Alfa Tube 2HP w/ OpenWrt won't connect to a hotspot (4-Way Handshake Failed) while my laptop will connect to hotspot

I assume you read it is complaining about a wrong key, and you verified it. So, also assuming that this worked before, my first bet is that the owner of the cafe thinks that you are abusing his AP, and has decided to ban your router.

You might try to use another WiFi-MAC in the ALFA. But, in case the owner of the Cafe blocked your org MAC because of high traffic, he will do so again for the new MAC.
Only reasonable solution: Use a 4G-router as backup. Good idea for a boat, anyway :slight_smile:

Thanks for the responses. I know the key (wifi password?) works because I use it on my laptop and smartphone. In any event, I think they're talking about a pre-shared key, which I understand is different than the hotspot password.

It doesn't make sense that my Alfa Tube 2HP was banned because I was never able to connect long enough to even check email. When I said it worked perfectly for months, I meant it worked perfectly at other locations for other hotspots. The Alfa Tube on Open-WRT just doesn't work for this hotspot, while my devices connect just fine.

Is there a way to adjust the handshake timeout?

please take a look at your travelmate, i never used that, so i m not sure, but i see in your log that you have it.

Thanks, I disabled that and have been using the standard way to add this access point.

@wifiatsea, welcome to the communioty!

Just an FYI:

To clear up what you do and do not have:

(BTW, theft of service is a crime in most US if you're referring to agreeing to their terms of service on a captive portal page...or their ISP's, beware.)

And yes, they could be block MACs that are commonly routers and network devices (e.g. one could safely exclude let's say Juniper or Cisco MACs). They could also exclude you by seeing differing TTLs on the packets (meaning some passed a router :wink:).

No, unless you control the cafe's WiFi and can flash firmware that had such an incompatible (and maybe illegal) setting.

I have seen the "possible PSK mismatch" once when the key did match. It was on a Raspberry Pi 4 (Broadcom chip) as client of a TP-Link Archer A7 (ath10k chip). Having the AP set for optional Management Frame Protection (option ieee8211w 1) caused the Pi station to fail to connect with errors like the OP reported. This should not cause a fail to connect but it did. Reconfiguring the AP for no MFP allowed the Pi to connect.

I kind of doubt that is the issue here-- though early ath9k chips do not support MFP and might have similar problems. If you don't control the AP there isn't much you can do. Do iw dev wlan0 scan to see what the AP is advertising.

1 Like

We definitely have the permission of the AP owner to use their wifi. It's part of what we're paying for to be at this location. In no way is it "theft of service". In fact, I've asked for their help because our devices have trouble connecting and we're trying to get our Alfa Tube 2h extender to allow us to use the wifi that we're paying for. They were even less technical than I am, so no help there.

Mike - I ran the scan you suggested. here's what I see:

BSS 00:a2:89:34:74:b3(on wlan0)

TSF: 8718464933544 usec (100d, 21:47:44)

freq: 2462

beacon interval: 100 TUs

capability: ESS (0x0411)

signal: -45.00 dBm

last seen: 20 ms ago

Information elements from Probe Response frame:


RSN: * Version: 1

  • Group cipher: CCMP

  • Pairwise ciphers: CCMP

  • Authentication suites: PSK

  • Capabilities: 16-PTKSA-RC 1-GTKSA-RC MFP-capable (0x008c)

  • 0 PMKIDs

  • Group mgmt cipher suite: AES-128-CMAC

HT capabilities:

Capabilities: 0x80d



SM Power Save disabled


Max AMSDU length: 7935 bytes


Maximum RX AMPDU length 65535 bytes (exponent: 0x003)

Minimum RX AMPDU time spacing: 4 usec (0x05)

HT RX MCS rate indexes supported: 0-23

HT TX MCS rate indexes are undefined

HT operation:

  • primary channel: 11

  • secondary channel offset: no secondary

  • STA channel width: 20 MHz

Any thoughts?

you said that the tube is able to connect to other ssid, also you said that your phone will connect at this cafe ssid and thatn disconnect like the tube.
at this point the problem is the bar AP , try to reboot it.


Your scan has the RSSI from the CAFE AP at -45 which is very strong. Generally, signals above -70 are fully usable and above -60 is ideal.

I just tested the MFP scenario again on an old ath9k device (WNR2000v1, ar9100 chip) as the client and it did not have a problem when the AP was running "MFP-capable". So I don't think it's that.

The Tube-2 HP is listed as having an AR9331 which is newer and should be highly compatible. Actually you could install the full wpad and turn MFP on. MFP protects against a type of DoS attack involving fake deauthenticate requests transmitted by a malicious actor within wifi range.

