Wi-Fi Hotspot in Linux

26 Feb 2025|4 minute read

I often find myself in a situation where I need to temporarily connect to a certain network with a device that is usually offline. For various reasons, it is advantageous to create a temporary Wi-Fi hotspot for that specific device without granting it direct access to the router.

Creating a hotspot using a mobile phone is quick and easy; however, sometimes I prefer to use my laptop for that.

Please note that it is also very useful when there is no wireless connectivity around you and you need to transfer data between devices.


Creating a Wi-Fi hotspot in Linux

For ease of managing and creating this wireless network, this guide will use nmcli, a command-line tool for controlling NetworkManager.

Typically, a single-line command is all that is required to create the hotspot.

nmcli dev wifi hotspot ifname <device> ssid 'HelloWorld' password 'ChangeMe'

Here <device> is the name of the wireless device you want to share connectivity from. A neat command to obtain this name is:

$ nmcli dev

DEVICE          TYPE      STATE                   CONNECTION
wlp3s0          wifi      connected               HaveANiceDay
lo              loopback  connected (externally)  lo
wlp0s20f0u1     wifi      disconnected            --
p2p-dev-wlp3s0  wifi-p2p  disconnected            --
enp0s31f6       ethernet  unavailable             --

In the provided example, the device I’m looking for is wlp0s20f0u1, a USB Wi-Fi card.

After running the command above, you will most likely find the hotspot among the Wi-Fi networks around you.

But perhaps you might realise that you aren’t able to connect your devices to it. That’s probably thanks to strict (good) firewall rules.

Changing firewall rules

Not everyone will experience issues when connecting devices. For those who do, the problem is usually that the DHCP server is blocked, preventing the hotspot from assigning IP addresses to devices trying to connect.

Thankfully, with ufw (the Uncomplicated Firewall tool), we can very easily allow our hotspot to give out IPs. (Replace the interface name with the appropriate one.)

sudo ufw allow in on wlp0s20f0u1 proto udp to 0.0.0.0/0 port 67
sudo ufw allow in on wlp0s20f0u1 from 10.42.0.0/24 to 10.42.0.1 port 53

The first command is meant to allow the client (our devices) to have an IP address, as 67 is the DHCP port. The second command is for domain name resolution, as 53 is the DNS port.

Now, if you re-test, you should find that you are able to connect to the hotspot and have a proper connection to it.

Internet access through the hotspot

All of the commands above allow for a functioning wireless connection between the clients and the PC; however, they do not route internet access through the Wi-Fi connection.

This may be perceived as a feature when the sole purpose is SSH connectivity, sharing documents, or something similar. If that is your sole objective, you may even create a firewall rule to completely block routing (even though it may already be denied by the firewall rules by default).

sudo ufw route deny in on wlp0s20f0u1 out on wlp3s0

This command blocks routing from the interface the clients are connected to (wlp0s20f0u1) to the interface that is connected to the router (wlp3s0); once again, check the names with nmcli dev.

To allow internet access to be routed, only the following command is required:

sudo ufw route allow in on wlp0s20f0u1 out on wlp3s0 from 10.42.0.0/24 to any

Stop the hotspot

To simply stop the hotspot we can execute the command:

nmcli con down Hotspot

Please note that Hotspot corresponds to the name of the connection; you can verify yours with the command nmcli con show.

To bring the hotspot back to life, you can just run the command:

nmcli con up Hotspot

If you want to remove it from the system completely, you can run the command:

nmcli con del Hotspot

Bonus: View connected devices

We might want to check whether the number of connected devices corresponds to the expected one. A quick way to display MAC addresses, IPs, and connection status is the command ip neigh show. When an entry on the desired interface (wlp0s20f0u1) shows REACHABLE, we can confirm that the device at that IP is connected.
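
As an added example (not part of the original post), the shell functions below filter ip neigh show output down to the REACHABLE entries on the hotspot interface and list any client whose MAC is not on an allowlist. The function names, the allowlist and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit hotspot clients from `ip neigh show` output.

# Print "MAC IP" for every REACHABLE neighbour on interface $1.
# Reads `ip neigh show` output on stdin; the state is the last field and
# the MAC follows the "lladdr" keyword (absent on FAILED/INCOMPLETE rows).
reachable_clients() {
    awk -v ifc="$1" '
        $NF == "REACHABLE" {
            dev = ""; mac = ""
            for (i = 2; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "lladdr") mac = tolower($(i + 1))
            }
            if (dev == ifc && mac != "") print mac, $1
        }'
}

# Print reachable clients on interface $1 whose MAC is not in the
# space-separated allowlist $2. Exit status is 1 if any were found.
unexpected_clients() {
    reachable_clients "$1" | awk -v allow="$2" '
        BEGIN {
            n = split(tolower(allow), a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        !($1 in ok) { print; bad = 1 }
        END { exit bad + 0 }'
}

# Constructed sample in the format `ip neigh show` prints (not real hosts).
SAMPLE='10.42.0.23 dev wlp0s20f0u1 lladdr 02:00:00:aa:bb:01 REACHABLE
10.42.0.57 dev wlp0s20f0u1 lladdr 02:00:00:AA:BB:02 REACHABLE
10.42.0.99 dev wlp0s20f0u1 lladdr 02:00:00:aa:bb:03 STALE
10.42.0.12 dev wlp0s20f0u1 FAILED
192.168.1.1 dev wlp3s0 lladdr 02:00:00:cc:dd:01 REACHABLE'

# Live use (the allowlist value here is an assumed placeholder):
#   ip neigh show | unexpected_clients wlp0s20f0u1 "02:00:00:aa:bb:01"
```

A MAC allowlist is only a sanity check, since a client can change its MAC address; the hotspot password remains the actual access control.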
