A fully automated script to set up a guest wifi network with support for WPA3 OWE

I wrote a script to fully automate setting up a working guest wifi network. The guest network it sets up can optionally use WPA3 Opportunistic Wireless Encryption (OWE), which is set up with a working transition SSID to make it fully backward-compatible with clients that don't support OWE.

The code and documentation are up on GitHub. Here is a link.

NOTE: this script was written for and tested on an 802.11-based dual-band wireless AC (ath10k) router. I imagine it would be easy to modify it to work with other 802.11-based routers (e.g., wireless N / ath9k routers and wireless AX / ath11k routers), but probably won't work quite right "as-is".

The GitHub README has detailed usage instructions and a detailed explanation of what the code does (the code itself is also fairly well commented), but I'll give a brief overview here:

Customization options include setting the guest wifi network SSID / IP / netmask, and forcing OWE to be enabled/disabled. Setting these is optional; default values and logic to set them are built into the script. NOTE: by default, OWE is only enabled if the full version of either wpad or hostapd is installed.

Using the script involves saving it to the router, optionally setting customized values for the options mentioned above, making the script executable (chmod +x), running it and waiting. The router will restart when it is done. If you enable OWE, the router will reboot twice and then it is done.

The script sets up the following in UCI config:

  • br-guest bridge and guest interface in the network config
  • guest wifi interfaces in the wireless config. 2 open interfaces (1 per band) are always set up. OWE sets up 2 more interfaces (1 per band) that are hidden and use OWE encryption. All have client isolation enabled.
  • the guest interface is added in the dhcp config
  • a guest zone and rules allowing DHCP/DHCPv6/DNS are added in the firewall config
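The UCI layout the list above describes, together with the earlier rule that OWE is only enabled when a full wpad/hostapd build is installed, as an added shell example. This is not the post's script and not taken from its GitHub repository. It assumes radio0 and radio1 are the 2.4 GHz and 5 GHz radios, the section and kernel interface names shown, that the hidden OWE SSID is the open SSID with `_OWE` appended, and the OpenWrt 21.02+ `config device` bridge syntax; `owe_transition_ifname` is hostapd's option for pairing the open and OWE BSSes, passed through by OpenWrt's hostapd.sh, so check it against your release. The functions print `uci batch` input rather than applying it, so the result can be reviewed before anything is committed.

```shell
#!/bin/sh
# Added example, not the post's script: prints the guest-network UCI layout the
# post describes as "uci batch" input, plus the post's OWE-enable rule.
# Assumed names: radio0 = 2.4 GHz, radio1 = 5 GHz, sections guest_2g/guest_5g/
# guest_owe_2g/guest_owe_5g, kernel ifnames wlan0-guest etc., OWE SSID <ssid>_OWE.
# On a router:  guest_uci_batch 1 | uci batch && uci commit && reboot

GUEST_SSID="${GUEST_SSID:-Guest}"
GUEST_IP="${GUEST_IP:-192.168.3.1}"
GUEST_NETMASK="${GUEST_NETMASK:-255.255.255.0}"

# Post's rule: OWE only when a full wpad/hostapd build is installed. $1 is a
# package list, e.g. owe_supported "$(opkg list-installed | cut -d' ' -f1)"
owe_supported() {
    for pkg in $1; do
        case "$pkg" in
            wpad|wpad-openssl|wpad-wolfssl|wpad-mbedtls|hostapd|hostapd-openssl|hostapd-wolfssl|hostapd-mbedtls) return 0 ;;
        esac
    done
    return 1
}

# One guest AP: $1 section, $2 radio, $3 kernel ifname, $4 encryption
# (none|owe), $5 ifname of the OWE transition partner ("" without OWE).
# Client isolation is always on; an OWE AP is hidden and requires PMF.
guest_ap() {
    local ssid="$GUEST_SSID"
    [ "$4" = "owe" ] && ssid="${GUEST_SSID}_OWE"
    cat <<EOF
set wireless.$1=wifi-iface
set wireless.$1.device='$2'
set wireless.$1.ifname='$3'
set wireless.$1.mode='ap'
set wireless.$1.network='guest'
set wireless.$1.ssid='$ssid'
set wireless.$1.encryption='$4'
set wireless.$1.isolate='1'
EOF
    [ "$4" = "owe" ] && printf "set wireless.$1.hidden='1'\nset wireless.$1.ieee80211w='2'\n"
    # hostapd's owe_transition_ifname pairs the open and OWE BSSes so that
    # OWE-capable clients move from the open SSID to the encrypted one.
    [ -n "$5" ] && echo "set wireless.$1.owe_transition_ifname='$5'"
    return 0
}

# Firewall rule from the guest zone to the router: $1 section, $2 name,
# $3 proto, $4 dest_port, $5 optional family.
guest_rule() {
    cat <<EOF
set firewall.$1=rule
set firewall.$1.name='$2'
set firewall.$1.src='guest'
set firewall.$1.proto='$3'
set firewall.$1.dest_port='$4'
set firewall.$1.target='ACCEPT'
EOF
    [ -n "$5" ] && echo "set firewall.$1.family='$5'"
    return 0
}

# Whole layout: bridge + interface, DHCP pool, guest zone with DHCP/DHCPv6/DNS
# allowed to the router and forwarding to wan, then the APs. $1 = 1 adds OWE.
guest_uci_batch() {
    cat <<EOF
set network.br_guest=device
set network.br_guest.name='br-guest'
set network.br_guest.type='bridge'
set network.guest=interface
set network.guest.device='br-guest'
set network.guest.proto='static'
set network.guest.ipaddr='$GUEST_IP'
set network.guest.netmask='$GUEST_NETMASK'
set dhcp.guest=dhcp
set dhcp.guest.interface='guest'
set dhcp.guest.start='100'
set dhcp.guest.limit='150'
set firewall.guest=zone
set firewall.guest.name='guest'
add_list firewall.guest.network='guest'
set firewall.guest.input='REJECT'
set firewall.guest.output='ACCEPT'
set firewall.guest.forward='REJECT'
set firewall.guest_wan=forwarding
set firewall.guest_wan.src='guest'
set firewall.guest_wan.dest='wan'
EOF
    guest_rule guest_dhcp 'Allow-Guest-DHCP' udp 67
    guest_rule guest_dhcpv6 'Allow-Guest-DHCPv6' udp 547 ipv6
    guest_rule guest_dns 'Allow-Guest-DNS' 'tcp udp' 53
    if [ "$1" = "1" ]; then
        guest_ap guest_2g radio0 wlan0-guest none wlan0-guestowe
        guest_ap guest_owe_2g radio0 wlan0-guestowe owe wlan0-guest
        guest_ap guest_5g radio1 wlan1-guest none wlan1-guestowe
        guest_ap guest_owe_5g radio1 wlan1-guestowe owe wlan1-guest
    else
        guest_ap guest_2g radio0 wlan0-guest none ""
        guest_ap guest_5g radio1 wlan1-guest none ""
    fi
}
```

The guest zone rejects input by default and only opens the three services the post lists, so guest clients can get an address and resolve names but cannot reach LuCI or SSH on the router; forwarding is allowed to wan only, with no path into lan. Unlike the post's script, this example does not reboot or commit anything on its own.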

Additionally, a service is installed to /etc/init.d/guest_wifi that allows you to enable/disable the guest network by running

service guest_wifi up
service guest_wifi down

Note that these commands will reboot the router unless the guest network is already in the requested state (e.g., the up command does nothing if the guest network is already up and running).

NOTE: On my router, bringing the guest wifi up/down without rebooting almost always led to router instability (and an inability to access it remotely to reboot - I had to physically power cycle it to get control back). With a reboot, though, things work perfectly. Just be prepared that these commands will trigger a reboot.