Orange Pi Zero 3 hotspot/access point not working

[av4625]

I had an OrangePi Zero LTS and set up an access point using the following commands:

% sudo apt install dnsmasq-base -y
% sudo sed -i "s/#MulticastDNS=no/MulticastDNS=yes/g" /etc/systemd/resolved.conf
% sudo nmcli connection add type wifi ifname wlan0 con-name access_point autoconnect yes ssid <ssid>
% sudo nmcli connection modify access_point 802-11-wireless.mode ap 802-11-wireless.band bg ipv4.method shared
% sudo nmcli connection modify access_point connection.mdns 2
% sudo nmcli connection modify access_point wifi-sec.key-mgmt wpa-psk
% sudo nmcli connection modify access_point wifi-sec.psk "<password>"
% sudo nmcli connection up access_point
% sudo hostnamectl set-hostname <hostname>

 

This worked fine, I can connect and ssh using `hostname.local` etc etc

I recently just got a OrangePi Zero 3 and tried the minimal OS, I did the commands above along with:

sudo apt install network-manager -y

The access point does seem to appear and I can see it from phones and laptops etc but I can't connect to it. What is the best way to debug the issue?

This is what it shows from the following commands:

$ nmcli device
DEVICE         TYPE      STATE                   CONNECTION   
wlan0          wifi      connected               access_point 
lo             loopback  connected (externally)  lo           
p2p-dev-wlan0  wifi-p2p  disconnected            --           
end0           ethernet  unmanaged               --           

$ nmcli connection
NAME          UUID                                  TYPE      DEVICE 
access_point  d7a42b9e-63bd-4e76-9457-018cbd43d712  wifi      wlan0  
lo            a0764323-619d-4bd9-b029-fa8da5ed24c4  loopback  lo

Any help is appreciated!

 

I should mention that the OrangePI Zero LTS OS wasn't the minimal one it was the server one so I'm not sure if I'm just missing something in the minimal OS for OrangePi Zero 3.

 

I get these debug logs if I try and connect to the access point:

Sep 29 13:41:35 <hostname> NetworkManager[846]: <debug> [1727613695.7400] ndisc-lndp[0xaaaae75732f0,"wlan0"]: processing libndp events
Sep 29 13:41:35 <hostname> NetworkManager[846]: <debug> [1727613695.7409] platform: (end0) signal: address 6 changed: fd00::97ff:fe9b:cbc0/64 lft 7200sec pref 3600sec lifetime 1394-1394[3600,7200] dev 2 flags mngtmpaddr,noprefixroute src kernel
Sep 29 13:41:35 <hostname> NetworkManager[846]: <debug> [1727613695.7412] platform: (end0) signal: address 6 changed: fd00::5bc2:4133:f0ea:931d/64 lft 7200sec pref 3600sec lifetime 1394-1394[3600,7200] dev 2 flags secondary src kernel
Sep 29 13:41:35 <hostname> NetworkManager[846]: <debug> [1727613695.7441] manager: (end0): assume: don't assume because device is not managed
Sep 29 13:41:40 <hostname> NetworkManager[846]: <debug> [1727613700.3462] ndisc-lndp[0xaaaae75732f0,"wlan0"]: processing libndp events
Sep 29 13:41:40 <hostname> NetworkManager[846]: <debug> [1727613700.3471] platform: (end0) signal: address 6 changed: fd00::97ff:fe9b:cbc0/64 lft 7200sec pref 3600sec lifetime 1398-1398[3600,7200] dev 2 flags mngtmpaddr,noprefixroute src kernel
Sep 29 13:41:40 <hostname> NetworkManager[846]: <debug> [1727613700.3474] platform: (end0) signal: address 6 changed: fd00::5bc2:4133:f0ea:931d/64 lft 7200sec pref 3600sec lifetime 1398-1398[3600,7200] dev 2 flags secondary src kernel
Sep 29 13:41:40 <hostname> NetworkManager[846]: <debug> [1727613700.3499] manager: (end0): assume: don't assume because device is not managed
Sep 29 13:41:44 <hostname> NetworkManager[846]: <debug> [1727613704.8566] ndisc-lndp[0xaaaae75732f0,"wlan0"]: processing libndp events
Sep 29 13:41:44 <hostname> NetworkManager[846]: <debug> [1727613704.8575] platform: (end0) signal: address 6 changed: fd00::97ff:fe9b:cbc0/64 lft 7200sec pref 3600sec lifetime 1403-1403[3600,7200] dev 2 flags mngtmpaddr,noprefixroute src kernel
Sep 29 13:41:44 <hostname> NetworkManager[846]: <debug> [1727613704.8578] platform: (end0) signal: address 6 changed: fd00::5bc2:4133:f0ea:931d/64 lft 7200sec pref 3600sec lifetime 1403-1403[3600,7200] dev 2 flags secondary src kernel
Sep 29 13:41:44 <hostname> NetworkManager[846]: <debug> [1727613704.8603] manager: (end0): assume: don't assume because device is not managed

 

Edited September 29 by av4625

[ag123]

running a Wifi AP (hotspot) has quite a few pieces of protocols / apps that needs to be setup to work correctly

 

I used hostapd

https://gist.github.com/ag88/de02933ba65500376d1ff48e504b1bf3

but that network manager (e.g. via nmcli etc) should work ok 

using hostapd seemed more 'transparent' in a sense that the config is in a text file. for nmcli check the interface settings

 

the other thing is check how *dhcpd* is installed, I used isc dhcp server and that works ok

I'm not sure how that'd work in network manager, but that I prefer running my own separate instance of dhcp server as that simplifies troubleshooting if things go goofy

 

There are various guides about that. A google search would probably find them e.g. 

https://variwiki.com/index.php?title=Wifi_NetworkManager#Configuring_WiFi_Access_Point_with_NetworkManager

 

[av4625]

@ag123 I appreciate the help thanks.

