Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Hello 👀

Black cat in a packaging box

This is the home of a collection of open-source networking software written in Rust.

More specifically, the current projects are:

  • Antennas: Raspberry Pi wifi router
  • Toe Beans: DHCPv4 library, client, and server
  • inherface: Get network interface data
  • wpa_passphrase: Rust rewrite of the wpa_passphrase program written for wpa_supplicant

Use the menu in the top-left or the arrows at the bottom of the page to see more.

Antennas

black cat with wifi signal coming from its antenna ears

This application turns your Raspberry Pi 4b or 5 into a wireless router.

Warning

Antennas makes no assumption about the locality of where it is used and may or may not satisfy the wireless regulations of the area you live.

Getting Started

Hardware

Below is the recommended hardware. All links to products are not sponsored, affiliate links, or make me money in any way.

HardwarePi 4bPi 5RequiredNotes
Raspberry PiPi 4b 2GBPi 5 2GBYes
Power Supply15W15W or 27WYesThird-party power supplies are not recommended.
MicroSD CardRecommendedRecommendedYesOr use any you already own. Must have at least 16 Gb storage capacity. Prefer cards with at least “V30” and “A2” speeds. Beware of fake cards on Amazon and Alibaba.
Ethernet CableRecommendedRecommendedYesOr use any you already own. Prefer cables that are at least CAT 6, 6a, or higher. Beware of fake cables on Amazon and AliExpress.
CaseiUnikerBlack or WhiteNoOptional. Metal cases are not recommended. The Pi 5 cases come with a fan and a single heatsink.
Cooling40mm case fan + heatsinksActive CoolerOnly if overclockingThe Pi 4b case fan is too loud.

Additional Hardware

  • To write Ubuntu Core to your MicroSD card:
    • MicroSD card reader/writer (built in or via usb)
  • To complete Ubuntu Core installation:
    • USB keyboard
    • Micro HDMI (pi) to standard HDMI (tv/monitor) cable. Tested with this.
    • Monitor or television

Setup

Preparation

Antennas would ideally be installed on a dedicated Raspberry Pi. Why? Constrained computational resources aside, Antennas must change system firewall and networking rules in order to function. For example: we clear the firewall rules before setting a default drop policy and flush wlan0’s ip addresses before adding some.

Ask yourself how will these side effects interact with any other firewall/networking snaps you have installed (if any). If you think it might then install Antennas on a separate MicroSD card.

Install Operating System

Ubuntu Core is officially supported. See the Common Questions for more information on supported devices and operating systems.

Download the Ubuntu Core 26 operating system img then follow the official installation guide.

Install Antennas

Assume all commands from this point forward are run on the Raspberry Pi after SSH’ing into it.

sudo snap install antennas

All permissions should be granted automatically. Check with snap connections antennas. Otherwise, you can manually grant permissions.

Finish Setup

Setting a wifi password is the last step before Antennas is running. See the Configure section below for how to set a password.

After setting a password you should see a message that says “Enabled snap services”. Congratulations Antennas is now running!

If you don’t see that message after setting a password you can manually enable services with sudo snap start --enable antennas.

Configure

View all currently set or default options with sudo antennas.config get. Or get a single item with sudo antennas.config get wifi-channel.

Learn how to set options with sudo antennas.config set --help. You may change the default options. It is common to change the country, ssid, and passphrase:

sudo antennas.config set --country-code=us --wifi-ssid=Test --wifi-password

On some systems, you may need to use sudo /snap/bin/antennas.config if you get an error that says “sudo: antennas.config: command not found”.

You will need to run sudo snap restart antennas if you want the config changes to take effect.

Debugging

Warnings

Antennas automatically updates to the latest version. When it does so, all of its services are restarted. This causes a roughly 30 second drop in wireless connection. Therefore, what you though was a bug might just be your system updating. Care is taken to batch up releases to prevent frequent downtime.

Using the network-manager snap is not recommended. It and other snaps that manipulate the system networking may or may not conflict with Antennas.

