
Note: If you’re looking to secure your hotspot with the newer WPA3 security standard, use this tutorial instead.
As of the current Raspberry Pi OS (Bookworm) running the PIXEL desktop version, if you wish to protect your hotspot with a password using WPA2 or WPA3 security, you cannot do it with the default GUI (or even the nmtui shell app). You’ll need to configure the hotspot using nmcli commands. (Read on.)
A few notes:
- It might be possible to configure WEP security from within the GUI, but I really have no idea because I didn’t even try given WEP’s inherent vulnerabilities.
- The actual software for the network configuration GUI appears to be a part of the PIXEL (aka LXDE) desktop environment. The version of PIXEL that came packaged with my Raspberry Pi OS is lxde-common version: 0.99.2-4. It’s entirely possible (and hopefully likely) that future versions of this desktop environment will eliminate the issues that this post is designed to address. But, until that becomes reality, it’s not happening via the GUI.
Based on my findings, there are 3 NetworkManager settings which are not properly configured by the network configuration GUI when it comes to creating a WPA2 secured hotspot on Raspberry Pi OS:
- The GUI does not properly hash the passphrase into a workable key. (see step #4)
- The GUI does not properly configure the connection protocol to be used. (see step #5)
- The GUI does not properly configure the security algorithm to be used. (see step #6)
So, without further ado, the steps below should allow you to properly secure your wifi hotspot with WPA2-personal using NetworkManager on Raspberry Pi OS.
Step 1: Before beginning to configure your hotspot with WPA2 security, it’s easiest if you simply create an unsecured (aka no password) hotspot using the GUI. Once you’ve created the unsecured hotspot and verified that it is working, go on to step 2.
NOTE: When creating the hotspot, here are a few recommendations:
1. You should specify the band as either “a” (aka 5GHz), or “b/g” (aka 2.4GHz). If you leave the band set with its default value of “automatic”, it tends to create issues. Also, make sure when you’re selecting the band, that you select one that your wifi device is capable of utilizing. It’s worth noting here that many of the USB wifi dongles are 2.4 GHz only.
2. It’s also a good idea to specify the device on which you want your hotspot to operate vs just leaving it blank.
Step 2: For most of the nmcli commands, you’ll need the connection name for the unsecured hotspot you just created.
NOTE: The connection name is not the SSID. However, the connection name and the SSID can be the same if you so desire. Regardless, the connection name will be whatever you specified when making the connection via the GUI in step 1. However, you can also get the connection name using the command:
sudo nmcli con show
pi@RaspberryPi:~ $ sudo nmcli con show
NAME UUID TYPE DEVICE
New_Hotspot 0123456-789a-bcde-f012-3456789abcde wifi edimax
WiFi connection 1 1234567-89ab-cdef-0123-456789abcdef wifi wlan0
lo 2345678-9abc-def0-1234-56789abcdef0 loopback lo
Wired connection 1 3456789-abcd-ef01-2345-6789abcdef01 ethernet --
In the above example, the connection we want to modify is named “New_Hotspot”. Again, your connection will be named whatever you named it via the GUI in step 1.
Step 3: Configure the connection’s method of key management using the command:
sudo nmcli con modify "<connection name>" 802-11-wireless-security.key-mgmt wpa-psk
For example:
pi@RaspberryPi:~ $ sudo nmcli con modify "New_Hotspot" 802-11-wireless-security.key-mgmt wpa-psk
Step 4: For whatever reason, this is the step that seems to be missing from most of the other tutorials I’ve come across on the internet. Regardless… let’s assume that the SSID you used when creating the hotspot was “HOTSPOT” and the desired passphrase for your new hotspot is going to be “Raspbian”. With WPA2, the passphrase with which you configure your connection needs to first be hashed into a 64 character key. The passphrase is hashed using the command:
wpa_passphrase <SSID> <passphrase>
In our example:
pi@RaspberryPi:~ $ wpa_passphrase HOTSPOT Raspbian
network={
ssid="HOTSPOT"
#psk="Raspbian"
psk=42aefd23113e4f9aba4c9d8faf315026107f2e6c0e927a0cda790734eae84cf9
}
Your hashed key is that which follows “psk=”.
You then add this key to your connection using the command:
sudo nmcli con modify "<connection name>" 802-11-wireless-security.psk <key>
In our example:
pi@RaspberryPi:~ $ sudo nmcli con modify "New_Hotspot" 802-11-wireless-security.psk 42aefd23113e4f9aba4c9d8faf315026107f2e6c0e927a0cda790734eae84cf9
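The derivation behind step 4, as an added example (not code from the original post): the 64-character key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, 4096 iterations and a 32-byte output, so a key computed for one SSID will not work if the hotspot is later renamed. The function names are hypothetical, and the sample SSID/passphrase pairs in the demo are the published IEEE 802.11 test vectors plus the tutorial's own example names.

```python
import hashlib

def derive_wpa2_psk(ssid: str, passphrase: str) -> str:
    """Return the 64-hex-character key that follows "psk=" in wpa_passphrase output."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    # The SSID is the salt: same passphrase + different SSID = different key.
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid_bytes, 4096, dklen=32)
    return key.hex()

def psk_command(connection: str, ssid: str, passphrase: str) -> list:
    """Build the step 4 nmcli command as an argument list (no shell quoting issues)."""
    return ["sudo", "nmcli", "con", "modify", connection,
            "802-11-wireless-security.psk", derive_wpa2_psk(ssid, passphrase)]

if __name__ == "__main__":
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
    print(derive_wpa2_psk("IEEE", "password"))
    # Renaming the SSID changes the key even though the passphrase is unchanged.
    print(derive_wpa2_psk("IEEE-renamed", "password"))
    # The tutorial's connection name, SSID and passphrase.
    print(" ".join(psk_command("New_Hotspot", "HOTSPOT", "Raspbian")))
```

If you change the hotspot's SSID after step 4, derive the key again with the new SSID and repeat steps 4 and 7.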
Step 5: Configure the connection protocol using the command:
sudo nmcli con modify "<connection name>" 802-11-wireless-security.proto wpa
In our example:
pi@RaspberryPi:~ $ sudo nmcli con modify "New_Hotspot" 802-11-wireless-security.proto wpa
Step 6: Configure the security algorithm using the command:
sudo nmcli con modify "<connection name>" 802-11-wireless-security.pairwise ccmp
In our example:
pi@RaspberryPi:~ $ sudo nmcli con modify "New_Hotspot" 802-11-wireless-security.pairwise ccmp
Step 7: Restart the hotspot connection using the 2 commands:
sudo nmcli con down "<connection name>"
sudo nmcli con up "<connection name>"
In our example:
pi@RaspberryPi:~ $ sudo nmcli con down "New_Hotspot"
pi@RaspberryPi:~ $ sudo nmcli con up "New_Hotspot"
Step 8: At this point, you should have a properly WPA2 secured (and working) hotspot connection and you should be able to get your laptop or phone to connect to the Pi’s Wifi. However, there are a few things to consider:
- If you don’t also have the pi connected to the internet via wire or another wireless radio, anything you connect to it won’t have internet access either.
- Not long ago, the default configuration within the OS was to prohibit network forwarding. However, my clean install of Bookworm already had it set to allow forwarding. If you can connect to the wifi, but not get to the pi’s internet connection, you’ll want to make sure that you have forwarding enabled.
- Once you have things working, it’s unadvisable to ever edit the hotspot’s connection via the GUI. This is because doing so will delete the connection’s protocol and security algorithm settings you configured in steps 5 and 6. Fortunately, if you do happen to make this mistake, you can correct it simply by repeating steps 5, 6, and 7.
- If you’re using this as some kind of router that needs to secure the connected devices from the pi’s other network, you’ll want to install and configure a firewall as well.
- In the old days, we had to configure NAT whenever we set up an AP like this. However, NetworkManager makes this all happen automagically.
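A check for the GUI-edit problem described above, as an added example (not from the original post): it reads back the three properties set in steps 3, 5 and 6 and reports which steps need repeating. It assumes the text comes from `nmcli -t -f <property list> con show "<connection name>"` and that terse output is one `property:value` line per property; both sample outputs below are constructed, and the function names are hypothetical.

```python
# Values this tutorial sets, mapped to the step that sets them.
EXPECTED = {
    "802-11-wireless-security.key-mgmt": ("wpa-psk", 3),
    "802-11-wireless-security.proto": ("wpa", 5),
    "802-11-wireless-security.pairwise": ("ccmp", 6),
}

def parse_terse(output: str) -> dict:
    """Parse 'property:value' lines (assumed nmcli terse layout) into a dict."""
    settings = {}
    for line in output.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            settings[name.strip()] = value.strip()
    return settings

def steps_to_repeat(output: str) -> list:
    """Return the tutorial step numbers to redo, ending with step 7 (restart)."""
    settings = parse_terse(output)
    steps = []
    for prop, (want, step) in EXPECTED.items():
        raw = settings.get(prop, "")
        # An unset property may appear as empty or as "--"; treat both as missing.
        values = [] if raw in ("", "--") else [v.strip() for v in raw.split(",")]
        if values != [want]:
            steps.append(step)
    if steps:
        steps.append(7)
    return steps

# Constructed sample: connection as left by steps 3 to 6.
CONFIGURED = """802-11-wireless-security.key-mgmt:wpa-psk
802-11-wireless-security.proto:wpa
802-11-wireless-security.pairwise:ccmp
"""

# Constructed sample: proto and pairwise cleared after an edit in the GUI.
AFTER_GUI_EDIT = """802-11-wireless-security.key-mgmt:wpa-psk
802-11-wireless-security.proto:
802-11-wireless-security.pairwise:
"""

if __name__ == "__main__":
    print(steps_to_repeat(CONFIGURED))
    print(steps_to_repeat(AFTER_GUI_EDIT))
```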
Hopefully someone finds this info to be helpful. If that happens to be you, let me know.