Re: Captive portal with OpenBSD as a hostap
On 08/10/15 23:17, Predrag Punosevac wrote:
> Somebody will correct me if I am wrong but the way that Authpf works (I have configured it in the past) is to load a new set of PF rules after a successful ssh login. My understanding is that by default the traffic remains unencrypted unless we use more PF magic to force HTTP traffic (HTTPS should be encrypted itself) through some kind of VPN over SSH. That way this chapter of the Book of PF was always such a mystery to me
>
> http://home.nuug.no/~peter/pf/en/vegard.authpf.html

authpf indeed loads rules per user, and also adds the user's IP to the authpf_users table. This is done to allow further traffic to be routed through the ssh gateway (from authenticated users). It does not encrypt traffic. Usually you're doing this on the same LAN (client/server). The http redirect in the book is mostly a redirect to an information page (and maybe an ssh download location).

> as my understanding is that wpa2 will encrypt the entire traffic (I am not discussing how securely). Installing ssh clients on various tablets/smart phones is a non-trivial thing for an uneducated user. Since I don't want to disturb bad spirits and bring back old flame wars fought over a web interface for AuthPF I would like to suggest something else.
>
> Namely OpenBSD includes npppd and IPSec and setting up an L2TP over IPsec VPN is a breeze as I found out by setting it up.
>
> http://marc.info/?l=openbsd-misc=142791463307903=2
>
> In my experience most Android/Kindle/smart phone devices have a client for L2TP via IPSec and it is very easy to use. What I am trying to say is that one could set up an "unprotected" WiFi network allowing only L2TP/IPSec authentication. Once a device is authenticated, PF rules would allow HTTP, HTTPS and what not through the L2TP/IPSec VPN tunnel. The devices will have an Internet connection. The whole traffic will be inside an encrypted tunnel and no special software will be required on Android/smart phone devices.
>
> Best,
> Predrag

Have in mind that the traffic is encrypted only from the client to the vpn server and not up to the final destination. A VPN is usually used to get into the network from remote locations, or to remotely use local network resources to get out. Nevertheless it's an option :)

Another option would be 802.1x but the OP asked for a captive portal and we're getting off topic...

regards,
G
Re: Captive portal with OpenBSD as a hostap
Kapetanakis Giannis wrote:
>
> On 05/10/15 14:35, David Coppa wrote:
> > On Mon, Oct 5, 2015 at 1:18 PM, C.L. Martinez wrote:
> >> Hi all,
> >>
> >> I have installed an openbsd vm to work as a hostap for tablets and
> >> smartphones (android and iOS).
> >>
> >> All is working ok: pf, hostapd and dhcpd server. All tablets and
> >> smartphones that I have tested work ok, connect and surf the Internet.
> >>
> >> But now I am thinking to use some type of auth (user/pass using a SSL/TLS
> >> channel) instead of using wpa/wpa2 keys.
> >>
> >> Some time ago there existed this project: Chillispot (http://www.chillispot.org/)
> >> but it seems discontinued.
> >>
> >> Does someone know any type of project/software to accomplish this? I would
> >> like to keep it as simple as I can.
> >>
> >> Thanks.
> >>
> > You could try CoovaChilli.
> >
> > https://github.com/sevan/coova-chilli/
> >
> > http://coova.github.io/
> >
> > Ciao
> > David
>
> Another option you could look at is authpf(8) which is in base.
> Not a web based captive portal, but a similar setup with ssh.
>
> G

Somebody will correct me if I am wrong but the way that Authpf works (I have configured it in the past) is to load a new set of PF rules after a successful ssh login. My understanding is that by default the traffic remains unencrypted unless we use more PF magic to force HTTP traffic (HTTPS should be encrypted itself) through some kind of VPN over SSH. That way this chapter of the Book of PF was always such a mystery to me

http://home.nuug.no/~peter/pf/en/vegard.authpf.html

as my understanding is that wpa2 will encrypt the entire traffic (I am not discussing how securely). Installing ssh clients on various tablets/smart phones is a non-trivial thing for an uneducated user. Since I don't want to disturb bad spirits and bring back old flame wars fought over a web interface for AuthPF I would like to suggest something else.

Namely OpenBSD includes npppd and IPSec and setting up an L2TP over IPsec VPN is a breeze as I found out by setting it up.

http://marc.info/?l=openbsd-misc=142791463307903=2

In my experience most Android/Kindle/smart phone devices have a client for L2TP via IPSec and it is very easy to use. What I am trying to say is that one could set up an "unprotected" WiFi network allowing only L2TP/IPSec authentication. Once a device is authenticated, PF rules would allow HTTP, HTTPS and what not through the L2TP/IPSec VPN tunnel. The devices will have an Internet connection. The whole traffic will be inside an encrypted tunnel and no special software will be required on Android/smart phone devices.