I was hoping to use `nmcli` so that I could keep my "setup script" as similar as possible between the Zero and Zero3. Its frustrating that the same commands work on one and not the other, but I know there are some differences between the two.

 

Did you get a hotspot to work with hostapd? Cause I'd move away from `nmcli` for a working solution of course.

 

I found out a few things since my first post with the help from your links.

 

I was able to use `nmcli` to connect to my router over Wi-Fi and that seemed to work fine.

The ethernet is unmanaged by `NetworkManager` on the Zero3 but it is managed on the Zero.

 

I tried the exact commands from your second link at the heading "Configuring WiFi Access Point with NetworkManager" to setup a hotspot incase mine were a bit weird and the result is exactly the same, it shows up and appears to work but nothing can connect. I'd love to be able to see some logging on why things can't connect to it. The only thing I didn't do was add this to the config:

[main]
dns=dnsmasq

The reason I didn't do that is because I want it to use the default `systemd-resolved` as I found it easier to setup to be able to work with mdns and access a server the pi hosts using hostname.local over the hotspot.

 

Some outputs that might be useful:

$ nmcli
wlan0: connected to access_point
        "wlan0"
        wifi (unisoc_wifi), 44:FA:6D:94:C1:36, hw, mtu 1500
        inet4 10.42.0.1/24
        route4 10.42.0.0/24 metric 600
        inet6 fe80::3cba:c8ea:4090:3d0b/64
        route6 fe80::/64 metric 1024

lo: connected (externally) to lo
        "lo"
        loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536
        inet4 127.0.0.1/8
        inet6 ::1/128

p2p-dev-wlan0: disconnected
        "p2p-dev-wlan0"
        wifi-p2p, hw

end0: unmanaged
        "end0"
        ethernet (dwmac-sun8i), 02:00:97:9B:CB:C0, hw, mtu 1500

$ nmcli con show
NAME            UUID                                  TYPE      DEVICE 
access_point    f19de078-4acb-4406-a250-08e2edc3d01e  wifi      wlan0  
lo              883ee445-38e7-4ec0-903b-48312d0cee87  loopback  lo

$ sudo systemctl status NetworkManager.service
● NetworkManager.service - Network Manager
     Loaded: loaded (/lib/systemd/system/NetworkManager.service; enabled; preset: enabled)
     Active: active (running) since Tue 2024-10-01 19:02:25 BST; 18min ago
       Docs: man:NetworkManager(8)
   Main PID: 1779 (NetworkManager)
      Tasks: 4 (limit: 4548)
     Memory: 4.3M
        CPU: 1.275s
     CGroup: /system.slice/NetworkManager.service
             ├─1779 /usr/sbin/NetworkManager --no-daemon
             └─1985 /usr/sbin/dnsmasq --conf-file=/dev/null --no-hosts --keep-in-foreground --bind-interfaces --except-interface=lo --clear-on-reload --strict-order --listen-address=10.42.0.1 --dhcp-range=10.42.0.10,10.42.0.254,60m --dhcp>

Oct 01 19:10:39 orangepizero3 NetworkManager[1779]: <info>  [1727809839.9410] device (wlan0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'managed')
Oct 01 19:10:39 orangepizero3 NetworkManager[1779]: <info>  [1727809839.9422] manager: NetworkManager state is now CONNECTED_LOCAL
Oct 01 19:10:39 orangepizero3 NetworkManager[1779]: <info>  [1727809839.9437] device (wlan0): Activation: successful, device activated.
Oct 01 19:10:39 orangepizero3 dnsmasq[1985]: started, version 2.89 cachesize 150
Oct 01 19:10:39 orangepizero3 dnsmasq[1985]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile
Oct 01 19:10:39 orangepizero3 dnsmasq[1985]: chown of PID file /run/nm-dnsmasq-wlan0.pid failed: Operation not permitted
Oct 01 19:10:39 orangepizero3 dnsmasq-dhcp[1985]: DHCP, IP range 10.42.0.10 -- 10.42.0.254, lease time 1h
Oct 01 19:10:39 orangepizero3 dnsmasq[1985]: reading /etc/resolv.conf
Oct 01 19:10:39 orangepizero3 dnsmasq[1985]: using nameserver 127.0.0.53#53
Oct 01 19:10:39 orangepizero3 dnsmasq[1985]: cleared cache

 

All the output looks as it should as far as I know.

 

I wanted to note some differences between my Zero and Zero3 incase anyone spotted something that might cause an issue:

Zero

* Runs a CLI build of Ubuntu 24.2.1 (6.6.20)

* I can run my `nmcli` commands from the first post without `sudo`

* Has files here: `/etc/polkit-1/localauthority`

* NetworkManager permissions (when logging in over SSH):

$ nmcli general permissions
PERMISSION                                                        VALUE
org.freedesktop.NetworkManager.checkpoint-rollback                yes
org.freedesktop.NetworkManager.enable-disable-connectivity-check  yes
org.freedesktop.NetworkManager.enable-disable-network             yes
org.freedesktop.NetworkManager.enable-disable-statistics          yes
org.freedesktop.NetworkManager.enable-disable-wifi                yes
org.freedesktop.NetworkManager.enable-disable-wimax               yes
org.freedesktop.NetworkManager.enable-disable-wwan                yes
org.freedesktop.NetworkManager.network-control                    yes
org.freedesktop.NetworkManager.reload                             yes
org.freedesktop.NetworkManager.settings.modify.global-dns         yes
org.freedesktop.NetworkManager.settings.modify.hostname           yes
org.freedesktop.NetworkManager.settings.modify.own                yes
org.freedesktop.NetworkManager.settings.modify.system             yes
org.freedesktop.NetworkManager.sleep-wake                         yes
org.freedesktop.NetworkManager.wifi.scan                          yes
org.freedesktop.NetworkManager.wifi.share.open                    yes
org.freedesktop.NetworkManager.wifi.share.protected               yes

