OpenWRT config for connecting to Proximus FON encrypted SSID

With autumn comes bad weather, and as I recently moved from cable to DSL at home (for a variety of reasons that are irrelevant here), the rainy weather really is visible. My throughput fell from 30mbps which is fairly decent, down to about 8mbps up and 0.5mbps down.

Some short-term solution other than shouting "Could you stop watching video for a minute?" needed to be found. Luckily, I enabled FON hotspot and there are about 8 other Proximus CPEs that I see, so just use the SSID sitting on the CPE with a faster throughput!

All is well, except the devices, unless told otherwise, usually pick the strongest SSID, which of course belongs to me. So I needed to force a BSSID selection and preferably to integrate all of that as another WAN uplink into my home network so I do not have to change the way the devices connect.

Thus, OpenWRT. It can act as a client on the WiFi and serve the local LAN via the Ethernet port. After some fiddling, I got it working and here's the process (assuming you have Chaos Calmer running).

First, connect the OpenWRT in client mode to the PROXIMUS_FON SSID via the WiFi scan, picking the best AP you can find. After you authenticate your laptop connected to the Ethernet LAN port, your OpenWRT will have the connectivity outbound for updates.

Perform the update: telnet to your CPE address, issue the command opkg update, and try to install wpa-supplicant: opkg install wpa-supplicant. It will complain about being mutually exclusive with wpad-mini, which is already installed. Great. Remove it with opkg remove wpad-mini, and then run opkg install wpa-supplicant again.

The reason we need wpa-supplicant is that wpad-mini does not have support for WPA-TTLS, which the encrypted SSID uses.

Make a dummy configuration for PROXIMUS_AUTO_FON by picking the appropriate AP from the scan list and then applying the configuration. We will edit it in the next step via the CLI.

Create a file /etc/config/ca1.pem which contains the following data (the GlobalSign Root CA certificate in PEM format):


Now edit the file /etc/config/wireless, and ensure that the config wifi-iface section looks as follows:

config wifi-iface
        option network 'wwan'
        option ssid 'PROXIMUS_AUTO_FON'
        option device 'radio0'
        option mode 'sta'
        option bssid 'XX:XX:XX:XX:XX:XX'
        option encryption 'wpa2'
        option eap_type 'ttls'
        option identity 'YOUR_USERNAME@proximusfon.be'
        option password 'YOUR_PASSWORD'
        option ca_cert '/etc/config/ca1.pem'
        option auth 'auth=MSCHAPV2'
        option disabled '0'
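
The two options in this section that carry the security weight are ca_cert, without which wpa_supplicant does not validate the authentication server's certificate before the MSCHAPV2 exchange, and bssid, which pins the chosen AP. The script below is an added example, not part of the original post: it audits wireless config text for 802.1X client sections missing either one; the function name and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit 802.1X client sections of an OpenWrt wireless config.

# Constructed sample: the first section follows the page, the second is a
# weakened variant with the CA file and the BSSID pin left out.
SAMPLE_WIRELESS="config wifi-iface
        option ssid 'PROXIMUS_AUTO_FON'
        option mode 'sta'
        option bssid 'XX:XX:XX:XX:XX:XX'
        option eap_type 'ttls'
        option ca_cert '/etc/config/ca1.pem'

config wifi-iface
        option ssid 'PROXIMUS_AUTO_FON'
        option mode 'sta'
        option eap_type 'ttls'"

# audit_eap_sta: read /etc/config/wireless text on stdin and print one
# finding per line; exit status 1 if anything was found, 0 otherwise.
audit_eap_sta() {
    awk '
    function report() {
        if (iface && opt["mode"] == "sta" && ("eap_type" in opt)) {
            if (!("ca_cert" in opt)) {
                print "wifi-iface #" idx ": no ca_cert, server certificate is not validated"
                bad = 1
            }
            if (!("bssid" in opt)) {
                print "wifi-iface #" idx ": no bssid, any AP advertising the SSID may be selected"
                bad = 1
            }
        }
        split("", opt)                      # reset for the next section
    }
    $1 == "config" { report(); iface = ($2 == "wifi-iface"); if (iface) idx++; next }
    $1 == "option" && iface {
        v = $3
        gsub("^[\047\"]|[\047\"]$", "", v)  # strip UCI quoting
        opt[$2] = v
    }
    END { report(); exit bad + 0 }'
}

# On the router: audit_eap_sta < /etc/config/wireless
printf '%s\n' "$SAMPLE_WIRELESS" | audit_eap_sta || true
```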

After that, from the root shell, give the command wifi disable, followed by wifi to enable it again. After a while, ifconfig wlan0 should show the public IPv4 address assigned to the interface. Unfortunately no IPv6 so far...

Now if you like you can install wpa_cli by doing opkg install wpa-cli and look at the results of the connection:

root@OpenWrt:/# wpa_cli
wpa_cli v2.5-devel
Copyright (c) 2004-2015, Jouni Malinen  and contributors

This software may be distributed under the terms of the BSD license.
See README for more details.


Selected interface 'wlan0'

Interactive mode

> status
bssid=32:91:8f:42:42:42
freq=2437
ssid=PROXIMUS_AUTO_FON
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=COMPLETED
ip_address=192.0.2.42
address=a0:f3:c1:42:42:42
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=21 (EAP-TTLS)
EAP TLS cipher=AES-256-SHA
tls_session_reused=0
EAP-TTLSv0 Phase2 method=MSCHAPV2
eap_session_id=4242424242424242442422442442424244242242424242424244224242422442242442242424422424422424242424242424
uuid=a5de4242-4242-442-4242-424242424242
>

That's really it.
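
To confirm from a script that the router is associated to the pinned BSSID and that the EAP-TTLS authentication completed, the status fields above can be checked as follows. This is an added example, not from the original post; the function names and the sample text are constructed, modelled on the output shown.

```shell
#!/bin/sh
# Added example: compare `wpa_cli status` output with what the config pins.

# Constructed sample, modelled on the status output shown above.
SAMPLE_STATUS='bssid=32:91:8f:42:42:42
ssid=PROXIMUS_AUTO_FON
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=COMPLETED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=21 (EAP-TTLS)'

# status_field KEY: print the value of KEY from status text on stdin.
# Keys can contain spaces ("EAP state"), so split at the first "=" only.
status_field() {
    awk -v k="$1" '{
        i = index($0, "=")
        if (i && substr($0, 1, i - 1) == k) { print substr($0, i + 1); exit }
    }'
}

# expect_field STATUS KEY WANT: succeed only if KEY is present and equals WANT.
expect_field() {
    have=$(printf '%s\n' "$1" | status_field "$2")
    [ "$have" = "$3" ] && return 0
    echo "FAIL $2: got '${have:-<missing>}', want '$3'" >&2
    return 1
}

# check_link STATUS BSSID SSID: 0 if associated to the pinned AP and 802.1X
# authentication with EAP-TTLS completed, 1 otherwise (reasons on stderr).
check_link() {
    rc=0
    pin=$(printf '%s' "$2" | tr 'A-F' 'a-f')    # status prints lower-case hex
    expect_field "$1" bssid "$pin"                     || rc=1
    expect_field "$1" ssid "$3"                        || rc=1
    expect_field "$1" wpa_state COMPLETED              || rc=1
    expect_field "$1" key_mgmt 'WPA2/IEEE 802.1X/EAP'  || rc=1
    expect_field "$1" suppPortStatus Authorized        || rc=1
    expect_field "$1" 'EAP state' SUCCESS              || rc=1
    expect_field "$1" selectedMethod '21 (EAP-TTLS)'   || rc=1
    return $rc
}

# On the router: check_link "$(wpa_cli -i wlan0 status)" 'XX:XX:XX:XX:XX:XX' PROXIMUS_AUTO_FON
check_link "$SAMPLE_STATUS" '32:91:8F:42:42:42' PROXIMUS_AUTO_FON && echo "link OK"
```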

In getting this to work, there were a couple of very useful resources I used:

  1. https://dev.wlan-si.net/ticket/974
  2. https://nxadm.wordpress.com/2015/04/14/post-it-proximus_auto_fon-and-telenetwifree-belgium-from-gnulinux-or-windows-7/

Further notes

The first document in the references talks about the necessity to edit the file /lib/netifd/hostapd.sh and add the anonymous_identity line shown below (as adapted to proximusfon logins):

network={
        $scan_ssid        
        ssid="$ssid"  
        key_mgmt=$key_mgmt
        $network_data
        anonymous_identity="anonymous@proximusfon.be"
}         

I found that in my case it eventually worked even without this line - i.e. just editing the wireless configuration is enough.

Eventually I might get a new cable from our apartment to downstairs, but for now this tweak gets the overall throughput back to acceptable levels for the short term.
