UNIX / Linux keyboard.

WPA2 / 802.11i Wireless Networking on OpenBSD

WPA2 / 802.11i WLAN

So you have installed OpenBSD on your system, presumably because you are interested in its high security, although maybe because you would like an operating system that is even more efficient on low-end hardware than Linux while still providing a rich and powerful user environment. And see my page on installing and running OpenBSD on a Dell laptop for details on getting the operating system into place.

Now you would like to make a wireless network connection, and since you're probably interested in OpenBSD's high security, you would like for the wireless connection to be appropriately secure.


802 LAN refers to a local-area network technology based on decisions made at an IEEE conference in February, 1980. Yes, 802 = 1980, 2.

802.11 refers to the LANs considered by group number 11, the microwave wireless networks. "Wi-Fi" as it's generally called.

802.11a, 802.11b, 802.11g, and so on refer to specific microwave frequencies — for example, 2.4 GHz (802.11b, 802.11g, 802.11n) versus 5.2 GHz (802.11a) — and signalling standards — for example, OFDM with QPSK (802.11a, 802.11g), DSSS with CCK (802.11b), or OFDM with 64-QAM (802.11n). See my page with WLAN specifications if you want to see more.

WEP is an early attempt at securing wireless LAN connections. It is rather insecure and should not be relied upon.

WEP2 and WPA were interim standards, they also should be avoided.

WPA2, also known as 802.11i, is the best available standard for wireless security. WPA2 uses:

AES (Advanced Encryption Standard) cipher operating in CCMP mode. That's Counter Mode CBC-MAC, or to complete, Counter Mode Cipher Block Chaining Message Authentication Code Protocol. The short version is that AES-CCMP is the best known way to do it, so that's what WPA2 does!

Short-term session keys are automatically negotiated and maintained with TKIP (Temporal Key Integrity Protocol). Every node to node connection uses a randomly generated 256-bit key, and either node can decide that enough time or ciphertext has passed that a new session key should be automatically chosen.

Diffie-Hellman key agreement securely negotiates those session keys.

WPA with PSK (Pre-Shared Key) uses AES and a fixed key which you must manually configure.

WPA2-Enterprise refers to WPA2 with a Radius server for host-to-host authentication with digital certificates. WPA2-Enterprise is the best choice for organizations with the infrastructure, including network engineer skill, to maintain a RADIUS server.

Kernel Drivers and WPA2 on OpenBSD

You must use a wireless card for which there is support for WPA2 both in the hardware and in the OpenBSD kernel module. This will require you to figure out which kernel driver is appropriate for the card. This is not nearly as hard as it sounds!

First, look at the end of the kernel ring buffer:

% dmesg | tail

Next, simply plug in the wireless card and see what has been appended to the kernel ring buffer! You should see two lines or so where the appropriate kernel driver reports detecting the new hardware. You are looking for something like this:
xyz0 at cardbus0 ....
where xyz is the name of the kernel driver. Plug in the card and see what's new:

% dmesg | tail

For the two wireless cards that I own, I see this:

Netgear MA521 802.11b

rtw0 at cardbus0 dev 0 function 0 "Realtek 8180" rev 0x20: irq 268505353
rtw0: ver RTL8180F, radio SA2400A, amp SA2411, address 00:09:5b:8e:3a:87

Linksys MPC55AG (ver 1.1) 802.11a + 802.11b + 802.11g

ath0 at cardbus0 dev 0 function 0 "Atheros AR5212" rev 0x01: irq 268505353
ath0: AR5213 5.6 phy 4.1 rf5112a 3.6, FCC1A, address 00:0f:66:1a:0f:81
OpenBSD with Linksys WPC55AG 802.11a+g WLAN card, with Atheros chipset capable of 802.11i / WPA2 security.

OpenBSD notebook with Linksys WPC55AG WLAN card. Its Atheros chipset is capable of 802.11i/WPA2 security.

OpenBSD notebook at the National Archives in Washington DC.

OpenBSD notebook in use at the National Archives in Washington DC.

So, the Netgear MA521 card was recognized as device rtw0 and therefore the rtw kernel driver recognized it. The manual page for rtw says that this uses the Realtek RTL8180L chipset and provides a list of cards known to be based on that chipset.

Unfortunately, the rtw driver does not support WPA2, presumably because the manufacturer has not provided the needed details to the open source community. It does support WEP, but as the manual page warns:   It is strongly recommended that WEP not be used as the sole mechanism to secure wireless communication, due to serious weaknesses in it.

