Turn a $60-$120 router into an Enterprise class wireless router with OpenWRT

Enterprise Wireless Security and You!

Enterprise Wireless is all about security.  If you had customer transactions going over a wireless network, you’d want to be sure your data was protected from hackers.  Unfortunately, Enterprise security typically involves expensive access point hardware, a radius server, and a complicated configuration.  But, it doesn’t have to be hard!

Why use Enterprise Wireless Security at Home?

Perhaps you have financial information to protect?  your source code?  the secret formula for Coke or other trade secret?  Or maybe you just want to keep everyone off your wifi so bad things don’t happen to you.

What’s wrong with my Wireless Security?

Most home wireless networks use Pre-Shared Key security, like WPA-PSK.  With this type of security every machine on your network is using the same key.  A side effect of this is that anyone with the PSK can sniff the wireless network and see everything that’s going on.  PSK networks are also susceptible to brute-force hacks, though it will take a determined hacker if you are using WPA2-PSK.  With WPA2 Enterprise security, every client has their own encrypted tunnel, so a wireless client can’t sniff the packets of another wireless client.  With Enterprise security, you’ll be able to add a user to your Wifi network, allow a guest to use the network using that new user ID, then later remove the user ID, blocking their access.  To do the same thing with a WPA-PSK network after a guest has used your key, you’d need to change every remaining client to a new key.  What a pain!

Why I wrote this

I couldn’t find a HOWTO specifically to use WPA2 Enterprise with OpenWRT, so I searched through the OpenWRT forum, wiki, various other websites, the FreeRadius2 documentation, etc. to come up with a working configuration, taking notes on it as I went along.  I’m posting this here for others, but also so that I can find it again in the future.  I just took a little extra time to fill in the gaps of the notes that I took while I experimented with this.

Getting Started

You first need a Wireless router that is compatible with OpenWRT, about the most flexible of the community firmware available (no offense to the others).  Fortunately, there is a long list of them here.  Just select the maker on the far right of that page and you’ll get all the models of that maker that are compatible.  You probably need one with at least 8 MB of Flash.  Mine has 16 MB of flash, and after completing this process, I was down to just under 10 MB free.

If you are going to buy a new one, I suggest the Netgear WNDR3800 (pictured at the top of this entry).  I picked mine up from my local CostCo for $119.  This is a great router for enthusiasts, as it comes with a 680 MHz processor, 128 MB of DRAM and 16 MB of Flash.  That may not sound like much, but in these boxes, it can do quite a lot.

Load the Firmware

Download the appropriate firmware from OpenWRT’s site.  The one I’m using for  my Netgear WNDR3800 is right here.  From what I could gather from the forums, you generally want one with “factory” in the name, since we will be upgrading from a stock factory firmware.  You want one with squashfs too.

Log into your Router’s web interface of your model and go to the firmware update page.  For the WNDR3800, it’s under Advanced, Administration, Firmware Update.

Update the firmware and give it plenty of time to complete.  This took about 3-4 minutes in my case, but it could take a bit longer.  Don’t be impatient here!

Basic Configuration

Log into the web interface of OpenWRT.  It will probably be at http://192.168.1.1/.  The default username is root with no password.  Set a password.

Configure the Router as you normally would.  If you use it as your router, set it up that way with DHCP enabled, etc.  If you use it as an AP/Switch only, make sure to set your default gateway and DNS server under the Network, Interfaces, then LAN tab.

Installing the Test Configuration

The method used in this guide involves a minimal number of changes from the default configuration files, with testing at various points to ensure everything is working.  This config has a lot of moving parts, so this should limit the possibility that you make a mistake, plus it helps you to better understand how it actually works.

Remove Unneeded Software

Navigate to System, then the Software tab, and you’ll see one of my favorite parts of OpenWRT, the software screen.   Hit the Update lists link to get a fresh list of packages.

On the Installed Packages tab, hit the Remove link next to freeradius.  This will uninstall the freeradius package, as we are going to use the freeradius2 package.

