Google is committed to advancing racial equity for Black communities. See how.

Wi-Fi Access Point Setup for OpenThread Border Router

A Wi-Fi access point (AP) connects a Thread network to the internet.

A Raspberry Pi (RPi) functioning as an OpenThread Border Router (OTBR) may also serve as a Soft Access Point (SoftAP). This SoftAP acts as a DHCP server to assign IPv4 addresses to the RPi and any devices used as External Commissioners.

The BeagleBone Black does not have built-in Wi-Fi support, and cannot be used as a Wi-Fi Access Point.

All configuration and terminal commands occur on a RPi running OTBR. See Build and Configuration for more information.

The RPi must be connected to the internet via Ethernet (eth0 interface, as displayed in the output of the ifconfig command) to successfully serve as a SoftAP.

If you ran the OTBR setup script without disabling NETWORK_MANAGER, as described in Build and Configuration, the Wi-Fi AP has already been configured. Skip down to Using Network Manager for more information.

Install packages

Three packages are required:

  • hostapd — Allows use of a device's built-in Wi-Fi radio as an AP
  • dnsmasq — A combined DHCP and DNS server
  • tayga — Stateless NAT64
sudo apt-get install hostapd dnsmasq tayga

Configure static IPv4 addresses

In newer Raspbian versions, interface configuration is handled by dhcpcd by default. Disable dhcpcd for the interface and manually configure static IPv4 addresses for the SoftAP.

  1. Update dhcpcd to ignore the wlan0 (Wi-Fi) interface:
    1. Open the dhcpcd configuration file:
      sudo vim /etc/dhcpcd.conf
    2. Add the following line to the end of the file:
      denyinterfaces wlan0
  2. Configure static IPv4 addresses on the wlan0 interface:
    1. Create a configuration file for the wlan0 interface:
      sudo vim /etc/network/interfaces.d/wlan0
    2. Add the following configuration parameters to the wlan0 file:
      allow-hotplug wlan0
      iface wlan0 inet static

Configure hostapd

  1. Create a new hostapd configuration file:
    sudo vim /etc/hostapd/hostapd.conf
  2. Add the following configuration parameters to hostapd.conf:

    # The Wi-Fi interface configured for static IPv4 addresses
    # Use the 802.11 Netlink interface driver
    # The user-defined name of the network
    # Use the 2.4GHz band
    # Use channel 6
    # Enable 802.11n
    # Enable WMM
    # Enable 40MHz channels with 20ns guard interval
    # Accept all MAC addresses
    # Use WPA authentication
    # Require clients to know the network name
    # Use WPA2
    # Use a pre-shared key
    # The network passphrase
    # Use AES, instead of TKIP
  3. Set this new configuration file as the default daemon:

    1. Open the default configuration file:
      sudo vim /etc/default/hostapd
    2. Enable the DAEMON_CONF parameter and point it to the new hostapd configuration file:
  4. Bootstrap the hostapd daemon automatically upon reboot:

    1. Unmask and manually start hostapd in case it is masked:
      sudo systemctl unmask hostapd
      sudo systemctl start hostapd
    2. Create a service configuration file for hostapd:
      sudo vim /etc/systemd/system/hostapd.service
    3. Add the following configuration parameters to hostapd.service:

      Description=Hostapd IEEE 802.11 Access Point
      ExecStart=/usr/sbin/hostapd -B /etc/hostapd/hostapd.conf -P /var/run/
    4. Open the /etc/rc.local file:

      sudo vim /etc/rc.local

    5. Add the following at the end of the file, before the exit 0 line:

      sudo service hostapd start

Verify the access point

Once hostapd is configured, the SoftAP should be live (though without internet connectivity).

To verify, reboot the RPi:

sudo reboot

After reboot, check for wireless networks on another device. You should see the BorderRouter-AP SSID.

Configure dnsmasq

  1. For ease of configuration, if a default dnsmasq configuration file already exists on your system, move it and create a new one:
    sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
    sudo vim /etc/dnsmasq.conf
  2. Add the following configuration parameters to dnsmasq.conf:

    # The Wi-Fi interface configured for static IPv4 addresses
    # Explicitly specify the address to listen on
    # Bind to the interface to make sure we aren't sending things elsewhere
    # Forward DNS requests to the Google DNS
    # Don't forward short names
    # Never forward addresses in non-routed address spaces
    # Assign IP addresses between and with a 12 hour lease time
  3. The bind9 service might conflict with dnsmasq during start up. To ensure there is no conflict, update the bind9 service to not start until dnsmasq has started. Open the /lib/systemd/system/bind9.service file:

    sudo vim /lib/systemd/system/bind9.service

  4. Modify the After parameter so bind9 starts after dnsmasq:

    " dnsmasq.service"

Configure NAT

Network Address Translation (NAT) is a method of translating IP addresses while packets are in transit. NAT64 translates addresses between IPv6 and IPv4.

