How to Create a WiFi Hotspot in Kali Linux: A Complete Guide

Turning the Kali Linux operating system into a fully-fledged WiFi access point isn't just a way to share the internet, but also a powerful tool for testing wireless network security. Many cybersecurity professionals use this feature to create isolated environments where they can safely run traffic sniffers or audit connected clients without risking the main infrastructure. Unlike standard distributions, this process requires a deep understanding of network interfaces and host management services.

Before you begin setting up, you need to make sure that your hardware supports the mode. Master Mode (Access Point Mode). Not all USB adapters or integrated modules can operate in this mode simultaneously with packet monitoring. If you plan to use this configuration for professional pentesting, choosing the right chipset is a critical step often overlooked by beginners.

In this guide, we'll walk you through the installation and configuration of key components: hostapd to manage wireless access and dnsmasq or isc-dhcp-server for distributing IP addresses. We won't rely on graphical utilities, as in Kali Linux, the most stable results are achieved by manually editing configuration files and using the command line.

Checking compatibility and preparing equipment

The first step is always to diagnose your wireless adapter. The standard drivers in the Linux kernel may not activate the necessary features by default, so we'll need a utility. iw or iwconfig To check the supported interface operating modes, enter the command iw list and carefully study the "Supported interface modes" section.

In the output of this command you should find the line AP (Access Point). If this mode is not supported by your device, you won't be able to create an access point using software—you'll need to replace the adapter. Realtek chipsets are most often problematic, while Atheros and some Ralink models demonstrate high stability.

It is also important to disable services that may conflict with the network being created. In particular, NetworkManager It often takes over interface control, causing settings to be reset immediately after applying them. To work in access point mode, it's best to temporarily disable this manager or configure it to ignore the specific device.

  • 📡 Check for AP mode support with the command iw list | grep -A 10"Supported interface modes".
  • 🛑 Stop NetworkManager with the command systemctl stop NetworkManager before starting the setup.
  • 💾 Make sure you have a backup access channel to the system (Ethernet or SSH), as WiFi will be disconnected.
  • 🔌 Use adapters with Atheros AR9271 or Ralink RT3070 chipsets for maximum compatibility.
📊 What adapter do you use for Kali Linux?
Built-in laptop (Intel/Realtek)
USB TP-Link (Atheros)
USB Alfa Network
Another external adapter
I don't know what chipset I have

Installation and basic configuration of Hostapd

The main daemon responsible for creating an access point is hostapdThis package allows you to turn a network interface into a base station that manages client authentication. Installation is performed using a standard package manager, but after installation, you must create your own configuration file, as the default settings often contain inoperable or insecure parameters.

Create a configuration file in the directory /etc/hostapd/. It is necessary to strictly specify the interface name (usually wlan0), driver (usually nl80211), and security parameters. Pay special attention to the field hw_mode: For the 2.4 GHz band, use the value 'g', and for 5 GHz, use 'a'. Incorrectly selecting the mode will result in clients simply not seeing the network.

interface=wlan0

driver=nl80211

ssid=Kali_Secure_Net

hw_mode=g

channel=6

wmm_enabled=0

macaddr_acl=0

auth_algs=1

ignore_broadcast_ssid=0

wpa=2

wpa_passphrase=StrongPassword123

wpa_key_mgmt=WPA-PSK

wpa_pairwise=TKIP

rsn_pairwise=CCMP

After configuring the file, you need to start the daemon. If the "Interface initialization failed" error occurs during startup, this almost always indicates a driver conflict or another process is using the interface. In such cases, restarting the network stack or forcibly shutting down the interface with the command ip link set wlan0 down before the start of the service.

⚠️ Attention: When using virtual machines (VirtualBox, VMware), the USB WiFi adapter must be forwarded before starting hostapd. If you connect the adapter after the service has started, the access point will not activate.

What to do if hostapd returns error "nl80211"

Could not configure driver mode"?

This error often occurs because the interface is in the "managed" state. Try the following sequence: ip link set wlan0 down, iw dev wlan0 set type monitor, ip link set wlan0 up. Then try running hostapd again.

Setting up a DHCP server to distribute addresses

Creating the network itself is only half the task. For connected clients to exchange data, they need an IP address, subnet mask, and gateway. For this purpose, a lightweight and fast daemon is most often used in Kali Linux. dnsmasq, which combines the functions of DHCP and DNS, or classic isc-dhcp-server.

Let's look at the setup dnsmasq, as it's less cumbersome for temporary access points. You need to create a configuration file that specifies the range of addresses to be distributed and the lease time. It's important to choose a subnet that doesn't overlap with your main network if you're also connected to the internet via Ethernet.

Example of minimal configuration for /etc/dnsmasq.conf includes a line dhcp-range=192.168.50.2,192.168.50.100,255.255.255.0,24hThis will reserve a pool of 99 addresses. It is also critical to specify the router option (dhcp-option=3,192.168.50.1), otherwise clients will not know where to send requests outside the local network.

Parameter Meaning Description
interface wlan0 Network interface for maintenance
dhcp-range 192.168.50.x Range of IP addresses issued
lease time 12h / 24h Duration of the address lease
gateway 192.168.50.1 Default gateway IP address

After setting up the configuration, start the service with the command systemctl start dnsmasqTo test the functionality, connect a smartphone or a second laptop: the device should automatically receive an address in the specified range. If the address is not assigned, check your firewall—it may be blocking UDP ports 67 and 68.

