Archive for November, 2009

Openwrt, Fonera and .p12 certificates

November 21, 2009

The most common use of a Fonera is as wireless access point, but it’s not the only possible use. Another possibility is to use the Fonera to connect to an existing wireless network. This can be useful to connect a computer without a wireless card, to set up a “repeater” to extend the range of a wireless network, or to run some application that needs internet connectivity on the Fonera itself (after all, it’s just a Linux based device).

However, when the network you need to connect to requires a WPA enterprise certificate authentication, things can get messy.

This post is just a log of all I had to do to connect my Fonera to one such network, and I think it can be useful to other who have the same need.

First, I’ll describe how to connect to that network using a computer running Linux, using the shell only. It is also possible to use some GUI utility, such as network manager but the shell way is what (in theory) can be usd on the Fonera too, since it has no GUI.
The procedure starts by creating a wpa_supplicant.conf file, with the following content:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=1
network={
ssid="<your network ssid>"
proto=WPA
key_mgmt=WPA-EAP
auth_alg=OPEN
pairwise=TKIP
eap=TLS
anonymous_identity="<your username>"
ca_cert="<your path to the .cer certificate file>"
private_key="<your path to the .p12 ceritficate file>"
private_key_passwd="<your password>"
phase2="auth=MSCHAPV2"
}

And by filling in the required data where there are angle brackets. It is also a good idea to write all the commands to connect in an .sh script file, just like this:

sudo /etc/init.d/network-manager stop
sudo killall wpa_supplicant
sudo ifconfig eth1 down
sudo ifconfig eth1 up
sudo iwconfig eth1 essid <your network ssid>
sudo wpa_supplicant -i eth1 -D wext -c <path to wpa_supplicant.conf>/wpa_supplicant.conf -d &
#wait for connection
sleep 20
sudo dhclient eth1

The script uses a couple of tricks: first it stops network-manager, since it interferes with the manual connection (don’t worry, it will be started again next time you reboot your computer), then the sleep 20 at the end is there to give time to wpa_supplicant to connect to the network before dhclient starts. Of course if you use this you need to replace eth1 with the device name of your wireless card.

This works flawlessly on a Linux computer, but when I tried to connnnect in this way on a Fonera running OpenWrt, it failed. First the Fonera does not have network-manager, so the first line needs to be removed. Then there is no dhclient, but an equivalent program named dhcpcd. But the real problem is wpa_supplicant. When I started it, it failed with the following error:

RSA: Expected zero INTEGER in the beginning of private key; not found
TLSv1: Failed to parse private key
TLS: Failed to load private key
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.
TLSv1: Selected cipher suite: 0x0000
TLSv1: Record Layer - New write cipher suite 0x0000
TLSv1: Record Layer - New read cipher suite 0x0000
EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)

After searching and posting on the OpenWrt forum, the problem was found: to minimize the size of the OpenWrt firmware (some routers only have 2..4MB of FLASH memory…) wpa_supplicant is compiled with an internal (and incomplete) implementation of TLS, which may fail with some certificate types. The solution is to compile a custom wpa_supplicant configured to use OpenSSL as TLS provider.

So I downloaded on my computer running Kubuntu Linux the OpenWrt buildroot with

svn co svn://svn.openwrt.org/openwrt/branches/8.09

configured it with

make meunconfig

in the following way: Network > wpa_supplicant > TLS provider > OpenSSL and disabled timestamp check (since the Fonera does not have a permanent clock and the time is set to 1/1/1970 every time it reboots)

Then I typed “make” and after ~2GB of source files downloaded form the Internet and 1.5 hours of compile time the buildroot compiled a custom firmware¬† with the required packages.

However when I installed the wpa-supplicant_0.6.3-1.1_mips.ipk file together with the required dependencies libopenssl_0.9.8i-3.2_mips.ipk and zlib_1.2.3-5_mips.ipk¬† on my OpenWrt it still failed to connect. The problem this time was a lot of ioctl() errors. It looks like the wpa_supplicant package is heavily dependent on the kernel version, so it didn’t work.

The solution was to reflash the Fonera with the firmware that the buildroot compiled together with the wpa_supplicant package. At this point another problem occurred: in the custom firmware the ath0 device, which is the wireless device was not present! At the beginning the problem looked like the lack of the kmod_madwifi package, but the package was present. The solution was to create the device at every reboot with

wlanconfig ath0 create wlandev wifi0

Now that the device was again available, a new problem occurred: wpa_supplicant successfully parsed the certificates, but failed agian to connect, with the following error:

TLS: Certificate verification failed, error 9 (certificate is not yet valid)

The problem was that while the timestamp check was disabled, the date still needed to be within the certificate’s validity range. A quick “date -s” command soved this and finally wpa_supplicant connected to the wireless network.

However, it failed getting an IP address. This because in my custom firmware I forgot to add dhcpcd. Building the dhcpcd package with the buildroot and installing the .ipk package solved this last problem.

In the end the scripts used to connect successfully are these:

wpa_supplicant.conf

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=1
network={
ssid="<your network ssid>"
proto=WPA
key_mgmt=WPA-EAP
auth_alg=OPEN
pairwise=TKIP
eap=TLS
anonymous_identity="<your username>"
ca_cert="<your path to the .cer certificate file>"
private_key="your path to the .p12 certificate file>"
private_key_passwd="<your password>"
phase2="auth=MSCHAPV2"
}

connect.sh

## For Fonera + specially compiled OpenWrt
## Developed by TFT

## any date in the certificate validity range is acceptable
date -s 2009.11.20-10:00

killall wpa_supplicant dhcpcd
wlanconfig ath0 destroy

wlanconfig ath0 create wlandev wifi0
ifconfig ath0 down
ifconfig ath0 up
iwconfig ath0 essid <your network ssid>
wpa_supplicant -i ath0 -D madwifi -c /etc/wpa_supplicant.conf -d &
## wait for connection
sleep 20
dhcpcd ath0

Follow

Get every new post delivered to your Inbox.

Join 30 other followers