Skip to content
Bill Zimmerman edited this page Nov 19, 2020 · 97 revisions

This has been written to address some frequently asked questions among users of RaspAP.

If you're unable to access RaspAP's web interface from the default http://10.3.141.1/ address, do the following:

  1. Be sure your browser isn't forcing SSL by appending https:// to the address, which can result in misleading errors. This may sound obvious but it's reported frequently. (Related: add SSL support for RaspAP)
  2. Connect your device to wired ethernet and access it via the browser or SSH on the eth0 interface using one of the methods below. Check the logs for hostapd errors and reconfigure the service, or run the installer again to restore the default configuration.
  3. There are several methods to determine your Pi's IP address. RaspAP's installer only configures a static IP address for the AP interface on wlan0. If the AP has entered a failed state, you may still be able to connect on an alternate IP.
  4. Recent versions of the RPi OS kernel include the avahi-daemon which provides multicast DNS. On client computers with the Bonjour service installed (all MacOS machines and Windows PCs with Apple iTunes installed), try accessing your Pi by entering http://raspberrypi.local/ in the browser or via SSH with ssh pi@raspberrypi.local.
  5. If you don't have access to wired ethernet and the above methods fail, configure your Pi for USB-OTG, aka 'on-the-go' or gadget mode. Instructions for enabling USB-OTG vary between various models and not all Pi hardware has support for this.

What do all these settings in the UI do? Changing them seems to have no effect.

RaspAP manipulates several daemons, services and helper programs behind the scenes for you. In the footer of each management panel is a helpful "Information provided by..." label. These indicate which Linux daemon and/or program is being modified by the UI. Learning what these services are and how they work will go a long way toward demystifying things.

For example, two of the best starting points for understanding hostapd (the service that implements 802.11 AP management) include the hostapd Linux documentation page and hostapd Wifi homepage.

Important: After you choose Save settings for hostapd or dhcpcd, these services must be stopped and restarted for your changes to take effect. If you're not sure if your AP is behaving as expected, enable logging in the Advanced options of Configure hotspot and check the output.

My custom hostapd.conf / php.ini is gone. Help!

The installer applies a "known good" default configuration to some services, including hostapd. It will also, optionally, optimize php by changing a very limited number of settings. Your custom configurations haven't been lost however; they've been moved to the backups directory in /etc/raspap/backups.

You are free to SSH in to restore those files to their rightful position. However, you may need to ensure that the RaspAP modifications are applied to your own custom configurations.

I changed the admin password and forgot what it was. Help!

Login credentials are stored in /etc/raspap/raspap.auth. The password is encrypted and cannot be edited manually. However, deleting this file with sudo rm /etc/raspap/raspap.auth will restore the default admin password.

What are the steps to upgrade RaspAP?

Upgrading an existing install without changing your configuration is very straightforward. To upgrade to the latest release version, simply run the Quick Installer with the --upgrade option:

curl -sL https://install.raspap.com | bash -s -- --upgrade

The installer upgrade is idempotent, meaning it can be repeated an arbitrary number of times and the result will be as if it had been done only once. If you choose this method, you're done! Confirm the upgrade by checking the release version on the About page.

If you want to install a specific version you can do so by referencing a tag:

sudo git fetch --tags
sudo git checkout 2.5

A tag is a pointer that isn't connected to the main development tree that git knows about. As a result, git will reply that you're in a 'detached HEAD' state. This isn't a big deal, it just means that you have a specific version of the code that isn't connected to the git tree.

Alternatively, if you want the latest bleeding edge commits from the master branch, use the following:

sudo git checkout master
sudo git pull origin master

If you've customized your installation by editing config.php, update the release version in this file:

sudo nano /var/www/html/includes/config.php

Change the first line to the release version, save the file and exit. Note: RASPI_VERSION is only used on the About page; it does not affect any other functionality.

define('RASPI_VERSION', '2.5');

Finally, give the lighttpd service a kick with:

sudo systemctl restart lighttpd.service

Whichever method you choose (installer upgrade, specific release or latest updates), your RaspAP configuration won't be changed.

RaspAP control panel works but there is no WiFi after reboot.

