OpenWrt Forum Archive

Topic: Encryption of adhoc interfaces (again...)

The content of this topic has been archived on 25 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello All

I realise this topic has appeared here several times, but please forgive me raising it again, as I can't find a definitive answer.

I am using OpenWrt r33030 on TP Link WR703N devices with batman-adv 2012.3.0 for mesh connectivity.
Wireless is the r33030 default ath9k and kmod-mac80211 - 3.3.8+2012-07-16-1

Everything works fine with no encryption on the adhoc interface.

I want to look into using encryption on the mesh interface so that traffic on the mesh is not travelling in the clear.
I am not looking for iron clad security here, more just something to prevent casual snooping.

From reading the OpenWrt documentation, it appears that all that is required to add encryption to the interface is to add the encryption option and key to the adhoc interface definition in "/etc/config/wireless". However it is obviously not that simple.

When I do this, the iwinfo "iwinfo wlan0-1 assoclist" and "... info" commands (see below) show that encryption is active and that the two devices are associated and can see each other, but batctl reports no nodes in range, so clearly that are not actually connected.

I have searched this and other forums, and while there are a lot of similar queries and some indication of success, there doesn't seem to be a definitive recipe to make it work. A lot of discussion also seems to relate to madwifi use rather than mac80211.

Adding the encryption option to the adhoc interface definition in "/etc/config/wireless" results in a "/var/run/wpa_supplicant-wlan0-1.conf" file something like that shown below. Adding various parameters to the interface definition as per forum suggestions results in the parameters appearing in this file, but alas to no good effect.

Can anyone throw any light on this please?

Have I missed some basic documentation that describes how this is meant to work?

Thanks in advance.


# /etc/config/wireless
config wifi-iface 'ah_0'
    option device 'radio0'
    option network 'mesh_0'
    option encryption 'none'
    option bssid '02:CA:FF:EE:BA:BE'
    option mode 'adhoc'
    option ssid 'mymeshssid'
    option disabled '0'
    option encryption 'psk'
    option key_mgmt 'WPA-NONE'
    option proto 'WPA'
    option pairwise 'NONE'
    option group 'TKIP'
    option key 'mypassword'

#  /tmp/run/wpa_supplicant-wlan0-1.conf


root@TP-43:~# batctl o
[B.A.T.M.A.N. adv 2012.3.0, MainIF/MAC: wlan0-1/5e:63:bf:d8:eb:0d (bat0)]
  Originator      last-seen (#/255)           Nexthop [outgoingIF]:   Potential nexthops ...
No batman nodes in range ...

root@TP-43:~# iwinfo wlan0-1 assoclist
16:E6:E4:E7:6D:53  -35 dBm / -88 dBm (SNR 53)  0 ms ago
    RX: 1.0 MBit/s, MCS 0, 20MHz                    1038 Pkts.
    TX: 1.0 MBit/s, MCS 0, 20MHz                       1 Pkts.

root@TP-43:~# iwinfo wlan0-1 info
wlan0-1   ESSID: "mymeshssid"
          Access Point: 02:CA:FF:EE:BA:BE
          Mode: Ad-Hoc  Channel: 1 (2.412 GHz)
          Tx-Power: 17 dBm  Link Quality: 70/70
          Signal: -35 dBm  Noise: -88 dBm
          Bit Rate: 1.0 MBit/s
          Encryption: WPA2 PSK (CCMP)
          Type: nl80211  HW Mode(s): 802.11bgn
          Hardware: unknown [Generic MAC80211]
          TX power offset: unknown
          Frequency offset: unknown
          Supports VAPs: yes

root@TP-43:~# iwconfig
wlan0-1   IEEE 802.11bgn  ESSID:"mymeshssid"
          Mode:Ad-Hoc  Frequency:2.412 GHz  Cell: 02:CA:FF:EE:BA:BE 
          Tx-Power=17 dBm 
          RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:on
wlan0     IEEE 802.11bgn  Mode:Master  Tx-Power=17 dBm 
          RTS thr:off   Fragment thr:off
          Power Management:on

I can't find an answer as well in the same case, except that my devices are actually older Atheros (DIR-300 and Fonera). As said by someone [1], WPA encryption with adhoc-networks is possible "Since end of march in trunk." (see link). This feels a bit ridiculously, because there is

a) a high-demanded feature
b) which somebody claimed is available
c) nobody ever documented

I hope, some devs are reading this and bring some clarity into adhoc networking w/ WPA encryption.


I think I have it working.  The key seems to be to remove wpad-mini and install wpad. It also worked with hostapd and wpa-supplicant instead of wpad-mini.  Did not work with wpa-supplicant-mini

Here's one of my batman-adv interfaces:

config wifi-iface
    option device 'radio1'
    option network 'mesh5'
    option mode 'adhoc'
    option bssid 'CA:CA:CA:CA:CA:01'
    option ssid 'MarkNet.mesh5'
    option mcast_rate '11000'
    option key 'asdfasdf'
    option encryption 'psk2'

(Last edited by markf on 12 Jul 2013, 04:09)

As a follow up...  I swear it was working with wpad in attitude adjustment, but now that I've switched to trunk, I needed wpa_supplicant and hostapd instead of wpad in order to use adhoc encryption.

current batman iface config config:
config wifi-iface
    option device 'radio0'
    option encryption 'psk2'
    option key 'key goes here'
    option network 'mesh2'
    option mode 'adhoc'
    option bssid 'CA:CA:CA:CA:CA:00'
    option ssid 'mesh2'
    option mcast_rate '11000'

config wifi-iface
    option device 'radio1'
    option encryption 'psk2'
    option key 'key goes here'
    option network 'mesh5'
    option mode 'adhoc'
    option bssid 'CA:CA:CA:CA:CA:01'
    option ssid 'mesh5'
    option mcast_rate '11000'

I am still having a problem where the 5ghz radio adhoc iface doesn't come up on its own.  I have to issue this manually:

iw wlan1-1 ibss join mesh.5 5240 fixed-freq ca:ca:ca:CA:CA:01

See also this post. … c-rsnwpa2/


   "The only thing that must be watched for is config options used during wpa_supplicant compilation – you need "CONFIG_IBSS_RSN=y” to be defined. Judging from sources of current openwrt stable („Attitude Adjustement”) it seems wpad-mini package is missing that functionality, where wpad should be good to go."

It seems that wpad will work if compiled with "CONFIG_IBSS_RSN=y”

The discussion might have continued from here.