Introduction: Hotspot 2.0 OpenWRT Configuration Guide

By SimeonOnSecurity.com
About: SimeonOnSecurity is a highly accomplished IT professional with a strong focus on Cybersecurity and Privacy. With a career spanning several years, SimeonOnSecurity has demonstrated expertise in various domains,…

In today’s connected world, providing seamless and secure Wi-Fi
connectivity is essential for various industries and public spaces. One
revolutionary technology that addresses this need is Hotspot 2.0, also known as Passpoint 2.0. In this guide, we will explore how to set up Hotspot 2.0 on OpenWRT, a popular open-source router and access point firmware.


The Significance of Hotspot 2.0 and Passpoint 2.0

Hotspot 2.0 brings enhanced security and convenience to Wi-Fi connectivity by automating the connection process and ensuring a secure exchange of credentials. Before diving into the technical details, let’s address the key questions: What is Hotspot 2.0, and why is it crucial for modern Wi-Fi networks?

Hotspot 2.0, defined by the IEEE 802.11u standard, enables seamless and secure Wi-Fi roaming by allowing mobile devices to connect to Wi-Fi networks automatically. This technology eliminates the hassle of manually selecting and authenticating with each network, providing users with a more efficient and user-friendly experience.


Enhancing User Experience


One of the main goals of Hotspot 2.0 is to enhance the user experience when connecting to Wi-Fi networks.
With Passpoint certification, smartphones can automatically identify and connect to Passpoint-certified access points. This eliminates the need for users to navigate through network lists and enter credentials manually.

Security and Authentication

Hotspot 2.0 addresses security concerns by implementing robust authentication
protocols. The Passpoint profile on a smartphone contains essential information, including MCC-MNC (Mobile Country Code – Mobile Network Code), NAI realm, and OI (Organization Identifier). These elements, along with login credentials, establish a secure connection to the service provider.

Interoperability and Roaming

Passpoint profiles are not tied to specific SSIDs, allowing them to work across any WLAN with appropriate Passpoint configuration. This interoperability ensures a consistent and reliable connection experience, especially in
environments with multiple access points.


Attachments

Supplies

Recommended OpenWRT Devices with Hotspot 2.0 and Passpoint 2.0 Support

Are you searching for the perfect OpenWRT device with robust Hotspot 2.0 and Passpoint 2.0 support? Look no further! We’ve curated a list of highly recommended devices that seamlessly integrate these advanced features into your network. From the GL-MT6000 (Flint 2) with WiFi 6 capabilities to the pocket-sized GL-AXT1800 (Slate AX) offering gigabit travel convenience, explore the best options for

enhanced connectivity and security. Upgrade your router experience with

these top-notch devices tailored for Hotspot 2.0 enthusiasts and

professionals alike.

hgot07 and we have completed testing, in addition to the above, on other GL.iNet devices

including the Mango (Has storage issues however), Slate and Beryl devices on both internal and external wireless interfaces.

Recommended External WiFi Adapters for HotSpot 2.0 Support on OpenWRT


When it comes to enhancing your OpenWRT setup with external WiFi adapters, especially for HotSpot 2.0 support, choosing the right hardware is crucial. Below, we recommend some top-performing external WiFi adapters known for their OpenWRT compatibility and 802.11 AX support.


We recommend these adapters for their overall OpenWRT compatibility and 802.11 AX Support. Top down, best to worst.

For a list of other documented adapters that have support on Linux and OpenWRT See the

USB-WiFi Documentation Repo

Step 1: Implementing Hotspot 2.0 on OpenWRT

Prerequisites for Hotspot 2.0 on OpenWRT

Before configuring Passpoint on OpenWrt, ensure you have the following prerequisites:

  • OpenWrt compatible device with a Passpoint-capable wireless device (PHY).
  • OpenWrt 21.02, or newer, including wpad (hostapd) built with the hs20 option.
  • Full version of the iw package in OpenWrt.
  • 802.1x infrastructure (RADIUS server).
  • Information about the assigned RADIUS servers:

Note: This information can be obtained through an email or document through your provider. If you’re using
Google Orion like we are in our examples below, you’ll be self hosting a freeradius based radsec proxy . We won’t be going into this in this article so please read your providers instructions carefully.