This problem often occurs when another program tries to reconfigure hostapd at startup. It can also happen when your RPi is configured as both a WiFi client and access point, known as a 'managed mode' AP. To address this, RaspAP has added a systemd init service to bring up networking services in a predictable order and timing after the Linux kernel is booted. You can check the status of this service with:

sudo systemctl status raspapd.service

The raspapd.service is optionally installed and enabled by the Quick Installer. It is also included in the manual setup steps.

Do I need the RaspAP service to run at boot?

If you are using your RPi as a client on a WiFi network (also known as managed mode) and hosting an access point simultaneously, the raspapd.service will ensure that your hotspot is active after a reboot. It does this by detecting WiFi client AP mode, adding the uap0 interface and starting up networking services in a specific order.

If your RPi is configured with wired ethernet (eth0) or you haven't experienced problems with the AP starting on boot, you can disable the RaspAP daemon like so:

sudo systemctl disable raspapd.service

How do I integrate RaspAP with Pi-hole?

There have been several discussions around integrating RaspAP with Pi-hole, with the end goal of hosting a complete AP and ad-blocker on a single device. Both projects rely on dnsmasq, so integration between them is tricky. There are now several options available to users of RaspAP.

One option is to configure RaspAP to use a Pi-Hole installation on a separate device. Go to RaspAP's DHCP Server > Advanced page and enable the "Upstream DNS Server" option, add your Pi-Hole's DNS, save settings and restart dnsmasq.

Alternatively, you can run Pi-Hole and RaspAP on the same device by operating RaspAP in bridged mode. Go to RaspAP's Hotspot > Advanced settings page, enable the "Bridged AP mode" option and restart your hotspot.

Finally, and by popular demand, RaspAP has released its own ad blocking facility with support for custom blocklists.

Can I integrate RaspAP with Adguard Home?

Yes, you can run RaspAP and Adguard Home on the same device. Change Adguard Home’s listening port to 5300 and bind to 127.0.0.1, then go to RaspAP's > DHCP Server > Advanced page and enable the "Upstream DNS Server". Add 127.0.0.1#5300 as an upstream DNS Server. Save settings and restart dnsmasq. Tip via @firestrife23

Can I configure RaspAP to work with a captive portal?

Yes, the nodogsplash project works just fine with RaspAP and is recommended over other methods. A detailed setup guide is available here.

How do I create an AP activation schedule?

This is a common function in consumer wireless routers. For example, let's assume you want to disable your AP on Monday through Friday between 02:00 and 08:00. You can implement this with cron to stop/start RaspAP's service control script at certain times. Run sudo crontab -e and add entries like so:

# Stop RaspAP services at 02:00 on Monday through Friday
0 2 * * 1-5 sudo /etc/raspap/hostapd/servicestart.sh --action stop

# Start RaspAP services at 08:00 on Monday through Friday
0 8 * * 1-5 sudo /etc/raspap/hostapd/servicestart.sh --seconds 3

For help with crontab, head over to crontab.guru.

Why can't I access wireless mode 'N' (802.11n)?

On the Configure hotspot > Security tab, be sure to select CCMP for the Encryption Type. Save the settings and restart the hotspot. The wireless mode should be reported on clients as 802.11b/g/n.

RaspAP:
  PHY Mode:		802.11n
  Channel:		1
  Network Type:		Infrastructure
  Security:		WPA2 Personal
  Signal / Noise:	-49 dBm / -86 dBm
  Transmit Rate:	73

If using TKIP for encryption with WPA, you will be restricted to 54 Mb/s. This is because the IEEE 802.11n draft prohibits using high throughput with WEP or TKIP ciphers.

How do I prepare the SD card to connect to WiFi in headless mode?

Since May 2016, Raspbian has been able to copy wifi details from /boot/wpa_supplicant.conf into /etc/wpa_supplicant/wpa_supplicant.conf to automatically configure wireless network access.

An example wpa_supplicant.conf file is shown below. Replace the fields with your settings:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=your_ISO-3166_two-letter_country_code

network={
    ssid="my_SSID"
    psk="my_PSK"
    key_mgmt=WPA-PSK
}

Can I configure a managed mode AP without using the UI?

