This document provides a guide for setting up a router in your room at the International Institute of Information Technology, Hyderabad (IIITH).
Warning
All usage from the router will be attributed to the account used. Share your password with caution.
You can either get a router that works out-of-the-box (don't ask me for names, look for enterprise routers that support 802.1X auth).
Or flash a router with OpenWrt.
Caution
This will void your warranty. You cannot return the router either after you do this.
If you make mistakes, you will brick your router.
By proceeding, you agree that any problems that occur are solely your responsibility.
This is a long, complicated process that demands time (hours, or even a couple of days, depending on your skills), patience and an understanding of Linux fundamentals. (So, don't expect others to do it for you.)
Important
Follow the steps carefully. Mistakes might require you to restart the process.
Here's what you have to do:
- Choose a supported router model from the OpenWrt Table of Hardware and buy it. (No, if the router you have is not supported by OpenWrt, it cannot be used.)
- Install OpenWrt. Refer to the quick start guide. Search for YouTube videos for your router.
- Download and flash an OpenWrt Sysupgrade image with modified packages. Visit https://firmware-selector.openwrt.org/, enter your router model, click on Customize installed packages and replace wpad-basic-mbedtls or wpad-mini with wpad. Request build and download when done. Go to 192.168.1.1 (OpenWrt config panel) -> System -> Firmware -> Flash the Sysupgrade image.
  The other option is to change the packages inside the router with opkg (similar to apt), but it'll be messy because the router won't have internet access yet.
Note
We are intentionally flashing twice.
The online image builder only produces a Sysupgrade image for some routers. If the image builder produces a recovery image for your router, you can flash the customized image directly.
- Follow the following configuration steps.
This builds on:
- https://enjoykhg.blogspot.com/2017/12/how-to-configure-openwrt-router-8021x.html?m=1
- https://self-help.iiit.ac.in/wiki/index.php/Configure_802.1X_Client_Auth_Mechanism_for_Routers
Find and replace words starting with <YOUR in the following sections.
SSH into the router. (Connect via ethernet cable. Wifi is disabled by default. Internet will be unavailable.)
Replace 192.168.1.1 with your router's actual IP.
```
ssh -oHostKeyAlgorithms=+ssh-rsa root@192.168.1.1
```
Tip
Press i to enter edit mode in Vim.
Press ESC followed by :q to exit. (or :wq to save and exit)
```
vim /etc/config/wpa.conf
```
```
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="<YOUR_EMAIL>@students.iiit.ac.in"
    password="<YOUR_802.1x_PASSWORD>"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
```
If you don't remember your 802.1X password, reset it here.
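A check worth running on the file above, as an added example that is not part of the original guide: it flags a config readable by other users, a missing ca_cert or server-name match (without them wpa_supplicant does not validate the authentication server's certificate), and a cleartext password. The function names, finding tags and sample values are constructed for illustration.

```shell
#!/bin/sh
# audit_wpa_conf FILE: print one finding per line for a wired 802.1X
# wpa_supplicant config; prints nothing when every check passes.
audit_wpa_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 0; }

    # The file stores the 802.1X password: group/other need no access.
    # ls + cut is used because BusyBox builds may lack stat(1).
    perms=$(ls -ld "$conf" | cut -c5-10)
    [ "$perms" = "------" ] || echo "PERMS group/other bits '$perms'; run chmod 600"

    # Without ca_cert the supplicant accepts any server certificate, so the
    # MSCHAPv2 exchange can be sent to a server that is not the campus one.
    grep -Eq '^[[:space:]]*ca_cert=' "$conf" ||
        echo "NO_CA_CERT server certificate is not validated"

    # A trusted CA alone still accepts any server that CA issued a cert to.
    grep -Eq '^[[:space:]]*(domain_suffix_match|domain_match|altsubject_match)=' "$conf" ||
        echo "NO_NAME_PIN authentication server name is not pinned"

    # MSCHAPv2 also accepts password=hash:<NtPasswordHash>. The hash is still
    # enough to authenticate, so the permission check above applies either way.
    if grep -Eq '^[[:space:]]*password="' "$conf"; then
        echo "CLEARTEXT_PASSWORD consider the password=hash: form"
    fi
    return 0
}

# Constructed sample: the guide's network block with placeholder values.
write_sample_conf() {
    cat > "$1" <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="user@example.invalid"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}
EOF
    chmod 644 "$1"
}

# Audit the file named on the command line, if one was given.
if [ -n "${1:-}" ]; then
    audit_wpa_conf "$1"
fi
```

Run it on the router as `sh audit.sh /etc/config/wpa.conf` (the script name is an assumption); the CA file and server name needed to clear the two certificate findings have to come from the campus network administrators.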
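```
vim /etc/init.d/wpa
```
Update the date shown below. Also, change eth0.2 to your actual WAN port interface.
Remember, the WAN port on your router must be connected to the ethernet port in your room.
```
#!/bin/sh /etc/rc.common
# rc.common provides the enable/start handling used by the commands below
START=99
start() {
    echo start
    # set the clock before authenticating (update this date)
    date --set="2025-04-04 00:00:00"
    # 802.1X on the wired WAN port, running in the background
    wpa_supplicant -D wired -i eth0.2 -c /etc/config/wpa.conf -B
    # request a DHCP lease on the WAN port
    udhcpc -i eth0.2 -b
}
```
```
chmod a+x /etc/init.d/wpa
/etc/init.d/wpa enable
/etc/init.d/wpa start
```
Edit the file /etc/config/dhcp and replace...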
```
option rebind_protection '1'
```
...to...
```
option rebind_protection '0'
```
```
vim /etc/uci-defaults/98_default-wlan.sh
```
```
#!/bin/sh
# wireless settings
uci set wireless.@wifi-iface[0].ssid='<YOUR_WIFI_NETWORK_NAME>'
uci set wireless.@wifi-iface[0].encryption='psk2'
uci set wireless.@wifi-iface[0].key='<YOUR_WIFI_NETWORK_PASSWORD>'
uci set wireless.@wifi-device[0].country='IN'
uci set wireless.@wifi-device[0].channel='auto'
uci set wireless.@wifi-device[0].disabled='0'
uci commit wireless
wifi reload
exit 0
```
```
vim /etc/uci-defaults/97_default-time.sh
```
```
#!/bin/sh
# time and date settings
uci set system.@system[0].timezone='IST-5:30'
uci set system.@system[0].zonename='Asia/Kolkata'
uci set system.ntp.enabled='1'
uci set system.ntp.enable_server='0'
uci del system.ntp.server
uci add_list system.ntp.server='time.iiit.ac.in'
uci add_list system.ntp.server='in.pool.ntp.org'
uci add_list system.ntp.server='time.nist.gov'
uci commit system
chmod +x /etc/init.d/sysntpd
/etc/init.d/sysntpd restart
exit 0
```
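```
vim /etc/uci-defaults/95_default-auth.sh
```
```
#!/bin/sh
# dnsmasq settings: rebind_protection lives in the dnsmasq section of /etc/config/dhcp
# (0 turns off dnsmasq's filtering of upstream answers that point to private address ranges)
uci set dhcp.@dnsmasq[0].rebind_protection='0'
uci commit dhcp
# enable and start the 802.1X init script
chmod +x /etc/init.d/wpa
/etc/init.d/wpa enable
/etc/init.d/wpa start
ntpd -dddnqg -p 10.4.20.38 # time.iiit.ac.in (Verify, has been known to change)
exit 0
```
Save and restart your router. Wait for a few minutes. Light an incense or something.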
Then try to connect to the wifi from your phone or laptop.
If Murphy doesn't visit, you should see the Wifi network you worked so hard to set up.
Congratulations!
Here is a new guide with organized instructions to set up IIIT LAN on an OpenWrt router. This should help with problems related to the router needing to be reconfigured after power cuts and lost connections. I generated this with the help of the above guide, the college LAN connection guide available on the intranet, some other online sources, and mostly by prompting Claude AI to check configurations and fix errors. I used these instructions to configure my ASUS router, and it worked quite well.
OpenWrt Router Setup for IIIT Hyderabad Campus Network
This guide configures an OpenWrt router to authenticate to the IIIT Hyderabad campus network using 802.1X PEAP/MSCHAPv2 authentication and enables dual-band WiFi (2.4GHz + 5GHz). Not all configurations and packages mentioned here may be required in your case, but if you face problems then following these steps should definitely help. After you SSH into the router, all commands are mostly to be executed on the router.
Check if your router supports PEAP and running scripts (then it may work without OpenWrt). Else:
Buy an OpenWrt-compatible router. Supported routers are listed at: https://toh.openwrt.org/?view=normal
Flash OpenWrt from their site onto the router by following their instructions.
After flashing, log in to the router interface and go to router settings.
Change LAN interface settings to allow connecting to the internet using the LAN-connected laptop as the internet source.
Connect the laptop to mobile or other available WiFi.
Install required packages on the router (through the internet connection you shared to the laptop); wpad and openssl are two such packages required.
Prerequisites
wpad (or wpad-openssl) package installed
Part 1: Campus Network Authentication Setup
Step 1: Verify Required Packages
SSH into your router
and check if required packages are installed:
You should see:
- wpad or wpad-openssl (for 802.1X support)
- libopenssl3 (for PEAP encryption)
If wpad-mini is installed instead, upgrade it:
Step 2: Create WPA Supplicant Configuration
Create the 802.1X authentication configuration file (use nano or vi or vim):
```
nano /etc/config/wpa.conf
```
Add the following content (replace with your credentials):
Important: Use your complete email address and the 802.1X password (NOT your regular LDAP password).
Set proper permissions:
```
chmod 600 /etc/config/wpa.conf
```
Step 3: Test Authentication Manually
Before making it permanent, test if authentication works:
Look for these success messages:
Press Ctrl+C to stop the test.
If successful, manually request DHCP:
```
udhcpc -i wan
```
Test connectivity:
Step 4: Configure Network Interfaces
Edit network configuration (use nano or vi or vim):
```
nano /etc/config/network
```
WAN interface (should already be correct):
LAN interface (router as gateway):
Step 5: Verify Firewall Configuration
Check firewall settings:
```
cat /etc/config/firewall | grep -A 3 "config forwarding"
```
Ensure you have LAN to WAN forwarding:
This should already exist in default OpenWrt configuration.
Step 6: Create Auto-Start Script
Create the boot script that runs authentication and DHCP renewal:
```
nano /etc/rc.local
```
Replace entire file with:
Make it executable:
```
chmod +x /etc/rc.local
```
Step 7: Test Complete Boot Sequence
Reboot the router to test automatic configuration:
```
reboot
```
Wait 60 seconds for boot to complete.
Step 8: Verify After Reboot
SSH back into the router (now at 192.168.1.1):
```
ssh root@192.168.1.1
```
Check authentication succeeded:
```
logread | grep "EAP-SUCCESS"
```
Check WAN interface has campus IP (10.x.x.x range):
Test internet connectivity:
Part 2: Dual-Band WiFi Setup (2.4GHz + 5GHz)
Step 9: Configure Wireless for Both Bands
Edit the wireless configuration:
```
nano /etc/config/wireless
```
Fix any typos (e.g., option counry should be option country).
Configure both radios - your file should look like this:
Important Settings:
- option country 'IN' - Required for India (sets legal channels and power limits)
- option disabled '0' - Enables the radio (must be 0, not 1)
- option htmode - HE20 for 2.4GHz, HE80 for 5GHz (WiFi 6 standards)
- option channel - 'auto' for 2.4GHz, '36' or '40' for 5GHz recommended
For Band Steering (same SSID on both bands, devices auto-select):
Use the SAME option ssid for both radios:
For Separate SSIDs (recommended for troubleshooting):
Use DIFFERENT option ssid for each:
Step 10: Apply WiFi Configuration
Reload WiFi settings:
```
wifi reload
```
Or restart network completely:
```
/etc/init.d/network restart
```
Step 11: Verify Both WiFi Bands Are Active
Check WiFi status:
```
wifi status
```
You should see both radio0 and radio1 with "up": true.
Check active interfaces:
```
iw dev
```
You should see:
Get detailed info for each band:
Check channels and frequencies:
Step 12: Verify From Client Devices
From your laptop or phone WiFi settings, you should see:
- YourNetworkName or YourNetworkName_2.4G (2.4GHz band)
- YourNetworkName_5G (5GHz band)
Connect to each network and verify:
Verification Checklist
After complete setup, verify:
Campus Network Authentication:
WiFi Configuration:
Troubleshooting
Authentication fails
Authentication succeeds but no internet
Wrong IP address after boot
5GHz WiFi not broadcasting
WiFi interface names (wlan0/wlan1 vs phy0-ap0/phy1-ap0)
Can't connect to 5GHz network
Network Topology
```
Internet
    |
Campus Network Gateway (10.x.x.1)
    |
    | 802.1X PEAP Authentication
    |
Router WAN (10.x.x.x) <- authenticated
    |
Router LAN (192.168.1.1)
    |
    +-- WiFi 2.4GHz (phy0-ap0)
    +-- WiFi 5GHz (phy1-ap0)
    +-- LAN Ports (Ethernet)
    |
    v
Your Devices (192.168.1.x)
```
Key Configuration Files
WiFi Best Practices
Channel Selection:
Security:
Performance:
Security Notes
Backup Configuration
To backup your working configuration:
```
# Backup critical files
tar -czf openwrt-campus-config-backup.tar.gz \
  /etc/config/wpa.conf \
  /etc/rc.local \
  /etc/config/network \
  /etc/config/wireless \
  /etc/config/firewall
```
Transfer backup to your laptop:
```
# On router
scp openwrt-campus-config-backup.tar.gz user@laptop-ip:/path/to/backup/
```
Useful Commands Reference
WiFi Management
```
wifi status # Check WiFi status
wifi reload # Reload WiFi configuration
wifi up # Enable all WiFi
wifi down # Disable all WiFi
iw dev # List wireless interfaces
iw dev phy0-ap0 info # 2.4GHz interface details
iw dev phy1-ap0 info # 5GHz interface details
```
Network Management
```
ip addr show wan # Check WAN IP address
ip route show # Check routing table
udhcpc -i wan # Renew DHCP lease
```
Authentication
```
ps | grep wpa_supplicant # Check authentication process
logread | grep "EAP-SUCCESS" # Check authentication logs
```
Configuration
```
nano /etc/config/wireless # Edit WiFi config
nano /etc/config/network # Edit network config
nano /etc/rc.local # Edit boot script
```
Credits
Configuration based on IIIT Hyderabad network requirements and OpenWrt documentation.