Guest Wi-Pi

Get your PAs off your home network


Guests, PAs and carers want access to your Wi-Fi but that can intrude on your privacy.


Make a Raspberry Pi into a Guest Wifi point open to all, but separate from your network.



So you have lots of different people coming into your house, a lot of whom you don’t know and might never see again, and who all want to use the Internet. You’re fine with them using the Internet but maybe don’t want them to access all of your private computers and data. Using a Raspberry Pi, a cheap sort of computer costing about £30, you can build a Guest Wi-Fi access point specifically for those one-time PAs and carers and so on.

Step Awesome. This Is What Success Looks like

The video you can see below is every command contained within this post, I’ve followed along with it twice and come up with a working access point each time. You can, if you wish, either read the post in its entirety so you can understand what each command is doing or you can watch the video and simply copy and paste each of the commands directly from the video itself into your Terminal. Yes, you can copy and paste directly from this video, it’s a very cool feature of Asciinema, which is what I’m using to record my terminal session. Here’s a link to all of my terminal recordings

You could even watch the video then read the post, you crazy cat, you!


Step Zero. Using a Mac

This guide was written using a Mac laptop running OS X, so all of the tools you’ll see me using are for the Mac. However, as long as you have access to a Terminal Emulator you will be able to complete this tutorial. Every flavour of Linux comes with a Terminal built-in and Windows users can download PUTTY to get a decent Commandline experience. All of the commands that we will run on the Raspberry Pi are the same no matter what laptop or desktop you are using locally, but I really would get yourself a Mac if you can, especially if you’re disabled.

I use Apple laptops because after trying multiple Operating Systems over the years Apple offers quadriplegics and disabled people in general the best and easiest out-of-the-box experience by far, they really are world leaders in providing tools for people with severe motor skills disabilities. You are not confined to a subset of the operating system provided by some rubbish “accessibility” setting, rather you can access all of the OS on either OS X or iOS. This is why I use them, if I found somebody else who did the job better I would switch in a heartbeat.

I know this sounds like an advert for Apple but I’m speaking from direct personals experience and have found them to be incredibly reliable and robust which means they don’t crash and I can rely on them to run critical parts of my house infrastructure, such as my front door, heating and lighting.

Step One. Gathering your Materials

The step involves foraging on the Internet for all the pieces and parts you’ll need to assemble your guest Wi-Fi access point (Access Point from here on), they are readily available and not very expensive.

I used a Raspberry Pi 3 Model B because it’s the most powerful Pi. That’s it, no bigger reason, it had the biggest numbers on the specs sheet when I looked at which Raspberry Pi to buy. To be perfectly honest I didn’t even notice that it had on-board Wi-Fi until it arrived, the reason I’m not using the on-board Wi-Fi and instead using a USB Wi-Fi dongle for this tutorial is that I found that if more than one or two people is connected to the Access Point at any given time everything slows to a crawl. But honestly pretty much any of the Raspberry Pis will do the job.

If it’s only going to be one person at a time connected to the access point then you could easily get away with using the on-board Wi-Fi. The instructions are the same whether you use the Wi-Fi dongle or not, the only difference being that anywhere in the instructions that you see the word wlan1 just replace it with wlan0 to use the on-board Wi-Fi.

Total Cost: £55.64 English Pounds and Pence! Well worth the price for your privacy I think. You can easily shave off some of that price by getting an even cheaper case than I did or not using a case at all, and you could obviously buy a cheaper Raspberry Pi with lower numbers on the specs sheet (eww). But whatever you do, don’t skimp on the SD Card and the power cable, it’s just not worth the hassle. Those are two of the things you definitely don’t want to fail, and when I bought cheap versions of the SD Cards or power cable they have failed on me pretty quickly.

Step Two. Assemble all of your pieces and parts

Check out this make for how to build a Raspberry Pi. It’s easy but you will need hands. In the end you’ll have your Raspberry Pi in a case, connected to power and your home network using an ethernet cable.

I will wait here while you go and do that.

Step Three. Find the Raspberry Pi!

Now that you’ve assembled and plugged in your Raspberry Pi, it will power up and grab itself an IP Address from your home router. We need to track down that IP address before we can connect to our brand-new Raspberry Pi.

