Wpa3 support in OpenWrt?

I managed to get WPA3 to show up in my Luci GUI by installing hostapd-openssl.
Had to make sure the buildmenu had a [*] and not an [M] next to it so it could work.

I build mvebu targets and this is not happening for me. Do you use per device rootfs per chance, looks to be the only thing that might force the package.

1 Like

I replaced wpad-openssl with hostapd-openssl and I still don't have WPA3 options available in LuCI, which is really weird. Could this be a hardware compatibility issue?

Edit: tried this on another ar71xx device (AR9331) and I was able to see WPA3 in LuCI. :confused:

Nailed it, thanks mate. I was able to change it as soon as I deselected that.

Do you know/mind explaining what that option is for?

It allows you to create different builds for subtargets by including / excluding packages from respective images. You can use that facility still, but will have to exclude the problematic package by adding a string to the package list in make menuconfig with a - (hypen) in front of the name, rather than just the name, which would include a package

1 Like

I also use an ar71 device the Archer C7 v4 seems to work for me. Although the craziest thing happened it "used" to work just fine using Openwrt 18 on my TP-Link WDR3600 as a client to my Archer running Openwrt 19. But After I upgraded my Openwrt 18 to 19 on my WDR 3600 device it suddenly "stopped" connecting. Even after setting it back to version 18 it STILL would no longer connect. Which is crazy.

EDIT: Fixed my connectivity problems by resetting the WDR 3600 running Openwrt 18 to factory and setting it up normally.

I'm thinking the technology is probably still too new to just "set it and forget it" and requires slight tweaks to work.

Don't pull your hairs out man. unless you're the one trying to fix this issue then good luck to you. :sweat_smile:

After I set it up I realized none of my stations can connect to it, even if I set it to WPA2-PSK/WPA3-SAE mixed mode... Well, it's worth a shot I guess.

Did you make sure to set 802.11w Management Frame Protection to Optional? I think that's a requirement for WPA3 and not necessary for WPA2 so it should work with WPA Mixed Mode. At least that's how I have mine setup and I am allowed to connect using both "WPA2 and WPA3".

1 Like

WPA3 as a standard mandates the use of 802.11w as required, but you can experiment with that setting under SAE (optional or disabled), both of which should work (especially 802.11w is a problem for many older network chipsets/ devices) but aren't compliant to the WPA3 standard. For WPA2PSK/ WPA3SAE mixed mode, 802.11w can only (reasonably) be set to optional.


Just wanted to thank the developers and contributors that worked to get WPA3 incorporated into OpenWrt. I am building off trunk using hostapd-wolfssl, and my Android Q device connects just fine with the AP set to WPA3 only.


May I know which device you are using? I can’t get WPA3 working in MT76, at least my iOS 13.1.2 iPad says no.

My AP is a PC Engines APU2 (x86) with a Compex WLE600VX (QCA9882) card in it. The client device is a Pixel 3 phone running Android Q stock firmware.

My company-issued cell phone is an iPhone SE running iOS 13.1.2 and, like your iPad, cannot connect to my WPA3-only AP, despite Apple literature saying iOS 13 supports WPA3. Interestingly, in settings it shows support for WPA3-Enterprise but not WPA3-Personal. This is not an admin/company policy restriction on the phone, since it is running stock iOS with no additional apps whatsoever.

1 Like

I upgrade Windows to 1903 and installed the newest Intel Wireless driver last night, WPA3-Personal works fine in both 5G and 2.4G. It seems iOS13 has compatibility problem with WPA3. MT76 is not the problem.

I have the same problem with different OpenWRT devices (running snapshot) and Apple-Clients.

I did a packet capturing, the Apple client sends an 802.11 associate package to the OpenWrt device including SAE cipher and the specific PMKID.

The reply from OpenWrt is:

Status code: Invalid pairwise master key identifier (PMKID) (0x0035)

So the PMKID calculation on the Apple client seems different to the OpenWrt device, but i don't why...

How is this possible? If wpa3 works on other device and the pmkid is calculated at the same way... The the problem is with apple?

I'm not sure, because WPA3 works with Apple clients and LANCOM devices for example (i tried it myself).

So maybe it's a configuration issue or we need an additional hostapd option?

1 Like

Could be that they transfer pmkid in a different way and hostapd doesn't support it? Or openwrt doesn't support it.

confirmed. only wpa3-eap seems to be supported by ios 13.1.2 (no psk)

While settings in MacOS Catalina says "personal WPA3", connecting doesn't work either.

iOS 12 connected fine to a mixed access point (WPA2/WPA3) but iOS 13 doesn't. I think Apple have tried to implement WPA3 but got something wrong which prevents it from falling back to WPA2. See https://www.reddit.com/r/ios/comments/df7mop/ios_13_wont_connect_to_wpa3_networks/.