 

Zero3

* Runs a minimal build of Debian (Bookworm) 24.11.0 (6.6.44)

* I can not run my `nmcli` commands from the first post without `sudo`

* Does not have files here: `/etc/polkit-1/localauthority`

* NetworkManager permissions (when logging in over SSH):

$ nmcli general permissions
PERMISSION                                                        VALUE
org.freedesktop.NetworkManager.checkpoint-rollback                auth
org.freedesktop.NetworkManager.enable-disable-connectivity-check  no
org.freedesktop.NetworkManager.enable-disable-network             no
org.freedesktop.NetworkManager.enable-disable-statistics          no
org.freedesktop.NetworkManager.enable-disable-wifi                no
org.freedesktop.NetworkManager.enable-disable-wimax               no
org.freedesktop.NetworkManager.enable-disable-wwan                no
org.freedesktop.NetworkManager.network-control                    auth
org.freedesktop.NetworkManager.reload                             auth
org.freedesktop.NetworkManager.settings.modify.global-dns         auth
org.freedesktop.NetworkManager.settings.modify.hostname           auth
org.freedesktop.NetworkManager.settings.modify.own                auth
org.freedesktop.NetworkManager.settings.modify.system             auth
org.freedesktop.NetworkManager.sleep-wake                         no
org.freedesktop.NetworkManager.wifi.scan                          auth
org.freedesktop.NetworkManager.wifi.share.open                    no
org.freedesktop.NetworkManager.wifi.share.protected               no

When logging in directly with a keyboard more than half are yes, some auth and one no I think, is that strange?

I wonder does the answer to this and its comments point to a change in Debian Bookworm around this?

https://unix.stackexchange.com/questions/692316/cant-get-right-to-add-wifi-in-nmcli-polkit

 

The permissions thing is interesting as the only warning I see in the logs which I don't see on the Zero is:

Oct 01 19:10:39 orangepizero3 dnsmasq[1985]: chown of PID file /run/nm-dnsmasq-wlan0.pid failed: Operation not permitted

I'm not using `dnsmasq` but I believe `NetworkManager` does start an instance not using a service which is why I had to install `dnsmasq-base`.

 

If anyone has anything else I can try or anyway to maybe see a log or something on why the devices won't connect please shout!

 

Thanks!

Edited October 1 by av4625

[av4625]

This has been wrecking me head as nothing I tried worked!

I tried hostapd as well and couldn't connect to any hotspot that I created.

 

I found this about the chown warning above:

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/859

 

I added CAP_CHOWN to the end of CapabilityBoundingSet in /lib/systemd/system/NetworkManager.service and that did stop the warning. I then tried to join the hotspot and it worked! I was trying lots of things before this but I didn't think I had made any permanent changes, so I re-flashed the SD card to try and set it up from scratch with the change to the capabilities and guess what... it didn't work 😭

 

I spent a long time trying everything that I thought I done and nothing worked.

 

I then came across this: https://superuser.com/questions/1721149/networkmanager-defined-hotspot-cant-connect-from-android-phone

I am not using Android to connect, I'm trying with a Mac and an iPhone.

In the first update of the original question the guy said he could only get it to work if he left out the password. This also works for me!

 

If I follow my original commands and don't add the capability above and leave these two out:

% sudo nmcli connection modify access_point wifi-sec.key-mgmt wpa-psk
% sudo nmcli connection modify access_point wifi-sec.psk "<password>"

 

I can connect to the hotspot! Not ideal with no password but it works.

I am shocked that there is no log saying that there was some issue with the password etc

Maybe I don't have a package I need, or some configuration somewhere?

The bottom answer on the post above does mention that this has been seen on Armbian before but a different device, suggesting: 

Quote

it should be a linux kernel or driver problem

 

I have no idea where to start to look, but if someone could guide me I'll try my best.

[MaxT]

If the AP mode is really just wpa-psk, it might be not supported by modern OSes (iOS, MacOS, etc).

Eg:
https://discussions.apple.com/thread/254452739?sortBy=rank

You might need to find an appropriate security mode for the AP and configure it right, but here you are on your own.

[av4625]

@MaxT I will definitely look into this more and give it a go as that link sounds like it’s not supported. 
 

Although these exact commands with the same password work on an OrangePi Zero running Ubuntu, but they don’t on an OrangePi Zero3 running Debian.

[ag123]

Imho for WiFi purposes nmcli (network manager cli) is not very different from hostapd, just that hostapd possibly has more configuration options.

 

To setup an access point, there are quite a few pieces of network configuration that needs to be setup:

• The WiFi AP itself (e.g. using network manager or hostapd) if you are able to connect and verify that in the log, that is probably solved. e.g.

  journalctl -u NetworkManager
  or for hostapd
  journalctl -u hostapd

  hostapd tends to have log entries for every host that connects, I'm not sure about NetworkManager.

