{"id":13775864,"url":"https://github.com/garywill/linux-router","last_synced_at":"2025-05-14T11:12:15.910Z","repository":{"id":33907124,"uuid":"146877541","full_name":"garywill/linux-router","owner":"garywill","description":"Set Linux as router in one command. Support Internet sharing, redsocks, Wifi hotspot, IPv6. Can also be used for routing VM/containers 🛰️ ","archived":false,"fork":false,"pushed_at":"2024-12-18T12:55:11.000Z","size":178,"stargazers_count":1823,"open_issues_count":33,"forks_count":167,"subscribers_count":24,"default_branch":"master","last_synced_at":"2025-04-11T22:59:12.339Z","etag":null,"topics":["access-point","create-ap","gateway","internet-sharing","ipv6","ipv6-subnetting","linux","nat","nated-wifi-access-point","redsocks","router","transparent-proxy","wifi-hotspot"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-2.1","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/garywill.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-08-31T10:28:33.000Z","updated_at":"2025-04-10T19:38:07.000Z","dependencies_parsed_at":"2024-04-24T06:39:42.624Z","dependency_job_id":"5cfafaa0-1df2-4881-8148-2a1bf762a3a6","html_url":"https://github.com/garywill/linux-router","commit_stats":{"total_commits":94,"total_committers":5,"mean_commits":18.8,"dds":"0.11702127659574468","last_synced_commit":"fe2348a725246f3ed83e0f31a4330bfce5e2eb38"},"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garywill%2Flinux-router","tags_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garywill%2Flinux-router/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garywill%2Flinux-router/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garywill%2Flinux-router/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/garywill","download_url":"https://codeload.github.com/garywill/linux-router/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254129525,"owners_count":22019628,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-point","create-ap","gateway","internet-sharing","ipv6","ipv6-subnetting","linux","nat","nated-wifi-access-point","redsocks","router","transparent-proxy","wifi-hotspot"],"created_at":"2024-08-03T17:01:52.897Z","updated_at":"2025-05-14T11:12:10.894Z","avatar_url":"https://github.com/garywill.png","language":"Shell","funding_links":[],"categories":["\u003ca id=\"d03d494700077f6a65092985c06bf8e8\"\u003e\u003c/a\u003e工具","Command Line Utilities","Shell"],"sub_categories":["\u003ca id=\"57b8e953d394bbed52df2a6976d98dfa\"\u003e\u003c/a\u003eSocks","Internet"],"readme":"# Linux-router\n\nSet Linux as router in one command. Able to provide Internet, or create WiFi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers.\n\nIt wraps `iptables`, `dnsmasq` etc. stuff. 
Use in one command, restore in one command or by `control-c` (or even by closing terminal window).\n\n[Linux-Router News \u0026 Developer Notes 📰](https://github.com/garywill/linux-router/issues/28) | [More tools and projects 🛠️](https://garywill.github.io) | [🍻 Buy me a coffee ❤️](https://github.com/garywill/receiving/blob/master/receiving_methods.md)\n\n\n## Features\n\nBasic features:\n\n- Create a NATed sub-network\n- Provide Internet\n- DHCP server (and RA)\n  - Specify what DNS the DHCP server assigns to clients\n- DNS server\n  - Specify upstream DNS (kind of a plain DNS proxy)\n- IPv6 (behind NATed LAN, like IPv4)\n- Creating WiFi hotspot:\n  - Channel selection\n  - Choose encryption: WPA2/WPA, WPA2, WPA, No encryption\n  - Create AP on the same interface you are getting Internet from (usually requires the same channel)\n- Transparent proxy (redsocks)\n- Transparent DNS proxy (hijack port 53 packets)\n- Detect NetworkManager and make sure it won't interfere (handle interface (un)managed status)\n- Detect firewalld and make sure it won't interfere (by using the `trusted` zone)\n- You can run many instances, to create many different networks. 
