OpenWrt manages wireless through the /etc/config/wireless UCI file. The wifi-scripts package (and underlying mac80211 / hostapd) reads this file and configures both the radio hardware and the virtual access points running on top of it.
File structure
The wireless config file uses two section types:
| Section type | Purpose |
|---|
config wifi-device | Radio hardware — one section per physical radio |
config wifi-iface | Virtual interface — one per SSID/mode on a radio |
wifi-device) can host multiple virtual interfaces (wifi-iface), each with its own SSID, encryption, and network association.
wifi-device — radio hardware options
| Option | Description |
|---|
type | Driver type, always mac80211 on modern OpenWrt |
path | Kernel device path (set automatically by wifi config) |
band | Radio band: 2g, 5g, 6g, or 60g |
channel | Channel number or auto |
htmode | Channel width: HT20, HT40, VHT80, VHT160, HE80, etc. |
txpower | Transmit power in dBm (auto to use driver default) |
country | ISO 3166-1 country code (required for regulatory compliance) |
disabled | Set to 1 to disable the radio |
wifi-iface — virtual AP/station options
| Option | Description |
|---|
device | Name of the parent wifi-device (e.g. radio0) |
mode | Operation mode: ap, sta, adhoc, monitor, mesh |
ssid | Network name (up to 32 characters) |
bssid | Override the BSSID/MAC (optional) |
network | Logical interface name to attach to (links to /etc/config/network) |
encryption | Encryption type (see table below) |
key | Pre-shared key for WPA modes |
hidden | Set to 1 to suppress SSID broadcast |
isolate | Set to 1 to block client-to-client traffic |
ieee80211r | Set to 1 to enable fast BSS transition (802.11r) |
ieee80211w | Management frame protection: 0 off, 1 optional, 2 required |
disabled | Set to 1 to disable this interface without removing it |
Encryption values
encryption value | Description |
|---|
none | Open network, no encryption |
psk | WPA-Personal (TKIP) |
psk2 | WPA2-Personal (CCMP/AES) |
psk+psk2 | WPA/WPA2 mixed mode |
psk2+ccmp | WPA2-Personal, CCMP only |
sae | WPA3-Personal (SAE) |
sae-mixed | WPA2/WPA3 transition mode |
wpa2 | WPA2-Enterprise (requires RADIUS config) |
wpa3 | WPA3-Enterprise |
Configuration examples
Basic WPA2
WPA3 / SAE
Multiple SSIDs
Station (client) mode
A typical home router setup with one 2.4 GHz radio and one 5 GHz radio, each broadcasting a single WPA2 SSID.config wifi-device 'radio0'
option type mac80211
option path 'platform/ahb/18100000.wmac'
option band 2g
option channel 6
option htmode HT20
option country US
config wifi-iface 'default_radio0'
option device radio0
option mode ap
option network lan
option ssid MyHomeNetwork
option encryption psk2
option key 'mysecretpassword'
config wifi-device 'radio1'
option type mac80211
option path 'pci0000:00/0000:00:00.0'
option band 5g
option channel 36
option htmode VHT80
option country US
config wifi-iface 'default_radio1'
option device radio1
option mode ap
option network lan
option ssid MyHomeNetwork_5G
option encryption psk2
option key 'mysecretpassword'
WPA3-Personal using SAE. Recommended for new deployments. Management frame protection (ieee80211w) must be set to 2 (required) for pure WPA3.config wifi-iface 'default_radio1'
option device radio1
option mode ap
option network lan
option ssid MySecureNetwork
option encryption sae
option key 'mysecretpassword'
option ieee80211w 2
config wifi-iface 'default_radio1'
option device radio1
option mode ap
option network lan
option ssid MyNetwork
option encryption sae-mixed
option key 'mysecretpassword'
option ieee80211w 1
You can define multiple wifi-iface sections that reference the same wifi-device to broadcast several SSIDs from one radio. A common pattern is a private LAN SSID and an isolated guest SSID.config wifi-device 'radio0'
option type mac80211
option path 'platform/ahb/18100000.wmac'
option band 2g
option channel auto
option htmode HT20
option country US
# Private SSID — bridged to LAN
config wifi-iface 'priv_radio0'
option device radio0
option mode ap
option network lan
option ssid HomeNetwork
option encryption psk2
option key 'privatepassword'
# Guest SSID — bridged to a separate guest interface
config wifi-iface 'guest_radio0'
option device radio0
option mode ap
option network guest
option ssid HomeNetwork-Guest
option encryption psk2
option key 'guestpassword'
option isolate 1
The guest logical interface must be defined in /etc/config/network with its own subnet, DHCP pool, and firewall zone. Client isolation (option isolate 1) prevents guest clients from communicating with each other at the Wi-Fi layer.
Connect the router to an upstream Wi-Fi network as a wireless client.config wifi-iface 'wwan'
option device radio0
option mode sta
option network wwan
option ssid UpstreamNetwork
option encryption psk2
option key 'upstreampassword'
config interface 'wwan' entry in /etc/config/network:config interface 'wwan'
option proto dhcp
Applying wireless changes
Edit the configuration
Modify /etc/config/wireless directly or use UCI commands:uci set wireless.default_radio0.ssid='NewSSID'
uci set wireless.default_radio0.key='newpassword'
uci commit wireless
Reload wireless
Apply changes to all radios without fully restarting:To restart a specific radio only:wifi down radio0
wifi up radio0
Check status
Verify the radio and associated clients:# Show all wireless interface status
wifi status
# Show associated clients on a specific interface
iw dev wlan0 station dump
# Show radio info
iw dev
wifi reload briefly disrupts all wireless clients. For a live production router, prefer making incremental UCI changes and reloading only the affected radio where possible.
Auto-detecting radio hardware
When setting up a new device or after a factory reset, run:
This detects the available radios and generates default wifi-device and wifi-iface sections in /etc/config/wireless. The generated config has all interfaces disabled (option disabled 1) by default — set a key and remove the disabled line before running wifi up.