User Tools

Site Tools


Wireless overview

This article deals with 802.11 wireless, however OpenWrt also supports other wireless technologies


Linux Wireless is the source for documentation regarding the entire Linux Kernel IEEE 802.11 (“wireless”) subsystem.

  • IEEE 802.
    • 3: Official name: Ethernet
    • 11: No official name; AKA: “wireless”, “wavelan”, or wifi (NOTE: Wi-Fi is a brand name)
      • A family of communication protocols also comprising Layer 1 and Layer 2 Sublayer MAC
        • Support for IEEE 802.11 in the Linux-Kernel is fragmented, meaning there are two frames (WEXT=deprecated, cfg80211 + nl80211=current) and multiple drivers, e.g.
        • For some Broadcom WNICs, there are three drivers available:
          • Broadcom proprietary drivers (broadcom-wl)
          • Broadcom mac80211-based drivers (the b43)
          • brcmSmac- and brcmFmac drivers

  • Set up and configure:
  • There are two different types of WNICs to distinguish:
  • Many drivers might require firmware blobs.
    • Most firmware code is closed source, with some exceptions (ath9k_htc)
    • Atheros ath9k does not require firmware.

  • In contrast to Ethernet drivers, wireless drivers work in a Wireless Mode of Operation.

Operation Modes

Driver Support

Some drivers support only one mode, STA (also called station, client or managed mode), while other drivers support multiple modes, including simultaneously [interface combination]



Available Frequencies, Bands, and Channels are subject to regulation in each state and country(see Reg Database)


Wireless drivers are pulled on a more or less regular basis from wireless-testing, with the OpenWrt-patches not mainlined yet being adjusted.

OpenWrt does not use Kernel drivers, and the package is called mac80211.

Similar work (drivers for older kernels) is done by the backports project

  • April 2013 announcement, previously called compat-wireless or compat-driver. OpenWrt does not use this, despite referencing it by name.


Package Dependencies
kmod-crypto-arc 4 kmod-crypto-core
kmod-cfg80211 wireless-tools
iw libnl-tiny
Overall size = 486.450 Bytes
kmod-crypto-arc 4 kmod-crypto-core
kmod-cfg80211 wireless-tools
iw libnl-tiny
Overall size = 308.902 Bytes
kmod-crypto-arc 4 kmod-crypto-core
kmod-cfg80211 wireless-tools
iw libnl-tiny
Overall size = 561.201 Bytes
Name Size Description
kmod-ath9k 155.684 This module adds support for wireless adapters based on Atheros IEEE 802.11n AR5008 and AR9001 family of chipsets.
kmod-ath9k-htc 113.441 This module adds support for wireless adapters based on Atheros USB AR9271 and AR7010 family of chipsets.
kmod-ath9k-common 104.136 Atheros 802.11n wireless devices (common code for ath9k and ath9k_htc)
kmod-ath5k 82.272 This module adds support for wireless adapters based on Atheros 5xxx chipset.
kmod-ath 10.059 This module contains some common parts needed by Atheros Wireless drivers.
kmod-b43 210.860 Kernel module for Broadcom 43xx wireless support (mac80211 stack)
kmod-mac80211 139.372 Generic IEEE 802.11 Networking Stack (mac80211)
kmod-cfg80211 93.696 cfg80211 is the Linux wireless LAN (802.11) configuration API.
iw 32.100 cfg80211 interface configuration utility
wireless-tools 23.153 Contains iwconfig, iwlist and iwpriv; tools for configuring wireless adapters implementing the WExt.
crda 9.627 The Central Regulatory Domain Agent serves one purpose: tell Linux kernel what to enforce.
It is a udev helper for communication between kernel ↔ userspace. You only need to run this manually for debugging purposes.
For manual changing of regulatory domains use iw (iw reg set) or wpa-supplicant.
libnl-tiny 13.529 This package contains a stripped down version of libnl
Due to r31954 tweaking the regulatory.bin to enbale channel 13 and 14 is no longer an option.

Wireless Utilities

Applications & Tools

    • An IEEE 802.11 network detector, sniffer and intrusion detection system.

    • The next generation of aircrack with new features

    • A scanning and analysis tool for IEEE 802.11 networks and especially IBSS (ad-hoc) mode and mesh networks (OLSR).

