path: root/docs/wireless.tex
blob: 67502338509568b4a34d194f4a3e0ce3aba6c977 (plain)
The WiFi settings are configured in the file \texttt{/etc/config/wireless}
(currently supported on Broadcom, Atheros and mac80211). When booting the router for the first time
it should detect your card and create a sample configuration file. By default the line '\texttt{option network  lan}' is
commented out. This prevents unsecured sharing of the network over the wireless interface.

Each wireless driver has its own configuration script in \texttt{/lib/wifi/driver\_name.sh} which handles
driver-specific options and configurations. This script also calls driver-specific binaries such as wlc for
Broadcom, or hostapd and wpa\_supplicant for Atheros.

The reason for this architecture is that it abstracts the driver configuration.

\paragraph{Generic Broadcom wireless config:}

\begin{Verbatim}
config wifi-device      "wl0"
    option type         "broadcom"
    option channel      "5"

config wifi-iface
    option device       "wl0"
#   option network  lan
    option mode         "ap"
    option ssid         "OpenWrt"
    option hidden       "0"
    option encryption   "none"
\end{Verbatim}

\paragraph{Generic Atheros wireless config:}

\begin{Verbatim}
config wifi-device      "wifi0"
    option type         "atheros"
    option channel      "5"
    option agmode       "11g"

config wifi-iface
    option device       "wifi0"
#   option network  lan
    option mode         "ap"
    option ssid         "OpenWrt"
    option hidden       "0"
    option encryption   "none"
\end{Verbatim}

\paragraph{Generic mac80211 wireless config:}

\begin{Verbatim}
config wifi-device      "wifi0"
    option type         "mac80211"
    option channel      "5"

config wifi-iface
    option device       "wlan0"
#   option network  lan
    option mode         "ap"
    option ssid         "OpenWrt"
    option hidden       "0"
    option encryption   "none"
\end{Verbatim}

\paragraph{Generic multi-radio Atheros wireless config:}

\begin{Verbatim}
config wifi-device  wifi0
    option type     atheros
    option channel  1

config wifi-iface
    option device   wifi0
#   option network  lan
    option mode     ap
    option ssid     OpenWrt_private
    option hidden   0
    option encryption none

config wifi-device  wifi1
    option type     atheros
    option channel  11

config wifi-iface
    option device   wifi1
#   option network  lan
    option mode     ap
    option ssid     OpenWrt_public
    option hidden   1
    option encryption none
\end{Verbatim}

There are two types of config sections in this file. The '\texttt{wifi-device}' refers to
the physical wifi interface and '\texttt{wifi-iface}' configures a virtual interface on top
of that (if supported by the driver).

A full outline of the wireless configuration file with description of each field:

\begin{Verbatim}
config wifi-device     wifi device name
    option type     broadcom, atheros, mac80211
    option country  us, uk, fr, de, etc.
    option channel  1-14
    option maxassoc 1-128 (broadcom only)
    option distance 1-n
    option agmode     11b, 11g, 11a, 11bg (atheros only)

config wifi-iface
    option network  the interface you want wifi to bridge with 
    option device   wifi0, wifi1, wifi2, wifiN
    option mode     ap, sta, adhoc, monitor, or wds
    option ssid     ssid name
    option bssid    bssid address
    option encryption none, wep, psk, psk2, wpa, wpa2 
    option key      encryption key
    option key1     key 1
    option key2     key 2
    option key3     key 3
    option key4     key 4
    option server   ip address
    option port     port
    option hidden   0,1
    option isolate  0,1
\end{Verbatim}

\paragraph{Options for the \texttt{wifi-device}:}

\begin{itemize}
    \item \texttt{type} \\
        The driver to use for this interface.

    \item \texttt{country} \\
        The country code used to determine the regulatory settings.

    \item \texttt{channel} \\
        The wifi channel (e.g. 1-14, depending on your country setting).

    \item \texttt{maxassoc} \\
        Optional: Maximum number of associated clients. This feature is supported only on the broadcom chipset.

    \item \texttt{distance} \\
        Optional: Distance between the ap and the furthest client in meters. This feature is supported only on the atheros chipset.

    \item \texttt{mode} \\
        The frequency band (\texttt{b}, \texttt{g}, \texttt{bg}, \texttt{a}). This feature is only supported on the atheros chipset.
\end{itemize}

\paragraph{Options for the \texttt{wifi-iface}:}

\begin{itemize}
    \item \texttt{network} \\
        Selects the interface section from \texttt{/etc/config/network} to be
        used with this interface.

    \item \texttt{device} \\
        Set the wifi device name.

    \item \texttt{mode} \\
        Operating mode:

        \begin{itemize}
            \item \texttt{ap} \\
                Access point mode

            \item \texttt{sta} \\
                Client mode

            \item \texttt{adhoc} \\
                Ad-Hoc mode

            \item \texttt{monitor} \\
                Monitor mode

            \item \texttt{wds} \\
                WDS point-to-point link

        \end{itemize}

    \item \texttt{ssid} \\
        Set the SSID to be used on the wifi device.

    \item \texttt{bssid} \\
        Set the BSSID address; in WDS mode this is the MAC address of the other WDS unit.

    \item \texttt{encryption} \\
        Encryption setting. Accepts the following values:

        \begin{itemize}
            \item \texttt{none}
            \item \texttt{wep}
            \item \texttt{psk}, \texttt{psk2} \\
                WPA(2) Pre-shared Key

            \item \texttt{wpa}, \texttt{wpa2} \\
                WPA(2) RADIUS
        \end{itemize}

    \item \texttt{key, key1, key2, key3, key4} (wep, wpa and psk) \\
        WEP key, WPA key (PSK mode) or the RADIUS shared secret (WPA RADIUS mode)

    \item \texttt{server} (wpa) \\
        The RADIUS server ip address

    \item \texttt{port} (wpa) \\
        The RADIUS server port (defaults to 1812)

    \item \texttt{hidden} \\
        0 broadcasts the ssid; 1 disables broadcasting of the ssid

    \item \texttt{isolate} \\
        Optional: Isolation is a mode usually set on hotspots that restricts clients to communicating only with the AP and not with other wireless clients.
        0 disables ap isolation (default); 1 enables ap isolation.

\end{itemize}

\paragraph{Wireless Distribution System}

WDS is a non-standard mode: it works between two Broadcom devices, for instance,
but not between a Broadcom and an Atheros device.

\subparagraph{Unencrypted WDS connections}

This configuration example shows how to set up unencrypted WDS connections.
We assume that the peer configured below has the BSSID ca:fe:ba:be:00:01
and that the remote WDS endpoint is ca:fe:ba:be:00:02 (the option bssid field).

\begin{Verbatim}
config wifi-device      "wl0"
    option type         "broadcom"
    option channel      "5"

config wifi-iface
    option device       "wl0"
    option network      lan
    option mode         "ap"
    option ssid         "OpenWrt"
    option hidden       "0"
    option encryption   "none"

config wifi-iface
    option device       "wl0"
    option network      lan
    option mode         wds
    option ssid         "OpenWrt WDS"
    option bssid        "ca:fe:ba:be:00:02"
\end{Verbatim}

\subparagraph{Encrypted WDS connections}

It is also possible to encrypt WDS connections. The \texttt{psk}, \texttt{psk2} and
\texttt{psk+psk2} modes are supported. The configuration below is an example
using pre-shared keys with the AES algorithm.

\begin{Verbatim}
config wifi-device  wl0
    option type     broadcom
    option channel  5

config wifi-iface
    option device   "wl0"
    option network  lan
    option mode     ap
    option ssid     "OpenWrt"
    option encryption  psk2
    option key      "<key for clients>"

config wifi-iface
    option device   "wl0"
    option network  lan
    option mode     wds
    option bssid    ca:fe:ba:be:00:02
    option ssid     "OpenWrt WDS"
    option encryption  psk2
    option key      "<psk for WDS>"
\end{Verbatim}

\paragraph{802.1x configurations}

OpenWrt supports both 802.1x client and Access Point
configurations. The 802.1x client only works with the
Atheros or mac80211 drivers. The configuration only
supports the EAP types TLS, TTLS and PEAP.

\subparagraph{EAP-TLS}

\begin{Verbatim}
config wifi-iface
    option device         "ath0"
    option network        lan
    option ssid           OpenWrt
    option eap_type       tls
    option ca_cert        "/etc/config/certs/ca.crt"
    option priv_key       "/etc/config/certs/priv.crt"
    option priv_key_pwd   "PKCS#12 passphrase"
\end{Verbatim}

\subparagraph{EAP-PEAP}

\begin{Verbatim}
config wifi-iface
    option device         "ath0"
    option network        lan
    option ssid           OpenWrt
    option eap_type       peap
    option ca_cert        "/etc/config/certs/ca.crt"
    option auth           MSCHAPV2
    option identity       username
    option password       password
\end{Verbatim}

\paragraph{Limitations:}

There are certain limitations when combining modes.
Only the following mode combinations are supported:

\begin{itemize}
    \item \textbf{Broadcom}: \\
        \begin{itemize}
            \item 1x \texttt{sta}, 0-3x \texttt{ap}
            \item 1-4x \texttt{ap}
            \item 1x \texttt{adhoc}
            \item 1x \texttt{monitor}
        \end{itemize}

        WDS links can only be used in pure AP mode and cannot use WEP (except when sharing the
        settings with the master interface, which is done automatically).

    \item \textbf{Atheros}: \\
        \begin{itemize}
            \item 1x \texttt{sta}, 0-Nx \texttt{ap}
            \item 1-Nx \texttt{ap}
            \item 1x \texttt{adhoc}
        \end{itemize}

        N is the maximum number of VAPs that the module allows; it defaults to 4 but can be
        changed by loading the module with the maxvaps=N parameter.
\end{itemize}

\paragraph{Adding a new driver configuration}

Since we currently only support three different wireless drivers (Broadcom, Atheros and mac80211),
you might be interested in adding support for another driver such as Ralink RT2x00 or
Texas Instruments ACX100/111.

The driver-specific script should be placed in \texttt{/lib/wifi/<driver>.sh} and has to
include several functions providing:

\begin{itemize}
	\item detection of the driver presence
	\item enabling/disabling the wifi interface(s)
	\item configuration reading and setting
	\item third-party programs calling (nas, supplicant)
\end{itemize}

Each driver script should append the driver to a global DRIVERS variable:

\begin{Verbatim}
append DRIVERS "driver name"
\end{Verbatim}

\subparagraph{\texttt{scan\_<driver>}}

This function parses \texttt{/etc/config/wireless} and makes sure there
are no configuration incompatibilities, such as enabling hidden SSIDs together with ad-hoc mode.
This can be more complex if your driver supports a lot of configuration
options. It does not change the state of the interface.

Example:
\begin{Verbatim}
scan_dummy() {
	local device="$1"

	config_get vifs "$device" vifs
	for vif in $vifs; do
		# check config consistency for wifi-iface sections
	done
	# check mode combination
}
\end{Verbatim}
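As an added example (not code from OpenWrt or from this document), the script below performs the kind of check \texttt{scan\_<driver>} is meant to do: it audits the security-relevant \texttt{wifi-iface} options described above (an unencrypted interface bridged to a network, WEP, a hidden SSID in ad-hoc mode) and the Broadcom mode combinations from the Limitations section. It carries its own minimal UCI reader instead of \texttt{config\_get}, so it runs outside OpenWrt; the finding codes and the sample configuration are constructed for illustration, and device names are assumed to be plain identifiers such as \texttt{wl0}.

```shell
# Added example, not OpenWrt's own code: a scan_<driver>-style audit of
# /etc/config/wireless with a tiny UCI reader built in, so it runs without
# /etc/functions.sh. Finding codes are invented; device names are assumed plain.
# Close the wifi-iface collected so far: print findings, count its mode per device.
flush_iface() {
    [ -n "$cur_device" ] || return 0
    case "$cur_encryption" in
        none|'') [ -n "$cur_network" ] && echo "$cur_ssid open-iface-bridged-to-$cur_network" ;;
        wep)     echo "$cur_ssid wep-encryption" ;;
    esac
    [ "$cur_mode" = adhoc ] && [ "$cur_hidden" = 1 ] && echo "$cur_ssid hidden-adhoc"
    case "$cur_mode" in ap|sta|adhoc|monitor)
        eval "n_${cur_device}_${cur_mode}=\$((\${n_${cur_device}_${cur_mode}:-0} + 1))" ;; esac
    case " $devs " in *" $cur_device "*) ;; *) devs="$devs $cur_device" ;; esac
    cur_device='' cur_mode='' cur_encryption='' cur_network='' cur_hidden='' cur_ssid=''
}
cnt() { eval "echo \"\${n_${1}_${2}:-0}\""; }   # per-device count of one mode
# Read a wireless config on stdin; print one "<subject> <finding>" line per problem.
audit_wireless() {
    devs='' cur_device='' cur_mode='' cur_encryption='' cur_network='' cur_hidden='' cur_ssid=''
    while read -r kw name val; do
        val=${val%\"}; val=${val#\"}       # UCI values may be quoted
        case "$kw" in
            config) flush_iface ;;         # a new section ends the previous wifi-iface
            option) case "$name" in device|mode|encryption|network|hidden|ssid)
                        eval "cur_$name=\$val" ;; esac ;;
        esac
    done
    flush_iface
    for d in $devs; do   # Broadcom combinations from the Limitations section
        sta=$(cnt "$d" sta); ap=$(cnt "$d" ap); alone=$(($(cnt "$d" adhoc) + $(cnt "$d" monitor)))
        [ "$sta" -gt 1 ] || [ "$ap" -gt $((4 - sta)) ] && echo "$d sta-ap-combination-over-limit"
        [ "$alone" -gt 0 ] && [ $((sta + ap + alone)) -gt 1 ] && echo "$d adhoc-or-monitor-must-be-alone"
    done
    return 0
}
# Constructed sample (not a real router's config): open AP bridged to lan + hidden WEP ad-hoc.
SAMPLE_WIRELESS='config wifi-device wl0
config wifi-iface
    option device wl0
    option network lan
    option mode ap
    option ssid "OpenWrt_public"
    option encryption none
config wifi-iface
    option device wl0
    option mode adhoc
    option ssid OpenWrt_adhoc
    option hidden 1
    option encryption wep'
```

Feed the file on standard input (for instance \texttt{audit\_wireless < /etc/config/wireless}); empty output means no findings.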

\subparagraph{\texttt{enable\_<driver>}}

This function will bring up the wifi device and optionally create application specific
configuration files, e.g. for the WPA authenticator or supplicant.

Example:
\begin{Verbatim}
enable_dummy() {
	local device="$1"

	config_get vifs "$device" vifs
	for vif in $vifs; do
		# bring up virtual interface belonging to
		# the wifi-device "$device"
	done
}
\end{Verbatim}

\subparagraph{\texttt{disable\_<driver>}}

This function will bring down the wifi device and all its virtual interfaces (if supported).

Example:
\begin{Verbatim}
disable_dummy() {
	local device="$1"

	# bring down virtual interfaces belonging to
	# "$device" regardless of whether they are
	# configured or not. Don't rely on the vifs
	# variable at this point
}
\end{Verbatim}

\subparagraph{\texttt{detect\_<driver>}}

This function looks for interfaces that are usable with the driver. Template config sections
for new devices should be written to stdout. Must check for already existing config sections
belonging to the interfaces before creating new templates.

Example:
\begin{Verbatim}
detect_dummy() {
	# nothing to do if a wifi-device section of this driver's type already exists
	[ dummy = "$(config_get dummydev type)" ] && return 0
	cat <<EOF
config wifi-device dummydev
	option type dummy
	# REMOVE THIS LINE TO ENABLE WIFI:
	option disabled 1

config wifi-iface
	option device dummydev
	option mode ap
	option ssid OpenWrt
EOF
}
\end{Verbatim}