• DHCP (issuing IP address to connected hosts) this is particularly true for IPv4 hosts on dynamic IP.
  DHCP would likely also need to distribute the DNS server, so configure that if it isn't done.
  e.g. https://ubuntu.com/server/docs/how-to-install-and-configure-isc-dhcp-server
• For IPv6 you may need to setup radvd (router advertisement daemon)  https://en.wikipedia.org/wiki/Radvd so that the connected hosts can setup their own IPv6 address
  quite often IPV6 requires its own /64 address range / network (* note below dnsmasq does this as well) e.g.

  apt install radvd

  https://wiki.archlinux.org/title/IPv6#For_gateways

• Configure the WiFi AP as a router or bridge.
• Router:
  • To run it as a router, you would need to do DHCP (and RADV) for your WiFi hosts as above
    For such reasons, I tend to use isc-dhcp-daemon so that I can configure the dhcpd precisely as I needed. But I'd guess it may be possible with Network manager. (* note below dnsmasq does this as well) e.g.

    apt install isc-dhcp-server

     

  • Configure routing and/or IP NAT (e.g. IP masquerading). I've tried IP NAT and that sometimes it is easier as up stream normally only a single IP address is needed.
    Routing would need a subnet to be setup, that is normally ok but that you would need to configure your main gateway router as well for the overall network setup so that it knows where/how to forward packets. many consumer getway/routers simply used NAT, that is ok as well. But that your main gateway/router may need a static route to say that for that subnet, send it to your OPi Zero 3 Wifi AP.
• Bridging:
  • To run it as a bridge you would need to setup the zero 3 WiFi AP as a bridge. This can be done using nmcli (network manager). In fact, this is my own personal preference for a small network.
    e.g.  https://www.cyberciti.biz/faq/how-to-add-network-bridge-with-nmcli-networkmanager-on-linux/
    https://gist.github.com/ag88/de02933ba65500376d1ff48e504b1bf3
  • DHCP (and RADV) can be done from the main gateway/router so long as the bridged packets reaches the WiFi hosts. Similarly, the DNS server likely needs to be distributed this way as well

 

I've not done it completely from within nmcli for this setup as I used hostapd for the WiFi AP. But that I used nmcli (network manager) for the bridge.

But that those notes above remains similar whether you used network manager or hostapd.

take note that with hostapd for WiFi AP, you probably need to un-manage the Wifi interface in Network Manager configs so that it doesn't conflict with hostapd.

https://gist.github.com/ag88/de02933ba65500376d1ff48e504b1bf3

oh and when messing with network interfaces use a debug usb-uart serial dongle or you may get 'locked out' from your zero 3

 

 

Apparently, dnsmasq does all three: DNS, DHCP, RADV

https://thekelleys.org.uk/dnsmasq/doc.html

but that there may be some configurations that are needed for it to work correctly

https://docs.fedoraproject.org/en-US/fedora-server/administration/dnsmasq/

https://wiki.archlinux.org/title/Dnsmasq

 

---

footnote: the Wifi AP on OPi Zero 3 has been running well on 5 ghz for me for quite a while, practically as my desktop Wifi AP

https://gist.github.com/ag88/de02933ba65500376d1ff48e504b1bf3

it is fast > 100 Mbps throughput, and stable (running for days to months on end without reboot)

it is a practical way to setup multiple WiFI AP , hotspot say in a home where signals is poor say due to walls etc.

these days 'mesh' router products does something similar, possibly more elaborate and faster than this for a premium.

 

[av4625]

I probably should have given more information about how I use the AP.

 

The OrangePi Zero3 is going to be a device that is not connected to the internet after setup, it runs an app and logs data.

 

It has an AP as it hosts a couple of webpages, you can connect to the AP, access the website and change some configuration and download the logged data. 
 

This all works correctly now as long as I have a passwordless AP. 
 

It provides me with an IP in the 10.42.0.* range, which is what I expect. If I connect an ethernet cable to it, it does also forward the traffic so that I can connect and access the internet. Although it won’t ever have an ethernet cable plugged in but wanted to show it works. 
 

When connected to the AP I can ssh to 10.42.0.1 or to hostname.local as I configured mDNS.

 

Haven’t looked into IPv6 but I don’t need that so not too worried at the minute. 
 

So everything seems to be working, in regards to the setup of the AP, DNS, DHCP.

 

Its just now if I require a password on the AP, I can no longer connect. The journalctl logs don’t show anything other than what I showed in precious posts  

[MaxT]

I guess you actually have not properly configured AP security mode wpa2 and/or wpa3 (not just wpa !!!)

[av4625]

I’d say this could be very likely. As this is the minimal image, the one that I used before that worked was a CLI image. Maybe it came pre configured. 
 

I did have a quick look the other day at the installed packages on both trying to compare and I couldn’t see a lot of differences. Maybe there is just some setup or configuration file I need to look for. 
 

Edit: NetworkManager came pre installed on the CLI build but not the minimal. So likely had some configuration.

Edited October 3 by av4625

[ag123]

can you show the result of 

nmcli conn edit access_point
then in the prompt
describe wifi-sec.key-mgmt

 

I think wpa-psk is after all correct, that should be wpa2

That describe statement should probably show all the available options

 

another thing that may help is to look at dmesg output especially when you are connecting to see if that detect any issues.

 

accordingly, some wifi hardware does wpa within the wifi soc itself, while some others implement all that in software, I'm not sure which is done in this case.

Accordingly, there may be some protocol changes / unsupported protocol as well (e.g. wpa3) which I'm not sure if it is there in the (kernel) stack for that particular driver or even the hardware itself.

wpa2 should be mostly there.

 

[MaxT]

Probably worth just googling for hostapd and wpa2 and/or wpa3, no?

[av4625]

@ag123 I will definitely try this later. Thank you

 

@MaxT I’d like to stay with network manager and resolved rather than hostapd and dnsmasq as it doesn’t seem trivial to switch from resolved to dnsmasq. I know it is weird that network manager does spin up its own instance of dnsmasq-base.

[ag123]

just a thought ahead, if dmesg shows protocol errors during WiFi authentication, it could be that your device (phone?) could be attempting wpa3, and that if it is after all not supported, those errors may show up in dmesg.

in that case, it may mean needing to use wpa2 to connect, which I think most devices (phones?) does it automatically.

