Andy Smith's Blog

Raspberry Pi Wi-Fi Honeypot

I wanted to turn my Raspberry Pi in to a "fake" wireless access point that would accept Wi-Fi connections without a password but sandbox all requests to a local web server, like some hotel Wi-Fi you might encounter.

It turns out that to achieve this you need a Wi-Fi dongle that supports "AP Mode". I ended up ordering an Edimax EW-7711UAN which has worked perfectly in AP mode with the pi so far.

For this tutorial I am assuming that your pi is physically connected to your network via a LAN cable (on eth0). We can't set this up over Wi-Fi because the Wi-Fi network is going to be sandboxed.


So, beginning with a fresh Raspian install I installed the following:

sudo apt-get install -y hostapd dnsmasq nginx
  • hostapd will allow you to receive connections on your dongle, as if it were a wireless router.

  • Dnsmasq will allow the pi to provide DNS and DHCP services which is the bare minimum we need to get the clients to "work" on the network.

  • Nginx is the web server we'll use to serve the dummy files on our sandboxed network.


First hostapd:

sudo touch /etc/hostapd/hostapd.conf
sudo nano /etc/hostapd/hostapd.conf

And paste the following:


We also need to tell hostapd where to find this config file:

sudo nano /etc/init.d/hostapd

Find the line:


And change it to:


This will set your pi up to accept unsecured connections. Don't do it if you don't know what you're doing.

Next up, dnsmasq:

sudo nano /etc/dnsmasq.conf

And paste the following (at the end of the file):


This will set up the DHCP server, resolve all DNS lookups to and log all queries to /var/log/dnsmasq.

Now, you may have noticed that we used there, the plan is to get the Wi-Fi adaptor listening on This is to segregate the open Wi-Fi connections from the regular network:

sudo nano /etc/network/interfaces

And replace the contents with:

auto lo

iface lo inet loopback
iface eth0 inet dhcp

iface wlan0 inet static
pre-up iptables-restore < /etc/iptables.rules

Then, let's put a message in our www directory:

sudo echo "<h1>hello!<h1>" > /usr/share/nginx/www/index.html

Finally, we want to lock down our pi so that anyone who gets on the open network can't get up to any funny business:

sudo iptables -F
sudo iptables -i wlan0 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -i wlan0 -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -i wlan0 -A INPUT -p udp --dport 53 -j ACCEPT
sudo iptables -i wlan0 -A INPUT -p udp --dport 67:68 -j ACCEPT
sudo iptables -i wlan0 -A INPUT -j DROP

sudo sh -c "iptables-save > /etc/iptables.rules"

Let's set up all these services to start on startup so it will just work each time we turn it on:

sudo update-rc.d nginx defaults
sudo update-rc.d hostapd defaults
sudo update-rc.d dnsmasq defaults

Now make sure this will work on boot by turning it off and on again:

sudo reboot


If you do a Wi-Fi search on your laptop or phone you should now see "NotFreeWifi". If you connect and type in "" you should get the message we wrote out earlier.


Now if you're a normal human being you've probably just blindly pasted these commands in to your shell. If you'd like to know what you've set up, then read on!

Using hostapd we've set up our wireless dongle to take unsecured (no passwords) connections using the SSID "NotFreeWifi". This will allow anyone with Wi-Fi on their laptop or phone or whatever to connect to the pi.

On it's own this won't do much - clients won't be able to do anything once they connect -so we've setup Dnsmasq to give clients I.P. addresses and tell them use (the pi's I.P.) as a gateway.

We've also used Dnsmasq to provide a DNS server which we've (rather sneakily) set up to give the address to any request. So if someone tries to visit, we tell them the address is

Finally we've set up a webserver on the pi - so when users do try and go to they actually connect to our pi - where we say hello to them.


I've been running this on my pi for a week now and because of it's location I wasn't expecting to get any connections. Which is why I was pretty surprised to see that 5 people who weren't me have connected:

sudo cat /var/log/dnsmasq.log  | grep provides | awk '{print $9}' | sort | uniq


Comments !