Has instances managing feature.\n\n**For many other features, see below [CLI usage](#cli-usage-and-other-features)**\n\n### Useful in these situations\n\n```\nInternet----(eth0/wlan0)-Linux-(wlanX)AP\n                                       |--client\n                                       |--client\n```\n\n```\n                                    Internet\nWiFi AP(no DHCP)                        |\n    |----(wlan1)-Linux-(eth0/wlan0)------\n    |           (DHCP)\n    |--client\n    |--client\n```\n\n```\n                                    Internet\n Switch                                 |\n    |---(eth1)-Linux-(eth0/wlan0)--------\n    |--client\n    |--client\n```\n\n```\nInternet----(eth0/wlan0)-Linux-(eth1)------Another PC\n```\n\n```\nInternet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container\n```\n\n## Install\n\n1-file-script. Release on [Linux-router repo on Github](https://github.com/garywill/linux-router). Just download and run the bash script (meet the dependencies). In this case use without installation.\n\nI'm currently not packaging for any distro. 
If you do, open a PR and add the link (can be with a version badge) to list here\n\n| Linux distro |                                                                                                            |\n| ------------ | ---------------------------------------------------------------------------------------------------------- |\n| Any          | download [1-file-script](https://raw.githubusercontent.com/garywill/linux-router/master/lnxrouter) and run without installation |\n\n### Dependencies\n\n- bash\n- procps or procps-ng\n- iproute2\n- dnsmasq\n- iptables (or nftables with `iptables-nft` translation linked)\n- WiFi hotspot dependencies\n  - hostapd\n  - iw\n  - iwconfig (you only need this if 'iw' can not recognize your adapter)\n  - haveged (optional)\n\n\n\n## Usage\n\n### Provide Internet to an interface\n\n```bash\nsudo lnxrouter -i eth1\n```\n\nno matter which interface (other than `eth1`) you're getting Internet from.\n\n### Create WiFi hotspot\n\n```bash\nsudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase\n```\n\nno matter which interface you're getting Internet from (even from `wlan0`). Will create virtual Interface `x0wlan0` for hotspot.\n\n### Provide an interface's Internet to another interface\n\nClients access Internet through only `isp5`\n\n\u003cdetails\u003e\n\n```bash\nsudo lnxrouter -i eth1 -o isp5  --no-dns  --dhcp-dns 1.1.1.1  -6 --dhcp-dns6 [2606:4700:4700::1111]\n```\n\n\u003e In this case of usage, it's recommended to:\n\u003e \n\u003e 1. Stop serving local DNS\n\u003e 2. Tell clients which DNS to use (ISP5's DNS. 
Or, a safe public DNS, like above example)\n\n\u003c/details\u003e\n\n### Create LAN without providing Internet\n\n\u003cdetails\u003e\n\n```bash\nsudo lnxrouter -n -i eth1\n```\n\n```bash\nsudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase\n```\n\n\u003c/details\u003e\n\n### Internet for LXC\n\n\u003cdetails\u003e\n\nCreate a bridge\n\n```bash\nsudo brctl addbr lxcbr5\n```\n\nIn LXC container `config`\n\n```\nlxc.network.type = veth\nlxc.network.flags = up\nlxc.network.link = lxcbr5\nlxc.network.hwaddr = xx:xx:xx:xx:xx:xx\n```\n\n```bash\nsudo lnxrouter -i lxcbr5\n```\n\n\u003c/details\u003e\n\n### Transparent proxy\n\nAll clients' Internet traffic goes through, for example, Tor (notice this example is NOT an anonymity use)\n\n\u003cdetails\u003e\n\n```bash\nsudo lnxrouter -i eth1 --tp 9040 --dns 9053 -g 192.168.55.1 -6 --p6 fd00:5:6:7::\n```\n\nIn `torrc`\n\n```\nTransPort 192.168.55.1:9040 \nDNSPort 192.168.55.1:9053\nTransPort [fd00:5:6:7::1]:9040 \nDNSPort [fd00:5:6:7::1]:9053\n```\n\n\u003e **Warning**: Tor's anonymity relies on a purpose-made browser. Using Tor like this (sharing Tor's network to LAN clients) will NOT ensure anonymity.\n\u003e \n\u003e Although we use Tor as example here, Linux-router does NOT ensure anonymity, nor does it aim to.\n\n\u003c/details\u003e\n\n### Clients-in-sandbox network\n\nTo avoid giving our information to clients. Clients can still access Internet.\n\n\u003cdetails\u003e\n\n```bash\nsudo lnxrouter -i eth1 \\\n    --tp 9040 --dns 9053 \\\n    --random-mac \\\n    --ban-priv \\\n    --catch-dns --log-dns   # optional\n```\n\n\u003c/details\u003e\n\n\u003e Linux-router comes with no warranty. 