There are many many ways to find out the IP address of your new raspberry. You can download a program that will scan your network or you could use various different Terminal applications. I’ll show you one example of each:

For ease-of-use on OS X, I recommend downloading the very excellent wake on lan. Install it in the usual manner, open it up and select Scan Local Networks… From the Hosts menu. After a few seconds you will see something like the picture below, this is a list of all of the devices running on your local network and one of them should have the Hostname raspberrypi, this is the device we are looking for (obviously!”. You will now have the Hostname (raspberrypi), IP address which in this case is and the MAC Address of your new raspberry.

Wake on LAN

If you have arp installed your local machine and know where/what the Terminal is then the following command might be useful:

Using ARP to Find Our Raspberry Pi

arp -a | grep b8:27:eb | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

I’ve had good luck with this command, but for some reason it occasionally won’t find any of the eight or nine Raspberry Pis on my network. I have no idea why this is the case but it usually works. If this command does work for you, you will get back the IP address of any Raspberry Pi on your local network, I’m assuming this is your first Raspberry Pi so you should only get back one IP address and this is the one you need.

This command works because the clever folks at the Raspberry Pi Foundation gave every Raspberry Pi the same first three octets in their MAC Address, namely b8:27:eb. So the command above breaks down into the following parts written out in plain English:

  1. Output a list of everything on my network
  2. Look through that list for any MAC address that begins with b8:27:eb
  3. From this much smaller list, output each device showing only its IP Address

Arp Raspberry Pi Finding Command

Step Four. The Terminal

Now we get to the good stuff! Navigate your way to /Applications/Utilities in the Finder and open up the Terminal application. This is not the only way to open the Terminal as you can also use Spotlight, Alfred or even some other magic I’m not aware of. It doesn’t really matter how you do it, what matters is that you end up with a command line interface in a window that looks something like the one below. Yours should be identical except for where mine says server:~test$, yours will reflect the name of your computer and user account.

The Terminal

Step Five. Generate SSH Keys and Upload Them

If you already know what ssh keys are and have an ssh key pair on your local machine already, please skip to Step Six: Logging into your Raspberry Pi.

For the rest of you, don’t worry: it’s dead easy to quickly generate an ssh key pair so that we can securely login to our Raspberry Pi without having to type the password every time we want to login.

We are going to generate some nice and secure ssh keys with the following command:

Generating SSH Keys

ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa

Generate Strong Keys

There is some debate about whether to use a password with your keys. If your threat model involves skilled hackers or nationstate adversaries than I would advise you to use a password and/or get some different adversaries. But in this case we’re going to leave it blank and just press enter.

First Password Request

You will be asked to enter the passphrase again, just press enter again.

Second Password Request

After a little while you will see the following screen meaning everything was successful. The time this takes varies by how powerful your Raspberry Pi is: more powerful = less time to generate keys.

Successful Key Generation

Next we need to upload the Public Key part of our ssh key pair to our remote Raspberry Pi so that the Raspberry Pi will recognise us each time we want to login. Again, there are many ways to get your Public Key on to a remote server including dedicated pieces of software, but this one command will do everything for you. It will:

  1. Get the contents of your Public Key file
  2. Pass the contents of the Public Key to the ssh command
  3. The ssh command then logs into our remote Raspberry Pi
  4. We then create a new folder at ~/.ssh/ on our Raspberry Pi
  5. We now create the file authorized_keys to hold the keys this Pi knows about
  6. The contents of our Public Key file from the first part of this command will be appended to the authorized_keys file so we can login without our password in future

You will be asked for a password the first time you run this command. The default password for every Raspberry Pi is raspberry

NOTE: English people take note of the z in the word authorized, it has to be spelt with a Z !

Upload our Public Key to the Raspberry Pi

cat ~/.ssh/ | (ssh pi@ "mkdir ~/.ssh/ && touch ~/.ssh/authorized_keys && cat >> ~/.ssh/authorized_keys")

Upload Keys

The first time you give this command you will see what looks like a pretty scary message, but it isn’t! All the message is telling you is that the Raspberry Pi hasn’t seen your ssh key before and are you sure you want to accept it before you carry on the login process. If you get this message without expecting it, somebody could be trying to monkey about with the connection between you and your Raspberry Pi so pay attention to these warnings. In this case we obviously want to type the word yes and press enter.

scary message

You will be asked for the password of your Raspberry Pi, the default is raspberry. Type in the password and press enter.

