
There is a new version of OpenWRT, version 19.07; apparently this was released almost 2 months ago. If you're running OpenWRT on your router, the new version has security fixes and such, so it's worth considering an upgrade. https://openwrt.org/releases/19.07/notes-19.07.3

I did so; it led to about a 2 minute Internet outage since my OpenWRT router manages my DSL connection. It came back fine; I have seen very few visible changes. When I logged in and looked at my wireless networks, it indicated a need to make a change or two to configuration, which all seemed to work fine. I added an AC wireless network, which I think is the new, keen thing, which probably I didn't have in use before?

Apparently it now supports WPA3; that'll need more configuration to activate, and I'm not sure I care to do so. (That's perhaps a good question for next Q&A?)

-- 
When confronted by a difficult problem, solve it by reducing it to the question, "How would the Lone Ranger handle this?"

On 2020-07-08 4:25 p.m., Christopher Browne via talk wrote:
There is a new version of OpenWRT, version 19.07; apparently this was released almost 2 months ago. ...
Apparently it now supports WPA3, that'll need more configuration to activate, and I'm not sure I care to do so. (That's perhaps a good question for next Q&A?)
I'm still looking for a scheme that doesn't fail an evil-twin attack (;-)) I have an apparent neighbor who uses my connection. The use I don't mind much, the degree to which my work is public I do mind.

--dave

David Collier-Brown,           | Always do right. This will gratify
System Programmer and Author   | some people and astonish the rest
davecb@spamcop.net             |                    -- Mark Twain

On 2020-07-09 07:57 AM, David Collier-Brown via talk wrote:
I have an apparent neighbor who uses my connection. The use I don't mind much, the degree to which my work is public I do mind.
They can get through WPA2? Did the key somehow slip out? One thing you might try is a VPN. I used to use one back in the WEP days, as it was known to be insecure. To reach my network, you needed both the WEP key and VPN key.

It's mechanically breakable. I get UFO MAC addresses back about an hour after changing the password. Mind you, if I really wanted to block them, I'd list my devices as the only ones allowed.

--dave

On 2020-07-09 9:06 a.m., James Knott via talk wrote:
On 2020-07-09 07:57 AM, David Collier-Brown via talk wrote:
I have an apparent neighbor who uses my connection. The use I don't mind much, the degree to which my work is public I do mind.
They can get through WPA2? Did the key somehow slip out? One thing you might try is a VPN. I used to use one back in the WEP days, as it was known to be insecure. To reach my network, you needed both the WEP key and VPN key.
-- 
David Collier-Brown,                     | Always do right. This will gratify
System Programmer and Author             | some people and astonish the rest
dave.collier-brown@indexexchange.com     |                    -- Mark Twain

| From: David Collier-Brown via talk <talk@gtalug.org>

| I'm still looking for a scheme that doesn't fail an evil-twin attack (;-))
|
| I have an apparent neighbor who uses my connection. The use I don't mind much,
| the degree to which my work is public I do mind.

Evil Twin is just a variant of man-in-the-middle, right? An "active", rather than "passive" MITM.

Surely WPA is secure against MITM, including active MITM. All one needs to prevent MITM is a competent protocol and at least one end authenticated. Your strong-enough password provides such authentication.

(WPS does or did have a weakness if I remember correctly. My brute force solution has been to disable WPS. There may have been fixes.)

Ohh. KRACK. WPA2 isn't competent. I forgot. <https://en.wikipedia.org/wiki/KRACK>

On Fri, 10 Jul 2020 at 08:34, D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
(WPS does or did have a weakness if I remember correctly. My brute force solution has been to disable WPS. There may have been fixes.)
Ohh. KRACK. WPA2 isn't competent. I forgot. <https://en.wikipedia.org/wiki/KRACK>
OpenWrt does provide a workaround for WPA key reinstallation attacks. See the description of the "wpa_disable_eapol_key_retries" parameter and the comments that follow on this page: https://openwrt.org/docs/guide-user/network/wifi/basic

On Fri, 10 Jul 2020 at 11:41, Val Kulkov <val.kulkov@gmail.com> wrote:
OpenWrt does provide a workaround for WPA key reinstallation attacks. See the description of the "wpa_disable_eapol_key_retries" parameter and the comments that follow on this page: https://openwrt.org/docs/guide-user/network/wifi/basic
I forgot to add that if enabling wpa_disable_eapol_key_retries does cause interoperability issues on a Wi-Fi network, then one can create a guest VLAN with this parameter disabled, and enable this parameter on a secure non-guest VLAN. This is not difficult to achieve with OpenWrt, and I will be happy to provide details in a separate thread if there is some interest.
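As an added illustration (not code from the thread or from OpenWrt itself), here is a small Python audit of an OpenWrt /etc/config/wireless file that applies the split described above: every encrypted SSID bound to the trusted network must have wpa_disable_eapol_key_retries set to '1', while SSIDs on the guest network are allowed to leave it off for interoperability. The sample config, the network names 'lan' and 'guest', and the SSIDs are constructed for the example.

```python
import shlex

# Constructed sample /etc/config/wireless: 'HomeNet' on the trusted 'lan' network has
# the workaround on, the guest SSID leaves it off on purpose, and 'HomeNet-5G' forgot it.
SAMPLE_WIRELESS = """
config wifi-iface 'wlan_main'
\toption network 'lan'
\toption mode 'ap'
\toption ssid 'HomeNet'
\toption encryption 'psk2'
\toption wpa_disable_eapol_key_retries '1'

config wifi-iface 'wlan_guest'
\toption network 'guest'
\toption mode 'ap'
\toption ssid 'HomeNet-Guest'
\toption encryption 'psk2'

config wifi-iface 'wlan_main5g'
\toption network 'lan'
\toption mode 'ap'
\toption ssid 'HomeNet-5G'
\toption encryption 'psk2'
"""


def parse_uci(text):
    """Parse UCI text into (section type, section name, {option: value}) tuples."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw)  # UCI quotes values with single quotes
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] == "option" and sections:
            sections[-1][2][parts[1]] = parts[2]
    return sections


def audit_key_retries(text, trusted_networks=("lan",)):
    """Names of encrypted APs on a trusted network lacking the key-retry workaround."""
    findings = []
    for stype, name, opts in parse_uci(text):
        if (stype != "wifi-iface" or opts.get("mode", "ap") != "ap"
                or opts.get("encryption", "none") == "none"  # open: no 4-way handshake
                or opts.get("network") not in trusted_networks):  # guest side: left off
            continue
        if opts.get("wpa_disable_eapol_key_retries", "0") != "1":
            findings.append(name)
    return findings
```

Run against a real router you would pass the contents of /etc/config/wireless and the name of the network your trusted SSIDs are attached to.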

On 2020-07-10 12:13 PM, Val Kulkov via talk wrote:
I forgot to add that if enabling wpa_disable_eapol_key_retries does cause interoperability issues on a Wi-Fi network, then one can create a guest VLAN with this parameter disabled, and enable this parameter on a secure non-guest VLAN. This is not difficult to achieve with OpenWrt, and I will be happy to provide details in a separate thread if there is some interest.
Guest VLAN??? Perhaps you meant Guest SSID. WPA has nothing to do with VLANs.

On Fri, 10 Jul 2020 at 12:17, James Knott via talk <talk@gtalug.org> wrote:
On 2020-07-10 12:13 PM, Val Kulkov via talk wrote:
I forgot to add that if enabling wpa_disable_eapol_key_retries does cause interoperability issues on a Wi-Fi network, then one can create a guest VLAN with this parameter disabled, and enable this parameter on a secure non-guest VLAN. This is not difficult to achieve with OpenWrt, and I will be happy to provide details in a separate thread if there is some interest.
Guest VLAN??? Perhaps you meant Guest SSID. WPA has nothing to do with VLANs.
You set up a guest VLAN on your OpenWrt device and then associate your guest SSID with that VLAN. If you have multiple Wi-Fi access points, they must all support 802.1q VLANs and be configured to communicate with the main router on the main VLAN and on the guest VLAN in order to use DHCP, DNS, routing and other services provided by the main router. Recent OpenWrt releases also support virtual SSIDs, but I have not tried them and cannot comment on their usefulness. See this guide, for example; it is a little outdated but still useful: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan

On 2020-07-10 12:32 PM, Val Kulkov wrote:
then associate your guest SSID with that VLAN.
Yes, you associate the SSID with a VLAN. It's entirely possible to have a Guest SSID without VLANs on a WiFi router, that uses only routing to forward the guest traffic out to the 'net. VLAN is a LAN function that has nothing to do with WiFi and SSID is a WiFi function that has nothing to do with the LAN.

On Fri, 10 Jul 2020 at 12:37, James Knott via talk <talk@gtalug.org> wrote:
On 2020-07-10 12:32 PM, Val Kulkov wrote:
then associate your guest SSID with that VLAN.
Yes, you associate the SSID with a VLAN. It's entirely possible to have a Guest SSID without VLANs on a WiFi router, that uses only routing to forward the guest traffic out to the 'net. VLAN is a LAN function that has nothing to do with WiFi and SSID is a WiFi function that has nothing to do with the LAN.
Yes. I agree, you don't really need VLANs if you have only one WiFi access point. But if you have more than one WiFi access point and you want to avoid WDS, which is often not great in congested environments, you'd use Ethernet and VLANs to connect your Wi-Fi access points.

On 2020-07-10 04:04 PM, Val Kulkov wrote:
On Fri, 10 Jul 2020 at 12:37, James Knott via talk <talk@gtalug.org> wrote:
On 2020-07-10 12:32 PM, Val Kulkov wrote:
> then associate your guest SSID with that VLAN.
Yes, you associate the SSID with a VLAN. It's entirely possible to have a Guest SSID without VLANs on a WiFi router, that uses only routing to forward the guest traffic out to the 'net. VLAN is a LAN function that has nothing to do with WiFi and SSID is a WiFi function that has nothing to do with the LAN.
Yes. I agree, you don't really need VLANs if you have only one WiFi access point. But if you have more than one WiFi access point and you want to avoid WDS, which is often not great in congested environments, you'd use Ethernet and VLANs to connect your Wi-Fi access points.
Multiple SSIDs are not the only reason for VLANs. For example, many companies have VoIP phones on the same Ethernet port as the computers. The cable connects to the phone and the computer plugs into the phone. Here a VLAN is used, without anything to do with WiFi.

Several years ago, I set up a network at St. Hilda's Towers, a seniors residence at Dufferin & St. Clair. There were 3 VLANs on the cable. The native LAN was for the office computers, 1 VLAN for office VoIP, 1 VLAN for residents' Internet access and 1 VLAN for the management interfaces. While there were WiFi access points that carried both the office and resident WiFi, they otherwise had nothing to do with VLANs. I could have just as easily set up the network without WiFi.

Again, VLANs and SSIDs are completely independent concepts. As I mentioned, you can have multiple SSIDs without VLANs and multiple VLANs without any WiFi. In some circumstances, as at St. Hilda's, you could have a WiFi SSID on a VLAN. Incidentally, VLANs fall under the IEEE 802.3 spec and SSIDs under 802.11, which are completely separate and unrelated specs.
Participants (6): Christopher Browne, D. Hugh Redelmeier, Dave Collier-Brown, David Collier-Brown, James Knott, Val Kulkov