Use on your own risk\n\n### Use as transparent proxy for LXD\n\n\u003cdetails\u003e\n\nCreate a bridge\n\n```bash\nsudo brctl addbr lxdbr5\n```\n\nCreate and add a new LXD profile overriding container's `eth0`\n\n```bash\nlxc profile create profile5\nlxc profile edit profile5\n\n### profile content ###\nconfig: {}\ndescription: \"\"\ndevices:\n  eth0:\n    name: eth0\n    nictype: bridged\n    parent: lxdbr5\n    type: nic\nname: profile5\n\nlxc profile add \u003ccontainer\u003e profile5\n```\n\n```bash\nsudo lnxrouter -i lxdbr5 --tp 9040 --dns 9053\n```\n\nTo remove that new profile from container\n\n```bash\nlxc profile remove \u003ccontainer\u003e profile5\n```\n\n#### To not use profile\n\nAdd new `eth0` to container overriding default `eth0`\n\n```bash\nlxc config device add \u003ccontainer\u003e eth0 nic name=eth0 nictype=bridged parent=lxdbr5\n```\n\nTo remove the customized `eth0` to restore default `eth0`\n\n```bash\nlxc config device remove \u003ccontainer\u003e eth0\n```\n\n\u003c/details\u003e\n\n### Use as transparent proxy for VirtualBox\n\n\u003cdetails\u003e\n\nIn VirtualBox's global settings, create a host-only network `vboxnet5` with DHCP disabled.\n\n```bash\nsudo lnxrouter -i vboxnet5 --tp 9040 --dns 9053\n```\n\n\u003c/details\u003e\n\n### Use as transparent proxy for firejail\n\n\u003cdetails\u003e\n\nCreate a bridge\n\n```bash\nsudo brctl addbr firejail5\n```\n\n```bash\nsudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053 \nfirejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd\n```\n\nFirejail's `/etc/resolv.conf` doesn't obtain DNS from DHCP, so we need to assign.\n\nnscd is domain name cache service, which shouldn't be accessed from in jail here.\n\n\u003c/details\u003e\n\n### CLI usage and other features\n\n\u003cdetails\u003e\n\n```\nUsage: lnxrouter \u003coptions\u003e\n\nOptions:\n    -h, --help              Show this help\n    --version               Print version number\n\n    -i \u003cinterface\u003e      
    Interface to make NATed sub-network,\n                            and to provide Internet to\n                            (To create WiFi hotspot use '--ap' instead)\n    -o \u003cinterface\u003e          Specify an inteface to provide Internet from.\n                            (Note using this with default DNS option may leak\n                            queries to other interfaces)\n    -n                      Do not provide Internet\n    --ban-priv              Disallow clients to access my private network\n    \n    -g \u003cip\u003e                 This host's IPv4 address in subnet (mask is /24)\n                            (example: '192.168.5.1' or '5' shortly)\n    -6                      Enable IPv6 (NAT)\n    --no4                   Disable IPv4 Internet (not forwarding IPv4).\n                            Usually used with '-6'\n                            \n    --p6 \u003cprefix\u003e           Set IPv6 LAN address prefix (length 64) \n                            (example: 'fd00:0:0:5::' or '5' shortly) \n                            Using this enables '-6'\n                            \n    --dns \u003cip\u003e|\u003cport\u003e|\u003cip:port\u003e\n                            DNS server's upstream DNS.\n                            Use ',' to seperate multiple servers\n                            (default: use /etc/resolv.conf)\n                            (Note IPv6 addresses need '[]' around)\n    --no-dns                Do not serve DNS\n    --no-dnsmasq            Disable dnsmasq server (DHCP, DNS, RA)\n    --catch-dns             Transparent DNS proxy, redirect packets(TCP/UDP) \n                            whose destination port is 53 to this host\n    --log-dns               Show DNS query log (dnsmasq)\n    --dhcp-dns \u003cIP1[,IP2]\u003e|no\n                            Set IPv4 DNS offered by DHCP (default: this host).\n    --dhcp-dns6 \u003cIP1[,IP2]\u003e|no\n                            Set IPv6 DNS offered by DHCP (RA) \n                
