After I finished setting up a dedicated guest VLAN in virtualized OPNsense and re-flashing my trusted second-hand Asus AC-68U from DD-WRT to FreshTomato, I finally had a great wifi setup that I am happy with (for now). That is, until my friends and family traveled to California to attend my wedding and it was time for my “great” and “secure” guest wifi to hit prime time.
Living in a cramped apartment complex, I generally hesitate to keep unneeded access points broadcasting all the time. First, it increases the attack surface, which is a minor deal as long as the AP setup is secured with WPA. Second, it’s a personal principle of optimization and efficiency. Why leave a wifi network that is unused 99% of the time broadcasting just so that 1% of the time I don’t have to go and manually turn it on? Hence, up to this point the guest AP was disabled in my FreshTomato interface and I had totally forgotten about it. Once my family arrived at my apartment, they hit me with the great responsibility. “What’s the wifi?” they asked. With two handfuls of suitcases, I started mumbling, sweating, and frantically working through my manual process of re-enabling the guest wifi.

I now had to start up my slow triple-boot laptop, get to the router’s admin page, type in my admin password, click through “Advanced → Virtual Wireless → wl1.2 row → check enabled → click on OK → click on Save” and finally wait for the wireless interface to restart and the guest wifi to come online. This would have been an OK process, but after having to repeat it for several friends and family members throughout the 1-month span, I wanted/needed a better engineered solution. Well, what if I told you that I could turn the guest wifi on/off with the Google Homes around the apartment?

With Home Assistant, Google Assistant, and secured SSL all previously in place, I was ready to add voice-controlled guest wifi to my overly engineered home automation bucket list. First, I have to enable key-based SSH access on the FreshTomato interface so my dockerized Home Assistant can log onto it to toggle the guest wifi. Log into the router’s admin page, navigate to “Administration” → “Admin Access” and scroll down to the SSH Daemon section. Check “Enable at Startup”, uncheck “Allow Password Login”, and finally add the public SSH key that I generated for Home Assistant to use. As a friendly reminder, never ever use/expose your private SSH key(s)!

Next, we need to figure out the actual CLI commands that toggle the guest wifi virtual interface. At first, I tried using the commands from the official FreshTomato wiki, but the WL binary actually turns off my entire 5G chipset instead of just the guest wifi. Hence, after a bit of googling, I was able to find the right commands thanks to the folks at the Linksysinfo.org forum. Here’s the final command that my Home Assistant executes:

    ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /config/.ssh/id_rsa [email protected] 'sleep 10; int=wl1.2; if [ $(nvram get ${int}_radio) -eq 0 ]; then nvram set ${int}_bss_enabled=1 && nvram set ${int}_radio=1 && nvram commit && service wireless restart; else nvram set ${int}_bss_enabled=0 && nvram set ${int}_radio=0 && nvram commit && service wireless restart; fi'

Essentially, by checking the nvram configuration of the wlx.x (i.e. wl1.2 in my case) interface, we can commit the opposite value and restart the wireless service to bring the guest network up/down. Once the command was tested successfully inside the docker instance, I simply added it into my Home Assistant YAML and exposed it to the Google integration. Now I can turn my guest network on/off with just my voice without even sweating!
One last note: since all my Google Homes are connected to the same wifi network, which gets disconnected as part of the process, I had to add a 10-second delay at the start of the ssh command so Google Assistant doesn’t freak out when it loses connection midway through.
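
The command above turns off SSH host key verification and uses a key that can run anything on the router. The following is an added example, not part of the original post, of a router-side script that accepts only `on`, `off` and `status`; the script path, the `known_hosts` path, the `GUEST_INT`/`GUEST_DELAY` variables and forced-command support in the router's SSH daemon are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Router-side script, hypothetical
# path /jffs/guest-wifi.sh. nvram keys and the restart command are the post's.
# Assumption: the router's SSH daemon honours an authorized_keys prefix such as
#   command="/jffs/guest-wifi.sh",no-pty,no-port-forwarding ssh-rsa AAAA...
# and exports the client's request in SSH_ORIGINAL_COMMAND.
# Client side (known_hosts path is hypothetical; pin the router key once):
#   ssh -o UserKnownHostsFile=/config/.ssh/known_hosts \
#       -o StrictHostKeyChecking=yes -i /config/.ssh/id_rsa <user>@<router> on

INT="${GUEST_INT:-wl1.2}"    # guest virtual interface, wl1.2 in the post

guest_state() {
    if [ "$(nvram get "${INT}_radio")" = "1" ]; then echo on; else echo off; fi
}

guest_set() {
    case "$1" in
        on)  val=1 ;;
        off) val=0 ;;
        *)   return 2 ;;
    esac
    # Already in the requested state: skip the disruptive wireless restart.
    if [ "$(guest_state)" = "$1" ]; then return 0; fi
    nvram set "${INT}_bss_enabled=${val}" &&
        nvram set "${INT}_radio=${val}" &&
        nvram commit &&
        service wireless restart
}

# Accept exactly three requests; anything else (including shell syntax) is refused.
guest_dispatch() {
    case "$1" in
        on|off) sleep "${GUEST_DELAY:-10}"; guest_set "$1" ;;
        status) guest_state ;;
        *)      echo "denied" >&2; return 1 ;;
    esac
}

# Runs only when invoked through sshd as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    guest_dispatch "$SSH_ORIGINAL_COMMAND"
fi
```

Explicit `on`/`off` requests also make the voice command idempotent: asking for a state the interface is already in does not restart the wireless service.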