Hit the Remove link next to wpad-mini.

If you are running this as an AP only, hit the Remove link next to the firewall package too. 

Install FreeRadius

You could use the Web Interface to install all the packages one at a time, but to speed things along, SSH into your OpenWRT box.  (Use Putty under Windows to SSH)

After you’re logged in, run this command:

opkg install wpad freeradius2 freeradius2-mod-eap freeradius2-mod-eap-mschapv2 freeradius2-mod-eap-peap freeradius2-mod-eap-tls  freeradius2-mod-eap-ttls freeradius2-mod-files freeradius2-mod-mschap  freeradius2-utils freeradius2-mod-radutmp freeradius2-mod-realm freeradius2-mod-exec freeradius2-mod-pap freeradius2-mod-chap freeradius2-democerts

Next, we edit some text files.  I use Vi.  Here’s a guide to Vi or you could install the nano package and follow this guide to that text editor.

vi /etc/freeradius2/users

Find the line:
#steve  Cleartext-Password := “testing”

Uncomment that line and save the file. For the purposes of testing, you are now “steve”.

vi /etc/freeradius2/sites/default

There are numerous line with the word unix on them.  All but one are commented out.  Comment out the last unix line and save.

vi /etc/freeradius2/radiusd.conf

Find the line consisting of interface = br-lan.  Comment this line out and save.

Note:  For other hardware types, the interface line may be different.  Comment it out anyhow.

vi /etc/freeradius2/clients.conf

Find the line consisting of ipaddr = 127.0.0.1

Change this to the LAN IP of your OpenWRT box.

Initial Radius Test

Now, we will start the Radius server and do an initial test.

From your SSH session:

radiusd -XX

Lots of debug output will show up.  The last line should say Ready to process requests.  If it doesn’t, start troubleshooting why.

NOTE:  You can’t enter any more commands in your current SSH session.

Open a new SSH session to your OpenWRT box.

Now, we will actually send a test to the radius server and see if it processes it properly.  Type this in to test with your “steve” user, being sure to replace “OpenWRT_LAN_IP” with the LAN IP of your OpenWRT box.

echo “User-Name = steve, User-Password = testing” | radclient -x OpenWRT_LAN_IP auth testing123

You should get something like this back:

rad_recv: Access-Accept packet from host 192.168.111.4 port 1812, id=44, length=20

In the window where FreeRadius is running, look at the output.  You should see some 15-20 lines or so explaining exactly what happened with your request.

NOTE:  When authenticating Wifi, you’ll get MUCH, MUCH more output.  If this test worked, but Wifi doesn’t, look at this output to see what went wrong.  Look for “Rejected” or “Failed” or something similar.

Initial Wifi Radius Test

Assuming everything went well with the previous test, we’ll now configure the WiFi settings.

In the OpenWRT web interface, go to the Network tab, then Wifi, and select radio 0.

Under the Wireless Security tab, set:

Encryption to WPA-EAP
Cipher to Force CCMP (AES)
Radius-Authentication-Server to the LAN IP of your OpenWRT box
Radius-Authentication-Port to 1812
Radius-Authentication-Secret with testing123

Select Save & Apply

If radio 0 is not already enabled, Enable it.

Using an iPad, iPod, or iPhone, try to connect to your Wireless network (the default SSID is OpenWRT).  You can use other devices, but they may be more difficult to configure, so I won’t go into that here.

On your iDevice, you’ll be prompted for a Username and Password.  Use steve for the username and testing for the password.
After using the username and password, you’ll be prompted to accept the certificate.  Do so.

If all goes well, you should get an IP Address from your DHCP server and you should be able to browse the Internet from your iDevice.

Customizing Your Config

Assuming you are successfully browsing on Wifi with your iDevice, we are ready to go to the next steps.  Now that we know that it works with most of the defaults and demo certificates, we will make our installation unique.

