How to set up an 802.1X-authenticated WAN using OpenWRT?

This tutorial explains how to configure OpenWRT to authenticate the WAN connection using 802.1X EAP-TLS.

Step 1: Make sure your OpenWRT image includes all the needed packages

Make sure that your OpenWRT image includes at least the following packages:

libopenssl hostapd-common wpad-openssl -wpad-basic-wolfssl

Note: wpad-basic-wolfssl is explicitly excluded.

You can easily get your image built using the OpenWRT Firmware Selector.

Step 2: Create the wpa_supplicant configuration file

We need to create:

  • /etc/config/wpadot1x.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
ap_scan=0
network={
	key_mgmt=IEEE8021X
	eap=PEAP
	identity="username"
	password=""
	anonymous_identity="username"
	pairwise=CCMP
	phase2="auth=MSCHAPV2"
	ca_cert="/etc/config/80211x-CA.pem"
	priority=2
}

Step 3: Attach a script to run wpa_supplicant when the wan interface goes up

Create /etc/hotplug.d/iface/99-ifup-wan as follows:

#!/bin/sh
# Run only when the wan interface comes up
[ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ] && {
    logger "iface wan up detected..."
    # Start the wired 802.1X supplicant in the background, logging to syslog
    wpa_supplicant -s -t -D wired -B -i eth1 -c /etc/config/wpadot1x.conf
    # Wait 3 s for the authentication to complete
    sleep 3
    logger "wan ifup -> renewing DHCP lease"
    # SIGUSR1 makes every running udhcpc renew its lease
    PID=$(pidof udhcpc) && kill -USR1 $PID
}
exit 0

Make the script executable:

chmod +x /etc/hotplug.d/iface/99-ifup-wan

Restart the interface:

ifup wan

Note: eth1 should be replaced with the actual WAN interface.

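Note: The CA certificate is optional, but recommended for security: without ca_cert, wpa_supplicant does not verify the authentication server's certificate, so the credentials can be offered to any server that answers on the link.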

Note: If you are looking for UPB’s CA certificate you can download it from here.
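
The CA certificate note above, turned into a pre-flight check on the Step 2 file. This is an added example, not part of the original tutorial: conf_get and audit_dot1x_conf are hypothetical helper names, and the server-name and file-permission checks go beyond what the tutorial configures (domain_suffix_match, domain_match, subject_match and altsubject_match are wpa_supplicant options).

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a wpa_supplicant 802.1X config.
# conf_get and audit_dot1x_conf are hypothetical helper names.

# Print the value of key $2 from file $1 (first match, quotes stripped).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# Print one line per finding; the return status is the number of findings.
audit_dot1x_conf() {
    conf="$1"; findings=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # Without ca_cert the supplicant accepts any server certificate.
    ca=$(conf_get "$conf" ca_cert)
    if [ -z "$ca" ]; then
        echo "ca_cert not set: server certificate is not verified"
        findings=$((findings + 1))
    elif [ ! -s "$ca" ]; then
        echo "ca_cert points to a missing or empty file: $ca"
        findings=$((findings + 1))
    fi

    # A CA alone trusts every certificate it issued; constrain the server name too.
    pinned=no
    for key in domain_suffix_match domain_match subject_match altsubject_match; do
        if [ -n "$(conf_get "$conf" "$key")" ]; then pinned=yes; fi
    done
    if [ "$pinned" = no ]; then
        echo "no server name constraint (for example domain_suffix_match)"
        findings=$((findings + 1))
    fi

    # The file holds the account password: only the owner should read it.
    perms=$(ls -lL "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "group/other can access $conf: run chmod 600"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Audit the file given on the command line, if any.
if [ -n "${1:-}" ]; then audit_dot1x_conf "$1"; fi
```

Run it as `sh audit.sh /etc/config/wpadot1x.conf` (the script name is arbitrary) before restarting the interface; an exit status of 0 means no findings.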

Written on December 18, 2023