Captive Portals

  • Layer 3
      • NoDogSplash offers a simple way to open a free hotspot providing restricted access to an internet connection.
        • An alternative from NoCat, offering captive portal solutions local to the router/gateway, with a simplistic setup, user bandwidth control and basic auth/splash page.
        • Small, well tested, tailored for OpenWrt by its author, it can be set up with only one or two config file changes; in contrast, Chilli is more complete but complex to set up.

  • Layer 2 / Layer 3
      • An open source access controller for wireless LAN access points and is based on ChilliSpot.
        • Used for authenticating users of a wireless (or wired) LAN, it supports web based login (UAM), which is today's standard for public HotSpots, and Wireless Protected Access (WPA).
          • Authentication, authorization, and accounting (AAA) is handled by your favorite RADIUS server.
        • Built on top of Chillispot with several improvements and additions, including WISPr support, among others, which is the main captive portal solution used in CoovaAP.


These are some of the packages in the OpenWrt repository regarding wireless stuff to play with.

  • The installation is always the same opkg install <package>
  • For documentation regarding the configuration and utilization, search for HowTOs in this wiki or via your search engine of choice.
Name Size Description
airpwn 23618 Airpwn is a framework for 802.11 (wireless) packet injection. Airpwn listens to incoming wireless packets, and if the data matches a pattern specified in the config files, custom content is injected “spoofed” from the wireless access point. From the perspective of the wireless client, airpwn becomes the server.
collectd-mod-wireless 7321 wireless status input plugin
freifunk-watchdog 9546 A watchdog daemon that monitors wireless interfaces to ensure the correct BSSID and channel. The process will initiate a wireless restart as soon as it detects a BSSID or channel mismatch.
karma 8605 KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames.
kmod-wprobe 9408 A module that exports measurement data from wireless driver to user space
mdk3 49495 Tool to exploit wireless vulnerabilities
wavemon 32209 wavemon is a ncurses-based monitoring application for wireless network devices. Based on WEXT-API
wireless-tools 30236 This package contains a collection of tools for configuring wireless adapters implementing WEXT-API

Wireless security

  • DO NOT, under any circumstances, utilize WPS (WiFi Protected Setup), or WEP/WPA encryption
    • They're not even remotely secure


  • Basic
    • It is recommended to use WPA2-PSK and Force CCMP (AES) as both are the best means of non-enterprise encryption.


  • WiFi network passwords should be a minimum 16 characters & contain at least:
    • 2 uppercase letters
    • 2 lowercase letters
    • 2 numbers
    • 2 symbols
  • Do not utilize these in your passwords:
    • Personal info
      • Your name, Family/Friends/Pets' names
      • Important dates (birthdays, anniversaries, etc.)
      • Dictionary words
    • Router Admin [root] password
      • Any form of your Admin [root] password
  • Above all, do not write down passwords & do not save them in files
    • If you, for whatever reason, require writing passwords down, please utilize:
    • to create a 4096bit or greater signing cert, protect it with a password inline with the above, and use that signing cert to encrypt the document.


  • Should be customized, not generic (i.e. not OpenWrt, Linksys, etc.)

WiFi Access

  • Your home network is like your house, you don't give your house keys to anyone but those you trust; WiFi networks and their passwords are the same.
  • Please see Forwardings and Zones
    • vLANs should be configured for Guest networks and Guest vLANs should be firewalled off from LAN
      • By default, fw3 blocks all traffic unless explicitly told to allow it

    • These rules below are for reference only and not required due to OpenWrt's implementation of fw3
      • Chain names [ FORWARD ] and interfaces [ br0 (LAN), br1 (Guest) ] will vary
        iptables  -t  filter  -I  FORWARD 1 -i  br1         -m  conntrack --ctstate NEW -j  ACCEPT
        iptables  -t  filter  -I  FORWARD 2 -i  br1 -o  br0 -m  conntrack --ctstate NEW -j  DROP
        iptables  -t  filter  -I  FORWARD 3 -i  br0 -o  br1 -m  conntrack --ctstate NEW -j  DROP

Configs & HowTOs



docs/guide-user/network/wifi/wireless.overview.txt · Last modified: 2018/09/16 12:37 by bobafetthotmail