[Olsr-users] Encryption in ad-hoc network using Openwrt+OLSR

Henning Rogge (spam-protected)
Mon Apr 7 16:20:31 CEST 2014


Hi Ben,

I am using a specially configured bridge based on OpenVSwitch... it works
well in Adhoc-mode without wpa_supplicant, no VLAN necessary. So I
think there are some interferences between the bridge and wpa_supplicant.

Henning


On Mon, Apr 7, 2014 at 4:10 PM, Ben West <(spam-protected)> wrote:

> Hi Henning,
>
> Adhoc wireless interfaces actually can't be bridged (AFAIK), at least not
> with the conventional 'bridge' option in /etc/config/wireless.  I believe
> the preferred approach is to use the trelay package to forward packages
> to/from a wireless interface to a VLAN.
>
>
> On Mon, Apr 7, 2014 at 1:36 AM, Henning Rogge <(spam-protected)> wrote:
>
>> Hi,
>>
>> things getting even more strange... WPA2 WORKS if I remove the wlan
>> interface from the openvswitch bridge...
>>
>> connection over the bridge does also work without wpa2... but not with
>> both.
>>
>> very strange...
>>
>> Henning Rogge
>>
>> On Sat, Apr 5, 2014 at 7:26 AM, Henning Rogge <(spam-protected)> wrote:
>> > Hi,
>> >
>> > found out the "psk2" vs "psk2+aes" problem myself, after looking
>> > through OpenWRT scripts for a few hours... something in /lib/wifi/...
>> > just looks for the "psk2" string, without any wildcards. So now it
>> > seems encryption is active, but I have no connectivity at all
>> > anymore... but that is a step forward.
>> >
>> > Will continue to look into this matter on Monday. Thanks for your help.
>> >
>> > Henning
>> >
>> > On Fri, Apr 4, 2014 at 5:13 PM, Ben West <(spam-protected)> wrote:
>> >> Ah ha!  Some surprises from the OpenWRT folks!
>> >>
>> >> Apologies for not fully testing the parameter set I gave.  That was actually
>> >> what I'm migrating all nodes towards that I manage, to drop older/outdated
>> >> encryption standards.  Yes, it looks like "encryption=psk2+aes" does not
>> >> work for adhoc mode, failing silently, even though it works just fine for
>> >> ap/sta mode.
>> >>
>> >> "encryption=psk2" works for me on OpenWRT AA r39928 using the wpad package,
>> >> which I verified (at least superficially) by running iwlist on an adjacent
>> >> node.
>> >>
>> >>
>> >>
>> >> On Fri, Apr 4, 2014 at 5:18 AM, Henning Rogge <(spam-protected)> wrote:
>> >>>
>> >>> Hi,
>> >>>
>> >>> are you sure about this parameter set?
>> >>>
>> >>> I tested it between two Ubiquiti M Bullets (ath9k driver) on a up to
>> >>> date OpenWRT AA with installed wpad.
>> >>>
>> >>> I didn't get any error, everything worked. But then I noticed that
>> >>> there is no wpad process running. So I changed the password on one of
>> >>> the two nodes and rebooted it... and they still can talk to each
>> >>> other. I assume that the network still runs "open".
>> >>>
>> >>> Any tips what I could do?
>> >>>
>> >>> Henning
>> >>>
>> >>> On Thu, Apr 3, 2014 at 6:02 PM, Ben West <(spam-protected)> wrote:
>> >>> > This is possible in current generations of OpenWRT Attitude Adjustment,
>> >>> > although I'm not completely sure if the pre-compiled v12.09 binaries support
>> >>> > it reliably.  It is called IBSS-RSN.  You would need to include the package
>> >>> > wpad or hostapd + wpa_supplicant.  The wpad_mini package as-is doesn't
>> >>> > include IBSS-RSN support.
>> >>> >
>> >>> > Below is an example /etc/config/wireless which I use for adhoc encryption on
>> >>> > a UBNT Nano M2.  To my knowledge, tho, IBSS-RSN is only possible with
>> >>> > pre-shared keys (i.e. key stored locally on each node's flash), which does
>> >>> > bring up security issues.  I.e. WPA Enterprise-style distribution encryption
>> >>> > management isn't available yet.
>> >>> >
>> >>> > config wifi-device  radio0
>> >>> >     option type     mac80211
>> >>> >     option channel  5
>> >>> >     option hwmode   11ng
>> >>> >     option macaddr  DC:XX:XX:XX:XX:XX
>> >>> >     option htmode   HT20
>> >>> >     list ht_capab   SHORT-GI-20
>> >>> >     list ht_capab   SHORT-GI-40
>> >>> >     list ht_capab   TX-STBC
>> >>> >     list ht_capab   RX-STBC1
>> >>> >     list ht_capab   DSSS_CCK-40
>> >>> >     option beacon_int       337
>> >>> >     # REMOVE THIS LINE TO ENABLE WIFI:
>> >>> >     option disabled 0
>> >>> >
>> >>> > config wifi-iface wmesh
>> >>> >     option network 'mesh'
>> >>> >     option mode 'adhoc'
>> >>> >     option device 'radio0'
>> >>> >     option ssid 'MyMesh'
>> >>> >     option bssid '02:CA:FF:EE:BA:BE'
>> >>> >     option encryption 'psk2+aes'
>> >>> >     option key 'areallyreallyreallyreallystrongpassword'
>> >>> >
>> >>> > To take advantage of all the entropy available, I'd recommend using a tool
>> >>> > like pwgen to generate a randomized with maximum entropy, and of maximum
>> >>> > length (e.g. 63 chars).
>> >>> >
>> >>> > 802.11s meshing, i.e. layer 2 meshing, will at some point support the
>> >>> > authsae encryption agent, i.e. for distributed encryption management that
>> >>> > does not depend on pre-shared keys.  But, I don't believe it's at a usable
>> >>> > state just yet.
>> >>> >
>> >>> >
>> >>> >
>> >>> >
>> >>> > On Thu, Apr 3, 2014 at 8:57 AM, Andrea Mannoni <(spam-protected)> wrote:
>> >>> >>
>> >>> >> Hi all,
>> >>> >>
>> >>> >> I'm working for the implementation of an ad-hoc network that works, in
>> >>> >> each repeater, with Openwrt + OLSR.
>> >>> >>
>> >>> >> I discovered that one critical problem in an ad-hoc network is the
>> >>> >> impossibility to encrypt it.
>> >>> >>
>> >>> >> Did you find a solution at this problem?
>> >>> >>
>> >>> >> Thank you for your support.
>> >>> >>
>> >>> >> --
>> >>> >>
>> >>> >>
>> >>> >> --
>> >>> >> Olsr-users mailing list
>> >>> >> (spam-protected)
>> >>> >> https://lists.olsr.org/mailman/listinfo/olsr-users
>> >>> >
>> >>> >
>> >>> >
>> >>> >
>> >>> > --
>> >>> > Ben West
>> >>> > (spam-protected)
>> >>> >
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> Ben West
>> >> http://gowasabi.net
>> >> (spam-protected)
>> >> 314-246-9434
>>
>
>
>
> --
> Ben West
> http://gowasabi.net
> (spam-protected)
> 314-246-9434
>
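
Added example, not part of the original thread and not code from OpenWRT or any poster: a config lint for the pitfall discussed above, where an adhoc wifi-iface with "psk2+aes" was reported to come up unencrypted without any error. The function names and the sample config are constructed for illustration, and the rule that only the literal "psk2" is safe for adhoc mode is this thread's observation on OpenWRT AA, not a general statement about other releases.

```shell
# Constructed sample input, not taken from a real node.
sample_config() { cat <<'EOF'
config wifi-iface wmesh
    option mode 'adhoc'
    option encryption 'psk2+aes'
    option key 'areallyreallyreallyreallystrongpassword'
config wifi-iface wmesh_ok
    option mode 'adhoc'
    option encryption 'psk2'
    option key 'areallyreallyreallyreallystrongpassword'
config wifi-iface wap
    option mode 'ap'
    option encryption 'psk2+aes'
config wifi-iface wopen
    option mode 'adhoc'
EOF
}
# Hypothetical helper: one line per adhoc iface; exit status 1 if any is not OK.
lint_adhoc_encryption() {
    awk -v q="'" '
    function unq(s) { gsub("^[" q "\"]|[" q "\"]$", "", s); return s }
    function report(   n) {
        if (!(in_iface && mode == "adhoc")) return
        n = length(key)
        # Assumption from this thread: AA scripts match only the literal psk2.
        if (enc == "" || enc == "none") r = "OPEN"
        else if (enc != "psk2") r = "SUSPECT(" enc ")"
        else if (n < 8 || n > 64 || (n == 64 && key !~ /^[0-9A-Fa-f]+$/)) r = "BADKEY"
        else r = "OK"
        if (r != "OK") bad = 1
        print name, r
    }
    $1 == "config" {
        report()
        in_iface = ($2 == "wifi-iface"); name = unq($3); mode = enc = key = ""
        next
    }
    $1 == "option" && in_iface {
        v = $0; sub(/[ \t]+$/, "", v)
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v); v = unq(v)
        if ($2 == "mode") mode = v
        else if ($2 == "encryption") enc = v
        else if ($2 == "key") key = v
    }
    END { report(); exit bad + 0 }
    ' "$@"
}

sample_config | lint_adhoc_encryption || echo "review the adhoc interfaces flagged above"
```

On a node, pass /etc/config/wireless as the argument. A clean result only covers the config file; the thread's runtime checks (looking for the supplicant process, changing the key on one node) still apply.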