Tips

View all logs with snap logs -n=all antennas or view the latest logs of a specific service with snap logs -n=99 antennas.hostapd. You can increase the verbosity of logs that are available to view by enabling Antennas’s debug mode with sudo antennas.config set --debug true. It is not recommended to leave debug mode on when not debugging.

To debug an Antennas build you can inspect it after building with snapcraft build --shell. Within the container you can see the state of various steps in the snap lifecycle. For example, go to /root/stage to see bin, sbin, and /usr/bin for your staged package binaries.

To debug an installed Antennas snap your can inspect it after installing with snap run --shell antennas.hostapd (where “hostapd” is the service). From there you can run commands like printenv.

To debug permissions check if permissions are assigned with snap connections antennas. Check if its using something protected by permissions with the snappy-debug snap or by checking dmesg.

To check what is inside the compressed snap, run unsquashfs ./antennas_1_arm64.snap.

To check port usage on Ubuntu Core, run sudo ss -lpnut.

Security

Security Features

Security is the top priority. A wifi router that isn’t secure isn’t worth using. And we’ve made significant improvements to security over the years…

#Security FeatureAntennas
1MaintenanceActively being developed
2Open SourceYes, on Codeberg. Two-factor authentication and signed commits enabled.
3HardwareOnly officially supporting Raspberry Pi 5 and its builtin wireless chip. The device does not reach end of life until 2036-01-01. Its wireless firmware has been promptly patched when issues are found. Ubuntu certifies that it works with Ubuntu Core.
4Operating SystemOnly officially supporting Ubuntu Core 26 which greatly improves security in ways such as an immutable base OS, confined applications, permissions, etc. Read more here and here.
5BaseBuilt with core26 (Ubuntu 26.04 LTS) as a base
6Programming LanguageRust was chosen for its memory and thread safety. Rust is compatible with arm64 and snapcraft.
7Application InterfaceThe application interface has been removed so that no other applications can directly control Antennas.
8Wifi EncryptionRemoved ability to configure an open, unencrypted access point.
9Wifi Password14 characters minimum, can’t contain only numbers. Password is not shown when typing it. Encrypted and NOT stored as plain text. Memory is properly zeroed after both prompting and encrypting a password.
10DNSEncrypted with DNS-over-HTTPS using TLS 1.3. Pi 4b uses TLS_CHACHA20_POLY1305_SHA256 and Pi 5 uses TLS_AES_128_GCM_SHA256. DNS encryption verified with this tool. DNS-level blocking of malware. DNS rebind attacks blocked.
11Third Party SoftwareUsing updated versions of dependencies (hostapd, dnsmasq, dnscrypt, etc). Each is downloaded from its official source, verified with sha512 checksums and GPG signatures, and only then compiled with unused features disabled. Any compilation change, such as disabling a feature, is auditable/reproducible from the snapcraft.yaml.
12ConfigThe only way to generate config is through the bundled rust program. Config is stored in non-executable toml format and validated before use. File permissions are limited. Must be root to set/get config via cli.
13ServicesSeparate services are defined via snapcraft.yaml, each having their minimum required permissions assigned.
14FirewallUses firewall for routing. Sets default drop policies with only required traffic allowed. Rate limits ssh connection. Uses nftables instead of legacy iptables.
15Web InterfaceNo web interface. Config is only accessible through key-protected SSH. This eliminates the possibility of a website to brute-force guess the router’s web interface credentials.

Hardware Cryptography

Pi 4bPi 5Notes
Hardware Random Number GeneratorYesYesCan be accessed by sudo cat /dev/hwrng. /dev/hwrng should be feeding the pool that /dev/random and /dev/urandom pull from. System entropy can be checked with cat /proc/sys/kernel/random/entropy_avail. Testing the RNG on both devices outputs what I interpret to be the same results. I’ve tested with both rng-tool’s sudo cat /dev/hwrng | rngtest -c 1000 and dieharder’s dieharder -a.
Cryptographic Hardware AccelerationNoYesThe Pi 5’s acceleration allows it to use AES algorithms for DNS (see table above).
Cryptographic Operation BenchmarksPBKDF2-sha512 (256b): 482,769 IPS

