I wrote a script to fully automate setting up a working guest wifi network. The guest network it sets up can optionally use WPA3 Opportunistic Wireless Encryption (OWE), which is set up with a working transition SSID to make it fully backward-compatible with clients that don't support OWE.
The code and documentation are up on GitHub. Here is a link.
NOTE: this script was written for and tested on an 802.11-based dual-band wireless AC (ath10k) router. I imagine it would be easy to modify it to work with other 802.11-based routers (e.g., wireless N / ath9k routers and wireless AX / ath11k routers), but it probably won't work quite right "as-is".
The GitHub README has detailed usage instructions and a detailed explanation of what the code does (the code itself is also fairly well commented), but I'll give a brief overview here:
Customization options include setting the guest wifi network SSID / IP / netmask, and forcing OWE to be enabled/disabled. Setting these is optional - default values / logic to set these are built into the script. NOTE: by default, OWE is only enabled if the full version of either wpad or hostapd is installed.
Using the script involves saving it to the router, optionally setting customized values for the options mentioned above, then chmod +x the script, run it and wait. The router will restart when it is done. If you enable OWE, the router will reboot twice and then it is done.
The script sets up the following in UCI config:
- br-guest bridge and guest interface in the network config
- guest wifi interfaces in the wireless config. 2 open interfaces (1 per band) are always set up. OWE sets up 2 more interfaces (1 per band) that are hidden and use OWE encryption. All have client isolation enabled.
- the guest interface is added in the dhcp config
- a guest zone and rules allowing DHCP/DHCPv6/DNS are added in the firewall config
Additionally, a service is installed to /etc/init.d/guest_wifi that allows you to enable/disable the guest network by running:
service guest_wifi up
service guest_wifi down
Note that these commands will reboot the router unless the guest network is already in the requested state (e.g., the up command does nothing if the guest network is already up and running).
NOTE: On my router, bringing up/down the guest wifi without rebooting almost always led to router instability (and inability to access remotely to reboot - I had to physically power cycle it to get control back). With a reboot though things work perfectly. Just be prepared that these commands will trigger a reboot.
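One way to confirm, after the final reboot, that the wireless config matches the layout described above (2 open guest interfaces, 0 or 2 hidden OWE interfaces, client isolation on all of them). This is an added example, not code from the script or its repository: the function name audit_guest_wifi and the sample section names are hypothetical, and the network name guest is taken from the post.

```shell
#!/bin/sh
# Audit `uci show wireless` text (stdin) against the layout described above.
# $1 = guest network name (assumed 'guest', as in the post).
audit_guest_wifi() {
    awk -v net="${1:-guest}" -v q="'" '
    {
        eq = index($0, "="); if (!eq) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(q, "", val)                        # strip uci quoting
        n = split(key, p, ".")
        if (n == 2) type[p[2]] = val            # section line: wireless.X=wifi-iface
        else if (n == 3) opt[p[2], p[3]] = val  # option line: wireless.X.opt=value
    }
    END {
        for (s in type) {
            if (type[s] != "wifi-iface" || opt[s, "network"] != net) continue
            enc = opt[s, "encryption"]; if (enc == "") enc = "none"
            if (opt[s, "isolate"] != "1") { print "FAIL " s ": client isolation off"; bad++ }
            if (enc == "owe") {
                n_owe++
                if (opt[s, "hidden"] != "1") { print "FAIL " s ": OWE SSID not hidden"; bad++ }
            } else if (enc == "none") n_open++
            else { print "FAIL " s ": unexpected encryption " enc; bad++ }
        }
        if (n_open != 2) { print "FAIL: want 2 open guest ifaces, found " (n_open + 0); bad++ }
        if (n_owe != 0 && n_owe != 2) { print "FAIL: want 0 or 2 OWE ifaces, found " n_owe; bad++ }
        if (!bad) print "OK: " n_open " open, " (n_owe + 0) " OWE, all isolated"
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample: section names are hypothetical, not taken from the script.
sample_config() {
    cat <<'EOF'
wireless.guest_2g=wifi-iface
wireless.guest_2g.network='guest'
wireless.guest_2g.encryption='none'
wireless.guest_2g.isolate='1'
wireless.guest_5g=wifi-iface
wireless.guest_5g.network='guest'
wireless.guest_5g.encryption='none'
wireless.guest_5g.isolate='1'
wireless.guest_5g_owe=wifi-iface
wireless.guest_5g_owe.network='guest'
wireless.guest_5g_owe.encryption='owe'
wireless.guest_5g_owe.isolate='1'
EOF
}
sample_config | audit_guest_wifi || echo "guest wifi audit failed"
```

On the router itself the input would come from `uci show wireless | audit_guest_wifi`; the sample deliberately contains a single, non-hidden OWE interface so both failure checks fire.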