OpenWrt Forum Archive

Topic: WDS + WPA works not with openWRT

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

I've got a problem with WDS in combination with WPA.
My configuration:
2x Linksys WRT54GS
OpenWrt White Russian RC4

I've tried all the how-tos I found on the Internet, but it doesn't work. WDS is running with WEP and WPA is running without WDS, but if I combine WPA with WDS, WDS will not establish a connection. Can anyone help me?

You can't use WPA with WDS without some trickery. Out of the box, RC4 cannot do it because of the way WPA works.

What is the trick?

I am using RC3 on a WRT54G v.1.0 and some intermediate CVS build from 1 Oct 2005 on an ASUS WL-500G Deluxe - where WDS + WPA works flawlessly without any messing around with odd stuff!

thesnoopy wrote:

I've tried all the how-tos I found on the Internet, but it doesn't work. WDS is running with WEP and WPA is running without WDS, but if I combine WPA with WDS, WDS will not establish a connection. Can anyone help me?

Yup, same here. I just set up 2x WRT54G v2.2 and one Asus WL-500G connected via WDS. For encryption I used PSK+AES. The nas crap is installed. This is a self-built (no modifications) post-RC4 White Russian release from Subversion with the revision 2813.

It really seems that since the watchdog or the hotplug scripts are involved, the WPA encryption is unusable! Btw, before I upgraded these three routers to White Russian I had the latest experimental from 2005.05.25 running successfully on them with WDS (PSK+AES) working.

In my situation the data transfer pauses for 2 seconds every minute, and overnight the connection freezes completely. I have to power cycle the 3 units to get it working again.

I will test it now with WEP encryption and will report here.

dev wrote:

What is the trick?

Going back to LAN cables and using OpenWrt only as a wired router, or using OpenVPN to encrypt wireless traffic. I think this is currently the best alternative. Never thought I would have to say this.

(Last edited by olli on 6 Jan 2006, 15:30)

Sorry for my late answer,
I've got it running!!
My problem was the variable wl0_crypto. If I set it to tkip or aes+tkip it will not work.
If I set wl0_crypto=aes it's working fine. My working config is:

wl0_afterburner=off
wl0_akm=psk
wl0_antdiv=3
wl0_ap_isolate=0
wl0_auth=0
wl0_auth_mode=psk
wl0_channel=3
wl0_closed=0
wl0_country_code=DE
wl0_crypto=aes
wl0_frameburst=off
wl0_gmode=1
wl0_ifname=eth1
wl0_infra=1
wl0_lazywds=0
wl0_maclist=<all macs>
wl0_macmode=allow
wl0_mode=ap
wl0_radio=1
wl0_ssid=wds_test
wl0_wds=<other ap>
wl0_wep=disabled
wl0_wpa_gtk_rekey=3600
wl0_wpa_psk=......

This config is working!!!
Can anyone explain why it is not working if I change to wl0_crypto=aes+tkip???

As far as I understand it, there must be one authenticator and one or more supplicants. But what happens if one of the supplicants does not have direct WLAN contact to the authenticator? Will that work? Will WPA work on a very large scale with, let's say, 10 APs? Or is WEP the only working choice for that scenario?

I'm running WPA+WDS with 2 APs and both of them are authenticators, because I can connect to both with my laptop. I think you can use this for more than two APs.

So, finally the hotplug/watchdog issues are fixed in the latest pre-rc5 release images. Here on a test setup WPA/WPA2 works fine. You can get these images from people/nbd/whiterussian/.

The table below shows the available encryption types in White Russian:

Available WiFi encryption in White Russian
------------------------------------------

Mode                 WEP  WPA      WPA2     Comment
AP mode (WDS)        X    X (nas)  X (nas)
Bridged client mode  X    X        -        WPA2 broken due to bug in nas binary (won't fix)
Routed client mode   X    X        X (nas)

TKIP and AES should work on WPA/WPA2

Legend:
X       = available
X (nas) = available and the nas package is required
-       = not available

(Last edited by olli on 15 Jan 2006, 12:37)

Does nas support WPA-EAP in client mode?

If nas supports it, how can I configure it?
nas --help doesn't show anything and the wiki
page doesn't tell anything about WPA-EAP.

Regards,

In which way do you want to use wpa-eap?

Is there more than one way?

My wrt is configured in client mode.
My ISP supports wpa-eap now.

I have to authenticate myself against a radius
server. Every user has its own username/password.

I know how to do this with wpa_supplicant. Unfortunately this
won't work with the wrt54g.

olli wrote:

So, finally the hotplug/watchdog issues are fixed in the latest pre-rc5 release images. Here on a test setup WPA/WPA2 works fine. You can get these images from people/nbd/whiterussian/.

The table below shows the available encryption types in White Russian:

Available WiFi encryption in White Russian
------------------------------------------

Mode                 WEP  WPA      WPA2     Comment
AP mode (WDS)        X    X (nas)  X (nas)
Bridged client mode  X    X        -        WPA2 broken due to bug in nas binary (won't fix)
Routed client mode   X    X        X (nas)

TKIP and AES should work on WPA/WPA2

Legend:
X       = available
X (nas) = available and the nas package is required
-       = not available

I have RC-5 installed on my WRT54GS 1.0 and 1.1 and WDS still doesn't work with WPA2-PSK AES encryption (with WPA-PSK AES it is working well). I've got nas installed. Am I missing something?

olli, does WPA2 work for you with WDS on RC5?

Marek wrote:

olli, does WPA2 work for you with WDS on RC5?

No idea if it currently works. I don't use any kind of wireless stuff.

Marek, to make your life easy use a VPN like PPTP or OpenVPN. Both are known to work with OpenWrt.

My problem is that my present wlan network is based on WPA2 and I don't want to go to every user and change everything...
Now I want to connect some remote wired LAN to my network, but it is impossible with WPA2, so I decided to use WPA2 for wlan clients and WPA for WDS, but when I set 'psk psk2' on the main AP and 'psk' on the remote one the WDS doesn't work... (it works only when 'psk' is on both sides).
I read somewhere on this forum that it is possible to set separate settings for wlan clients and WDS (akm, crypto and even password!) by wl0_wds_***** nvrams. Is that true?

I tried client bridge too but it has some disadvantages: every wired client from the remote LAN is seen as the same MAC address... Client bridge mode is more suitable for my purposes because there is no wireless client which connects to the second AP, but it isn't a real transparent bridge... (correct me if I'm wrong).

(Last edited by Marek on 1 May 2006, 21:56)

If wpa is working with aes, why do you need wpa2?
Is there any security reason?

As far as I know, "no". (I am not sure about this.)
Just use psk and not psk2 with aes and you are ok.

I have posted a topic here, I think it was something like "wds+wpa+aes success" but I cannot remember exactly. Search for it. I have posted there my nvram variables and some notes.

I need WPA2 because, as I said, all my wlan users are configured for WPA2-PSK-AES and they will not be satisfied if I change 'something' all the time...
avalon, my "wds+wpa-psk+aes" works fine, but only if the main AP is in 'psk' mode ('psk2' and 'psk psk2' don't work).
I read somewhere that WPA2 is backward compatible and now I wonder, if I change my main AP to WPA-PSK-AES, maybe my WPA2-PSK-AES configured clients will be able to associate without any changes. If so I could connect the remote LAN via WDS+WPA-PSK+AES, but I'm not sure that WPA-AES is as strong as WPA2-AES.

AES is AES.
Only the key exchange algorithm may be different, but I haven't read something like this.
If you find something, please report.

comment:
As I read in http://www.ezlan.net/wpa_wep.html, I think that there is little to no drawback on using psk over psk2.

(Last edited by avalon on 5 May 2006, 10:40)
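
Added example (not part of any post above and not OpenWrt code): a small POSIX shell check that reads `nvram show`-style key=value lines and flags the wl0_akm and wl0_crypto values that posters in this thread reported as breaking WDS, namely anything other than wl0_crypto=aes and wl0_akm=psk. The function name wds_wpa_lint and the sample MAC address are made up for illustration; on the router the input would come from `nvram show`.

```shell
#!/bin/sh
# Added example, not OpenWrt code: lint `nvram show`-style key=value lines
# against the WDS+WPA results reported in this thread (White Russian, wl0).

# Reads key=value lines on stdin, prints one line per finding and returns
# the number of findings (0 = matches the setups reported as working).
wds_wpa_lint() {
    wds='' crypto='' akm='' findings=0
    # "|| [ -n ... ]" keeps a final line that has no trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        key=${line%%=*}
        val=${line#*=}
        case $key in
            wl0_wds)    wds=$val ;;
            wl0_crypto) crypto=$val ;;
            wl0_akm)    akm=$val ;;
        esac
    done
    if [ -z "$wds" ]; then
        echo "info: wl0_wds is empty, no WDS peer to check"
        return 0
    fi
    if [ -z "$akm" ]; then
        echo "wl0_akm is empty: the WDS link is not protected by WPA"
        return 1
    fi
    if [ "$akm" != "psk" ]; then
        echo "wl0_akm='$akm': posters reported WDS working only with 'psk'"
        findings=$((findings + 1))
    fi
    if [ "$crypto" != "aes" ]; then
        echo "wl0_crypto='$crypto': posters reported WDS working only with 'aes'"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample (MAC address is made up): the 'psk psk2' and 'aes+tkip'
# settings described as failing above.
wds_wpa_lint <<'EOF' || echo "findings: $?"
wl0_mode=ap
wl0_wds=00:11:22:33:44:55
wl0_akm=psk psk2
wl0_crypto=aes+tkip
EOF
```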

The discussion might have continued from here.