Frequently Asked Questions
What does SPR stand for?
SPR stands for Secure Programmable Router.
What is SPR?
SPR is Linux software for running a hardened wifi network that also makes it easy to add and manage devices. Devices are isolated into individual VLANs and then connected securely into the rest of the network.
How is SPR different from OpenWRT?
- SPR is built to support the leading edge of Linux’s networking features, while applying best in class security practices and modern coding standards. The focus is on making usable micro-segmentation with zero-trust networking possible, which is not simple to configure with OpenWRT.
- OpenWRT powers many of the proprietary consumer wifi routers on the market today and was originally intended as a replacement for proprietary embedded firmware. Some routers allow replacing the vendor’s OpenWRT with open source builds of the OpenWRT firmware.
- SPR is designed to run in docker containers on systems with a bit more memory and storage, opening up many possibilities like hosting voice assistants, network fuzzers, and media servers. However, it likely won’t work as a replacement for embedded router firmware.
- OpenWRT tries to optimize builds for embedded devices without much storage space or memory. It supports a tremendous range of devices and hardware, although older devices are losing support due to storage and memory limitations.
- SPR is built mostly with golang and a react frontend. Where possible, memory-safe languages with good security track records are preferred over native code such as C or code that is difficult to write securely, like PHP.
- OpenWRT is built mostly with C, Shell Scripts, and Lua/LUCI for the web front end.
How do I update SPR?
You do not need to reflash your system. From the UI: go to System Info -> SPR Release. You can run Check to see if there's an update and hit Update.
From the CLI:
Go to the SPR directory (
docker compose pull
docker compose up -d
How is SPR different from an ordinary network and what is a supernetwork?
SPR places each WiFi device into its own VLAN and subnet, using per-device passphrases. Combined, the devices form a supernetwork. The VLAN isolation hardens the network: devices cannot sniff each other’s traffic, cannot perform ARP/MAC spoofing, and cannot communicate with each other without being granted access, while they may still be able to access the internet.
Is there any telemetry or statistics sent from SPR to Supernetworks or Third Parties?
No. This can be confirmed by viewing the code in the GitHub repo or, if you prefer, by looking at the network traffic from SPR.
What are groups vs tags?
Groups in SPR refer to network access and which devices should be able to communicate with one another. There are three special, built-in groups:
- wan : the device can communicate with the internet
- dns : the device can make DNS queries
- lan : the device can communicate with all other devices
When custom groups are created, all of the devices in that group can communicate with each other. For example, a custom gaming group could be created for devices that need to access one another, or a media group for streaming to TVs.
Tags are an additional mechanism for organizing devices and applying special features to them. Today there is one built-in tag, lan_upstream.
Custom tags can be used with DNS block lists, to apply blocklists to only select devices. Place the tag with both the list and the devices it should apply to. For example, a user can set a focus tag on specific devices, and create a dns block list under the focus tag.
Custom tags can be used with PLUS's Programmable Firewall (PFW) plugin. An advanced feature is to use PFW to apply tags on a schedule. The focus tag could be applied from 9 AM to 5 PM, for example.
How does the "lan_upstream" tag work?
By default, SPR prevents devices from accessing LAN addresses upstream of SPR. This is useful to restrict access to other subnets that SPR may be on. If a user does want a device to be able to access LAN networks upstream of SPR, the device should have the lan_upstream tag applied to grant access.
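The group and tag rules above can be read as a default-deny policy. The following is an added example, not code from SPR: a small Go model of those rules that can be used to reason about which devices may reach what. The Device type, the function names, the destination labels and the sample devices are all constructed for illustration, and device-to-device access is assumed to be evaluated from the initiating device's side.

```go
package main

import "fmt"

type set map[string]bool // reading a missing key (or a nil set) yields false

// Device is a constructed stand-in for an SPR device entry, not SPR's own type.
type Device struct {
	Name         string
	Groups, Tags set
}

// CanReachDevice models device-to-device access, assumed directional from src.
func CanReachDevice(src, dst Device) bool {
	if src.Groups["lan"] {
		return true // lan: can communicate with all other devices
	}
	for g := range src.Groups {
		// wan and dns grant a capability; only custom groups pair devices.
		if g != "wan" && g != "dns" && dst.Groups[g] {
			return true
		}
	}
	return false // otherwise the device stays isolated in its own VLAN
}

// CanLeave covers the non-device destinations named in the FAQ.
func CanLeave(src Device, dest string) bool {
	switch dest {
	case "internet":
		return src.Groups["wan"]
	case "dns":
		return src.Groups["dns"]
	case "upstream-lan":
		return src.Tags["lan_upstream"]
	}
	return false // anything not modelled is denied
}

func main() {
	// Constructed sample devices.
	tv := Device{"tv", set{"wan": true, "dns": true, "media": true}, nil}
	phone := Device{"phone", set{"wan": true, "dns": true, "media": true}, set{"lan_upstream": true}}
	cam := Device{"camera", set{"dns": true}, nil}
	fmt.Println(CanReachDevice(phone, tv), CanReachDevice(phone, cam))
	fmt.Println(CanLeave(cam, "internet"), CanLeave(phone, "upstream-lan"))
	fmt.Println(CanLeave(tv, "upstream-lan"))
}
```

Sharing only wan or dns never links two devices in this model; a device reaches another only through lan or a shared custom group.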
Does SPR work with iCloud Keychain Sync?
Yes - however you need to set the same password on each of the iOS devices that are in the same keychain. Without this, they would sync the wrong password to each other and lock each other out of the network.
Can I try SPR without the hardware?
Yes. You can run SPR in Docker, either locally or on a cloud instance. NOTE: wifi features will not be available on macOS and Windows.
Can I run SPR without a wifi-card?
Yes. SPR runs great as a VPN service as well. See: Virtual Setup Guide to set up SPR with VPN and DNS support.
Why does SPR need AP/VLAN mode?
AP/VLAN is used to place each wifi station into a VLAN with its own virtual interface. Not all drivers may support this feature.
It is possible to use SPR for wifi without this but it is not recommended. To do so run hostapd with VLANs disabled (set per_sta_vif=0), and under base/config/config.sh set LANIF to your wifi interface (i.e. wlan1). With this configuration, MAC spoofing and packet injection across devices is possible, as with an ordinary wifi network.
Does SPR run on x86 / x86-64?
Yes. We publish docker containers for both arm64 and x86-64. See: Building the project to build from source.
Does SPR support extensions?
SPR supports plugins running as docker containers. See: Extensions Documentation
Which wifi drivers work with SPR?
The MT76 family of drivers is the best tested. mt76x2u, mt7915, and mt7915e have seen the most use.
Note that iwlwifi, from Intel, disables AP mode, so the popular ax210/ax200 cards are not currently compatible with hostapd. It is possible to run some AP with wpa_supplicant, but important features are missing. Contributions to get these working with SPR are welcome, but it may not be feasible.
Recommended features for SPR:
- WPA3 Support
- AP/VLAN mode
If you have SPR installed, you can see if your card is supported under Wifi -> Interfaces -> SPR compatibility.
Does SPR support Wifi 6?
Does SPR support Mesh Networking?
Mesh is currently a PLUS plugin. It supports mesh nodes with wired backhaul. Mesh networking (802.11s) is not currently configurable for a wireless backhaul from the API, but can be applied by configuring wpa_supplicant manually.
What is PLUS?
PLUS offers extended features and lets you back the development of SPR.
What is PFW?
PFW is a Programmable Firewall available to PLUS users. It allows scheduled and event-based firewall rules. It supports advanced features such as per-device rerouting to site-to-site VPNs and docker containers, and scheduled focus mode.
Think I've found a bug, where can I report it?
The best place to file an issue is our GitHub Issue Tracker.
Do you have a mobile app for the admin interface?
The iOS app is available on the App Store.
Can I use the mobile app for Virtual SPR?
If you have set up SPR using the Virtual Setup Guide, you can log in to SPR (192.168.2.1) when connected to the VPN.
Can I run a dev branch of this project?
Yes. See System -> Releases.
What Operating System is SPR based on?
Ubuntu Linux 23.04. It can run on a variety of Linux hosts though.
Do you have a custom Linux kernel?
The Clearfog release is running a custom build. The Raspberry Pi image is using the default kernel for Ubuntu.
Device can't connect using WPA3
Some IoT devices may have problems with WPA3 support, or even incorrectly detect WPA3 as an Open Network. Try adding the device with WPA2 and connect again. Some IoT devices may not even support WPA2, and require WPA1.
How can I set a custom subnet for my SPR network?
System -> Supernetworks
I'm running other containers on my SPR & they have no internet connection
If SPR is not running, make sure to set up the firewall rules. Make sure WANIF is configured with your upstream interface in config/config.sh and try running the base/docker_nftables_setup.sh script. SPR disables Docker’s reliance on iptables, so custom nftables scripts are required for docker containers to reach the internet.
How can I debug dropped packets?
Check the events page for nft:drop:events. If they are not recorded, enable them first under event settings. Dropped packets may be under
- Retrieve JSON packet logs with docker exec -it superpacket_logs /stream-json-logs
- Or build the sprbus tool and connect with an API token. You can generate an API token in the UI under "Auth -> Add Auth Token".