            (default: this host)\n                            (Note IPv6 addresses need '[]' around)\n                            Using both above two will enable '--no-dns' \n    --hostname \u003cname\u003e       DNS server associate this name with this host.\n                            Use '-' to read name from /etc/hostname\n    -d                      DNS server will take into account /etc/hosts\n    -e \u003chosts_file\u003e         DNS server will take into account additional \n                            hosts file\n    --dns-nocache           DNS server no cache\n    \n    --mac \u003cMAC\u003e             Set MAC address\n    --random-mac            Use random MAC address\n \n    --tp \u003cport\u003e             Transparent proxy,\n                            redirect non-LAN TCP and UDP(not tested) traffic to\n                            port. (usually used with '--dns')\n    \n  WiFi hotspot options:\n    --ap \u003cwifi interface\u003e \u003cSSID\u003e\n                            Create WiFi access point\n    -p, --password \u003cpassword\u003e   \n                            WiFi password\n    --qr                    Show WiFi QR code in terminal (need qrencode)\n    \n    --hidden                Hide access point (not broadcast SSID)\n    --no-virt               Do not create virtual interface\n                            Using this you can't use same wlan interface\n                            for both Internet and AP\n    --virt-name \u003cname\u003e      Set name of virtual interface\n    -c \u003cchannel\u003e            Specify channel (default: use current, or 1 / 36)\n    --country \u003ccode\u003e        Set two-letter country code for regularity\n                            (example: US)\n    --freq-band \u003cGHz\u003e       Set frequency band: 2.4 or 5 (default: 2.4)\n    --driver                Choose your WiFi adapter driver (default: nl80211)\n    -w \u003cWPA version\u003e        '2' for WPA2, '1' for WPA, '1+2' for both\n            
                (default: 2)\n    --psk                   Use 64 hex digits pre-shared-key instead of\n                            passphrase\n    --mac-filter            Enable WiFi hotspot MAC address filtering\n    --mac-filter-accept     Location of WiFi hotspot MAC address filter list\n                            (defaults to /etc/hostapd/hostapd.accept)\n    --hostapd-debug \u003clevel\u003e 1 or 2. Passes -d or -dd to hostapd\n    --isolate-clients       Disable wifi communication between clients\n    --no-haveged            Do not run haveged automatically when needed\n    --hs20                  Enable Hotspot 2.0\n\n    WiFi 4 (802.11n) configs:\n    --wifi4                 Enable IEEE 802.11n (HT)\n    --req-ht                Require station HT (High Throughput) mode\n    --ht-capab \u003cHT caps\u003e    HT capabilities (default: [HT40+])\n\n    WiFi 5 (802.11ac) configs:\n    --wifi5                 Enable IEEE 802.11ac (VHT)\n    --req-vht               Require station VHT (Very High Thoughtput) mode\n    --vht-capab \u003cVHT caps\u003e  VHT capabilities\n    \n    --vht-ch-width \u003cindex\u003e  Index of VHT channel width:\n                                0 for 20MHz or 40MHz (default)\n                                1 for 80MHz\n                                2 for 160MHz\n                                3 for 80+80MHz (Non-contigous 160MHz)    \n    --vht-seg0-ch \u003cchannel\u003e Channel index of VHT center frequency for primary \n                            segment. Use with '--vht-ch-width'\n    --vht-seg1-ch \u003cchannel\u003e Channel index of VHT center frequency for secondary\n                            (second 80MHz) segment. Use with '--vht-ch-width 3'\n\n  Instance managing:\n    --daemon                Run in background\n    -l, --list-running      Show running instances\n    --lc, --list-clients \u003cid|interface\u003e     \n                            List clients of an instance. 
