
Note: If you’re looking to secure your hotspot with the older WPA2 security standard (for older clients that cannot utilize WPA3), use this tutorial instead.
I recently performed a clean install of Raspberry Pi OS (the 64 bit version of Bookworm) on my Pi 3B+. With this particular pi, I have 2 wireless radios:
- the default one that is part of the Pi 3B+, and
- an Edimax EW-7811Un USB dongle.
I like to use this pi when I travel as a simple “travel router”, hence the 2 radios. Prior to Bookworm, the default WiFi manager on Raspberry Pi OS was “Wicd”. However, starting with Bookworm, the default network manager is now “NetworkManager”. Upon installing this new OS and attempting to create my hotspot as I did with my previous operating system (32 bit Buster), I ran into (what I ultimately discovered to be) many of the same issues that numerous others have also encountered while attempting to create a hotspot with Bookworm. In a nutshell, you can create a hotspot just using the default GUI that is packaged with PIXEL (the default desktop environment)… so long as you do not secure your network with a password. However, if you wish to protect your hotspot with a password using WPA2 or WPA3 security, you cannot do it with the default GUI (or even the nmtui shell app). You’ll need to configure the hotspot using nmcli commands. (read on)
A few notes:
- It might be possible to configure WEP security from within the GUI, but I really have no idea because I didn’t even try given WEP’s inherent vulnerabilities.
- The actual software for the network configuration GUI appears to be a part of the PIXEL (aka LXDE) desktop environment. The version of PIXEL that came packaged with my Raspberry Pi OS is lxde-common version: 0.99.2-4. It’s entirely possible (and hopefully likely) that future versions of this desktop environment will eliminate the issues that this post is designed to address. But, until that becomes reality, it’s not happening via the GUI.
Based on my findings, there are 2 NetworkManager settings which are not properly configured by the network configuration GUI when it comes to creating a WPA3 secured hotspot on Raspberry Pi OS:
- The GUI does not properly configure the connection protocol to be used. (see step #5)
- The GUI does not properly configure the security algorithm to be used. (see step #6)
So, without further ado, the steps below should allow you to properly secure your wifi hotspot with WPA3 personal using NetworkManager on Raspberry Pi OS.
Step 1: Before beginning to configure your hotspot with WPA3 security, it’s easiest if you simply create an unsecured (aka no password) hotspot using the GUI. Once you’ve created the unsecured hotspot and verified that it is working, go on to step 2.
NOTE: When creating the hotspot, here are a few recommendations:
1. You should specify the band as either “a” (aka 5GHz), or “b/g” (aka 2.4GHz). If you leave the band set with its default value of “automatic”, it tends to create issues. Also, make sure when you’re selecting the band, that you select one that your wifi device is capable of utilizing. It’s worth noting here that many of the USB wifi dongles are 2.4 GHz only.
2. It’s also a good idea to specify the device on which you want your hotspot to operate vs just leaving it blank.
Step 2: For most of the nmcli commands, you’ll need the connection name for the unsecured hotspot you just created.
NOTE: The connection name is not the SSID. However, the connection name and the SSID can be the same if you so desire. Regardless, the connection name will be whatever you specified when making the connection via the GUI in step 1. However, you can also get the connection name using the command:
sudo nmcli con show
pi@RaspberryPi:~ $ sudo nmcli con show
NAME UUID TYPE DEVICE
New_Hotspot 0123456-789a-bcde-f012-3456789abcde wifi edimax
WiFi connection 1 1234567-89ab-cdef-0123-456789abcdef wifi wlan0
lo 2345678-9abc-def0-1234-56789abcdef0 loopback lo
Wired connection 1 3456789-abcd-ef01-2345-6789abcdef01 ethernet --
In the above example, the connection we want to modify is named “New_Hotspot”. Again, your connection will be named whatever you named it via the GUI in step 1.
Step 3: Configure the connection’s method of key management using the command:
sudo nmcli con modify "<connection name>" 802-11-wireless-security.key-mgmt sae
In our example:
pi@RaspberryPi:~ $ sudo nmcli con modify "New_Hotspot" 802-11-wireless-security.key-mgmt sae
Step 4: Let’s assume that the desired password for your new hotspot is going to be “Raspbian”. You can modify your connection with this password using the command:
sudo nmcli con modify "<connection name>" 802-11-wireless-security.psk "<password>"
In our example:
pi@RaspberryPi:~ $ sudo nmcli con modify "New_Hotspot" 802-11-wireless-security.psk Raspbian
Step 5: Configure the connection protocol using the command:
sudo nmcli con modify "<connection name>" 802-11-wireless-security.proto rsn
In our example:
pi@RaspberryPi:~ $ sudo nmcli con modify "New_Hotspot" 802-11-wireless-security.proto rsn
Step 6: Configure the security algorithm using the command:
sudo nmcli con modify "<connection name>" 802-11-wireless-security.pairwise ccmp
In our example:
pi@RaspberryPi:~ $ sudo nmcli con modify "New_Hotspot" 802-11-wireless-security.pairwise ccmp
Step 7: Restart the hotspot connection using the 2 commands:
sudo nmcli con down "<connection name>"
sudo nmcli con up "<connection name>"
In our example:
pi@RaspberryPi:~ $ sudo nmcli con down "New_Hotspot"
pi@RaspberryPi:~ $ sudo nmcli con up "New_Hotspot"
Step 8: At this point, you should have a properly WPA3 secured (and working) hotspot connection and you should be able to get your laptop or phone to connect to the Pi’s Wifi. However, there are a few things to consider:
- If you don’t also have the pi connected to the internet via wire or another wireless radio, anything you connect to it won’t have internet access either.
- Not long ago, the default configuration within the OS was to prohibit network forwarding. However, my clean install of Bookworm already had it set to allow forwarding. If you can connect to the wifi, but not get to the pi’s internet connection, you’ll want to make sure that you have forwarding enabled.
- Once you have things working, it’s inadvisable to ever edit the hotspot’s connection via the GUI. This is because doing so will delete the connection’s protocol and security algorithm settings you configured in steps 5 and 6. Fortunately, if you do happen to make this mistake, you can correct it simply by repeating steps 5, 6, and 7.
- If you’re using this as some kind of router that needs to secure the connected devices from the pi’s other network, you’ll want to install and configure a firewall as well.
- In the old days, we had to configure NAT whenever we set up an AP like this. However, NetworkManager makes this all happen automagically.
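A way to check that the values set in steps 3, 5 and 6 are still in place, for example after someone has edited the connection in the GUI (an added example, not part of the original post). It assumes that `nmcli -t -f <fields> con show <name>` prints one terse `property:value` line per field; the script name and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit a hotspot profile for the
# WPA3 settings applied in steps 3, 5 and 6.

# Expected property:value pairs, taken from the steps above.
EXPECTED='802-11-wireless-security.key-mgmt:sae
802-11-wireless-security.proto:rsn
802-11-wireless-security.pairwise:ccmp'

# Constructed sample: terse nmcli output after a GUI edit cleared proto/pairwise.
SAMPLE_AFTER_GUI_EDIT='802-11-wireless-security.key-mgmt:sae
802-11-wireless-security.proto:
802-11-wireless-security.pairwise:'

# audit_wpa3 reads "property:value" lines on stdin and prints one line per
# property that is missing or differs. Returns 0 if all match, 1 otherwise.
audit_wpa3() {
    local actual want prop val got drift=0
    actual=$(cat)
    while IFS= read -r want; do
        prop=${want%%:*}
        val=${want#*:}
        got=$(printf '%s\n' "$actual" |
              awk -F: -v p="$prop" '$1 == p { print $2; exit }')
        # Non-terse nmcli output shows unset values as "--"; treat as empty.
        if [ "$got" = "--" ]; then got=""; fi
        if [ "$got" != "$val" ]; then
            printf '%s: expected "%s", found "%s"\n' "$prop" "$val" "$got"
            drift=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$drift"
}

# Usage: ./audit_hotspot.sh "New_Hotspot"   (script name is hypothetical)
if [ "$#" -eq 1 ] && command -v nmcli >/dev/null 2>&1; then
    fields=$(printf '%s\n' "$EXPECTED" | cut -d: -f1 | paste -sd, -)
    if sudo nmcli -t -f "$fields" con show "$1" | audit_wpa3; then
        echo "OK: $1 has key-mgmt=sae, proto=rsn, pairwise=ccmp"
    else
        echo "Drift found: re-apply the listed settings, then repeat step 7"
    fi
else
    # No connection name given: run against the constructed sample instead.
    printf '%s\n' "$SAMPLE_AFTER_GUI_EDIT" | audit_wpa3 || true
fi
```

Run with no argument, it audits the constructed sample and reports the two cleared properties; run with a connection name on the Pi, it audits the live profile.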
Hopefully someone finds this info to be helpful. If that happens to be you, let me know.