A captive portal system for OpenWrt
This is a question ticket, not a bug report.
credentials provides a simple username/password authentication (usernames and passwords defined in configuration)
In "credential" mode, do clients have to re-login after the router is rebooted?
How can I restrict an account to a single device?
Are custom hooks/triggers supported, e.g. executing a shell script before/after a client logs in?
Thank you!
Hi there!
Really cool project! Thanks for your work on this.
I installed it on an OpenWrt x86 VM and have so far tested the "click-to-connect" and local password authentication.
Are the authorized MACs supposed to survive a reboot of OpenWrt? So far, when I reboot OpenWrt I have to re-authenticate the client. I am sure I am doing something wrong, but I wanted to check whether that is expected behavior or not before doing a bunch of troubleshooting. The client is another VM on the same host and its MAC address isn't changing.
Thanks again!
Peter
Hi, I set auth_mode to credentials, but when I enter 10.0.0.1 in my browser I am redirected to the click-to-continue page. My configuration files are as follows.
/etc/config/network:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdae:8325:dd31::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'wwan'
option proto 'dhcp'
# captive portal client network; the section name 'captive' is what
# config/uspot 'option interface' and the config/firewall 'captive' zone refer to
config interface 'captive'
option proto 'static'
# 10.0.0.1 is the address the 'uspot' uhttpd instance (config/uhttpd) listens on;
# a /22 leaves room for the 1000-lease pool declared in config/dhcp
list ipaddr '10.0.0.1/22'
# NOTE(review): presumably a wireless AP interface - confirm it is not also a port
# of 'br-lan', otherwise captive and lan would share a segment despite separate zones
option device 'phy1-ap0'
/etc/config/uspot:
#for auth mode 'credentials', add any number of the following config entry
# NB: username and password are stored in cleartext in this file; keep
# /etc/config/uspot readable by root only and do not paste it unredacted into tickets
config credentials
option uspot 'captive' # presumably names the 'config uspot' section below - confirm
option username 'amirmohammad'
option password 'arefkhani'
## Values provided for the options below reflect the defaults used when the option is not set.
## NB: auth_mode, idle_timeout and session_timeout are explicitly set here and differ from those defaults.
config uspot 'captive'
option auth_mode 'credentials' # one of 'uam', 'radius', 'credentials', 'click-to-continue'
option idle_timeout '60' # client is kicked when idle for more than N seconds, defaults to 600, option used if not provided by radius
option session_timeout '120' # client is kicked if connected for more than N seconds, defaults to 0, option used if not provided by radius
option interface 'captive' # network interface (from config/network) on which captive clients will be managed
option setname 'uspot' # firewall ipset name for client management - must match 'config ipset' name in config/firewall
option debug '0' # turn on debugging output in logs
# captive portal API (RFC8908) configuration:
# option cpa_can_extend '0' # 'can-extend-session' is true if this option is set to '1', false otherwise
# option cpa_venue_url 'mci.lab.captive.portal' # value is provided verbatim as 'venue-info-url'
# for auth mode 'uam' and 'radius':
# option auth_server '192.168.1.108' # radius authentication server name or address
# option auth_port '1812' # radius authentication server port
# option auth_secret 'xiaomi-router' # radius authentication server password
# option auth_proxy '' # radius authentication server proxy
# option acct_server '' # radius accounting server name or address
# option acct_port '1813' # radius accounting server port
# option acct_secret '' # radius accounting server password
# option acct_proxy '' # radius accounting server proxy
# option acct_interval '' # radius accounting interim interval override
# option das_secret '' # radius DAS secret
# option das_port '3799' # radius DAS listen port - match the 'Allow-captive-DAE' rule in config/firewall
# option nasid '' # radius NAS-Identifier, UAM '&nasid='
# option nasmac '' # radius Called-Station, UAM '&called='
# option mac_format '' # MAC format specifier: 'aabbccddeeff', 'aa-bb-cc-dd-ee-ff', 'aa:bb:cc:dd:ee:ff' or the equivalent uppercase
# option location_name '' # radius WISPr-Location-Name
# for auth_mode 'uam':
# option uam_port '3990' # local UAM server port
# option uam_secret '' # remote UAM server password
# option uam_server '' # remote UAM server base url, e.g. "https://server.example.com/" - NB: trailing slash
# option challenge '' # UAM CHAP shared challenge
# option final_redirect_url '' # URL the client will be redirected to upon login. Special value 'uam' enables UAM 'success/reject/logoff' redirections URLs.
