Configuring guest WLAN/Wifi access on the openwrt router

Posted in linux, server on 2014/05/04

Every now and then family or friends visiting me ask whether they can use my wifi at home. As I trust them I don't see a problem with that, but there are a few issues with it:

  • I don't want to give them my password
  • My password is really long and thus hard to type
  • I don't want them to access all files on the local home network

So I decided to configure guest wifi access on my openwrt router. The basic idea is as follows:

  • The guest wifi has a different SSID
  • The clients are on a different subnet, separated from the home network
  • They can only access the internet, obtain an address from the router's DHCP and use its DNS server; everything else on the router and the home LAN is rejected
  • The guest wifi password is changed automatically every day
  • The current password is shown on an intranet page reachable only from the home network, so I can easily look it up and show it to my guests
  • It is not too long, so it is not too difficult to type

The following code snippet does the network setup:

$ cat
# add new network interface

uci set network.guest=interface
uci set network.guest.proto=static
uci set network.guest.ipaddr=   # address omitted on the original page; pick a subnet disjoint from the home LAN
uci set network.guest.netmask=  # netmask omitted on the original page
uci set network.guest.type=bridge

uci commit network

# give IPs to guests over dhcp
uci set dhcp.guest=dhcp
uci set dhcp.guest.start=100
uci set dhcp.guest.limit=120
uci set dhcp.guest.leasetime=2h
uci set dhcp.guest.interface=guest
uci commit dhcp

# create a second virtual access point (own SSID and key) on the same radio
uci set wireless.guest=wifi-iface
uci set wireless.guest.device=radio0
uci set wireless.guest.mode=ap
uci set   # option cut off on the original page; the wifi-iface has to be attached to the guest network (its 'network' option) so clients land in the guest bridge and firewall zone
uci set wireless.guest.ssid=guest
uci set wireless.guest.encryption=psk2
uci set wireless.guest.key=<InitialPW>   # placeholder, replaced daily by the script below
# note: guests on this bridge can still talk to each other; hostapd's 'isolate' option on the wifi-iface prevents that (not set on the original page)

uci commit wireless

# setup firewall, allowing only access to the internet, dns & dhcp
uci add firewall zone
uci set firewall.@zone[-1].name=guest
uci set firewall.@zone[-1].network=guest
uci set firewall.@zone[-1].input=REJECT    # guests cannot reach the router itself ...
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].forward=REJECT  # ... nor any other zone (lan) unless explicitly forwarded

# the only forwarding: guest -> wan (the default wan zone masquerades)
uci add firewall forwarding
uci set firewall.@forwarding[-1].src=guest
uci set firewall.@forwarding[-1].dest=wan

# rules without a dest zone match traffic to the router itself: DHCP ...
uci add firewall rule
uci set firewall.@rule[-1].src=guest
uci set firewall.@rule[-1].proto=udp
uci set firewall.@rule[-1].src_port=67-68
uci set firewall.@rule[-1].dest_port=67-68
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].family=ipv4

# ... and DNS (tcp and udp), served by dnsmasq on the router
uci add firewall rule
uci set firewall.@rule[-1].src=guest
uci set firewall.@rule[-1].dest_port=53
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].family=ipv4
uci set firewall.@rule[-1].proto=tcpudp

uci commit firewall
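A configuration like the one above is easy to get subtly wrong (a zone policy left at ACCEPT, a forwarding to lan added later for a printer, a rule that opens ssh to guests), and none of that shows up as an error. The following audit script is an added example, not part of the original post: it reads the output of `uci show firewall` and prints one line per finding that weakens the guest isolation, i.e. a guest zone whose input or forward policy is not REJECT, a forwarding from guest to anything but wan, or an ACCEPT rule from guest to a port other than DNS (53) or DHCP (67-68). The two sample configurations inside the script are constructed for the demonstration; on the router you would run `uci show firewall | audit_guest_fw`.

```sh
#!/bin/sh
# Added example, not part of the original post: audit the guest zone in
# `uci show firewall` output.  Prints one finding per line; no output = clean.
audit_guest_fw() {
    awk -F= '
    {
        key = $1; val = $2
        gsub(/^\047|\047$/, "", val)        # newer uci versions quote values
        n = split(key, p, "\\.")            # firewall . @zone[2] . input
        if (n < 3) next                     # section header or blank line
        sec = p[2]; opt = p[3]
        v[sec, opt] = val
        if (!(sec in seen)) { seen[sec] = 1; order[++cnt] = sec }
    }
    END {
        gz = ""
        for (i = 1; i <= cnt; i++)
            if (order[i] ~ /^@zone/ && v[order[i], "name"] == "guest") gz = order[i]
        if (gz == "") { print "no zone named guest"; exit }
        if (v[gz, "input"] != "REJECT")
            print "guest zone input is " v[gz, "input"] " (expected REJECT)"
        if (v[gz, "forward"] != "REJECT")
            print "guest zone forward is " v[gz, "forward"] " (expected REJECT)"
        for (i = 1; i <= cnt; i++) {
            s = order[i]
            if (s ~ /^@forwarding/ && v[s, "src"] == "guest" && v[s, "dest"] != "wan")
                print "forwarding guest -> " v[s, "dest"] " breaks isolation"
            if (s ~ /^@rule/ && v[s, "src"] == "guest" && v[s, "target"] == "ACCEPT") {
                dp = v[s, "dest_port"]
                if (dp != "53" && dp != "67-68")
                    print "rule " s " accepts guest traffic to port " dp " (only 53 and 67-68 expected)"
                if (v[s, "dest"] != "")
                    print "rule " s " accepts guest traffic forwarded into zone " v[s, "dest"]
            }
        }
    }'
}

# Constructed sample: the zone, forwarding and rules from this post.
good_config() {
cat <<'EOF'
firewall.@zone[2]=zone
firewall.@zone[2].name=guest
firewall.@zone[2].network=guest
firewall.@zone[2].input=REJECT
firewall.@zone[2].output=ACCEPT
firewall.@zone[2].forward=REJECT
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src=guest
firewall.@forwarding[1].dest=wan
firewall.@rule[9]=rule
firewall.@rule[9].src=guest
firewall.@rule[9].proto=udp
firewall.@rule[9].src_port=67-68
firewall.@rule[9].dest_port=67-68
firewall.@rule[9].target=ACCEPT
firewall.@rule[9].family=ipv4
firewall.@rule[10]=rule
firewall.@rule[10].src=guest
firewall.@rule[10].dest_port=53
firewall.@rule[10].target=ACCEPT
firewall.@rule[10].family=ipv4
firewall.@rule[10].proto=tcpudp
EOF
}

# Constructed sample of a broken setup (quoted values as newer uci prints them):
# forward policy opened, a forwarding to lan, and ssh to the router allowed.
bad_config() {
cat <<'EOF'
firewall.@zone[2]=zone
firewall.@zone[2].name='guest'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='ACCEPT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='guest'
firewall.@forwarding[1].dest='lan'
firewall.@rule[9]=rule
firewall.@rule[9].src='guest'
firewall.@rule[9].dest_port='22'
firewall.@rule[9].target='ACCEPT'
EOF
}

if [ "${1:-}" = demo ]; then
    echo "== config from the post:"; good_config | audit_guest_fw
    echo "== broken config:";       bad_config  | audit_guest_fw
fi
```

Run it with `sh audit.sh demo` to see the two samples compared; the first prints nothing, the second lists the three problems. The checks are deliberately positive ("only these ports, only this forwarding") rather than a blacklist, which is the right way round for a zone whose purpose is to deny everything but a short allow-list.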

This small script generates the password and/or reports the current one. It only creates a new password when the "change" argument is passed: the key is the first 10 characters of the md5sum of a fixed salt concatenated with the date and time of generation; without the argument it just prints the current key. Ten hex characters (40 bits) keep the key typeable, but note that anyone who learns the salt can recompute the key from the clock, and a captured WPA2 handshake can be attacked offline against that keyspace; the daily rotation limits what one recovered key is worth. The script is placed in /www/cgi-bin/wlang, where uhttpd runs it (as root on a default OpenWrt install, which is what lets it write the uci configuration).

$ cat wlang
#!/bin/sh
# /www/cgi-bin/wlang
# with argument "change" (from cron): derive a new key and apply it; in every case: print the current key

if [ x"$1" = xchange ]; then
        SALT="fed5a630a182415a" # some salt
        DATE=$(date +%Y%m%d%H%M%S) # generation time; not set anywhere on the original page, which would make the key constant
        KEY=`echo -n "${SALT}${DATE}" | md5sum | cut -c1-10`
        uci set wireless.guest.key=$KEY
        uci commit wireless
        wifi # committing alone does not touch the running AP; restart wireless so the new key is applied
fi
KEY=`uci get wireless.guest.key`
echo "Content-Type: text/plain"
echo ""
echo "$KEY"
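The derivation above makes the salt the real long-term secret: whoever knows it knows every key. The following is an added example, not part of the original post, that puts the post's md5(salt || datetime) derivation next to a key of the same length and alphabet drawn from /dev/urandom, adds the length and character check a script should do before writing anything into wireless.guest.key, and shows how the cron job would use it. The function names, the sample salt and the datetime values are mine; `uci` and `wifi` are only invoked when they exist, so it also runs on a workstation.

```sh
#!/bin/sh
# Added example, not part of the original post: the post's key derivation
# beside an unpredictable one, plus a sanity check before the key is applied.

# The post's derivation: first 10 hex digits of md5(salt || datetime).
# Anyone holding the salt can recompute every past and future key from the
# clock, so the salt is effectively the long-term secret.
guest_key_derived() {                       # $1 = salt, $2 = datetime string
    printf '%s%s' "$1" "$2" | md5sum | cut -c1-10
}

# Same length and alphabet (10 hex digits, 16^10 ~ 1.1e12 candidates) but
# drawn from the kernel CSPRNG: nothing to leak, nothing to recompute.
guest_key_random() {
    od -An -N5 -tx1 /dev/urandom | tr -d ' \n'
}

# WPA2-PSK passphrases must be 8..63 printable ASCII characters; hostapd
# refuses to start with anything else, which would take the guest AP down.
key_ok() {
    [ ${#1} -ge 8 ] && [ ${#1} -le 63 ] || return 1
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]' && return 1   # non-printable or non-ASCII
    return 0
}

# What the cron job would call: pick a key, check it, apply it on the router
# (uci/wifi exist only there), print it so the caller can show it.
rotate_guest_key() {
    key=$(guest_key_random)
    key_ok "$key" || return 1
    if command -v uci >/dev/null 2>&1; then
        uci set wireless.guest.key="$key" && uci commit wireless && wifi
    fi
    echo "$key"
}

if [ "${1:-}" = demo ]; then
    echo "derived twice from the same salt and time (identical):"
    guest_key_derived fed5a630a182415a 20140504000100
    guest_key_derived fed5a630a182415a 20140504000100
    echo "random (different on every call):"
    guest_key_random
    guest_key_random
fi
```

Running `sh keys.sh demo` prints the same derived key twice and two different random keys; this is the whole point. If the key must stay reproducible (for example to display it from a second host without querying the router), the salt has to be treated and stored like a password, not left as a literal in a world-readable CGI script.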

A crontab entry (one minute past midnight) triggers the daily password change:

1 0 * * * /www/cgi-bin/wlang change

The current password is also visible from the home network at router/cgi-bin/wlang. Since the guest zone rejects all input to the router other than DNS and DHCP, that page cannot be reached from the guest network.
