question, not an issue really. Getting it to work... #587
@geedsen This can also be used as part of RFC 8910 support (Captive-Portal Identification in DHCP and Router Advertisements (RAs)). Clearly, with a captive portal running in default mode, you cannot access port 80 of the router. Some years ago, Luci was changed to allow access using https on port 443, with access via http on port 80, although deprecated, still being provided. BUT NOT when you have a captive portal. You MUST use https on port 443. As openNDS configures a gateway FQDN, you can use that for accessing Luci without having to remember the gateway ip address. By default, when openNDS is running, you can get to Luci using this URL: Note, however - There is no support whatsoever for openNDS in Luci.
To find out what is going on, to start with, we need to know:
|
Ok. I just discovered I was accessing the router from my home network via the router's lan interface, while I assumed it was via the WAN interface. First of all I disabled openNDS. Need to get openWrt working correctly first. Shall I ask my questions here or shall I move to the openWrt forum for it? But to answer the questions
|
Might as well continue here. What is the router? ie make/model
It is very unusual to configure the wan interface as a static ipv4 address. The default proto 'dhcp' is the safest and best unless you have a very good reason to change it.
Configuring lan as static is indeed the norm and the default. Also, the default lan address in OpenWrt is 192.168.1.1
Why do you need to override the wan mac address? It would be safer to reset back to defaults at this stage. |
It is a xiaomi ax3000t, and running "openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-squashfs-sysupgrade.itb" |
Usually press and hold for around 15 seconds, depending on make/model. If successful it will have its wireless disabled and you have to connect by lan ethernet to turn it on. Show the output of: |
Ok. reset done. wireless turned on. I can now access it via ssh and luci via 192.168.1.1 (moved luci to port 8080 and 8443). So I could now give the wan a static address I guess (I can see it picked up something using dhcp)? |
Why? BTW port 8080 is reserved for other packages eg proxies, but probably will not be a problem.
Not needed and probably best not done. Why would you even want the address? It will be useless for incoming because of the default OpenWrt firewall. If you really need it, just run |
Again confusion here :( It was my understanding that luci on port 80 conflicts with openNDS. |
@geedsen Why can your daughter not offer free Internet? openNDS has many tools to limit customers without resorting to a voucher system... We can go into options once you get the basic system running. |
No, it is blocked by openNDS in addition to being deprecated in OpenWrt, even if it is still there by default. Maybe removed next release? Who knows, other than "deprecated" means end of life. Luci should be accessed via https (port 443 by default). |
It is free for her customers. Have a coffee and you get 2 hours of wifi. Something like that. It is not that they need to pay for the internet access itself. But the seating is outside in a garden. And she cannot provide internet to everybody standing next to it. |
@geedsen |
Ok. Moved it back to 443 and removed 8080 altogether. Installed the services tab. When changing the listening ports using the services tab, I was hoping that the generated certificate would remove the 'non secure' warning in the browser. But it did not. |
That must be something in Luci? I have never heard of it ;-) I do not use Luci, or hardly ever.
This is because the certificate is self signed. Not much can be done about it other than accept it and let your browser create an exception, after which you will no longer see the popup error. Remember it is not insecure as such, just a warning that it is self signed. All access to Luci will be encrypted compared with if you use http on port 80 or 8080 or whatever, where all traffic to/from Luci will be clear text on the air. It is not possible to have an externally registered/signed certificate for use on a local network - a problem with ipv4 rather than anything else. |
Thanks for the help so far. Looks like openWrt is working now as expected. So next openNDS? Install it again? |
@geedsen
This applies worldwide and is enforced more and more, the degree depending on location of course. |
Yes but it is best NOT to use Luci, so we can see what is going on. With the Internet feed live, do:
You will be able to watch it starting and look for errors. |
Yes, those legal reasons are important too. |
Keep watching.
|
@geedsen |
It looks like it started up ok. |
|
Where can I find the html files to modify them? I can now indeed get to http://status.client. Pretty amazing what it shows in the advanced account details. So what would be a good option to limit the internet access to customers? |
@geedsen
There are no html files. The html is dynamically generated by the ThemeSpec scripts. Easy to do, but not yet. Let's change the splash page sequence. Do:
Give it a couple of minutes to get restarted then go to http://status.client and log out then log back in again and see what the login page looks like. |
@geedsen |
Splash with name and email is working now. |
@geedsen |
@geedsen |
I will. Thanks |
@bluewavenet |
Couple of questions about the voucher system: |
I guess to answer my own question that would be something like this: |
There are many options you can specify in the config before even considering customising the login process. Config options:
If you want to create your own login system, ie a "credential verification system", it is down purely to your own imagination! The community produced voucher system is provided only as an example, and should be seen as a guideline to indicate how customisation can be done and not a "production ready" system. It is not officially supported by the openNDS project, but you may get some help from others that have used it. I would however not recommend any voucher system as there is an ongoing admin requirement for the venue. There is a pinned example here that would be worth reading: Although it is for different hardware, it is very much applicable to your daughter's cafe. It shows how to add your own logo, change a few things on the page etc etc. You would not need to go as far as setting up an Internet hosted FAS server unless your daughter wanted to build a chain of coffee shops, but it would not do any harm either, particularly if she is going to have a web site - FAS could very likely be hosted there. You should read this example and come back to me with questions/ideas.... For reference, the full openNDS documentation is available here: |
I guess the problem with all the options you mention is that it won't stop people outside of the cafe using it, right? |
Question , if I want to modify the .sh script, can I easily debug it somehow, see what it is doing? |
The purpose of the "free wifi" is to encourage people to come in to the cafe, but yes people outside will try to use it if it is open. Your location and my location could be very different in terms of how easy it is to get Internet access! To minimise leeching you could:
This might not be sufficient for your needs, but the principle of keeping it simple (for your daughter at least - because her primary focus should be running the cafe). How about this:
You can turn debuglevel to 3 and see all the detail of what is going on in the system log (logread command). But to debug scripts where you might have a bit of code in error, you can test in foreground mode, not running as a service. |
Thanks again. As you can see on the photo, most people living there are poor, very poor. But one thing they all have is a mobile phone :) They buy data prepaid sims and data packages. And that is expensive for them. There is no doubt that they would use any free wifi if they get the chance, and I really cannot blame them. But it is not something my daughter can finance for them. In the end they may find out that it might be sometimes cheaper to get a coffee there and do their mail/whatsapp/youtube than to buy data for their phone. I will look into the possibilities and also discuss it with my daughter. What I would like to try is to create a small application that generates the voucher code on the fly. Basically she would use an app on her phone with a single button "Generate code", it will generate a 4 character code which will be visible in a large font on the app. She can show that then to the customer. The app uses a rest api, and the api that generates the code will store that in a database in the same format as the vouchers.txt now does. And the opennds voucher script will just query the api with the generated code and will get the same thing back that it now gets from the vouchers.txt. So there is very limited administration required. |
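An added sketch of the server side of the on-the-fly voucher idea described in the post above; it is not part of the original thread and is not openNDS or community voucher code. The class and function names, the 15-minute redeem window and the 5-attempt lockout are assumptions, and the REST layer and the vouchers.txt record format are left out because the thread does not show them.

```python
import math
import secrets
import time

ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # 31 symbols, look-alikes (0/O, 1/I/L) dropped
CODE_LEN = 4             # from the post: a 4 character code
REDEEM_WINDOW = 15 * 60  # assumption: seconds a code stays valid before first use
SESSION_MINUTES = 120    # from the thread: a coffee buys 2 hours of wifi
MAX_FAILS = 5            # assumption: wrong codes tolerated per client device


class VoucherStore:
    def __init__(self):
        self.active = {}  # code -> time after which it can no longer be redeemed
        self.fails = {}   # client id (e.g. MAC address) -> wrong codes entered

    def issue(self, now=None):
        """Create a fresh code with the OS CSPRNG and return it."""
        now = time.time() if now is None else now
        self.active = {c: t for c, t in self.active.items() if t > now}  # purge expired
        while True:
            code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
            if code not in self.active:
                self.active[code] = now + REDEEM_WINDOW
                return code

    def redeem(self, code, client, now=None):
        """Return session minutes for a valid code, 0 otherwise. Codes are single use."""
        now = time.time() if now is None else now
        if self.fails.get(client, 0) >= MAX_FAILS:
            return 0  # locked out: stops a device cycling through guesses
        deadline = self.active.pop(code.strip().upper(), None)
        if deadline is None or deadline <= now:
            self.fails[client] = self.fails.get(client, 0) + 1
            return 0
        return SESSION_MINUTES


def guess_odds(active_codes, guesses):
    """Chance that `guesses` distinct tries hit at least one active code."""
    space = len(ALPHABET) ** CODE_LEN
    return 1 - math.comb(space - active_codes, guesses) / math.comb(space, guesses)
```

A 4 character code is short, so the single-use rule, the short redeem window and the per-device lockout do the real work: with 10 unused codes outstanding and 5 tries per device, `guess_odds(10, 5)` is roughly 5 in 100,000.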
That is the most important factor to consider.. In a very short time, the overhead could otherwise make having wifi seem like a bad decision. |
@bluewavenet What exactly is this speed limits in the voucher: 1024 what? |
It is probably Kb/s. I am guessing because, as I mentioned, this is not officially supported. |
For security reasons, ad hoc access to services on the local network from the router is blocked by openNDS. |
@bluewavenet Can that be managed with the Walled Garden as well? |
No, the walled garden is to allow preauthenticated users to access Internet hosted resources before logging in. |
But I need the voucher sh script to access an api outside. I am testing it from the console logged in on root, but in the end it needs to be the script doing it. |
I can now access my rest api from the root account in OpenWrt. On incoming home network router I forwarded a port to the pc running my rest api (in Visual Studio). So from OpenWrt using my DDNS name, I can get to the api. Will that work from the voucher script as well? |
I don't know of anything built into the voucher script, but I don't see why you could not add it... |
New to OpenWrt and openNDS, so please be kind :)
I installed openWrt with Luci and openNDS on my router.
Before installing openNDS, luci was accessible. After the installation it no longer was. Apparently now blocked by openNDS
However I would have expected that connecting my Samsung phone to the wireless LAN would now open a splash page then as well. But it does not. It just gives me access.
So how do I get access to luci again and how do I enable the splash screen?
I read about http://status.client , now I wonder how this should/could work? Only on a device connected to the router's wifi? Any help appreciated.