Fonera+ (FON 2201) Encryption of Public ESSID

[beakmyn]

Ok, so it took some researching and poking around but you can easily do pretty much whatever you want with the "public" Fonera signal. I'll tell you how to change the ESSID (removing the FON_ prepend) and how encrypt it. Why would you want to? Well, let's say you don't just want to share your internet connection with just anyone; lest you be liable for whatever illegal actions they perform while connected through your network. Here, you have a little more control over who gets to connect.

Requirements

SSH access to your Fonera

scp (secure copy) OR Winscp OR vi editor in Fonera

Hardware Used

Fonera+ (FON 2201)

Files touched

I will only show you modified sections of the scripts for brevity.

/etc/config/fon

/lib/fon/config.sh

/etc/init.d/chillispot #For WPA only

Background

In non-modified mode when the Fonera boots it calls

/etc/config/Wireless which is just a redirect to set up the wireless (contents: . /lib/fon/config.sh wireless). So config.sh is called with parameters to accomplish this. It queries the /etc/config/fon file "Public" section settings. Currently there is no code in this file that allows the "Public" signal to be encrypted. This is easily fixed, just copy the code from the private section and replace the appropriate references sections. This is easy enough for WEP but there's a catch if you want to use WPA.

Here's the rub; WPA uses the passphrase you provide and the ESSID as a seed to create the actual encryption key. Not a big deal except that the ESSID you supply in the /etc/config/fon is not the actual ESSID of the public connection even though that's what will show up in your wireless client/manager!

So, you have to do a little more work and modify the chillispot config file and remove the FON_ prepend which is shown below. Unless this is done you'll never be able to connect to the public side using WPA encryption.

Keep in mind that the Public signal isn't available until the Fonera has determined that it can access the internet.

Modified: /lib/fon/config.sh

    config wifi-iface public
        option device   wifi0
        option ifname    ath0
        option mode     ap
        config_get ssid public essid
        option ssid "$ssid"
        option hidden   0
        config_get encryption public encryption
        case "$encryption" in
            wpa*|WPA*|Mixed|mixed)
                case "$encryption" in
                    WPA|WPA1|wpa|wpa1) enc=psk;;
                    WPA2|wpa2) enc=psk2;;
                    Mixed|mixed) enc=psk-mixed;;
                esac
                config_get crypto public wpa_crypto
                option encryption "$enc${crypto:+/$crypto}"
                config_get key public password
                option key "$key"
        ;;
            WEP|wep)
                option encryption wep
                config_get key public wepkey
                option key "$wepkey"
        ;;
        esac

This is the workhorse script . You'll see the unmodified section of the script, on your Fonera, for "config wifi-iface public" is pretty spartan. Just copy the what's in the private section pertaining to encryption and replace the appropriate "config_get private" with "config_get public" These are the calls to /etc/config/fon. This file needs to be changed if you want to enable encryption on the public wifi.

WEP Encryption

This is the easiest and requires the least amount of work on your part.

Modified: /etc/config/fon

config wifi public
    option    essid       'MyPublicPlace'
    option    isolate        1
    option wepkey    '1'
    option key1    'DEADBEEF11'
    option key2    ''
    option key3    ''
    option key4    ''

DEADBEEF11 is a 10 digit hexidecimal passphrase. This creates WEP 64 encryption key.

Also tested:

option key1 $(get_serial)

Conveniently creates a WEP64 key that is the serial number

For a WEP 128 key try

option key1 'FoneraIsCool!'

Setting option wepkey '1' sets the Key# index to use. But since there is currently no webif interface to change this leave it at 1.

WPA Encryption

Using WPA comes with the warm fuzzy of a less-likely to be broken key. Yes, I know all the ways to break it, you don't need to tell me.

Modified: /etc/config/fon

config wifi public
    option    essid       'MyPublicPlace'
    option    isolate        1
    option    encryption    'wpa'
    option    wpa_crypto    tkip
    option    password    'CPE1704TKS'

Modified: /etc/init.d/chillispot

    # enable the wifi interface ssid
    config_get ssid public essid
    # Original
    #iwconfig "$wifi_ifname" essid "FON_$ssid"
    # WPA working
    iwconfig "$wifi_ifname" essid "$ssid"

See the difference? Because the Public wifi was never meant to be encrypted it wasn't an issue to prepend the FON_ to the ESSID. However doing this will break WPA because the ESSID in use doesn't match what was used for the seed to the hash. So, you've got a buried shovel.

We must remove the FON_ prepend. This doesn't appear to break anything. It does make it harder for the user to know it's FON spot so you'll want to set your ESSID to include the FON_ as an alternative.

Removing the FON_ doesn't affect the captive portal.

Caveats

If you use the web interface to make changes that touch the /etc/config/fon file like changing the private wifi settings, you will lose your modifications to the public wifi. This is due to the webif scripts in use that overwrite this file.

It should be a trivial procedure to modify the wireless settings web page to allow you to set both the private and public settings. These modifications most likely won't survive a firmware update though.

Final Notes

Reboot your Fonera and you should see that both the "Public" and "Private" are now encrypted!

You can have both the WEP and WPA options in the /etc/config/fon file just remember to set the "option encryption" appropriately.

Next up, modifying the webif scripts to make it even easier.