aes-cbc (128b): 94.7 MiB/s encrypt, 99.2 MiB/s decrypt

aes-cbc (256b): 76.2 MiB/s encrypt, 77.9 MiB/s decrypt

aes-xts (256b): 90.3 MiB/s encrypt, 102.5 MiB/s decrypt

aes-xts (512b): 79.2 MiB/s encrypt, 80.0 MiB/s decrypt
PBKDF2-sha512 (256b): 958,478 IPS

aes-cbc (128b): 982.1 MiB/s encrypt, 1613.4 MiB/s decrypt

aes-cbc (256b): 810.3 MiB/s encrypt, 1379.9 MiB/s decrypt

aes-xts (256b): 1351.7 MiB/s encrypt, 1352.9 MiB/s decrypt

aes-xts (512b): 1199.8 MiB/s encrypt, 1199.3 MiB/s decrypt
Run with command: cryptsetup benchmark, which is preinstalled on most linux systems. Only a subset of results shown, run the command to see the full results.

Memory Safety

Approximately 70% of security issues are memory safety issues. Antennas makes heavy use of the Rust Programming Language which enforces memory safety at compile time. In Rust, the only way to write code that isn’t verified as memory safe is to explicitly mark the code as “unsafe”. Unsafe usage is rare and Rust code tends to be much safer than alternative code.

Antennas itself is 100% memory safe and forbids the usage of unsafe. The same applies to its dhcpv4 server (toe-beans) and its password encryption (wpa_passphrase). The only exceptions are:

  • Third-party libraries used by Rust programs that forbid unsafe may use unsafe. I’ve made progress on reducing this, and again, its still less than using alternative software.
  • The setup binary currently configures the system by calling other non-rust programs. Mostly nft and sysctl. Care is taken to only use trusted commands and to ensure a full path to the command is used.
  • Other daemons that Antennas starts such as hostapd and dnsmasq are written in C and are not memory safe.

Other

  • Verified that swap storage is off by default (via swapon --show). This is good when without full disk encryption and without encrypted swap.
  • USB devices are not auto mounted.

Privacy

Updated on: August 2, 2024

Introduction

  • We are in pursuit of creating products that are private, secure, and free.
  • We will attempt to make this privacy policy simple and informative. However, you may need technical knowledge to understand parts of it.
  • We do not implement tracking in the software we write. Therefore, we rely on you to report issues.
  • We do not sell information.
  • We do not monetize with advertisements.

Privacy Disclosures

  • Snapcraft collects anonymous metrics when installing a snap package.
  • Cloudflare, our hosting provider, collects anonymous server-side analytics when visiting this website. This does not happen when directly accessing the website through our onion service.
  • Cloudflare might create cookies in some situations. However, it is likely that no cookies will have been created. No cookies are created when directly accessing the website through our onion service.
  • Accessing the website will store anonymous access logs with the following information: datetime of access, url accessed, and user agent.

Application Privacy Features

  • DNS is encrypted with DNS-over-HTTPS using TLS 1.3, and validated with DNSSEC. See the 1.1.1.1 Resolver Privacy Policy for more information.
  • A tracking and advertisement blocklist is setup by default. Use the “blocklist” config option to change the blocklist.
  • No mobile app or website registration is required to configure Antennas. However, an Ubuntu SSO account is temporarily required, when installing Ubuntu Core, in order to download a ssh public key for enhanced security.

Website Privacy Features

Privacy Policy Changes

  • This privacy policy may be updated at any time.
  • Since we do not collect any information that we can use to notify you, you must check this website for updates periodically.

Performance

Wifi

Antennas enables wifi 5 (ac) speeds. The project it originally forked from only had wifi 4 (n) speeds.

Wireless speeds will vary based on the generation of Raspberry Pi used and whether it is overclocked or not. Speeds below are measured using fast.com.

Overclocking

You can safely overclock by enabling turbo mode. You should see performance gains of about 50%. This comes at the expense of higher energy usage.

Warning

Changing other overclock settings, other than what is listed here, may void your warranty. Overclocking, especially without proper cooling, may slightly reduce the lifespan of your device.

To enable turbo mode in Ubuntu Core you can set force_turbo=1, then restart for the change to take effect:

sudo snap set system pi-config.force-turbo=1
sudo reboot

To verify that overclocking worked you can check the CPU frequency with lscpu | grep 'MHz' which returns:

DeviceOverclockedMin MHzMax MHzObservations
Pi 4bNo6001500Wireless speed is about 80 Mbps
Pi 4b, Ubuntu Core 20Yes15001500Increases wireless speed to about 100-110 Mbps
Pi 4b, Ubuntu Core 22Yes18001800Increases wireless speed to about 110-150 Mbps
Pi 5, Ubuntu Core 26No15002400Increases wireless speed to about 270 Mbps
Pi 5, Ubuntu Core 26Yes24002400Increases wireless speed to about 280 Mbps

Thermals

All Raspberry Pi models will throttle starting at 80 degrees celsius and throttle even more at 85 degrees celsius.

Temperature can be checked by running cat /sys/class/thermal/thermal_zone0/temp. The result will be a temperature in millidegrees celsius, so divide by 1000 to convert to celsius.

DNS

DNS caching is enabled and the size of the cache has been increased.

The toe-beans DHCP server is configured to advertise the dnscrypt server directly instead of relaying it.

Uses one of the fastest DNS resolvers: Cloudflare’s 1.1.1.1.

DHCP

Rapid commit is enabled for faster ipv4 address assignment.

Energy Usage

The Raspberry Pi is very energy efficient. In general, it should use less energy than most consumer grade routers.

The following results are measured with a kill-a-watt meter:

DeviceOverclockedResting WattsPeak Watts1
Pi 4bNo2.74.3
Pi 4b (core20)Yes3.14.3
Pi 4b (core22)Yes3.24.6
Pi 5No4.45.8
Linksys WRT 3200 ACMUnknown9.512.8

  1. Peak watts were measured while running a speed test. Your results may vary.

Permissions

See the snapcraft.yaml file to audit which services are using which permissions by looking at the “plugs” for each.

To check which of those permissions have been granted to an installed instance of Antennas, run snap connections antennas.

PermissionUsesAutomatic
networkEnables network accessYes
network-bindAllows services to listen on a port. dnsmasq listens on port 67 and dnscrypt listens on port 53Yes
network-controlEnables the configuration of networking and network namespacesYes*
firewall-controlCan make changes to the nftables firewall rules. Required for using device to forward packets correctly as a router.Yes*

If the automatic connection of network-control and firewall-control were ever to be revoked, you can manually connect them with these commands:

sudo snap connect antennas:firewall-control
sudo snap connect antennas:network-control

Common Questions

Will the Raspberry Pi 5 be supported?

Yes, it already is!

Will older versions, or other models, of the Raspberry Pi be supported?

Given most Raspberry Pi models use the same wifi chipset and due to how Antennas is packaged, yes, it would probably work on those devices. However, I don’t test, certify, or endorse doing so. Only the latest version, subject to my ability to acquire the hardware, is actively tested. That is currently the Raspberry Pi 5.

What operating systems are supported?

Ubuntu Core 26 is officially suported because it gives the best security which is vital for a wireless access point (which is usually the most vulnerable device in your home). If there is ever a bug with the operating system networking stack (like in the past with Ubuntu Core 24 and brcmfmac) then I recommend using Raspberry Pi OS Lite instead (because fixes have landed there sooner).

Will a heatsink worsen my wifi signal?

The wireless antennas are separate from the wireless chip. You can find the antennas by looking for a triangle next to the chip. Placing an appropriately sized heatsink on the wireless chip of your raspberry pi should not worsen signal because it doesn’t block the antennas. The same should apply for the heatsink on the official raspberry pi active cooler.

Will a case worsen my wifi signal?

Most plastic cases will have no significant impact on signal, but some metal cases might act as a faraday cage.

How much RAM (memory) do I need?

