1. Recommended OpenWRT Devices with Hotspot 2.0 and Passpoint 2.0 Support
Are you searching for the perfect OpenWRT device with robust Hotspot 2.0 and Passpoint 2.0 support? Look no further! We’ve curated a list of highly recommended devices that seamlessly integrate these advanced features into your network. From the GL-MT6000 (Flint 2) with WiFi 6 capabilities to the pocket-sized GL-AXT1800 (Slate AX) offering gigabit travel convenience, explore the best options for enhanced connectivity and security. Upgrade your router experience with these top-notch devices tailored for Hotspot 2.0 enthusiasts and professionals alike.
- GL.iNet GL-MT6000 (Flint 2) WiFi 6 Router
- GL.iNet GL-AXT1800 (Slate AX)
- GL.iNet GL-MT3000 (Beryl AX)
- GL.iNet GL-SFT1200 (Opal)
In addition to the above, hgot07 and we have completed testing on other GL.iNet devices, including the Mango (which has storage issues), Slate and Beryl devices, on both internal and external wireless interfaces.
Recommended External WiFi Adapters for HotSpot 2.0 Support on OpenWRT
When it comes to enhancing your OpenWRT setup with external WiFi adapters, especially for HotSpot 2.0 support, choosing the right hardware is crucial. Below, we recommend some top-performing external WiFi adapters known for their OpenWRT compatibility and 802.11 AX support.
They are listed from best to worst.
- ALFA AWUS036AXML 802.11axe WiFi 6E USB 3.0 Adapter AXE3000, Tri Band 6 GHz
- ALFA AWUS036AXM WiFi 6E USB 3.0 USB Adapter, AXE3000 Tri-Band 6Ghz/5.8GHz/2.4GHz
- NETGEAR WiFi AC1200 USB 3.0 Adapter (A6210)
For a list of other documented adapters that are supported on Linux and OpenWRT, see the USB-WiFi Documentation Repo.
2. Step 0: Prerequisites for Hotspot 2.0 on OpenWRT
Before configuring Passpoint on OpenWrt, ensure you have the following prerequisites:
- OpenWrt compatible device with a Passpoint-capable wireless device (PHY).
- OpenWrt 21.02, or newer, including wpad (hostapd) built with the hs20 option.
- Full version of the iw package in OpenWrt.
- 802.1x infrastructure (RADIUS server).
- Information about the assigned RADIUS servers:
Note: This information can be obtained through an email or document from your provider. If you’re using Google Orion like we are in our examples below, you’ll be self-hosting a freeradius-based radsec proxy. We won’t be going into this in this article, so please read your provider’s instructions carefully.
Updating OpenWRT Packages for Hotspot 2.0 Support on OpenWRT
Before configuring Hotspot 2.0 on OpenWRT, ensure that your system has the required packages installed.
Use the following commands to install the necessary components:
opkg update
opkg --force-removal-of-dependent-packages remove iw iw-full wpad-basic gl-sdk4-repeater hostapd-basic hostapd-common hostapd-openssl wpad-openssl
opkg --force-overwrite --force-removal-of-dependent-packages install iw-full hostapd-common wpad-openssl nano
If you’ve purchased one of the GL.iNet devices we recommended above, also run the following command:
opkg --force-overwrite install kmod-ath10k-smallbuffers kmod-ath9k kmod-ath9k-common kmod-ath kmod-mac80211 kmod-cfg80211
3. Step 1: Configuring Wireless Interfaces for Hotspot 2.0 on OpenWRT
In the /etc/config/wireless file, customize the settings for your Hotspot 2.0-enabled interface. Ensure the correct device, encryption type, and other parameters are set. Pay attention to the WAN Metrics, NAI Realm, and Domain Names sections to tailor them to your service provider. We have many of these options already configured in the details below. Read the code comments carefully; this section is not copy and paste. It requires a lot of customization for your environment.
Copy and modify the following carefully. Once working, mirror it for the 2.4 GHz, 5 GHz, and 6 GHz radios while adjusting the wifi-iface config name, ifname, and device (radio) options for each radio.
nano /etc/config/wireless
config wifi-iface 'radio1_orion5g'
    # Modify to your radsec proxy server / radius server
    option acct_secret 'radsec'
    option acct_server 'xxx.xxx.xxx.xxx'
    option auth_secret 'radsec'
    option auth_server 'xxx.xxx.xxx.xxx'

    # Likely radio0 or radio1 if using built-in radios; if using a USB device it'll likely be radio2
    option device 'radio1'

    # Change between either wpa2-mixed or wpa3-mixed
    option encryption 'wpa3-mixed'

    # First number matches the radio, second is the SSID number. Both start at 0.
    # Ex: wlan1-2 would be radio 1, SSID 2.
    option ifname 'wlan1-2'

    # Table E-4 of IEEE Std 802.11-2012 Annex E defines the values that can be used here. (Likely just use 5173)
    # https://ieeexplore.ieee.org/iel5/6361246/6361247/06361248.pdf
    # https://mentor.ieee.org/802.11/dcn/10/11-10-0564-00-0s1g-operating-classes.ppt
    # Format: hexdump of operating class octets
    option hs20_operating_class '5173'

    # See Instructions Below (Optional, omit if you want.)
    option hs20_wan_metrics '01:3e80:3e80:33:99:3000'

    # Venue Info
    # The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34
    option iw_venue_group '1'
    option iw_venue_type '7'

    # Specify the same nasid for both 2.4ghz and 5ghz. Use any time the network is different.
    # Normally it'll be the same across the board for all APs in the same location.
    option nasid 'OrionWRT'

    # Likely leave as guest, but customize if needed
    option network 'guest'

    # Likely leave as Orion or OrionWiFi if using Orion, but the SSID can be anything you want.
    option ssid 'OrionWiFi'

    # Specify the IP address type availability as '11'.
    # IP Address Type Availability (ANQP) setting that indicates the availability of IP address types on the Passpoint network.
    # The value '11' informs Passpoint clients that both IPv4 and IPv6 addresses are available on the network.
    # It helps clients understand the network's IP address capabilities.
    # Refer to IEEE Std 802.11-2016, Section 9.4.2.72 for more details on IP Address Type Availability.
    option iw_ipaddr_type_availability '11'

    # Local time zone as specified in 8.3 of IEEE Std 1003.1-2004
    # Set as CST. Feel free to customize or omit.
    # stdoffset[dst[offset][,start[/time],end[/time]]]
    # We've defaulted it to Central Standard Time (most of our US based readers are in CST/CDT.)
    # This config is optional. You can safely omit it.
    option time_zone 'CST6CDT,M3.2.0,M11.1.0'

    # Specify the access network type as '2' (Chargeable public network).
    # Access Network Type (ANQP) is set to '2' indicating a Chargeable public network.
    # This value informs clients that the network requires payment for access.
    # Refer to IEEE Std 802.11-2016, Section 9.4.2.72 for more details.
    option iw_access_network_type '2'

    # Specify the network authentication type as '00'.
    # Network Authentication Type (ANQP) setting that specifies the network's authentication type for Passpoint.
    # The value '00' indicates that the network authentication is open or unspecified.
    # It informs Passpoint clients about the type of authentication used by the network.
    # Refer to IEEE Std 802.11-2016, Section 9.4.2.72 for more details on Network Authentication Type.
    option iw_network_auth_type '00'

    # Operator-friendly name for Hotspot 2.0. (Can be anything you'd like as long as it is prefixed with your lang code.)
    option hs20_oper_friendly_name 'eng:Orion'

    # List of venue names associated with the Passpoint network, specifying language code and venue information.
    # (Can be anything you'd like as long as it is prefixed with your lang code.)
    list iw_venue_name 'eng:Orion'

    # List of venue URLs associated with the Passpoint network, specifying language code and URL.
    # (Can be any https url. Will pop up as a notification on devices that connect.)
    list iw_venue_url '1:https://orionwifi.com'

    # List of operator icons, specifying width, height, language code, image format, and icon filename.
    # (This doesn't need to be a valid path but must be specified on OpenWRT)
    list operator_icon '64:64:eng:image/png:operator_icon:operator_icon.png'

    # ProxyARP and 80211k are not supported on all devices, remove if you have issues.
    option proxy_arp '1'
    option ieee80211k '1'

    # Comment out what you don't need and uncomment/modify what you do.

    # AT&T / Orion 3gpp
    list iw_anqp_3gpp_cell_net '310,150'
    list iw_anqp_3gpp_cell_net '310,280'
    list iw_anqp_3gpp_cell_net '310,410'
    list iw_anqp_3gpp_cell_net '313,100'

    # T-Mobile 3gpp
    # list iw_anqp_3gpp_cell_net '310,240'
    # list iw_anqp_3gpp_cell_net '310,260'
    # list iw_anqp_3gpp_cell_net '310,310'

    # Orion Domain Names
    list iw_domain_name 'orion.area120.com'
    list iw_domain_name 'orionwifi.com'
    list iw_domain_name 'dogwood120.net'
    list iw_domain_name 'openroaming.goog'
    list iw_domain_name 'wifi.fi.google.com'

    # AT&T Domain Names
    #list iw_domain_name 'attwifi.com'
    #list iw_domain_name 'att.com'
    #list iw_domain_name 'attwireless.com'

    # T-Mobile Domain Names
    #list iw_domain_name 't-mobile.com'

    # OpenRoaming / IronWiFi Domain Names
    #list iw_domain_name 'ironwifi.net'
    #list iw_domain_name 'openroaming.org'
    #list iw_domain_name 'apple.openroaming.net'
    #list iw_domain_name 'google.openroaming.net'
    #list iw_domain_name 'ciscooneid.openroaming.net'

    # Anything more than 3 OUIs and the information won't be available until the client performs a GAS Request.

    # Orion / AT&T / OpenRoaming Default Consortium
    list iw_roaming_consortium 'f4f5e8f5f4'

    # OpenRoaming Consortium
    # Baseline Participation: OpenRoaming for All Identities, settlement-free, no personal data requested, baseline QoS - includes, but is not limited to users in education and research
    #list iw_roaming_consortium '5a03ba0000'
    # Education-Only Participation: OpenRoaming Visited Network Providers who want to signal that they specifically welcome educational and research (i.e. eduroam) visitors settlement-free,
    #list iw_roaming_consortium '5a03ba0800'

    # IronWiFi Consortium
    #list iw_roaming_consortium 'AA146B0000'
    #list iw_roaming_consortium 'BAA2D00000'
    #list iw_roaming_consortium '5A03BA0000'

    # Cisco OpenRoaming and Samsung OneUI Onboarding
    #list iw_roaming_consortium '004096'

    # EDURoam Consortium
    #list iw_roaming_consortium '001BC50460'

    # Orion NAI Realm
    list iw_nai_realm '0,*.orion.area120.com,13[5:6],21[2:4][5:7],23[5:1][5:2],50[5:1][5:2],18[5:1][5:2]'

    # AT&T NAI Realm
    #list iw_nai_realm '0,*wlan.mnc410.mcc310.3gppnetwork.org,13[5:6],21[2:4][5:7],23[5:1][5:2],50[5:1][5:2],18[5:1][5:2]'

    # T-Mobile NAI Realm
    #list iw_nai_realm '0,*wlan.mnc260.mcc310.3gppnetwork.org,13[5:6],21[2:4][5:7],23[5:1][5:2],50[5:1][5:2],18[5:1][5:2]'

    # IronWiFi Realm
    #list iw_nai_realm '0,ironwifi,13[5:6],21[2:4][5:7]'

    # Don't Touch
    # Some options are repeated for legacy support

    # ANQP (Access Network Query Protocol) Domain ID, used to uniquely identify the Passpoint domain.
    option anqp_domain_id '0'
    # Enable BSS (Basic Service Set) transition support for efficient handovers between APs.
    option bss_transition '1'
    # Disable Directed Group Address Forwarding (DGAF) support.
    option disable_dgaf '1'
    # Set disabled to '0' to enable the interface.
    option disabled '0'
    # Identify the AP as a guest access point.
    option guest '1'
    # Enable Hotspot 2.0 support in Passpoint.
    option hotspot20 '1'
    # Enable Hotspot 2.0 (HS2) support in Passpoint.
    option hs20 '1'
    # Set the deauthentication request timeout for Hotspot 2.0.
    option hs20_deauth_req_timeout '60'
    # Enable internet access for the Passpoint network.
    option internet '1'
    # Isolate clients on the Passpoint network for enhanced security.
    option isolate '1'
    # Enable or disable ASRA (Additional Step Required for Access).
    option iw_asra '0'
    # Disable Directed Group Address Forwarding (DGAF) for Passpoint.
    option iw_disable_dgaf '1'
    # Enable Passpoint functionality.
    option iw_enabled '1'
    # Enable or disable Emergency Services Reachability (ESR) for Passpoint.
    option iw_esr '0'
    # Enable internet access for Passpoint.
    option iw_internet '1'
    # Enable interworking with external networks for Passpoint.
    option iw_interworking '1'
    # Disable UESA (Unauthenticated Emergency Service Accessible)
    option iw_uesa '0'
    # Set the mode to 'ap', indicating that the wireless interface is operating in Access Point mode.
    option mode 'ap'
    # Request the Chargeable-User-Identity (CUI) attribute from the RADIUS server.
    # This is mandatory for Google Orion.
    option request_cui '1'
    # Enable the WNM (Wireless Network Management) Sleep Mode Transition with No Keys option.
    # This option allows the device to perform sleep mode transitions without exchanging keys, improving efficiency.
    option wnm_sleep_mode_no_keys '1'
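To review which EAP methods and credential types an iw_nai_realm line advertises before mirroring it across radios, the sketch below decodes the value; it is an added example, not code from this guide or from OpenWrt. It assumes hostapd's nai_realm layout (encoding, realm, then EAP methods with [param:value] pairs), the function names are hypothetical, and the lookup tables cover only the codes used in the config above.

```shell
#!/bin/sh
# Added example (not from the original guide): decode an iw_nai_realm value.
# EAP type numbers are the IANA ones; auth parameter ID 2 is the non-EAP
# inner method and ID 5 the credential type, as in hostapd's nai_realm format.

eap_name() {
    case $1 in
        13) echo EAP-TLS ;;  18) echo EAP-SIM ;;  21) echo EAP-TTLS ;;
        23) echo EAP-AKA ;;  50) echo "EAP-AKA'" ;;
        *)  echo "EAP-type-$1" ;;
    esac
}

auth_param() {                      # argument: "<param id>:<value>"
    case $1 in
        2:1) echo inner=PAP ;;      2:2) echo inner=CHAP ;;
        2:3) echo inner=MSCHAP ;;   2:4) echo inner=MSCHAPV2 ;;
        5:1) echo cred=SIM ;;       5:2) echo cred=USIM ;;
        5:6) echo cred=certificate ;;
        5:7) echo cred=username/password ;;
        *)   echo "param=$1" ;;
    esac
}

# Print one line per advertised EAP method: "<realm> <method> <params...>".
decode_nai_realm() {
    rest=${1#*,}                    # drop the encoding field
    realm=${rest%%,*}
    case $rest in *,*) rest=${rest#*,} ;; *) return 0 ;; esac
    old_ifs=$IFS; IFS=,
    set -f                          # "13[5:6]" must not be treated as a glob
    set -- $rest                    # split the method list on commas
    set +f; IFS=$old_ifs
    for m in "$@"; do
        line="$realm $(eap_name "${m%%[[]*}")"
        # "[2:4][5:7]" -> "2:4 5:7"
        for p in $(printf '%s\n' "$m" | sed 's/^[^[]*//; s/\]\[/ /g; s/[][]//g'); do
            line="$line $(auth_param "$p")"
        done
        printf '%s\n' "$line"
    done
}

# Value copied from the Orion NAI realm line in the config above.
decode_nai_realm '0,*.orion.area120.com,13[5:6],21[2:4][5:7],23[5:1][5:2],50[5:1][5:2],18[5:1][5:2]'
```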
Afterwards we need to run two commands:
Fixing 3GPP Bug for Hotspot 2.0 Support on OpenWRT
OpenWRT doesn’t configure hostapd directly. It uses a script at /lib/netifd/hostapd.sh to convert your config at /etc/config/wireless to the appropriate hostapd config. On some distros of OpenWRT there is a bug that prevents 3GPP configurations. Run the following command on your device to resolve it:
sed -i '/append_iw_anqp_3gpp_cell_net() {/,/}/c\
append_iw_anqp_3gpp_cell_net() {\
    if [ -z "$iw_anqp_3gpp_cell_net_conf" ]; then\
        iw_anqp_3gpp_cell_net_conf="$1";\
    else\
        iw_anqp_3gpp_cell_net_conf="$iw_anqp_3gpp_cell_net_conf;$1";\
    fi\
}' /lib/netifd/hostapd.sh
Just one character is the issue. The script above is fine to run on all devices. It won’t make any changes if the bug isn’t there.
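A more conservative way to apply and confirm this fix, as an added example that is not from the original guide or from OpenWrt: it reports which separator the function uses, keeps a backup, changes only that one character, and checks that a resulting anqp_3gpp_cell_net line has hostapd's MCC,MNC;MCC,MNC form. The function names and the sample file (including its ":" separator) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. File content is constructed.

# Print the character joining the existing list and "$1" inside
# append_iw_anqp_3gpp_cell_net() of a hostapd.sh-style file.
cell_net_separator() {
    sed -n '/append_iw_anqp_3gpp_cell_net() {/,/}/{
        s/.*="\$iw_anqp_3gpp_cell_net_conf\(.\)\$1".*/\1/p
    }' "$1"
}

# Keep a .bak copy, then change only that one character to ";".
# Returns 0 when the separator is ";" afterwards (or already was).
fix_cell_net_separator() {
    [ "$(cell_net_separator "$1")" = ";" ] && return 0
    cp -p "$1" "$1.bak" || return 1
    sed -i '/append_iw_anqp_3gpp_cell_net() {/,/}/ s/\(="\$iw_anqp_3gpp_cell_net_conf\).\(\$1"\)/\1;\2/' "$1"
    [ "$(cell_net_separator "$1")" = ";" ]
}

# Accept only "MCC,MNC" pairs joined by ";" on a generated hostapd line.
valid_cell_net_line() {
    printf '%s\n' "$1" |
        grep -Eq '^anqp_3gpp_cell_net=[0-9]{3},[0-9]{2,3}(;[0-9]{3},[0-9]{2,3})*$'
}

# Constructed stand-in for /lib/netifd/hostapd.sh. The ":" separator is an
# assumption for illustration; the guide does not name the wrong character.
make_sample() {
    cat > "$1" <<'EOF'
append_iw_anqp_3gpp_cell_net() {
    if [ -z "$iw_anqp_3gpp_cell_net_conf" ]; then
        iw_anqp_3gpp_cell_net_conf="$1"
    else
        iw_anqp_3gpp_cell_net_conf="$iw_anqp_3gpp_cell_net_conf:$1"
    fi
}
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    make_sample "$tmp"
    echo "before: $(cell_net_separator "$tmp")"
    fix_cell_net_separator "$tmp" && echo "after:  $(cell_net_separator "$tmp")"
    rm -f "$tmp" "$tmp.bak"
}
demo
```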
Testing Hotspot 2.0 Functionality on OpenWRT
After configuring your interface and performing the 3gpp fix, you’ll run the following command to reload your wireless config:
wifi
Then verify that the interface becomes available:
iwinfo
Example:
phy0-ap0  ESSID: "OrionWiFi"
          Access Point: XX:XX:XX:XX:XX:XX
          Mode: Master  Channel: 6 (2.437 GHz)  HT Mode: HE20
          Center Channel 1: 6 2: unknown
          Tx-Power: 30 dBm  Link Quality: unknown/70
          Signal: unknown  Noise: -91 dBm
          Bit Rate: unknown
          Encryption: WPA2 802.1X (CCMP)
          Type: nl80211  HW Mode(s): 802.11ax/b/g/n
          Hardware: embedded [MediaTek MT7986]
          TX power offset: none
          Frequency offset: none
          Supports VAPs: yes  PHY name: phy0

phy1-ap0  ESSID: "OrionWiFi"
          Access Point: XX:XX:XX:XX:XX:XX
          Mode: Master  Channel: 153 (5.765 GHz)  HT Mode: HE80
          Center Channel 1: 155 2: unknown
          Tx-Power: 30 dBm  Link Quality: 54/70
          Signal: -56 dBm  Noise: -92 dBm
          Bit Rate: 689.1 MBit/s
          Encryption: WPA2 802.1X (CCMP)
          Type: nl80211  HW Mode(s): 802.11ac/ax/n
          Hardware: embedded [MediaTek MT7986]
          TX power offset: none
          Frequency offset: none
          Supports VAPs: yes  PHY name: phy1
Verifying Hotspot 2.0 Client Capability on Windows
To see whether Passpoint is supported by your Wi-Fi device on Windows 10/11, verify if “ANQP Service Information Discovery” is “Supported”, using the following command:
netsh wlan show wirelesscapabilities
To read more about the technical details on how to configure hotspot 2.0 on openwrt devices, click here.