WPS setup on OpenWrt

Updated: 2020-04-29

Most routers nowadays support WPS, which allows you to easily add new devices to a WLAN, without the need to type in long passwords. Most consumer routers or APs come with a WPS button (often on the back) so you can initiate WPS simply by pushing it. This is not the sole possibility, you can e.g. also exchange a PIN between client and AP. The button functionality is not always replicated when you replace OEM firmware with custom firmware like OpenWrt - or, like on the TL-WR1043ND v2, the WPS and reset buttons might be the same physical button, which can cause you to reset your device instead of initiating a WPS request. That's not what you want, and you don't want to fiddle with button support either, so I'll show you how to use WPS without needing to actually push that button.

Replacing wpad-mini

OpenWrt comes with wpad-mini by default, an IEEE 802.1x/WPA Authenticator and Supplicant. This provides all you need for a regular WLAN, but for WPS you need to remove it and install hostapd-utils and wpad (the latter, according to the OpenWrt wiki, is hostapd plus a multi-call wpa_supplicant binary). With OpenWrt 19.07 and later, there are multiple SSL enabled variants of wpad, like wpad-openssl or wpad-wolfssl. Those are functionally equivalent for what we're about to do.

# opkg update
# opkg remove wpad-mini
# opkg install hostapd-utils wpad

Adding WPS capability

Next we add WPS support to /etc/config/wireless. WPS will only work with WPA2-PSK enabled and CCMP being used as the encryption protocol. Add the following line at the end of the config wifi-iface section:

option wps_pushbutton '1'

If you have multiple access points (SSIDs), add this to every matching wifi-iface config section for the SSID you want to enable WPS for. Now restart your wireless (make sure you are connected with a cable to the device, to be on the safe side).

# wifi down && wifi up

Running WPS

Now you're all set to initiate the WPS request. If you check /var/run/hostapd-phy0.conf (or phy1, if it's the second radio), you'll see that there is a line showing all the WPS possibilities supported:

config_methods= push_button

Run the following on your router or AP to initiate the WPS procedure. Since hostapd picks the first interface it encounters, you might have to specify the interface explictly:

# hostapd_cli -i wlan0 wps_pbc

Now push the WPS button on your client. It might take a bit, to verify the status of the WPS request, you can call hostapd_cli again:

# hostapd_cli -i wlan0 wps_get_status
Selected interface 'wlan0'
PBC Status: Disabled
Last WPS result: Success
Peer Address: d4:c9:e4:75:ed:79

VoilĂ , your client is connected, and everything should also stick after AP or client reboots.

Security concerns

For security, you might want to disable WPS on the AP afterwards, and if you'd like, you can swap hostapd-utils and wpad for wpad-mini again. Security vulnerabilities have been reported against WPS, specifically when using PIN exchange.