One step further for #OpenHarbors with my #tc hackery/prototype. The client/supplicant seems to now receive the #EAPoL from the remote, bridged AP fine and replies to it. Next need to get the reply back to the remote AP.
Initially wasn't sure if I could get EAPoL injected like this. But as long as the MAC address is the same as the original authenticator then it seems to work. Did a bit of skb marking via tc to drop and allow the correct frames.

So, some small progress for #OpenHarbors. Currently trying to see how far I can get with what #hostapd, #wpasupplicant and Linux in general already provide and hacks around that. With control_port=0 and some #tc rules I was able to snitch the initial #EAPOL frame from hostapd and was able to forward it to a remote host. After that I took a little "detour" to play with more hostapd options and adding debug code to see if I could somehow make hostapd to avoid EAPOL, hoping to use less tc hacks.

Ok, some initial, interesting findings for #OpenHarbors. hostapd uses a separate control port (over netlink?) these days for EAPoL, instead of sharing the wlan0 network interface. This might explain the commit "kernel: remove 640-bridge-only-accept-EAP-locally.patch" in #OpenWrt, why this non-upstream kernel patch could finally be removed?
I also figured out that I could get EAPoL over wlan0 again via "driver_params=control_port=0" in a hostapd.conf.

Yaiy! I'm super excited, have gotten accepted for funding from @nlnet!!! This will finally give me the opportunity to work on this project idea that has been on my mind for quite a while now: https://nlnet.nl/project/OpenHarbors/
Which will hopefully create a ton of new possibilities for wireless community #MeshNetworks like @freifunk, #FunkFeuer, #Gufi, #Altermundi, NYC @mesh etc.
#OpenHarbors #WPAoverL2TP #WPAoverIP #Freifunk #mesh #hostapd #Linux #OpenWrt #eduroam (#OpenRoaming #OpenWISP #VPN)