# option mac_auth '0' # Attempt MAC-authentication first
# option mac_password '' # Password sent for MAC-auth, defaults to MAC address
# option mac_suffix '' # Optional suffix appended to username for MAC-auth
# option uam_sslurl '' # optional base url to local UAM SSL (requires valid SSL setup in uhttpd UAM config), e.g. "https://uspot.lan:3991/" - NB: trailing slash
/etc/config/firewall:
# create a 'captive' zone for captive portal traffic
# zone defaults: nothing from captive reaches the router (input) or is forwarded
# unless one of the rules below explicitly allows it
config zone
option name 'captive'
list network 'captive'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# setup CPD hijacking for unauthenticated clients
# only plain HTTP (tcp/80) is hijacked; HTTPS to the internet from a client not in
# the set is simply rejected by the zone's forward default
config redirect
option name 'Redirect-unauth-captive-CPD'
option src 'captive'
option src_dport '80'
option proto 'tcp'
option target 'DNAT'
option reflection '0'
# NOTE(review): as written this matches clients that ARE in the 'uspot' set, which
# the 'config ipset' below describes as holding authenticated clients, while the
# stated intent is to hijack unauthenticated ones; a negated match ('!uspot') is what
# that intent would imply - confirm against the project's reference config
option ipset 'uspot' # match with uspot option 'setname'
# allow DHCP for captive clients
config rule
option name 'Allow-DHCP-NTP-captive'
option src 'captive'
option proto 'udp'
option dest_port '67 123'
option target 'ACCEPT'
# prevent access to LAN-side services from captive interface
# Linux implements a weak host model and traffic crossing zone boundary isn't considered forwarding on the router:
# it must be explicitly denied - NB order matters: DHCP is broadcast that would be caught by this rule
config rule
option name 'Restrict-input-captive'
option src 'captive'
option dest_ip '!captive'
option target 'DROP'
# allow incoming traffic to CPD / web interface and local UAM server
# NB: this opens router ports 80/443/3990 to every captive client, authenticated or
# not; any other service bound to those ports on the captive address (e.g. a uhttpd
# instance listening on 0.0.0.0:443) becomes reachable from the captive network too
config rule
option name 'Allow-captive-CPD-WEB-UAM'
option src 'captive'
option dest_port '80 443 3990'
option proto 'tcp'
option target 'ACCEPT'
# allow forwarding traffic to wan from authenticated clients
# authorisation is keyed solely on the client's source MAC being present in the set
config rule
option name 'Forward-auth-captive'
option src 'captive'
option dest 'wan'
option proto 'any'
option target 'ACCEPT'
option ipset 'uspot' # match with uspot option 'setname'
# allow DNS for captive clients
# no 'dest' => router input: all captive clients, authenticated or not, may query the
# router's resolver
config rule
option name 'Allow-DNS-captive'
option src 'captive'
list proto 'udp'
list proto 'tcp'
option dest_port '53'
option target 'ACCEPT'
# if using RFC5176 RADIUS DAE:
# keep 'src_ip' restricted to the RADIUS server - without it the DAS port is open to the whole wan side
#config rule
# option name 'Allow-captive-DAE'
# option src 'wan'
# option proto 'udp'
# option family 'ipv4'
# option src_ip 'XX.XX.XX.XX' # adjust as needed
# option dest_port '3799' # match value for 'das_port' in config/uspot
# option target 'ACCEPT'
# create the ipset that will hold authenticated clients
# entries are runtime state written by uspot; presumably they are not persisted across
# a reboot (cf. the re-authentication question in this thread) - confirm
config ipset
option name 'uspot' # match with uspot option 'setname'
list match 'src_mac'
# optional whitelist for e.g. remote UAM host and/or dynamic hosts via dnsmasq ipset functionality
# anything in 'wlist' is reachable by unauthenticated clients; 'wlist' is filled by the
# static entries below and by dnsmasq from DNS answers for the domains listed in config/dhcp
config rule
option name 'Allow-Whitelist'
option src 'captive'
option dest 'wan'
option proto 'any'
option ipset 'wlist'
option target 'ACCEPT'
# associated whitelist ipset with prepopulated entries
config ipset
option name 'wlist'
list match 'dest_ip'
# list entry 'XX.XX.XX.XX' # adjust as needed for e.g. remote UAM server
# list entry 'XX.XX.XX.XX'
/etc/config/uhttpd:
# dedicated uhttpd instance for the portal; it binds only the captive address
# (not 0.0.0.0), so it is not exposed on lan/wan
config uhttpd 'uspot'
list listen_http '10.0.0.1:80'
option redirect_https '0'
option max_requests '5'
option no_dirlists '1'
option home '/www-uspot'
list ucode_prefix '/hotspot=/usr/share/uspot/handler.uc'
list ucode_prefix '/cpd=/usr/share/uspot/handler-cpd.uc'
option error_page '/cpd' # any unknown path is served by the CPD handler above
# if using TLS and/or supporting RFC8908 CapPort API:
#list listen_https '10.0.0.1:443'
#option cert '/usr/share/certs/captive.pem' # to be provided manually
#option key '/usr/share/certs/captive.key' # to be provided manually
# for RFC8908 support:
#list ucode_prefix '/api=/usr/share/uspot/handler-api.uc'
/etc/config/dhcp:
# DHCP pool for the captive interface declared in config/network
config dhcp 'captive'
option interface 'captive'
option start '2'
option limit '1000' # 1000 leases from .2; fits the /22 assigned in config/network
option leasetime '2h'
# add the following for RFC8910 Captive Portal API - DNS name is setup below
#list dhcp_option '114,https://captive.example.org/api'
# optionally provide NTP server (if enabled on the device) - recommended for SSL cert validation
#list dhcp_option_force '42,10.0.0.1'
# add a local domain name for HTTPS support, name must match TLS certificate
# resolves only on the router's own resolver, so clients must use it for DNS
# (cf. 'Allow-DNS-captive' in config/firewall)
config domain
option name 'captive.example.org'
option ip '10.0.0.1'
# if using optional dynamic hosts whitelist
# dnsmasq adds the resolved addresses of these domains to the 'wlist' ipset, which
# config/firewall 'Allow-Whitelist' lets unauthenticated clients reach
config ipset
list name 'wlist' # match value with whitelist ipset name in config/firewall
list domain 'my.whitelist1.domain'
list domain 'my.whitelist2.domain'
Hello, I need traffic accounting for my project. Could you please tell me how long it would take to add a traffic accounting section?
