Why can't we have Wi-Fi enabled by default, at least for basic 2.4GHz?

This could be really useful sometimes. Is this possible while compiling your own images?

It's not enabled by default because of the fact that it would need to be open (unencrypted, no passphrase) or it would need to be a known/published passphrase with a known SSID. Likewise, OpenWrt's default user is root with no password.

This means simply powering on the device in its default state would provide opportunity for malicious actors within range to access the router and its administrative surfaces as well as the network behind it. Worse yet, some people might not change or disable the wifi, thus making a potential perpetual security threat to the network.

Enabling the 2.4G wifi would be worse, in fact, than the 5G radio because of the fact that 2.4G has more range than 5G (based on physics).

OpenWrt requires an ethernet connection because physical access is a reasonable assurance that the user is legit (it's not a guarantee, but physical access to most network gear presents the same concern).

But yes... if you build your own images (even with the firmware-selector) you can "bake-in" scripts to enable the wifi upon first boot. In that case, though, you can specifically set the SSID, encryption type, and passphrase such that it isn't a known-to-the-world and easily exploitable SSID.

10 Likes

How about I add this to the ~/openwrt/package/base-files/files/etc/uci-defaults/99-enable-wifi:

#!/bin/sh
# Enable Wi-Fi radios at first boot
uci set wireless.@wifi-device[0].disabled='0'
uci set wireless.@wifi-device[1].disabled='0'
uci set wireless.@wifi-device[0].channel='6'
uci set wireless.@wifi-iface[0].ssid='AX80-EU-test'
uci set wireless.@wifi-iface[0].encryption='psk2'
uci set wireless.@wifi-iface[0].key='12345678'
uci commit wireless
wifi reload
exit 0

Then compile this as usual afterwards?

3 Likes

I used a similar script with the firmware builder for automated registration of fresh devices as dumb AP on opensoho.

1 Like

I agree. Every wireless device I have ever come across had wifi enabled by default. Granted, those usually have the ssid/pwd on a sticker somewhere, but I have a painless solution for that.

If OpenWrt doesn't like having an unencrypted network enabled by default then make it easy and universal across all devices like ssid=OpenWrt pw=12345678 and maybe even perhaps a warning when you first log in to luci to change the wifi password (like the create root pwd warning). The default ssid and pwd could even be shown on each device page.
It would save so many people who don't have a USB ethernet adapter, myself included, a great big headache when they are first getting into openwrt and don't know any better that they need an ethernet adapter or a first boot script.

Also, the average person installing openwrt on a device is not exactly an idiot and I feel like having wifi disabled is treating the user as an idiot. Saving him from himself so to speak. If they are competent enough to flash a device with firmware they are probably competent enough to remember to change the default ssid/pwd or encryption.

That is a good idea, but on some routers the iface/device numbers are reversed. But for 1st setup it probably does not matter :wink:

Ok, well this won't prevent the device from booting up am I right? If something is wrong, wifi will not be up, am I right? No harm done?

Don't change the channel or set it to auto - in the worst case wifi will come up on ch36/5GHz ....
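The two caveats just raised (device/iface order differs between routers, and the channel should be left alone), plus the weak-default-password concern discussed further down, can all be handled inside the uci-defaults script itself. The following is an added example written for this thread, not code from any poster or from the OpenWrt project; it assumes WIFI_SSID and WIFI_PSK are supplied at image build time, and the `uci show wireless` sample embedded in it is constructed.

```shell
# Added example (not from the thread or OpenWrt): uci-defaults script that
# enables every radio by section name, not index, and refuses to bring Wi-Fi
# up with a weak passphrase. Assumed: WIFI_SSID/WIFI_PSK set at image build.
WIFI_SSID="${WIFI_SSID:-OpenWrt-example}"
WIFI_PSK="${WIFI_PSK:-}"
# Constructed sample of `uci show wireless` output in which radio0 is the
# 5 GHz radio and radio1 the 2.4 GHz one, i.e. the "reversed" ordering.
SAMPLE_UCI_SHOW=$(cat <<'EOF'
wireless.radio0=wifi-device
wireless.radio0.band='5g'
wireless.default_radio0=wifi-iface
wireless.radio1=wifi-device
wireless.radio1.band='2g'
wireless.default_radio1=wifi-iface
EOF
)

# 0 if the passphrase has >= 8 chars and is not on a short, constructed
# list of widely published defaults; 1 otherwise.
psk_is_acceptable() {
    [ "${#1}" -ge 8 ] || return 1
    case "$1" in 12345678|password|openwrt|OpenWrt) return 1 ;; esac
    return 0
}

# Print the names of all sections of type $1 (wifi-device or wifi-iface)
# found in `uci show wireless` output read from stdin.
sections_of_type() {
    sed -n 's/^wireless\.\([^.=]*\)='"$1"'$/\1/p'
}

# Emit a `uci batch` script for the given device and iface names; the
# channel is deliberately left untouched, as advised above.
build_uci_batch() {
    for d in $1; do printf "set wireless.%s.disabled='0'\n" "$d"; done
    for i in $2; do
        printf "set wireless.%s.disabled='0'\n" "$i"
        printf "set wireless.%s.ssid='%s'\n" "$i" "$WIFI_SSID"
        printf "set wireless.%s.encryption='sae-mixed'\n" "$i"  # WPA2/WPA3 mixed
        printf "set wireless.%s.key='%s'\n" "$i" "$WIFI_PSK"
    done
    printf 'commit wireless\n'
}

# Apply only on a real OpenWrt box (uci present) and never with a weak key.
if command -v uci >/dev/null 2>&1 && psk_is_acceptable "$WIFI_PSK"; then
    show=$(uci show wireless)
    build_uci_batch "$(printf '%s\n' "$show" | sections_of_type wifi-device)" \
        "$(printf '%s\n' "$show" | sections_of_type wifi-iface)" | uci batch
fi
```

Because the script ends with status 0 either way, the boot process removes it from /etc/uci-defaults after the first run, but with an empty or known passphrase the radios simply stay disabled.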

Doing this would be no better than using no password at all given that the whole world would know the password. In fact, vendor firmware (back in the day) used to do this, too... but it was too easy to compromise because of the fact that the passwords were published/common knowledge.

Yes... that is true. In fact, laws have been passed in various jurisdictions (although nothing universal or internationally coordinated) such as this one in California that require a unique login for each device (i.e. every single unit must be unique). Doing otherwise (a single published password for all units of a specific model) would violate the laws like the one I referenced.

One could argue that OpenWrt is not provided by the manufacturer, so it is not subject to the same laws around the passwords. I do not know if that assertion would be true or not, but the reason OpenWrt doesn't have its SSID enabled open or with a known password is the same as the principle behind the law -- it would be trivial to compromise and thus should be disabled.

And to your point about the unique login -- that works for the vendors because they have a factory process that enables them to load a default set of parameters and a corresponding sticker to put on the case. OpenWrt doesn't have that advantage, so it wouldn't be possible to use the same credentials as would be found on the sticker.

While this is certainly true, if you are setting up advanced/open-source firmware, it is generally wise to have an ethernet adapter of some sort for this purpose. USB adapters are cheap and ubiquitous. Aside from initial setup, you'll also need one if you ever need to use failsafe mode to recover/fix your device.

There are users of all skill levels who install OpenWrt. Some who are professional network admins and others who have barely even configured a home network. But ultimately, it's not about saving them from themselves... it's about making sure that someone cannot remotely compromise your router before you even get to login to set it up.

4 Likes

The device label MAC could be used as the default password ... but I agree, this should not be the OpenWrt default. This can be implemented by the user with uci-defaults if preferred.

Same situation in Europe with the Cyber Resilience Act (CRA), and the UK also enacted similar laws.

Which doesn't hold true for the OpenWrt One, nor the planned OpenWrt Two.

Weak default passwords are bad (they were actively exploited by wardrivers while those were still common in ISP provided gear) - and often even illegal.

So unless there's some smarter approach (for some devices it would be possible to extract the vendor provided -hopefully not weak- device specific passwords, but that might be hard to accomplish for many devices - and pretty much futile for the existing ones (what's the chance that current users will investigate that now, for their fully working devices)).

1 Like

There's a package for Cudy devices doing exactly this.

2 Likes

So that gets 22 devices out of ~2K in the ToH (admittedly not all of those have wifi). It's a start, but it would be quite the effort to profile each brand (and model) for if and how they store those credentials.

1 Like

I know, just saying it's not an impossible task, once someone manages to figure out how the password is being generated.

1 Like

Just don't do it. Enabling wireless with some default password and ssid is a bad habit. I used to "crack" networks around me just by using a set of default passwords from popular OEMs. People are lazy, some leave default passwords unchanged. Those managed to install OpenWrt are only marginally better.

7 Likes

I do have a first boot script that sets the WiFi with the SSID and password from the sticker on my devices.

On my Belkin RT3200s, I had to manually set up the password, but on some TP-Link devices, like my WDR4300, the password is stored in /dev/mtdblock0. So, anyway this is the script I use on the TP-Link:

# log potential errors
exec >/tmp/setup.log 2>&1

# If the zone name is already set, this is not the first boot: exit
[ "$(uci -q get system.@system[0].zonename)" = "America/Caracas" ] && exit 0

# Set root password. The same as the sticker.
root_password="admin"
if [ -n "$root_password" ]; then
  (echo "$root_password"; sleep 1; echo "$root_password") | passwd > /dev/null
fi

echo "Setting router generals..."
uci set system.@system[0].hostname='TPLink'
uci set system.@system[0].timezone='<-04>4'
uci set system.@system[0].zonename='America/Caracas'

echo "Setting WiFi..."
# Last 6 hex digits of the eth0 MAC, which is what the sticker SSID uses
mac_suffix="$(ifconfig eth0 | awk '/HWaddr/ { printf $5 }' | tr -d : | tail -c 6)"
# 8-character factory key stored in the first flash partition on this model
sticker_key="$(dd if=/dev/mtdblock0 bs=1 skip=130560 count=8 2>/dev/null)"
# Configure both radios and their default interfaces
uci set wireless.@wifi-device[0].disabled='0'
uci set wireless.@wifi-iface[0].disabled='0'
uci set wireless.@wifi-device[1].disabled='0'
uci set wireless.@wifi-iface[1].disabled='0'
uci set wireless.@wifi-iface[0].ssid="TP-LINK_${mac_suffix}"
uci set wireless.@wifi-iface[0].key="$sticker_key"
uci set wireless.@wifi-iface[0].encryption='psk2+aes'
uci set wireless.@wifi-iface[1].ssid="TP-LINK_${mac_suffix}_5G"
uci set wireless.@wifi-iface[1].key="$sticker_key"
uci set wireless.@wifi-iface[1].encryption='psk2+aes'

echo "Setting Hostname..."
# Make the router reachable at the name printed on the sticker
uci add dhcp domain
uci set dhcp.@domain[-1].name='tplinklogin.net'
uci set dhcp.@domain[-1].ip='192.168.1.1'

echo "Setting persistence of this script..."
# Configure owut to include this script in the images it builds
uci set attendedsysupgrade.owut=owut
uci set attendedsysupgrade.owut.init_script='/rom/etc/uci-defaults/99-asu-defaults'

echo "Committing changes..."
uci commit

echo "All done!"

exit 0

This works for me, at least. It's as secure, as I have physical access to the devices.

1 Like

Ok it appears enabling wifi by default is not gonna happen. Fine. I don't make the decisions but I can accept it's not gonna happen.
How about an alternative which would be a big warning banner on the top of device pages saying something to the effect of "DO NOT FLASH DEVICE IF YOU DON'T HAVE A COMPUTER WITH A WORKING ETHERNET ADAPTER."
and/or have the first boot script right on the device page to make it easy to enable wifi on first boot if the user so wishes.
It would help so many new users. It would have really helped me 10 years ago LoL..

It is already well documented:

1 Like

"1. Connect to the device via Ethernet cable (Only fallback to wireless, if the device has no Ethernet connection options)."

A person who doesn't read the wiki, won't read a banner.

2 Likes

Can this not be implemented in the firmware/image builder? An option to set up a default password and enable wifi.

A few check boxes, text inputs, and a simple uci-defaults script to apply the new settings. Perhaps a warning about weak passwords wouldn't hurt either.