The air-gapped EST server uses a certificate signed by the OpenLAN
Server Issuing CA. This certificate is used to ensure mTLS
authentication when the device connects to the EST server.
Signed-off-by: John Crispin <john@phrozen.org>
Add dnsmasq_rebind_allow() function to automatically whitelist controller
FQDNs for private IP resolution in air-gapped deployments.
When dnsmasq's boguspriv option is enabled (default), it blocks DNS
responses containing private IP addresses (RFC 1918) as a security
measure. This prevents DHCP Option 224 from resolving controller FQDNs
to local private IPs in air-gapped networks.
Solution: Inject rebind-domain-ok directives into /tmp/dnsmasq.d/
directory, which dnsmasq automatically includes via --conf-dir option.
Behaviour:
- DHCP discovery: Whitelist FQDN from dhcp_server field
- Standard FQDN discovery: Whitelist openwifi.network
- Centralized discovery: No changes (public IPs not affected)
This maintains security by only allowing specific controller domains
to resolve to private IPs whilst filtering all other RFC 1918 responses.
Signed-off-by: John Crispin <john@phrozen.org>
Add cert_prefix_determine() function that reads discovery method from
/tmp/discovery.method and determines appropriate certificate naming:
- Centralized (OpenLAN redirector): operational.pem/operational.ca
- Air-gapped (DHCP/FQDN/Flash): <controller-fqdn>.pem/<controller-fqdn>.ca
The FQDN is extracted from the controller address in /tmp/cloud.json
(DHCP Option 224).
This enables APs to enrol and store separate operational certificates
for multiple controllers, supporting portability between centralized
and air-gapped deployments without certificate conflicts.
Signed-off-by: John Crispin <john@phrozen.org>
Extend gateway.json to include cert and ca fields specifying which
certificate files the client should use for the connection.
Certificate naming strategy:
- Centralized (redirector discovery): operational.pem/operational.ca
- Air-gapped (DHCP/FQDN/Flash): <fqdn>.pem/<fqdn>.ca
Write discovery method to /tmp/discovery.method so est_client can
determine appropriate certificate naming when enrolling.
This enables APs to maintain separate operational certificates for
multiple controllers and automatically select the correct certificates
based on which controller they're connecting to.
Signed-off-by: John Crispin <john@phrozen.org>
Modify early_boot init script to copy all .pem and .ca files from
/certificates/ to /etc/ucentral/ instead of only operational.pem
and operational.ca.
This enables support for multiple trust chains where certificates
are stored with FQDN-based names (e.g., controller.example.com.pem)
alongside the traditional operational.pem.
The simple wildcard copy allows air-gapped deployments to maintain
certificates for multiple controllers without complex logic.
Signed-off-by: John Crispin <john@phrozen.org>
Add discovery method that attempts to resolve a standard FQDN when DHCP
discovery fails. This enables zero-touch provisioning in environments
where administrators configure DNS without modifying DHCP infrastructure.
The standard FQDN is configurable via STANDARD_FQDN constant (defaults
to "openwifi.network"). Administrators can configure their local DNS to
resolve this FQDN to their controller, allowing APs to discover the
controller automatically.
Discovery priority order:
1. EST enrollment (blocking)
2. DHCP discovery (Option 224/138)
3. Flash-based configuration
4. Standard FQDN resolution (NEW)
5. Cloud redirector service (internet-connected only)
The implementation uses the resolv module for DNS queries, performing
A record lookups. If resolution fails, discovery continues to the next
method. The standard FQDN method integrates with the existing discovery
block list mechanism to prevent repeated failed attempts.
Note: The boguspriv dnsmasq option may prevent FQDNs from resolving to
private IPs. Administrators should either use CG NAT Safe IP addresses
(100.64.0.0/10) or configure dnsmasq with rebind-domain-ok exceptions.
Signed-off-by: John Crispin <john@phrozen.org>
Implement EST server discovery via CAA DNS records for air-gapped
deployments. When DHCP Option 224 provides a controller FQDN, query
CAA records to determine the appropriate EST server endpoint.
The discovery flow:
1. Read controller FQDN from /tmp/cloud.json (set by DHCP handler)
2. Query CAA records for the controller domain
3. Use EST server from CAA 'issue' tag if present
4. Fall back to certificate issuer-based selection if CAA lookup fails
This allows network administrators to configure local EST servers via
DNS rather than relying on hardcoded public endpoints. Air-gapped
deployments can now specify private EST servers through standard DNS
infrastructure.
