Hotspot 2.0 OpenWRT Configuration Guide
by SimeonOnSecurity in Workshop > Tools
1430 Views, 2 Favorites, 0 Comments
Hotspot 2.0 OpenWRT Configuration Guide
In today’s connected world, providing seamless and secure Wi-Fi
connectivity is essential for various industries and public spaces. One
revolutionary technology that addresses this need is Hotspot 2.0, also known as Passpoint 2.0. In this guide, we will explore how to set up Hotspot 2.0 on OpenWRT, a popular open-source router and access point firmware.
The Significance of Hotspot 2.0 and Passpoint 2.0
Hotspot 2.0 brings enhanced security and convenience to Wi-Fi connectivity by automating the connection process and ensuring a secure exchange of credentials. Before diving into the technical details, let’s address the key questions: What is Hotspot 2.0, and why is it crucial for modern Wi-Fi networks?
Hotspot 2.0, defined by the IEEE 802.11u standard, enables seamless and secure Wi-Fi roaming by allowing mobile devices to connect to Wi-Fi networks automatically. This technology eliminates the hassle of manually selecting and authenticating with each network, providing users with a more efficient and user-friendly experience.
Enhancing User Experience
One of the main goals of Hotspot 2.0 is to enhance the user experience when connecting to Wi-Fi networks.
With Passpoint certification, smartphones can automatically identify and connect to Passpoint-certified access points. This eliminates the need for users to navigate through network lists and enter credentials manually.
Security and Authentication
Hotspot 2.0 addresses security concerns by implementing robust authentication
protocols. The Passpoint profile on a smartphone contains essential information, including MCC-MNC (Mobile Country Code – Mobile Network Code), NAI realm, and OI (Organization Identifier). These elements, along with login credentials, establish a secure connection to the service provider.
Interoperability and Roaming
Passpoint profiles are not tied to specific SSIDs, allowing them to work across any WLAN with appropriate Passpoint configuration. This interoperability ensures a consistent and reliable connection experience, especially in
environments with multiple access points.
Downloads
Supplies
Recommended OpenWRT Devices with Hotspot 2.0 and Passpoint 2.0 Support
Are you searching for the perfect OpenWRT device with robust Hotspot 2.0 and Passpoint 2.0 support? Look no further! We’ve curated a list of highly recommended devices that seamlessly integrate these advanced features into your network. From the GL-MT6000 (Flint 2) with WiFi 6 capabilities to the pocket-sized GL-AXT1800 (Slate AX) offering gigabit travel convenience, explore the best options for
enhanced connectivity and security. Upgrade your router experience with
these top-notch devices tailored for Hotspot 2.0 enthusiasts and
professionals alike.
- GL.iNet GL-MT6000 (Flint 2) WiFi 6 Router
- GL.iNet GL-AXT1800 (Slate AX)
- GL.iNet GL-MT3000 (Beryl AX)
- GL.iNet GL-SFT1200 (Opal)
hgot07 and we have completed testing, in addition to the above, on other GL.iNet devices
including the Mango (Has storage issues however), Slate and Beryl devices on both internal and external wireless interfaces.
Recommended External WiFi Adapters for HotSpot 2.0 Support on OpenWRT
When it comes to enhancing your OpenWRT setup with external WiFi adapters, especially for HotSpot 2.0 support, choosing the right hardware is crucial. Below, we recommend some top-performing external WiFi adapters known for their OpenWRT compatibility and 802.11 AX support.
We recommend these adapters for their overall OpenWRT compatibility and 802.11 AX Support. Top down, best to worst.
- ALFA AWUS036AXML 802.11axe WiFi 6E USB 3.0 Adapter AXE3000, Tri Band 6 GHz
- ALFA AWUS036AXM WiFi 6E USB 3.0 USB Adapter, AXE3000 Tri-Band 6Ghz/5.8GHz/2.4GHz
- NETGEAR WiFi AC1200 USB 3.0 Adapter (A6210)
For a list of other documented adapters that have support on Linux and OpenWRT See the
Implementing Hotspot 2.0 on OpenWRT
Prerequisites for Hotspot 2.0 on OpenWRT
Before configuring Passpoint on OpenWrt, ensure you have the following prerequisites:
- OpenWrt compatible device with a Passpoint-capable wireless device (PHY).
