WiFi encryption options

I found the official openwrt wireless page which explain the wireless options on openwrt.
However, mainly none, wep, psk/psk2 are mentioned.

When I search the Internet, I come across articles that mention all of the following.
wpa+tkip, mixed-psk+ccmp, psk2+tkip+ccmp, wpa2, wpa2_personal and wpa2_enterprise as well.

What I am trying to find are which options does current openwrt support when using the wifi in client mode?

option mode 'sta'
option encryption ?

Which are all of the valid entries? And, do they all require only one key or do some require two or more keys?

The AP controls what encryption the client must use. A valid setting is one that matches what the AP expects. This is not as complicated as it seems, since the AP will advertise most of what it expects in the beacon packets that can be scanned without connecting to the AP.

Most of the standards are now considered insecure. A properly set up AP will use standard 2 with CCMP encryption (also called AES) and one of two keying methods. The first is PSK, which means Pre-Shared Key-- every client uses the same single key. This is almost always used in homes and is thus also known as WPA2-Personal.

At colleges or corporations, it is not practical to share a new key with every user and make everyone reconfigure their device any time it is necessary to kick off a bad user. The Enterprise system is based on a username with different secret credentials for each potential user. The most common variant of that system is called EAP. EAP means Extensible Authentication Protocol, so exactly what is required may change outside the WiFi standard. With these networks it is often necessary to get instructions from the administration to find out how to set up your client. Also OpenWrt does not contain support for this standard by default, but it can be added by changing from the "mini" or "basic" version of hostapd to a full one.

So as you can see it's confusing because there is still reference to obsolete standards which may still be found, but only very rarely, and lots of different names for the same thing.

1 Like

Great explanation, thank you.

Yes, I understand that the AP uses what it uses but the thing that I'm having a hard time finding is what are all of the valid entries. And, do all of them need only only key or do some use two keys?

I should have made that clearer. This is the information I am having a hard time finding and correlating.

Are you using Luci GUI?

Recommended usual setup anyway for home usage is WP2-PSK with CCMP encryption (also called AES) or WPA3 ;- )

Sometimes office/s, sometimes homes.

I ask because I bring this router with me everywhere and just edit the /etc/config/wireless file as needed but there are some cases where I'm not sure what to enter so am trying to find all of the combinations etc so I can note them down.

That's interesting. I've not found mention of the actual words WP2-PSK, AES or WPA3 in any documentation showing what one can enter into the /etc/config/wireless file option settings. That's what I'm trying to find out, the specific words/options that can be entered into the file.

Search this page: https://openwrt.org/docs/guide-user/network/wifi/basic

for "encryption" and then further down... under "WPA modes"

1 Like

ALL of those can be used??

that's right.

Just to confirm, all of those sta/client options can be entered and so long as the AP is using it, any one of them will work? Or, do some of those require additional packages to be installed?

If I'm reading the page correctly, the only package I should add is wpa-supplicant-openssl and could use any one of those.

I think you're best off installing wpad, it's a multicall binary that does everything including supplicant.

Just wanted to confirm. I am running two Dumb AP's, which file should I install in order to have WPA3 as an option?