execute button to query the API. An example client request and corresponding server response are shown below.

"},{"location":"restapi/#client-requests","title":"Client requests","text":"

Here, we can see a curl GET command with the -H (header) option used to specify the access_token and the API key as the value. The request URL in this example is http://raspberrypi.local:8081/system (yours may differ):

curl -X 'GET' \\\n  'http://raspberrypi.local:8081/system' \\\n  -H 'accept: application/json' \\\n  -H 'access_token: o2eycsnwzacgcukkdkxulmvcva7hou5q'\n
"},{"location":"restapi/#server-responses","title":"Server responses","text":"

The /system API endpoint responds to the above request with several key pieces of data in JSON format:

{\n  \"hostname\": \"raspberrypi\",\n  \"uptime\": \"up 23 hours, 2 minutes\",\n  \"systime\": \"Sun 10 Mar 11:11:11 CET 2024\",\n  \"usedMemory\": 35.46,\n  \"processorCount\": 4,\n  \"LoadAvg1Min\": 0.14,\n  \"systemLoadPercentage\": 3.5,\n  \"systemTemperature\": 46.16,\n  \"hostapdStatus\": 1,\n  \"operatingSystem\": \"Debian GNU/Linux 12 (bookworm)\",\n  \"kernelVersion\": \"6.1.0-rpi4-rpi-v8\",\n  \"rpiRevision\": \"Pi 3 Model B\"\n}\n

The hostapdStatus indicates the current state of the Linux hostapd service, which provides the AP or hotspot. You may copy this data to the clipboard or download it from the test console, if you wish.

"},{"location":"restapi/#systemd-service","title":"Systemd service","text":"

During the RestAPI installation, the Python modules installed by pip are stored in the current user's home directory. For the default pi user in Raspberry Pi OS, this path is /home/pi/.local/bin. In order for the uvicorn module to be found by Python, the systemd service control file specifies the pi user.

If your current user is something other than pi, edit the control file with:

sudo nano /lib/systemd/system/restapi.service\n

Modify the User line to reflect your current user, if necessary:

[Unit]\nDescription=raspap-restapi\nAfter=network.target\n\n[Service]\nUser=pi\nWorkingDirectory=/etc/raspap/api\nLimitNOFILE=4096\nExecStart=/usr/bin/python3 -m uvicorn main:app --host 0.0.0.0 --port 8081\nExecStop=/bin/kill -HUP ${MAINPID}\nRestart=on-failure\nRestartSec=5s\n\n[Install]\nWantedBy=multi-user.target\n

Save and exit the file, then reload the daemon with sudo systemctl daemon-reload.

"},{"location":"restapi/#docker-support","title":"Docker support","text":"

The RestAPI is installed by default in RaspAP's Docker container. This includes configuration of port 8081 used by the server to respond to client requests. Note that the API is also exposed on your system's WAN interface.

"},{"location":"restapi/#troubleshooting","title":"Troubleshooting","text":"

The current status of the restapi.service is available on the RestAPI > Status tab. This is generally the best starting point when diagnosing common problems, such as authorization errors. Note that the service records the most recent API queries, including the requesting IPv4 client address:

raspberrypi python3[3033]: INFO: 192.168.0.102:58844 - \"GET /clients/wlan0 HTTP/1.1\" 200 OK\n

If a remote client is using an invalid API key, for example, this will appear as a 403 Forbidden server response in the Status console. A successful response, like the one above, will return a 200 OK code.

You may also obtain journal entries from the service by executing journalctl -xeu restapi.service from the shell.

"},{"location":"restapi/#discussions","title":"Discussions","text":"

Questions or comments about using the RestAPI? Join the discussion here.
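
Review bot: the unit file in restapi/#systemd-service starts uvicorn with `--host 0.0.0.0 --port 8081`, and the client example sends the key as an `access_token` header to `http://raspberrypi.local:8081/system`, so the documented setup passes the API key in cleartext on every interface; restapi/#docker-support adds that the API is also exposed on the WAN interface. Suggest documenting how to narrow the listener (a specific `--host` address or a firewall rule for port 8081) and how to put TLS in front of the API, and replacing the literal key in the curl example with an obvious placeholder. Separately, restapi/#installation says the modules are installed system-wide with `--break-system-packages` while restapi/#systemd-service says they are stored in the current user's home directory; the two statements should agree, since the advice on the `User=` line depends on which is true. "should indicated" in restapi/#authorization is a typo.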

"},{"location":"speedtest/","title":"Speed testing","text":""},{"location":"speedtest/#overview","title":"Overview","text":"

An internet speed test measures the connection speed and quality of your connected device to a remote host. Many speed test services perform multiple consecutive tests that evaluate different aspects of your internet connection, including ping (latency), download and upload speed. A fourth metric, known as jitter, measures variation in the latency of a flow of packets between two systems. Jitter is said to occur when some packets take longer to travel from one system to the other. The most common causes of jitter are network congestion, timing drift and changes in packet routing.

"},{"location":"speedtest/#troubleshooting","title":"Troubleshooting","text":"

Speed tests can be useful in diagnosing many issues, such as a fault with a service provider or a misconfigured device on your network. The speed of your connection may also vary due to factors such as the time of day. This is especially true of places such as educational or work environments where many users may be sharing the same internet connection. Known as a contention ratio, this refers to how many other users are contending for their share of available bandwidth. The higher the contention the more likely you are to experience a slow connection at peak times.

Periodic speed tests can help you identify the best time of day to perform your tasks. They are also useful for sharing diagnostic results with an ISP or network engineer.

"},{"location":"speedtest/#raspaps-speedtest-server","title":"RaspAP's speedtest server","text":"RaspAP Speedtest - https://speedtest.raspap.com/

RaspAP provides a simple, fast and mobile-friendly public speedtest server that evaluates your internet speed using the criteria mentioned above. In addition, it reports your public IP address, ISP and distance from the speedtest server. When the test is complete, you can share the results of your test with a generated image and a link to results.

Importantly, and notably different from other services, RaspAP's Speedtest is completely open source and privacy focused \u2014 meaning we do not share your data with third-parties or attempt to monetize results in any way.

"},{"location":"speedtest/#wifi-speed-test","title":"WiFi speed test","text":"

Experimental \u00b7 Insiders only

A tool to evaluate your local WiFi network's performance is available on the Networking > Diagnostics tab. This permits testing of both local WiFi network throughput (that is, data transferred between the device hosting RaspAP and your wireless clients) and internet speed (data transfer between wireless clients and a remote host). A WiFi speed test is a useful diagnostic tool to determine if connectivity issues are due to your ISP, your wireless connection or an issue with the device hosting your AP.

The WiFi speed test uses a local speedtest instance hosted by your RaspAP installation. The test is performed on a device connected to RaspAP's wireless access point. The remote host is RaspAP's public speedtest server located in the United States. Additional speedtest hosts distributed in other geographic centers are forthcoming.

"},{"location":"speedtest/#discussions","title":"Discussions","text":"

Questions or comments about RaspAP's speed test? Join the discussion here.

"},{"location":"ssl/","title":"SSL certificates","text":""},{"location":"ssl/#overview","title":"Overview","text":"

HTTPS prevents network attackers from observing or injecting page contents. This is desirable for server applications like RaspAP \u2014 or indeed any locally hosted web application. But HTTPS requires TLS certificates, and while deploying public websites is largely a solved issue thanks to the ACME protocol and Let's Encrypt, local web servers still mostly use HTTP because no one can get a universally valid certificate for localhost.

"},{"location":"ssl/#locally-trusted-certificates","title":"Locally trusted certificates","text":"

Managing your own Certificate Authority (CA) is the best solution, but this usually requires an involved manual setup routine. An excellent solution for local websites is mkcert. This is a zero-config tool for making locally-trusted certificates with any name you like. mkcert automatically creates and installs a local CA in the system root store and generates locally-trusted certificates. It also works perfectly well with RaspAP. This allows you to generate a trusted certificate for a hostname (for example, raspap.local) or IP address because it only works for you.

Here's the twist: it doesn't generate self-signed certificates, but certificates signed by your own private CA. This tool does not automatically configure servers or mobile clients to use the certificates, though \u2014 that's up to you. These steps are covered in detail below.

Read more about mkcert here and follow the project on GitHub.

"},{"location":"ssl/#creating-a-certificate","title":"Creating a certificate","text":"

There are two options to go about creating a self-signed certificate with mkcert: 1) manually, or 2) with the Quick installer. Both methods are described below.

"},{"location":"ssl/#manual-steps","title":"Manual steps","text":"

Follow the steps below to generate and install a locally-trusted certificate for RaspAP. The local domain raspap.local is used in the examples below. You may substitute this with the default raspberrypi.local or your own hostname.

Tip

If you've changed your hostname prior to starting this process, be sure to reboot your device for the change to take effect.

Start by installing the pre-built binary for Arch Linux ARM on your Raspberry Pi:

sudo wget https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm -O /usr/local/bin/mkcert\nsudo chmod +x /usr/local/bin/mkcert\nmkcert -install\n
You should see output like the following:
Using the local CA at \"/home/pi/.local/share/mkcert\" \u2728\nThe local CA is now installed in the system trust store! \u26a1\ufe0f\n
Generate a certificate for raspap.local:
cd /home/pi\nmkcert raspap.local \"*.raspap.local\" raspap.local\n
You should see output like the following:
Using the local CA at \"/home/pi/.local/share/mkcert\" \u2728\n\nCreated a new certificate valid for the following names \ud83d\udcdc\n - \"raspap.local\"\n - \"*.raspap.local\"\n - \"raspap.local\"\n\nReminder: X.509 wildcards only go one level deep, so this won't match a.b.raspap.local \u2139\ufe0f\nThe certificate is at \"./raspap.local+2.pem\" and the key at \"./raspap.local+2-key.pem\" \u2705\n
Next, combine the private key and certificate:
cat raspap.local+2-key.pem raspap.local+2.pem > raspap.local.pem\n
Create a directory for the combined .pem file in lighttpd:
sudo mkdir /etc/lighttpd/ssl\n
Set permissions and move the .pem file:
chmod 400 /home/pi/raspap.local.pem\nsudo mv /home/pi/raspap.local.pem /etc/lighttpd/ssl\n
Edit the lighttpd configuration with sudo nano /etc/lighttpd/lighttpd.conf. Add the following block to enable SSL with your new certificate:

server.modules += (\"mod_openssl\")\n$SERVER[\"socket\"] == \":443\" {\n  ssl.engine = \"enable\"\n  ssl.pemfile = \"/etc/lighttpd/ssl/raspap.local.pem\"\n  ssl.ca-file = \"/home/pi/.local/share/mkcert/rootCA.pem\"\n  server.name = \"raspap.local\"\n  server.document-root = \"/var/www/html\"\n}\n

Optionally, you can redirect all HTTP requests to HTTPS like so:

$SERVER[\"socket\"] == \":80\" {\n  $HTTP[\"host\"] =~ \"(.*)\" {\n    url.redirect = ( \"^/(.*)\" => \"https://%1/$1\" )\n  }\n}\n
Save your changes and quit out of the editor with Ctrl+X followed by Y and finally Enter.

Restart the lighttpd service:

sudo systemctl restart lighttpd\n
Verify that lighttpd has restarted without errors:
sudo systemctl status lighttpd\n
You should see a response like the following:
\u25cf lighttpd.service - Lighttpd Daemon\n     Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)\n     Active: active (running) since Sun 2023-03-26 10:09:46 CEST; 5 days ago\n   Main PID: 1080 (lighttpd)\n      Tasks: 6 (limit: 779)\n        CPU: 5min 17.332s\n     CGroup: /system.slice/lighttpd.service\n             \u251c\u25001080 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf\n             \u251c\u25001168 /usr/bin/php-cgi\n             \u251c\u25001185 /usr/bin/php-cgi\n             \u251c\u25001186 /usr/bin/php-cgi\n             \u251c\u25001187 /usr/bin/php-cgi\n             \u2514\u25001188 /usr/bin/php-cgi\n\nMar 30 18:23:38 raspap lighttpd[1433]: Syntax OK\nMar 30 18:23:38 raspap systemd[1]: Started Lighttpd Daemon.\n
Now, copy rootCA.pem to your lighttpd web root:
sudo cp /home/pi/.local/share/mkcert/rootCA.pem /var/www/html\n

Important

Do not share the rootCA-key.pem file.

Finish by following the client configuration steps below.

"},{"location":"ssl/#quick-installer","title":"Quick installer","text":"

The Quick Installer may also be used to generate SSL certs with mkcert. The installer automates the manual steps described above, including configuring lighttpd with SSL support. It's recommended to review these steps to have an idea of what is happening behind the scenes.

Invoke the Quick installer and specify the -c or --cert option, like so:

curl -sL https://install.raspap.com | bash -s -- --cert\n

Note

Executing the Quick installer only installs mkcert and generates an SSL certificate with the input you provide. It does not (re)install RaspAP.

$ curl -sL https://install.raspap.com | bash -s -- --cert\n\n\n 888888ba                              .d888888   888888ba\n 88     8b                            d8     88   88     8b\na88aaaa8P' .d8888b. .d8888b. 88d888b. 88aaaaa88a a88aaaa8P\n 88    8b. 88    88 Y8ooooo. 88    88 88     88   88\n 88     88 88.  .88       88 88.  .88 88     88   88\n dP     dP  88888P8  88888P  88Y888P  88     88   dP\n                             88\n                             dP      version 3.2.1\n\nThe Quick Installer will guide you through a few easy steps\n\n\nRaspAP mkcert: Configure a new SSL certificate\nCurrent system hostname is raspap\nCreate an SSL certificate for raspap.local? (Recommended) [y/N] y\nInstall to lighttpd SSL directory: /etc/lighttpd/ssl? [y/N]: y\n***************************************************************\nA new SSL certificate for: raspap.local\nwill be installed to lighttpd SSL directory: /etc/lighttpd/ssl\n***************************************************************\nComplete installation with these values? [y/N]: y\nRaspAP mkcert: Fetching mkcert binary\nRaspAP mkcert: Installing mkcert\nUsing the local CA at \"/home/pi/.local/share/mkcert\" \u2728\nThe local CA is already installed in the system trust store! \ud83d\udc4d\nWarning: \"certutil\" is not available, so the CA can't be automatically installed in Firefox and/or Chrome/Chromium! \u26a0\ufe0f\nInstall \"certutil\" with \"apt install libnss3-tools\" and re-run \"mkcert -install\" \ud83d\udc48\n\nRaspAP mkcert: Generating a new certificate for raspap.local\nUsing the local CA at \"/home/pi/.local/share/mkcert\" \u2728\nWarning: the local CA is not installed in the Firefox and/or Chrome/Chromium trust store! 
\u26a0\ufe0f\nRun \"mkcert -install\" to avoid verification errors \u203c\ufe0f\nCreated a new certificate valid for the following names \ud83d\udcdc\n - \"raspap.local\"\n - \"*.raspap.local.local\"\n - \"raspap.local\"\n\nReminder: X.509 wildcards only go one level deep, so this won't match a.b.raspap.local.local \u2139\ufe0f\n\nThe certificate is at \"./raspap.local+2.pem\" and the key at \"./raspap.local+2-key.pem\" \u2705\n

The installer will guide you through the steps of creating a certificate, as shown above. Complete the installation by following the client configuration steps below.

"},{"location":"ssl/#client-configuration","title":"Client configuration","text":"

Open a browser and enter the following address, substituting the domain name you chose in the steps above: http://raspap.local/rootCA.pem. Download the root certificate to your client and add it to your system keychain. Examples below illustrate this process on macOS:

Be sure to set this certificate to \"Always trust\" to avoid browser warnings.

Finally, enter the address https://raspap.local in your browser. Enjoy an encrypted SSL connection to RaspAP.

"},{"location":"ssl/#mobile-devices","title":"Mobile devices","text":"

For the certificates to be trusted on mobile devices and remote clients, you will have to install the root CA using the method described above. Alternatively, on iOS, you can either use AirDrop or email the CA to yourself. After installing it, be sure to enable full trust.

More advanced topics are covered at mkcert.

"},{"location":"ssl/#discussions","title":"Discussions","text":"

Questions or comments about using SSL certificates? Join the discussion here.
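
Review bot: in ssl/#manual-steps the `mkcert-v1.3.0-linux-arm` binary is written straight to `/usr/local/bin/mkcert` with `sudo wget` and then executed with no integrity check, and ssl/#client-configuration has the client fetch its trust anchor from `http://raspap.local/rootCA.pem`, an unauthenticated channel. Suggest adding a step that verifies the downloaded binary (for example, comparing its SHA-256 with a value recorded in the docs) before `chmod +x`, and telling readers to compare the root certificate's fingerprint on the client with the one on the Pi before setting it to "Always trust". Two wording problems in the same entries: ssl/#creating-a-certificate speaks of "creating a self-signed certificate with mkcert" although ssl/#locally-trusted-certificates states that mkcert does not generate self-signed certificates, and the Quick installer transcript lists `*.raspap.local.local`, which does not match the `*.raspap.local` name produced in the manual steps.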

"},{"location":"translations/","title":"Translations","text":""},{"location":"translations/#overview","title":"Overview","text":"

Owing to its utility and low cost, the Raspberry Pi's reach extends to all corners of the globe. As our way of honoring this, we've made an effort to support internationalization (often abbreviated i18n) with RaspAP. Given the response from this issue it became obvious that translations are something that the community both wanted and were willing to contribute to.

"},{"location":"translations/#about-locales","title":"About locales","text":"

On Linux systems, GNU's Gettext provides a standardized way of managing multi-lingual messages. In order for Gettext to work with different languages, you must configure a language package on your RPi corresponding to one of our supported translations.

To list languages currently installed on your system, use locale -a at the shell prompt. On a fresh install of Raspbian, this should return a list like the one below:

$ locale -a\nC\nC.UTF-8\nen_GB.utf8\nPOSIX\n

To generate new locales, run sudo dpkg-reconfigure locales and select any other desired locales. Here is a useful list of ISO 639 language codes. Important: be sure to select UTF-8 as this is the preferred encoding.

For example, on an RPi with many locales installed, locale -a would output something like this:

$ locale -a\nC           # fall-back, ASCII encoding, same as POSIX\nde_DE.utf8      # German language,     Germany,     UTF-8 encoding\nfr_FR.utf8      # French language,     France,      UTF-8 encoding\nit_IT.utf8      # Italian language,    Italy,       UTF-8 encoding\nja_JP.utf8      # Japanese language,   Japan,       UTF-8 encoding\nen_GB.utf8      # English language,    GB,          UTF-8 encoding\nen_US.utf8      # English language,    USA,         UTF-8 encoding\npt_BR.utf8      # Portuguese language, Brazil,      UTF-8 encoding\nPOSIX           # fall-back, ASCII encoding, same as C\n

Once you've configured a locale on your system, RaspAP will read the HTTP_ACCEPT_LANGUAGE string and use this to load your desired language in the UI. Alternatively, you can also select a different language from the Language tab in the System menu.

Important: If you configured a new locale after installing RaspAP, you must restart lighttpd for the changes to take effect:

sudo systemctl restart lighttpd.service\n
"},{"location":"translations/#supported-languages","title":"Supported languages","text":"

The following translations are currently maintained by the project:

Language Locale Deutsch de_DE.UTF-8 Dansk da_DK.UTF-8 Fran\u00e7ais fr_FR.UTF-8 Italiano it_IT.UTF-8 Portugu\u00eas pt_BR.UTF-8 Svenska sv_SE.UTF-8 Nederlands nl_NL.UTF-8 \u6b63\u9ad4\u4e2d\u6587 (Chinese traditional) zh_TW.UTF-8 \u7b80\u4f53\u4e2d\u6587 (Chinese simplified) zh_CN.UTF-8 Indonesian id_ID.UTF-8 \ud55c\uad6d\uc5b4 (Korean) ko_KR.UTF-8 \u65e5\u672c\u8a9e (Japanese) ja_JP.UTF-8 Ti\u1ebfng Vi\u1ec7t vi_VN.UTF-8 \u010ce\u0161tina cs_CZ.UTF-8 \u0420\u0443\u0441\u0441\u043a\u0438\u0439 ru_RU.UTF-8 Polskie pl_PL.UTF-8 Rom\u00e2n\u0103 ro_RO.UTF-8 Espa\u00f1ol es_MX.UTF-8 Finnish fi_FI.UTF-8 T\u00fcrk\u00e7e tr_TR.UTF-8 \u03b5\u03bb\u03bb\u03b7\u03bd\u03b9\u03ba\u03cc el_GR.UTF-8

We are certainly not limited to the above. If you are willing and able to translate RaspAP in your language, you will be credited as the original translator.

"},{"location":"translations/#contributing-to-a-translation","title":"Contributing to a translation","text":"

RaspAP now has a translation project home at Crowdin. This is the place to go for all volunteers who would like to contribute to our ongoing translation efforts.

"},{"location":"translations/#how-to-become-a-translator","title":"How to become a translator","text":"

The process is very straightforward. Start by signing up for a free account at Crowdin. Once you are logged in, head over to our project home.

Here you will find our supported translations, recent activity, discussions and so on. You can get started by simply choosing the language you'd like to contribute to. For more info, see Crowdin's detailed walkthrough of the translation process.

"},{"location":"translations/#discussions","title":"Discussions","text":"

Questions or comments about RaspAP's translations? Join the discussion here.

"},{"location":"wireguard/","title":"WireGuard","text":""},{"location":"wireguard/#overview","title":"Overview","text":"

WireGuard\u00ae is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be considerably more performant than OpenVPN, and is generally regarded as the most secure, easiest to use, and simplest VPN solution for modern Linux distributions.

WireGuard may be optionally installed by the Quick Installer. Once this is done, you can manage both local and remote server settings, create a peer configuration and control the wg-quick service with RaspAP.

"},{"location":"wireguard/#securing-your-wireless-network","title":"Securing your wireless network","text":"

RaspAP gives you two ways to create a secure WireGuard tunnel: 1) by uploading a .conf file from your VPN provider, or 2) by creating a manual configuration. Each method is described and demonstrated with a short video below.

"},{"location":"wireguard/#file-upload","title":"File upload","text":"

This method may be used if you are using a commerical WireGuard VPN provider, a self-hosted or other remote WG server. In these cases, it's assumed you have an existing WireGuard .conf file and wish to upload this to RaspAP.

Note

The term \"server\" is used here as a convenience. WireGuard does not make a distinction between client and server roles. Instead, each node is considered a \"peer\" in a WireGuard network.

To do this, select the Upload file option under Configuration Method, select a valid WireGuard configuration file and choose Save settings. If your .conf file does not contain iptables PostUp or PostDown rules and you wish to route traffic through the active AP interface, select the Apply iptables rules for AP interface option before uploading your configuration file.

Attention

For security reasons, your WireGuard .conf file must have a Linux MIME type of text/plain. Windows ignores MIME types, relying instead on extensions. To avoid errors, be sure your file has a text/plain MIME type embedded in it before uploading.

The complete process of creating a WireGuard configuration with Mullvad and activating it with RaspAP is demonstrated in the video below.

It should be noted that RaspAP has no affiliation whatsoever with Mullvad. In fact, Mullvad does not use affiliates or pay for reviews. Members of RaspAP's Insiders community have requested support for this VPN provider.

"},{"location":"wireguard/#starting-wireguard","title":"Starting WireGuard","text":"

RaspAP will handle uploading your .conf file and, optionally, applying any iptables rules. To enable the tunnel, choose Start WireGuard. The WireGuard protocol is extremely fast, so in most cases your new public IPv4 address will be indicated almost immediately. Click or tap the icon to open a new window with details about your public IP.

"},{"location":"wireguard/#verifying-client-connections","title":"Verifying client connections","text":"

If you have chosen to route traffic from the wg0 interface to the AP interface, you may verify that your clients are secured by the WireGuard VPN. Start by connecting a client to your AP while WireGuard is enabled. Again, using Mullvad as an example, visit their connection check page on your client device. If the tunnel is working correctly, you should see a result like the following:

If any of the above checks fail, enable WireGuard service logging in RaspAP and check the output. You may also consult your VPN provider's support.

"},{"location":"wireguard/#ipv6-considerations","title":"IPv6 considerations","text":"

RaspAP currently handles routing of IPv4 traffic only. For this reason, WireGuard server connections and traffic tunneled on IPv6 are incompatible. The solution is to specify IPv4 in your WireGuard VPN provider's advanced options (Mullvad is shown below):

Alternatively, open your .conf file in a text editor and ensure that the Address and AllowedIPs settings use IPv4 addresses only, like so:

[Interface]\nPrivateKey = \u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\nAddress = 10.64.171.100/32\nDNS = 193.138.218.74\n\n[Peer]\nPublicKey = /pS3lXg1jTJ7I58GD/s/4GNL2B0U8JNbjbH9Ddh0myw=\nAllowedIPs = 0.0.0.0/0\nEndpoint = 185.254.75.3:51820\n

When this is done, you are ready to upload your configuration to RaspAP.

"},{"location":"wireguard/#manual-configuration","title":"Manual configuration","text":"

Alternatively, RaspAP gives you full control over creating a manual WireGuard configuration. This method is useful if you wish to secure your local wireless network\u2014that is, between your device running RaspAP and the clients connected to it.

WireGuard requires a public and private keypair for each device you wish to have access to the VPN tunnel. RaspAP simplifies this process with a magic button associated with each public key input field. Simply click or tap this button to securely generate a cryptographic keypair for both the server and peer.

Several default values are provided for you as a starting point. These are intended to get a VPN tunnel up and running quickly. They may be modified to suit your needs.

After the keypairs are generated, simply choose Save settings followed by Start WireGuard.

The video walkthrough below illustrates the steps of configuring a WireGuard tunnel from start to finish.

Your browser does not support the video tag.

Due to WireGuard\u2019s design, both computers on either end of the VPN tunnel will need to have each other's public key. This is discussed below.

Note

For security reasons, the local (server) private key is not displayed in the UI. The peer private key is encoded in the QR code and available to download in the client.conf file.

If you wish to regenerate local or peer keypairs (or both), simply tap or click the magic button and choose Save settings. Alternatively, to remove a server or peer configuration entirely, disable the desired toggle and Save settings. This will delete the public/private keypair and the associated configuration.

"},{"location":"wireguard/#peer-configuration","title":"Peer configuration","text":"

RaspAP processes the values in the WireGuard Settings and Peer tabs and creates two configurations for you: wg0.conf and client.conf. The former is used to configure the local (server) side of the VPN tunnel. The latter peer configuration is generated as a QR code on the Peer tab. Clients such as mobile devices may scan the QR code to transfer client.conf and import it into an associated WireGuard client application.

Note

For this experimental release, a single peer configuration may be created. The ability to manage multiple peer configurations is on the project roadmap.

Your peer will need to have WireGuard installed as well. For installing WireGuard on other systems, please see Wireguard's website.

"},{"location":"wireguard/#tunneling-traffic","title":"Tunneling traffic","text":"

RaspAP uses WireGuard's PostUp and PostDown firewall rules to forward traffic from the wg0 interface to your configured wireless interface. In the example below, the default AP interface wlan0 is used:

iptables -A FORWARD -i wlan0 -o wg0 -j ACCEPT\niptables -A FORWARD -i wg0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT\niptables -t nat -A  POSTROUTING -o wg0 -j MASQUERADE\n

These iptables rules are defined in WireGuard's default settings and may be modified if you wish.

Note

If your VPN server is behind a NAT, you will need to open a UDP port of your choosing (51820 is the default).

"},{"location":"wireguard/#kill-switch","title":"Kill switch","text":"

Experimental \u00b7 Insiders only

In the event that the WireGuard tunnel accidentally goes down, unencrypted traffic may reveal your real IP address. To prevent this from happening, additional PostUp and PreDown rules may be added to the firewall. Simply choose the Enable kill switch option when uploading your WireGuard configuration:

These rules are automatically appended to your configuration.

Note

Some VPN providers give you the option of adding these rules to their Linux configurations. Skip this option as RaspAP needs to add an exclusion rule for your AP interface.

"},{"location":"wireguard/#multiple-configs","title":"Multiple configs","text":"

Experimental \u00b7 Insiders only

RaspAP lets you manage multiple WireGuard configurations. This includes the ability to upload, activate and delete any number of valid wg .conf files. Select the Apply iptables rules for AP interface option when uploading your .conf file to automatically route traffic to connected peers on the AP interface.

Thereafter, switching between your saved configurations is done by simply activating the desired profile. Activating a profile will restart the wg-quick service automatically. Additionally, WireGuard service activity may be tracked on the Logging tab.

"},{"location":"wireguard/#low-overhead","title":"Low overhead","text":"

Due to its low overhead compared with OpenVPN, WireGuard is well-suited for applications where battery longevity is a concern. As described by its developer, WireGuard isn't a chatty protocol. For the most part, it only transmits data when a peer wishes to send packets. When it's not being asked to send packets, it stops sending packets until it is asked again.

As a result, your wireless adapter has a higher likelihood of being able to idle down, which leads to better battery life.

"},{"location":"wireguard/#troubleshooting","title":"Troubleshooting","text":"

See the FAQ section for WireGuard.

"},{"location":"wireguard/#discussions","title":"Discussions","text":"

Questions or comments about using WireGuard? Join the discussion here.

"},{"location":"wlanrouting/","title":"Wireless LAN routing","text":""},{"location":"wlanrouting/#overview","title":"Overview","text":"

Experimental \u00b7 Insiders only

RaspAP is often used to share internet from an Ethernet connection or other network device through a wireless access point (AP), or act as a wireless repeater. However, in certain scenarios, it can be extremely useful to share internet from a wireless LAN (WLAN) with clients connected via an Ethernet or USB-Ethernet connection. Many RaspAP users have requested this functionality, so an easy-to-use solution was developed to fulfill this need.

"},{"location":"wlanrouting/#solution","title":"Solution","text":"

To create this setup, the target interface must be configured with a static IP address and have DHCP enabled. This is similar to how RaspAP's default wireless access point is configured. To simplify this process, RaspAP uses predefined subnets for the eth0 and predictable enx interfaces. The relevant portions of this configuration are shown below:

\"dhcp\": {\n    ...\n    \"eth0\": {\n      \"static ip_address\": [ \"192.168.55.1/24\" ],\n      \"static routers\": [ \"192.168.55.1\" ],\n      \"static domain_name_server\": [ \"1.1.1.1 8.8.8.8\" ],\n      \"subnetmask\": [ \"255.255.255.0\" ]\n    },\n    \"enx\": {\n      \"static ip_address\": [ \"192.168.60.1/24\" ],\n      \"static routers\": [ \"192.168.60.1\" ],\n      \"static domain_name_server\": [ \"1.1.1.1 8.8.8.8\" ],\n      \"subnetmask\": [ \"255.255.255.0\" ]\n    }\n
\"dnsmasq\": {\n    ...\n    \"eth0\": {\n      \"dhcp-range\": [ \"192.168.55.50,192.168.55.150,12h\" ]\n    },\n    \"enx\": {\n      \"dhcp-range\": [ \"192.168.60.50,192.168.60.150,12h\" ]\n    }\n  }\n

These default settings are applied automatically, however you may modify them as you wish from the DHCP Server administration page.

In addition to these settings, Network Address Translation (NAT) rules must be applied to enable packet routing between the desired interfaces. These iptables rules also need to be added when the connection is active, and removed when the connection is deactivated. This is roughly analogous to how WireGuard's PostUp and PostDown rules function.

"},{"location":"wlanrouting/#steps-to-enable-wlan-routing","title":"Steps to enable WLAN routing","text":""},{"location":"wlanrouting/#configure-wireless-client","title":"Configure wireless client","text":"

To create this configuration, begin by configuring your device as a wireless client, or station, with RaspAP's WiFi client page or by preconfiguring your OS for wireless LAN operation. Optionally, connect an external wireless adapter to an available USB port.

"},{"location":"wlanrouting/#check-wireless-connectivity","title":"Check wireless connectivity","text":"

Ensure that you have a stable wireless connection to your router. The Wireless Client widget on RaspAP's dashboard will indicate its status and link quality.

"},{"location":"wlanrouting/#attach-ethernet-or-usb-ethernet-adapter","title":"Attach Ethernet or USB-Ethernet adapter","text":"

Next, attach an Ethernet cable or a USB-Ethernet adapter to an available port, and connect a device you wish to provide internet connectivity to. This could be a laptop, hub or other Ethernet-capable network device. This device will typically be assigned a network interface name by the operating system, such as eth0 or eth1. If your system is configured to use predictable interface names, it may incorporate the interfaces's MAC address (for example, enx78e7d1ea46da).

Verify your attached device by checking the output on RaspAP's Networking > Summary tab.

Tip

Many USB-Ethernet adapters are available at low cost. If you choose this option, buy one from a reputable brand. When in doubt, verify your adapter by testing it with a laptop or other device. Note that a regular USB cable, rather than a USB-Ethernet adapter, is not designed for direct Ethernet communication.

"},{"location":"wlanrouting/#configure-raspaps-settings","title":"Configure RaspAP's settings","text":"

Now, from RaspAP's Networking > WLAN Routing tab, choose your wireless client interface and output interface (typically, eth0 or enx). Select the \"Configure a static IP address and DHCP for output interface\" option toggle, choose Save settings and lastly Start WLAN routing.

A system configured with predictable interface names is shown, above.

Note

If a wireless client connection is not detected on your system, it will be indicated as \"not configured\" in the interface. The Start WLAN routing button will also be disabled until an active wireless client connection is present.

"},{"location":"wlanrouting/#check-ethernet-connectivity","title":"Check ethernet connectivity","text":"

Finally, confirm internet connectivity on your Ethernet-equipped client device. Optionally, you may wish to perform a speed test. If you want to stop wireless LAN routing, simply choose Stop WLAN routing. The iptables NAT rules added by RaspAP will be removed from your system. The associated DHCP and dnsmasq configurations will be removed as well.

Tip

RaspAP's default subnets are added for convenience. If you wish to create a custom configuration for your clients, you may do so from the DHCP Server page. Be sure to Save settings and restart dsnmasq to apply your changes. If your interface is named something other than eth0 or enx you must create your own DHCP configuration.

"},{"location":"wlanrouting/#troubleshooting","title":"Troubleshooting","text":"

If clients do not have internet connectivity, ensure that the attached Ethernet device appears on the Networking > Summary tab. Faulty Ethernet cables and USB-Ethernet adapters are common culprits.

Be sure that you've selected the option to configure a static IP address and DHCP for the output interface on the Networking > WLAN Routing tab. If you've configured your own subnet for this purpose, ensure that the settings are correct on the DHCP server page and that the dnsmasq service was restarted after saving them.

Finally, while wireless LAN routing is active, you may confirm that the iptables NAT rules are active by executing the following:

sudo iptables -t nat -L -v\n

This should output the POSTROUTING, MASQUERADE and FORWARD rules for the interfaces you've selected. If not, confirm that this option is active on the Networking > WLAN Routing tab, then choose Restart WLAN routing.

"},{"location":"wlanrouting/#discussions","title":"Discussions","text":"

Questions or comments about using wireless LAN routing? Join the discussion here.

"}]} \ No newline at end of file diff --git a/sitemap.xml.gz b/sitemap.xml.gz index 9e000f5..7607e6e 100644 Binary files a/sitemap.xml.gz and b/sitemap.xml.gz differ diff --git a/ssl/index.html b/ssl/index.html index 09b1733..26bf521 100644 --- a/ssl/index.html +++ b/ssl/index.html @@ -1245,8 +1245,51 @@

Quick installer

Note

Executing the Quick installer only installs mkcert and generates an SSL certificate with the input you provide. It does not (re)install RaspAP.

-

-

The installer will walk you through the steps of creating a certificate. Complete the installation by following the client configuration steps below.

+
$ curl -sL https://install.raspap.com | bash -s -- --cert
+
+
+ 888888ba                              .d888888   888888ba
+ 88     8b                            d8     88   88     8b
+a88aaaa8P' .d8888b. .d8888b. 88d888b. 88aaaaa88a a88aaaa8P
+ 88    8b. 88    88 Y8ooooo. 88    88 88     88   88
+ 88     88 88.  .88       88 88.  .88 88     88   88
+ dP     dP  88888P8  88888P  88Y888P  88     88   dP
+                             88
+                             dP      version 3.2.1
+
+The Quick Installer will guide you through a few easy steps
+
+
+RaspAP mkcert: Configure a new SSL certificate
+Current system hostname is raspap
+Create an SSL certificate for raspap.local? (Recommended) [y/N] y
+Install to lighttpd SSL directory: /etc/lighttpd/ssl? [y/N]: y
+***************************************************************
+A new SSL certificate for: raspap.local
+will be installed to lighttpd SSL directory: /etc/lighttpd/ssl
+***************************************************************
+Complete installation with these values? [y/N]: y
+RaspAP mkcert: Fetching mkcert binary
+RaspAP mkcert: Installing mkcert
+Using the local CA at "/home/pi/.local/share/mkcert" ✨
+The local CA is already installed in the system trust store! 👍
+Warning: "certutil" is not available, so the CA can't be automatically installed in Firefox and/or Chrome/Chromium! ⚠ī¸
+Install "certutil" with "apt install libnss3-tools" and re-run "mkcert -install" 👈
+
+RaspAP mkcert: Generating a new certificate for raspap.local
+Using the local CA at "/home/pi/.local/share/mkcert" ✨
+Warning: the local CA is not installed in the Firefox and/or Chrome/Chromium trust store! ⚠ī¸
+Run "mkcert -install" to avoid verification errors â€ŧī¸
+Created a new certificate valid for the following names 📜
+ - "raspap.local"
+ - "*.raspap.local.local"
+ - "raspap.local"
+
+Reminder: X.509 wildcards only go one level deep, so this won't match a.b.raspap.local.local ℹī¸
+
+The certificate is at "./raspap.local+2.pem" and the key at "./raspap.local+2-key.pem" ✅
+
+

The installer will guide you through the steps of creating a certificate, as shown above. Complete the installation by following the client configuration steps below.

Client configuration

Open a browser and enter the following address, substituting the domain name you chose in the steps above: http://raspap.local/rootCA.pem. Download the root certificate to your client and add it to your system keychain. Examples below illustrate this process on macOS:
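
Review bot: The sample output added to ssl/index.html lists the certificate names as "raspap.local", "*.raspap.local.local" and "raspap.local" again, so the docs now present a wildcard with a doubled .local suffix and a duplicate name as the expected result. mkcert's own reminder a few lines later states that this wildcard only matches one level under raspap.local.local, which is not a name the reader was asked to choose. It looks as though the hostname has .local appended a second time before it reaches mkcert. Suggest regenerating the transcript once that is fixed, or trimming the name list so it does not read as intended behaviour. The transcript also ends with the certificate and key at "./raspap.local+2.pem" and "./raspap.local+2-key.pem" although the prompt offered to install to /etc/lighttpd/ssl, so either include the lines that show the copy into that directory or say where the files end up in the sentence that follows. The warning glyphs in the added lines appear garbled here (for example after "Chrome/Chromium!"), so the encoding of the pasted block is worth checking.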

@@ -1278,7 +1321,7 @@

Discussions

- November 12, 2024 + November 21, 2024
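
Review bot: In the regenerated search/search_index.json, the wlanrouting/#troubleshooting entry says that "sudo iptables -t nat -L -v" should output the POSTROUTING, MASQUERADE and FORWARD rules, but that command lists only the nat table, which has no FORWARD chain. The FORWARD rules shown in the wireguard/#tunneling-traffic entry are added without "-t nat", so they sit in the filter table and will not appear in that output. A reader following the troubleshooting step would conclude that forwarding rules are missing when they are not. Suggest either adding a second command such as "sudo iptables -L FORWARD -v" or dropping FORWARD from the sentence. The same page's tip reads "restart dsnmasq" for dnsmasq, and the Attach Ethernet entry has "interfaces's". All three should be corrected in the source pages and the index regenerated, rather than edited in this generated file.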