Password prompt

If all goes well you will see the following screen showing that your public key has been successfully uploaded to the home folder of your remote Raspberry Pi:

Upload Successful


Step Six. Logging into your Raspberry Pi

Armed with the IP address we discovered earlier (, we are going to type the following command into our Terminal and do what is colloquially known as ssh’ing into a remote box. Because we uploaded our ssh key earlier, we won’t be asked for a password and will be logged straight in like a proper h4ck3r! :P

Login to your Raspberry Pi

ssh pi@

SSH into your Raspberry Pi


Step Seven. Making sure your Wi-Fi Dongle is Detected

We won’t be using the internal Wi-Fi card that comes with the Raspberry Pi 3 because it doesn’t quite do what we want. This means we need to check that our Wi-Fi dongle has been successfully recognised and loaded by our Raspberry Pi.

This is very easy to do, and involves this simple command:

Checking Our Wi-Fi Dongle Is Working Properly

ifconfig -a

The output will probably scroll off the top of the screen but you can scroll back up to have a look at all the network interfaces. The one we want will almost certainly be at the bottom of the list.

Checking for Wi-Fi Dongle

As you can see we have four network connections on our Raspberry Pi:

  • eth0 - This is your Ethernet connection.
  • lo - This is the loopback interface.
  • wlan0 - This is the on-board Wi-Fi.
  • wlan1 - This is our Wi-Fi dongle, success!

If you don’t use the Raspberry Pi 3 but instead use an earlier version of the Raspberry Pi which doesn’t come with on-board Wi-Fi, your Wi-Fi dongle will show up as wlan0 rather than wlan1 in this list. If that’s the case, everywhere you see wlan1 in this guide, replace it for wlan0.


Step Seven Point One. Check Your Pi Is Connected to the Internet

This one is a simple one, we’re going to use the tool ping to connect to a server on the Internet that is almost always up and awake, in this case we’re going to ping Google’s DNS servers.

The command you need to type into your command prompt is:

Ping Google’s DNS Servers

ping -c 10

This will send 10 network packets to Google’s DNS servers, these packets basically just ask for a simple response and the time it takes for those individual packets to do a round trip from our machine to googles and back again is measured. The part of the command that says -c 10 denotes that we only want to send 10 packets.

Ping Google


Step Eight. Clearing the Decks

I’m generally in the habit of typing the word clear before starting any new task in the Terminal. This is in no way essential or required but I find it helps me cut down on mistakes as each new task starts with a clean Terminal window. If you want to keep your Terminal all littered up with old commands like a slobby slob then that’s your business, frankly. (If you do, it won’t affect the outcome of this tutorial!)

A Nice Clean Terminal

Step Nine. Initial Housekeeping Tasks

Every new Raspberry Pi is a blank slate, there are certain tasks that need doing before you can get going with the project at hand. Now these tasks can be a matter of opinion and you will hear lots of advice from lots of different places, but I think the following three housekeeping tasks should be done on every new Raspberry Pi. I’m happy to be corrected on these, if anybody wants to chime in!

Updating the Kernel Firmware

Firstly I always check that I’ve got the latest Kernel or firmware for my version of the Raspberry Pi. As far as I understand it the terms kernel and firmware are interchangeable although I may have misunderstood this. This is what the Ubuntu Wiki has to say, and here is a Wikipedia article about firmware so that you can make your own mind up and hopefully correct me if I’m wrong.

Anyway, if you’re not already logged in, login with the command:

Login to your Raspberry Pi

ssh pi@

The software that checks and updates your kernel firmware is called rpi-update. We need to first check that it is installed by running the command:

Check to See If RPI-Update Is Installed

sudo apt-get install rpi-update

If rpi-update is already installed your Raspberry Pi will tell you so. If it isn’t installed then agree to the installation when prompted.

Once you issue the following command it may take a little while to run, possibly enough time to make a cup of coffee but YMMV. Anyway, the command is:

Running RPi-Update

sudo rpi-update

Start Firmware Update

To finalise the kernel update process, you need to reboot your Raspberry Pi with this command:

Reboot your Raspberry Pi

sudo reboot

Reboot after Firmware Update Finishes

You’ll then be logged out of your Raspberry Pi and you’ll see something like the image below whilst it reboots. Wait twenty or thirty seconds or so before you try logging in again.