Updating OpenWRT Packages for Hotspot 2.0 Support on OpenWRT

Before configuring Hotspot 2.0 on OpenWRT, ensure that your system has the required packages installed.
Use the following commands to install necessary components:

opkg update
opkg --force-removal-of-dependent-packages remove iw iw-full wpad-basic gl-sdk4-repeater hostapd-basic host-apdcommon hostapd-openssl wpad-openssl
opkg --force-overwrite --force-removal-of-dependent-packages install iw-full hostapd-common wpad-openssl nano

If you’ve purchased one of the GL.iNet devices we recommended above you’ll also run the following command:


Configuring Wireless Interfaces for Hotspot 2.0 on OpenWRT

opkg --force-overwrite install kmod-ath10k-smallbuffers kmod-ath9k kmod-ath9k-common kmod-ath kmod-mac80211 kmod-cfg80211

Configuring Wireless Interfaces for Hotspot 2.0 on OpenWRT

In the /etc/config/wireless
file, customize the settings for your Hotspot 2.0-enabled interface.
Ensure the correct device, encryption type, and other parameters are
set. Pay attention to the WAN Metrics, NAI Realm, and Domain Names sections to tailor them to your service provider.


Copy and modify the following carefully. Once working, mirror it for the 2.4ghz, 5ghz, and 6ghz radios while adjusting the wifi-iface config name, ifname, and device (radio) options for each radio.


nano /etc/config/wireless

config wifi-iface 'radio1_orion5g'
#Modify to your radsec proxy server / radius server
    option acct_secret 'radsec'
    option acct_server 'xxx.xxx.xxx.xxx'
    option auth_secret 'radsec'
    option auth_server 'xxx.xxx.xxx.xxx'
# Likely radio0 or radio1 if using built in radios, if using a usb device it'll likely be radio 2
    option device 'radio1'
# Change between either wpa2-mixed or wpa3-mixed
    option encryption 'wpa3-mixed'
# first number matches the radio, second is the ssid number. Both start at 0
# Ex wlan1-2 would be radio 1, ssid 2.
    option ifname 'wlan1-2'

#Table E-4 of IEEE Std 802.11-2012 Annex E define the values that can be used in this. (Likely just use 5173)
# https://ieeexplore.ieee.org/iel5/6361246/6361247/06361248.pdf
# https://mentor.ieee.org/802.11/dcn/10/11-10-0564-00-0s1g-operating-classes.ppt
#format: hexdump of operating class octets
    option hs20_operating_class '5173'
# See Instructions Below (Optional, omit if you want.)
    option hs20_wan_metrics '01:3e80:3e80:33:99:3000'
# Venue Info 
# The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34
    option iw_venue_group '1'
    option iw_venue_type '7'
# Specify the same nasid for both 2.4ghz and 5ghz. Use any time the network is different. Normally it'll be the same across the board for all AP's in the same location.
    option nasid 'OrionWRT'
# Likely leave as guest, but customize if needed
    option network 'guest'
# Likely Leave as Orion or OrionWiFi if using orion. But SSID can be anything you want.
    option ssid 'OrionWiFi'
# Specify the IP address type availability as '11'.
# IP Address Type Availability (ANQP) setting that indicates the availability of IP address types on the Passpoint network.
# The value '11' informs Passpoint clients that both IPv4 and IPv6 addresses are available on the network.
# It helps clients understand the network's IP address capabilities.
# Refer to IEEE Std 802.11-2016, Section 9.4.2.72 for more details on IP Address Type Availability.
    option iw_ipaddr_type_availability '11'
# Local time zone as specified in 8.3 of IEEE Std 1003.1-2004
# Set as CST, Feel free to customize or omit.
# stdoffset[dst[offset][,start[/time],end[/time]]]
# We've defaulted it to Central Standard Time (most of our US based readers are in CST/CDT.)
#This config is optional. You can safely omit it.
    option time_zone 'CST6CDT,M3.2.0,M11.1.0'
# Specify the access network type as '2' (Chargeable public network).
# Access Network Type (ANQP) is set to '2' indicating a Chargeable public network.
# This value informs clients that the network requires payment for access.
# Refer to IEEE Std 802.11-2016, Section 9.4.2.72 for more details.
    option iw_access_network_type '2'
# Specify the network authentication type as '00'.
# Network Authentication Type (ANQP) setting that specifies the network's authentication type for Passpoint.
# The value '00' indicates that the network authentication is open or unspecified.
# It informs Passpoint clients about the type of authentication used by the network.
# Refer to IEEE Std 802.11-2016, Section 9.4.2.72 for more details on Network Authentication Type.
    option iw_network_auth_type '00'
# Operator-friendly name for Hotspot 2.0. (Can be anything you'd like as long as it is prefixed with your lang code.)
    option hs20_oper_friendly_name 'eng:Orion'
# List of venue names associated with the Passpoint network, specifying language code and venue information. (Can be anything you'd like as long as it is prefixed with your lang code.)
    list iw_venue_name 'eng:Orion'
# List of venue URLs associated with the Passpoint network, specifying language code and URL. (Can be any https url. Will Popup as notification on devices that connect.)
    list iw_venue_url '1:https://orionwifi.com'
# List of operator icons, specifying width, height, language code, image format, and icon filename. (This doesn't need to be a valid path but must be specified on OpenWRT)
    list operator_icon '64:64:eng:image/png:operator_icon:operator_icon.png'