Let's assume you are creating a Raspbian image (or other supported OS) with scripts that setup RaspAP at first startup. In this scenario, to configure a managed mode AP you must manually connect via a browser, make some changes via the UI and then save your settings. This can be also be done programmatically. Assuming you have wpa_supplicant.conf fully populated, set the following values in /etc/raspap/hostapd.ini:

LogEnable = 0
WifiAPEnable = 1
BridgedEnable = 0
WifiManaged = wlan0

substituting wlan0 for your AP interface, if necessary. You may then restart the raspap daemon with sudo systemctl restart raspapd.service.

Managed mode AP doesn't work on the Pi Zero W. Help!

See this walkthrough where the installation is described in detail.

Can I use wlan0 and wlan1 rather than eth0 for my AP?

Yes, this is supported by RaspAP. In this scenario, you may wish to use the wlan0 interface as a wireless client with wlan1 as the AP interface. Follow the steps below to enable this configuration:

  1. Bind the two adapters with the interface names wlan0 and wlan1.
  2. Select wlan1 as the AP interface in Hotspot and Save Settings.
  3. Do not enable the Wifi AP (AP-STA) mode option. This is only needed when the client and AP are utilizing the same wlan adapter.
  4. (Re)start the hotspot.

ℹ️ Important: Be aware that external WiFi adapters (ie, USB "dongles") vary greatly in terms of hardware capabilities and driver support. Many do not have support for AP mode, require a powered USB hub, manual driver and/or firmware installation or are otherwise not well suited for this application.

Recommended adapters such as the Edimax 7811Un and Ralink RT5370 work out of the box with Raspberry OS (32-bit) Buster Lite. Adapters that require compiling of third-party drivers or other workarounds can be problematic. For this reason, you must verify your adapter before reporting an issue with this feature.

Can I use RaspAP as a monitor only, without changing my configuration?

Yes, RaspAP has support for a so-called "monitor mode". In config.php change the setting RASPI_MONITOR_ENABLED to true. This disables the ability to modify settings, start/stop daemons, shutdown or reboot the RPi. RaspAP will continue to report interface statistics, service settings and data usage as normal.

WiFi scanning doesn't work or I get the error cannot execute "wpa_cli reconfigure". Help!

On some configurations, the Configure WiFi client panel may appear empty. This project uses the wpa_supplicant command line client wpa_cli to populate a list of available wireless networks. If you can't execute this from the shell, neither can the web UI. For example, the results of this command:

sudo wpa_cli -i wlan0 scan_results
Failed to connect to non-global ctrl_ifname: wlan0  error: No such file or directory

indicate a problem with the socket used to communicate with wpa_supplicant. You may also encounter errors such as "Could not connect to wpa_supplicant: wlan0 - re-trying".

If this happens, first check the contents of wpa_supplicant with sudo cat /etc/wpa_supplicant/wpa_supplicant.conf. You should see, at minimum, the following:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

The above is present on clean installs of Raspbian. If you've made changes to this file, ensure that these lines appear first. Next, reinitialize the socket with:

sudo wpa_supplicant -B -Dnl80211,wext -c/etc/wpa_supplicant/wpa_supplicant.conf -iwlan0

substituting wlan0 with your wireless interface, if necessary. You should then be able to perform scans as expected.

Can the Quick Installer accept the default options without prompting me?

Yes, the Quick Installer has a non-interactive mode that lets you perform unattended setups. This mode assumes "yes" as an answer to all prompts. You can do an unattended install of RaspAP by appending the --yes command-line option, like so:

curl -sL https://install.raspap.com | bash -s -- --yes

The options -y or --assume-yes are also accepted and have the same result.

Can I configure an alternate port for RaspAP's web service?

Yes, you can now do this from the Advanced tab in System. Manual steps for changing lighttpd's default port are included below.

Edit /etc/lighttpd/lighttpd.conf and change the following line:

server.port                 = 8080

then give the service a kick...

sudo systemctl restart lighttpd.service

You can then access RaspAP as before with the new port number in the URI, for example, http://raspberrypi.local:8080. This will allow you run another web server alongside lighttpd, if that is your goal.

Can I use RaspAP with my custom dnsmasq configuration?

Yes, RaspAP supports this through the use of dnsmasq.d. The primary /etc/dnsmasq.d/090_raspap.conf managed by the UI includes the following directive to enable your custom .conf files:

conf-dir=/etc/dnsmasq.d

Configuration files placed in this directory will be used by the dnsmasq service and are untouched by the UI.