This is what it looks like if you install the software and your firmware needs updating:

This is what it will look like if you install the software but your firmware is already up to date:

Running Raspi-Config

The next housekeeping task you should always carry out is to run the command sudo raspi-config on your new Raspberry Pi. You can see me doing it on the video at the beginning of this post. This is undeniably an essential task.

when the Raspberry Pi has rebooted log back in with:

Login to your Raspberry Pi

ssh pi@

And then run:

Running Raspi-Config

sudo raspi-config

After you invoke the command you need to know how to move around the menus that will appear in your terminal; you won’t be able to use your mouse. The up ↑ and down ↓ arrow keys will move you up and down the menu and when you reach the option you want, it will be highlighted in red. At this point you press enter/return ↩ key to select the option. You can use the tab ⇥ key to select options within these menus. Don’t worry about it now; it will become obvious as we go through the process.

These are the options I normally choose:

  1. Select the Expand Filesystem option, then select Ok on the next page
  2. Select the Change User Password option and choose a secure password
  3. Select the Advanced Options option and press enter which will drop you into a submenu
  4. From this submenu Choose the Hostname option, and change the Hostname to taste, pressing enter to confirm your selection.
  5. You will then be dropped back to the main menu, from there you need to select the Advanced Options menu again to be dropped back into the same submenu.
  6. This time we want to select the Memory Split option and change it from 64 to 16.
  7. Here we are again back at the main menu but we need to be in the Advanced Options menu, so you know what to do.
  8. Once in the right submenu, select the SSH option and press the tab key to select the Yes option if it is not already highlighted to enable the SSH server.
  9. This time when we are dropped into the main menu we can hit the tab key to select the word and you will be offered the option to reboot the machine. Agree to this and your Raspberry Pi will automatically reboot.
  10. Video:

Note: you will see me select No on the very last step when asked if I want to reboot the machine, I had to do this so that I could record the Terminal screen cast. You would obviously select Yes at that point.

Set the Timezone

After the reboot, and just to make sure that you are in the right time zone, run the following command and set it to the correct time. This one isn’t totally essential, but I think there are some programs that rely on accurate timings, so it’s something I’ve got into the habit of doing:

Setting the Correct Time Zone

sudo dpkg-reconfigure tzdata

Select the area of the world you are in from the first screen, then I pressed the letter L because I wanted to get to London as quickly as possible and didn’t want to press the Down Arrow ↓ 14.2 million times to get all the way down the list!

Obviously, if you live in Azerbaijan, you would press the letter A.


Step Ten. Updating and Upgrading your Raspberry Pi

Log back into your Raspberry Pi with ssh pi@ and when fully logged in we are going to update and upgrade the Operating System on our Raspberry Pi. It’s a good idea to do this regularly and before starting any major new project, as the command:

Update & Upgrade the OS

sudo apt-get update && sudo apt-get upgrade 

Update and Upgrade

After much scrolling of text you will be asked the question: Do you want to continue? [Y/n] like this:

Do you want to continue

In this case you will almost certainly want to agree to the update and upgrade, so just type the uppercase letter Y and then press enter. Top tip: whenever you’re presented with this option in the Terminal, pressing enter without typing a letter will automatically select whichever letter is in uppercase. So pressing enter in this case [Y/n] means that you want to continue whereas if you see [y/N] and just press enter you will decline to continue and be dropped back into a command prompt that will look something like this: pi@raspberrypi.


Step Eleven. Install Hostapd and DHCP Server

Finally we reach the point where we can start building our Access Point! When the update and upgrade text finishes and you are returned to your command prompt you can start installing software.

This next command will install hostapd and isc-dhcp-server, the first will control connections to the Access Point and the second will hand out IP addresses to any device that connects to our new Access Point.

Install Hostapd and DHCP Server

sudo apt-get install hostapd isc-dhcp-server

You will be presented with the Do you want to continue? [Y/n] option when you’re in this command and you will obviously want to say yes.