 

another thing is to check things like character encoding etc, ascii is the safest, but otherwise maybe utf-8 should be ok. A thing is if the encoding is different, what is saved as the password may be *different* from what you think it is.

the quotes (") for the password may affect it too, try with and without quotes. alternatively try 

nmcli conn edit access_point
then in the prompt
set wifi-sec.psk 

save persistent
activate

that would be manually setting the password

 

note also that the notation may have changed between NetworkManager releases e.g.

802-11-wireless-security.key-mgmt

802-11-wireless-security.psk

etc

if that is changed in the nmcli edit prompt, print command should show them

--

blurb: network manager seemed to use dnsmasq, but that network manager seemed to manage that internally rather than running an dnsmasq instance.

I've orignally used hostapd because I wanted more control over how wifi AP works, e.g. that I wanted to setup a bridge with wifi and ethernet without dnsmasq and I'm not too sure how Network Manager does that.

But I think Network Manager should be possible for that. 

A side perk with hostapd is that it logs every connection (e.g. journalctl -u hostapd), that'd help at least with troubleshooting disconnects etc.
hostapd has a lot of other features (e.g. radius ) , and lots of wifi config options which probably can be omitted (e.g. using default) in simple Wifi setups.

 

[av4625]

I'll include the commands I ran from a clean install:

sudo apt update -y
sudo apt upgrade -y
sudo apt install network-manager dnsmasq-base vim -y
sudo reboot now
sudo nmcli connection add type wifi ifname wlan0 con-name access_point autoconnect yes ssid TEST_AP
sudo nmcli connection modify access_point 802-11-wireless.mode ap 802-11-wireless.band bg ipv4.method shared
sudo nmcli connection modify access_point connection.mdns 2
sudo nmcli connection up access_point
# Point 1
sudo nmcli connection modify access_point wifi-sec.key-mgmt wpa-psk
sudo nmcli conn edit access_point
describe wifi-sec.key-mgmt
# Output 2
set wifi-sec.psk
# Here I just typed "password" (with no quotes)
save persistent
activate
# Output 3
# Point 4
dmesg
# Output 5

 

# Point 1

A working hotspot with no password

 

# Output 2

=== [key-mgmt] ===
[NM property description]
Key management used for the connection. One of "none" (WEP or no password protection), "ieee8021x" (Dynamic WEP), "owe" (Opportunistic Wireless Encryption), "wpa-psk" (WPA2 + WPA3 personal), "sae" (WPA3 personal only), "wpa-eap" (WPA2 + WPA3 enterprise) or "wpa-eap-suite-b-192" (WPA3 enterprise only). This property must be set for any Wi-Fi connection that uses security.

 

# Output 3

Connection 'access_point' (0485b77e-4d65-4c8c-94c6-77d3d0a60cf9) successfully updated.
Monitoring connection activation (press any key to continue)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)

 

# Point 4

Can no longer connect to the hotspot on Mac/iPhone

You can see that Mac says it requires a WPA2 password:

 

# Output 5

dmesg doesn't show anything when connecting, the only thing I can really see about Wi-Fi is this and its red except the first 4 lines and last line:

[   10.571410] WCN: start_marlin [MARLIN_WIFI]
[   10.571442] WCN: marlin power state:1, subsys: [MARLIN_WIFI] power 1
[   10.571450] WCN: marlin have open, GNSS is closed
[   10.594361] WCN: get_board_ant_num [one_ant]
[   10.594384] wifi ini path = /lib/firmware/wifi_2355b001_1ant.ini
[   10.613536] sprdwl:sprdwl_get_fw_info length mismatch: len_count=83, r_len=89
[   10.613569] sprdwl:sprdwl_get_fw_info, drv_version=1, fw_version=2, compat_ver=0
[   10.613574] sprdwl:chip_model:0x2355, chip_ver:0x0
[   10.613578] sprdwl:fw_ver:0, fw_std:0x7f, fw_capa:0x120f7f
[   10.613583] sprdwl:mac_addr:5c:8a:ae:32:c1:63
[   10.613589] sprdwl:credit_capa:TX_WITH_CREDIT
[   10.613592] sprdwl:ott support:0
[   10.632409] unisoc_wifi unisoc_wifi wlan0: mixed HW and IP checksum settings.
[   10.635851] dwmac-sun8i 5020000.ethernet end0: Too many address, switching to promiscuous

...

[  134.071438] warning: `iwconfig' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211

 

 

# Interesting observation

I tried to connect using a windows laptop (please excuse these pictures of the screen, its not my device and was trying it quickly)

 

It said this about the PIN, I clicked the "Connect using a security key instead". I then typed in the password "password" and it connected. I went to settings and saw this:

 

Here we can see it is using WPA, if I change this setting to WPA2-Personal, I can no longer connect again. Which explains why the apple products can't connect as a link above says they wont do WPA.

 

This does suggest that the device has a problem with WPA2, does wpa_supplicant have anything to do with this? Is there anything I could cross reference with my working OrangePi Zero LTS? Its likely I just need to install or enable something for this although I'm struggling to find solutions online although you can find other people with similar issues.