- OpenWrt 21.02, or newer, including
wpad
(hostapd) built with thehs20
option. - Full version of the
iw
package in OpenWrt. - 802.1x infrastructure (RADIUS server).
- Information about the assigned RADIUS servers:
Note: This information can be obtained through an email or document through your provider. If you’re using
Google Orion like we are in our examples below, you’ll be self hosting a freeradius based radsec proxy . We won’t be going into this in this article so please read your providers instructions carefully.
Updating OpenWRT Packages for Hotspot 2.0 Support on OpenWRT
Before configuring Hotspot 2.0 on OpenWRT, ensure that your system has the required packages installed.
Use the following commands to install necessary components:
opkg update
opkg --force-removal-of-dependent-packages remove iw iw-full wpad-basic gl-sdk4-repeater hostapd-basic host-apdcommon hostapd-openssl wpad-openssl
opkg --force-overwrite --force-removal-of-dependent-packages install iw-full hostapd-common wpad-openssl nano
If you’ve purchased one of the GL.iNet devices we recommended above you’ll also run the following command:
Configuring Wireless Interfaces for Hotspot 2.0 on OpenWRT
opkg --force-overwrite install kmod-ath10k-smallbuffers kmod-ath9k kmod-ath9k-common kmod-ath kmod-mac80211 kmod-cfg80211
Configuring Wireless Interfaces for Hotspot 2.0 on OpenWRT
In the /etc/config/wireless
file, customize the settings for your Hotspot 2.0-enabled interface.
Ensure the correct device, encryption type, and other parameters are
set. Pay attention to the WAN Metrics, NAI Realm, and Domain Names sections to tailor them to your service provider.
Copy and modify the following carefully. Once working, mirror it for the 2.4ghz, 5ghz, and 6ghz radios while adjusting the wifi-iface config name
, ifname
, and device
(radio) options for each radio.
nano /etc/config/wireless
config wifi-iface 'radio1_orion5g'
#Modify to your radsec proxy server / radius server
option acct_secret 'radsec'
option acct_server 'xxx.xxx.xxx.xxx'
option auth_secret 'radsec'
option auth_server 'xxx.xxx.xxx.xxx'
# Likely radio0 or radio1 if using built in radios, if using a usb device it'll likely be radio 2
option device 'radio1'
# Change between either wpa2-mixed or wpa3-mixed
option encryption 'wpa3-mixed'
# first number matches the radio, second is the ssid number. Both start at 0
# Ex wlan1-2 would be radio 1, ssid 2.
option ifname 'wlan1-2'
#Table E-4 of IEEE Std 802.11-2012 Annex E define the values that can be used in this. (Likely just use 5173)
# https://ieeexplore.ieee.org/iel5/6361246/6361247/06361248.pdf
# https://mentor.ieee.org/802.11/dcn/10/11-10-0564-00-0s1g-operating-classes.ppt
#format: hexdump of operating class octets
option hs20_operating_class '5173'
# See Instructions Below (Optional, omit if you want.)
option hs20_wan_metrics '01:3e80:3e80:33:99:3000'
# Venue Info
# The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34
option iw_venue_group '1'
option iw_venue_type '7'
# Specify the same nasid for both 2.4ghz and 5ghz. Use any time the network is different. Normally it'll be the same across the board for all AP's in the same location.
option nasid 'OrionWRT'
# Likely leave as guest, but customize if needed
option network 'guest'
# Likely Leave as Orion or OrionWiFi if using orion. But SSID can be anything you want.
option ssid 'OrionWiFi'
# Specify the IP address type availability as '11'.
# IP Address Type Availability (ANQP) setting that indicates the availability of IP address types on the Passpoint network.
