OpenWiFi Tips & Tricks
June 13, 2025
AP Onboarding Help:
- pingable? -> no -> restart/factory reset until pingable
- ssh-able? -> no -> restart/factory reset until ssh-able *note SSH “Message of the Day” / Banner*
- /etc/hosts has private IP of controller -> no -> rXg should login and reset it within 10 min
- /etc/ucentral/gateway.json has fqdn:port of controller -> no -> rXg should login and reset it within 10 min
- mTLS session test (see manual) -> fails -> reapprove -> fails -> reimport and reapprove
mTLS Session test:
openssl s_client -connect openwifi.wlan.local:15002 -cert /etc/ucentral/cert.pem -key /etc/ucentral/key.pem
OpenWiFi Controller Configuration and WAP onboarding
See https://support.rgnets.com/knowledge/90 for detailed instructions on downloading, instantiating, and configuring an OpenWiFi Controller, followed by WAP onboarding. Note that the OpenWiFi Controller UI can be accessed only through its pre-configured FQDN and not through the direct IP address; any attempt to use the explicit IP address will likely result in certificate failures and loss of functionality.
In the case of connectivity problems between the OpenWiFi controller and the WAP, confirm that both of them can be reached from the rXg shell.
If the WAP does not connect to the OpenWiFi Controller, there are a few settings / configuration details worth looking at, including:
- The content of the /etc/hosts file on the WAP: confirm that an entry for openwifi.wlan.local is present and, if the rXg is used in a NATed configuration, that the rXg FQDN is also present.
- The /etc/ucentral/gateway.json file should contain the following string: {"server":"openwifi.wlan.local","port":15002}, assuming the default FQDN for the OpenWiFi Controller was used.
- Confirm that the WAP can properly receive and process certificates by issuing the `openssl s_client -connect openwifi.wlan.local:15002 -cert /etc/ucentral/cert.pem -key /etc/ucentral/key.pem` command in the WAP shell. The output should include a valid certificate chain, even if the self-signed certificate warning is present:
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3897 bytes and written 2163 bytes
Verification error: self-signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self-signed certificate in certificate chain)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_CHACHA20_POLY1305_SHA256
Session-ID: 20BED919F346FAFD41B3A2B8119EDEB8FC317812C3F2EC2BABFD3E2384DA0F1B
Session-ID-ctx:
Resumption PSK: 735141CB14549D95B12E2ADA8F92E599A2E60917B9468098522253398FABD53E
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 120 (seconds)
TLS session ticket:
0000 - c4 93 6a 4f 02 3e b0 67-8d 91 5b 02 2c 4c 03 6f ..jO.>.g..[.,L.o
0010 - 64 55 58 cd 14 47 e2 8d-f1 1c af fe e1 bb d1 d7 dUX..G..........
0020 - b4 ea da db fe 9b a4 d3-e8 76 7d 9e 73 40 ea d6 .........v}.s@..
<<<snip>>>
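The three checks above (hosts entry, gateway.json content, TLS session test) can be scripted for the WAP shell. This is an added example, not part of the original article or any vendor tooling; the script name onboard_check.sh, the function names and the two sample strings are assumptions, while the paths, FQDN and port are the ones the article gives.

```shell
#!/bin/sh
# Added example, not vendor code. Defaults are the article's FQDN and port.
FQDN="${FQDN:-openwifi.wlan.local}"
PORT="${PORT:-15002}"

# check_hosts FILE: succeed if FILE maps an address to exactly $FQDN.
check_hosts() {
    awk -v n="$FQDN" '
        { sub(/#.*/, ""); for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit !found }' "$1"
}

# check_gateway FILE: succeed if FILE holds "server":"$FQDN" and "port":$PORT.
check_gateway() {
    compact=$(tr -d ' \t\r\n' < "$1") || return 1
    case "$compact" in
        *"\"server\":\"$FQDN\""*) ;;
        *) return 1 ;;
    esac
    case "$compact" in
        *"\"port\":$PORT,"* | *"\"port\":$PORT}"*) return 0 ;;
    esac
    return 1
}

# check_handshake: read s_client output on stdin. Succeed only if a TLS
# cipher was negotiated and every verify code is 0 or 19 (self-signed
# certificate in the chain, which the article says is acceptable here).
check_handshake() {
    awk '
        /^New, TLSv/ && $NF != "(NONE)" { cipher = 1 }
        /Verify return code:/ { seen = 1; if ($4 != 0 && $4 != 19) bad = 1 }
        END { exit !(cipher && seen && !bad) }'
}

# Constructed samples: a completed handshake and a failed one.
SAMPLE_OK='New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Verify return code: 19 (self-signed certificate in certificate chain)'
SAMPLE_BAD='New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)'

# On the AP, run the live checks with: sh onboard_check.sh run
if [ "${1:-}" = "run" ]; then
    check_hosts /etc/hosts || echo "FAIL: $FQDN missing from /etc/hosts"
    check_gateway /etc/ucentral/gateway.json || echo "FAIL: gateway.json"
    openssl s_client -connect "$FQDN:$PORT" -cert /etc/ucentral/cert.pem \
        -key /etc/ucentral/key.pem </dev/null 2>&1 | check_handshake ||
        echo "FAIL: TLS session test against $FQDN:$PORT"
fi
```

A negotiated cipher shows that the TLS handshake completed from the AP's side; it does not by itself prove that the controller accepted the AP's client certificate, so a passing result here still needs the device to show as connected on the controller.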
Shell Access to OpenWiFi APs
The default credentials for OpenWiFi access points are: root/openwifi
When you are logged into the CLI, you may find the logread command useful to display the current running log on the WAP:
logread -l100 -f
Consider the following to figure out if traffic is passing in a tunnel:
On AP:
tcpdump -nei up proto gre -vvv
On rXg:
tcpdump -nei pflog0 proto gre and host <ap ip> -vvv
The /etc/hosts file on the AP should have an entry for the controller and the local rXg gateway address as well:
root@d4babaa141d0:~# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.0.49.2 openwifi.wlan.local
10.0.47.1 rxgdev02.home
If you need to factory reset an AP, use the following command:
firstboot -yr
Recovering WAP from a bricked state
If the AP powers on but does not respond to SSH or acquire an IP address via DHCP, configure a device (a laptop) with an address in the 192.168.1.0/24 prefix, connect it to the WAP on the WAN/LAN port and see if you can ping the AP at 192.168.1.1. If that works, you should be able to ssh to the AP on 192.168.1.1 using the default credentials.
Once the connection is successful, perform a factory reset to attempt to restore the device to its original state.
Firmware Upgrade
Once in the WAP shell, transfer the firmware file to the /tmp directory of the AP by SCP and then run the sysupgrade command to upgrade the AP:
sysupgrade -o /tmp/firmware_file.bin
If you want to build your own firmware, check out details at https://github.com/Telecominfraproject/wlan-ap.
The firmware upgrade is also available via the OpenWiFi UI, when a new firmware becomes available.