Install Hostapd and isc-dhcp-server


Step Twelve. Install iptables-persistent

Next we want to install iptables-persistent. This program is going to help us setup the firewall rules that will tell the access point that when somebody connects to the Wi-Fi antenna their request should be redirected to the ethernet adapter, and from there out onto the Internet. In fact, iptables are already installed, this application just makes it much easier to save them so they survive across reboots. The you command will need is:

Install iptables-persistent

sudo apt-get install iptables-persistent

install iptables-persistent

After selecting yes and pressing enter you will be met with an interstitial window asking whether you’d like to save the current IPv4 firewall rules, press enter to select the <Yes> option:

Save IPv4 Rules

That done, you will be asked if you want to save the current IPv6 firewall rules, press enter again to select the <Yes> option:

Save IPv6 Rules

You will be dropped back into a command prompt where you should type clear so your Terminal isn’t too crowded and end up with this image:

A Clear Terminal


Step Thirteen. Configuring the DHCP Server

The DHCP Server is the software responsible for handing out IP addresses to any new device that connects to your Access Point, without an IP address the devices won’t be able to connect to the Internet so it’s a fairly vital piece of software! No worries though, it’s dead easy to configure!

We are going to use a text editor embedded into the Terminal called nano, it’s just like any other text editor you could use like Notepad on Windows or TextEdit on the Mac except that it’s inside the Terminal. All of the instructions on how to use nano are at the bottom of the screen when it is active meaning you don’t need to remember 1001 arcane commands to simply write a text document.

The command we need to use to edit the file /etc/dhcp/dhcpd.conf is:

Editing dhcpd.conf

sudo nano /etc/dhcp/dhcpd.conf

Opening Config File in Nano

After you press enter you will be greeted with the nano interface with loads of text filling the window which probably looks terrifying if you’ve never used a Terminal text editor before, but don’t worry, I am right here with you!

Configuring DHCP Server

We are going to use a process called “commenting in” and “commenting out”, this basically means that we are going to input a # at the beginning of a line to comment out something, or remove the # from the beginning of a line to comment it in. This means that when the computer goes to use this particular configuration file it ignores every line that begins with a #, so if we don’t want something to be run when the software runs we simply add a # to the beginning of that particular line.

Commenting Out Domain Names

option domain-name "";
option domain-name-servers,;

and change them to add a # in the beginning so they say

#option domain-name "";
#option domain-name-servers,;

Commenting out Domain Name Servers

Next we need to comment in the instruction to make our Wi-Fi access point the authoritative DHCP server for any device that connects to it. All we need to do to make that happen is to find the following line by pressing page down once usually:

Commenting In the Authoritative Command


And remove the # from in front of it so that it looks like this:


Commenting in DHCP Authoritative

Move down to the end of the file by repeatedly pressing page down until you see the following:

Bottom of the DHCPD File

Now we need to give the DHCP server instructions about which IP range it should use when handing out IP addresses, this basically means telling it to use one of a few different IP ranges. I’ve chosen the range because my home network uses the IP range It may be that your home network uses the IP range for all of your personal devices already, if that’s the case simply replace everything below that begins with 172.16.0. with 192.168.0. or you have the option of using the 10.0.0. range as well, so you have three IP ranges to choose from in total.

If you go back up to Step Ten, and look at the first declaration for the connection eth0 you will be able to see which IP address my device received via DHCP from my router. In this instance it was, which means the IP address range on my network is hence my using for this project.

Copy and paste the code below into the bottom of the file, the image below will show what you should see:

DHCP Settings

subnet netmask {
  option broadcast-address;
  option routers;
  default-lease-time 3600;
  max-lease-time 3600;
  option domain-name "local";
  option domain-name-servers,;

Entering DHCP Settings

Now we need to quit out of the nano text editor, we do this by holding down the control key and pressing the letter X. You will notice that nano will ask you if you want to save the modified buffer, you definitely want to do this so press the letter Y and then press enter.

Exiting Nano

You will now notice that the text at the bottom of the screen has changed and says “File Name to Write: /etc/dhcp/dhcpd.conf”. This is nano asking if this is the filename you would like to use for the file you’ve been working on, this is the name of the file we want so we simply press enter

DHCP consideration instructions

We are then dropped back into a nice clean terminal after pressing enter.

DHCP Server Configured

We now need to tell the DHCP Server which wireless interface we want to use, we have a couple to choose from, namely wlan0 and wlan1. Because this is a Raspberry Pi 3 and has its on-board Wi-Fi designated as wlan0, we are going to choose our Wi-Fi dongle which is designated wlan1.

