How to secure an open wifi access point
A public access point is public. This means that anybody can connect to it and use it. Thus, «protecting the access point against malicious users» is not a well-defined goal. The access point has no secret data to keep confidential, or a restricted service to offer only to authorized users. It is public.
What you might want is to protect users from each other: you don’t want one user of the public access point to be able to eavesdrop on other users, or alter their data, or even simply disrupting communications. This is a problematic of big sites which really want to provide «free WiFi» for a lot of people but have a recurrent problem of antisocial users.
It turns out that you cannot. The cryptographic elements in the WiFi protocol are meant to:
- Enforce authentication, keeping people out of the connection if the access point is not public, but requires authentication.
- Prevent eavesdropping on the connection of duly connected users from people who are not connected.
However, nothing in the WiFi protocol was designed to prevent two connected users from spying on each other. With a public WiFi, everybody can connect (by definition), so everybody can spy on everybody.
Crippling your access point, e.g. by blocking port 443, won’t bring any security, except in the following sense: if the access point is made unusable because of too strict restrictions, then people won’t use it, and thus the spying issue disappears: there is no attacked user if there is no user at all. But for the remaining users, blocking port 443 just makes their situation worse: not only does it not prevent other users from spying on their traffic, but it also prevents them from defending themselves by using HTTPS browsing when possible.
You seem to be aware that «legal sources» may ask for logs. The legal situation is actually worse (for you):
- By willingly running an open access point, you have become a service provider, so you are bound by all the regulations attached to that state. The ARCEP could give you the relevant information, but be warned that this goes much beyond simple squid logs.
- Your own Internet access was provided to you based on a contract which explicitly forbids sharing beyond «home usage». If you act as a service provider (that’s what you are trying to do), then you are in clear violation of the terms of that contract, and your ISP may lawfully shut your access down.
- If someone uses your access point to then engage in «illegal activities» (e.g. attacking other sites) then you could be considered as accomplice. That’s the point of the ARCEP regulations: registered service providers can claim exemption, in the way that phone companies do not get into legal trouble when criminals plot crime by phoning each other. This exemption is not automatically granted to just any random citizen who plugs a WiFi access point.
Therefore, running your own public access point, just like that, really is a bad idea, however generous the basic principle might seem at first look.
Configure an open Wi-Fi access point
This procedure configures a Wi-Fi access point that does not require a password for client connections.
By default, the AnywhereUSB Plus W device comes with one preconfigured access point, Digi AP . You cannot delete default access points, but you can modify them or you can create your own access points.
Required configuration items
- Enable the Wi-Fi access point
- The Service Set Identifier (SSID) for the access point.
- Configure open security for the access point.
- LAN/bridge assignment. Once you configure a Wi-Fi access point, you must assign the Wi-Fi access point to a LAN interface or to a bridge. See Configure a Local Area Network (LAN) and Configure a bridge for more information.
Additional configuration items
- Determine whether to broadcast the access point’s SSID.
- Determine whether to isolate clients connected to this access point, so that they cannot communicate with each other.
- The amount of time to wait before changing the group key.
To configure a Wi-Fi access point with no security:
- Log into Digi Remote Manager , or log into the local Web UI as a user with full Admin access rights.
- Access the device configuration:
- Locate your device as described in Use Digi Remote Manager to view and manage your device.
- Click the Device ID.
- Click Settings.
- Click to expand Config.
- On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
- To create a new access point, for Add WiFi access point:, type a name for the access point and click .
- To modify an existing access point, click to expand the access point.
The Wi-Fi access point configuration window is displayed.
- Open (Unencrypted) No encryption is used.
- WPA3 Enhanced Open (OWE) Uses Opportunistic Wireless Encryption (OWE) technology to provide encryption for Wi-Fi networks that do not use password protection. Note Only select WPA3 Enhanced Open (OWE) if you know that all Wi-Fi clients connecting to this device will have WPA3 capabilities.
The group key is shared by all in clients of the access point, and after a client has disconnected, it will be able to use the group key to decrypt broadcast packets until the key is changed. Allowed values are any number of days, hours, minutes, or seconds, and take the format number d|h|m|s >. For example, to set Group rekey interval to ten minutes, enter 10m or 600s. Increasing the time between rekeys can improve connectivity issues in noisy environments. To disable group rekeys, set to 0. This will allow any client that has previously connected to see all broadcast traffic on the wireless network until the Wi-Fi radio is restarted. The default is 10 minutes.
Configure a new Access point
- Select the device in Remote Manager and click Actions >Open Console, or log into the AnywhereUSB Plus local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
- At the command line, type config to enter configuration mode:
(config)> add network wifi ap new_AP (config network wifi ap new_AP)>
(config network wifi ap new_AP)> ssid my_SSID (config network wifi ap new_AP)>
(config network wifi ap new_AP)> encryption type value (config network wifi ap new_AP)>
- none: No encryption is used.
- owe: Uses WPA3 Enhanced Open, which uses Opportunistic Wireless Encryption (OWE) technology to provide encryption for Wi-Fi networks that do not use password protection. Note Only select owe if you know that all Wi-Fi clients connecting to this device will have WPA3 capabilities.
(config)> network wifi ap digi_ap isolate_clients true (config)>
The group key is shared by all in clients of the access point, and after a client has disconnected, it will be able to use the group key to decrypt broadcast packets until the key is changed.
(config network wifi ap new_AP)> encryption group_rekey value (config network wifi ap new_AP)>
where value is any number of days, hours, minutes, or seconds, and take s the format number d|h|m|s >. For example, to set group rekey interval to ten minutes, enter either 10m or 600s:
(config network wireless ap new_AP)> encryption group_rekey 600s (config network wireless ap new_AP)>
Increasing the time between rekeys can improve connectivity issues in noisy environments. To disable group rekeys, set to 0. This will allow any client that has previously connected to see all broadcast traffic on the wireless network until the Wi-Fi radio is restarted. The default is 10 minutes.
(config)> save Configuration saved. > Edit an existing Access point
- Select the device in Remote Manager and click Actions >Open Console, or log into the AnywhereUSB Plus local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
- At the command line, type config to enter configuration mode:
(config)> network wifi ap ? Additional Configuration ------------------------------------------------------------------------------- digi_ap Digi AP (config)>
(config)> network wifi ap digi_ap ssid my_SSID (config)>
(config)> network wifi ap digi_ap ssid_broadcast true (config)>
(config network wifi ap new_AP)> encryption type value (config network wifi ap new_AP)>
- none: No encryption is used.
- owe: Uses WPA3 Enhanced Open, which uses Opportunistic Wireless Encryption (OWE) technology to provide encryption for Wi-Fi networks that do not use password protection. Note Only select owe if you know that all Wi-Fi clients connecting to this device will have WPA3 capabilities.
(config)> network wifi ap digi_ap isolate_client true (config)>
The group key is shared by all in clients of the access point, and after a client has disconnected, it will be able to use the group key to decrypt broadcast packets until the key is changed.
(config)> network wifi ap digi_ap encryption group_rekey value (config)>
where value is any number of days, hours, minutes, or seconds, and take s the format number d|h|m|s >. For example, to set group rekey interval to ten minutes, enter either 10m or 600s:
(config)> network wireless ap digi_ap encryption group_rekey 600s (config)>
(config)> save Configuration saved. > © 2023 Digi International Inc. All rights reserved.
Configure an open Wi-Fi access point updated on 26 Sep 2022 03:59 PM