Encryption in 802.11s

Most consumer devices aren't 802.11s "aware" and don't clearly represent the SAE auth in the UI. LuCI, last I checked, also wasn't able to clearly indicate 802.11s being encrypted. iwinfo (at least from September, 2018) isn't very clear either.

Wireshark on a wireless, monitor interface can be used to confirm that the channel is encrypted.

Ok, I'm going to do tests with that program to see on my network.

It appears as unknown in Encryption. I do not know how to find out if encryption with Wireshark is used.

You should be able to see the encryption negotiation in Wireshark as the peers associate. If you send unencrypted data over the connection (nc, netcat, socat, wget of an HTTP resource, ... ) you should not see "in the clear" data.

Ok, now I'm looking for how to use the program. Thank you!

sae_passphrase in /etc/config/wireless doesn't seem to be used. If you check your wpa_supplicant (will be called something like /var/run/wpa_supplicant-mesh0.conf depending on what you name the mesh) I think you'll find the password is blank, or at least it was for mine using OpenWrt 18.06.1, until I used key instead.

You actually need to use option key.

These are the relevant settings I'm using.


config wifi-iface 'mesh0'
       option disabled '0'
       option device 'radio0'
       option ifname 'mesh0'
       option mode 'mesh'
       option mesh_fwding '1'
       option mesh_id 'My Mesh'
       option encryption 'psk2+ccmp'
       option key 'MyPassword'          
       option network 'lan'


config interface 'lan'
      option ifname 'eth0.1 mesh0'

Still not sure if the wifi connection is encrypted, but it is authenticated, in that the correct password is required.

The iwinfo command from the shell either shows encryption unknown, or none depending on the command line options.


I used sae_passphrase because jeff indicated it at Setting up 802.11s for meshed "dumb APs" thread.

And what would be the difference between encryption and authentication?



Authentication convinces the parties of the identity of the other. Encryption makes the information that they exchange "difficult" for others to understand.

Checking openwrt-18.06 for the current state of the config parameter to use:


                        local passphrase

                        if [ "$_w_mode" != "mesh" ]; then


                        if [ ${#key} -eq 64 ]; then
                                if [ "$_w_mode" = "mesh" ]; then
                        append network_data "$passphrase" "$N$T"

so it appears that current OpenWrt is looking for option key

Have you checked your wpa_supplicant?

I initially used option sae_passphrase as I read here:- https://openwrt.org/docs/guide-user/network/wifi/mesh/batman

But I found wpa_supplicant-*.conf contained sae_password="" unless I used option key in wireless instead. (And I confirmed that the mesh was using a blank password)

This is using key

cat /var/run/wpa_supplicant-mesh0.conf


        ssid="My Mesh"

1 Like

It appears that:

root@Archer_C60:~# cat /var/run/wpa_supplicant-mesh0.conf


        ssid="Mi Red WiFi Mesh"

If I use the wpad package and add option encryption 'psk2+ccmp' and option key 'password', Luci shows Wireless is not associated.

wpad-mesh is working with a password for me (openwrt 18.06.1 & 18.06.2) . I just tried the full wpad, and mesh doesn't associate with a password. I do seem to recall the full wpad working without a password.

I also seem to recall previously trying hostapd with wpa-supplicant-mesh installed successfully too.

1 Like

So is it encrypted but without password using wpad?

Does using these packages work? What should I put in the configuration file so that it does not happen to me from the beginning?

Shows as open in the UI except when the mesh is not connected.

An android 8 phone showed the mesh as WPA-EAP :- https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol

The passwords (key) on both routers have to match, I suspect it may not be encrypted, but I wouldn't know.

root@Router:~# iwinfo mesh0 info
mesh0 ESSID: "My Mesh"
Access Point: ########
Mode: Mesh Point Channel: 48 (5.240 GHz)
Tx-Power: 20 dBm Link Quality: 70/70
Signal: -38 dBm Noise: -103 dBm
Bit Rate: 6.0 MBit/s
Encryption: unknown
Type: nl80211 HW Mode(s): 802.11nac
Hardware: 168C:003C 0000:0000 [Qualcomm Atheros QCA9880]
TX power offset: none
Frequency offset: none
Supports VAPs: yes PHY name: phy0

root@Router:~# iwinfo phy0 scan
Cell 01 -

Cell 04 - Address: 44:######
ESSID: "My Mesh"
Mode: Mesh Point Channel: 48
Signal: -31 dBm Quality: 70/70
Encryption: WPA2 NONE (CCMP)

Use of a monitor interface, tcpdump, and wireshark should let you see just what is being sent and convince yourself of encryption (one way or the other)

config wifi-iface
	option device 'radio5'
	option mode 'monitor'
	option ifname 'mon5'
root@OpenWrt:~# tcpdump -i mon5 -w /tmp/mon5.pcap

Then copy to your "desktop" and examine

I did some tests on February 5, 2019 and this resulted:

OpenWRT 18.06.2 in Archer C60 and x86 with rtl8192ce (rtl8188ce):

If I use hostapd + wpa-supplicant-mesh:
They do not connect or pass the ping test.
Both appear in WirelessNetView and WiFi Analyzer with WEP encryption permanently.
In Luci they appear as a network without connected stations.

If I use wpad:
Nor does it appear in programs on Windows.
In Luci they appear as Wireless is not associated.

If I use wpad-mesh:
The nodes connect and pass the ping test.
On Windows it appears with WEP encryption permanently.
In Luci it appears that they are connected to each other correctly in "Associated Stations".

In all the tests I used the lines option encryption 'psk2+ccmp' and option key 'password' in the configuration file and dnsmasq disabled in the second node.

1 Like

Is that interface created on the same router?
How do I realize that to use encryption?
I only see network names available.

You can do it on the same router, or another one.

You should be able to see the encryption in the frames' metadata, as well as not seeing clear-text data in the payload. If you catch the association, you should be able to see the negotiation of encryption. Wireshark is very helpful for understanding the raw packets.

What are the packages I have to find called?