We’re going to edit the file with nano again so use the following command to open up the appropriate configuration file which is /etc/default/isc-dhcp-server:

Tell DHCP Which Interface to Use

sudo nano /etc/default/isc-dhcp-server

Another DHCP Configuration File

Nano will open with the another DHCP server configurations file for us, in this file we need to tell the DHCP server which wireless device we want to use, in this case we want to use wlan1.

Opened Configuration File

Press page down until you see the line that begins with::


Wireless Interface Option

And then we update it so it looks like this:


Wireless Interface Option Selected

That done we need to the exit out of the nano text editor which as we remember from before is done by holding down the control key and pressing X, selecting the letter Y and then pressing enter.

Quitting Nano

We are then asked if we want to write to the file called "/etc/default/isc-dhcp-server", and as this is the file we’ve been working on we can simply press enter.

Selecting The Correct Filename

Back where we began!

Back Where We Began

Step Fourteen. Give Our Wireless Interface A Static IP Address

Type the word clear and we will end up with a nice clean terminal again.

Clear Terminal

Just in case our wireless interface is active, we are going to shut it down. This isn’t strictly necessary but it won’t hurt and is good practice to turn things off before you start fiddling with them. The command is:

Take down Our Wireless Interface

sudo ifdown wlan1

Turn Off wlan1

Now we need to open the configuration file that controls all of the network interfaces on our Raspberry Pi, this file resides at /etc/network/interfaces, so to edit it with the nano text editor we need to use the command:

Edit Network Interfaces File

sudo nano /etc/network/interfaces

open Network Interfaces Config File

At the bottom of the file that opens you will see the following code:

allow-hotplug wlan0
iface wlan0 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

allow-hotplug wlan1
iface wlan1 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Network Interfaces File before change

As you can see it doesn’t have any #’s before it so that when your Raspberry Pi looks at that file it carries out those instructions, so we need to do as we did before and comment out the six lines by putting a # at the beginning of each one of them so that it ends up looking like this:

#allow-hotplug wlan0
#iface wlan0 inet manual
#    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

#allow-hotplug wlan1
#iface wlan1 inet manual
#    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Network Interfaces File After Change

Press the page down key to get to the end of the file and add the following code, this code tells the interface wlan1 that it is not to get an IP address from our home router, that it is to have a static IP, and that static IP is to be

Set Static IP Address

allow-hotplug wlan1
iface wlan1 inet static

(be aware you don’t have any tabs in this file, the first time I tried this I used the tab key to indent the lines that begin with the word address and netmask, this is caused the whole thing to fail and I couldn’t connect to the Wi-Fi access point at all. I spent a very annoying hour chasing that one down!)

Code to assign Static IP Address to wlan1

We know how to exit out of nano now, we hit control x, press the letter Y, then press enter

Hit Control X And Pressed the Y

Here we hit enter to agree that we want to change the file named “/etc/network/interfaces”:

Agree to the File Name Change

And we are back at the clean terminal.

Back in a Clean Terminal

Instead of waiting, let’s assign that static IP address to the wireless interface immediately with the command:

Setting a Static IP Address Immediately

sudo ifconfig wlan1

Assign Static IP Address to wlan1

You won’t get any feedback if this was successful, you will just be dropped into your normal command prompt at the Terminal like this:

Back in the Terminal


Step Fifteen. Configuring Hostapd

DHCP sorted, we now need to configure a piece of software called hostapd. This software helps you to configure things like the name of your Wi-Fi access point, the password, the wireless interface to use and a number of of the things.

As this is a fresh install a configurations file for hostapd doesn’t exist yet, we can create one with the help of our new friend nano the text editor. This is the command you will need:

Editing Hostapd Config File

sudo nano /etc/hostapd/hostapd.conf

Create hostapd configurations file

After you press enter you will be presented with a blank file in the nano text editor, DON’T PANIC!! I know some of you out there are afraid of a clean blank piece of paper and don’t know what to do with one, but never fear, we know what we’re doing and there is nothing to fear from a blank config file which will look like this:

Blank hostapd configuration file

Copy and paste this code into the blank nano text editor window, below the code you will find a list of things you need to be aware of and change, pay attention to them! Also be aware that this particular configurations file is sensitive to unwanted spaces at the beginning and end of each line, so be aware of that and make sure there aren’t any.