Example DNS configuration:
controller.local. IN CAA 0 issue "est.local:8001"
When an AP receives controller.local via DHCP Option 224, it will
query CAA records and use est.local:8001 for certificate enrollment
instead of the public est.certificates.open-lan.org endpoint.
Signed-off-by: John Crispin <john@phrozen.org>
Add missing ';;' after edgecore,eap111/eap112 LED configuration to
prevent fall-through to subsequent case statements.
Signed-off-by: John Crispin <john@phrozen.org>
Allow configuring small values of duration time for passive
scanning in software scan.
Fixes: WIFI-14822
Signed-off-by: Marek Kwaczynski <marek@shasta.cloud>
**SPECIFICATIONS:**
SOC: Qualcomm IPQ6018 (64-bit quad-core ARM Cortex-A53 @ 1.8Ghz)
Flash: SPI NOR 8MB + NAND 128MB
Memory: 1GB
2.4GHz Frequency Band: 2.4GHz ~ 2.484GHz (802.11 b/g/n/ax)
5GHz Frequency Band: 5.150GHz~5.850GHz (802.11 a/n/ac/ax)
Wireless Speed: 2.4GHz: 574Mbps, 5GHz: 1201Mbps
**BACKUP YOUR STOCK FIRMWARE:**
- Put openwrt-*-initramfs-kernel.bin to your TFTP server and rename it to initramfs.bin
- Enable serial console and enter to u-boot cli and exec these commands:
```
tftpboot <your_tftp_server_ip>:initramfs.bin
bootm
```
- Once boot completed and you get the openwrt shell execute below commands:
```
device=<device_name>
mkdir -p /tmp/fw_backup; cd /tmp/fw_backup
rootfs=$(cat /proc/mtd | grep \"rootfs\" | cut -d: -f1)
rootfs_1=$(cat /proc/mtd | grep \"rootfs_1\" | cut -d: -f1)
dd if=/dev/${rootfs} of=rootfs_${rootfs} bs=1M
dd if=/dev/${rootfs_1} of=rootfs_1_${rootfs_1} bs=1M
cp /sys/firmware/fdt fdt.dtb
md5sum * > md5sum
tar -cvzf /tmp/${device}.tar.gz .
sum=$(md5sum /tmp/${device}.tar.gz | cut -d' ' -f1)
mv /tmp/${device}.tar.gz /tmp/${device}_${sum}.tar.gz
echo "stock fw backup saved to: /tmp/${device}_${sum}.tar.gz"
```
- Upload/save your backup to a safe place.
**STOCK FIRMWARE RECOVERY:**
- Boot initramfs image
- Upload your backed-up stock fw tarball to the device
using scp or download it from the device using wget.
- Enter device ssh cli or tty and exec:
```
cd /tmp && wget <your_web_server_ip>/${stock_fw_backup}.tar.gz`
tar -xpzf ${stock_fw_backup}.tar.gz
rootfs=$(cat /proc/mtd | grep \"rootfs\" | cut -d: -f1)
rootfs_1=$(cat /proc/mtd | grep \"rootfs_1\" | cut -d: -f1)
ubiformat /dev/${rootfs} -y -f /tmp/rootfs_${rootfs}
ubiformat /dev/${rootfs_1} -y -f /tmp/rootfs_1_${rootfs_1}
reboot
```
**INSTALLATION:**
1. initramfs method
- Put openwrt-*-initramfs-kernel.bin to your TFTP server and rename it to initramfs.bin
- Enable serial console and enter to u-boot cli and exec these commands:
```
tftpboot <your_tftp_server_ip>:initramfs.bin
bootm
```
- Once boot completed and you get the openwrt shell execute below commands:
```
cd /tmp && wget <your_web_server_ip>/factory.ubi`
export rootfs=$(cat /proc/mtd | grep rootfs | cut -d: -f1)
export rootfs_1=$(cat /proc/mtd | grep rootfs_1 | cut -d: -f1)
ubiformat /dev/${rootfs} -y -f factory.ubi
ubiformat /dev/${rootfs_1} -y -f factory.ubi
reboot
```
2. u-boot nand-factory.bin image method
- Put openwrt-*-squashfs-nand-factory.bin to your TFTP server and enter u-boot cli and exec these commands:
```
tftpboot <your_tftp_server_ip>:factory.bin
#After downloading is finished:
imxtract 0x44000000 ubi
flash rootfs
flash rootfs_1
reset
```
Signed-off-by: Shubham Vishwakarma <shubhamvis98@fossfrog.in>
During 802.11r Fast Transition roaming, when a client moves between
APs (e.g., wlan0 to wlan1) with the same dynamic VLAN assignment, the
vlan_add handler's refcount mechanism prevented the new WiFi interface
from being added to the bridge.
