Building an Evil-AP with TL-MR3020 – Part 1 – Setup

So, recently I got my hands on a cheap TP-Link TL-MR3020 and figured I could create an Evil-AP as a project.

Flashing OpenWRT
It ships with a firmware that makes it really easy to flash OpenWrt onto it. Check this for instructions on how to do this. Once flashed, you should be able to log in to the web page and set a root password; after that you’ll be able to SSH to the device as well.

Installing necessary packages
Next we need to install drivers for a USB flash drive, the filesystem and extroot. To do this, connect the TL-MR3020 to the internet, then SSH into the device (it should be root@ followed by the device’s address) and run the following to install the necessary packages.

opkg update
opkg install kmod-usb-storage scsi-generic kmod-fs-ext4 block-mount 

Now, plug in your USB flash drive and validate with dmesg that it is properly identified. I used an 8 GB drive but 4 GB is fine as well. Make sure the flash drive is formatted with ext4.

Some USB flash drives might cause trouble. For example, I got a bunch of USB flash drives from China and none of them work in the MR-3020, so I ended up using a drive from Sandisk. You can try installing kmod-usb-storage if you’re unable to get your flash drive to work, but that didn’t help me.

Configure extroot
Alright, time to configure the flash drive as our root partition with extroot. The flash drive has a single partition and the device should be listed as /dev/sda; however, confirm with dmesg (or however you like) that it is correct.

mkdir /mnt/usb
mkdir /tmp/extroot
mount /dev/sda1 /mnt/usb
mount --bind / /tmp/extroot
tar -C /tmp/extroot -cvf - . | tar -C /mnt/usb -xf -

After the tar command is done, it is time to update fstab to automount our flash drive upon boot. This is also a nice failsafe if you manage to break the install or lock yourself out of the device somehow. If that occurs, you can boot the MR-3020 without the flash drive and just redo the steps above. Or you can use dd (or similar) on another system to create an image of your flash drive!

Open /etc/config/fstab with vi and make your fstab look something like this.

config mount
     option target       /
     option device       /dev/sda1
     option fstype       ext4
     option options      rw,sync
     option enabled      1
     option enabled_fsck 0

Great. Now, reboot your device and SSH into it once again. Running df should confirm that you now have plenty of space to use.

Configuring the network
The idea is to create a wireless guest network on the MR-3020 and provide internet access through it. The internet access will be received through its ethernet port from my laptop running Linux.

[Figure: ap-setup-hw]
By using the built-in function in NM (NetworkManager) I’ll share its connection from the laptop to the MR-3020 with an ethernet cable. The laptop can be connected to another wireless network or perhaps a 3G/4G modem. Here’s a pretty picture that shows how easily it is done.

This will create the subnet and the laptop will receive the IP (you might want to make sure this is true in your case and/or set it up some other way). Now it’s time to configure the network on the MR-3020. SSH back into the device and make the following configuration changes. Do note that some of your settings might be different, and some will be, like your macaddr. But it should be pretty straightforward.

vi /etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr ''
    option netmask ''

config interface 'lan'
    option ifname 'eth0'
    option type 'bridge'
    option proto 'static'
    option netmask ''
    option ipaddr ''
    option gateway ''
    option dns ''

config interface 'guest'
    option proto 'static'
    option ipaddr ''
    option netmask ''


vi /etc/config/wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option macaddr '00:00:DE:AD:CO:DE'
    option hwmode '11ng'
    option htmode 'HT20'
    list ht_capab 'SHORT-GI-20'
    list ht_capab 'SHORT-GI-40'
    list ht_capab 'RX-STBC1'
    list ht_capab 'DSSS_CCK-40'
    option txpower '27'
    option country 'SE'
    option disabled '0'
    option channel '1'

config wifi-iface
    option ssid 'Free Cookies'
    option encryption 'none'
    option device 'radio0'
    option mode 'ap'
    option hidden '0'
    option network 'guest'


vi /etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'

config dhcp 'guest'
    option interface 'guest'
    option start '5'
    option limit '200'
    option leasetime '1h'
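
The three files above refer to each other by name: the wifi-iface and the dhcp pool both point at the 'guest' interface defined in /etc/config/network. The following check is an added example, not part of the original post; the function names and the sample values are made up for illustration. It flags references to undefined interfaces and a macaddr that is not six hex octets.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the UCI files edited above.
# uci_pairs FILE prints "type|section|option|value" for each config/option/list line.
uci_pairs() {
    awk -v q="'" '
        $1 == "config" { type = $2; name = $3; gsub("[" q "\"]", "", name)
                         print type "|" name "||"; next }
        $1 == "option" || $1 == "list" {
            val = $0
            sub(/^[ \t]*[a-z]+[ \t]+[^ \t]+[ \t]*/, "", val)  # drop keyword and key
            gsub("[" q "\"]", "", val)                          # drop the quotes
            print type "|" name "|" $2 "|" val
        }' "$1"
}

# lint_ap_config DIR checks DIR/network, DIR/wireless and DIR/dhcp; one finding per line.
lint_ap_config() {
    ifaces=$(uci_pairs "$1/network" | awk -F'|' '$1 == "interface" && $3 == "" { print $2 }')
    {
        uci_pairs "$1/wireless" | awk -F'|' '$1 == "wifi-iface" && $3 == "network" { print "wireless|" $4 }'
        uci_pairs "$1/dhcp" | awk -F'|' '$1 == "dhcp" && $3 == "interface" { print "dhcp|" $4 }'
    } | while IFS='|' read -r file ref; do
        echo "$ifaces" | grep -qxF -- "$ref" ||
            echo "$file: interface '$ref' is not defined in network"
    done
    uci_pairs "$1/wireless" | awk -F'|' '$3 == "macaddr" {
        n = split($4, o, ":"); bad = (n != 6)
        for (i = 1; i <= n; i++) if (o[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) bad = 1
        if (bad) print "wireless: macaddr " $4 " is not six hex octets" }'
}

# Constructed sample with two deliberate mistakes (hypothetical values).
write_sample() {
    mkdir -p "$1"
    printf "config interface 'lan'\n\toption ifname 'eth0'\nconfig interface 'guest'\n\toption proto 'static'\n" > "$1/network"
    printf "config wifi-device 'radio0'\n\toption macaddr 'CO:FF:EE:00:00:01'\nconfig wifi-iface\n\toption ssid 'Lab AP'\n\toption network 'guest'\n" > "$1/wireless"
    printf "config dhcp 'lan'\n\toption interface 'lan'\nconfig dhcp 'guest'\n\toption interface 'guests'\n" > "$1/dhcp"
}

sample=$(mktemp -d)
write_sample "$sample"
lint_ap_config "$sample"
```

On the device, `lint_ap_config /etc/config` runs the same checks against the live files; no output means every reference resolves.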

Now we’ll restart the network and the dhcp daemon.

root@OpenWrt:~# /etc/init.d/network restart && /etc/init.d/dnsmasq restart
Configuration file: /var/run/hostapd-phy0.conf
Using interface wlan0 with hwaddr 00:00:DE:AD:CO:DE and ssid "Free Cookies"
command failed: Invalid argument (-22)

Don’t mind the error; afaik, it’s harmless. Now, the network should be available and we’re almost done with the initial setup.

To allow access to the internet we need to perform some actions on the Linux laptop. We need to add a route to the guest network and use iptables to NAT. If you don’t have iptables installed, this is a good time to install it :). Now, replace (if needed) wlp3s0 with your laptop’s wireless interface and enp0s25 with your ethernet interface.

route add -net gw
iptables --flush
iptables -t nat -A POSTROUTING -o wlp3s0 -j MASQUERADE
iptables -A FORWARD -i wlp3s0 -o enp0s25 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp0s25 -o wlp3s0 -j ACCEPT

That should be it! Connect to the wireless network “Free Cookies” and make sure you can reach the internet.

Next part
We’ll start looking at the more fun parts! :)
You can find part 2 (setup of Captive Portal) here.