Hostapd Config Options

# This is the wireless interface we are going to be using
# If we have connection issues, the next line will be important
# driver=rtl871xdrv
# The name of our wi-fi network, puns are obviously best
# Change this line immediately and create a secure password

This is a list of things you need to change in the code above in order of importance:

  1. Change everything after the = on the line that begins wpa_passphrase= to a more secure password. You can technically stop here and everything should work perfectly, but you might want to change a couple of things so if that’s the case, read on Macduff!
  2. If you want to change the Wi-Fi access point name, change everything after the = on the line that begins ssid= to reflect your new access point name. If you want to call your access point Winterfell, your line would look like this ssid=Winterfell.
  3. This probably won’t come up, but if you have connection issues you may need to change the line driver=nl80211, but we will cover that later.

Modify hostapd configurations file to taste

I’m so confident that you know how to exit nano that I’m not going to give you the specific instructions, just do the necessary and get yourself to the next step. 1

Exiting nano

Excellent, I knew you could do it! Since we are creating the new file called hostapd.conf in the location /etc/hostapd/, what we can see in the image below is correct and all we need to do is press enter to create the new file.

Saving the hostapd config file

Another job down and we’re back to our favourite command prompt!

Back to the Prompt


Step Fifteen Point One: Tell hostapd Where the DHCP Configuration File Is

Hostapd needs to know where its configuration file lives, we do this with the following command:

Edit Hostapd File

sudo nano /etc/default/hostapd

Open hostapd file

Near the top of the file you will find a line that begins: #DAEMON_CONF=”“, this is the one we are going to change.

Finding the appropriate line to change

Like we did in an earlier step we want the computer to take notice of this line when it runs this file, so we first remove the # at the beginning of the line so the whole line eventually ends up looking like this:


Location of hostapd file

Let’s exit nano.

Exiting nano

Agreeing to the file name.

Agreeing to the file name

Likewise we need to tell the file /etc/init.d/hostapd where to find the configuration file with the command:

Edit init Hostapd File

sudo nano /etc/init.d/hostapd 

Where is hostapd config file

Find the line:


Find the line

And change it to:


Change the line successfully

Exiting nano.

Exiting nano

Agreeing to the filename.

Agreeing to the filename

Back to the command line!

Back at the command prompt


Step Sixteen. Configuring NAT

Configuring Network Address Translation (NAT) is the software that allows multiple devices to connect to the Access Point at once, this means that you can connect your mobile phone, laptop and tablet to the Access Point all at the same time. You should do this even if you only plan to connect to the Access Point with one device only:

Configuring NAT

sudo nano /etc/sysctl.conf

Opening sysctl configurations

This is what the file will look like when you first open it:

opening file

keep hitting the page down key until you reached bottom of the file which looks like this:

Bottom of file

On a new line at the bottom of that file add the following line:


Adding forwarding

we now need to exit nano Exiting nano

Agree to the filename

Agree to the filename

Now that we’ve saved that configuration file, IP forwarding will be automatically started every time the Raspberry Pi reboots, bonus! And here we are again back at the prompt:

Back at the prompt

For those Type-A monsters amongst you, you can start IP forwarding immediately with the following command in your Terminal:

Activate IP Forwarding Immediately

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

Activating IP forwarding immediately

Let’s let our tidiness get the better of us and breakout the clear command so that things don’t get too confusing in to the Terminal:

Clear the decks


IPTables Rules

IPTables rules govern what happens to packets when they arrive at a particular network interface. The following rules will tell packets that arrive at the wireless interface (wlan1) to be redirected to the ethernet interface (eth0) meaning your guests get lovely lovely Internet.

There are three separate commands below each beginning with the word sudo, each one of these commands is a new firewall rule. Input each line one at a time and then press Enter ⌤ before moving onto the next command, you will hopefully end up with a Terminal looks something like this:

Inputting Firewall Rules

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
sudo iptables -A FORWARD -i wlan1 -o eth0 -j ACCEPT

IP table rules

If you want to scratch that itch and verify that your NAT firewall settings are correct you can use the following command:

Verifying NAT Firewall Rules

sudo iptables -t nat -S

Nat IP tables

Which will give you the following output:

Nat IP table output

To verify all of your IPTables rules, use following command:

Verify All Firewall Rules

sudo iptables -S

all IP tables

With the following output shown below:

All IP tables output

The iptables-persistent tool that we installed all those many moons ago is going to help us have our IPTables rules start properly each time we boot the Raspberry Pi.

