WPA3 support in OpenWrt?

  • does OpenWrt support WPA3? Yes, for official releases, since 19.07 with wpad-openssl. wpad-wolfssl has been fixed in master/development
  • does it require special hardware? No AFAIK
  • any negative issues (like lower performance on older hardware)? In my test case no, the WLAN speed seems to be CPU-bound even without encryption, others with more experience may chime in?
  • a word about compatibility with other devices (like the mentioned Apple issue)? You can go ahead and add later when people report other incompatibilities
  • is mixed WPA2/WPA3 really more secure than just WPA2? I read that exclusive WPA3 is better, but forgot the details. see reply of huaracheguarache
  • is WPA/WPA2/WPA3 mixed mode possible? (I see no support for it currently, but what in theory?)
    no idea, but why would anyone still use WPA?

...................

Notes:

  • doesn't work on the WRT AC series of routers (mwlwifi). Probably important to note as they're very popular.
  • some older hardware needs hardware encryption disabled in the driver for it to work with WPA3
    WPA3 not working on TL-wr1043NDv1

https://openwrt.org/docs/techref/driver.wlan/mwlwifi would be the place to document mwlwifi specific stuff, e.g. WPA3 issues / WPA3 incompatibilities / general development status.

Fortunately this particular issue with ath9k and draft-n wireless chipsets <= AR9160 will be resolved with "mac80211: ath9k: enable MFP capability unconditionally", which I've just successfully tested on my tl-wr1043nd v1:

root@tl-wr1043ndx:~# grep -i -e sae -e 80211w /tmp/run/hostapd-phy0.conf 
sae_require_mfp=1
wpa_key_mgmt=SAE
ieee80211w=2
root@ath5k-client:~# wpa_cli -i wlp3s0 status | grep -i -e sae -e 80211w -e mfp -e pmf
key_mgmt=SAE
pmf=2
sae_group=19

Similar efforts have been happening (upstream) for b43 and rt2x00 as well (not yet in OpenWrt); ath5k worked fine with WPA3/SAE from the beginning. Yes, enabling IEEE 802.11w (which is mandatory for WPA3) on devices that can't do it hardware accelerated does come with a steep performance penalty, but at least it (now) works, without having to supply module parameters manually.

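The `grep` check in the post above, turned into a small script (an added example, not from the thread or from OpenWrt): it reads a hostapd config and reports whether SAE is offered and whether management frame protection is actually enforced for SAE stations. The option names are hostapd's; the category names and the sample config are made up for illustration, and a single-BSS config file is assumed.

```shell
#!/bin/sh
# Added example: classify the SAE/MFP posture of a hostapd config file.
# Option names are hostapd's; category names and sample data are made up.

# Print the value of the last "KEY=value" line for KEY in FILE.
conf_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Echo one of: no-sae, sae-mfp-not-enforced, wpa2-wpa3-mixed, wpa3-sae
check_wpa3() {
    key_mgmt=$(conf_get wpa_key_mgmt "$1")
    mfp=$(conf_get ieee80211w "$1")
    sae_mfp=$(conf_get sae_require_mfp "$1")
    mfp=${mfp:-0}          # hostapd default: MFP disabled
    sae_mfp=${sae_mfp:-0}  # hostapd default: SAE does not force MFP

    has_sae=0; has_psk=0
    for akm in $key_mgmt; do
        case $akm in
            SAE|FT-SAE) has_sae=1 ;;
            WPA-PSK|WPA-PSK-SHA256|FT-PSK) has_psk=1 ;;
        esac
    done

    # SAE stations must use MFP if it is required for everyone (2), or
    # optional overall (1) but required for SAE via sae_require_mfp.
    enforced=0
    [ "$mfp" -eq 2 ] && enforced=1
    [ "$mfp" -eq 1 ] && [ "$sae_mfp" -eq 1 ] && enforced=1

    if [ "$has_sae" -eq 0 ]; then echo no-sae
    elif [ "$enforced" -eq 0 ]; then echo sae-mfp-not-enforced
    elif [ "$has_psk" -eq 1 ]; then echo wpa2-wpa3-mixed
    else echo wpa3-sae
    fi
}

# Constructed sample holding the three lines shown in the post above.
sample=$(mktemp)
printf '%s\n' sae_require_mfp=1 wpa_key_mgmt=SAE ieee80211w=2 > "$sample"
echo "sample config: $(check_wpa3 "$sample")"
rm -f "$sample"
```

On a router the function would be pointed at the generated file, e.g. `check_wpa3 /tmp/run/hostapd-phy0.conf`.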

Hi there, are you working on it now?

Cheers.

How much performance penalty?

Hmm, the https://en.wikipedia.org/wiki/IEEE_802.11w-2009 page says:

is required for 802.11 implementations that support TKIP or CCMP

So all WPA and WPA2 hardware should support it? Or am I misunderstanding something?

In theory, perhaps - in practice not at all. Even among the 802.11ac chipsets functional 802.11w support is not a given, even less hardware accelerated pmf/mfp.

About Apple WPA3 support:

on my iPhone SE, the options for Security offered are:

  • None
  • WEP
  • WPA
  • WPA2
  • WPA Enterprise
  • WPA2 Enterprise
  • WPA3 Enterprise

on iPad 6th gen:

  • None
  • WEP
  • WPA
  • WPA2/WPA3
  • WPA3
  • WPA Enterprise
  • WPA2 Enterprise
  • WPA3 Enterprise

Both running iOS 13.5.1

So either the SE hardware does not support WPA3 Personal or it is some UI glitch.

Where are you seeing these options listed? App on the phone itself? I have an iPhone 7 that connects to pure WPA-SAE just fine.

Same on MacBook Air 2012, it seems that WPA3 is not fully supported on older Apple hardware.

In Settings, when manually adding a network. Click/tap on "Other..." below the list of detected networks.

Nice, I did not know about this. From my iPhone7:

It seems that Apple cuts functionality on older devices. Deceives people. Here's what's on my iPhone 6s, iOS 14 beta:

Hello, I didn't find any info about PC OS support for this (Windows, OSX, Linux, etc.).
So far I only see it working on Android Q devices (via the sharing QR code feature).
Any info about it?

PS: I'm also interested if a LuCI interface for that feature exists?