This weekend, I struggled to flash a TP-Link TL-WA901ND access point with OpenWRT and connect it to my university's dorm internet.
It took 7 hours to figure out what I accidentaly achieved after 2 but didn't understand and couldn't reproduce then. For anyone who wants to do the same, I publish this article for reference.
Tomorrow, we'll be airing a new Zettelkasten post. Promise.
Update 2013-11-26: I enabled comments so you can ask questions and tell me where you're stuck.
Update 2013-12-11: With my configuration, this device won't create its own LAN and hide connected devices from the network server. Instead, it's operating in bridge mode so that every device connected via wi-fi obtains its own IP address as if it was connected to the port directly. Your physical port will be blocked in Bielefeld (and Marburg, it seems) if too many devices connect at the same time or too many different MAC addresses request access in a short time, though. I recommend you pick up a different device like the TP-Link WDR-3600 ("N600")[^aff] instead which is capable of the required feature to circumvent this issue.
Update 2017-05-21: If you need assistance, Fabian Schmidt-Michels is doing a great job for a couple of Euros.
[^aff]: Affiliate link; I get a small kickback from the vendor if you buy from my link but it won't cost you anything.
This isn't the first device I want to connect to the internet at my university. The TP-Link TL-WA901ND (henceforth called "WA901ND" or "The Router" for brevity) is unique in its port design, though: there's only one LAN/WAN port, bound to
eth0. While you usually plug the internet into the WAN port during setup, I had to setup wifi first or the port would've been used by my local machine.
The objective is to install OpenWRT with the
wpa_supplicant package to authenticate to the WPA 2 Enterprise network. I'm no network specialist. Thus my vocabulary may be inappropriate at times (though not in a way which includes profanity). Forgive me, please, and send feedback.
- The Router will be operating as a bridge from my LAN to the WAN.
- The LAN will be accessible via wifi only. Also, my router will be wired to the foreign network. This is somewhat diametral to descriptions of a Routed Client from which I took the inspiring picture.
- I don't know and wouldn't be able to determine any static IP for a router in the foreign network or WAN. The Router will have to use DHCP to obtain its IP on WAN side.
- I'll need to access my WA901ND for admin purposes, though. I need to know a static IP address in my LAN. So I'll have to decouple the ethernet port and wifi antennae, juggling two networks which I never needed before. Yikes.
1. Connect to 802.1X encrypted internet
I'm at Bielefeld University. European universities provide a 802.1X/WPA Enterprise encrypted Wifi connection called "eduroam". Furthermore, student dormitories ("Wohnheim") in Bielefeld got blazing fast ethernet with 802.1X PEAP/MD5 authentication ("Wohnheimnetz").
Popular eduroam-specific use cases cover the authentication problem, which is nice for reference. They don't connect to the 802.1X encrypted network via LAN or cable, though. Eduroam is a wireless LAN. I, on the other hand, need to create a wired connection. This was a problem since the instructions didn't work out of the box.
Let's get started.
Install OpenWRT via the TP-Link web interface. It's quick and painless. The Router responds to
telnet 192.168.1.1 after a reboot and waits for you to set a
passwd, so do that first.
I prepared configuration files for the router in accordance with Bielefeld University-specific instructions on how to set up OpenWRT and
Configuration file for
wpa_supplicant– you'll have to put your login credentials in here in plain text
Shove them over to The Router via
$ scp wpa_supplicant.conf firstname.lastname@example.org:/etc/whnetz.conf $ scp whnetz.init email@example.com:/etc/init.d/whnetz
To find out which packages I needed, I asked The Router via SSH:
$ opkg print-architecture arch all 1 arch noarch 1 arch ar71xx 10
Get the packages
wpa_supplicant and the
wpad-mini replacement called
hostapd from the OpenWRT v12.09 ar71xx-architecture package repository.[^bleed] Copy them over, changing file names appropriately:
$ scp hostapd_20130807-1_ar71xx.ipk wpa-supplicant_20130807-1_ar71xx.ipk wpa-cli_20130807-1_ar71xx.ipk firstname.lastname@example.org:/tmp
Log into the WA901ND again and install the new packages, removing the old
$ cd /tmp $ opkg remove wpad-mini $ opkg install wpa-cli_20130807-1_ar71xx.ipk $ opkg install wpa-supplicant_20130807-1_ar71xx.ipk $ opkg install hostapd_20130807-1_ar71xx.ipk
[^bleed]: I picked the nightly builds and they worked fine yesterday. Your mileage may vary, though, so I recommend you stick to the packages compatible with v12.09.
