Openwrt, Fonera and .p12 certificates

The most common use of a Fonera is as a wireless access point, but it's not the only possible one. Another possibility is to use the Fonera as a client of an existing wireless network. This is useful to connect a computer that has no wireless card, to set up a "repeater" that extends the range of a wireless network, or to run some application that needs Internet connectivity on the Fonera itself (after all, it's just a Linux-based device).

However, when the network you need to join requires WPA Enterprise authentication with a client certificate, things can get messy.

This post is a log of everything I had to do to connect my Fonera to one such network, and I think it can be useful to others with the same need.

First, I'll describe how to connect to that network from a computer running Linux, using the shell only. A GUI utility such as NetworkManager would also work, but the shell way is what (in theory) can be used on the Fonera too, since it has no GUI.
The procedure starts by creating a wpa_supplicant.conf file with the following content:

network={
    ssid="<your network ssid>"
    # WPA Enterprise with EAP-TLS (the method the debug log further down shows being negotiated)
    key_mgmt=WPA-EAP
    eap=TLS
    anonymous_identity="<your username>"
    ca_cert="<your path to the .cer certificate file>"
    private_key="<your path to the .p12 certificate file>"
    private_key_passwd="<your password>"
}

Fill in your own values where the angle brackets are. It is also a good idea to put all the commands needed to connect into a .sh script, like this:

#!/bin/sh
# NetworkManager would fight over the interface; stop it for this session
sudo /etc/init.d/network-manager stop
sudo killall wpa_supplicant
sudo ifconfig eth1 down
sudo ifconfig eth1 up
sudo iwconfig eth1 essid <your network ssid>
# -D wext: generic wireless-extensions driver interface; -d: debug output
sudo wpa_supplicant -i eth1 -D wext -c <path to wpa_supplicant.conf>/wpa_supplicant.conf -d &
# wait for the EAP exchange to complete before asking for a lease
sleep 20
sudo dhclient eth1

The script uses a couple of tricks. First it stops NetworkManager, since it interferes with the manual connection (don't worry, it is started again the next time you reboot). Then the sleep 20 at the end gives wpa_supplicant time to complete the EAP handshake before dhclient asks for a lease; if wpa_cli is available, polling "wpa_cli -i eth1 status" until it reports wpa_state=COMPLETED is a more reliable way to wait than a fixed delay. Of course, if you use this you need to replace eth1 with the device name of your wireless card.

This works flawlessly on a Linux computer, but when I tried to connect this way from a Fonera running OpenWrt, it failed. First, the Fonera has no network-manager, so the first line has to go. Then there is no dhclient, but an equivalent program named dhcpcd. The real problem, however, is wpa_supplicant. When I started it, it failed with the following error:

RSA: Expected zero INTEGER in the beginning of private key; not found
TLSv1: Failed to parse private key
TLS: Failed to load private key
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.
TLSv1: Selected cipher suite: 0x0000
TLSv1: Record Layer - New write cipher suite 0x0000
TLSv1: Record Layer - New read cipher suite 0x0000
EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)

After searching and posting on the OpenWrt forum, the cause turned up: to keep the firmware small (some routers have only 2 to 4 MB of flash), OpenWrt builds wpa_supplicant with its internal, reduced TLS implementation, which does not understand every key and certificate container. That is what the error above says: the loader expected a bare RSA private key (whose DER encoding starts with a zero INTEGER, the version field) and was handed a PKCS#12 (.p12) bundle instead. The fix is to build a custom wpa_supplicant configured to use OpenSSL as its TLS provider.

So, on my computer running Kubuntu Linux, I downloaded the OpenWrt buildroot with

svn co svn://

configured it with

make menuconfig

in the following way: Network > wpa_supplicant > TLS provider > OpenSSL, and I also disabled the timestamp check (the Fonera has no battery-backed clock, so the time is reset to 1/1/1970 on every reboot).

Then I typed "make", and after about 2 GB of source files downloaded from the Internet and 1.5 hours of compile time, the buildroot produced a custom firmware with the required packages.

However, when I installed the wpa-supplicant_0.6.3-1.1_mips.ipk file, together with its dependencies libopenssl_0.9.8i-3.2_mips.ipk and zlib_1.2.3-5_mips.ipk, on my existing OpenWrt, it still failed to connect, this time with a lot of ioctl() errors. The wpa_supplicant package (or at least its driver interface) evidently depends heavily on the kernel it was built against, so a package from one build does not work on a firmware from another.

The solution was to reflash the Fonera with the firmware that the buildroot had compiled together with the wpa_supplicant package. At this point another problem occurred: in the custom firmware the wireless device, ath0, was missing. At first this looked like a missing kmod-madwifi package, but the package was present. The fix was to create the device at every boot with

wlanconfig ath0 create wlandev wifi0

With the device available again, a new problem appeared: wpa_supplicant now parsed the certificates successfully, but still failed to connect, with the following error:

TLS: Certificate verification failed, error 9 (certificate is not yet valid)

So disabling the timestamp check was not enough: the date still had to fall within the certificate's validity range. Most likely the menuconfig option only removes the check from wpa_supplicant's own TLS code, while OpenSSL, now the TLS provider, verifies the validity period itself. A quick "date -s" with a date inside the range solved this, and finally wpa_supplicant connected to the wireless network. Keep in mind what this trades away: with the clock pinned by hand, the validity period no longer means anything, so an expired server or CA certificate would be accepted just the same. On a device without a real-time clock there is no clean fix, only keeping the pinned date current.
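The two failures above, the private key that would not parse and the certificate that was "not yet valid", come down to what is in the first bytes of the files and to how the clock compares with the certificate's validity window. As an added example (not part of the original post, and not OpenWrt or wpa_supplicant code), the following Python script, standard library only, sniffs the container format of a key or certificate file the way a private_key loader has to, flags a .p12 bundle as the case that needs the OpenSSL build, and extracts notBefore/notAfter from a DER certificate to test a given clock against it, including the 1/1/1970 clock the Fonera boots with. The key and certificate blobs are hand-built skeletons: they use the real rsaEncryption and pkcs7-data OIDs but toy integers and empty names, so they are not usable keys or certificates, and the format labels are this script's own.

```python
"""Sniff the DER container of a key/certificate file and check an X.509 validity window against a clock."""
import datetime as dt

# ASN.1 universal tags used below, plus context-specific [0] (constructed).
INTEGER, BIT_STRING, OCTET_STRING, NULL, OID = 0x02, 0x03, 0x04, 0x05, 0x06
UTCTIME, SEQUENCE, CTX0 = 0x17, 0x30, 0xA0

def der(tag, payload):
    """Minimal DER encoder (tag, definite length, payload), used to build the samples."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def read_tlv(buf, pos=0):
    """Decode one TLV at buf[pos] -> (tag, value, offset of the next TLV)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low bits give the number of length bytes
        count = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + n], pos + n

def children(value):
    """Split a constructed element's payload into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def identify(data):
    """Name the container from its first two elements: PKCS#1 is SEQUENCE{INTEGER 0, INTEGER n,..},
    PKCS#12 is SEQUENCE{INTEGER 3, SEQUENCE authSafe,..}; hence the 'Expected zero INTEGER' error."""
    if data.startswith(b"-----BEGIN "):
        return "PEM " + data[11:data.index(b"-----", 11)].decode()
    tag, body, _ = read_tlv(data)
    if tag != SEQUENCE:
        return "not DER"
    kids = children(body)
    first_tag, first_val = kids[0]
    second_tag = kids[1][0] if len(kids) > 1 else None
    if first_tag == INTEGER:
        version = int.from_bytes(first_val, "big")
        if version == 3 and second_tag == SEQUENCE:
            return "PKCS#12 PFX"
        if version in (0, 1) and second_tag == INTEGER:
            return "PKCS#1 RSAPrivateKey"
        if version in (0, 1) and second_tag == SEQUENCE:
            return "PKCS#8 PrivateKeyInfo"
    if first_tag == SEQUENCE and second_tag == OCTET_STRING:
        return "PKCS#8 EncryptedPrivateKeyInfo"
    if first_tag == SEQUENCE and second_tag == SEQUENCE:
        return "X.509 Certificate"
    return "unknown"

def needs_openssl_tls(data):
    """True for a .p12 bundle, the container the post shows the internal TLS rejecting."""
    return identify(data) == "PKCS#12 PFX"

def utc(year, month, day, hour=0):
    return dt.datetime(year, month, day, hour, tzinfo=dt.timezone.utc)

def parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == UTCTIME else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def validity(cert_der):
    """(notBefore, notAfter) of a DER X.509 certificate."""
    tbs = children(children(read_tlv(cert_der)[1])[0][1])
    if tbs[0][0] == CTX0:  # optional [0] EXPLICIT version comes first
        tbs = tbs[1:]
    return tuple(parse_time(t, v) for t, v in children(tbs[3][1]))  # serial, sigalg, issuer, validity

def clock_in_window(cert_der, now):
    """The check that fired as 'certificate is not yet valid': notBefore <= clock <= notAfter."""
    not_before, not_after = validity(cert_der)
    return not_before <= now <= not_after

# ---- constructed sample inputs: skeletons with the right shape, not real keys or certificates ----
ALG_RSA = der(SEQUENCE, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))  # rsaEncryption
PKCS1_KEY = der(SEQUENCE, der(INTEGER, b"\x00") + der(INTEGER, b"\x0b") + der(INTEGER, b"\x03"))
PKCS8_KEY = der(SEQUENCE, der(INTEGER, b"\x00") + ALG_RSA + der(OCTET_STRING, PKCS1_KEY))
P12_BUNDLE = der(SEQUENCE, der(INTEGER, b"\x03") + der(SEQUENCE,  # version v3, then authSafe
             der(OID, bytes.fromhex("2a864886f70d010701")) + der(CTX0, der(OCTET_STRING, b""))))
PEM_KEY = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIB...\n-----END ENCRYPTED PRIVATE KEY-----\n"

def sample_cert(not_before, not_after):
    """Skeletal certificate carrying just the fields validity() walks past."""
    tbs = (der(CTX0, der(INTEGER, b"\x02")) + der(INTEGER, b"\x01") + ALG_RSA
           + der(SEQUENCE, b"")  # issuer (empty Name)
           + der(SEQUENCE, der(UTCTIME, not_before) + der(UTCTIME, not_after))
           + der(SEQUENCE, b"") + der(SEQUENCE, ALG_RSA + der(BIT_STRING, b"\x00")))
    return der(SEQUENCE, der(SEQUENCE, tbs) + ALG_RSA + der(BIT_STRING, b"\x00"))

CA_CERT = sample_cert(b"090101000000Z", b"110101000000Z")  # valid 2009-01-01 .. 2011-01-01
if __name__ == "__main__":
    for name, blob in (("key.pem", PEM_KEY), ("key.der", PKCS1_KEY), ("client.p12", P12_BUNDLE)):
        print(name, "->", identify(blob), "(needs the OpenSSL build)" if needs_openssl_tls(blob) else "")
    print("clock 1970-01-01 inside window:", clock_in_window(CA_CERT, utc(1970, 1, 1)))
    print("clock 2009-11-20 inside window:", clock_in_window(CA_CERT, utc(2009, 11, 20, 10)))
```

Pointing identify() at the first bytes of the files you intend to hand to wpa_supplicant tells you up front whether you are in the .p12 situation described here; an alternative the post did not try is to split the bundle into a PEM key and certificate with "openssl pkcs12" and hand those to the stock build. clock_in_window() is the comparison that still fired after the timestamp check had been disabled in menuconfig, so it also tells you which date to pass to "date -s" before starting wpa_supplicant.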

However, it failed to get an IP address, because I had forgotten to add dhcpcd to my custom firmware. Building the dhcpcd package with the buildroot and installing the resulting .ipk solved this last problem.

In the end, the configuration file and the script that connected successfully are these.

wpa_supplicant.conf:

network={
    ssid="<your network ssid>"
    key_mgmt=WPA-EAP
    eap=TLS
    anonymous_identity="<your username>"
    ca_cert="<your path to the .cer certificate file>"
    private_key="<your path to the .p12 certificate file>"
    private_key_passwd="<your password>"
}

Connection script:

#!/bin/sh
## For Fonera + specially compiled OpenWrt
## Developed by TFT

## any date in the certificate validity range is acceptable
## (the Fonera has no RTC and boots with the clock at 1/1/1970)
date -s 2009.11.20-10:00

## kill any previous attempt and recreate the madwifi VAP
killall wpa_supplicant dhcpcd
wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0
ifconfig ath0 down
ifconfig ath0 up
iwconfig ath0 essid <your network ssid>
## -D madwifi: driver interface for the Fonera's Atheros radio
wpa_supplicant -i ath0 -D madwifi -c /etc/wpa_supplicant.conf -d &
## wait for the EAP-TLS exchange before requesting a lease
sleep 20
dhcpcd ath0


11 Responses to “Openwrt, Fonera and .p12 certificates”

  1. Neku Says:

    Thanks Federico for your efforts!

  2. admiral0 Says:

    And that’s all folks from today’s guide “How to dismantle your balls after 1.5hrs of compilation”

  3. fedetft Says:

    Well, 1.5 hours is a short time compared to the first time I compiled OpenWrt. It was a couple of years ago, when I had a slower internet connection and a pentium III 866MHz computer. It took 7 hours…

  4. admiral0 Says:

    Try to build the OpenEmbedded dev branch and we'll laugh together after some days of compilation on a dual core 🙂

  5. saten Says:

    Holy crap :O

  6. Hendrix Says:

    1.5 h such a pain in the ass

  7. fedetft Says:

    Well, keep in mind that 1.5 hours is the time needed to compile a full OpenWrt firmware, not just the wpa_supplicant package.
    This means compiling:
    -the Linux kernel 2.6
    -the GCC compiler for MIPS architecture (the Fonera has a MIPS CPU)
    -42 packages ranging from busybox to the already mentioned wpa_supplicant
    Given that, I think 1.5 hours is a reasonable time.

  8. luka12345 Says:

    For your date problem try using ntpclient package !

  9. fedetft Says:

    I was already aware of ntpclient, but the date is needed by wpa_supplicant to connect to the network, so I need the date *before* I am connected, and ntpclient can’t help in that.

  10. Anonymous Says:

    Could adding "tls_disable_time_checks=1" to phase2="auth=MSCHAPV2" help there?

  11. fedetft Says:

    I don't know. It's been a long time since I last messed with wpa_supplicant, as everything works now. Anyway, given that it's still necessary to rebuild the package to select OpenSSL as TLS provider, it's not an issue to also disable time checking.