Or list neighbors of\n                            an interface, even if it isn't handled by us.\n                            (passive mode)\n    --stop \u003cid\u003e             Stop a running instance\n        For \u003cid\u003e you can use PID or subnet interface name.\n        You can get them with '--list-running'\n                \nExamples:\n    lnxrouter -i eth1\n    lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase\n    lnxrouter -i eth1 --tp \u003ctransparent-proxy\u003e --dns \u003cdns-proxy\u003e\n```\n\n\u003c/details\u003e\n\n## What changes are done to Linux system\n\nOn exit of a linux-router instance, the script **will do cleanup**, i.e. undo most changes to the system. However, **some** changes (if needed) will **not** be undone, which are:\n\n1. `/proc/sys/net/ipv4/ip_forward = 1` and `/proc/sys/net/ipv6/conf/all/forwarding = 1`\n2. dnsmasq in Apparmor complain mode\n3. hostapd in Apparmor complain mode\n4. Kernel module `nf_nat_pptp` loaded\n5. The wifi device which is used to create hotspot is `rfkill unblock`ed\n6. WiFi country code, if user assigns\n\n## Meet contributor(s) and become one of them\n\nVisit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and projects** 🛠️.\n\n\u003e [❤️ Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([❤️ Scan the QR code to claim a red packet and leave a tip!](https://github.com/garywill/receiving/blob/master/receiving_methods.md))\n\u003e \n\u003e 🥂 ( ^\\_^) o自自o (^_^ ) 🍻\n\n🤝 Besides, thanks to [create_ap](https://github.com/oblique/create_ap) by [oblique](https://github.com/oblique). This script was forked from create\\_ap. Now they are quite different. (See `history` branch for how I modified create_ap). 🤝 Also thanks to those who contributed to that project.\n\n👨‍💻 You can be a contributor, too! 
\n\n- 🍃 There're some TO-DOs listed, in both [readme TODO](#todo) and [in the code file](https://github.com/garywill/linux-router/search?q=TODO\u0026type=code)\n- 🍃 Also some [unfulfilled enhancements in the Issues](https://github.com/garywill/linux-router/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement)\n- 🙋‍♂️ Contributions are not limited to coding. There're [some posts and questions](https://github.com/garywill/linux-router/issues) that need more people to answer\n\n## TODO\n- WPA3\n- Global IPv6\n\n## License\n\nlinux-router is LGPL licensed\n\n\u003cdetails\u003e\n\n```\nlinux-router\nCopyright (C) 2018  garywill\n\nThis library is free software; you can redistribute it and/or\nmodify it under the terms of the GNU Lesser General Public\nLicense as published by the Free Software Foundation; either\nversion 2.1 of the License, or (at your option) any later version.\n\nThis library is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  
See the GNU\nLesser General Public License for more details.\n\nYou should have received a copy of the GNU Lesser General Public\nLicense along with this library; if not, write to the Free Software\nFoundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n```\n\n\u003c/details\u003e\n\nUpstream create_ap was BSD licensed\n\n\u003cdetails\u003e\n\n```\nCopyright (c) 2013, oblique\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n  list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n  this list of conditions and the following disclaimer in the documentation\n  and/or other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\"\nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n```\n\n\u003c/details\u003e\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgarywill%2Flinux-router","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgarywill%2Flinux-router","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgarywill%2Flinux-router/lists"}