Starting with mesh networks

I could not get a password protected 802.11s up using only wpad-mesh with option encryption set to authsae or psk2/aes.

Having installed wpad-mini and authsae it seems to work with option encryption 'authsae'. My mesh nodes (FSC Futro S200 family thin clients and TL-WR703N (extrooted)) then only can communicate using the same password.

(Currently using LEDE-17.01.4 on all meshed systems.)

Uhm, I don't even have the /var/run/wpa_supplicant-wlan?.conf on my router, so I'm guessing it (and mesh support) is firmware/driver dependent. How can I check if my router radios support mesh?

Long: https://wiki.openwrt.org/doc/howto/mesh.80211s#known_issues

Short: iw list lists the modes you can use (and much more). Look for mesh point.

@yeti thank you for your prompt reply.

I can't get it to work on Linksys EA8500 running LEDE 17.01.4:

EA8500 in ~ # iw list | grep mesh
		 * mesh point
		 * #{ managed } <= 1, #{ AP, mesh point } <= 16,
		 * mesh point
		 * #{ managed } <= 1, #{ AP, mesh point } <= 16,

EA8500 in ~ # uci show wireless.@wifi-iface[3]
wireless.cfg083579=wifi-iface
wireless.cfg083579.device='radio0'
wireless.cfg083579.network='lan'
wireless.cfg083579.mode='mesh'
wireless.cfg083579.mesh_id='******.mesh'
wireless.cfg083579.encryption='psk2/aes'
wireless.cfg083579.key='*********'

EA8500 in ~ # ls -la /var/run/wpa_supplicant*.*
ls: /var/run/wpa_supplicant*.*: No such file or directory

EA8500 in ~ # ls /var/run/hostapd-phy*.*
/var/run/hostapd-phy0.conf  /var/run/hostapd-phy1.conf

EA8500 in ~ # grep mesh /var/run/hostapd-phy*.*

Removing encryption/key does not help. :frowning:

I think with wpad-mesh I got an open mesh by setting

option encryption 'none'

and leaving away

option key 'whatsoever'

definition.

Even stranger: I got an open mesh when setting

option encryption 'authsae'
option key 'NotMyPassword'

and then I started experimenting with additionally adding the package authsae and switching to wpad-mini. That looks better here.

Does the log contain some lines about the mesh?
Is the channel set to a fixed value?
I think 802.11s doesn't like auto for channels.

Can please someone successfully using wpad-mesh jump in here?

Is there someone at all getting an encrypted mesh with wpad-mesh?

I didn't have time lately to play around with this, but after some googling and experimenting I seem to have success with encryption (finally). The trick was to change "option encryption 'authsae'". It seems we just need to put 'psk2' or 'psk2+ccmp' like "normal". I am using wpad-mesh (without authsae).

This results in:

network={
	ssid="MyMesh"
	key_mgmt=SAE
	mode=5
	fixed_freq=1
	frequency=2437
	ht40=1
	max_oper_chwidth=0
	psk="PasswordMesh"
	beacon_int=100
}

inside the /tmp/run/wpa_supplicant-wlan0-conf.

iw dev wlan0 station dump shows:
..
mesh plink : ESTAB
..

Changing the "key" to something different this changes to:

mesh plink : BLOCK

I'm not sure how else to verify that encryption is working. Can we Wireshark an "open" mesh and just see "plain-text" ??

That might be it, I'll try with a fixed channel a bit later.

Had a bit more time to experiment with mesh -- I can't get the WiFi SSID (***E0BC) to show up on my devices, these are my settings/output:

MT300N in ~ # show network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd10:5bf1:5470::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.8.1'
	option ifname 'eth0.1 wlan0 mesh'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'e4:95:6e:40:e0:bc'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option hostname 'MT300N'
	option peerdns '0'
	option delegate '0'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'e4:95:6e:40:e0:bd'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

MT300N in ~ # show wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/10180000.wmac'
	option channel '1'
	option country 'US'
	option htmode 'HT40'
	option txpower '30'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key '***'
	option encryption 'psk2+ccmp'
	option ssid '***E0BC'

config wifi-iface
	option device 'radio0'
	option network 'lan'
	option mode 'mesh'
	option mesh_id '***mesh'
	option encryption 'psk2+ccmp'
	option key '***'

MT300N in ~ # iw list
Wiphy phy0
	max # scan SSIDs: 4
	max scan IEs length: 2257 bytes
	max # sched scan SSIDs: 0
	max # match sets: 0
	max # scan plans: 1
	max scan plan interval: -1
	max scan plan iterations: 0
	Retry short long limit: 2
	Coverage class: 0 (up to 0m)
	Available Antennas: TX 0 RX 0
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * AP/VLAN
		 * monitor
		 * mesh point
	Band 1:
		Capabilities: 0x2fe
			HT20/HT40
			SM Power Save disabled
			RX Greenfield
			RX HT20 SGI
			RX HT40 SGI
			TX STBC
			RX STBC 2-streams
			Max AMSDU length: 3839 bytes
			No DSSS/CCK HT40
		Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
		Minimum RX AMPDU time spacing: 2 usec (0x04)
		HT TX/RX MCS rate indexes supported: 0-15, 32
		Frequencies:
			* 2412 MHz [1] (30.0 dBm)
			* 2417 MHz [2] (30.0 dBm)
			* 2422 MHz [3] (30.0 dBm)
			* 2427 MHz [4] (30.0 dBm)
			* 2432 MHz [5] (30.0 dBm)
			* 2437 MHz [6] (30.0 dBm)
			* 2442 MHz [7] (30.0 dBm)
			* 2447 MHz [8] (30.0 dBm)
			* 2452 MHz [9] (30.0 dBm)
			* 2457 MHz [10] (30.0 dBm)
			* 2462 MHz [11] (30.0 dBm)
			* 2467 MHz [12] (disabled)
			* 2472 MHz [13] (disabled)
			* 2484 MHz [14] (disabled)
	valid interface combinations:
		 * #{ managed, AP, mesh point } <= 8,
		   total <= 8, #channels <= 1
	HT Capability overrides:
		 * MCS: ff ff ff ff ff ff ff ff ff ff
		 * maximum A-MSDU length
		 * supported channel width
		 * short GI for 40 MHz
		 * max A-MPDU length exponent
		 * min MPDU start spacing
MT300N in ~ # cat /var/run/wpa_supplicant-wlan0.conf

country=US
network={

	ssid="***mesh"
	key_mgmt=SAE
	mode=5
	frequency=2412
	psk="***"
}

Any ideas?

PS. If I comment out the mesh interface settings in /etc/config/wireless then my other interface comes up and I can see it on my WiFi devices.

Turns out the encryption is at fault. If I remove the encryption and the key options, everything works.

With the encryption enabled I can't get the interface to start.
I've tried both (individually/separately):

option encryption 'psk2+ccmp'
option encryption 'authsae'

And neither works. I have wpad-mesh installed and am trying it on LEDE 17.01.4.

1 Like

I had no success with wpad-mesh and encryption. My experiments are using the packages wpad-mini and authsae (17.01.4 on x86-legacy thin clients and extrooted TL-WR703Ns).

My guinea pigs only can join the mesh when the password matches, so it at least halfway works.

As long as I don't know how to verify that encryption really is doing its job I do not bridge the mesh to my LAN or WAN interfaces. So I have not tried bridging it yet.

Sorry late reply, I was on the road so I could not check my wireless setting:

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '6'
	option hwmode '11g'
	option path 'platform/qca953x_wmac'
	option htmode 'HT40'
    option noscan '1'

config wifi-iface
        option device 'radio0'
        option network 'lan'
        option mode 'mesh'
        option mesh_id 'RichieMesh'
        option encryption 'psk2+ccmp'
        option key 'Secret'

config wifi-iface
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'RichieAP'
        option encryption 'psk2+ccmp'
        option key 'Password'

The router is just plugged in one of my bedrooms in the "middle" of my apartment. I can connect just fine to its AP and get internet/lan via the Mesh. IP addresses are via DHCP on my main router, and my devices get these just fine via the "mesh". Using only wpad-mesh. The authsae package is really old and depreciated.
Does encryption really work... that's a good question. I don't know how to check, I can only confirm that without a key or wrong key it doesn't connect. Suppose it doesn't work, should I be able to see the mesh-traffic as "plain-text" using wireshark, and how?

1 Like

I'll give it another shot when I have some free time, but I just wanted to say @drbrains -- huge thank you for replying in this thread and to PMs of multiple people trying to achieve working mesh setup.

1 Like

No way! I cannot get my mesh up with wpad-mesh.
It works with wpad-mini and authsae.

Maybe I'm really old and depreciated too... :stuck_out_tongue:

Hi there.
I'm new to working with Mesh Networks. I've been trying to install packages on my R7800 Netgear router, via opkg. But every time I try this 'opkg install wpad authsae', I get the following message:

Package authsae (2014-06-09-8531ab158910a525d4bcbb3ad02c08342f6987f2) installed in root is up to date.
Configuring libnl-tiny.
//usr/lib/opkg/info/libnl-tiny.postinst: //usr/lib/opkg/info/libnl-tiny.postinst: 4: default_postinst: not found
Configuring authsae.
//usr/lib/opkg/info/authsae.postinst: //usr/lib/opkg/info/authsae.postinst: 4: default_postinst: not found
Configuring babeld.
//usr/lib/opkg/info/babeld.postinst: //usr/lib/opkg/info/babeld.postinst: 4: default_postinst: not found
Configuring hostapd-common.
//usr/lib/opkg/info/hostapd-common.postinst: //usr/lib/opkg/info/hostapd-common.postinst: 4: default_postinst: not found
Collected errors:
 * check_data_file_clashes: Package wpad wants to install file /usr/sbin/hostapd
        But that file is already provided by package  * qca-hostap
 * check_data_file_clashes: Package wpad wants to install file /usr/sbin/wpa_supplicant
        But that file is already provided by package  * qca-wpa-supplicant
 * opkg_install_cmd: Cannot install package wpad.
 * pkg_run_script: package "libnl-tiny" postinst script returned status 127.
 * opkg_configure: libnl-tiny.postinst returned 127.
 * pkg_run_script: package "authsae" postinst script returned status 127.
 * opkg_configure: authsae.postinst returned 127.
 * pkg_run_script: package "babeld" postinst script returned status 127.
 * opkg_configure: babeld.postinst returned 127.
 * pkg_run_script: package "hostapd-common" postinst script returned status 127.
 * opkg_configure: hostapd-common.postinst returned 127.

This is the content of my opkg.conf file

dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
option check_signature 1
src/gz snapshots_base http://downloads.openwrt.org/snapshots/trunk/ipq806x/generic/packages/base

Any ideas on how to resolve this? This is the link that I'm following:
https://wiki.openwrt.org/doc/howto/mesh.80211s

Any help would be much appreciated !!

You can only have one package providing a specific file. You need to remove the conflicting package before replacing it.

For me to bring up encrypted 802.11s on an Archer C7 under 17.01.4, I remove wpad-mini and then install wpad-mesh then seem to need to reboot.

config wifi-iface
	option device 'radio1'
	option mode 'mesh'
	option mesh_id '<mesh ID redacted>'
	option mesh_fwding '1'
	option encryption 'psk2/aes'
	option key '<pass-string redacted>'
	option network 'mesh_if'

# iw phy phy0 interface add mon0 type monitor
# ip link set mon0 up
# tcpdump -i mon0 -s 65535 -w /tmp/wireless.cap
tcpdump: listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes

Copy to an appropriate machine and open with wireshark

Frame 1: 145 bytes on wire (1160 bits), 145 bytes captured (1160 bits)
Radiotap Header v0, Length 13
802.11 radio information
IEEE 802.11 Data, Flags: .p....FT
    Type/Subtype: Data (0x0020)
    Frame Control Field: 0x0843
    .000 0000 0000 0000 = Duration: 0 microseconds
    Receiver address: <redacted>
    Destination address: <redacted>
    Transmitter address: <redacted>
    Source address: <redacted>
    BSS Id: <redacted>
    .... .... .... 0000 = Fragment number: 0
    1000 0101 0010 .... = Sequence number: 2130
    WEP parameters
        Initialization Vector: 0x001f6b
        Key Index: 0
        WEP ICV: 0x00000000 (not verified)
Data (94 bytes)
    Data: 0000aaaa0300000008004500005812ec4000402ffb700a0b...
    [Length: 94]

Looks like it to me...

2 Likes
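
One way to answer the "does encryption really work" question from a capture like the one above without reading frames one by one in Wireshark, as an added example (not code from any poster or from OpenWrt): it reads a tcpdump monitor-mode capture and counts, per transmitter, data frames with and without the Protected flag. The sample capture and the MAC addresses in it are constructed.

```python
import struct
from collections import defaultdict

def protected_by_transmitter(pcap: bytes) -> dict:
    """Map transmitter MAC -> [protected, cleartext] counts of data frames with a payload."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", pcap, 20)[0] != 127:  # LINKTYPE_IEEE802_11_RADIOTAP
        raise ValueError("capture is not 802.11 with radiotap headers")
    stats = defaultdict(lambda: [0, 0])
    off = 24                                    # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(end + "I", pcap, off + 8)[0]
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 4:
            continue
        rt_len = struct.unpack_from("<H", frame, 2)[0]  # radiotap is always little-endian
        dot11 = frame[rt_len:]
        if len(dot11) < 16:
            continue
        ftype, subtype = (dot11[0] >> 2) & 0x3, dot11[0] >> 4
        if ftype != 2 or subtype & 0x4:         # data frames only; skip Null/no-data subtypes
            continue
        ta = dot11[10:16].hex(":")              # Address 2 = transmitter
        stats[ta][0 if dot11[1] & 0x40 else 1] += 1   # 0x40 = Protected Frame flag
    return dict(stats)

# --- constructed sample capture (not from the thread) ---
def _record(fc0: int, flags: int, ta: bytes) -> bytes:
    dot11 = bytes([fc0, flags]) + bytes(8) + ta + bytes(14) + b"constructed"
    frame = struct.pack("<BBHI", 0, 0, 8, 0) + dot11    # minimal 8-byte radiotap header
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

NODE_A, NODE_B = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
          + _record(0x08, 0x43, NODE_A) * 2     # protected data, flags ".p....FT" as above
          + _record(0x08, 0x03, NODE_B)         # cleartext data frame
          + _record(0x80, 0x00, NODE_B)         # beacon: management frame, ignored
          + _record(0xC8, 0x03, NODE_A))        # QoS Null: no payload, ignored

if __name__ == "__main__":
    for mac, (enc, clear) in protected_by_transmitter(SAMPLE).items():
        print(f"{mac}: protected={enc} cleartext={clear}")
```

To use it on a real capture, pass the bytes of the file written by tcpdump (for example /tmp/wireless.cap); a mesh node with a non-zero cleartext count is sending unencrypted data frames. Beacons and other management frames are deliberately not counted.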

Do you also have authsae installed?

No, I don't see it in the output of opkg list-installed.

Ones I see that seem to me to be related are:

  • hostapd-common - 2016-12-19-ad02e79d-7
  • libopenssl - 1.0.2n-1
  • kmod-cfg80211 - 4.4.116+2017-01-31-3
  • kmod-mac80211 - 4.4.116+2017-01-31-3
  • netifd - 2017-01-25-650758b1-1
  • wpad-mesh - 2016-12-19-ad02e79d-7

It also runs with 17.01.4 and its packages. Those versions happen to be what is on them right now.

Edit: When I look at the authsae package, it looks like it hasn't been updated in content since 2015

commit 939175e9f253959fa3d68c1bc85cd985680183ba
Author: John Crispin <john@openwrt.org>
Date:   Tue Nov 24 18:28:35 2015 +0000

The only changes since then have been in the Makefile and the version given is

PKG_SOURCE_DATE:=2014-06-09

hostapd shows

PKG_SOURCE_DATE:=2016-12-19

1 Like

Is libopenssl required for mesh encryption to work?

Edit: Yes libopenssl gets pulled in by wpad-mesh

Package: wpad-mesh
Version: 2016-12-19-ad02e79d-7
Depends: libc, libnl-tiny, libubus, libopenssl

If you do build libopenssl into an image, you might want to set CONFIG_OPENSSL_WITH_COMPRESSION=y otherwise uhttpd won't run TLS successfully, at least as configured by default.