Primer for 802.11 (Wi-Fi) Mesh Networks with OpenWrt


Several days ago, knowing nothing about mesh networks, I set an objective as simple as any possible on the subject, to construct a network by joining two OpenWrt devices in mesh configuration.

Needing a minimal recipe for the operation I would regard as quite common, yet still important even for those without deep knowledge of the subject or great experience with the platform, my first thought was to search for tutorials and guides. I was disappointed that the several documents readily available were largely unhelpful. I came to regard each in turn as presenting a single, convoluted, circuitous, and highly-specific approach, but failing to outline directly the most straightforward and accessible method, along with essential details but not extraneous ones.

At length, I have gathered my new knowledge into some notes, intended as a condensed but robust primer on mesh networks in OpenWrt. Its presentation takes two parts, separating those details general to mesh networks versus specific to the platform itself.

The following are my two objectives in presenting the primer:

  1. Gaining feedback about whether the discussion is inaccurate in any part, or incomplete as a whole.
  2. Helping anyone in a situation like mine several days ago, inexperienced in the subject yet hoping to make speedy progress toward a simple result.

Hopefully, readers in either group will engage the available opportunity.

Primer for Mesh Wi-Fi

  • In 802.11 family protocols (i.e. Wi-Fi), an Access Point (AP) is a device that supports wireless connections by multiple client devices. Clients scan for APs, which broadcast SSIDs (short sequences of text identifying each network among others), and attempt to connect to an AP broadcasting a target SSID. Acceptance for a full connection may depend on authentication, according to the AP's policy.

  • While in principle an AP may support only communication among its connected clients, it is generally most useful by integrating Ethernet ports and IP routing capabilities, to provide wide- and local-area connectivity through Ethernet switching and IP routing.

  • At times the term Access Point is used to describe a device without routing capabilities, or with such capabilities unused, but formally an AP is any device supporting connections by Wi-Fi client devices, whether or not also integrated in a unit providing other functions. A wireless router is a unit that integrates an 802.11 Access Point, an Ethernet switch, and an IP router, usually intended principally for NAT routing in small deployments.

  • Mesh networks in the 802.11 family are based on pre-existing, non-mesh 802.11 protocols, with additional mesh extensions.

  • The standard extension for mesh networks in the 802.11 family is 802.11s.

  • The 802.11s protocol depends on underlying layer 2 (i.e. other WiFi) protocols, linking mesh nodes through layer 3 (i.e. IP) connections.

  • Nodes on mesh networks employ collaborative strategies for resolving and modifying the network topology, that is, which pairs of nodes are connected to each other. The 802.11s standard incorporates a default strategy adequate for most simple applications, but allows this strategy to be replaced in any particular deployment. Various proprietary and open strategies are available, B.A.T.M.A.N. enjoying widespread use due to its performance and openness.

  • A client configured to connect using a specific SSID, finding multiple APs broadcasting the same one, employs a strategy to select the one at any time supporting superior speed and reliability, irrespective of any layer 3 (IP) connections.

  • While the behavior of clients freely switching among Access Points may cause problems if infrastructure is improperly or uncooperatively provisioned, it is also valuable for a mesh network, whose essential design is to provide multiple APs that expose the same layer 3 network.

  • In 802.11s, a mesh network is formed by a mesh base, which is a regular Access Point, usually with wide-area connectivity, and one or more further nodes able to act as intermediaries between clients and the base. The intermediaries, or mesh points, operate mesh protocols, but the mesh base and the clients are not required to support any such services.

  • A mesh point is an integrated AP router that simultaneously performs the following three operational functions:

    1. Master mode, supporting, as any AP, connections by clients.
    2. Client mode, connecting to a remote AP, in this case the mesh base. (More complicated configurations may involve multiple hops between mesh points, with some needing no general connection to base.)
    3. Mesh mode, linking the clients (by its operation in master mode) to the mesh base (by its operation in client mode).

  • Operation of 802.11s requires hardware support in an AP's radio devices, as well as software support for routing operations.

Primer for Mesh Wi-Fi in OpenWrt

  • OpenWrt includes the software functionality of Wi-Fi mesh extensions. Basic support is essentially available from most installation images, for operation on any device with required hardware capabilities.

  • Because 802.11s connections require WPA3 authentication, devices configured for such connections must have installed on them either the package wpad-mesh-openssl or wpad-mesh-wolfssl. In practice, therefore, these packages are required on the devices serving as mesh points (but not as the mesh base). The former package offers a library based on OpenSSL. The latter is widely recommended, because it is based on the wolfSSL library, aimed to be a successor to OpenSSL and providing a more lightweight implementation and more modern programming interface. Either, however, provides comparable support.

  • In order for the OpenWrt package system to avoid complicated dependencies, package conflicts are common. Most installation images provide either the wpad-basic or wpad-mini package, which must be removed, due to a conflict, before either of the SSL-based authentication packages may be installed. Both SSL-based authentication packages provide full support for the simpler authentication methods of the basic packages.

  • The general procedure for creating a mesh network is to begin with a device, designated as a mesh base, already functioning as an Access Point, and then to add additional devices designated as mesh points. The device serving as a mesh base requires no modifications from its service as a regular AP.

  • The general procedure for provisioning an OpenWrt device as a mesh point is constituted of the following steps:

    • Include support for WPA3, by installing one of the SSL-based authentication packages.
    • Configure master wireless networks, usually one for each radio, using the same SSID, and authentication method and credentials, as the AP serving as the mesh base.
    • Configure client wireless networks joined to the AP serving as the mesh base, on at least one radio able to reach it. (A mesh node may instead be joined by Ethernet, if infrastructure is available.)
    • Configure mesh point (802.11s) wireless networks, complementing the master networks, and sharing the same mesh identifier as all other mesh points for the network.


I welcome requests over clarity or completeness, as well as objections over accuracy.

I little doubt I will have exposed misconceptions, some perhaps substantial, in my current understanding, and as I otherwise have no means for doing so, receiving corrections is among my chief objectives in submitting notes on the topics.
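
A check for the provisioning steps listed in the post above, as an added example that is not part of the original post: it reads an OpenWrt wireless configuration and verifies that every interface in mesh mode uses SAE with a key and carries the shared mesh identifier. The function names, interface names, mesh identifier and key are constructed for illustration; the option names (`mode`, `mesh_id`, `encryption`, `key`) are the standard UCI wireless options.

```shell
# Added example: audit 802.11s stanzas. Usage: audit_mesh FILE|- [EXPECTED_MESH_ID]
# Prints one verdict per wifi-iface in mode 'mesh'; returns 1 if any of them fails.
audit_mesh() {
    awk -v want="$2" -v q="'" '
    function unq(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }
    function report(   verdict) {
        if (mode == "mesh") {
            verdict = "ok"
            if (enc != "sae") verdict = "FAIL encryption=" (enc == "" ? "none" : enc)
            else if (key == "") verdict = "FAIL no key"
            else if (id == "") verdict = "FAIL no mesh_id"
            else if (want != "" && id != want) verdict = "FAIL mesh_id=" id
            if (verdict != "ok") bad = 1
            print name ": " verdict
        }
        mode = enc = key = id = ""          # reset for the next section
    }
    $1 == "config" {                        # a new section closes the previous one
        report(); insec = ($2 == "wifi-iface")
        name = ($3 == "" ? "(unnamed)" : unq($3)); next
    }
    insec && $1 == "option" {               # value = rest of line, quotes stripped
        v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)
        sub(/[ \t]+$/, "", v); v = unq(v)
        if ($2 == "mode") mode = v
        else if ($2 == "encryption") enc = v
        else if ($2 == "key") key = v
        else if ($2 == "mesh_id") id = v
    }
    END { report(); exit bad + 0 }' "$1"
}

# Constructed sample config: one SAE-protected mesh interface and one open one.
sample_config() {
cat <<'EOF'
config wifi-iface 'mesh0'
    option mode 'mesh'
    option mesh_id 'example-mesh'
    option encryption 'sae'
    option key 'constructed-mesh-key'

config wifi-iface 'mesh1'
    option mode 'mesh'
    option mesh_id 'example-mesh'
    option encryption 'none'
EOF
}

sample_config | audit_mesh - example-mesh || echo "audit: a mesh interface needs attention"
```

On a device, the same function can be pointed at `/etc/config/wireless` on each mesh point, passing the mesh identifier the network is meant to share.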



I have a question regarding multiple mesh points connected physically to the network. In some places I see it’s possible and even desired for redundancy, but in others it seems only one connection to the wired net is possible. In your post you speak of one. (Mesh Portal)

What is reality? If I can connect more than one mesh point to the Ethernet cable, what should I change in the configuration? Because as of now if I have two connected everything breaks.