Are WPA2/WPA3 design flaws fixable? If not advise to use VPN

Dear all,

I would be glad to hear abour your opinion about those two reference articles:
WPA2 ckrackattack:
WPA3 Dragonblood:

I am well-aware that OpenWRT offers mitigation for those design flaws. But it only slows down attacks, it cannot stop them.

Are these design flaws really fixable or should we wait for WPA3.1?
Are WPA2 and WPA3 currently dead from a security-by-design point of view?

As a community, we ought to know whether we shall still trust WPA2/WPA3 or whether developpers should recommend using a VPN over wireless.

Kind regards,


My opinion is that WPA2 cannot be fixed and WPA3 mixed mode can always be downgraded using old WPA2 buggy clients. When using an WPA3-SAE ESSID, you need a separate ESSID with WPA2. So this is non-fixable. The only solution is using wireless + Roadwarrior VPN.

Please make a public statement making a strong advise to "use VPN over wireless knowing WPA2/WPA3 design flaws".

It is not a problem for an open-source community to hear the truth.

You do not need to wait for any official announcement, and I do not think OpenWrt is the right place to demand one; you can just stop using WPA yourself.


You are right, I modified my post accordingly. Thanks.

Even WPA2 is pretty good when used at home with a strong PSK and AES. WPA3 is even better, in part because of the per-client encryption, and in part because deauth is authenticated.

There are definitely some uses of WPA2/3 for which the standards do not provide so much protection, especially if you expect to be attacked over the air by other clients.

So it depends on what you are using it for.

People are not aware that WPA2 / WPA3 can be attacked on side channels. This makes the WPA2/WPA3 standards useless IMHO. If you are fixing the holes in a server and all clients are attacked, the solution is "non-fixable". This is why in my original message, I was writting "death of WPA2/WPA3".

So we'd better be realistic and agree to strongly recommand using a Roadwarrior VPN scenario. I realize that some OpenWRT APs are not powerful enough to run a VPN server, but at leat it will infom people.

Vendors working on proprietory WPA2/WPA3 software cannot publicly recognize the death of WPA, it would hinder their market and people would wait a couple of years for a new standard and stop all purchase.

This is something that an open-source community can acknowledge and this would be very good for OpenWRT image on the long run.

The layered security model should work fine.
I prefer to use at least a couple of layers with restricted policy for all firewall zones while selectively allowing the services that I need and can trust more or less.
It is typically SSH/SFTP over WPA and pretty much everything else over VPN.

1 Like

There are not much Wifi6/WPA3 devices outside currently. I guess they will "hotfix" the addressed security issues and come up with sth. like WPA3.xx. Nothing lost so far (imo).

But they are keeping their secuirity design/meassures secret and they didn't release any information about the certification process about security. Nothing at all. Very likely that there will come up more in future. So you can use it as it is or take your own meassures.

IMO!: Wifi technology is designed arround limited hardware which it is serving. Simply because the vast majority of all devices outside is limited in cpu power and/or by electricity/power. Esp. smartphones and (soho-)routers. So it is designed around this limitations. You cannot do endless iterations or wait for enough entropy and all the sneaky stuff which comes in mind (algorithms, curves, crypt-tech, etc.). Esp. if you are serving more then one device.

1 Like