I'm grateful for the good support.
Hi, based on radius-client.c, I added the following attributes to the dictionary file.
radius-client.c:
/* RADIUS vendor-specific attribute ids; a dictionary entry for any of these must
 * encode the same (vendor id, attribute number) pair. */
#define VENDORSPEC_WBAL 14122              /* vendor id for the WISPr attributes below */
#define ATTR_WBAL_WISPR_LOCATION_NAME 2    /* WISPr-Location-Name, see 'location_name' in config/uspot */
#define ATTR_WBAL_WISPR_LOGOFF_URL 3       /* WISPr-Logoff-URL */
#define VENDORSPEC_CHILLI 14559            /* vendor id for the ChilliSpot attributes below */
#define ATTR_CHILLI_CHILLISPOT_LANG 7      /* ChilliSpot-Lang */
dictionary:
.
.
.
# NOTE(review): radius-client.c above defines vendor 14122 attrs 2/3 and vendor 14559
# attr 7; confirm these numeric ids encode the same vendor/attribute pairs in the form
# the dictionary parser expects - the "failed to lookup attribute key" error suggests
# the lookup key is derived differently from these values
ATTRIBUTE WBAL-WISPR-Logoff-Url 60653528154115 string
ATTRIBUTE WBAL-WISPR-Location-Name 60653528154114 string
ATTRIBUTE ATTR-Chilli-Chillispot-Lang 62530428862471 string
.
.
.
But when I use radius-client it returns a "failed to lookup attribute key 22" error, although key 22 is ATTR_WBAL_WISPR_LOGOFF_URL.
Hello. My configuration for uhttpd is as below:
# NB: this instance listens on all addresses (0.0.0.0 / [::]), i.e. also on the captive
# address; together with a firewall rule that allows captive -> router tcp/443 (as in
# the reference 'Allow-captive-CPD-WEB-UAM' rule) the LuCI and ubus prefixes below are
# reachable from the captive network before any client has authenticated. Binding
# listen_https to the lan address(es) only would close that.
config uhttpd 'main'
list listen_https '0.0.0.0:443'
list listen_https '[::]:443'
option redirect_https '0'
option home '/www'
option rfc1918_filter '1'
option max_requests '3'
option max_connections '100'
option cert '/etc/uhttpd.crt'
option key '/etc/uhttpd.key'
option cgi_prefix '/cgi-bin'
list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
option script_timeout '60'
option network_timeout '30'
option http_keepalive '20'
option tcp_keepalive '1'
option ubus_prefix '/ubus'
list listen_http '192.168.3.1:80'
config cert 'defaults'
option days '730'
option key_type 'ec'
option bits '2048'
option ec_curve 'P-256'
option country 'ZZ'
option state 'Somewhere'
option location 'Unknown'
option commonname 'OpenWrt'
# portal instance, bound to the captive address only
config uhttpd 'uspot'
list listen_http '10.0.0.1:80'
option redirect_https '0'
option max_requests '5'
option no_dirlists '1'
option home '/www-uspot'
# NOTE(review): the startup error quoted below names a missing ucode handler; the two
# paths here are what this instance tries to open - verify both files exist on the device
list ucode_prefix '/hotspot=/usr/share/uspot/handler.uc'
list ucode_prefix '/cpd=/usr/share/uspot/handler-cpd.uc'
option error_page '/cpd'
# # if using TLS and/or supporting RFC8908 CapPort API:
# #list listen_https '10.0.0.1:443'
# option cert '/usr/share/certs/captive.pem' # to be provided manually
# option key '/usr/share/certs/captive.key' # to be provided manually
# # for RFC8908 support:
# list ucode_prefix '/api=/usr/share/uspot/handler-api.uc'
# if using RADIUS UAM authentication:
#config uhttpd 'uam3990'
# list listen_http '10.0.0.1:3990'
# option redirect_https '0'
# option max_requests '5'
# option no_dirlists '1'
# option home '/www-uspot'
# list ucode_prefix '/logon=/usr/share/uspot/handler-uam.uc'
# list ucode_prefix '/logoff=/usr/share/uspot/handler-uam.uc'
# list ucode_prefix '/logout=/usr/share/uspot/handler-uam.uc'
#
When I start the uhttpd service, it logs "daemon.err uhttpd[6084]: Error: Unable to open ucode handler: No such file or directory".