WPA and MAC locking with OpenWRT Kamikaze (7.09)

I've finally got round to sorting out OpenWRT on a spare wireless router I have, and in the process of getting things working as I want, I thought I'd document the process.

Please note that these instructions are Atheros (madwifi) specific: the driver is configured through /lib/wifi/madwifi.sh and iwpriv. If your OpenWRT device is based on a Broadcom chipset, most of this won't apply.

Firstly (and well hidden in the documentation), to get WPA or WPA2 working you'll need to install hostapd. If you just want regular WPA-PSK (a shared passphrase, no RADIUS server) then hostapd-mini will do:

ipkg install hostapd-mini

If you want to use WPA with RADIUS support (WPA-Enterprise, i.e. 802.1X authentication) then you'll need the full hostapd:

ipkg install hostapd

Once this is done, you can set the wireless to wpa mode in /etc/config/wireless. Mine looks like this:

config wifi-device  wifi0
    option type     atheros
    option channel  1

config wifi-iface
    option device   wifi0
    option network  lan
    option mode     ap
    option ssid     OpenWrt
    option encryption psk
    option key thisisnotreallymywpakey

Use 'psk' or 'psk2' for WPA in regular shared-key mode; 'wpa' or 'wpa2' means WPA-Enterprise with a RADIUS server, and won't work without further configuration (and the full hostapd). Prefer wpa2/psk2 if you can: psk2 gives you WPA2 with AES-CCMP, whereas plain psk is WPA1 with TKIP, which has known weaknesses. Not all client devices support WPA2, though. Whichever you pick, the shared key is only as strong as the passphrase - anyone who captures the four-way handshake can run an offline dictionary attack against it, so use a long random passphrase (or a 64-hex-digit raw key) rather than a word. WEP should be avoided wherever possible - WEP keys can be recovered in a few minutes these days.

Run the 'wifi' command to reinitialise the wireless configuration and you should be able to connect to the access point using WPA. If it has worked, running 'iwconfig' on the router should show a line like: Encryption key:AABB-CCDD-EEFF-0011-2233-4455-6677-8899 (the value shown here is just an example).
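The key in the config above is deliberately not a real one, and hostapd will accept any 8 to 63 printable characters as a passphrase, however guessable. The following is an added example for this post (not OpenWRT or hostapd code) that generates a raw 256-bit key suitable for 'option key' and checks a candidate key against hostapd's own limits: a passphrase of 8-63 printable ASCII characters, or exactly 64 hex digits. How a given OpenWRT release passes 'option key' through to hostapd is an assumption here; check /lib/wifi/madwifi.sh on your build.

```shell
#!/bin/sh
# Added example (not OpenWRT or hostapd code): generate a raw WPA-PSK and check a
# candidate 'option key' value against hostapd's limits. Assumes the key is handed to
# hostapd as a passphrase when 8-63 characters and as a raw PSK when 64 hex digits.

# gen_psk: 32 random bytes from /dev/urandom as 64 lowercase hex digits. There is no
# dictionary to run against a key like this, unlike a word that passes check_psk.
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# check_psk KEY: prints raw-psk, passphrase or invalid.
check_psk() {
    key=$1
    len=${#key}
    if [ "$len" -eq 64 ] && [ -z "$(printf '%s' "$key" | tr -d '0-9a-fA-F')" ]; then
        echo raw-psk
    elif [ "$len" -ge 8 ] && [ "$len" -le 63 ] \
         && [ -z "$(printf '%s' "$key" | LC_ALL=C tr -d ' -~')" ]; then
        echo passphrase           # syntactically fine, but may still be guessable
    else
        echo invalid
    fi
}

# Demo: the placeholder key from the config above beside a generated one.
check_psk thisisnotreallymywpakey   # passphrase
check_psk short                     # invalid (fewer than 8 characters)
psk=$(gen_psk)
check_psk "$psk"                    # raw-psk
printf 'option key %s\n' "$psk"     # paste this into the wifi-iface section
```

Run it on any box with /dev/urandom and paste the printed 'option key' line into the wifi-iface section; the router never needs to generate the key itself.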

I also wanted MAC address locking, which hasn't made it into the current release yet, although it does appear to be in the CVS repository. I lifted the current 'standard' configuration, so this should be compatible with future releases, but I added some extra code to pull MAC addresses out of /etc/ethers as well, which is used for static DHCP entries, as there's no point duplicating these. This extra bit doesn't make much sense if you're going to be using MAC address locking as a blacklist, so bear that in mind if you make this change.

The following additions are to /lib/wifi/madwifi.sh

--- madwifi.orig        2008-04-06 12:07:45.000000000 +0100
+++ madwifi.sh  2008-04-06 12:07:45.000000000 +0100
@@ -194,6 +194,38 @@    
                        iwconfig "$ifname" rts "${rts%%.*}"

+               config_get maclist "$vif" maclist
+               [ -n "$maclist" ] && {
+                       # flush MAC list
+                       iwpriv "$ifname" maccmd 3
+                       for mac in $maclist; do
+                               echo "Adding mac: $mac"
+                               iwpriv "$ifname" addmac "$mac"
+                       done
+               }
+               ## Remove this if you're doing MAC blacklisting
+               [ -e "/etc/ethers" ] && {
+                       # add ethers entries to mac acls
+                       for mac in `cut -f 1 /etc/ethers`; do
+                               echo "Adding mac: $mac"
+                               iwpriv "$ifname" addmac "$mac"
+                       done
+               }
+               config_get macpolicy "$vif" macpolicy
+               case "$macpolicy" in
+                       allow)
+                               iwpriv "$ifname" maccmd 1
+                       ;;
+                       deny)
+                               iwpriv "$ifname" maccmd 2
+                       ;;
+                       *)
+                               # default deny policy if mac list exists
+                               [ -n "$maclist" ] && iwpriv "$ifname" maccmd 2
+                       ;;
+               esac
                ifconfig "$ifname" up
                iwconfig "$ifname" channel "$channel" >/dev/null 2>/dev/null
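Review bot: `cut -f 1 /etc/ethers` in the ethers loop splits on a literal tab only, so a space-separated ethers(5) entry such as `00:11:22:33:44:55 laptop` is passed whole to `iwpriv addmac`, and comment and blank lines are fed in as well; `awk '!/^[[:space:]]*#/ && NF { print $1 }' /etc/ethers` would add just the first field of real entries. Two ordering problems in the same hunk: the `maccmd 3` flush lives inside the `[ -n "$maclist" ]` block, so when only /etc/ethers supplies addresses the driver's list is appended to on every `wifi` run rather than rebuilt, and the default `*)` branch only enables a policy when `maclist` is set, so an ethers-only configuration adds addresses without ever enforcing them. Flushing before both loops and basing the default on whether anything was actually added would fix both. The `echo "Adding mac: $mac"` lines are debug output in a script that runs at boot; consider dropping them.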

Then, to only allow approved MAC addresses to connect, add the following to /etc/config/wireless under the wifi-iface section, replacing the addresses in maclist with those of your own wireless devices:

    option maclist "00:00:00:00:00:01 00:00:00:00:00:02"
    option macpolicy allow

Rerun the 'wifi' command to load the new config and MAC address locking should be enabled. Bear in mind what this does and doesn't buy you: a client's MAC address goes over the air in the clear in every frame and is trivially changed on most operating systems, so MAC filtering keeps out casual and accidental connections but won't stop anyone prepared to sniff and spoof. Treat it as tidy-up on top of WPA2, not a substitute for it.
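Because the patch above pulls addresses straight out of /etc/ethers, a stray comment or a mistyped entry ends up being passed to iwpriv. The following is an added example for this post (not code from OpenWRT or from the madwifi.sh patch) that builds the same allow-list from a maclist option plus an ethers(5) file, but tolerates space- or tab-separated fields, skips comments and blank lines, drops anything that isn't a 48-bit MAC, flushes before adding, and only switches the allow policy on when at least one address made it through. The interface name ath0 and the sample ethers content are assumptions; on the router you would point it at /etc/ethers and pipe the output to sh.

```shell
#!/bin/sh
# Added example (not OpenWRT code): build a madwifi MAC allow-list from a maclist
# option plus an ethers(5) file, and print the iwpriv sequence that applies it.
# Interface name ath0 and the sample file below are assumptions for the demo.

# norm_mac MAC: print the address as lowercase colon-separated hex, or nothing if it
# is not a 48-bit MAC (so a typo in /etc/ethers never reaches iwpriv).
norm_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr '-' ':')
    case "$m" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$m" ;;
    esac
}

# ethers_macs FILE: first field of every real entry. awk splits on any run of
# spaces or tabs, where `cut -f 1` only honours a single tab.
ethers_macs() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# build_mac_acl MACLIST [ETHERS]: one valid, unique, lowercase MAC per line.
build_mac_acl() {
    maclist=$1
    ethers=${2:-/etc/ethers}
    {
        for m in $maclist; do norm_mac "$m"; done
        if [ -r "$ethers" ]; then
            for m in $(ethers_macs "$ethers"); do norm_mac "$m"; done
        fi
    } | sort -u
}

# acl_commands IFNAME ACL: iwpriv calls in the right order -- flush (maccmd 3), add
# each address, then enable the allow policy (maccmd 1) only if something was added,
# since an allow policy over an empty list would lock every station out.
acl_commands() {
    ifname=$1
    n=0
    printf 'iwpriv %s maccmd 3\n' "$ifname"
    for m in $2; do
        printf 'iwpriv %s addmac %s\n' "$ifname" "$m"
        n=$((n + 1))
    done
    if [ "$n" -gt 0 ]; then
        printf 'iwpriv %s maccmd 1\n' "$ifname"
    fi
}

# Constructed sample ethers file (example data, not from a real router).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# static DHCP leases
00:11:22:33:44:55 laptop
AA-BB-CC-DD-EE-FF    phone
zz:zz:zz:zz:zz:zz    typo-entry
EOF
acl=$(build_mac_acl "00:00:00:00:00:01 00:11:22:33:44:55" "$sample")
acl_commands ath0 "$acl"
rm -f "$sample"
```

Running it prints the flush, one addmac per surviving address (the duplicate and the typo entry are gone) and the final maccmd 1; on the router, `acl_commands ath0 "$acl" | sh` applies the list, and the same output makes a handy record of exactly which stations are allowed.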

One useful command to remember is 'wlanconfig ath0 list', which shows all associated MAC addresses along with their connection speed, mode and channel; it's the quickest way to check that only the stations you expect are actually connected.

Contact: site@spod.cx