# The value '11' informs Passpoint clients that both IPv4 and IPv6 addresses are available on the network.
# It helps clients understand the network's IP address capabilities.
# Refer to IEEE Std 802.11-2016, Section 9.4.2.72 for more details on IP Address Type Availability.
option iw_ipaddr_type_availability '11'
# Local time zone as specified in 8.3 of IEEE Std 1003.1-2004
# Set as CST, Feel free to customize or omit.
# stdoffset[dst[offset][,start[/time],end[/time]]]
# We've defaulted it to Central Standard Time (most of our US based readers are in CST/CDT.)
#This config is optional. You can safely omit it.
option time_zone 'CST6CDT,M3.2.0,M11.1.0'
# Specify the access network type as '2' (Chargeable public network).
# Access Network Type (ANQP) is set to '2' indicating a Chargeable public network.
# This value informs clients that the network requires payment for access.
# Refer to IEEE Std 802.11-2016, Section 9.4.2.72 for more details.
option iw_access_network_type '2'
# Specify the network authentication type as '00'.
# Network Authentication Type (ANQP) setting that specifies the network's authentication type for Passpoint.
# The value '00' indicates that the network authentication is open or unspecified.
# It informs Passpoint clients about the type of authentication used by the network.
# Refer to IEEE Std 802.11-2016, Section 9.4.2.72 for more details on Network Authentication Type.
option iw_network_auth_type '00'
# Operator-friendly name for Hotspot 2.0. (Can be anything you'd like as long as it is prefixed with your lang code.)
option hs20_oper_friendly_name 'eng:Orion'
# List of venue names associated with the Passpoint network, specifying language code and venue information. (Can be anything you'd like as long as it is prefixed with your lang code.)
list iw_venue_name 'eng:Orion'
# List of venue URLs associated with the Passpoint network, specifying language code and URL. (Can be any https url. Will Popup as notification on devices that connect.)
list iw_venue_url '1:https://orionwifi.com'
# List of operator icons, specifying width, height, language code, image format, and icon filename. (This doesn't need to be a valid path but must be specified on OpenWRT)
list operator_icon '64:64:eng:image/png:operator_icon:operator_icon.png'
#ProxyARP and 80211k are not supported on all devices, remove if you have issues.
option proxy_arp '1'
option ieee80211k '1'
# Comment out what you don't need and uncomment/modify what you do.
#AT&T / Orion 3gpp
list iw_anqp_3gpp_cell_net '310,150'
list iw_anqp_3gpp_cell_net '310,280'
list iw_anqp_3gpp_cell_net '310,410'
list iw_anqp_3gpp_cell_net '313,100'
#T-Mobile 3gpp
# list iw_anqp_3gpp_cell_net '310,240'
# list iw_anqp_3gpp_cell_net '310,260'
# list iw_anqp_3gpp_cell_net '310,310'
#Orion domain Names
list iw_domain_name 'orion.area120.com'
list iw_domain_name 'orionwifi.com'
list iw_domain_name 'dogwood120.net'
list iw_domain_name 'openroaming.goog'
list iw_domain_name 'wifi.fi.google.com'
#AT&T Domain Names
#list iw_domain_name 'attwifi.com'
#list iw_domain_name 'att.com'
#list iw_domain_name 'attwireless.com'
#T-Mobile Domain Names
#list iw_domain_name 't-mobile.com'
#OpenRoaming / IronWiFi Domain Names
#list iw_domain_name 'ironwifi.net'
#list iw_domain_name 'openroaming.org'
#list iw_domain_name 'apple.openroaming.net'
#list iw_domain_name 'google.openroaming.net'
#list iw_domain_name 'ciscooneid.openroaming.net'
# Anything more than 3 OUIs and the information won't be available until the client performs a GAS Request.
# Orion / AT&T / OpenRoaming Default Consortium
list iw_roaming_consortium 'f4f5e8f5f4'
#OpenRoaming Consortium
#Baseline Participation: OpenRoaming for All Identities, settlement-free, no personal data requested, baseline QoS - includes, but is not limited to users in education and research
#list iw_roaming_consortium '5a03ba0000'
#Education-Only Participation: OpenRoaming Visited Network Providers who want to signal that they specifically welcome educational and research (i.e. eduroam) visitors settlement-free,
#list iw_roaming_consortium '5a03ba0800'
#IronWiFi Consortium
#list iw_roaming_consortium 'AA146B0000'
#list iw_roaming_consortium 'BAA2D00000'
#list iw_roaming_consortium '5A03BA0000'
#Cisco OpenRoaming and Samsung OneUI Onboarding
#list iw_roaming_consortium '004096'
#EDURoam Consortium
#list iw_roaming_consortium '001BC50460'
#Orion NAI Realm
list iw_nai_realm '0,*.orion.area120.com,13[5:6],21[2:4][5:7],23[5:1][5:2],50[5:1][5:2],18[5:1][5:2]'
#AT&T NAI Realm
#list iw_nai_realm '0,*wlan.mnc410.mcc310.3gppnetwork.org,13[5:6],21[2:4][5:7],23[5:1][5:2],50[5:1][5:2],18[5:1][5:2]'
#T-Mobile NAI Realm
#list iw_nai_realm '0,*wlan.mnc260.mcc310.3gppnetwork.org,13[5:6],21[2:4][5:7],23[5:1][5:2],50[5:1][5:2],18[5:1][5:2]'
#IronWiFi Realm
#list iw_nai_realm '0,ironwifi,13[5:6],21[2:4][5:7]'
