I saw this proposed setup for OWE (Enhanced Open) Wi-Fi on OpenWrt and found it very interesting. I've been testing it on OpenWrt 19.07 these last days. I would like to thank @lantis1008 for sharing this.
There is something, however, that I'm not sure I understand about this setup.
It appears to me that the basis of any security on an open network would be to avoid MAC impersonation/spoofing, i.e. to ensure that when a client A opens a session for a given MAC M, a client B that comes later cannot pretend to have the MAC M (for at least as long as A is still associated to the Wi-Fi network). Otherwise, if B can pretend to have MAC M, it could obviously both intercept packets/traffic destined for A and use A's privileges or identity (e.g. use its authentication to a captive portal).
But from what I understand and have tested with the setup above, there always remains an unencrypted open network to which any client can associate with any MAC address, even one already in use on the OWE network. I.e. if A connects securely with OWE and MAC M, B can still connect to the unencrypted open network with the same MAC M, which obviously renders the security for A almost accessory.
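As an added example (not part of the original post, and not code from the setup it refers to), here is a small Python check for the situation just described, written from the router operator's side: it parses the output of `iw dev <iface> station dump` for the OWE BSS and for the open BSS and flags any MAC that is associated to both at the same time, using the `connected time` field to tell which of the two associations is the newer one. The interface names wlan0 (OWE) and wlan0-1 (open) and both station dumps are constructed sample data, not captured from a real router.

```python
import re
from dataclasses import dataclass

# Constructed sample output of `iw dev wlan0 station dump` (OWE BSS).
# Not captured from a real device.
SAMPLE_OWE_DUMP = """\
Station 02:11:22:33:44:55 (on wlan0)
    inactive time:  120 ms
    rx bytes:       48213
    tx bytes:       903312
    signal:         -52 dBm
    connected time: 1832 seconds
Station 02:aa:bb:cc:dd:ee (on wlan0)
    inactive time:  30 ms
    rx bytes:       1024
    tx bytes:       2048
    signal:         -60 dBm
    connected time: 95 seconds
"""

# Constructed sample output of `iw dev wlan0-1 station dump` (open BSS).
# The first station reuses the MAC that is already associated on wlan0.
SAMPLE_OPEN_DUMP = """\
Station 02:11:22:33:44:55 (on wlan0-1)
    inactive time:  10 ms
    rx bytes:       512
    tx bytes:       128
    signal:         -71 dBm
    connected time: 14 seconds
Station 02:de:ad:be:ef:01 (on wlan0-1)
    inactive time:  400 ms
    rx bytes:       77
    tx bytes:       66
    signal:         -65 dBm
    connected time: 600 seconds
"""

STATION_RE = re.compile(
    r"^Station ([0-9a-f]{2}(?::[0-9a-f]{2}){5}) \(on (\S+)\)$", re.IGNORECASE
)
CONNECTED_RE = re.compile(r"^\s*connected time:\s*(\d+) seconds\s*$")


@dataclass
class Station:
    mac: str
    iface: str
    connected_s: int  # seconds since this station associated


def parse_station_dump(text):
    """Parse `iw ... station dump` text into a list of Station records."""
    stations = []
    current = None
    for line in text.splitlines():
        m = STATION_RE.match(line)
        if m:
            current = Station(mac=m.group(1).lower(), iface=m.group(2), connected_s=0)
            stations.append(current)
            continue
        m = CONNECTED_RE.match(line)
        if m and current is not None:
            current.connected_s = int(m.group(1))
    return stations


def find_duplicate_macs(owe_stations, open_stations):
    """Return {mac: (owe_station, open_station, newcomer_iface)} for every MAC
    that is associated to both BSSes at once. The association with the shorter
    connected time is the newcomer, i.e. the one that reused an existing MAC."""
    owe_by_mac = {s.mac: s for s in owe_stations}
    hits = {}
    for s in open_stations:
        if s.mac in owe_by_mac:
            owe_sta = owe_by_mac[s.mac]
            newcomer = s.iface if s.connected_s < owe_sta.connected_s else owe_sta.iface
            hits[s.mac] = (owe_sta, s, newcomer)
    return hits


def report(owe_dump, open_dump):
    """Convenience wrapper: parse both dumps and return the duplicate-MAC map."""
    return find_duplicate_macs(parse_station_dump(owe_dump), parse_station_dump(open_dump))


if __name__ == "__main__":
    for mac, (owe_sta, open_sta, newcomer) in report(SAMPLE_OWE_DUMP, SAMPLE_OPEN_DUMP).items():
        print(f"{mac}: on {owe_sta.iface} for {owe_sta.connected_s}s and on "
              f"{open_sta.iface} for {open_sta.connected_s}s; newcomer is {newcomer}")
```

On a real router the two dumps would come from running `iw dev wlan0 station dump` and `iw dev wlan0-1 station dump` (or whatever the OWE and open interfaces are called there) and feeding the text to `report()`; a hit means exactly the condition described above, a MAC present on the open BSS while the same MAC still holds an OWE association.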
It seems possible in OpenWrt to have only one network with OWE and no associated unencrypted open network. It seems to be possible to connect to such a network with wpa_supplicant, but not with network-manager (at least on Ubuntu 20.10). So it does not seem very standard, and may not be supported by a wide variety of devices for a few years.
config wifi-iface 'ap_g_owe'
        option device 'radio0'
        option mode 'ap'
        option network 'lan'
        option ssid 'owe test'
        option encryption 'owe'
I'm also quite surprised by the apparent lack of session management in this system. For example, at least a timeout value defining how long it must have been since we last saw the previous client with MAC M before accepting a new client with the same MAC M without requiring it to know the previous shared key computed with Diffie-Hellman.
Any comment and explanation about all this would be most welcome!