To do so use the following command:

Save Firewall Rules

sudo netfilter-persistent save

Clear the decks


Step Seventeen. Are We There yet?!

Okay, assuming that everything went well it’s time to set up our access point so that all the software becomes a daemon, demonised if you will! This means we are going to use a process called systemd which will automatically turn on and keep running all of the software needed to keep our Access Point happy:

Firstly let’s reload the services on the Raspberry Pi:

Reload All Services

sudo systemctl daemon-reload

Reloading system services

Enabling Hostapd so that it starts at boot:

Enabling Hostapd To Start at Boot

sudo systemctl enable hostapd.service

enable hostapd

Let’s start hostapd:

Start Hostapd

sudo systemctl start hostapd

starting hostapd

Now let’s check its status, the words you’re looking for are active (exited) in the colour green:

Check Hostapd Status

sudo systemctl status hostapd

Hostapd status

Enabling DHCP Server to Start at Boot

sudo systemctl enable isc-dhcp-server.service

enabled DHCP

Start DHCP server:

Start the DHCP Server

sudo systemctl start isc-dhcp-server

starting DHCP server

Checking status of DHCP server, again you’re looking for the words “active (running)” in the colour green:

Check the Status of the DHCP Server

sudo systemctl status isc-dhcp-server

DHCP status


Step Eighteen. All Done!

You should reboot at this point and see if everything is working by connecting to your new Wi-Fi access point called “Wi-Pi”, this is what it looks like on my iPhone when I connect for the first time. I’ve included a couple of videos and some pictures, just so you get the full Connecting Experience™!:

Here we can see that Wi-Pi has shown up in the list of available Wi-Fi networks. Next you need to put in your super secure password from Step Eighteen, then click join. Hopefully you should be returned back to your list of available Wi-Fi access points, only this time Wi-Pi will be at the top of the list with the little blue tick next to it; this means you’ve got a successful connection.

wi-pi is available Putting in the password Successful connection

Troubleshooting (hopefully not needed!)

If this procedure is a successful is only a few things that could be wrong, and they are fairly easy to check for. Here’s a list of things you could try although YMMV obviously:

  1. Comment out the line: driver=nl80211 in configuration file in step eighteen, and comment IN the line # driver=rtl871xdrv by removing the #beginning of the line. This might be because you are using the internal Wi-Fi of the Raspberry Pi, if so this should fix it.
  2. It’s also possible that you might be using a chipset that requires you to download and compile a different version of hostapd to get everything working. Luckily the awesome folks over at Adafruit have provided instructions on just how to do that here
  3. If you want to find out whet version OS kernal you are using, use the command uname -a and if the result is anything below 4.4.13-v7 then you should follow the instructions in the second step of this list

If you can’t connect to your access point at all then it’s probably something to do with hostapd, so go over the steps again carefully just to make sure you have not made any typos. If you haven’t, try compiling the version of hostapd that the folks at Adafruit have provided and mentioned above to see if that helps.

If it looks like your device has successfully connected to your new access point, you can easily check it by using the ping command we used earlier to ping Google:

ping -c 10

Where is the IP address of the access point, if you’re successful you’ll see something like this:

Pinging the access point

If that was successful best try something a little further afield, we can ping Google’s DNS servers which are pretty much guaranteed to be available when you need them with:

ping -c 10

Pinged in Google DNS

If you could ping the access point but couldn’t get through to Google then there is almost certainly something wrong with the DHCP configurations or the NAT configuration, go through the steps carefully again and make sure there are no mistakes, it’s probably just a straight character. :-)

Lastly we should check DNS servers are working, they probably will be if you’ve got this far but to do that we should just pick any website on the Internet and ping it and hopefully see successful things like we did when pinging the access point. Let’s one of the best sites on the Internet to check our DNS configurations with:

ping -c 10

Pinging to test DNS

If that works, congratulations you are up and running!

  1. Or, you know, you could just scroll up and have a look.