Mike -

The noise level here is quite high, around -74, if that makes a difference. I understand that as long as you have a 20db spread between signal and noise, you're in good shape.

I'm in a catch22 since I can't connect to the internet to use the luci based package downloader. Also my Tube 2HP is on the top of my mast (with a 8dbi antenna) so it won't connect to my smartphone hotspot below it.. I believe that's because of the radiation pattern of the antenna.

Can I download full wpad on my laptop and then install via Luci?

I think a manual .ipk file install requires CLI.

Also this procedure is a little risky since you have to remove wpad-basic first, and if you get left without wpad there is no way to run wifi at all.

Having the phone outside should be enough signal even if not in line with the antenna. If there's that much 2.4 noise in the area that could be the problem all along.

Here's what I've found so far:
This is the version of wpad that is installed, per the luci based opkg


These are the download links I've found:

Any idea which is the correct one for my AR9331? Do I need to uninstall wpad-basic first?

Are there other packages I need to install also?

Sorry for asking what you probably consider to be quite basic questions.


that is strange

Read /etc/opkg/distfeeds.conf to find the server URL, which will be under not a third party. The wpad package will be in the basic section. Load this /basic URL into your browser and find wpad in the directory that appears.

Yes that's really strange. If you take a hotspotted smartphone outside the cabin so it has a line of sight to the Tube-2 antenna with no metal, it should connect easily even though it isn't directly in the plane of the antenna.

Bricco -

In my experience, the radiation pattern of a 8dbi antenna is quite "compressed" in the vertical plane. Note that my antenna is around 20m/70ft up in the air on top of the mast.

So when I'm in a location and trying to connect to a very close hotspot, my antenna will not see it. However, if the hotspot is a bit further away, it works great. The reason I have it that high is that earlier when I had it quite low, neighboring boats and even my solar panels would interrupt coverage. Something about the panels being in the Fresnel zone.

In any event, that means if I'm standing directly below the antenna with my mobile phone hotspot, my Tube 2hp will not pick it up. But it will see a hotspot 1/2 a mile away!

1 Like

Hi, I didn't read all the responses here but I've been using the AlphaTube2H continuously for over 3 years. I liked the 18.06.04 firmware release for it better than my 19.07.4. Seemed more stable. Are you using a dish or directional antenna at the top of the mast that overshoots the cafe? The routers now days have little saucer shaped beams that you may be totally off the plane of them if you also have a directional antenna at 20' in the air. I just use scan feature to find a signal and I connect and enter the password. More than a couple of occasions recently the local wifi is blocking device MAC that are mfgs other than laptops or smart phones eg. if they are anything outside of a specific mac number range. What I have done is added a line to dummy up a mac address of a smart phone, what they typically like connecting to their network. It's in /etc/config/network add to the wan block using a mac a few numbers off that you see your cell phone using

config interface 'wan'
	option macaddr 'xx:xx:xx:xx:xx:xx'

*** Never experienced a block after adding this macaddr line. Have run into 5G only so if you hear of any combination of OpenWRT with a Alfa or Ubuiquity tube that sports 5G client support, let me know.

Maybe you need my "backpacker special" it is a 17db 2.4Ghz PVC yagi connected to an Alpha wireless USB network adapter with chip Atheros AR9271 that pulls in remote wifi signals, connects as client and feeds via a heavy power & data USB cable into GL-AR300M that re-transmits the signal to other devices in the vicinity.


Can I set the mac address though Luci using:

Network->Interfaces->WWAN->Advanced Settings->Override MAC Address

Would that achieve the same thing as your command line edit?

Also, I use an omni antenna. The boat moves too much to point a directional.

Maybe someone can answer this for you ... I have a record on my laptop of all my router configurations and I cannot access either of the ones which I have changed the MAC which are in my camper. I am out of my camper in an apartment until the virus lets up. I don't use the Luci menus much these days because every since they started that "roll back" business, I get hit too many times with the roll back showing up when my Windows system is not responding fast enough. If you haven't tried it, check out WinSCP if you are a Windows person, just open the file tree like you were on Windows, open the config file with a Notepad like editor, save the file when you close it and either enter "reboot" in the top command window of the SCP screen or you can log into Luci and do the restart as well. (Did a search and some people were having an issue with this via the Luci menu back Aug '19 I believe but I didn't get too thick into their issue. Once you use WinSCP, you may see it as easier. They say not to change the control files directly because that Luci and their dotted.command line syntax handles all the changes associated, but this level of change will be fine if you reboot after editing the control file. Located in the WINSCP file treee at /etc/config/network, double click, the file opens, enter the edit, save and reboot the router.

From left to right on the MAC, copy your cell phone or laptop MAC exactly but the final 4 characters make up another number, using only digits 0-F. (0-9,A,B,C,D,E,F)