WPA3 support in OpenWrt?

An interesting post by someone who got it to work:

1 Like

From what I understood previously, and from your link, OpenWrt needs:

  • to enable the CONFIG_SAE flag in wpad-mini and/or wpad
  • add WPA3 "stuff" to LuCI and UCI
  • DONE!

2 Likes

Well, wpad-mini will probably need 11W too, since WPA3 hijacks the MFP feature bits. But otherwise yes: uci/LuCI is holding it back since nobody knows how complete the uci/LuCI integration should be.

2 Likes
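
The dependency raised in the post above (SAE relying on 802.11w management frame protection) can be checked against a hostapd configuration file. This is an added example, not code from the thread or from OpenWrt; it assumes a single-BSS hostapd.conf-style file, and the function names `conf_get` and `check_sae_mfp` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Audits one hostapd.conf-style file
# (single BSS assumed) for the SAE / 802.11w pairing discussed above.
# wpa_key_mgmt and ieee80211w are standard hostapd option names.

# Print the last value assigned to KEY in FILE (later lines override earlier).
conf_get() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1
}

# check_sae_mfp FILE
#   prints "ok", "no-sae" or "mfp-too-weak"; returns 0, 2 or 1 respectively.
check_sae_mfp() {
    akm=$(conf_get wpa_key_mgmt "$1")
    mfp=$(conf_get ieee80211w "$1")
    mfp=${mfp:-0}                    # hostapd treats a missing option as 0 (off)

    case " $akm " in
        *" SAE "*) ;;
        *) echo "no-sae"; return 2 ;;
    esac

    # SAE alongside a WPA2 PSK AKM is transition mode: MFP optional (1) is
    # enough. SAE alone is WPA3-only: MFP must be required (2).
    case " $akm " in
        *" WPA-PSK "*|*" WPA-PSK-SHA256 "*) min=1 ;;
        *) min=2 ;;
    esac

    if [ "$mfp" -ge "$min" ] 2>/dev/null; then
        echo "ok"; return 0
    fi
    echo "mfp-too-weak"; return 1
}

# Constructed sample: SAE-only network with 802.11w left at its default.
sample=$(mktemp)
printf 'ssid=lab\nwpa=2\nwpa_key_mgmt=SAE\nrsn_pairwise=CCMP\n' > "$sample"
check_sae_mfp "$sample" || true      # prints: mfp-too-weak
rm -f "$sample"
```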

Funny this topic is coming up now, I'm playing with my A5V11 to see if I can get WPA3 to work on it.

Note that it appears you need either OpenSSL or WolfSSL, so the wpad-mini won't work (simply enabling SAE causes it to fail during compile).

I've built a build with CONFIG_SAE and CONFIG_OWE set on wpad-wolfssl and it seems to compile just fine. I'm just trying to get it to fit into 4MB of flash along with zram and LuCI (if I minify Lua sources I can get it to fit, but I want to play around with non-minified sources).

I'm trying now to compile wpad-mini with a reference with WolfSSL and SAE/OWE, we'll see how that works...

wpad-mesh supports SAE for 802.11s and may be sufficient. Selecting the "full" wpad might be an easier path to follow than trying to "hack" wpad-mini into submission, at least for exploratory purposes.

1 Like

I have a feeling you're right...

1 Like

Heads-up: @hauke posted his initial WPA3 patches.
http://lists.infradead.org/pipermail/openwrt-devel/2018-October/014182.html

This adds basic support for SAE which is the new WPA3-PSK SAE mode and
OWE. For OWE the options to configure the transition mode are still
missing. WPA3 Enterprise support is still missing.

It would be nice if this gets some testing, currently I only tested it
with a Linux client using hostapd, are there any other clients
available?

This can also be found here:
https://git.openwrt.org/?p=openwrt/staging/hauke.git;a=shortlog;h=refs/heads/hostapd
I will update the branch more often than these mails.

I read that WPA3 is not supported in most phones. Any news on this?

You're probably like a year early or so.

I mean, I read that hostapd pushed support for SAE mode about 1 year ago, so any device older than 1 year (or anything not compiled with SAE support) will not run, or will run but with SAE disabled?

I also read that WPA3 includes a hybrid mode that makes WPA2-only devices compatible with WPA3.

I don't know if it's interesting. For me it was, so I'll post it here. I know this site is written in German. So in short:
Lancom has released LCOS 10.20 firmware including WPA3 for their routers. The company announced it for all recent access points and WLAN routers. A list of the supported older products is not available currently. But they announced that much of the older hardware is capable of running LCOS 10.20.

@hauke any chance you might do a rebased version on 18.06 please? Or push some updates for the 18.06 branch to bring hostapd up to the same point so that your patches can be applied cleanly?

Any help appreciated, and I understand this is a bit of an ask. Otherwise I'll rebase it myself this weekend and try to test.
Thanks

There is no way that 18.06 will see such a rebase or hostapd update.
Use the master branch to apply the patches.

2 Likes

I kind of thought an 18.06.2 might receive WPA3, but I'm only guessing of course.
Seeing as my dev environment is built on 18.06 I'd prefer to try to test it there, but can appreciate that I might have to make that effort myself of course. This is why I asked the question, with a please on it, without any expectation of result :wink:

2 Likes

You likely guessed wrong. 18.06 is supposed to be a feature-stable stable branch, so having WPA3 there in the near future is unlikely. First WPA3 should work at least for some time in master. Then backporting it to 18.06 might be considered, but would still sound a bit strange.

And if there is going to be a 19.01 stable release, WPA3 might get into that if WPA3 works in master before the forthcoming 19.01 branching.

It would be great if some of the people here in the forum could report how well WPA3-Enterprise is working for them using the latest OpenWrt that supports WPA3-Enterprise thanks to, for example, https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=4c3fae4adcd41f43cf734e4d07a457b111a3d864

To test it out, please just download the image for your device here https://downloads.openwrt.org/snapshots/targets/ and report how well it's working for you (and don't forget to tell the device it's being tested on).

@Ansuel
If you want your phone to support WPA3 then configure your LineageOS build like that and report how well it's working. Your phone should have kernel 3.8 or up. You can check that in the about section on your phone before starting.

What about Windows?

@Ansuel
Please don't use Windows. This is closed source software that violates the basic rules about possible secure systems. You can learn more about the basic rules of security by understanding the requirement of the project https://reproducible-builds.org/ for every software that is running on any system.

If you HAVE to run any closed source software because there is no free-as-in-freedom replacement for it, then you can run it in most cases in Wine. Even huge software blobs like modern games run now in Wine: https://www.youtube.com/watch?v=IWJUphbYnpg

It seems 18.06.2 has no WPA3?