OTBR uses tayga for stateless NAT64, iptables for stateful NAT44, and combines the two to provide stateful NAT64. This allows Thread devices to communicate with IPv4 hosts. See the Tayga documentation for more information.

Configure tayga

  1. Create the configuration:
    1. Open the /etc/tayga.conf file:
      sudo vim /etc/tayga.conf
    2. Update the file with the following configuration:
      prefix 64:ff9b::/96
      ipv6-addr 2001:db8:1::1
  2. Enable tayga:
    1. Open the /etc/default/tayga file:
      sudo vim /etc/default/tayga
    2. Change the RUN parameter to yes:

In this configuration, ipv6-addr is optional. If ipv6-addr is not defined, tayga generates it for you from the prefix parameter.

Configuration parameters

prefixSince Tayga provides stateless NAT64, a /96 or greater prefix is required to map all of IPv4 to IPv6. This parameter should be an unused /96 prefix from your IPv6 address range. For OTBR, use the Well-Known Prefix (64:ff9b::/96) to enable automatic address translation.
dynamic-poolRequired for Tayga to map IPv6 to IPv4. Set to an IPv4 network.
ipv6-addrRequired for Tayga to act as an IPv6 router. When using the Well-Known Prefix for the prefix parameter, this address should be one that is not included in prefix.
ipv4-addrRequired for Tayga to act as an IPv4 router. This address should be one that is included in dynamic-pool.

Enable forwarding

  1. Enable IPv4 and IPv6 forwarding:
    sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
    sudo sh -c "echo 1 > /proc/sys/net/ipv6/conf/all/forwarding"
  2. To ensure IPv4 forwarding remains enabled after reboot, also update the sysctl configuration file:
    1. Open the /etc/sysctl.conf file:
      sudo vim /etc/sysctl.conf
    2. Uncomment the IPv4 forwarding parameter and ensure it's set to 1:
  3. Configure NAT with iptables:
    1. Enable NAT 44:
      sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    2. Configure FILTER between the wlan0 (Wi-Fi) and eth0 (Ethernet) interfaces:
      sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
      sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
  4. Apply these NAT rules automatically upon reboot:
    1. Save the rules to the /etc/iptables.ipv4.nat file:
      sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
    2. Open the /etc/rc.local file:
      sudo vim /etc/rc.local
    3. Add the following at the end of the file, before the exit 0 line:
      iptables-restore < /etc/iptables.ipv4.nat

Verify the configuration

  1. Reboot the Raspberry Pi:
    sudo reboot
    OTBR Web GUI Home
  2. After reboot, connect a different device (not the RPi) to the BorderRouter-AP Wi-Fi access point.
  3. Open a browser window on that device and navigate to (the IPv4 address configured for the wlan0 interface). If the AP configuration is successful, the OTBR Web GUI loads.

The BorderRouter-AP Wi-Fi access point should also provide regular internet connectivity. Verify by visiting or pinging any public website from a device connected to the BorderRouter-AP Wi-Fi access point.


If the BorderRouter-AP Wi-Fi access point is not available, check the system status of the RPi:

sudo systemctl status

If the status shows the RPi in a degraded state, check which services have failed to start:

sudo systemctl --failed

If the AP was set up manually and any of the required OTBR services have failed to start:

  1. Go back through the configuration steps in Build and Configuration and Wi-Fi Access Point Setup and check for errors.
  2. Reboot the RPi or use the server script to stop and restart required OTBR services:
cd ot-br-posix
./script/server NETWORK_MANAGER=0

Using Network Manager

When the AP is automatically setup during installation, it is managed by Network Manager. The OTBR setup script uses the same default values detailed in the manual setup:

  • SSID = BorderRouter-AP
  • Password = 12345678

Control Network Manager using the nmcli command line tool.

For example, to display all information related to the AP once OTBR is up and running:

nmcli -s c show BorderRouter-AP

For more information, see the OTBR Network Manager script/script/_network_manager).