OpenWRT: Easy and secure guest WLAN access

I use OpenWRT on my TP-Link TL-WDR3500, and I have a guest WLAN defined on each of the two radios (2.4 and 5 GHz). The guest WLANs are isolated from my LAN, i. e. guest WLAN stations can’t talk to any of my own hosts (either on the WLAN, or in the LAN, i. e. hosts connected via Ethernet). Guest WLAN stations also can’t talk to each other. The actual OpenWRT configuration (apart from passwords, of course ;-)) is not a secret, I will publish an article about that soon.

For security reasons I didn’t want a static guest WLAN password, but one that changes daily, so that I don’t have to manually revoke the right to use my WLAN by changing the password all the time. So I created two tiny scripts, one that actually changes the active WLAN password every day, and one CGI script that displays the password so that I can give it to my guests.

Here’s the first one that sets the password. I run it from cron at 00:01 every day:

 #!/bin/ash
 SALT="theSalt"
 DATE=`date -I`
 PWD=`echo -n "${SALT}${DATE}" | md5sum | cut -c1-16`
 CHANGE=0

 if [ `uci get wireless.@wifi-iface[2].network`x = guestlanx ]; then
   uci set wireless.@wifi-iface[2].key=$PWD
   CHANGE=1
 fi
 if [ `uci get wireless.@wifi-iface[3].network`x = guestlan2x ]; then
   uci set wireless.@wifi-iface[3].key=$PWD
   CHANGE=1
 fi
 if [ $CHANGE -eq 1 ]; then
   uci commit wireless
   wifi
 fi

And here’s the CGI script that needs to go to /www/cgi-bin to show the current password:

#!/bin/ash
SALT="theSalt"
SSID="Guest-WLAN"
DATE=`date -I`
PWD=`echo -n "${SALT}${DATE}" | md5sum | cut -c1-16`

echo "Content-Type: text/plain"
echo ""
echo "Today's Guest Password for $SSID is $PWD"

Don’t forget to make the scripts executable by running “chmod +x <script>“.

If you find this helpful I would appreciate your feedback.