Wpa3 support in OpenWrt?

  1. WPA3-SAE is supported by Openwrt software for Xiaomi Redmi Router AC2100, MIPS, MT7621A .
  2. If MT7621A haven't WPA3 hardware support, can WPA3 usage on 2.4ghz and 5Ghz overload Redmi processor?

Great thread, has more information than what google finds on WPA3...

Can some of this be written to the wiki?

This page: https://openwrt.org/docs/guide-user/network/wifi/basic
Or maybe a separate page for WPA3?

To answer common questions, like:

  • does OpenWRT support WPA3?
  • does it require special hardware?
  • any negative issues (like lower performance on older hardware)?
  • a word about compatibility with other devices (like the mentioned Apple issue)
  • is mixed WPA2/WPA3 really more secure than just WPA2? I read that exclusive WPA3 is better, but forgot the details.
  • is WPA/WPA2/WPA3 mixed mode possible? (I see no support for it currently, but what in theory?)
1 Like

Sure it can be written there?
By you, perhaps?

1 Like

For the clients that connect via WPA3 it's more secure. However, if the client allows connecting to the same network via WPA2 there's a possibility of a downgrade attack. It's up to the client implementation to prevent this. As an example, the Google Pixel 3 always connects via WPA3 after the first WPA3 authentication/association with a network.[1]

[1] Interesting paper on security vulnerabilities in WPA3.

1 Like

Sure, after I get the answers to those questions.

1 Like

Another solution for OpenWrt admins is to setup 2 virtual WLAN using different keys, one for WPA2 and another for WPA3.

Although, it may not be that much of an improvement in terms of security due to other practical reasons.

Cheers.

  • does OpenWRT support WPA3? Yes, for official release, since 19.07 with wpad-openssl. wpad-wolfssl has been fixed in master/development
  • does it require special hardware? No AFAIK
  • any negative issues (like lower performance on older hardware)? In my test case no, the WLAN speed seems to be CPU-bound even without encryption, others with more experience may chime in?
  • a word about compatibility with other devices (like the mentioned Apple issue) You can go ahead and add later when people report other incompatibilities
  • is mixed WPA2/WPA3 really more secure than just WPA2? I read that exclusive WPA3 is better, but forgot the details. see reply of huaracheguarache
  • is WPA/WPA2/WPA3 mixed mode possible? (I see no support for it currently, but what in theory?)
    no idea, but why would anyone still use WPA?

...................

Notes:

  • doesn't work on the WRT AC series of routers (mwlwifi). Probably important to note as they're very popular.
  • some older hardware needs hardware encryption disabled in the driver for it to work with wpa3
    WPA3 not working on TL-wr1043NDv1

https://openwrt.org/docs/techref/driver.wlan/mwlwifi would be the place to document mwlwifi specific stuff, e.g. WPA3 issues / WPA3 incompatibilities / general development status.

Fortunately this particular issue with ath9k and draft-n wireless chipsets <= AR9160 will be resolved with mac80211: ath9k: enable MFP capability unconditionally, which I've just successfully tested with on my tl-wr1043nd v1:

root@tl-wr1043ndx:~# grep -i -e sae -e 80211w /tmp/run/hostapd-phy0.conf 
sae_require_mfp=1
wpa_key_mgmt=SAE
ieee80211w=2
root@ath5k-client:~# wpa_cli -i wlp3s0 status | grep -i -e sae -e 80211w -e mfp -e pmf
key_mgmt=SAE
pmf=2
sae_group=19

Similar efforts have been happening (upstream) for b43 and rt2x00 as well (not yet in OpenWrt); ath5k worked fine with WPA3/ SAE from the beginning. Yes, enabling IEEE 802.11w (which is mandatory for WPA3) on devices that can't do it hardware accelerated does come with a steep performance penalty, but at least it (now-) works - without having to supply module parameters manually.

1 Like

Hi there, are you working on it now?

Cheers.

How much performance penalty?

Hmm, the https://en.wikipedia.org/wiki/IEEE_802.11w-2009 page says:

is required for 802.11 implementations that support TKIP or CCMP

So all WPA and WPA2 hardware should support it? Or am I misunderstanding something?

In theory, perhaps - in practice not at all. Even among the 802.ac chipsets functional 802.11w support is not a given, even less hardware accelerated pmf/ mfp.

About Apple WPA3 support:

on my iPhone SE, the options for Security offered are:

  • None
  • WEP
  • WPA
  • WPA2
  • WPA Enterprise
  • WPA2 Enterprise
  • WPA3 Enterprise

on iPad 6th gen:

  • None
  • WEP
  • WPA
  • WPA2/WPA3
  • WPA3
  • WPA Enterprise
  • WPA2 Enterprise
  • WPA3 Enterprise

Both running iOS 13.5.1

So either the SE hardware does not support WPA3 Personal or it is some UI glitch.

Where are you seeing these options listed? App on the phone itself? I have a iphone7 that connects to pure WPA-SAE just fine.

Same on MacBook Air 2012, it seem that wap3 is not fully supported on Apple older hardware.
Screen Shot 2020-06-20 at 10.49.32 AM

In Settings, when manually adding a network. Click/tap on "Other..." below the list of detected networks.

Nice, I did not know about this. From my iPhone7:

It seems that apple cuts functionality on older devices. Deceives people. Here's what's on my iphone 6s, ios 14 beta:

Hello, didn't find any info about PC OSes support for this (Windows, OSX, Linux, etc.).
So far I only see it working on Android Q devices (via sharing QR code feature).
Any info about it?

PS: and also I'm interested if Luci interface for that feature exists?