☑️ Checking the DHCP server

Completed: 0 / 5

Organizing routing and Internet access

To allow your access point's clients to access the outside world (for example, via an Ethernet cable), you need to enable IP forwarding in the Linux kernel. Without it, packets from wireless clients will reach your computer but won't be forwarded further into the global network. This is a fundamental operating mechanism for any router.

Enable forwarding with the command echo 1 > /proc/sys/net/ipv4/ip_forwardHowever, just enabling it isn't enough: you need to configure the rules. iptables to perform NAT (Network Address Translation). This will allow you to "hide" internal client addresses behind the external IP address of your primary interface.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

In the above code, replace eth0 to the name of your internet interface, and wlan0 to the name of your WiFi adapter. Interface name errors are the most common cause of internet downtime for clients. It's also worth adding a save option for iptables rules so they don't reset after a system reboot.

⚠️ Attention: If you're using a dynamic IP (DHCP) on the external interface, the interface name (e.g., eth0) may change when the cable is reconnected. In such cases, it's best to use rules tied to the interface name or NetworkManager hook scripts.

After applying the routing rules, perform a test ping from the client device to an external resource, for example, 8.8.8.8If the ping works, but websites don't open using domain names, the problem lies with the DNS. Make sure you've configured your DHCP settings to provide clients with public DNS server addresses.

Comparison of access point creation methods

There are several approaches to setting up an access point in Kali Linux, and the choice depends on your goals. You can use manual configuration via configuration files, which gives you complete control, or use specialized utilities that automate the process. Each method has its advantages and disadvantages.

Manual setup via hostapd And dnsmasq is the most flexible, but requires in-depth knowledge. An alternative is the utility create_ap, which combines all the necessary steps into a single script. However, in Kali Linux, third-party scripts can conflict with system updates, so manual control is considered more reliable for professionals.

Below is a table comparing the key features of the different approaches to creating an access point in a Linux environment.

Method Complexity Flexibility Stability
Hostapd + Dnsmasq (CLI) High Maximum Very high
create_ap utility Low Average Depends on the version
NetworkManager GUI Low Low Average
Linux Bridge Very high High High

For security auditing, the CLI (Command Line Interface) method is preferable. It allows for quick parameter changes on the fly, the implementation of connection logging scripts, and the integration of the access point into complex testing scenarios, such as the Evil Twin attack (for educational purposes).

Troubleshooting and Network Security

Even with proper configuration, connection or data transfer speed issues may still occur. The log file should be your first diagnostic tool. hostapd. Run the daemon in debug mode (by adding the flag -dd) to see a detailed handshake with the client. This will help identify issues with passwords or encryption.

In terms of security, creating an open access point in Kali Linux carries security risks. If you're testing your network, ensure you're using an isolated environment. Using WPA2 with a strong password is essential, even for testing purposes, to prevent connections from unauthorized users who might attempt to attack your machine.

Keep in mind that turning on hotspot mode makes your computer visible to everyone around you. Firewall should be configured to block incoming connections to all ports except those required for DHCP and DNS. Open SSH ports or web interfaces can become easy prey for attackers.

  • 🔍 Use tcpdump on the wlan0 interface to analyze passing traffic and search for anomalies.
  • 🔐 Always change (default) passwords and SSID to unique values ​​before starting.
  • 🚫 Disconnect the access point immediately after completing testing.
  • 📝 Keep a log of all connections (MAC addresses and time) for later analysis.

⚠️ Attention: Laws in many countries prohibit traffic interception and the creation of fake access points with legitimate network names without written permission from the infrastructure owner. Use this information only for (legal) purposes and on your own equipment.

Frequently Asked Questions (FAQ)

Why isn't my hotspot visible on iPhone or modern Android devices?

Modern devices may ignore networks operating on channels above 11 in the 2.4 GHz band or require specific encryption standards. Try hard-coding the channel (for example, channel=6) and use the WPA2-PSK combination with CCMP encryption. Also, check if the SSID is hidden.

Is it possible to create a hotspot and connect to WiFi at the same time?

This isn't possible with a single physical adapter, as the card can't simultaneously receive and transmit signals from different networks on the same frequency. You'll need a second WiFi adapter: one for connecting to the internet (Client mode) and one for distributing data (AP mode).

How to make an access point start automatically when Kali starts?

To do this, you need to create a systemd service. Create a file /etc/systemd/system/my-hotspot.service, in the [Service] section, enter the commands to start hostapd and dnsmasq, and then run systemctl enable my-hotspotThis will ensure that the network starts when the OS boots.

What is the maximum speed that customers will experience?

Speed ​​depends on the capabilities of your adapter, the WiFi standard (802.11n/g/b), and the CPU load when encrypting traffic. In access point mode on Kali Linux via USB adapters, actual speeds rarely exceed 20-30 Mbps due to OS and driver overhead.

Is it safe to use Kali Linux as a primary router?

No, it's not recommended. Kali Linux is not optimized for persistent traffic routing and may be less stable than dedicated router operating systems (OpenWrt, DD-WRT). Use this feature only temporarily for testing or auditing.