When wlan0-v100 and wlan1-v100 exist simultaneously with VLAN ID 100,
the refcount becomes 2, causing vlan_add to exit early for wlan1-v100.
This left wlan1-v100 out of the bridge VLAN table, breaking connectivity
after roaming despite correct VLAN assignment via RADIUS and RRB frames.
Fix by detecting WiFi VLAN interfaces (wlan*-v*) and always adding them
to the bridge regardless of refcount. The refcount mechanism now only
controls WAN port VLAN configuration, which should only occur once per
VLAN ID.
Also reorganise vlan_add/vlan_remove to check swconfig early for clarity.
Signed-off-by: John Crispin <john@phrozen.org>
Enable CONFIG_LEDS_TRIGGER_HEARTBEAT to allow LED heartbeat
functionality when device goes offline. Without this kernel option,
the LED trigger mechanism was unavailable, preventing the LED from
flashing to indicate offline status.
Fixes: WIFI-14646
Signed-off-by: John Crispin <john@phrozen.org>
When a station roams between bands on the same VLAN, the vlan_remove
event from the old band can arrive after the vlan_add event from the
new band, causing the VLAN to be incorrectly deleted whilst still in use.
Add reference counting that tracks how many interfaces are using each
VLAN ID. Only create VLAN devices on the first reference and only
remove them when the last reference is dropped.
On startup, initialise refcounts from current station state to handle
daemon restarts correctly.
Signed-off-by: John Crispin <john@phrozen.org>
676e155 dhcp_inject: fix a syntax issue in dhcp_inject
e594c44 captive.uam.mac-auth: the default was wrong
Signed-off-by: John Crispin <john@phrozen.org>
LAN switch exposes single eth1 instead of per-port interfaces for RAP750W-311A.
Using VLAN to separate LAN to each physical port for RAP750W-311A.
Fixes: WIFI-15163
Signed-off-by: jackcybertan <jack.tsai@cybertan.com.tw>
make openwrt/profiles relative so moving or renaming the repo directory won't break the symlink
Signed-off-by: Shubham Vishwakarma <shubhamvis98@fossfrog.in>
Changelog:
- Fix MAC address assignment for Ethernet ports
- Fix Ethernet port configuration (was not working in the current DTS
because GPIOs 23 and 24, used for LEDs, are RGMII2 pins)
- Add package kmod-7915-firmware to enable Wi-Fi
Signed-off-by: Shubham Vishwakarma <shubhamvis98@fossfrog.in>
Set max_ap_assoc at wiphy init instead of vif init for mt7915.
Hard code max_ap_assoc to 128 for EAP112 in wifi_max_user.uc
Fixes WIFI-15027
Signed-off-by: Arif Alam <arif.alam@netexperience.com>
100c045 Fix cloud cannot show association list when WDS-AP in state.uc
168f6a4 dhcp_inject: Support multiple upstream
Signed-off-by: John Crispin <john@phrozen.org>
Introduce a blocklist mechanism to avoid retrying failed discovery
methods within the same discovery cycle. Each time a method fails
validation, it is added to the blacklist. The blacklist is cleared
once the device transitions to ONLINE or after all discovery methods
have been attempted.
This prevents repeated attempts of failing methods and ensures the
discovery process progresses more reliably.
Signed-off-by: Marek Kwaczynski <marek@shasta.cloud>
In cases where gateway.json exists, the discovery method may be unset.
Writing an empty value to discovery.state.json is not useful, so
avoid updating the file in this case.
Signed-off-by: Marek Kwaczynski <marek@shasta.cloud>
Always obtain EST certificates before starting the discovery process.
This ensures certificates are already available from the EST server, since
the FQDN may be provided via DHCP discovery or another discovery method,
and requires valid certificates to proceed.
Fixes: WIFI-15123
Signed-off-by: Marek Kwaczynski <marek@shasta.cloud>