[ag123]

it seemed possible that WPA is used after all (even with hostapd)

wlan0: STA mac_add IEEE 802.11: associated
wlan0: STA mac_add RADIUS: starting accounting session EC98EEE1B63146E8
wlan0: STA mac_add WPA: pairwise key handshake completed (RSN)
wlan0: STA mac_add IEEE 802.11: disassociated

 

I'm using

wifi-sec.key-mgmt wpa-psk

as well

 

the documentation shown with "describe" command in your run literally says "wpa2 + wpa3 personal", but it seemed wpa is used instead

 

in my hostapd.conf

# 1=wpa, 2=wep, 3=both
auth_algs=1
# WPA2 only
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP

 

it is uncertain here if that message literally means wpa or that actually wpa2 is used. 

https://wireless.wiki.kernel.org/en/users/documentation/hostapd

Quote

Settings Summary:

macaddr_acl: This controls MAC address filtering. MAC addresses are easily spoofed, so only consider the use of this to be augmenting other security measures you have in place.

auth_algs: This is a bit field where the first bit (1) is for open auth, the second bit (2) is for Shared key auth (WEP) and both (3) is both.

ignore_broadcast_ssid: This enables/disables broadcasting the SSID.

wpa: This is a bit field like auth_algs. The first bit enables WPA1 (1), the second bit enables WPA2 (2), and both enables both (3)

wpa_psk/wpa_passphrase: These establish what the pre-shared key will be for WPA authentication.

wpa_key_mgmt: This controls what key management algorithms a client can authenticate with.

wpa_pairwise: This controls WPA's data encryption.

rsn_pairwise: This controls WPA2's data encryption. First, scratch macaddr_acl and ignore_broadcast_ssid from your priorities as they only enhance security (and even then, only slightly). Also, WEP has been effectively broken now, so unless you HAVE to support WEP, scratch that from your list. This just leaves WPA/WPA2. Per the draft standard, WPA2 is required for 802.11n, and as there are known attacks on WPA now, WPA2 is the recommended authentication and encryption suite to use. Fortunately, you can have both enabled at once. If Windows clients are going to be connecting, you should leave CCMP encryption out of the wpa_pairwise option, as some windows drivers have problems with systems that enable it.

 

apparently RSN is probably WPA2

-----

apparently there is one more configuration option in Networkmanager

https://people.freedesktop.org/~lkundrak/nm-dbus-api/nm-settings.html

Table 30. 802-11-wireless-security setting

pairwise	array of string	[]	A list of pairwise encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of "tkip" or "ccmp".

proto	array of string	[]	List of strings specifying the allowed WPA protocol versions to use. Each element may be one "wpa" (allow WPA) or "rsn" (allow WPA2/RSN). If not specified, both WPA and RSN connections are allowed.

 

based on these descriptions it is likely that if "proto" is not specified both wpa and wpa2 (RSN) is allowed.

 

my guess is the connecting device (e.g. phone)  would choose the preferable more secure protocol e.g. wpa2

 

nevertheless, you may like to tweak them to see if that helps

[av4625]

Trying those settings also make no difference, I think I have definitely tried the pairwise one before following a different tutorial 😩

[av4625]

Looking at this (and the linked bug tickets): https://askubuntu.com/a/1444282

 

It looks like its an issue with wpa_supplicant 2.10, I’ll have to double check my version, I did check earlier and I think it is 2.10, but I’ll double check that tomorrow. I’ll also check on the working device. 

[ag123]

 there is another thing I did though, I disabled bluetooth as well, a pretty paranoid setup

systemctl stop bluetooth.service
systemctl disable bluetooth.service

you may want to try this first just in case that makes a difference

 

another thought though, try hostapd as well at least for a 'last resort' solution, if hostapd works while Network manager (uses wpa_supplicant) doesn't it probably confirms your suspicions.

a thing about hostapd is that it logs every connection in the journalctl logs

journalctl -u hostapd

that would likely help with troubleshooting connection issues.

 

to get hostapd 

#install hostapd
apt install hostapd  
#check that it is not masked
systemctl status hostapd 
#enable that so that it auto starts on reboot
systemctl enable hostapd

 

then followed by various configs (e.g. unmanage it from NetworkManager), I disabled wpa_supplicant as well.

https://gist.github.com/ag88/de02933ba65500376d1ff48e504b1bf3

 

I remembered that there is something about having hostapd listen on the bridge by specifying the bridge in hostapd.conf.

There are times where hostapd did not work if that bridge is not specified, but works when it is specified.

I think there are also occasions that hostapd works without that bridge, so this observation is not conclusive.

 

 

[av4625]

I tried your instructions above for hostapd from a clean install and when trying to connect I get “Incorrect Password”, I didn’t get this with nmcli, I got no feedback with it. It just didn’t connect.

 

Only hostapd logs were:

IEEE 802.11: associated
IEEE 802.11: disassociated

 

I double checked versions on both my devices:

 

Working OrangePi Zero:

network-manager 1.36.6-0 armhf
wpasupplicant 2:2.10-6 armhf

Not working OrangePi Zero3:

network-manager 1.42.4-1 arm64
wpasupplicant 2:2.10-12 arm64

 

Because both the devices above are on 2.10 wpasupplicant and it still doesn’t work with hostapd with wpasupplicant disabled, I really don’t know if its to do with the device or versions anymore.

 

Sort of losing my patience with it now lol but scared about trying another device for the same thing to happen if its to do with versions. 

[av4625]

@ag123 I really appreciate all your help on this. I did see a thing about changing the NM backend from wpasupplicant to iwd.

 

I tried that twice but I seem to just break the device and all commands hang when following the instructions even over serial debug port.

 

I might try that again before giving up.

[ag123]

a couple of thoughts, in hostapd.conf the password is specified in wpa_passphrase, you need to specify that in that file. hostapd.conf normally lives in /etc/hostapd/hostapd.conf, use that installed with the "apt install hostapd" command.

for the exact file used look in /usr/lib/systemd/system/hostapd.service

that hostapd log is nevertheless 'useful' at least it shows that hostapd is attempting to setup the connection, rather than perhaps wpa_supplicant.