OpenVPN fails to start and/or I have no internet. Help!

RaspAP supports OpenVPN clients by uploading a valid .ovpn file to /etc/openvpn/client and, optionally, creating a login.conf file with your client auth credentials. Additionally, in line with the project's default configuration, the following iptables rules are added to forward traffic from OpenVPN's tun0 interface to your configured wireless interface (wlan0 is the default):

-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT

It is your responsibility to provide a valid .ovpn file; RaspAP does not attempt to validate the settings or RSA keys contained in this file. If OpenVPN fails to start, check for errors with sudo systemctl status openvpn-client@client and journalctl --identifier openvpn.

OpenVPN works but I have partial or no internet access. Help!

Issues like this are frequently reported. Begin by confirming the status of your connection:

$ sudo systemctl status openvpn-client@client
● openvpn-client@client.service - OpenVPN tunnel for client
   Loaded: loaded (/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-06-12 15:45:41 CDT; 1min 39s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 2689 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 2200)
   Memory: 1.1M
   CGroup: /system.slice/system-openvpn\x2dclient.slice/openvpn-client@client.service
           └─2689 /usr/sbin/openvpn --suppress-timestamps --nobind --config client.conf

You can also use journalctl --identifier openvpn to identify any errors. If your internet access is intermittent or otherwise degraded with the openvpn-client active, the next step is to test your connection for packet loss and latency. There are many Linux tools you can use to diagnose your network. mtr is a good choice as it combines functionality of the traceroute and ping programs. Install and use it to perform your own evaluation:

sudo apt install mtr -y
sudo mtr -rwc 50 -i 0.2 -rw duckduckgo.com

Start: 2020-06-13T11:42:26+0100
HOST: raspberrypi                                Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.254                              0.0%    50   26.8  27.1  26.5  31.4   0.8
  2.|-- somerouter.net                            88.0%    50   392.0 390.4 362.1 596.7  1.2

The results are reported as round-trip response times in milliseconds and the percentage of packet loss. If you see loss and/or latency like the above example, report it to your VPN provider or find another one. Read this for more on interpreting mtr results.

Protip: free VPNs are frequently oversubscribed and usually not worth the trouble.

OpenVPN is enabled but I am still blocked from country restricted websites. Help!

Remote hosts use a variety of methods to defeat VPNs, some more aggressively than others. Many VPN providers will advise you to configure custom DNS servers to mitigate DNS leaks, which you can do from RaspAP's DHCP > Advanced tab. Others have specific VPN nodes to use with popular streaming services.

Several users have reported that Firefox's DNS-over-HTTPS (DoH) has created problems with their VPN, in effect creating a DNS leak from the browser that circumvents RaspAP's DNS settings. Be sure to disable this "feature" when using a VPN service.

If you suspect network traffic is not being routed through tun0 (or any other interface) for some reason, you can monitor this directly from your RPi with iftop:

sudo apt install iftop
sudo iftop -i [interface]

How do I exclude NAT rules from IP traffic on localhost?

RaspAP's Quick Installer configures network-address-translation (NAT) with iptables rules, so that the RPi can act as an internet gateway to multiple hosts on a local network with a single public IP address. This is done by rewriting the addresses of IP packets as they pass through the NAT system. Many access points, including RaspAP, use a combination of IP forwarding and masquerading to achieve this.

In some cases, NAT rules applied to localhost can interfere with other services running on an RPi. An example is the Plex Media Server, which has an API that listens on localhost. As of this writing, the Plex API has been built to not authenticate communication between service processes of the server. This can cause a failure to communicate with the Plex API or similar add-on services on your RPi.

The solution is to add a NAT rule ahead of the rule RaspAP installs to not apply NAT to connections destined to 127.0.0.0/8:

$ sudo iptables -t nat -I POSTROUTING -d 127.0.0.0/8 -j ACCEPT

The resulting iptables chain should look something like this:

$ sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 31 packets, 4810 bytes)
 pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 31 packets, 4810 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 23 packets, 1338 bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   17 999 ACCEPT all -- * * 0.0.0.0/0 127.0.0.0/8
   2422 158K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0

Refer to this issue.

Why is the 802.11ac 5GHz wireless mode option disabled in Configure hotspot?