# Don't Touch
# Some options are repeated for legacy support
# ANQP (Access Network Query Protocol) Domain ID, used to uniquely identify the Passpoint domain.
option anqp_domain_id '0'
# Enable BSS (Basic Service Set) transition support for efficient handovers between APs.
option bss_transition '1'
# Disable Directed Group Address Forwarding (DGAF) support.
option disable_dgaf '1'
# Set disabled to '0' to enable the interface.
option disabled '0'
# Identify the ap as a guest access point.
option guest '1'
# Enable Hotspot 2.0 support in Passpoint.
option hotspot20 '1'
# Enable Hotspot 2.0 (HS2) support in Passpoint.
option hs20 '1'
# Set the deauthentication request timeout for Hotspot 2.0.
option hs20_deauth_req_timeout '60'
# Enable internet access for the Passpoint network.
option internet '1'
# Isolate clients on the Passpoint network for enhanced security.
option isolate '1'
# Enable or disable ASRA (ANQP Service Required for Access).
option iw_asra '0'
# Disable Directed Group Address Forwarding (DGAF) for Passpoint.
option iw_disable_dgaf '1'
# Enable Passpoint functionality.
option iw_enabled '1'
# Enable or disable Emergency Services Reachability (ESR) for Passpoint.
option iw_esr '0'
# Enable internet access for Passpoint.
option iw_internet '1'
# Enable interworking with external networks for Passpoint.
option iw_interworking '1'
# Disable UESA (Unauthenticated Emergency Service Availability)
option iw_uesa '0'
# Set the mode to 'ap', indicating that the wireless interface is operating in Access Point mode.
option mode 'ap'
# Enable the Requested Connectivity to User Information (CUI) feature.
# CUI is used to request user-specific information during the network selection process and is mandatory for Google Orion.
option request_cui '1'
# Enable the WNM (Wireless Network Management) Sleep Mode Transition with No Keys option.
# This option allows the device to perform sleep mode transitions without exchanging keys, improving efficiency.
option wnm_sleep_mode_no_keys '1'
Afterwards we need to run two commands:
Fixing 3GPP Bug for Hotspot 2.0 Support on OpenWRT
OpenWRT doesn’t configure hostapd
directly. It uses a script at /lib/netifd/hostapd.sh
to convert your config at /etc/config/wireless
to the appropriate hostapd
config. On some distros of OpenWRT there is a bug that prevents 3GPP configurations.
Run the following command on your device to resolve it:
sed -i '/append_iw_anqp_3gpp_cell_net() {/,/}/c\
append_iw_anqp_3gpp_cell_net() {\
if [ -z "$iw_anqp_3gpp_cell_net_conf" ]; then\
iw_anqp_3gpp_cell_net_conf="$1";\
else\
iw_anqp_3gpp_cell_net_conf="$iw_anqp_3gpp_cell_net_conf;$1";\
fi\
}' /lib/netifd/hostapd.sh
Just one character is the issue. The script above is fine to run on all devices. It won’t make any changes if the bug isn’t there.
Testing Hotspot 2.0 Functionality on OpenWRT
After configuring your interface and performing the 3gpp fix, you’ll run the following command to reload your wireless config:
wifi
Then verify that the interface becomes available:
iwinfo
Verifying Hotspot 2.0 Client Capability on Windows
To see whether Passpoint is supported by your Wi-Fi device on Windows 10/11, verify if “ANQP Service Information Discovery” is “Supported”, using the following command:
netsh wlan show wirelesscapabilities
To read more about the technical details on how to configure hotspot 2.0 on openwrt devices, click here.