Monday, August 16, 2010

WRT54GL - GoogleWiFiSecure - OpenWRT

It had to be an eventuality that someone would try to get OpenWRT onto Google's secure wifi network, and that ended up being me. As I couldn't find any other information I had to figure this out for myself.

Here it is:
Use Backfire trunk (currently it's approximately 10.03.1 RC1). Use wpa_supplicant (instead of wpad or wpad-mini), and set it to use libopenssl. Add libopenssl. Add luci-medium too. Use the Broadcom 47xx target as opposed to the old 2.4 kernel one. Compile. Flash. There are excellent compilation instructions on OpenWRT's website. I used Debian Lenny in a virtual machine (Oracle VirtualBox) and it went very smoothly.

After compiling and flashing, reboot and then telnet into the system and edit /lib/wifi/wpa_supplicant.sh line 84 from:
peap|ttls)
to
PEAP|TTLS)

It's a bug and hopefully they will fix it. The bug is either in LuCI or wpa_supplicant (probably depends on who you ask), but this will get it working either way.

Now go into LuCI and configure the settings. "Path-to-certificate" can be left blank. It is only used to verify the server, and Google's Wi-Fi doesn't support that, so leaving it blank will not affect anything else. Set all the other settings as Google instructs:

To connect to GoogleWiFiSecure, create a new network connections profile with the following settings:

SSID: GoogleWiFiSecure (case-sensitive)

WPA/WPA2 Settings
EAP type: EAP-PEAP or EAP-TTLS
Encryption method: AES (preferred) or TKIP
Authentication Protocol: MS-CHAP-V2 or CHAP
Trusted Server Name for Authentication: onex.wifi.google.com

Under the 802.1x settings be sure to enter the username and password that you obtained earlier.

Reboot router and it should work.
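
The case-sensitive match behind the line 84 edit, and the settings above written out as a wpa_supplicant network block, as an added example (not code from this post or from OpenWrt's wpa_supplicant.sh). The function names, credentials and CA path are hypothetical; ca_cert and altsubject_match are only emitted when a CA file is supplied.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not OpenWrt's.

# Case-sensitive match, like the pattern on line 84 before the edit.
match_strict() {
    case "$1" in
        peap|ttls) return 0 ;;
        *) return 1 ;;
    esac
}

# Upper-case the value so "peap", "PEAP" and "Peap" select the same branch.
normalize_eap() {
    printf '%s' "$1" | tr 'a-z' 'A-Z'
}

# Print a wpa_supplicant network block for PEAP or TTLS.
# Args: ssid eap_type phase2_auth identity password [ca_cert] [server_name]
eap_network_block() {
    eap=$(normalize_eap "$2")
    case "$eap" in
        PEAP|TTLS) ;;
        *) echo "unsupported eap_type: $2" >&2; return 1 ;;
    esac
    printf 'network={\n'
    printf '\tssid="%s"\n' "$1"
    printf '\tkey_mgmt=WPA-EAP\n'
    printf '\teap=%s\n' "$eap"
    printf '\tphase2="auth=%s"\n' "$(normalize_eap "$3")"
    printf '\tidentity="%s"\n' "$4"
    printf '\tpassword="%s"\n' "$5"
    # Without a CA file the server certificate is not verified at all.
    if [ -n "$6" ]; then
        printf '\tca_cert="%s"\n' "$6"
        if [ -n "$7" ]; then
            printf '\taltsubject_match="DNS:%s"\n' "$7"
        fi
    fi
    printf '}\n'
}

# Constructed demo: the same EAP type in both cases, then a full block.
for t in peap PEAP; do
    if match_strict "$t"; then echo "$t: matched"; else echo "$t: fell through"; fi
done
eap_network_block GoogleWiFiSecure PEAP mschapv2 user@example.com placeholder-password
```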

Currently this is a NAT configuration. I'm sure with more work you can configure it to be a bridge, but as I passed the router back to my friend, and I have my own internet, I don't care anymore...

Here is a link to the compiled .trx file. You'll need the ability to flash the .trx file.
http://nkcorner.com/openwrt-brcm47xx-squashfs.trx
Here is a link to the .config file I used:
http://nkcorner.com/openwrt-config (rename to .config)

PS - For the config, you just run make defconfig, and then choose the Broadcom BCM947xx/953xx target (WITHOUT the 2.4!). If you use 2.4 then you won't have the 802.1x authentication which is required for Google's secure Wi-Fi.
Then add wpa_supplicant (remove wpad-mini), and set wpa_supplicant to use libopenssl instead of internal. Then add libopenssl. Also add luci-medium if you want graphical configuration.
Everything else will work fine.

And YES - BCM947xx is the correct target. I know, I know, the WRT54GL uses the BCM5352. Don't worry, it is the same chipset or something as the BCM947xx series...

This is it.

I'm sure that wpa_supplicant.sh can be changed when creating the image, but I never bothered with it, because I don't care enough. If you make that change and would like to share how, then by all means post a comment. Also note that it seems that after a change is made you will have to power cycle the router to get it back onto the wifi network. I don't know why, but I'm happy enough that it gets there once, so I didn't bother trying to debug this. That would be a mostly impossible step anyhow, given my limited knowledge of how OpenWRT works.

As I don't have this router anymore, I'm probably not gonna update this blog much more unless someone posts an interesting comment which should be added.

Hopefully this will help someone.

3 comments:

  1. Thanks very much for the info!! It has helped me greatly in connecting my WRT54GL to eduroam. I struggled to get the most recent release of OpenWRT working with 802.1x, but your build did the trick. I'd also like to try building the kernel myself out of interest. What tutorial did you use to learn how to do it?

    One further point: when you mention to set wpa_supplicant to use libopenssl, where does one change this setting? I think libopenssl is the reason that your build authenticates to the 802.1x access point and the ones downloaded from the openWRT website don't. Thanks once again for a great article!

  2. Follow the instructions from OpenWRT to build an image:
    http://wiki.openwrt.org/doc/howto/build

    During the build process, you must perform 'make config'. In the menus, you must add wpa_supplicant, and under wpa_supplicant you must choose libopenssl. Also be sure to add libopenssl.

    You're welcome :)

  3. Please, can you help me?

    I need the .trx and the config file; the links are not working.