 

in my setup, I limited the protocol to WPA2

https://gist.github.com/ag88/de02933ba65500376d1ff48e504b1bf3

 

I assume you are working through the ethernet port e.g. using ssh.

it is possible to stay with 'default' network setup and omitting those nmcli configurations if you are just testing connectivity to WiFi. Those nmcli commands are mainly to set a fix ip on the ethernet interface and to setup a bridge across both wifi and lan. Not re-configuring the network especially the ethernet port would not hang things if you are working from the ethernet port.

messing with network configuration practically mandates using the usb-uart serial debug port as your console, it is not possible to configure the ethernet port while you are connected through it e.g. using ssh.

 

But it is recommended to still 'unmanage' the wifi interface from Network manager to prevent conflicts.

it is possible to temporarily unmanage the connection during the session

nmcli dev set wlan0 managed no

but that I find it a hassle as it reverts to managed on reboot, so I added in /etc/NetworkManager/conf.d/99-unmanaged-devices.conf

[keyfile]
unmanaged-devices=interface-name:wlan0

 

i go to the extent of disabling wpa_supplicant

systemctl stop wpa_supplicant.service
systemctl disable wpa_supplicant.service  

I'm not too sure if that is after all necessary, but that I just wanted to be sure only hostapd is controlling the WiFi interface.

 

it is possible to setup hostapd.conf to use both WPA and/or WPA2, some changes are needed in hostapd.conf

# 1=wpa, 2=wep, 3=both
auth_algs=1
# bit0 = WPA
# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
# both WPA and WPA2
wpa=3

# use a pre-shared key
wpa_key_mgmt=WPA-PSK

# Set of accepted cipher suites (encryption algorithms) for pairwise keys
# Pairwise cipher for WPA (v1) (default: TKIP)
wpa_pairwise=TKIP CCMP
# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value)
#rsn_pairwise=CCMP

# you need to set the wifi password here
wpa_passphrase=your_wifi_passphrase_min_8_char

# Levels (minimum value for logged events):
#  0 = verbose debugging
#  1 = debugging
#  2 = informational messages
#  3 = notification
#  4 = warning
#
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
# you may want to set logger_stdout_level=1 debug 
logger_stdout_level=2

 

in the above changes, that should allow hostapd to do both wpa and wpa2, this is just in case your devices are actually using wpa rather than wpa2.

 

a complete hostapd.conf example is here

https://web.mit.edu/freebsd/head/contrib/wpa/hostapd/hostapd.conf

 

I think the default character encoding in armbian is utf-8, that can be checked using the command "locale"  or checking the environment variables using "env". type a plain text password for that wpa_passphrase config in the file.

 

note that if you are not using a network bridge and there is no DHCP servers, you would need to configure the wlan0 interface with an ip address and network using say ip commands e.g.

/etc/network/interfaces

source /etc/network/interfaces.d/*
# Network is managed by Network manager
auto lo
iface lo inet loopback
# added the following
auto wlan0
iface wlan0 inet static
address 10.0.0.1
netmask 255.255.255.0

^ note I'm not too sure if this'd work given that Network Manager is in use. This is kind of trying to setup wlan0 'outside' of Network manager. In my setup using the bridge, I let network manager manage the bridge and I patched the wlan0 interface into the bridge. (ref: https://wiki.debian.org/NetworkConfiguration )

 

and run a dhcp server. e.g. dnsmasq or isc-dhcp-server

apt install isc-dhcp-server

https://ubuntu.com/server/docs/how-to-install-and-configure-isc-dhcp-server

 

I think network manager is easier in this aspect as it manages the interface setting ip address and running a dhcp server and configure forwarding. Just that I find network manager 'opaque' in that very little logs are found when wifi clients/hosts connects and that the dhcpd etc are not explicit in network manager configs.

 

hope that helps

[av4625]

I will follow through this after the weekend. I didn’t even install network-manager when I tried. I just installed hostapd and vim from a clean install. I unmasked the hostspd service. I disabled the wpasupplicant service too. I used the conf file from the gist.github link. I just changed the ssid and password in the conf file. 
 

I had no issue with hanging with hostapd, just when trying to change NM’s backend in a different attempt and clean install.

[av4625]

Haven't had a chance yet to follow the steps above but thought I'd update and say that I can't get iwd to work at all. Tried the steps here https://wiki.debian.org/NetworkManager/iwd under "Enabling IWD backend" and after doing that a `systemctl status NetworkManager` hangs indefinitely. It also hangs when trying to log in using the serial debug port and the red LED flashes quicker than normal. This is annoying as this normally fixes my issue for most people.

 

To answer some questions above, I am using ssh over ethernet if I'm not using serial and the debug port.

 

I also tried disabling and stopping wpa_supplicant when trying hostapd.

[av4625]

I tried downgrading wpasupplicant to 2.9. The version from here: https://packages.debian.org/bullseye/arm64/ I also needed to get libssl1.1 from there as it is a missing dependency.

This still didn't work even though this fixed the know bug for lots of users.

 

I then tried downgrading network manager to the version from the link above and installing policykit-1 as it was a missing dependency.

This also didn't work.

 

I'm going to say that this is an issue with this specific board (and maybe others I'm not sure) and Armbian.

There must be some issue in how ever WPA2 works. I read somewhere that some devices might store a key on the wifi/network chip and some don't. Maybe there is some difference like this with this device compared to the Orange Pi LTS.

 

Sad  

[av4625]

Just for info, the Ubuntu image that you can download from the OrangePi site also doesn't work

The OpiOS fails to even setup a access point

[ag123]

@av4625

imho you may want to try the hostapd.conf edits as suggested in the last comment. that basically enables WPA in addition to WPA2. Beyond that, i'm not sure what else can be done for authentication and encryption (e.g. WPA, WPA2).