Radius Shared Secret

In OpenWRT, under Wireless Security for this radio, change the Radius-Authentication-Secret to a random string of your choosing.  This is called a Shared Secret, and it must be the same on the WiFi settings of your Router and in the Radius server config.  Save and apply.

vi /etc/freeradius2/clients.conf

Find the secret = testing123 line, and put your secret here, replacing testing123.

Generate certificates

First, install the software to handle certificate generation via your SSH session.

opkg install openssl-util

Next, remove the demo certs that we’ve been testing with.

cd /etc/freeradius2/certs
rm ca.pem
rm server.pem

Now, generate your CA Key.

openssl genrsa -des3 -out ca.key 2048

You’ll be prompted for a passphrase.  Pick something at least 4 characters long.  Make a note of it.

Next, generate the CA Certificate (we are making a 10 year cert)

openssl req -new -x509 -days 3650 -key ca.key -out ca.pem

Answer the prompts, being sure to include “CA” in the “Common Name” section.  Bold Red text is to emphasize the answer.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:FL
Locality Name (eg, city) []:Jacksonville
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Wifi
Organizational Unit Name (eg, section) []:Wifi
Common Name (eg, YOUR name) []:Wifi CA
Email Address []:

Don’t put a challenge phrase when prompted.

Next, we generate a server key.

openssl genrsa -des3 -out server.key 2048

When prompted for a passphrase, use the same one you used before.

Now, we generate a certificate request.

openssl req -new -key server.key -out server.csr

Answer the prompts, being sure that the “Common Name” is different from your previous answer.  Bold Red text is to emphasize the answer.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:FL
Locality Name (eg, city) []:Jacksonville
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Wifi
Organizational Unit Name (eg, section) []:Wifi
Common Name (eg, YOUR name) []:Wifi
Email Address []:

Don’t put a challenge phrase when prompted.

Now, we generate a server certificate and sign it using the Certificate Authority.

openssl x509 -req -days 3650 -in server.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out server.pem

When prompted for a passphrase, put in the one you did before.

Now that we’ve got our unique certificates, update the EAP Radius config file.

vi /etc/freeradius2/eap.conf

Find the line private_key_password and replace whatever with the passphrase you’ve chosen.

Change the line private_key_file to end in server.key.

Add Users and Passwords

vi /etc/freeradius2/users

Comment out steve and add all the users and passwords you wish, using the same format, like so:

jack  Cleartext-Password := “OfAllI.T.”
jacksphone Cleartext-Password := “SiriIsCool”

Wifi Test with Customizations

Hit CTRL-C on the SSH session running Radius, then restart radius:

radiusd -XX

It should start up cleanly, ending with the same Ready to Process Requests message as before.

Now login with your iDevice.  Use the new username and password you set, and then you’ll be prompted to accept your certificate.

Finalizing Your Config

Assuming you were prompted for the new Cert, there are just a few things left to do.

Hit CTRL-C on the SSH session running Radius.

vi /etc/init.d/radiusd

In the start function, change

radiusd -i $IPADDR -p 1812,1813 $OPTIONS

to

radiusd $OPTIONS

In the web interface, go to System, Startup, then enable the RadiusD service.  That tells it to start when OpenWRT boots.

Finally, hit Start next to RadiusD.  Now, your fully customized radius server is up and running, ready to handle all your WPA2 Enterprise authentication requests.

What about Windows and Mac OS X?

Mac OS X is almost as easy as an iDevice.  It’s basically the same steps.

Windows 7?  I’m not sure, but I imagine it is similar.  I do know that Windows XP involved installing your certificate.

Perhaps I’ll do a follow-up with screenshots showing each of these options.

Further Expansion

If you want to add more APs, it’s as easy as configuring them to point to the LAN IP of your OpenWRT box, pointing to port 1812 and putting in a good shared secret.
Next, edit the /etc/freeradius2/clients.conf file and add your new AP, like so:

client ap1 {
ipaddr          = 192.168.1.2
secret          = MyLongSharedSecret
nastype         = other
}

Finally, go to your OpenWRT web interface, System, Startup, then click Restart next to RadiusD.