Skip to content

Access point settings

Basics

After running the Quick installer, Docker setup or following the manual installation steps, RaspAP will start up a routed wireless access point (AP) with a default configuration. As part of this initial setup, the hostapd service broadcasts an AP with the following settings:

Interface: wlan0
SSID: raspi-webgui
Wireless Mode: 802.11n - 2.4GHz
Channel: 1
Security Type: WPA2
Encryption Type: CCMP
Passphrase: ChangeMe

Each of these settings may be changed on the Hotspot > Basic and Security tabs to any values you wish. Your changes will be applied and made visible on the broadcasted AP by choosing Save settings followed by Restart hotspot.

At this point, a dialog will appear to indicate the progress of the RaspAP service. This is a Linux systemd process that is responsible for starting up several network services in a specific order and timing.

Connecting clients

When the AP is operational, you may connect clients to it by using one of two methods:

  1. Select the SSID from the list of available networks on your device and enter the passphrase.
  2. Scan the QR code displayed on the Hotspot > Security tab and join the AP.

By default, clients are assigned IP addresses from the DHCP range 10.3.141.50 — 10.3.141.254. These values may be changed in the DHCP options section of the DHCP server settings UI. If for some reason a client is unable to obtain an IP address from your AP, consult this FAQ.

802.11ac 5 GHz

For devices with compatible wireless hardware, RaspAP version 3.0 largely removes the guesswork in creating a 5 GHz access point. It achieves this by being tightly integrated with the wireless regulatory database used by the Linux kernel. Behind the scenes, RaspAP queries iw and intelligently matches its output with the 5 GHz channels allowed by hostapd, the user space daemon access point software.

From the Hotspot > Advanced tab, select your country from the dropdown then choose Save settings. This sets the wireless regulatory domain for your device. Now, on the Hotspot > Basic tab choose an interface and select the 802.11ac - 5 GHz wireless mode option. RaspAP will automatically populate the available 5 GHz channels for your country. Select a channel followed by Save settings, then Start or Restart hotspot.

Tip

Not all AC channels may be compatible with your hardware. If your hotspot fails to start, enable hostapd service logging by sliding the Logfile output toggle on the Hotspot > Logging tab, followed by Save settings, then Restart hotspot. See this FAQ for more assistance.

If the Channel dropdown and Save settings button are disabled, refer to this FAQ.

Security settings

WPA2 is currently the most secure standard utilizing AES (Advanced Encryption Standard) and a pre-shared key for authentication. WPA2 is also backwards compatible with TKIP to allow interoperability with legacy devices. AES uses the CCMP encryption protocol which is a stronger algorithm for message integrity and confidentiality.

By default, RaspAP's access point is configured with WPA2 and CCMP encryption. You may of course change this to allow legacy clients (older mobile devices, for example) by selecting TKIP+CCMP as the encryption type. Choose Save settings and Restart hotspot for your changes to take effect.

WPA3-Personal

Experimental · Insiders only

WPA3 is an improved encryption standard, thanks to Simultaneous Authentication of Equals (SAE) which replaces the Pre-Shared Key (PSK) authentication method used in prior WPA versions. WPA3-Personal allows for better password-based authentication even when using simple passphrases. In general, WPA3-Personal networks with simple passphrases are more difficult to crack by using brute-force, dictionary-based methods, as with WPA/WPA2.

WPA3 also requires the use of Protected Management Frames (PMFs) to increase network security. If you wish to connect AP clients that may not have support for WPA3-Personal or PMFs, a transitional security mode is also available.

Note

The Raspberry Pi's onboard wireless chipsets do not currently support the WPA3 standard. For this reason, in order to use this setting you will need to configure your AP with an external wireless adapter that supports WPA3.

802.11w

Experimental · Insiders only

The 802.11w amendment was introduced as a way to secure Wi-Fi management frames against attacks by ensuring that these frames are legitimately exchanged between an AP and its clients, rather than a malicious third-party. These 802.11w Protected Management Frames (PMFs) can mitigate common types of "deauthentication" and "disassociation" attacks.

Similar to WPA3-Personal, 802.11w may be configured in one of two modes: enabled and required. Enabled allows for mixed operation by allowing legacy devices that do not support 802.11w to associate while also allowing devices that support 802.11w to use the PMF features. Required will prevent clients that do not support 802.11w from associating with the SSID.

Drag & drop widgets

Experimental · Insiders only

The default dashboard layout may be customized to suit your needs. Enable this option from the System > Theme menu by selecting the Dynamic widgets toggle. Next, from the Dashboard click or tap the icon to modify the widgets. Each widget may be resized, dragged and repositioned. Release the widget to drop it into a new location.

Tip

This option works best for large displays. The default dashboard widgets are optimized for mobile devices and smaller displays.

Click or tap the icon a second time when you're done making changes. The new responsive dashboard layout will be saved to your browser's local storage.

