@kitswas
Last active March 7, 2026 20:05
Wifi Router Setup IIITH

This document provides a guide for setting up a router in your room at the International Institute of Information Technology, Hyderabad (IIITH).

Warning

All usage from the router will be attributed to the account used. Share your password with caution.

You can either get a router that works out of the box (don't ask me for names; look for enterprise routers that support 802.1X auth), or flash a router with OpenWrt.

Flashing OpenWrt

Caution

This will void your warranty. You also cannot return the router after you do this.
If you make mistakes, you will brick your router.
By proceeding, you agree that any problems that occur are solely your responsibility.

This is a long, complicated process that demands time (hours, or even a couple of days, depending on your skills), patience and an understanding of Linux fundamentals. (So, don't expect others to do it for you.)

Important

Follow the steps carefully. Mistakes might require you to restart the process.

Here's what you have to do:

  1. Choose a supported router model from the OpenWrt Table of Hardware and buy it. (No, if the router you have is not supported by OpenWrt, it cannot be used.)

  2. Install OpenWrt. Refer to the quick start guide. Search for YouTube videos for your router.

  3. Download and flash an OpenWrt Sysupgrade image with modified packages. Visit https://firmware-selector.openwrt.org/, enter your router model, click on Customize installed packages and replace wpad-basic-mbedtls or wpad-mini with wpad. Request build and download when done. Go to 192.168.1.1 (OpenWrt config panel) -> System -> Firmware -> Flash the Sysupgrade image.
    The other option is to change the packages inside the router with opkg (similar to apt), but it'll be messy because the router won't have internet access yet.

Note

We are intentionally flashing twice.
The online image builder only produces a Sysupgrade image for some routers. If the image builder produces a recovery image for your router, you can flash the customized image directly.

  4. Follow the configuration steps below.

Config

This builds on:

  1. https://enjoykhg.blogspot.com/2017/12/how-to-configure-openwrt-router-8021x.html?m=1
  2. https://self-help.iiit.ac.in/wiki/index.php/Configure_802.1X_Client_Auth_Mechanism_for_Routers

Find and replace words starting with <YOUR in the following sections.

SSH into the router. (Connect via ethernet cable. Wifi is disabled by default. Internet will be unavailable.)
Replace 192.168.1.1 with your router's actual IP.

ssh -oHostKeyAlgorithms=+ssh-rsa root@192.168.1.1

Tip

Press i to enter edit mode in Vim. Press ESC followed by :q to exit. (or :wq to save and exit)

vim /etc/config/wpa.conf

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
ap_scan=0
network={
  key_mgmt=IEEE8021X
  eap=PEAP
  identity="<YOUR_EMAIL>@students.iiit.ac.in"
  password="<YOUR_802.1x_PASSWORD>"
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
}

If you don't remember your 802.1X password, reset it here.

vim /etc/init.d/wpa

Update the date shown below. Also, change eth0.2 to your actual WAN port interface.
Remember, the WAN port on your router must be connected to the ethernet port in your room.

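#!/bin/sh /etc/rc.common
# rc.common provides the enable/start/stop commands for OpenWrt init scripts

START=99
start() {
  echo start
  # Set the clock manually; update this to the current date
  date --set="2025-04-04 00:00:00"
  # 802.1X on the wired WAN interface, daemonized (-B)
  wpa_supplicant -D wired -i eth0.2 -c /etc/config/wpa.conf -B
  # Request a DHCP lease; go to the background if none arrives at once (-b)
  udhcpc -i eth0.2 -b
}

Make the script executable, then enable and start it:

chmod a+x /etc/init.d/wpa
/etc/init.d/wpa enable
/etc/init.d/wpa start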

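Edit the file /etc/config/dhcp and change

option rebind_protection '1'

to

option rebind_protection '0'

This turns off dnsmasq's DNS rebind protection, which otherwise discards upstream DNS answers that point to private addresses such as the campus 10.x range.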

UCI-defaults

vim /etc/uci-defaults/98_default-wlan.sh

#!/bin/sh

# wireless settings
uci set wireless.@wifi-iface[0].ssid='<YOUR_WIFI_NETWORK_NAME>'
uci set wireless.@wifi-iface[0].encryption='psk2'
uci set wireless.@wifi-iface[0].key='<YOUR_WIFI_NETWORK_PASSWORD>'
uci set wireless.@wifi-device[0].country='IN'
uci set wireless.@wifi-device[0].channel='auto'
uci set wireless.@wifi-device[0].disabled='0'
uci commit wireless

wifi reload
exit 0

vim /etc/uci-defaults/97_default-time.sh

#!/bin/sh

# time and date settings
uci set system.@system[0].timezone='IST-5:30'
uci set system.@system[0].zonename='Asia/Kolkata'
uci set system.ntp.enabled='1'
uci set system.ntp.enable_server='0'

uci del system.ntp.server
uci add_list system.ntp.server='time.iiit.ac.in'
uci add_list system.ntp.server='in.pool.ntp.org'
uci add_list system.ntp.server='time.nist.gov'

uci commit system

chmod +x /etc/init.d/sysntpd
/etc/init.d/sysntpd restart

exit 0

vim /etc/uci-defaults/95_default-auth.sh

#!/bin/sh

# dnsmasq settings (rebind_protection lives in the dnsmasq section of /etc/config/dhcp)
uci set dhcp.@dnsmasq[0].rebind_protection='0'
uci commit dhcp

chmod +x /etc/init.d/wpa
/etc/init.d/wpa enable
/etc/init.d/wpa start

ntpd -dddnqg -p 10.4.20.38 # time.iiit.ac.in (Verify, has been known to change)

exit 0

Save and restart your router. Wait for a few minutes. Light an incense or something.
Then try to connect to the wifi from your phone or laptop.
If Murphy doesn't visit, you should see the Wifi network you worked so hard to set up.

Congratulations! 🎉
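A pre-reboot check for the files configured above, as an added example that is not part of the original gist: it flags a credentials file readable by other users, placeholders starting with <YOUR that were never replaced, and Wi-Fi interfaces left open or given a short key. The function names and the 12-character minimum key length are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the gist): audit the files this guide edits.

# "ok" when group/other have no access to the credentials file, else "exposed".
# Parses ls -l because BusyBox on OpenWrt ships without stat(1) by default.
cred_file_mode() {
    if [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; then echo ok; else echo exposed; fi
}

# List lines that still contain an unfilled <YOUR_...> placeholder.
leftover_placeholders() {
    grep -n '<YOUR' "$@" /dev/null
}

# For each wifi-iface in a UCI wireless file, report open networks and short keys.
# $2 = minimum key length (assumed default 12; WPA2-PSK itself only requires 8).
weak_wifi_ifaces() {
    awk -v min="${2:-12}" -v q="'" '
        function unq(s) { gsub("[\"" q "]", "", s); return s }
        function report() {
            if (!iface) return
            if (enc == "" || enc == "none") print name ": no encryption"
            else if (length(key) < min) print name ": key shorter than " min
        }
        $1 == "config" {
            report(); iface = ($2 == "wifi-iface")
            name = (NF >= 3) ? unq($3) : "(unnamed)"; enc = ""; key = ""
        }
        $1 == "option" && $2 == "encryption" { enc = unq($3) }
        $1 == "option" && $2 == "key" {
            key = $0; sub(/^[ \t]*option[ \t]+key[ \t]+/, "", key); key = unq(key)
        }
        END { report() }
    ' "$1"
}

# Run all three checks; returns non-zero if anything needs fixing.
audit() {
    conf=${1:-/etc/config/wpa.conf}; wifi=${2:-/etc/config/wireless}; rc=0
    [ "$(cred_file_mode "$conf")" = ok ] || { echo "$conf: run chmod 600"; rc=1; }
    leftover_placeholders "$conf" "$wifi" && rc=1
    out=$(weak_wifi_ifaces "$wifi"); [ -z "$out" ] || { echo "$out"; rc=1; }
    return $rc
}

# On the router itself, run the audit against the guide's default paths.
if [ -f /etc/config/wpa.conf ]; then audit; fi
```

Copy it to the router and run it with sh after the uci-defaults scripts have been applied; no output and exit status 0 mean nothing was flagged.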

RishabhSahuIIIT commented Mar 7, 2026


Here is a new guide with organized instructions to set up IIIT LAN on an OpenWrt router. This should help with problems related to the router needing to be reconfigured after power cuts and lost connections. I generated this with the help of the above guide, the college LAN connection guide available on the intranet, some other online sources and mostly by prompting Claude AI to check configurations and fix errors. I used these instructions to configure my ASUS router, and it worked quite well.

OpenWrt Router Setup for IIIT Hyderabad Campus Network

This guide configures an OpenWrt router to authenticate to the IIIT Hyderabad campus network using 802.1X PEAP/MSCHAPv2 authentication and enables dual-band WiFi (2.4GHz + 5GHz). (Not all configurations and packages mentioned here may be required in your case, but if you face problems then following these steps should definitely help.) After SSH into the router, all commands are mostly to be executed in the router.

Check if your router supports PEAP and running scripts (then it may work without OpenWrt). Else:
Buy an OpenWrt-compatible router. Supported routers are listed at: https://toh.openwrt.org/?view=normal
Flash OpenWrt from their site onto the router by following their instructions.
After flashing, log in to the router interface and go to router settings.
Change LAN interface settings to allow connecting to the internet using a LAN-connected laptop as the internet source.
Connect the laptop to mobile or other available WiFi.
Install required packages on the router (through the internet connection you shared to the laptop); wpad and openssl are two such packages required.

Prerequisites

  • OpenWrt router with wpad (or wpad-openssl) package installed
  • Campus network credentials (802.1X password from passwordreset.iiit.ac.in)
  • Router WAN port connected to campus LAN port
  • SSH access to router

Part 1: Campus Network Authentication Setup

Step 1: Verify Required Packages

SSH into your router

ssh <USERNAME>@<ROUTER_IP>
# usually username is root, router ip is 192.168.1.1
# it will ask for the password in next step if password was setup

and check if required packages are installed:

opkg list-installed | grep wpad
opkg list-installed | grep openssl

You should see:

  • wpad or wpad-openssl (for 802.1X support)
  • libopenssl3 (for PEAP encryption)

If wpad-mini is installed instead, upgrade it:

opkg update
opkg remove wpad-mini
opkg install wpad-openssl

Step 2: Create WPA Supplicant Configuration

Create the 802.1X authentication configuration file (use nano or vi or vim):

nano /etc/config/wpa.conf

Add the following content (replace with your credentials):

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
ap_scan=0
network={
       key_mgmt=IEEE8021X
       eap=PEAP
       identity="your.email@students.iiit.ac.in"
       password="your-802.1x-password"
       phase1="peaplabel=0"
       phase2="auth=MSCHAPV2"
}

Important: Use your complete email address and the 802.1X password (NOT your regular LDAP password).

Set proper permissions:

chmod 600 /etc/config/wpa.conf

Step 3: Test Authentication Manually

Before making it permanent, test if authentication works:

# Run wpa_supplicant manually with debug output
wpa_supplicant -D wired -i wan -c /etc/config/wpa.conf -d

Look for these success messages:

  • EAP-MSCHAPV2: Authentication succeeded
  • CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
  • CTRL-EVENT-CONNECTED

Press Ctrl+C to stop the test.

If successful, manually request DHCP:

udhcpc -i wan

Test connectivity:

ping -c 4 8.8.8.8
ping -c 4 google.com

Step 4: Configure Network Interfaces

Edit network configuration (use nano or vi or vim):

nano /etc/config/network

WAN interface (should already be correct):

config interface 'wan'
       option device 'wan'
       option proto 'dhcp'

LAN interface (router as gateway):

config interface 'lan'
       option device 'br-lan'
       option proto 'static'
       option ipaddr '192.168.1.1'
       option netmask '255.255.255.0'
       option ip6assign '60'

Step 5: Verify Firewall Configuration

Check firewall settings:

cat /etc/config/firewall | grep -A 3 "config forwarding"

Ensure you have LAN to WAN forwarding:

config forwarding
       option src              lan
       option dest             wan

This should already exist in default OpenWrt configuration.

Step 6: Create Auto-Start Script

Create the boot script that runs authentication and DHCP renewal:

nano /etc/rc.local

Replace entire file with:

#!/bin/sh
# Put your custom commands here that should be executed once 
# the system init finished. By default this file does nothing.

# Start 802.1X authentication for WAN
/usr/sbin/wpa_supplicant -D wired -i wan -c /etc/config/wpa.conf -B

# Wait for authentication to complete
sleep 15

# Renew DHCP to get correct IP after authentication
udhcpc -i wan

exit 0

Make it executable:

chmod +x /etc/rc.local

Step 7: Test Complete Boot Sequence

Reboot the router to test automatic configuration:

reboot

Wait 60 seconds for boot to complete.

Step 8: Verify After Reboot

SSH back into the router (now at 192.168.1.1):

ssh root@192.168.1.1

Check authentication succeeded:

logread | grep "EAP-SUCCESS"

Check WAN interface has campus IP (10.x.x.x range):

ip addr show wan
ip route show

Test internet connectivity:

ping -c 4 8.8.8.8
ping -c 4 google.com

Part 2: Dual-Band WiFi Setup (2.4GHz + 5GHz)

Step 9: Configure Wireless for Both Bands

Edit the wireless configuration:

nano /etc/config/wireless

Fix any typos (e.g., option counry should be option country).

Configure both radios - your file should look like this:

# 2.4GHz Radio Configuration
config wifi-device 'radio0'
       option type 'mac80211'
       option path 'platform/...'
       option band '2g'
       option channel 'auto'
       option htmode 'HE20'
       option country 'IN'
       option disabled '0'

# 2.4GHz WiFi Network
config wifi-iface 'default_radio0'
       option device 'radio0'
       option network 'lan'
       option mode 'ap'
       option ssid 'YourNetworkName'
       option encryption 'psk2'
       option key 'YourWiFiPassword'
       option disabled '0'

# 5GHz Radio Configuration
config wifi-device 'radio1'
       option type 'mac80211'
       option path 'platform/...'
       option band '5g'
       option channel '36'
       option htmode 'HE80'
       option country 'IN'
       option disabled '0'

# 5GHz WiFi Network
config wifi-iface 'default_radio1'
       option device 'radio1'
       option network 'lan'
       option mode 'ap'
       option ssid 'YourNetworkName_5G'
       option encryption 'psk2'
       option key 'YourWiFiPassword'
       option disabled '0'

Important Settings:

  • option country 'IN' - Required for India (sets legal channels and power limits)
  • option disabled '0' - Enables the radio (must be 0, not 1)
  • option htmode - HE20 for 2.4GHz, HE80 for 5GHz (WiFi 6 standards)
  • option channel - 'auto' for 2.4GHz, '36' or '40' for 5GHz recommended

For Band Steering (same SSID on both bands, devices auto-select):

Use the SAME option ssid for both radios:

config wifi-iface 'default_radio0'
       option ssid 'MyNetwork'

config wifi-iface 'default_radio1'
       option ssid 'MyNetwork'

For Separate SSIDs (recommended for troubleshooting):

Use DIFFERENT option ssid for each:

config wifi-iface 'default_radio0'
       option ssid 'MyNetwork_2.4G'

config wifi-iface 'default_radio1'
       option ssid 'MyNetwork_5G'

Step 10: Apply WiFi Configuration

Reload WiFi settings:

wifi reload

Or restart network completely:

/etc/init.d/network restart

Step 11: Verify Both WiFi Bands Are Active

Check WiFi status:

wifi status

You should see both radio0 and radio1 with "up": true.

Check active interfaces:

iw dev

You should see:

  • phy0-ap0 (2.4GHz interface)
  • phy1-ap0 (5GHz interface)

Get detailed info for each band:

iw dev phy0-ap0 info
iw dev phy1-ap0 info

Check channels and frequencies:

iw dev phy0-ap0 info | grep -E "channel|ssid"
iw dev phy1-ap0 info | grep -E "channel|ssid"

Step 12: Verify From Client Devices

From your laptop or phone WiFi settings, you should see:

  • YourNetworkName or YourNetworkName_2.4G (2.4GHz band)
  • YourNetworkName_5G (5GHz band)

Connect to each network and verify:

  • You get an IP address (192.168.1.x range)
  • Internet connectivity works

Verification Checklist

After complete setup, verify:

Campus Network Authentication:

  • wpa_supplicant process running on WAN: ps | grep "wpa.*wan"
  • WAN has campus IP address: ip addr show wan
  • Default route through WAN gateway: ip route show
  • Can reach internet: ping -c 4 8.8.8.8
  • DNS resolution works: ping -c 4 google.com

WiFi Configuration:

  • Both radios show as up: wifi status
  • Both WiFi interfaces visible: iw dev
  • 2.4GHz network broadcasting: Check with phone/laptop
  • 5GHz network broadcasting: Check with phone/laptop
  • Devices can connect to both bands
  • Internet works through both WiFi bands
  • Both WiFi LEDs on router are active

Troubleshooting

Authentication fails

  • Verify credentials in /etc/config/wpa.conf
  • Check if you're using 802.1X password (not LDAP password)
  • Test manually: wpa_supplicant -D wired -i wan -c /etc/config/wpa.conf -d

Authentication succeeds but no internet

  • Manually renew DHCP: udhcpc -i wan
  • Check routing: ip route show
  • Verify firewall allows forwarding: cat /etc/config/firewall | grep forwarding

Wrong IP address after boot

  • The old DHCP lease might still be cached
  • Increase sleep time in /etc/rc.local from 15 to 30 seconds
  • Manually trigger renewal: udhcpc -i wan

5GHz WiFi not broadcasting

  • Check if radio1 is enabled: wifi status
  • Verify option disabled '0' in /etc/config/wireless for both radio1 and default_radio1
  • Ensure wifi-iface section exists for radio1
  • Check for typos: option country not option counry
  • Reload WiFi: wifi reload

WiFi interface names (wlan0/wlan1 vs phy0-ap0/phy1-ap0)

  • Modern OpenWrt uses phy0-ap0 and phy1-ap0 interface naming
  • Use: iw dev phy0-ap0 info (not wlan0)
  • Use: iw dev phy1-ap0 info (not wlan1)

Can't connect to 5GHz network

  • Ensure your device supports 5GHz WiFi
  • Try manual channel selection (36, 40, 44, or 48) instead of 'auto'
  • Verify option country 'IN' is set correctly
  • Check channel width: HE80 or VHT80 for best compatibility

Network Topology

Internet
↑
Campus Network Gateway (10.x.x.1)
↑
| 802.1X PEAP Authentication
|
Router WAN (10.x.x.x) ← authenticated
|
Router LAN (192.168.1.1)
|
├─→ WiFi 2.4GHz (phy0-ap0)
├─→ WiFi 5GHz (phy1-ap0)
└─→ LAN Ports (Ethernet)
|
↓
Your Devices (192.168.1.x)

Key Configuration Files

  • Authentication config: /etc/config/wpa.conf
  • Boot script: /etc/rc.local
  • Network config: /etc/config/network
  • Wireless config: /etc/config/wireless
  • Firewall config: /etc/config/firewall

WiFi Best Practices

Channel Selection:

  • 2.4GHz: Use channels 1, 6, or 11 (non-overlapping)
  • 5GHz: Use channels 36, 40, 44, 48 (best compatibility) or 149, 153, 157, 161 (less congested)

Security:

  • Always use WPA2-PSK (psk2) or WPA3 encryption
  • Use strong passwords (12+ characters)
  • Avoid using 'none' encryption on any network

Performance:

  • 5GHz offers faster speeds but shorter range
  • 2.4GHz offers better range but slower speeds
  • Use band steering (same SSID) for automatic selection
  • Or use separate SSIDs to manually choose the best band

Security Notes

  • Keep /etc/config/wpa.conf secure (contains credentials)
  • Use strong WiFi passwords for both bands
  • Regular password rotation recommended
  • Consider using wpad-openssl for better PEAP compatibility
  • Set option country 'IN' correctly for legal compliance

Backup Configuration

To backup your working configuration:

# Backup critical files
tar -czf openwrt-campus-config-backup.tar.gz \
  /etc/config/wpa.conf \
  /etc/rc.local \
  /etc/config/network \
  /etc/config/wireless \
  /etc/config/firewall

Transfer backup to your laptop:

# On router
scp openwrt-campus-config-backup.tar.gz user@laptop-ip:/path/to/backup/

Useful Commands Reference

WiFi Management

wifi status # Check WiFi status
wifi reload # Reload WiFi configuration
wifi up # Enable all WiFi
wifi down # Disable all WiFi
iw dev # List wireless interfaces
iw dev phy0-ap0 info # 2.4GHz interface details
iw dev phy1-ap0 info # 5GHz interface details

Network Management

ip addr show wan # Check WAN IP address
ip route show # Check routing table
udhcpc -i wan # Renew DHCP lease

Authentication

ps | grep wpa_supplicant # Check authentication process
logread | grep "EAP-SUCCESS" # Check authentication logs

Configuration

nano /etc/config/wireless # Edit WiFi config
nano /etc/config/network # Edit network config
nano /etc/rc.local # Edit boot script

Credits

Configuration based on IIIT Hyderabad network requirements and OpenWrt documentation.
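Added example, not part of the comment above: instead of the fixed sleep in Step 6, this script reads wpa_supplicant's event lines and reports whether the most recent EAP exchange succeeded, failed or is still pending. It assumes those lines reach logread, as Step 8 does; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the 802.1X outcome from wpa_supplicant event lines.

# Constructed sample: an earlier success, then a re-authentication that fails.
# A plain grep for "EAP-SUCCESS" would still match this log.
sample_log() {
    cat <<'EOF'
wpa_supplicant[1203]: wan: CTRL-EVENT-EAP-STARTED EAP authentication started
wpa_supplicant[1203]: wan: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wpa_supplicant[1203]: wan: CTRL-EVENT-CONNECTED
wpa_supplicant[1203]: wan: CTRL-EVENT-EAP-STARTED EAP authentication started
wpa_supplicant[1203]: wan: CTRL-EVENT-EAP-FAILURE EAP authentication failed
EOF
}

# Read log text on stdin; print success, failure or pending according to
# the latest EAP event, so stale entries from an earlier session do not count.
eap_state() {
    awk '
        /CTRL-EVENT-EAP-STARTED/ { s = "pending" }
        /CTRL-EVENT-EAP-SUCCESS/ { s = "success" }
        /CTRL-EVENT-EAP-FAILURE/ { s = "failure" }
        END { print (s == "" ? "pending" : s) }
    '
}

# Poll a log command once per second until the exchange settles.
# $1 = timeout in seconds, remaining arguments = command that prints the log.
# Returns 0 on success, 1 on failure, 2 on timeout.
wait_for_eap() {
    limit=$1; shift; waited=0
    while :; do
        case $("$@" | eap_state) in
            success) return 0 ;;
            failure) return 1 ;;
        esac
        [ "$waited" -ge "$limit" ] && return 2
        sleep 1; waited=$((waited + 1))
    done
}

# rc.local-style use, with the interface name and paths from the guide:
#   /usr/sbin/wpa_supplicant -D wired -i wan -c /etc/config/wpa.conf -B
#   wait_for_eap 30 logread && udhcpc -i wan

sample_log | eap_state   # demo on the constructed sample
```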
