About

In practical scenarios it is sometimes useful to grant only partial access to a network. One such scenario is a guest wireless network, which isolates wireless clients from the rest of the network: the owner does not have to reveal the real wireless password, yet connecting clients can still access the Internet.

This tutorial covers the implementation of a sliding key for the wireless password, which is updated every day according to a preconfigured algorithm. Trivially, the algorithm becomes part of the secret such that any variation is possible.

Adding an OpenWrt Wireless Network

Opening up the page at Network → Wireless will reveal the radios available for the OpenWrt device along with the already configured networks underneath each radio. Pressing the Add button will allow an additional network to be added and configured.

Setup

  • The script from the code section should be placed at /usr/local/sbin/wireless-sliding-password and then made executable:
chmod +x /usr/local/sbin/wireless-sliding-password
  • update the script at /usr/local/sbin/wireless-sliding-password to change the SET_SSID variable to the wireless network SSID whose password should be updated
  • micrond should be installed:
opkg update
opkg install micrond
  • a cron file has to be created at /usr/lib/micron.d/wireless-sliding-password with the following contents:
0 0 * * * /usr/local/sbin/wireless-sliding-password >/dev/null 2>&1

How It Works

Every day at midnight, the script will run and update the password for the networks specified by their SSID within the script on the configuration line ``SET_SSID``.

Code

wireless-sliding-password
#!/bin/sh
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2022 - License: GNU GPLv3      ##
###########################################################################
# This script is intended to be run from crontab every day. It sets the   #
# wireless key to the first 8 hex digits of the MD4 digest of the date    #
# (YYYYMMDD). The intent is to provide a "guest" network whilst still     #
# providing encryption.                                                   #
###########################################################################
 
###########################################################################
##                            CONFIGURATION                              ##
###########################################################################
# Space separated list of wireless SSIDs for which to set the sliding key.
SET_SSID='mywifi'
 
###########################################################################
##                              INTERNALS                                ##
###########################################################################
 
# Derive the key: first 8 hex digits of the MD4 digest of today's date.
PASSWORD=`date +%Y%m%d | \
    openssl dgst -md4 -hex | \
    awk '{ print $2 }' | \
    cut -c 1-8`

# Stop if the digest step failed; WPA needs at least 8 characters.
if [ "${#PASSWORD}" -ne 8 ]; then
    echo "Could not derive the sliding key." >&2
    exit 1
fi
 
for SET in $SET_SSID; do
    # Restart the interface index for every SSID in the list.
    i=0
    while :; do
        SSID=`uci get "wireless.@wifi-iface[$i].ssid" 2>&1`
        # uci returns 1 once the index runs past the last interface.
        if [ "$?" = 1 ]; then
            break
        fi
        if [ "$SSID" = "$SET" ]; then
            echo "Updating sliding key for $SSID..."
            # Set the sliding key.
            uci set "wireless.@wifi-iface[$i].key=$PASSWORD"
            # Commit wireless configuration.
            uci commit wireless
            # Reload the wifi subsystem.
            wifi reload
        fi
        # POSIX arithmetic instead of the non-portable "let".
        i=$((i + 1))
    done
done
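
A variation on the derivation step of the script above, added here as an example and not part of the original Wizardry and Steamworks script: the daily key is an HMAC-SHA256 of the date under a router-local secret, so knowing the algorithm and the date is not enough to compute the password. The function names and the secret file passed to `daily_key` are hypothetical; `openssl` is assumed to be installed, as the original script already requires.

```sh
#!/bin/sh
# Added example (not the original script): derive the daily guest key from
# the date AND a router-local secret, so the algorithm alone reveals nothing.

# derive_key DATE SECRET -> prints 16 hex characters.
# Assumption: openssl is installed, as the original script already requires.
derive_key() {
    printf '%s' "$1" |
        openssl dgst -sha256 -hmac "$2" -hex |
        awk '{ print $NF }' |
        cut -c 1-16
}

# valid_wpa_psk KEY -> exit 0 if KEY is a usable WPA passphrase (8..63 chars).
valid_wpa_psk() {
    len=${#1}
    [ "$len" -ge 8 ] && [ "$len" -le 63 ]
}

# daily_key SECRET_FILE [DATE] -> prints the key for DATE (default: today).
# SECRET_FILE is a hypothetical path; keep it chmod 600 on the router.
daily_key() {
    [ -r "$1" ] || { echo "secret file $1 not readable" >&2; return 1; }
    secret=$(cat "$1")
    [ -n "$secret" ] || { echo "secret file $1 is empty" >&2; return 1; }
    key=$(derive_key "${2:-$(date +%Y%m%d)}" "$secret")
    valid_wpa_psk "$key" || { echo "derivation failed" >&2; return 1; }
    printf '%s\n' "$key"
}

# Constructed demo: a throwaway secret in a temp file, two sample dates.
demo() {
    tmp=$(mktemp) && printf '%s' 'constructed-demo-secret' > "$tmp"
    echo "20220504 -> $(daily_key "$tmp" 20220504)"
    echo "20220505 -> $(daily_key "$tmp" 20220505)"
    rm -f "$tmp"
}
demo
```

A display device that holds the same secret can run `daily_key` on its own to show the current password without querying the router.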

Hardware Displays

Because the password changes daily, the owner would have to relay the current password to any guests. One interesting alternative, depending on the OpenWrt device, would be to attach an LCD/LED display that shows the password on, or next to, the router itself.

On Security...

The scheme provides the following differences to a standard guest network:

  • the password changes dynamically such that guests do not retain their access nor the network password when they leave,
  • the network is closed and secured (compared to not having any password at all) such that bystanders cannot hijack the network unless they can physically observe the router (in case a display is used),
  • the initial variation of the script contained just an incremental date format such that the password could be conveyed to a guest without having to look up the current password; nevertheless in case a hardware display is used, the password could just be randomly generated,
  • aside from using hardware devices, the password could easily be broadcast via CCTV (e.g. hotels, airports, etc.), passed through MQTT, and so on…
  • once the system is set up, there is no user intervention required; each day the password is generated automatically, the wifi is reloaded, and the password is then displayed until the next one is generated,
  • there is no requirement on the user's hardware, since the network can use standard WPA authentication, and the setup is low-cost.

openwrt/wireless_sliding_password.txt · Last modified: 2022/05/04 13:49 by office
