OWE on the GL.iNet Flint 3

For my work at IPinfo I needed an open Wi-Fi network to test against. Having learned of the existence of Opportunistic Wireless Encryption (OWE) and that OpenWrt supports it, I wanted to have one.

OWE encrypts traffic on open networks without requiring a password. Clients (Apple, Android) that support OWE encrypt their traffic. Lack of encryption was always the big drawback of open networks. For my use case it didn't really matter (I don't expect anyone to join), but now I get to say I have an encrypted guest Wi-Fi network that doesn't need a password.

Setting it up on the Flint 3 was straightforward following the OpenWrt guest Wi-Fi and OWE guides. But it didn't work. There were two separate issues.

GL.iNet firmware bug

The OpenWrt guides tell you to set encryption='owe' on the wireless interface. Presumably this works in the normal version of OpenWrt, but there's a bug in the modified variant that ships with the Flint 3's firmware. On firmware 4.8.4 it silently creates an open network with no encryption. Technical details.

The workaround is to set the encryption option and the OWE flag separately:

uci set wireless.<iface>.encryption='ccmp'
uci set wireless.<iface>.owe='1'
uci commit wireless
wifi
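
Because the misconfiguration is silent, it is worth checking what the access point actually advertises after the change. The script below is an added example, not part of the original post: it assumes a Linux client with iw, classifies each BSS of an SSID from `iw dev <iface> scan` output, and uses a constructed sample scan (the SSIDs guest-test and home and the BSSIDs are made up). iw prints the OWE AKM as OWE or, in older versions, as 00-0f-ac:18.

```shell
#!/bin/sh
# owe_status SSID: read `iw dev <iface> scan` text on stdin and print
# "<bssid> owe|open|other" for every BSS that advertises SSID.
#   owe   - RSN element lists the OWE AKM (00-0f-ac:18)
#   open  - no RSN/WPA element at all, i.e. unencrypted
#   other - some other AKM (PSK, SAE, 802.1X, ...)
owe_status() {
    awk -v want="$1" '
        function flush() {
            if (bssid == "" || ssid != want) return
            if (akm ~ /OWE|00-0f-ac:18/) state = "owe"
            else if (!rsn)               state = "open"
            else                         state = "other"
            print bssid, state
        }
        # A new top-level "BSS <mac>(on <iface>)" line starts the next record.
        /^BSS / { flush(); bssid = substr($2, 1, 17); ssid = ""; akm = ""; rsn = 0; next }
        /^[ \t]*SSID: / { sub(/^[ \t]*SSID: /, ""); ssid = $0; next }
        /^[ \t]*(RSN|WPA):/ { rsn = 1 }
        /Authentication suites:/ { sub(/.*Authentication suites: /, ""); akm = akm " " $0 }
        END { flush() }
    '
}

# Constructed, trimmed sample of scan output (not captured from a real device):
# one OWE BSS, one BSS that came up open, and an unrelated PSK network.
sample_scan() {
    cat <<'EOF'
BSS 02:00:00:00:00:01(on wlan0)
    freq: 5180
    SSID: guest-test
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: OWE
BSS 02:00:00:00:00:02(on wlan0)
    freq: 2437
    SSID: guest-test
BSS 02:00:00:00:00:03(on wlan0)
    freq: 2412
    SSID: home
    RSN:     * Version: 1
         * Authentication suites: PSK
EOF
}

sample_scan | owe_status guest-test
```

On a real client, pipe `iw dev wlan0 scan` (interface name assumed) into `owe_status` with your own SSID; any line ending in `open` means that radio is broadcasting without encryption.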

CoreWLAN bug

After getting OWE working I noticed that macOS and iOS report the network as "Security: None". At first I thought OWE wasn't working, but checking on the router confirmed it was.

The bug is in Apple's CoreWLAN framework. CWInterface.security() returns kCWSecurityNone (0) for an active OWE connection when it should return kCWSecurityOWE (14). The scan API gets it right: CWNetwork.strongestSupportedSecurity correctly returns kCWSecurityOWE.

Maybe because of this bug the UI also doesn't distinguish OWE from open networks at all. Same appearance and security warning. Anyone who went through the trouble of setting up OWE gets flagged as insecure anyway. That's wrong.

Apple feedback ID: FB22250575

Free Wi-Fi for all

It took a lot of fiddling and going back and forth with Claude but ultimately I was able to come up with a solution that I understood and could report issues for. Finding issues with iOS and macOS was an unexpected bonus. I guess.

If you're ever near my house be sure to join my open but encrypted Wi-Fi.