Printable signs

Experimental · Insiders only

Beneath the QR code on the Hotspot > Security tab, you will find a link to open a "Wi-Fi connect" sign suitable for printing. Click or tap the link after the printer icon to open a new window with your hotspot's QR code, SSID and password neatly formatted.

To print, select File > Print from your browser's toolbar and adjust print preferences as needed. This feature can be especially useful if you operate a public wireless access point. You may also opt to integrate a captive portal for your visitors.

Advanced options

The above sections cover everything you will need for a basic routed AP. The Hotspot > Advanced tab has several options that allow you to control advanced settings for the Linux hostapd service. These are discussed in the following sections.

Bridged AP mode

If you wish to configure RaspAP as a bridged AP, this may be done by sliding the Bridged AP mode toggle, saving settings and restarting the hotspot. Be aware that when the hotspot restarts you will no longer be able to access the web interface from the default 10.3.141.1 address. Refer to this explanation and tips for administering your bridged AP.

WiFi repeater mode

Experimental · Insiders only

RaspAP is capable of acting as a wireless repeater to connect to your wireless network and rebroadcast an existing signal. This requires configuring interface metrics and default routes with DHCP. Alternatively, enabling the WiFi repeater mode toggle will create these settings for you automatically.

WiFi repeater mode

Save settings and choose Restart hotspot to active the wireless repeater. As with AP-STA mode, described below, this option is disabled or "greyed out" until a wireless client is configured.

WiFi client AP mode

RaspAP has support for this special mode, also known as a micro-AP or simply AP-STA. Typically this can be difficult to configure manually, but RaspAP performs most of the config work behind the scenes for you.

Note

This option is disabled or "greyed out" until a wireless client is configured. This can be done via the WiFi client UI, or by manually configuring a valid wpa_supplicant.conf.

Before using this mode, it is recommended that users familiarize themselves with how AP-STA works. Users of AP-STA mode should also be aware of its limitations, and understand that performance and stability of this AP mode will not be equal to using a second wireless adapter bound to a separate interface. For the latter, refer to this FAQ.

Beacon interval

Wireless APs continuously send beacon frames to indicate their presence, traffic load, and capabilities. The default hostapd beacon interval is 100ms. If desired, you may change this to any value between 15 and 65535.

Disable disassoc_low_ack

An AP may disassociate a client due to inactivity, transmission failures or other indications of connection loss. This phenomenon can usually be observed in the hostapd logs like so:

wlan0: AP-STA-DISCONNECTED 24:62:ab:fd:24:34
wlan0: STA 24:62:ab:fd:24:34 IEEE 802.11: disassociated
wlan0: STA 24:62:ab:fd:24:34 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)

This option sets the disassoc_low_ack boolean value for hostapd. Be aware that this value is dependent on driver capabilities. Moreover, hostapd may disassociate a client (or station) for a variety of reasons, so this is not a silver bullet.

Transmit power

RaspAP allows you to control the transmit power of the configured AP interface. The default "auto" setting will suffice for the vast majority of APs. A lower txpower value can be useful to mitigate WiFi radio interference, for example if you are hosting multiple APs in a given area. It can also be advantageous to set txpower to a lower value in IoT or similar applications where reduced power consumption is needed.

Set the transmit power by selecting a value from the dropdown and choosing Save settings. The transmit power setting is expressed as dBm, or decibels (dB) with reference to one milliwatt (mW). It is not necessary to restart the AP for this to take effect.

Maximum number of clients

This option sets the max_num_sta value for hostapd, and is effective for placing a limit on the number of clients (stations) that can connect to your AP. When the limit is reached, new client connections will be rejected.

Note

The default setting is 2007, but this is merely the value set by hostapd from the IEEE 802.11 specification. It should not be interpreted as a guarantee that RaspAP can support this many simultaneous clients. In practice, this number depends on several factors and is a much lower value, as discussed in this FAQ.

Custom user settings

RaspAP gives you control over many common AP settings via the Hotspot > Basic, Security and Advanced tabs. However, hostapd has lots of other options that aren't exposed in the management UI. For this reason, RaspAP lets advanced users define any number of valid hostapd settings by adding them to a custom configuration file.

Begin by creating /etc/hostapd/hostapd.conf.users on your device's filesystem, then add your desired settings to this file. For example, to enable hostapd's built-in support for MAC address filtering, you may add the following:

# Accept/deny lists are read from separate files (containing list of
# MAC addresses, one per line).
accept_mac_file=/etc/hostapd.accept
deny_mac_file=/etc/hostapd.deny

Next, choose Hotspot > Save settings to parse this file and append your custom settings to RaspAP's hostapd configuration. Finally, choose Hotspot > Restart hotspot for your changes to take effect.

Tip

Direct manipulation of advanced hostapd settings may lead to your AP failing to start and/or other unanticipated behavior. For this reason, it's advisable to enable service logging on the Hotspot > Logging tab and monitor the log output for errors.

Discussions

Questions or comments about using access point settings? Join the discussion here.