
Frequently Asked Questions

What does SPR stand for?

SPR stands for Secure Programmable Router.

What is SPR?

SPR is Linux software for running a hardened wifi network that also makes it easy to add and manage devices. Devices are isolated into individual VLANs and then connected securely into the rest of the network.

How is SPR different from OpenWRT?

  • SPR is built to support the leading edge of Linux’s networking features, while applying best in class security practices and modern coding standards. The focus is on making usable micro-segmentation with zero-trust networking possible, which is not simple to configure with OpenWRT.
  • OpenWRT powers many of the proprietary consumer wifi routers on the market today and was originally intended as a replacement for proprietary embedded firmware. Some routers allow replacing the vendor’s OpenWRT with open source builds of the OpenWRT firmware.
  • SPR is designed to run in docker containers on systems with a bit more memory and storage, opening up many possibilities like hosting voice assistants, network fuzzers, and media servers. However, it likely won’t work as a replacement for embedded router firmware.
  • OpenWRT tries to optimize builds for embedded devices without much storage space or memory. It supports a tremendous range of devices and hardware, although older devices are losing support due to storage and memory limitations.
  • SPR is built mostly with golang and a react frontend. Where possible, memory-safe languages with good security track records are preferred over native code such as C or code that is difficult to write securely, like PHP.
  • OpenWRT is built mostly with C, Shell Scripts, and Lua/LUCI for the web front end.

How do I update SPR?

You do not need to reflash your system. From the UI: go to System Info -> SPR Release. You can run Check to see if there's an update and hit Update.

From the CLI: go to the SPR directory (/home/spr/super/) and run:

cd /home/spr/super
git pull
docker compose pull
docker compose up -d

How is SPR different from an ordinary network and what is a supernetwork?

SPR places each WiFi device into its own VLAN and subnet, using per-device passphrases. When combined together, the devices form a supernetwork. The VLAN isolation provides strong hardening: devices cannot sniff each other’s traffic, cannot perform ARP/MAC spoofing, and cannot communicate with each other without being granted access, even though they may still be able to access the internet.

Is there any telemetry or statistics sent from SPR to Supernetworks or Third Parties?

No. This can be confirmed by viewing the code in the GitHub repo or, if you prefer, by looking at the network traffic from SPR.

What are policies vs groups vs tags?

Policies manage network access. The supported policies are:

  • wan : the device can communicate with the internet
  • dns : the device can make DNS queries
  • lan : the device can communicate with all other devices
  • lan_upstream : the device can communicate upstream to private LAN addresses.
  • disabled : the device has no network access, overriding all other groups and policies

Groups are sets of devices that can fully intercommunicate. For example, a custom gaming group could be created for devices that need to access one another, or a media group for streaming to TVs.

Tags are an additional mechanism for referring to a set of devices, and enable tag-based features.

DNS Block Lists support tags, and Firewall Destination Endpoints can also have tags assigned to decide which devices have access, in lieu of working with IP addresses.

For example, a user can set a focus tag on specific devices, and create a dns block list under the focus tag.

Tags are also supported by PLUS's Programmable Firewall (PFW) plugin. An advanced feature is to use PFW to apply tags on a schedule. The focus tag could be applied from 9AM-5PM, for example.

How does the "lan_upstream" policy work?

By default, SPR prevents devices from accessing LAN addresses upstream of SPR. This is useful to restrict access to other subnets that SPR may be on. If a user does want a device to be able to access LAN networks upstream of SPR, the device should have the lan_upstream policy applied to grant access.
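The policy and group rules above, including lan_upstream, can be read as a small decision function. This is an added example that models the FAQ's wording; it is not SPR's own code. Device, set and Allowed are hypothetical names, and the model assumes that "upstream LAN" means private address space, that lan_upstream alone grants that access, and leaves the dns policy out.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Device is a hypothetical model of one SPR device (not SPR's own type).
type Device struct{ Policies, Groups map[string]bool }

func set(names ...string) map[string]bool {
	m := map[string]bool{}
	for _, n := range names {
		m[n] = true
	}
	return m
}

// Allowed reports whether src may send to dst under the FAQ's rules.
// peer is non-nil when dst belongs to another device on the SPR network.
func Allowed(src Device, dst string, peer *Device) bool {
	if src.Policies["disabled"] {
		return false // disabled overrides all other groups and policies
	}
	if peer != nil { // device-to-device: lan policy or a shared group
		if src.Policies["lan"] {
			return true
		}
		for g := range src.Groups {
			if peer.Groups[g] {
				return true
			}
		}
		return false
	}
	addr, err := netip.ParseAddr(dst)
	if err != nil {
		return false // fail closed on an unparseable destination
	}
	if addr.IsPrivate() { // assumption: upstream LAN = RFC 1918 / ULA space
		return src.Policies["lan_upstream"]
	}
	return src.Policies["wan"] // anything else is internet traffic
}

func main() {
	tv := Device{set("wan", "dns"), set("media")}
	fmt.Println(Allowed(tv, "10.0.0.5", nil), Allowed(tv, "1.1.1.1", nil)) // false true
}
```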

Does SPR work with iCloud Keychain Sync?

Yes - however you need to set the same password on each of the iOS devices that are in the same keychain. Without this, they would sync the wrong password to each other and lock each other out of the network.

Can I try SPR without the hardware?

Yes. You can run SPR in docker, either locally or on a cloud instance. NOTE: wifi features will not be available on macOS and Windows.

Can I run SPR without a wifi-card?

Yes. SPR runs great as a VPN service as well. See the Virtual Setup Guide to set up SPR with VPN and DNS support.

Why does SPR need AP/VLAN mode?

AP/VLAN is used to place each wifi station into a VLAN with its own virtual interface. Not all drivers may support this feature.

It is possible to use SPR for wifi without this, but it is not recommended. To do so, run hostapd with VLANs disabled (set per_sta_vif=0), and under base/config/config.sh set LANIF to your wifi interface (e.g. wlan1). With this configuration, MAC spoofing and packet injection across devices are possible, as with an ordinary wifi network.

Does SPR run on x86 / x86-64?

Yes. We publish docker containers for both arm64 and x86-64. See: Building the project to build from source.

Does SPR support extensions?

SPR supports plugins running as docker containers. See: Extensions Documentation

Which wifi drivers work with SPR?

The MT76 family of drivers has been best tested. The mt76x2u, mt7915, and mt7915e drivers have seen the most use.

Note that iwlwifi, from Intel, disables AP mode, so the popular ax210/ax200 cards are not compatible with hostapd today. It is possible to run some AP with wpa_supplicant, but important features are missing. Contributions to get these working with SPR are welcome, but it may not be feasible.

Recommended features for SPR:

  • WPA3 Support
  • AP/VLAN mode

If you have SPR installed you can see if your card is supported under Wifi -> Interfaces -> SPR compatibility

Does SPR support Wifi 6?

Yes.

Does SPR support Mesh Networking?

Mesh is currently a PLUS plugin. It supports mesh nodes with wired backhaul. Mesh networking (802.11s) is not currently configurable for a wireless backhaul from the API, but can be applied by configuring wpa_supplicant manually.

What is PLUS?

PLUS offers extended features and lets you back the development of SPR.

Read more about SPR PLUS

What is PFW?

PFW is a Programmable Firewall available to PLUS users. It allows scheduling and event-based firewall rules. It supports advanced features such as per-device rerouting to site-to-site VPNs and docker containers, and scheduled focus mode.

Think I've found a bug, where can I report it?

The best place to file an issue is our Github Issue Tracker

Do you have a mobile app for the admin interface?

The iOS app is available on App Store.

Can I use the mobile app for Virtual SPR?

Yes!

If you have set up SPR using the Virtual Setup Guide, you can log in to SPR (192.168.2.1) when connected to the VPN.

Can I run a dev branch of this project?

Yes. See System -> Releases.

What Operating System is SPR based on?

Ubuntu Linux 23.04. It can run on a variety of Linux hosts though.

Do you have a custom Linux kernel?

The Clearfog release is running a custom build. The Raspberry Pi image uses the default kernel for Ubuntu.

Where can I learn more about Wifi security?

Check out our turtles ctf challenges & write-ups

Troubleshooting

Device can't connect using WPA3

Some IoT devices may have problems with WPA3 support, or even incorrectly detect WPA3 as an Open Network. Try adding the device with WPA2 and connect again. Some IoT devices may not even support WPA2, and require WPA1.

How can I set a custom subnet for my SPR network?

System -> Supernetworks

I'm running other containers on my SPR & they have no internet connection

If SPR is not running, make sure to set up the firewall rules. Make sure WANIF is configured with your upstream interface in config/config.sh and try running the base/docker_nftables_setup.sh script. SPR disables docker’s reliance on iptables, so custom nftables scripts are required for docker containers to reach the internet.

How can I debug dropped packets?

  1. Check the events page for nft:drop: events. If they are not recorded, enable them first under event settings. Dropped packets may be under nft:drop:mac, nft:drop:forward, nft:drop:input, or nft:drop:private

  2. Retrieve JSON packet logs with

docker exec -it superpacket_logs /stream-json-logs
  3. Or build the sprbus tool and connect with an API token. You can generate an API token in the UI under "Auth -> Add Auth Token".