@geedsen All captive portals use a port 80 redirect to facilitate the portal popup (Captive Portal Detection). In addition it is required that if port 80 is accessed directly, that a "511 Network Authentication Required" response is generated. See RFC 6585 - section 6: https://www.rfc-editor.org/rfc/rfc6585#section-6
This can also be used as part of RFC 8910 support ( Captive-Portal Identification in DHCP and Router Advertisements (RAs)) See: https://www.rfc-editor.org/rfc/rfc8910.html
Clearly, with a captive portal running in default mode, you cannot access port 80 of the router.
Some years ago, Luci was changed to allow access using https on port 443, with access via http on port 80, although deprecated, still being provided.
BUT NOT when you have a captive portal. You MUST use https on port 443.
As openNDS configures a gateway FQDN, you can use that for accessing Luci without having to remember the gateway ip address.
By default, when openNDS is running, you can get to Luci using this URL:
https://status.client
Note, however - There is no support whatsoever for openNDS in Luci.
I would have expected that connecting my Samsung phone to the wireless LAN would now open a splash page then as well. But it does not. It just gives me access.
To find out what is going on, to start with, we need to know:
ndsctl status
uci show opennds
uci show network
Ok. I just discovered I was accessing the router from my home network via the router's lan interface, while I assumed it was via the WAN interface. First of all I disabled openNDS. Need to get OpenWrt working correctly first. Shall I ask my questions here or shall I move to the OpenWrt forum for it?
But to answer the questions:
1) OpenWrt snapshot (there is no stable release for it yet) and openNDS, the latest I just downloaded.
2) It is not enabled now.
3)
opennds.@opennds[0]=opennds
opennds.@opennds[0].enabled='0'
opennds.@opennds[0].faskey='9afa2a609ea4fcd54a233fe460129168089801671cb3836092d33d8de49d8923'
4)
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd88:da94:6614::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan2' 'lan3' 'lan4'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.2.32'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.gateway='192.168.2.1'
network.lan.dns='192.168.2.1'
network.@device[1]=device
network.@device[1].name='wan'
network.@device[1].macaddr='cc:d8:43:17:c2:1a'
network.wan=interface
network.wan.device='wan'
network.wan.proto='static'
network.wan.ipaddr='192.168.2.31'
network.wan.netmask='255.255.255.0'
network.wan.gateway='192.168.2.1'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
@geedsen
Might as well continue here.
What is the router? ie make/model
network.wan.device='wan'
network.wan.proto='static'
network.wan.ipaddr='192.168.2.31'
network.wan.netmask='255.255.255.0'
network.wan.gateway='192.168.2.1'
It is very unusual to configure the wan interface as a static ipv4 address. The default proto 'dhcp' is the safest and best unless you have a very good reason to change it.
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.2.32'
network.lan.netmask='255.255.255.0'
Configuring lan as static is indeed the norm and the default. BUT, you have configured it to be on the same subnet as wan, so this will not work.
Also, the default lan address in OpenWrt is 192.168.1.1. It is convention to have the last number = 1, ie xx.xx.xx.1. As your isp router appears to be using 192.168.2.x as its subnet, the OpenWrt default should be just fine.
network.@device[1].macaddr='cc:d8:43:17:c2:1a'
Why do you need to override the wan mac address?
It would be safer to reset back to defaults at this stage.
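As an added example (it is not from the thread, from OpenWrt or from openNDS), here is a small POSIX sh check for the exact problem pointed out above: lan and wan configured on the same IPv4 network. It computes the network address of each interface from ip/netmask and compares them. The addresses below are the ones posted in the thread, used as constructed input; `check_live_config` reads the real OpenWrt keys `network.lan.ipaddr`, `network.lan.netmask`, `network.wan.ipaddr` and `network.wan.netmask` when run on the router itself, and skips the comparison when wan is on dhcp (no static ipaddr).

```sh
#!/bin/sh
# Added example: detect a lan/wan IPv4 subnet overlap before committing
# an OpenWrt network config. Plain POSIX sh so it runs on busybox ash.

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Network address (as an integer) of ip/netmask.
net_of() {
    echo $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# True (exit 0) when lan ($1/$2) and wan ($3/$4) share an IPv4 network,
# which is the configuration that breaks routing between the two.
subnets_overlap() {
    [ "$(net_of "$1" "$2")" -eq "$(net_of "$3" "$4")" ]
}

# Read the live uci values and report. Returns 2 when uci is unavailable,
# 1 on overlap, 0 when the two networks differ or wan is not static.
check_live_config() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found; skipping live check"; return 2; }
    lan_ip=$(uci -q get network.lan.ipaddr)
    lan_mask=$(uci -q get network.lan.netmask)
    wan_ip=$(uci -q get network.wan.ipaddr)
    wan_mask=$(uci -q get network.wan.netmask)
    [ -n "$wan_ip" ] || { echo "wan has no static ipaddr (proto dhcp); nothing to compare"; return 0; }
    if subnets_overlap "$lan_ip" "$lan_mask" "$wan_ip" "$wan_mask"; then
        echo "ERROR: lan $lan_ip/$lan_mask and wan $wan_ip/$wan_mask are on the same network"
        return 1
    fi
    echo "ok: lan and wan are on different networks"
}

# Constructed input: the values posted in the thread.
if subnets_overlap 192.168.2.32 255.255.255.0 192.168.2.31 255.255.255.0; then
    echo "posted config: lan and wan overlap (this is the problem)"
fi
# The OpenWrt default lan address against the same wan: no overlap.
if ! subnets_overlap 192.168.1.1 255.255.255.0 192.168.2.31 255.255.255.0; then
    echo "default lan 192.168.1.1/24 vs wan 192.168.2.31/24: no overlap"
fi
```

On the router, call `check_live_config` after editing with `uci set` and before `uci commit network`; it only compares when wan carries a static address, which is also why the dhcp default for wan avoids this class of mistake.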
It is a Xiaomi AX3000T, running "openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-squashfs-sysupgrade.itb". The reason is that the WAN actually will be my/a home network, not a provider. And in case I want to access OpenWrt from that home network, it is simpler that it has a static address, otherwise I have to figure out what DHCP assigned to it. 'network.@device[1].macaddr='cc:d8:43:17:c2:1a': no idea. It was there. Don't know how it picked that one up. Didn't even realize it was setting it. But I am fine with resetting. Is that just pressing the button?
@geedsen
But I am fine with resetting. Is that just pressing the button?
Usually press and hold for around 15 seconds, depending on make/model. Then let go and it boots up in defaults.
If successful it will have its wireless disabled and you have to connect by lan ethernet to turn it on.
Show the output of:
uci show wireless
then I can give you a command string to turn it on.
Ok. Reset done. Wireless turned on. I can now access it via ssh and Luci via 192.168.1.1 (moved Luci to ports 8080 and 8443). So I could now give the wan a static address I guess (I can see it picked up something using dhcp)?
And FYI, I am trying to set up a voucher system for wifi. My daughter is planning to open a cafe in Mfuwe. Now she cannot offer free internet. Only wifi for paying customers. Otherwise the locals would be hanging around the cafe too much. So I want to try to implement the voucher system.
Here is the location :)
@geedsen
moved luci to port 8080 and 8443
Why? BTW port 8080 is reserved for other packages eg proxies, but probably will not be a problem.
So I could now give the wan a static address I guess
Not needed and probably best not done. Why would you even want the address? It will be useless for incoming because of the default OpenWrt firewall.
If you really need it, just run ip addr
and it will be listed.
Again confusion here :( It was my understanding that luci on port 80 conflicts with openNDS.
@geedsen Where is "Mfuwe".... Ah! Zambia.
Why can your daughter not offer free Internet? openNDS has many tools to limit customers without resorting to a voucher system... We can go into options once you get the basic system running.
@geedsen
It was my understanding that luci on port 80 conflicts with openNDS
No, it is blocked by openNDS in addition to being deprecated in OpenWrt, even if it is still there by default. Maybe removed next release? Who knows, other than "deprecated" means end of life.
Luci should be accessed via https (port 443 by default).
It is free for the customers. Have a coffee and you get 2 hours of wifi. Something like that. It is not that they need to pay for the internet access itself. But the seating is outside in a garden. And she cannot provide internet to everybody standing next to it.
@geedsen Yes, but the problem is the voucher system was provided by a member of the community as an example and is not particularly reliable and involves a lot of administration someone will have to undertake eg refreshing the voucher roll, handing vouchers out to users amongst other things. There are much better ways. But first lets get openNDS working.
Ok. Moved it back to 443 and removed 8080 altogether. Installed the services tab. When changing the listening ports using the services tab, I was hoping that the generated certificate would remove the 'not secure' warning in the browser. But it did not.
@geedsen
Installed the services tab.
That must be something in Luci? I have never heard of it ;-) I do not use Luci, or hardly ever.
the 'non secure' warning in the browser.
This is because the certificate is self signed. Not much can be done about it other than accept it and let your browser create an exception, after which you will no longer see the popup error. Remember it is not insecure as such, just a warning that it is self signed. All access to Luci will be encrypted compared with if you use http on port 80 or 8080 or whatever, where all traffic to/from Luci will be clear text on the air.
It is not possible to have an externally registered/signed certificate for use on a local network - a problem with ipv4 rather than anything else.
Thanks for the help so far. Looks like openWrt is working now as expected. So next openNDS? Install it again?
@geedsen There are some legal reasons to have a Captive Portal.
This applies worldwide and is enforced more and more, the degree depending on location of course.
@geedsen
Install it again?
Yes but it is best NOT to use Luci, so we can see what is going on.
With the Internet feed live, do:
opkg update
opkg install opennds; logread -f
You will be able to watch it starting and look for errors.
Yes, those legal reasons are important too.
Fri May 3 13:43:02 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq nftset complile option not available - Upgrade to dnsmasq-full version. Trying ipset option....]
Fri May 3 13:43:02 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq ipset complile option not available -- Upgrade to dnsmasq-full version. Unable to configure walledgarden....]
Fri May 3 13:43:02 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq nftset complile option not available - Upgrade to dnsmasq-full version. Trying ipset option....]
Fri May 3 13:43:02 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq ipset complile option not available -- Upgrade to dnsmasq-full version. Unable to configure blocklist....]
Fri May 3 13:43:02 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq nftset complile option not available - Upgrade to dnsmasq-full version. Trying ipset option....]
Fri May 3 13:43:02 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq ipset complile option not available -- Upgrade to dnsmasq-full version. Unable to configure walledgarden....]
Fri May 3 13:43:02 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq nftset complile option not available - Upgrade to dnsmasq-full version. Trying ipset option....]
Fri May 3 13:43:03 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq ipset complile option not available -- Upgrade to dnsmasq-full version. Unable to configure blocklist....]
Post the whole log? It is still busy. It does not get back to the prompt. Is that normal?
Keep watching.
daemon.warn
These are warnings telling you that you cannot use certain functions yet eg walledgarden etc.
If needed later you can install the necessary support packages.
@geedsen Just press Ctrl-C to get back to the prompt.
@geedsen
It looks like it started up ok.
Show the output of:
ndsctl status
openNDS Status
====
Version: 10.2.0
Uptime: 10m 37s
Gateway Name: [ openNDS Node:ccd8438f0868 ]
Debug Level: [ 1 ]
Gateway FQDN: [ status.client ]
Managed interface: br-lan
Upstream gateway(s) [ online:192.168.2.1,wan ]
MHD Server [ version 0.9.77 ] listening on: http://192.168.1.1:2050
Maximum Html Page size is [ 10240 ] Bytes
Preemptive Authentication is Enabled
Binauth Script: /usr/lib/opennds/binauth_log.sh
ThemeSpec Core Library: /usr/lib/opennds/libopennds.sh
FAS: Secure Level 1, URL: http://status.client:2050/opennds_preauth/
Client Check Interval: 15s
Rate Check Window: 2 check intervals (30s)
Preauthenticated Client Idle Timeout: 30m
Authenticated Client Idle Timeout: 120m
Download rate limit threshold (default per client): no limit
Upload rate limit threshold (default per client): no limit
Download quota (default per client): no limit
Upload quota (default per client): no limit
Total download: 730 kByte; average: 9.39 kbit/s
Total upload: 322 kByte; average: 4.15 kbit/s
====
Client authentications since start: 1
Current clients: 1
Client 0
Client Type: cpd_can
IP: 192.168.1.176 MAC: d6:15:ef:c1:17:98
Last Activity: Fri May 03 13:53:32 2024 (0s ago)
Session Start: Fri May 03 13:52:48 2024 (44s ago)
Session End: Sat May 04 13:52:48 2024 (23h 59m 16s left)
Token: 9f4777aa
State: Authenticated
Download Rate Limit Threshold: not set
Upload Rate Limit Threshold: not set
Download quota: not set
Upload quota: not set
Download this session: 728 kB; Session average: 135.60 kb/s
Upload this session: 18 kB; Session average: 3.48 kb/s
====
Trusted MAC addresses:
none
====
Walledgarden FQDNs:
none
Walledgarden Ports:
all
====
Blocklist FQDNs:
none
Blocklist Ports:
all
Where can I find the html files to modify them? I can now indeed get to http://status.client. Pretty amazing what it shows in the advanced account details. So what would be a good option to limit the internet access to customers?
@geedsen
I edited your post. When adding blocks of preformatted text, surround them with two lots of 3 backtick characters or use the <> symbol on the menu bar at the top of the text box you are writing in.
This makes it easy to see the outputs of commands for example.
Where can I find the html files
There are no html files. The html is dynamically generated by the ThemeSpec scripts. Easy to do, but not yet.
Lets change the splash page sequence.
Do:
uci set opennds.@opennds[0].login_option_enabled='2'
uci commit opennds
service opennds restart
Give it a couple of minutes to get restarted then go to http://status.client and log out then log back in again and see what the login page looks like.
@geedsen I have to do some of my paid job now but will still be around, just might take a while to answer.
Splash with name and email is working now.
@geedsen You can look at /tmp/ndslog to see the log files.
@geedsen I don't have time right now to go into any depth, but if you want to try the voucher themespec, installation instructions are here: https://github.com/openNDS/openNDS/tree/master/community/themespec/theme_voucher
I will. Thanks
@bluewavenet Would you know other options to accomplish the restricted access to customers?
Couple of questions about the voucher system:
1) I don't understand what this part means, what it does.
2) How would I need to change the theme_voucher.sh such that this
"output=$(grep $voucher $voucher_roll | head -n 1) # Store first occurence of voucher as variable"
would be an api call to a rest api that obtains the value
I guess to answer my own question that would be something like this:
result=$(curl -X GET --header "Accept: */*" "http://localhost:9090/employees")
echo "Response from server"
echo "$result"
exit
@geedsen
options to accomplish the restricted access to customers?
There are many options you can specify in the config before even considering customising the login process.
Config options:
If you want to create your own login system, ie a "credential verification system", it is down purely to your own imagination!
The community produced voucher system is provided only as an example, and should be seen as a guideline to indicate how customisation can be done and not a "production ready" system.
It is not officially supported by the openNDS project, but you may get some help from others that have used it.
I would however not recommend any voucher system as there is an ongoing admin requirement for the venue. Your daughter's time is precious and she needs to be selling coffee and snacks to her customers and not wasting time handing out vouchers, showing people how to do it etc etc.
There is a pinned example here that would be worth reading: https://github.com/openNDS/openNDS/issues/509
Although it is for different hardware, it is very much applicable to your daughter's cafe. The principle is to "keep it simple".
It shows how to add your own logo, change a few things on the page etc etc.
You would not need to go as far as setting up an Internet hosted FAS server unless your daughter wanted to build a chain of coffee shops, but it would not do any harm either, particularly if she is going to have a web site - FAS could very likely be hosted there.
You should read this example and come back to me with questions/ideas....
For reference, the full openNDS documentation is available here: https://opennds.readthedocs.io
I guess the problem with all the options you mention is that it won't stop people outside of the cafe using it, right?
Question , if I want to modify the .sh script, can I easily debug it somehow, see what it is doing?
@geedsen
it wont stop people outside of the cafe using it right?
The purpose of the "free wifi" is to encourage people to come in to the cafe, but yes, people outside will try to use it if it is open. It depends on the situation. If locals have limited or expensive Internet access, they will try to leach off the cafe signal. This might not matter if it encourages some to come in and buy a coffee, but on the other hand if the whole area is suffering from a lack of Internet, it could be a problem. You will have to outline the situation for me ;-)
Your location and my location could be very different in terms of how easy it is to get Internet access!
To minimise leaching you could:
This might not be sufficient for your needs, but the principle is to keep it simple (for your daughter at least, because her primary focus should be running the cafe).
How about this:
can I easily debug it somehow
You can turn debuglevel to 3 and see all the detail of what is going on in the system log (logread command)
But to debug scripts where you might have a bit of code in error, you can test in foreground mode, not running as a service.
Thanks again. As you can see on the photo, most people living there are poor, very poor. But one thing they all have is a mobile phone :) They buy prepaid data sims and data packages. And that is expensive for them. There is no doubt that they would use any free wifi if they get the chance, and I really cannot blame them. But it is not something my daughter can finance for them. In the end they may find out that it might sometimes be cheaper to get a coffee there and do their mail/whatsapp/youtube than to buy data for their phone.
I will look into the possibilities and also discuss it with my daughter.
What I would like to try is to create a small application that generates the voucher code on the fly. Basically she would use an app on her phone with a single button "Generate code", it will generate a 4 character code which will be visible in a large font on the app. She can show that then to the customer.
The app uses a rest api, and the api that generates the code will store that in a database in the same format as the vouchers.txt now does. And the opennds voucher script will just query the api with the generated code and will get the same thing back that it now gets from the vouchers.txt. So there is very limited administration required.
@geedsen
So there is very limited administration required.
That is the most important factor to consider.. In a very short time, the overhead could otherwise make having wifi seem like a bad decision.
@bluewavenet What exactly is this speed limits in the voucher: ZRPN-TVJO,1024,1024,0,0,1440,0
1024 what? If my router can do speeds up to 300Mbps, what is this 1024 then exactly? 1Mb?
And another question: why can I not reach the api on my local pc from OpenWrt?
@geedsen
1024 what?
It is probably Kb/s. I am guessing because, as I mentioned, this is not officially supported.
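As an added example, not part of openNDS or of the community theme_voucher script, the block below shows how the voucher lookup quoted earlier in the thread, `output=$(grep $voucher $voucher_roll | head -n 1)`, can be replaced with one that treats the code a customer types as data rather than as a pattern. The original line passes `$voucher` unquoted and unanchored to grep, so it is interpreted as a regular expression that may match anywhere on any line. The replacement validates the code against the shape of the example voucher `ZRPN-TVJO`, then compares it to the first CSV field exactly with awk. The voucher roll is constructed here from the example line in the thread; the field names `v_down`, `v_up`, `v_dlquota`, `v_ulquota`, `v_minutes` are this example's assumption about the community file format, not a documented openNDS interface.

```sh
#!/bin/sh
# Added example: a safe voucher lookup for a roll of lines shaped like
#   ZRPN-TVJO,1024,1024,0,0,1440,0
# Replaces the unquoted, unanchored "grep $voucher $voucher_roll" pattern.

# Accept only the shape of the thread's example code: four upper-case
# letters, a hyphen, four upper-case letters. Everything else is rejected
# before it reaches any command line, file or URL.
valid_voucher_format() {
    case "$1" in
        [A-Z][A-Z][A-Z][A-Z]-[A-Z][A-Z][A-Z][A-Z]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the roll line whose first field equals the code, or nothing.
# awk -v passes the code as a string value, never as a regex, so a partial
# code such as "ZRPN" cannot match "ZRPN-TVJO" and metacharacters cannot
# widen the match. Returns 1 when the code fails validation.
lookup_voucher() {
    code=$1; roll=$2
    valid_voucher_format "$code" || return 1
    awk -F, -v c="$code" '$1 == c { print; exit }' "$roll"
}

# Split a matched line into shell variables (assumed field meanings:
# code, download rate, upload rate, download quota, upload quota, minutes).
parse_voucher_line() {
    IFS=, read -r v_code v_down v_up v_dlquota v_ulquota v_minutes v_extra <<EOF
$1
EOF
    [ -n "$v_code" ]
}

# Constructed voucher roll for the demo (same shape as the thread's line).
ROLL=$(mktemp)
cat > "$ROLL" <<'EOF'
ZRPN-TVJO,1024,1024,0,0,1440,0
ABCD-EFGH,2048,512,0,0,60,0
EOF

line=$(lookup_voucher ZRPN-TVJO "$ROLL") && parse_voucher_line "$line" \
    && echo "accepted $v_code: down=$v_down up=$v_up minutes=$v_minutes"
lookup_voucher 'ZRPN' "$ROLL" >/dev/null || echo "rejected partial code ZRPN"
lookup_voucher '.*' "$ROLL" >/dev/null || echo "rejected regex input .*"
rm -f "$ROLL"
```

If the roll is later replaced by a REST call, as proposed earlier in the thread, keep `valid_voucher_format` in front of the request so that only a code of the expected shape is ever placed in the URL or request body, and compare the returned code field against what was sent before trusting the rest of the record.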
@geedsen
why can I not reach the api on my local pc from OpenWrt
For security reasons, ad hoc access to services on the local network from the router is blocked by openNDS.
You will have to specifically allow access to the router from your PC and initiate the transfer at the PC.
This would typically be done using scp.
@bluewavenet Can that be managed with the Walled Garden as well?
@geedsen
Can that be managed with the Walled Garden as well?
No, the walled garden is to allow preauthenticated users to access Internet hosted resources before logging in.
But I need the voucher sh script to access an api outside. I am testing it from the console logged in on root, but in the end it needs to be the script doing it.
I can now access my rest api from the root account in OpenWrt. On the incoming home network router I forwarded a port to the pc running my rest api (in Visual Studio). So from OpenWrt, using my DDNS name, I can get to the api. Will that work from the voucher script as well?
@geedsen
Will that work from the voucher script as well?
I don't know of anything built into the voucher script, but I don't see why you could not add it...
New to OpenWrt and openNDS, so please be kind :) I installed OpenWrt with Luci and openNDS on my router. Before installing openNDS, Luci was accessible. After the installation it no longer was. Apparently now blocked by openNDS. However, I would have expected that connecting my Samsung phone to the wireless LAN would now open a splash page then as well. But it does not. It just gives me access.
So how do I get access to luci again and how do I enable the splash screen?
I read about http://status.client , now I wonder how this should/could work? Only on a device connected to the routers wifi? Any help appreciated.