#ProxyARP and 80211k are not supported on all devices, remove if you have issues.
    option proxy_arp '1'
    option ieee80211k '1'

# Comment out what you don't need and uncomment/modify what you do.
#AT&T / Orion 3gpp
    list iw_anqp_3gpp_cell_net '310,150'
    list iw_anqp_3gpp_cell_net '310,280'
    list iw_anqp_3gpp_cell_net '310,410'
    list iw_anqp_3gpp_cell_net '313,100'
#T-Mobile 3gpp 
# list iw_anqp_3gpp_cell_net '310,240'
# list iw_anqp_3gpp_cell_net '310,260'
# list iw_anqp_3gpp_cell_net '310,310'
#Orion domain Names
    list iw_domain_name 'orion.area120.com'
    list iw_domain_name 'orionwifi.com'
    list iw_domain_name 'dogwood120.net'
    list iw_domain_name 'openroaming.goog'
    list iw_domain_name 'wifi.fi.google.com'
#AT&T Domain Names
#list iw_domain_name 'attwifi.com'
#list iw_domain_name 'att.com'
#list iw_domain_name 'attwireless.com'
#T-Mobile Domain Names
#list iw_domain_name 't-mobile.com'
#OpenRoaming / IronWiFi Domain Names
#list iw_domain_name 'ironwifi.net'
#list iw_domain_name 'openroaming.org'
#list iw_domain_name 'apple.openroaming.net'
#list iw_domain_name 'google.openroaming.net'
#list iw_domain_name 'ciscooneid.openroaming.net'
# Anything more than 3 OUIs and the information won't be available until the client performs a GAS Request.
# Orion / AT&T / OpenRoaming Default Consortium
    list iw_roaming_consortium 'f4f5e8f5f4'
#OpenRoaming Consortium
#Baseline Participation: OpenRoaming for All Identities, settlement-free, no personal data requested, baseline QoS - includes, but is not limited to users in education and research
#list iw_roaming_consortium '5a03ba0000'
#Education-Only Participation: OpenRoaming Visited Network Providers who want to signal that they specifically welcome educational and research (i.e. eduroam) visitors settlement-free, 
#list iw_roaming_consortium '5a03ba0800'
#IronWiFi Consortium
#list iw_roaming_consortium 'AA146B0000'
#list iw_roaming_consortium 'BAA2D00000'
#list iw_roaming_consortium '5A03BA0000'
#Cisco OpenRoaming and Samsung OneUI Onboarding
#list iw_roaming_consortium '004096'
#EDURoam Consortium
#list iw_roaming_consortium '001BC50460'
#Orion NAI Realm
    list iw_nai_realm '0,*.orion.area120.com,13[5:6],21[2:4][5:7],23[5:1][5:2],50[5:1][5:2],18[5:1][5:2]'
#AT&T NAI Realm
#list iw_nai_realm '0,*wlan.mnc410.mcc310.3gppnetwork.org,13[5:6],21[2:4][5:7],23[5:1][5:2],50[5:1][5:2],18[5:1][5:2]'
#T-Mobile NAI Realm
#list iw_nai_realm '0,*wlan.mnc260.mcc310.3gppnetwork.org,13[5:6],21[2:4][5:7],23[5:1][5:2],50[5:1][5:2],18[5:1][5:2]'
#IronWiFi Realm
#list iw_nai_realm '0,ironwifi,13[5:6],21[2:4][5:7]'