2. Setup W-LAN
You need to activate the W-LAN interface first:
$ uci set wireless.@wifi-device.disabled=0 $ uci commit wireless $ wifi
There should be no errors.
I set up the wifi so its decoupled from the LAN port. The Router itself will get the IP '192.168.10.1' in a network interface I appended to
# /etc/config/network # ... config interface 'wlanAP' option proto 'static' option ipaddr '192.168.10.1' # ip for wifi option netmask '255.255.255.0'
You'll have to assign your computer a static IP manually as well to connect via wifi. I picked '192.168.10.100' for my Mac. You'll have to do this every time you want to reconfigure The Router later on. But don't worry about that just now, we're not finished, yet.
The wifi has to use the newly created network interface first:
$ uci set wireless.@wifi-iface.network="wlanAP"
While you're at it, change the wireless networks' SSID and passphrase:
$ uci set wireless.@wifi-iface.encryption=psk2 $ uci set wireless.@wifi-iface.key="fill_in_your_key" $ uci set wireless.@wifi-iface.ssid="fill_in_your_key" $ uci commit wireless
To reload network interface settings and restart wifi, run
$ /etc/init.d/network restart
Wait until the network is up and running. Then unplug your computer, activate and connect via wifi with a static IP like '192.168.1.100'.
3. Bridge WAN and WLAN/Wifi
We'll change the ethernet port's settings now. Afterwards, you won't be able to connect to The Router via LAN anymore. So ensure wifi is working as expected right now.
Lots of forum threads started with the OpenWRT [Dumb Access Point configuration]. It gets a lot of things right, but it's not tailored to a single-ethernet-port device. Since there's no
eth1 device or
wan network interface available for bridging, I had to try lots and lots of different solutions.[^sol]
Change the LAN interface to this:
# /etc/config/network # ... config interface 'lan' option ifname 'eth0' option proto 'dhcp'
wpa_supplicant will need to retrieve a device IP via DHCP. This will do the trick.
$ /etc/init.d/whnetz enable # autostart 802.1X on login $ /etc/init.d/whnetz start
The router itself should be online right now.
$ wget -s http://google.de
Now let the wifi network bridge to The ethernet post, which is called 'lan' but should be 'wan' from now on, really. Any computer connecting via wifi with DHCP will retrieve a university network IP, starting with '212' instead of '198'. That's why you won't be able to access The Router via wifi if you don't set an IP manually: you're computer will be in a totally different IP-range.
Enable bridging like this:
# /etc/config/network # ... config interface 'wlanAP' option proto 'static' option ipaddr '192.168.10.1' # Router-IP vom WLAN aus option netmask '255.255.255.0' option type 'bridge' option ifname 'eth0' # same as lan
Restart the network again:
$ /etc/init.d/network restart
When it's finished and everything still works on The Router's side, you still won't have access to the internet from your computer as long as you're accessing your private LAN. Disconnect from wifi and obtain an IP via DHCP from The Router. Instead of a
192.168.10.x LAN address, you should get one starting with
212. Depending on your computer, you may have to request a new DHCP lease manually.
The WA901ND unlocked the ethernet port via 802.1X and every device connecting through it will be granted access.
Thats's esentiay the same unlocking mechanism when using a switch: you can authenticate with one machine hooked to the switch and all the others will benefit as well. Because doing so manually is a pain, we all want our access points to handle that.
So that's all there is. I hope this reference will spare you a headache or two.
I myself went online quickly but didn't understand how I could access The Router again. I needed to combine both DHCP for ethernet and static IP for wifi. Took me hours to figure that out.
[^sol]: Some use relayd, but only for repeater usage. Others bridge LAN and so on. Didn't apply to this case.
Since so many visitors are attracted to this page, I enabled comments for this post. What do you struggle with while you set up your router?
Browse the blog archive