[Olsr-users] Encryption in ad-hoc network using Openwrt+OLSR

Ben West (spam-protected)
Mon Apr 7 16:10:44 CEST 2014


Hi Henning,

Adhoc wireless interfaces actually can't be bridged (AFAIK), at least not
with the conventional 'bridge' option in /etc/config/wireless.  I believe
the preferred approach is to use the trelay package to forward packages
to/from a wireless interface to a VLAN.


On Mon, Apr 7, 2014 at 1:36 AM, Henning Rogge <(spam-protected)> wrote:

> Hi,
>
> things getting even more strange... WPA2 WORKS if I remove the wlan
> interface from the openvswitch bridge...
>
> connection over the bridge does also work without wpa2... but not with
> both.
>
> very strange...
>
> Henning Rogge
>
> On Sat, Apr 5, 2014 at 7:26 AM, Henning Rogge <(spam-protected)> wrote:
> > Hi,
> >
> > found out the "psk2" vs "psk2+aes" problem myself, after looking
> > through OpenWRT scripts for a few hours... something in /lib/wifi/...
> > just looks for the "psk2" string, without any wildcards. So now it
> > seems encryption is active, but I have no connectivity at all
> > anymore... but that is a step forward.
> >
> > Will continue to look into this matter on Monday. Thanks for your help.
> >
> > Henning
> >
> > On Fri, Apr 4, 2014 at 5:13 PM, Ben West <(spam-protected)> wrote:
> >> Ah ha!  Some surprises from the OpenWRT folks!
> >>
> >> Apologies for not fully testing the parameter set I gave.  That was actually
> >> what I'm migrating all nodes towards that I manage, to drop older/outdated
> >> encryption standards.  Yes, it looks like "encryption=psk2+aes" does not
> >> work for adhoc mode, failing silently, even though it works just fine for
> >> ap/sta mode.
> >>
> >> "encryption=psk2" works for me on OpenWRT AA r39928 using the wpad package,
> >> which I verified (at least superficially) by running iwlist on an adjacent
> >> node.
> >>
> >>
> >>
> >> On Fri, Apr 4, 2014 at 5:18 AM, Henning Rogge <(spam-protected)> wrote:
> >>>
> >>> Hi,
> >>>
> >>> are you sure about this parameter set?
> >>>
> >>> I tested it between two Ubiquiti M Bullets (ath9k driver) on an up-to-date
> >>> OpenWRT AA with installed wpad.
> >>>
> >>> I didn't get any error, everything worked. But then I noticed that
> >>> there is no wpad process running. So I changed the password on one of
> >>> the two nodes and rebooted it... and they still can talk to each
> >>> other. I assume that the network still runs "open".
> >>>
> >>> Any tips what I could do?
> >>>
> >>> Henning
> >>>
> >>> On Thu, Apr 3, 2014 at 6:02 PM, Ben West <(spam-protected)> wrote:
> >>> > This is possible in current generations of OpenWRT Attitude Adjustment,
> >>> > although I'm not completely sure if the pre-compiled v12.09 binaries support
> >>> > it reliably.  It is called IBSS-RSN.  You would need to include the package
> >>> > wpad or hostapd + wpa_supplicant.  The wpad_mini package as-is doesn't
> >>> > include IBSS-RSN support.
> >>> >
> >>> > Below is an example /etc/config/wireless which I use for adhoc encryption on
> >>> > a UBNT Nano M2.  To my knowledge, tho, IBSS-RSN is only possible with
> >>> > pre-shared keys (i.e. key stored locally on each node's flash), which does
> >>> > bring up security issues.  I.e. WPA Enterprise-style distribution encryption
> >>> > management isn't available yet.
> >>> >
> >>> > config wifi-device  radio0
> >>> >     option type     mac80211
> >>> >     option channel  5
> >>> >     option hwmode   11ng
> >>> >     option macaddr  DC:XX:XX:XX:XX:XX
> >>> >     option htmode   HT20
> >>> >     list ht_capab   SHORT-GI-20
> >>> >     list ht_capab   SHORT-GI-40
> >>> >     list ht_capab   TX-STBC
> >>> >     list ht_capab   RX-STBC1
> >>> >     list ht_capab   DSSS_CCK-40
> >>> >     option beacon_int       337
> >>> >     # REMOVE THIS LINE TO ENABLE WIFI:
> >>> >     option disabled 0
> >>> >
> >>> > config wifi-iface wmesh
> >>> >     option network 'mesh'
> >>> >     option mode 'adhoc'
> >>> >     option device 'radio0'
> >>> >     option ssid 'MyMesh'
> >>> >     option bssid '02:CA:FF:EE:BA:BE'
> >>> >     option encryption 'psk2+aes'
> >>> >     option key 'areallyreallyreallyreallystrongpassword'
> >>> >
> >>> > To take advantage of all the entropy available, I'd recommend using a tool
> >>> > like pwgen to generate a randomized with maximum entropy, and of maximum
> >>> > length (e.g. 63chars).
> >>> >
> >>> > 802.11s meshing, i.e. layer 2 meshing, will at some point support the
> >>> > authsae encryption agent, i.e. for distributed encryption management that
> >>> > does not depend on pre-shared keys.  But, I don't believe it's at a usable
> >>> > state just yet.
> >>> >
> >>> >
> >>> >
> >>> >
> >>> > On Thu, Apr 3, 2014 at 8:57 AM, Andrea Mannoni <(spam-protected)> wrote:
> >>> >>
> >>> >> Hi all,
> >>> >>
> >>> >> I'm working for the implementation of an ad-hoc network that works, in
> >>> >> each repeater, with Openwrt + OLSR.
> >>> >>
> >>> >> I discovered that one critical problem in an ad-hoc network is the
> >>> >> impossibility to encrypt it.
> >>> >>
> >>> >> Did you find a solution at this problem?
> >>> >>
> >>> >> Thank you for your support.
> >>> >>
> >>> >> --
> >>> >>
> >>> >>
> >>> >> --
> >>> >> Olsr-users mailing list
> >>> >> (spam-protected)
> >>> >> https://lists.olsr.org/mailman/listinfo/olsr-users
> >>> >
> >>> >
> >>> >
> >>> >
> >>> > --
> >>> > Ben West
> >>> > (spam-protected)
> >>> >
> >>
> >>
> >>
> >>
> >> --
> >> Ben West
> >> http://gowasabi.net
> >> (spam-protected)
> >> 314-246-9434
>



-- 
Ben West
http://gowasabi.net
(spam-protected)
314-246-9434
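
The thread's failure mode (an adhoc interface configured with "psk2+aes" that silently comes up open) can be caught with a configuration audit. The script below is an added example, not part of the original messages and not OpenWRT code; the function name audit_adhoc_encryption is hypothetical, and the rule that only the exact value "psk2" is accepted for adhoc mode is an assumption taken from what the thread reports for the OpenWRT AA builds discussed.

```shell
#!/bin/sh
# Added example: flag adhoc wifi-iface sections whose encryption setting may
# be silently ignored. Assumption taken from the thread: on the OpenWRT AA
# builds discussed, only the exact value 'psk2' enabled IBSS-RSN.
audit_adhoc_encryption() {
    # $1: UCI wireless config to audit (defaults to the live one)
    awk -v q="'" '
    function unq(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }
    function value(  v) {            # everything after "option <name>"
        v = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)
        sub(/[ \t]+$/, "", v)
        return unq(v)
    }
    function report() {
        if (!insec || mode != "adhoc") return
        hex64 = (length(key) == 64 && key ~ /^[0-9A-Fa-f]+$/)   # raw PSK form
        if (enc == "" || enc == "none") {
            print name ": FAIL no encryption configured"; bad = 1
        } else if (enc != "psk2") {
            print name ": FAIL encryption " enc " may be ignored in adhoc mode"; bad = 1
        } else if (!hex64 && (length(key) < 8 || length(key) > 63)) {
            print name ": FAIL key length " length(key) " outside 8..63"; bad = 1
        } else {
            print name ": OK psk2, " length(key) "-char key"
        }
    }
    $1 == "config" {
        report()                      # close out the previous section
        insec = (unq($2) == "wifi-iface")
        name = ($3 != "" ? unq($3) : "(unnamed)")
        mode = ""; enc = ""; key = ""
        next
    }
    insec && $1 == "option" {
        if ($2 == "mode") mode = value()
        else if ($2 == "encryption") enc = value()
        else if ($2 == "key") key = value()
    }
    END { report(); exit bad + 0 }
    ' "${1:-/etc/config/wireless}"
}
```

A passing audit only shows the configuration is plausible; as in the thread, confirm at runtime that the supplicant process is actually running and that an adjacent node's iwlist scan reports the cell as encrypted.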