# Don't Touch
# Some options are repeated for legacy support
# ANQP (Access Network Query Protocol) Domain ID, used to uniquely identify the Passpoint domain.
    option anqp_domain_id '0'
# Enable BSS (Basic Service Set) transition support for efficient handovers between APs.
    option bss_transition '1'
# Disable Directed Group Address Forwarding (DGAF) support.
    option disable_dgaf '1'
# Set disabled to '0' to enable the interface.
    option disabled '0'
# Identify the ap as a guest access point.
    option guest '1'
# Enable Hotspot 2.0 support in Passpoint.
    option hotspot20 '1'
# Enable Hotspot 2.0 (HS2) support in Passpoint.
    option hs20 '1'
# Set the deauthentication request timeout for Hotspot 2.0.
    option hs20_deauth_req_timeout '60'
# Enable internet access for the Passpoint network.
    option internet '1'
# Isolate clients on the Passpoint network for enhanced security.
    option isolate '1'
# Enable or disable ASRA (ANQP Service Required for Access).
    option iw_asra '0'
# Disable Directed Group Address Forwarding (DGAF) for Passpoint.
    option iw_disable_dgaf '1'
# Enable Passpoint functionality.
    option iw_enabled '1'
# Enable or disable Emergency Services Reachability (ESR) for Passpoint.
    option iw_esr '0'
# Enable internet access for Passpoint.
    option iw_internet '1'
# Enable interworking with external networks for Passpoint.
    option iw_interworking '1'
# Disable UESA (Unauthenticated Emergency Service Availability)
    option iw_uesa '0'
# Set the mode to 'ap', indicating that the wireless interface is operating in Access Point mode.
    option mode 'ap'
# Enable the Requested Connectivity to User Information (CUI) feature.
# CUI is used to request user-specific information during the network selection process and is mandatory for Google Orion.
    option request_cui '1'
# Enable the WNM (Wireless Network Management) Sleep Mode Transition with No Keys option.
# This option allows the device to perform sleep mode transitions without exchanging keys, improving efficiency.
    option wnm_sleep_mode_no_keys '1'

Afterwards we need to run two commands:

Fixing 3GPP Bug for Hotspot 2.0 Support on OpenWRT

OpenWRT doesn’t configure hostapd directly. It uses a script at /lib/netifd/hostapd.sh to convert your config at /etc/config/wireless to the appropriate hostapd config. On some distros of OpenWRT there is a bug that prevents 3GPP configurations.

Run the following command on your device to resolve it:

sed -i '/append_iw_anqp_3gpp_cell_net() {/,/}/c\
append_iw_anqp_3gpp_cell_net() {\
    if [ -z "$iw_anqp_3gpp_cell_net_conf" ]; then\
        iw_anqp_3gpp_cell_net_conf="$1";\
    else\
        iw_anqp_3gpp_cell_net_conf="$iw_anqp_3gpp_cell_net_conf;$1";\
    fi\
}' /lib/netifd/hostapd.sh


Just one character is the issue. The script above is fine to run on all devices. It won’t make any changes if the bug isn’t there.

Testing Hotspot 2.0 Functionality on OpenWRT

After configuring your interface and performing the 3gpp fix, you’ll run the following command to reload your wireless config:

wifi


Then verify that the interface becomes available:

iwinfo


Verifying Hotspot 2.0 Client Capability on Windows

To see whether Passpoint is supported by your Wi-Fi device on Windows 10/11, verify if “ANQP Service Information Discovery” is “Supported”, using the following command:

netsh wlan show wirelesscapabilities



To read more about the technical details on how to configure hotspot 2.0 on openwrt devices, click here.