A Raspberry Pi with at least 2 GB should be more than enough. Each RAM module has the same memory speed. Therefore, purchasing Raspberry Pis with more memory will have no effect on performance. An entire system with Ubuntu Core 26 and Antennas installed will only use about 393 megabytes of memory according to free --mega. For comparison, most consumer routers don’t have much memory, and an expensive one might have only 512 megabytes.

How much storage space do I need?

A micro sd card with at least 16 GB should be more than enough. Focus on getting a card that is faster (at least V30 and A2). There are recommendations on the Getting Started page. All storage on a fresh install of Ubuntu Core 26 with Antennas only takes 468 megabytes according to df --si.

Can I use a third-party wifi adapter?

Yes, see sudo antennas.config set --help for how to configure a custom “wifi-interface”. Then rerun the “antennas.setup-ap” service. Be warned that the firmware for the third-party wifi adapter will likely be proprietary and buggy leading to a lot of issues. I highly recommend just using the built-in wifi because it has the most stable firmware I’ve been able to find.

Development

This page explains how to build, test, and release the Antennas snap from source. Its only necessary for software developers who want to contribute to the project. The vast majority of users will likely want to just install the Antennas snap that was published to the official snap store using the Getting Started guide.

Build System

It is recommended that you have a dedicated Raspberry Pi to build the Antennas snap. Ideally, the build pi would be a Raspberry Pi 5 with at least 4gb of RAM and 32gb storage.

Install an operating system on your build system. I recommend installing Ubuntu Desktop 26.04 LTS.

Important

This snap must be built and run on the arm64 architecture. If you build the snap, or any parts, for a different architecture, you will receive a runtime error similar to this: cannot execute binary file: Exec format error.

Build tools

Install the snapcraft snap:

sudo snap install --classic snapcraft

Snapcraft needs to use one of two build providers: Multipass or LXD. Multipass hasn’t historically worked well with arm64 whereas LXD has. LXD is now the default build provider on linux.

Snapcraft will automatically try to install and configure LXD if you run it, or you can do so manually:

sudo snap install lxd
sudo lxd init --auto

Then add the lxd group to your user so you can run it as a non-root user:

sudo usermod -a -G lxd ${USER}

You must restart your computer for the new group assignment to take effect

Building

Run snapcraft clean && snapcraft pack --verbose for a fresh build. If you are sure you only changed a specific part, you can clean only that part with snapcraft clean part to save time on subsequent builds.

Installing and Testing

It is recommended that you have a dedicated Raspberry Pi to test this snap that is not the build system.

Transfer the built snap from your “build pi” to the “test pi” with sftp.

If you have previously installed this snap, remove it:

sudo snap remove --purge antennas

Since you are installing the snap we built locally, and not signed/asserted by the snap store, you must install it with the dangerous flag:

sudo snap install --dangerous ./antennas_1_arm64.snap

Tip: Add some aliases to your test pi’s ~/.bashrc (reconnect via ssh for changes to take effect):

alias resnap="reinstall && repermission && repassword && reenable"
alias reinstall="sudo snap remove --purge antennas && sudo snap install --dangerous antennas_1_arm64.snap"
alias repermission="sudo snap connect antennas:firewall-control && sudo snap connect antennas:network-control"
alias repassword="sudo antennas.config set --country-code=us --wifi-ssid=Test --wifi-password"
alias reenable="sudo snap start --enable antennas"

Releasing

After building the latest version and testing it, run:

snapcraft upload --release beta,stable --verbose antennas_1_arm64.snap

You may also choose to just upload to beta and then promote to stable later.

Toe Beans

The underside of a black cats paw showing its paw pads, also called toe beans. The paw is handing out an ip address, not all that unsimilar from the duty of DHCP.

This project is a DHCPv4 library, client, and server.

It is open-source on Codeberg, released on crates.io, and documented on docs.rs.

Inherface

a cat lovingly rubbing against a womans face

This project is a fork of network-interfaces with these fixes and improvements. It has been successfully integrated into toe-beans.

Find documentation and examples on docs.rs and crates.io. The code is open sourced on Codeberg.