Short answer: because of wireless regulatory restrictions for your country. If the AC option is disabled on your RPi, there are two small configuration changes you can make to enable it. First, configure your RPi's wireless regulatory domain with sudo iw reg set US. Next, on the Advanced tab of Configure hotspot, choose "United States" as the country code and save settings. You can now choose 802.11ac from the wireless mode select on the Basic tab.

Choosing the AC wireless mode will populate the supported 5 GHz channels for you.

Longer answer: AC support is not simply a function of your device's hardware capabilities. It must also take into account regulatory restrictions of the wireless spectrum. The regulatory info for brcmfmac, the kernel driver that supports the Broadcom wireless chipset, is embedded in the firmware of RPi models 3B+ and 4. There are lots of international issues with WiFi that restrict channel use, transmission power, etc. on a regional and per-country basis. As a result, only combinations of certain frequencies (channels) and countries are capable of hosting an AC access point with the RPi's wireless adapter.

If the country configured on your RPi does not allow use of a particular segment of the 5 GHz wireless spectrum, an AC configured AP will fail to start. Errors like these are common:

nl80211: Failed to set channel (freq=5180): -22 (Invalid argument)
hostapd: Could not set channel for kernel driver

In testing, stable AP's on the RPi's supported AC channels were only reliably obtained with 'US' as the regulatory domain. To get a list of the supported channels on your RPi for the 2.4 and 5 GHz bands, use iw phy phy0 channels. Refer to this issue.

I think my country allows 5 GHz AP channels. Can I test this?

Yes, you can. In the spirit of experimentation, this project allows you to override RaspAP's default configuration. The file wireless.json contains the regulatory domains and channels for the 2.4 and 5 GHz bands. Add a valid ISO Alpha-2 country code to the list of 5Ghz_max48ch countries and save the file. Next, edit includes/config.php and add the same country to this constant:

// Constant for the 5GHz wireless regulatory domain
define('RASPI_5GHZ_ISO_ALPHA2', array('US'));

The Configure hotspot page will now let you select AC as a wireless mode option for your country. If you succeed in creating a stable AP, feel free to share your results in this issue.

Note: it is recommended to monitor logs such as dmesg and the hostapd error log (available in the Logfile output tab of RaspAP) while doing this. Bug reports like "AC doesn't work" and/or troubleshooting requests will not be considered. No hard feelings.

Why is the maximum throughput of my 802.11n AP reduced by half?

In order to achieve optimal throughput with 802.11n, the wireless stream must operate at a 40 MHz wide channel on the 2.4 GHz band. A 20 MHz channel will restrict you to 72 Mbps. Your hostapd.conf might have the required settings, but this is no guarantee of a 40 MHz channel.

In practice, this can be quite difficult due to interference on the 2.4 GHz band. There are many things that will cause an AP to fallback to 20 MHz. The most common reason is if an AP detects another wireless network within 40 MHz, i.e. two channels, of its own channel. For example, if an AP is set to channel 6, another network operating anywhere from channel 4 to 8 will trigger a fallback. hostapd will usually report a fallback like so:

20/40 MHz operation not permitted on channel pri=3 sec=7 based on overlapping BSSes

For more information on optimizing 802.11n, refer to this resource.

Generally speaking, the 5 GHz band has substantially greater capacity due to more non-overlapping radio channels and less radio interference as compared to the 2.4 GHz band.

What breaks RaspAP when Docker is installed on the same system and how I can fix it?

Installing RaspAP after installing Docker often results in connected clients not having internet access from the AP. The reason for this is Docker manipulates iptables rules to provide network isolation. Docker installs two custom iptables chains named DOCKER-USER and DOCKER, and it ensures that incoming packets are always checked by these two chains first. Docker also sets the policy for the FORWARD chain to DROP. When RaspAP is started in its default router mode, this will result in the AP not forwarding any traffic anymore. If you want RaspAP to continue functioning as a router, you can add explicit ACCEPT rules to the DOCKER-USER chain to allow it:

sudo iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT

Additional info here.

How do I remove RaspAP?

We have provided an uninstall script to remove RaspAP cleanly, and also restore any backups of your configuration that were created before RaspAP was installed. The uninstall script is located in installers/uninstall.sh. To start the uninstaller, simply run the following from the project root folder (default location is /var/www/html):

cd /var/www/html
sudo installers/uninstall.sh