 

other things may be to review the hostapd logs e.g. journalctl -u hostapd to see if there are any hints and perhaps enable 'debug' to standard output (that goes to journalctl) as suggested in the prior comment for hostapd.conf. 

 

Another thing is to look in the nightlly rolling releases and perhaps use a recent image to see if that helps

https://github.com/armbian/os/releases

This likely matters as those uses kernels that are beyond 6.6 and may have additional fixes patched into the drivers.

 

it may be possible to study the kernel driver for Wifi CdTech 20U5622 module. That goes beyond configuration.

It is after all possible to build it completely from source, the kernel and an armbian iamge (not too difficult for a default build, it lets you choose the base distribution e.g. debian, ubuntu, edge vs current, with the full set of kernel build configuration as part of it)

https://docs.armbian.com/Developer-Guide_Building-with-Docker/

This makes Armbian different vs the vendor releases, though the vendor released the (kernel) sources as well in github. But I've not tried building from there.

 

 

Edited Friday at 04:29 AM by ag123

[av4625]

Unfortunately enabling WPA wont solve my issue as apple don’t allow/support it. I am only trying to connect from an iPhone or Mac. 
 

WPA works with nmcli commands without the need for hostapd and I can connect to it using WPA using windows. 
 

I tried the latest armbian release as it was slightly newer than the one I had, but no joy

 

Next step is probably playing with the driver and kernel source code but that is a bit beyond my knowledge. 
 

I appreciate all the help though!

Edited Friday at 08:27 AM by av4625

[ag123]

I tried searching for an image in

https://github.com/armbian/os/releases

unfortunately, I did not seem to find a nightly image for zero 3

 

I'd like to suggest you can try to build an image off the edge release, which would be a recent kernel

https://docs.armbian.com/Developer-Guide_Build-Preparation/

https://docs.armbian.com/Developer-Guide_Building-with-Docker/

and you can make distribution related selections e.g. debian, ubuntu, minimal, 'full' (gui) etc.

 

that do not necessarily fix the problem as using a recent kernel may possibly break things, but that you can nevertheless try rebuild with the 'current' kernel if that doesn't work.

a thing would be I'm not too sure if a recent kernel could help in any way, but that if using an edge kernel makes a difference (i'm not sure if it does) it may be worth a try.

 

** one thing about building the kernel / distribution image from source is that it may get more recent patches even for that matter fror the drivers to be bundled and included. That may 'accidentally' help if someone pushed a patch to fix some issues.

 

I do not know enough about wifi, in particular if encryption related stuff e.g. WPA, WPA2 is after all only in the wifi driver itself  or that the linux kernel does that for the drivers. e.g. more like a 'library' .

if it is only in the driver itself, that would possibly mean that every wifi dfirver for a different soc will behave differently. e.g. that one driver supports WPA, WPA2 doesn't mean that another does it.

deeper down there may be protocol differences as well which makes it 'incompatible' with some platforms e.g. Mac, iphone etc.

 

oops it seemed that is done by wpa_supplicant?

https://wireless.docs.kernel.org/en/latest/en/users/documentation/wpa_supplicant.html

https://w1.fi/wpa_supplicant/

^ this is important, if WPA, WPA2 etc is handled by wpa_supplicant then my understanding about running hostapd without wpa_supplicant is perhaps flawed. 

As it seemed wpa_supplicant is The thing that does WPA/WPA2 etc (i.e. it is The library for WPA/WPA2) 

If this is true (i.e. wpa_supplicant does WPA/WPA2 and nothing else does it, then the question is what breaks wpa_supplicant from being able to do so?

what is the thing 'in-the-middle' that makes wpa_supplicant fail to authenticate? and establish WPA/WPA2?

 

when I'm reviewing the docs for hostapd

https://wireless.docs.kernel.org/en/latest/en/users/documentation/hostapd.html

I've an impression that hostapd merely *configures* the wifi driver rather than literally doing WPA/WPA2 etc

I'm not too sure about wpa_supplicant though.

if this is true, then WPA, WPA2 is either in the driver itself or that the kernel handles it (e.g. by means of a 'library' kind of stuff).

 

 

 

[ag123]

@av4625
blurb

I stumbled into this

https://w1.fi/wpa_supplicant/devel/

googling around

 

if this is true both wpa_supplicant and hostapd does part of WPA / WPA2 probably the protocol negotiation parts, i.e. maintaining state in some ways.

still more questions than answers

 

Quote

The design goal for wpa_supplicant was to use hardware, driver, and OS independent, portable C code for all WPA functionality. 

The design goal for hostapd was to use hardware, driver, and OS independent, portable C code for all WPA functionality. T

 

If this is true try to build an Armbian image yourself as in the prior comment. 

my  speculations: if you rebuild the image from source, it would pull new (possibly updated copies of hostapd and wpasupplicant) into your image.
the kernel and wifi driver may have the relevant patches that connect the driver and wpa_supplicant/hostapd ( since wpa_supplicant and/or hostapd does everything that is required for WPA/WPA2)

 

i.e. if all these are true and read verbatim, since wpa_supplicant/hostapd does all of WPA/WPA2 if WPA2 is broken itself it probably means a broken wpa_supplicant and/or hostapd (depending on the one that you use)

but that if it isn't wpa_supplicant / hostapd that breaks WPA / WPA2, then this must means that the plumbing between the wifi driver and wpa_supplicant / hostapd is broken which cause things like authentication / wpa / wpa 2 to fail. 

This seemed so key, wpa_supplicant / hostapd is the 'technology' / 'secret' to a good WPA/WPA2 etc implementation for wifi (in general, all, any wifi) a key part of wifi.

 

hope this helps