The Linksys MPC55AG was recognized as ath0 and the ath manual page indicates that this driver recognizes the Atheros AR5210, AR5211, and AR5212 chips. Cards using those chips include: 3Com 3CRPAG175; Cisco AIR-CB21AG; D-Link DWL-A650, DWL-AB650, and DWL-A520; Elecom LD-WL54; IBM 11ABG WL LAN; Linksys WPC51AB; Netgear WAB501; Planet WL-3560; Proxim Skyline 4030 and 4032; Senao NL-5354MP; SMC SMC2735W; Sony PCWA-C500; and Wistron CM9.

And, WPA2 is supported by the Atheros driver!

Atheros supports the open source community, which in turn helps Atheros sell hardware by writing drivers of interest to security-conscious administrators. See Atheros' site for an up to date list of products using these chips.

Configuring an Atheros WLAN card for WPA2 from the command line

First, find the network ID (or Service Set Identifier, SSID) and the passphrase. You can find the network ID with something like Kismet, but you will have to get the passphrase from the network administrator. Note that both the passphrase and the network ID are case sensitive! For the sake of this example let's assume:
Network ID = my_net
Passphrase = my_passphrase
Run the following command to join the network. Notice that those are back-quotes for command completion!

# ifconfig ath0 nwid my_net wpa wpapsk `wpa-psk my_net my_passphrase`

What's going on here? Let's try this one step at a time. First, run that embedded wpa-psk command by itself:

# wpa-psk my_net my_passphrase 

That big and random-looking string is a 256-bit pre-shared key based on an SSID and the passphrase. The SSID must be from 1 to 32 octets, and the passphrase must be a sequence of 8 to 63 ASCII encoded characters. The wpa-psk command applies the Password-Based Key Derivation Function 2 (PBKDF2) in which the passphrase is hashed 4096 times using the HMAC-SHA1 cryptographic hash function.

If the passphrase contains any special characters (white space, or most any punctuation mark), the passphrase should be hidden from the shell with appropriate quoting or escape characters. The third and fourth examples show that there are multiple ways of accomplishing this:

# wpa-psk my_net "Peter O'Toole"
# wpa-psk my_net 'Say "Cheese!"'
# wpa-psk my_net Peter\ O\'Toole\ says\ \"Cheese\!\"
# wpa-psk my_net "Peter O'Toole says "'"Cheese!"'

So, going back to our simple example, the part within the backquotes executes first. Its output replaces the backquoted string, so it is as if you had really typed:

# ifconfig ath0 nwid my_net wpa wpapsk 0x0aad103e71babddd8ab549fb97d76e9fe515485d9e492273387cb8d397c6e178

You could add an IP address, the word netmask, and the netmask to assign a static IP address. However, a notebook with a WLAN card usually means DHCP and you don't want to fuss too much with the details, so:

Configuring an Atheros WLAN card for automated boot with DHCP

You need a file named /etc/hostname.if where if is replaced with the interface name.

So, my example file /etc/hostname.ath0 will be used to configure interface ath0 when the network configuration script /etc/netstart runs.

Put something like the following in that file:

dhcp nwid my_net wpakey my_passphrase`

If you need to specify any other parameters, you can do so:

dhcp chan 1 nwid my_net wpakey my_passphrase`

Figuring this out

It's pretty straightforward — just read the relevant manual page for the WLAN card kernel driver. But why did I first have to figure this out?

Hilltop Hostel in Washington DC

Hilltop Hostel in the snow. Much better network security than the typical hotel!

After doing a lot of traveling and having no trouble getting wireless networking up and running, I ran into a situation where I could not simply bring up the interface with DHCP and no authentication at all (the wide-open wireless networking in most hotels catering to business travelers, coffeeshops, and so on) or with the very weak WEP security.

Hey, this was a system that very casually required the much higher security of WPA2! Good for them! Where was this?

At the Hilltop Hostel in Washington D.C.

That's right — travellers from major corporations and supposedly security conscious government agencies stay at hotels and recklessly use the wide-open cleartext wireless. I know because I have run tools like Kismet and Wireshark while staying at those hotels (and being careful to do nothing myself except through an SSH or SSL tunnel).

But a hippie crash-pad where you pay $20 a night for a bed in a shared room uses WPA2. Good for the Hilltop, too bad for the rest.

Why do the hotels catering to business travelers have poor network security? Because those hotels are in business to make money. And network security would frustrate the usually clueless business traveler, who would conclude that the network doesn't work and stay somewhere else the next time.