Skip to content

Instantly share code, notes, and snippets.

@kitswas

kitswas/OpenWRTwith802.1XAuth.md

Last active November 13, 2025 12:04
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save kitswas/b5c3e6178b4b87df22c8dcf463d8858f to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save kitswas/b5c3e6178b4b87df22c8dcf463d8858f to your computer and use it in GitHub Desktop.
Download ZIP
Raw
OpenWRTwith802.1XAuth.md

Wifi Router Setup IIITH

This document provides a guide for setting up a router in your room at the International Institute of Information Technology, Hyderabad (IIITH).

Warning

All usage from the router will be attributed to the account used. Share your password with caution.

You can either get a router that works out-of-the-box (don't ask me for names, look for enterprise routers that support 802.1X auth).
Or flash a router with OpenWrt.

Flashing OpenWrt

Caution

This will void your warranty. You cannot return the router either after you do this.
If you make mistakes, you will brick your router.
By proceeding, you agree that any problems that occur are solely your responsiblity.

This is a long, complicated process that demands time (hours, or even a couple of days, depending on your skills), patience and an understanding of Linux fundamentals. (So, don't expect others to do it for you.)

Important

Follow the steps carefully. Mistakes might require you to restart the process.

Here's what you have to do:

  1. Choose a supported router model from the OpenWrt Table of Hardware and buy it. (No, if the router you have is not supported by OpenWrt, it cannot be used.)

  2. Install OpenWrt. Refer to the quick start guide. Search for YouTube videos for your router.

  3. Download and flash an OpenWrt Sysupgrade image with modified packages. Visit https://firmware-selector.openwrt.org/, enter your router model, click on Customize installed packages and replace wpad-basic-mbedtls or wpad-mini with wpad. Request build and download when done. Go to 192.168.1.1 (OpenWrt config panel) -> System -> Firmware -> Flash the Sysupgrade image.
    The other option is to change the packages inside the router with opkg (similar to apt), but it'll be messy because the router won't have internet access yet.

Note

We are intentionally flashing twice.
The online image builder only produces a Sysupgrade image for some routers. If the image builder produces a recovery image for your router, you can flash the customized image directly.

  1. Follow the following configuration steps.

Config

This builds on:

  1. https://enjoykhg.blogspot.com/2017/12/how-to-configure-openwrt-router-8021x.html?m=1
  2. https://self-help.iiit.ac.in/wiki/index.php/Configure_802.1X_Client_Auth_Mechanism_for_Routers

Find and replace words starting with <YOUR in the following sections.

SSH into the router. (Connect via ethernet cable. Wifi is disabled by default. Internet will be unavailable.)
Replace 192.168.1.1 with your router's actual IP.

ssh -oHostKeyAlgorithms=+ssh-rsa root@192.168.1.1

Tip

Press i to enter edit mode in Vim. Press ESC followed by :q to exit. (or :wq to save and exit)

vim /etc/config/wpa.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
ap_scan=0
network={
  key_mgmt=IEEE8021X
  eap=PEAP
  identity="<YOUR_EMAIL>@students.iiit.ac.in"
  password="<YOUR_802.1x_PASSWORD>"
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
}

If you don't remember your 802.1X password, reset it here.

vim /etc/init.d/wpa

Update the date shown below. Also, change eth0.2 to your actual WAN port interface.
Remember, the WAN port on your router must be connected to the ethernet port in your room.

#!/bin/sh

START=99
start() {
  echo start
  date --set="2025-04-04 00:00:00"
  wpa_supplicant -D wired -i eth0.2 -c /etc/config/wpa.conf -B
  udhcpc -i eth0.2 -b
}
chmod a+x /etc/init.d/wpa
/etc/init.d/wpa enable
/etc/init.d/wpa start

Edit the file /etc/config/dhcp and replace...

option rebind_protection '1'

...to...

option rebind_protection '0'

UCI-defaults

vim /etc/uci-defaults/98_default-wlan.sh
#!/bin/sh

# wireless settings
uci set wireless.@wifi-iface[0].ssid='<YOUR_WIFI_NETWORK_NAME>'
uci set wireless.@wifi-iface[0].encryption='psk2'
uci set wireless.@wifi-iface[0].key='<YOUR_WIFI_NETWORK_PASSWORD>'
uci set wireless.@wifi-device[0].country='IN'
uci set wireless.@wifi-device[0].channel='auto'
uci set wireless.@wifi-device[0].disabled='0'
uci commit wireless

wifi reload
exit 0

vim /etc/uci-defaults/97_default-time.sh
#!/bin/sh

# time and date settings
uci set system.@system[0].timezone='IST-5:30'
uci set system.@system[0].zonename='Asia/Kolkata'
uci set system.ntp.enabled='1'
uci set system.ntp.enable_server='0'

uci del system.ntp.server
uci add_list system.ntp.server='time.iiit.ac.in'
uci add_list system.ntp.server='in.pool.ntp.org'
uci add_list system.ntp.server='time.nist.gov'

uci commit system

chmod +x /etc/init.d/sysntpd
/etc/init.d/sysntpd restart

exit 0

vim /etc/uci-defaults/95_default-auth.sh
#!/bin/sh

# dnsmasq settings
uci set dnsmasq.rebind_protection='0'
uci commit dnsmasq

chmod +x /etc/init.d/wpa
/etc/init.d/wpa enable
/etc/init.d/wpa start

ntpd -dddnqg -p 10.4.20.38 # time.iiit.ac.in (Verify, has been known to change)

exit 0

Save and restart your router. Wait for a few minutes. Light an incense or something.
Then try to connect to the wifi from your phone or laptop.
If Murphy doesn't visit, you should see the Wifi network you worked so hard to set up.

Congratulations! 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment