question, not an issue really. Getting it to work... #587

Open
geedsen opened this issue May 2, 2024 · 49 comments
Comments

@geedsen

geedsen commented May 2, 2024

New to OpenWrt and openNDS, so please be kind :)
I installed openWrt with Luci and openNDS on my router.
Before installing openNDS, luci was accessible. After the installation it no longer was. Apparently now blocked by openNDS
However, I would have expected that connecting my Samsung phone to the wireless LAN would now open a splash page then as well. But it does not. It just gives me access.

So how do I get access to luci again and how do I enable the splash screen?

I read about http://status.client, now I wonder how this should/could work? Only on a device connected to the router's wifi? Any help appreciated.

@bluewavenet
Member

@geedsen
All captive portals use a port 80 redirect to facilitate the portal popup (Captive Portal Detection).
In addition, it is required that, if port 80 is accessed directly, a "511 Network Authentication Required" response is generated.
See RFC 6585 - section 6:
https://www.rfc-editor.org/rfc/rfc6585#section-6

This can also be used as part of RFC 8910 support ( Captive-Portal Identification in DHCP and Router Advertisements (RAs))
See:
https://www.rfc-editor.org/rfc/rfc8910.html

Clearly, with a captive portal running in default mode, you cannot access port 80 of the router.

Some years ago, Luci was changed to allow access using https on port 443, with access via http on port 80, although deprecated, still being provided.

BUT NOT when you have a captive portal. You MUST use https on port 443.

As openNDS configures a gateway FQDN, you can use that for accessing Luci without having to remember the gateway ip address.

By default, when openNDS is running, you can get to Luci using this URL:
https://status.client

Note, however - There is no support whatsoever for openNDS in Luci.

I would have expected that connecting my Samsung phone to the wireless LAN would now open a splash page then as well. But it does not. It just gives me access.

To find out what is going on, to start with, we need to know:

  1. What versions of OpenWrt and openNDS you are using
  2. The output of ndsctl status
  3. The output of uci show opennds
  4. The output of uci show network

@geedsen
Author

geedsen commented May 3, 2024

OK. I just discovered I was accessing the router from my home network via the router's LAN interface, while I assumed it was via the WAN interface. First of all I disabled openNDS. Need to get OpenWrt working correctly first. Shall I ask my questions here or shall I move to the OpenWrt forum for it?

But to answer the questions:

  1. openWRT snapshot (there is no stable release for it yet) and openNDS the latest I just downloaded.
  2. it is not enabled now
  3. opennds.@openNDS[0]=opennds
    opennds.@openNDS[0].enabled='0'
    opennds.@openNDS[0].faskey='9afa2a609ea4fcd54a233fe460129168089801671cb3836092d33d8de49d8923'
  4. network.loopback=interface
    network.loopback.device='lo'
    network.loopback.proto='static'
    network.loopback.ipaddr='127.0.0.1'
    network.loopback.netmask='255.0.0.0'
    network.globals=globals
    network.globals.ula_prefix='fd88:da94:6614::/48'
    network.@device[0]=device
    network.@device[0].name='br-lan'
    network.@device[0].type='bridge'
    network.@device[0].ports='lan2' 'lan3' 'lan4'
    network.lan=interface
    network.lan.device='br-lan'
    network.lan.proto='static'
    network.lan.ipaddr='192.168.2.32'
    network.lan.netmask='255.255.255.0'
    network.lan.ip6assign='60'
    network.lan.gateway='192.168.2.1'
    network.lan.dns='192.168.2.1'
    network.@device[1]=device
    network.@device[1].name='wan'
    network.@device[1].macaddr='cc:d8:43:17:c2:1a'
    network.wan=interface
    network.wan.device='wan'
    network.wan.proto='static'
    network.wan.ipaddr='192.168.2.31'
    network.wan.netmask='255.255.255.0'
    network.wan.gateway='192.168.2.1'
    network.wan6=interface
    network.wan6.device='wan'
    network.wan6.proto='dhcpv6'

@bluewavenet
Member

bluewavenet commented May 3, 2024

@geedsen

Might as well continue here.

What is the router? ie make/model

network.wan.device='wan'
network.wan.proto='static'
network.wan.ipaddr='192.168.2.31'
network.wan.netmask='255.255.255.0'
network.wan.gateway='192.168.2.1'

It is very unusual to configure the wan interface as a static ipv4 address. The default proto 'dhcp' is the safest and best unless you have a very good reason to change it.

network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.2.32'
network.lan.netmask='255.255.255.0'

Configuring lan as static is indeed the norm and the default.
BUT, you have configured it to be on the same subnet as wan, so this will not work.

Also, the default lan address in OpenWrt is 192.168.1.1
It is convention to have the last number = 1, ie xx.xx.xx.1
As your ISP router appears to be using 192.168.2.x as its subnet, the OpenWrt default should be just fine.

network.@device[1].macaddr='cc:d8:43:17:c2:1a'

Why do you need to override the wan mac address?

It would be safer to reset back to defaults at this stage.

@geedsen
Author

geedsen commented May 3, 2024

It is a Xiaomi AX3000T, running "openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-squashfs-sysupgrade.itb".
The reason is that the WAN actually will be my/a home network, not a provider. And in case I want to access OpenWrt from that home network, it is simpler that it has a static address; otherwise I have to figure out what DHCP assigned to it.
network.@device[1].macaddr='cc:d8:43:17:c2:1a': No idea. It was there. Don't know how it picked that one up. Didn't even realize it was setting it.
But I am fine with resetting. Is that just pressing the button?

@bluewavenet
Member

@geedsen

But I am fine with resetting. Is that just pressing the button?

Usually press and hold for around 15 seconds, depending on make/model.
Then let go and it boots up in defaults.

If successful it will have its wireless disabled and you have to connect by lan ethernet to turn it on.

Show the output of:
uci show wireless
then I can give you a command string to turn it on.

@geedsen
Author

geedsen commented May 3, 2024

OK. Reset done. Wireless turned on. I can now access it via ssh, and Luci via 192.168.1.1 (moved Luci to port 8080 and 8443). So I could now give the WAN a static address I guess (I can see it picked up something using DHCP)?

@geedsen
Author

geedsen commented May 3, 2024

And FYI, I am trying to set up a voucher system for wifi. My daughter is planning to open a cafe in Mfuwe. Now she cannot offer free internet, only wifi for paying customers. Otherwise the locals would be hanging around the cafe too much. So I want to try to implement the voucher system.
image
Here the location :)

@bluewavenet
Member

@geedsen

moved luci to port 8080 and 8443

Why? BTW port 8080 is reserved for other packages eg proxies, but probably will not be a problem.

So I could now give the wan a static address I guess

Not needed and probably best not done. Why would you even want the address? It will be useless for incoming because of the default OpenWrt firewall.

If you really need it, just run ip addr and it will be listed.

@geedsen
Author

geedsen commented May 3, 2024

Again confusion here :( It was my understanding that luci on port 80 conflicts with openNDS.

@bluewavenet
Member

@geedsen
Where is "Mfuwe".... Ah! Zambia.

Why can your daughter not offer free Internet? openNDS has many tools to limit customers without resorting to a voucher system... We can go into options once you get the basic system running.

@bluewavenet
Member

@geedsen

It was my understanding that luci on port 80 conflicts with openNDS

No, it is blocked by openNDS in addition to being deprecated in OpenWrt, even if it is still there by default. Maybe removed next release? Who knows, other than "deprecated" means end of life.

Luci should be accessed via https (port 443 by default).

@geedsen
Author

geedsen commented May 3, 2024

It is free for her customers. Have a coffee and you get 2 hours of wifi. Something like that. It is not that they need to pay for the internet access itself. But the seating is outside in a garden, and she cannot provide internet to everybody standing next to it.

@bluewavenet
Member

bluewavenet commented May 3, 2024

@geedsen
Yes, but the problem is the voucher system was provided by a member of the community as an example and is not particularly reliable, and it involves a lot of administration someone will have to undertake, eg refreshing the voucher roll, handing vouchers out to users, amongst other things.
There are much better ways.
But first let's get openNDS working.

@geedsen
Author

geedsen commented May 3, 2024

OK. Moved it back to 443 and removed 8080 altogether. Installed the services tab. When changing the listening ports using the services tab, I was hoping that the generated certificate would remove the 'not secure' warning in the browser. But it did not.

@bluewavenet
Member

@geedsen

Installed the services tab.

That must be something in Luci? I have never heard of it ;-) I do not use Luci, or hardly ever.

the 'non secure' warning in the browser.

This is because the certificate is self signed. Not much can be done about it other than accept it and let your browser create an exception, after which you will no longer see the popup error. Remember it is not insecure as such, just a warning that it is self signed. All access to Luci will be encrypted compared with if you use http on port 80 or 8080 or whatever, where all traffic to/from Luci will be clear text on the air.

It is not possible to have an externally registered/signed certificate for use on a local network - a problem with ipv4 rather than anything else.

@geedsen
Author

geedsen commented May 3, 2024

Thanks for the help so far. Looks like openWrt is working now as expected. So next openNDS? Install it again?

@bluewavenet
Member

@geedsen
There are some legal reasons to have a Captive Portal.

  1. Most countries and/or Internet service providers have legal obligations put on people providing public Internet access. Firstly, they want to pass on any liability for misuse onto the end user. In turn, the captive portal enforces acceptance of Terms of Service, legally making the end users, in this case, your daughter's customers.
  2. To prove this liability has been passed on the captive portal must demonstrate the Terms have been accepted.
  3. Secondly, the countries/ providers have other legal responsibilities for privacy of user data, so the captive portal must not pass on customer details to the public.
  4. Police and Security bodies will have the right, usually by court warrant, to see the private data if it is required for security reasons eg fighting crime, terrorism etc.

This applies worldwide and is enforced more and more, the degree depending on location of course.

@bluewavenet
Member

@geedsen

Install it again?

Yes but it is best NOT to use Luci, so we can see what is going on.

With the Internet feed live, do:

opkg update
opkg install opennds; logread -f

You will be able to watch it starting and look for errors.

@geedsen
Author

geedsen commented May 3, 2024

Yes, those legal reasons are important too.

@geedsen
Author

geedsen commented May 3, 2024

Fri May 3 13:43:02 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq nftset complile option not available - Upgrade to dnsmasq-full version. Trying ipset option....]
Fri May 3 13:43:02 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq ipset complile option not available -- Upgrade to dnsmasq-full version. Unable to configure walledgarden....]
Fri May 3 13:43:02 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq nftset complile option not available - Upgrade to dnsmasq-full version. Trying ipset option....]
Fri May 3 13:43:02 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq ipset complile option not available -- Upgrade to dnsmasq-full version. Unable to configure blocklist....]
Fri May 3 13:43:02 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq nftset complile option not available - Upgrade to dnsmasq-full version. Trying ipset option....]
Fri May 3 13:43:02 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq ipset complile option not available -- Upgrade to dnsmasq-full version. Unable to configure walledgarden....]
Fri May 3 13:43:02 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq nftset complile option not available - Upgrade to dnsmasq-full version. Trying ipset option....]
Fri May 3 13:43:03 2024 daemon.warn opennds[21563]: libopennds - [Warning: dnsmasq ipset complile option not available -- Upgrade to dnsmasq-full version. Unable to configure blocklist....]

Post the whole log? It is still busy. It does not get back to the prompt. Is that normal ?
image

@bluewavenet
Member

Keep watching.

daemon.warn These are warnings telling you that you cannot use certain functions yet eg walledgarden etc.
If needed later you can install the necessary support packages.

@bluewavenet
Member

@geedsen
Just press Ctrl-C to get back to the prompt.

@bluewavenet
Member

@geedsen

It looks like it started up ok.
Show the output of:
ndsctl status

@geedsen
Author

geedsen commented May 3, 2024

openNDS Status
====
Version: 10.2.0
Uptime: 10m 37s
Gateway Name: [ openNDS Node:ccd8438f0868  ]
Debug Level: [ 1 ]
Gateway FQDN: [ status.client ]
Managed interface: br-lan
Upstream gateway(s) [ online:192.168.2.1,wan  ]
MHD Server [ version 0.9.77 ] listening on: http://192.168.1.1:2050
Maximum Html Page size is [ 10240 ] Bytes
Preemptive Authentication is Enabled
Binauth Script: /usr/lib/opennds/binauth_log.sh
ThemeSpec Core Library: /usr/lib/opennds/libopennds.sh
FAS: Secure Level 1, URL: http://status.client:2050/opennds_preauth/
Client Check Interval: 15s
Rate Check Window: 2 check intervals (30s)
Preauthenticated Client Idle Timeout: 30m
Authenticated Client Idle Timeout: 120m
Download rate limit threshold (default per client): no limit
Upload rate limit threshold (default per client): no limit
Download quota (default per client): no limit
Upload quota (default per client): no limit
Total download: 730 kByte; average: 9.39 kbit/s
Total upload: 322 kByte; average: 4.15 kbit/s
====
Client authentications since start: 1
Current clients: 1

Client 0
  Client Type: cpd_can
  IP: 192.168.1.176 MAC: d6:15:ef:c1:17:98
  Last Activity: Fri May 03 13:53:32 2024 (0s ago)
  Session Start: Fri May 03 13:52:48 2024 (44s ago)
  Session End:   Sat May 04 13:52:48 2024 (23h 59m 16s left)
  Token: 9f4777aa
  State: Authenticated
  Download Rate Limit Threshold: not set
  Upload Rate Limit Threshold: not set
  Download quota: not set
  Upload quota: not set
  Download this session: 728 kB; Session average: 135.60 kb/s
  Upload this session: 18 kB; Session average: 3.48 kb/s

====
Trusted MAC addresses:
none
====
Walledgarden FQDNs:
none

Walledgarden Ports:
all
====
Blocklist FQDNs:
none

Blocklist Ports:
all

image

@geedsen
Author

geedsen commented May 3, 2024

Where can I find the html files to modify them? I can now indeed get to http://status.client. Pretty amazing what it shows in the advanced account details. So what would be a good option to limit the internet access to customers?

@bluewavenet
Member

@geedsen
I edited your post. When adding blocks of preformatted text, surround them with two lots of 3 backtick characters or use the <> symbol on the menu bar at the top of the text box you are writing in.
This makes it easy to see the outputs of commands for example.

Where can I find the html files

There are no html files. The html is dynamically generated by the ThemeSpec scripts. Easy to do, but not yet.

Let's change the splash page sequence.

Do:

uci set opennds.@opennds[0].login_option_enabled='2'
uci commit opennds
service opennds restart

Give it a couple of minutes to get restarted then go to http://status.client and log out then log back in again and see what the login page looks like.

@bluewavenet
Member

@geedsen
I have to do some of my paid job now but will still be around, just might take a while to answer.

@geedsen
Author

geedsen commented May 3, 2024

Splash with name and email is working now.

@bluewavenet
Member

@geedsen
You can look at /tmp/ndslog to see the log files.

@bluewavenet
Member

@geedsen
I don't have time right now to go into any depth, but if you want to try the voucher themespec, installation instructions are here:
https://github.com/openNDS/openNDS/tree/master/community/themespec/theme_voucher

@geedsen
Author

geedsen commented May 3, 2024

I will. Thanks

@geedsen
Author

geedsen commented May 4, 2024

@bluewavenet
Would you know other options to accomplish the restricted access to customers?

@geedsen
Author

geedsen commented May 4, 2024

Couple of questions about the voucher system:

  1. I don't understand what this part means, what it does.
    image
  2. How would I need to change the theme_voucher.sh such that this
    "output=$(grep $voucher $voucher_roll | head -n 1) # Store first occurence of voucher as variable"
    would be an api call to a rest api that obtains the value

@geedsen
Author

geedsen commented May 4, 2024

I guess to answer my own question that would be something like this:

```sh
# Fetch the voucher record from the REST API and print the raw response
result=$(curl -X GET --header "Accept: */*" "http://localhost:9090/employees")
echo "Response from server"
echo "$result"
exit
```

@bluewavenet
Member

@geedsen

options to accomplish the restricted access to customers?

There are many options you can specify in the config before even considering customising the login process.

Config options:

  1. Time quota
  2. Volume quota
  3. Rate quota
  4. Fair usage policy
  5. All of the above in combination.

If you want to create your own login system, ie a "credential verification system", it is down purely to your own imagination!

The community produced voucher system is provided only as an example, and should be seen as a guideline to indicate how customisation can be done and not a "production ready" system.

It is not officially supported by the openNDS project, but you may get some help from others that have used it.

I would however not recommend any voucher system as there is an ongoing admin requirement for the venue.
Your daughter's time is precious and she needs to be selling coffee and snacks to her customers and not wasting time handing out vouchers, showing people how to do it etc etc.

There is a pinned example here that would be worth reading:
#509

Although it is for different hardware, it is very much applicable to your daughter's cafe.
The principle is to "keep it simple".

It shows how to add your own logo, change a few things on the page etc etc.

You would not need to go as far as setting up an Internet hosted FAS server unless your daughter wanted to build a chain of coffee shops, but it would not do any harm either, particularly if she is going to have a web site - FAS could very likely be hosted there.

You should read this example and come back to me with questions/ideas....

For reference, the full openNDS documentation is available here:
https://opennds.readthedocs.io

@geedsen
Author

geedsen commented May 5, 2024

I guess the problem with all the options you mention is that it won't stop people outside of the cafe using it, right?

@geedsen
Author

geedsen commented May 5, 2024

Question , if I want to modify the .sh script, can I easily debug it somehow, see what it is doing?

@bluewavenet
Member

@geedsen

it wont stop people outside of the cafe using it right?

The purpose of the "free wifi" is to encourage people to come in to the cafe, but yes people outside will try to use it if it is open.
It depends on the situation. If locals have limited or expensive Internet access, they will try to leach off the cafe signal.
This might not matter if it encourages some to come in and buy a coffee, but on the other hand, if the whole area is suffering from a lack of Internet, it could be a problem. You will have to outline the situation for me ;-)

Your location and my location could be very different in terms of how easy it is to get Internet access!

To minimise leaching you could:

  1. reduce the transmitted power to reduce coverage outside the cafe area
  2. Limit login time
  3. set volume and speed quotas
  4. dramatically restrict speed after a set time (fair usage policy)
  5. limit total number of simultaneous logins to match expected demand

This might not be sufficient for your needs, but the principle of keeping it simple (for your daughter at least - because her primary focus should be running the cafe).

How about this:

  1. You set up a basic login page, with logo, custom text etc etc.
  2. You provide a simple admin page for "staff" to log in and set a code that must be entered along with username and email.
  3. This code can be changed at any time say once a week or every morning, but is the same for everyone. Customers get the code on request. This will minimise the overhead on staff that would exist when having to manage vouchers. It would be in effect a very much simplified version of the voucher system

can I easily debug it somehow

You can turn debuglevel to 3 and see all the detail of what is going on in the system log (logread command)

But to debug scripts where you might have a bit of code in error, you can test in foreground mode, not running as a service.

@geedsen
Author

geedsen commented May 5, 2024

Thanks again. As you can see on the photo, most people living there are poor, very poor. But one thing they all have is a mobile phone :) They buy prepaid data SIMs and data packages, and that is expensive for them. There is no doubt that they would use any free wifi if they get the chance, and I really cannot blame them. But it is not something my daughter can finance for them. In the end they may find out that it might sometimes be cheaper to get a coffee there and do their mail/WhatsApp/YouTube than to buy data for their phone.

I will look into the possibilities and also discuss it with my daughter.

What I would like to try is to create a small application that generates the voucher code on the fly. Basically she would use an app on her phone with a single button "Generate code", it will generate a 4 character code which will be visible in a large font on the app. She can show that then to the customer.

The app uses a rest api, and the api that generates the code will store that in a database in the same format as the vouchers.txt now does. And the opennds voucher script will just query the api with the generated code and will get the same thing back that it now gets from the vouchers.txt. So there is very limited administration required.
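The lookup described in this plan, as an added example that is not part of the thread, of openNDS or of theme_voucher.sh: the voucher code is validated before it is used for the roll lookup or placed in a URL, the match is on the whole first field rather than the substring match of the `grep $voucher $voucher_roll | head -n 1` line quoted earlier, and the same validated lookup is shown against a REST endpoint. The API URL is hypothetical and the meaning of the roll fields is an assumption based on the sample line ZRPN-TVJO,1024,1024,0,0,1440,0.

```shell
#!/bin/sh
# Added example (not from openNDS or theme_voucher.sh): look up a voucher code
# safely, from a roll file or from a REST API, and split the line into fields.
# Field meanings are an assumption based on the sample line quoted in the thread.

# Constructed sample roll in the same shape as vouchers.txt (written to a temp file).
VOUCHER_ROLL=$(mktemp)
trap 'rm -f "$VOUCHER_ROLL"' EXIT
cat > "$VOUCHER_ROLL" <<'EOF'
ZRPN-TVJO,1024,1024,0,0,1440,0
ABCD-EFGH,2048,512,500,100,120,0
ZRPN-TVJO,9999,9999,0,0,1,0
EOF

# Accept only the code shape the roll uses: four capitals, a dash, four capitals.
# Anything else (regex metacharacters, spaces, URL syntax) is rejected before it
# can reach grep/awk or be appended to a URL. LC_ALL=C keeps [A-Z] strict.
valid_voucher() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[A-Z]{4}-[A-Z]{4}$'
}

# Whole-field match on the first column, first occurrence wins. Same intent as
# "grep $voucher $voucher_roll | head -n 1", but "ZRPN" no longer matches
# "ZRPN-TVJO" and the code is never interpreted as a pattern.
# Returns 2 for a malformed code, 1 when the code is not on the roll.
lookup_voucher() {
    code=$1
    roll=$2
    valid_voucher "$code" || return 2
    line=$(awk -F, -v code="$code" '$1 == code { print; exit }' "$roll")
    [ -n "$line" ] || return 1
    printf '%s\n' "$line"
}

# Return field N (1-based) of a roll line, e.g. 6 for the session length.
voucher_field() {
    printf '%s\n' "$1" | cut -d, -f"$2"
}

# Same lookup against a REST endpoint (hypothetical URL; the API is the user's
# own). Only a validated code is placed in the URL, curl fails on HTTP errors,
# and the reply must carry the requested code in field 1 before it is trusted.
lookup_voucher_api() {
    code=$1
    base=${2:-http://api.example.invalid/vouchers}
    valid_voucher "$code" || return 2
    line=$(curl -sS -f --max-time 5 -H 'Accept: text/plain' "$base/$code") || return 1
    [ "$(voucher_field "$line" 1)" = "$code" ] || return 1
    printf '%s\n' "$line"
}

# Stand-alone demonstration against the constructed roll.
if line=$(lookup_voucher ZRPN-TVJO "$VOUCHER_ROLL"); then
    echo "found: $line (field 6 = $(voucher_field "$line" 6))"
fi
lookup_voucher 'ZRPN' "$VOUCHER_ROLL" || echo "rejected malformed code (status $?)"
lookup_voucher WXYZ-WXYZ "$VOUCHER_ROLL" || echo "not on roll (status $?)"
```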

@bluewavenet
Member

@geedsen

So there is very limited administration required.

That is the most important factor to consider. In a very short time, the overhead could otherwise make having wifi seem like a bad decision.

@geedsen
Author

geedsen commented May 8, 2024

@bluewavenet What exactly are these speed limits in the voucher:
ZRPN-TVJO,1024,1024,0,0,1440,0

1024 what?
If my router can do speeds up to 300Mbps, what is this 1024 then exactly? 1Mb?

@geedsen
Author

geedsen commented May 8, 2024

And another question: why can I not reach the API on my local PC from OpenWrt?
image

@bluewavenet
Member

@geedsen

1024 what?

It is probably Kb/s. I am guessing because, as I mentioned, this is not officially supported.

@bluewavenet
Member

@geedsen

why can I not reach the api on my local pc from OpenWrt

For security reasons, ad hoc access to services on the local network from the router is blocked by openNDS.
You will have to specifically allow access to the router from your PC and initiate the transfer at the PC.
This would typically be done using scp.

@geedsen
Author

geedsen commented May 8, 2024

@bluewavenet Can that be managed with the Walled Garden as well?

@bluewavenet
Member

@geedsen

Can that be managed with the Walled Garden as well?

No, the walled garden is to allow preauthenticated users to access Internet hosted resources before logging in.

@geedsen
Author

geedsen commented May 8, 2024

But I need the voucher sh script to access an api outside. I am testing it from the console logged in on root, but in the end it needs to be the script doing it.

@geedsen
Author

geedsen commented May 8, 2024

I can now access my rest api from the root account in OpenWrt. On incoming home network router I forwarded a port to the pc running my rest api (in Visual Studio). So from OpenWrt using my DDNS name, I can get to the api. Will that work from the voucher script as well?

@bluewavenet
Member

@geedsen

Will that work from the voucher script as well?

I don't know of anything built into the voucher script, but I don't see why you could not add it...