Best,
Predrag
Re: Captive portal with OpenBSD as a hostap
Here is the diff I made, it simply calls a program when a user logs in with authpf and when a user logs out. to use this diff you must add these lines to authpf.conf start=/path/to/startsession.pl end=/path/to/endsession.pl follows is the diff Index: src/usr.sbin/authpf/authpf.c === RCS file: /cvs/src/usr.sbin/authpf/authpf.c,v retrieving revision 1.123 diff -u -r1.123 authpf.c --- src/usr.sbin/authpf/authpf.c 21 Jan 2015 21:50:32 - 1.123 +++ src/usr.sbin/authpf/authpf.c 8 Oct 2015 01:21:58 - @@ -52,12 +52,15 @@ static int change_filter(int, const char *, const char *); static int change_table(int, const char *); static void authpf_kill_states(void); +static int exec_callback(int); int dev; /* pf device */ char anchorname[PF_ANCHOR_NAME_SIZE] = "authpf"; char rulesetname[PATH_MAX - PF_ANCHOR_NAME_SIZE - 2]; char tablename[PF_TABLE_NAME_SIZE] = "authpf_users"; int user_ip = 1; /* controls whether $user_ip is set */ +char startcommand[PATH_MAX - PF_ANCHOR_NAME_SIZE - 2] = ""; +char endcommand[PATH_MAX - PF_ANCHOR_NAME_SIZE - 2] = ""; FILE *pidfp; int pidfd = -1; @@ -411,6 +414,19 @@ sizeof(tablename)) >= sizeof(tablename)) goto parse_error; } + if (strcasecmp(pair[0], "start") == 0) { + if (!pair[1][0] || strlcpy(startcommand, pair[1], + sizeof(startcommand)) >= sizeof(startcommand)) + goto parse_error; + syslog(LOG_INFO, "start: %s", startcommand); + } + + if (strcasecmp(pair[0], "end") == 0) { + if (!pair[1][0] || strlcpy(endcommand, pair[1], + sizeof(endcommand)) >= sizeof(endcommand)) + goto parse_error; + syslog(LOG_INFO, "end: %s", endcommand); + } } while (!feof(f) && !ferror(f)); fclose(f); return (0); 
@@ -821,11 +837,23 @@ goto error; } + if (startcommand != NULL) { + if (exec_callback(0) != 0) { + goto error; + } + } + gettimeofday(, NULL); syslog(LOG_INFO, "allowing %s, user %s", ipsrc, luser); } else { remove_stale_rulesets(); + if (endcommand != NULL) { + if (exec_callback(1) != 0) { + goto error; + } + } + gettimeofday(, NULL); syslog(LOG_INFO, "removed %s, user %s - duration %d seconds", ipsrc, luser, (int)(Tend.tv_sec - Tstart.tv_sec)); 
@@ -952,3 +980,78 @@ syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile); exit(ret); } + +/* + * execute an external program on start and or end of session + */ +static int +exec_callback(int end) +{ + pid_t pid; + gid_t gid; + int s; + char prog[PATH_MAX - PF_ANCHOR_NAME_SIZE - 2]; + char *pargv[5] = {"/bin/ls", "luser", "ip", "pid", NULL}; + + if (end == 0) { + if (startcommand != NULL) { + strlcpy(prog, startcommand, sizeof(startcommand)); + } else { + goto done; + } + } + + if (end == 1) { + if (endcommand != NULL) { + strlcpy(prog, endcommand, sizeof(endcommand)); + } else { + goto done; + } + } + + pargv[0] = prog; + pargv[1] = luser; + pargv[2] = ipsrc; + if (asprintf([3], "%ld", (long)getpid()) == -1) + goto no_mem; + + switch (pid = fork()) { + case -1: + syslog(LOG_ERR, "fork failed"); + goto error; + case 0: + /* revoke group privs before exec */ + gid = getgid(); + if (setregid(gid, gid) == -1) { + err(1, "setregid"); + } + + execvp(prog, pargv); + syslog(LOG_INFO, "exec of %s %s %s %s", prog, pargv[1], + pargv[2], pargv[3]); + warn("exec of %s %s %s %s [] failed", prog, pargv[1], + pargv[2], pargv[3]); + _exit(1); + } + + /* parent */ + waitpid(pid, , 0); + if (s != 0) { + syslog(LOG_ERR, "%s exited abnormally", prog); + goto error; + } +done: + return (0); + +no_mem: + if (errno == ENOMEM) + syslog(LOG_ERR, "calloc failed"); + syslog(LOG_ERR, "NO MEM"); + return (-1); + +error: + free(pargv[3]); + syslog(LOG_ERR, "ERROR RETURNING -1"); + return (-1); +} + PS: I have used this for a little pocket money ISP for three years now along side a custom sqlite db for authentication on web, scraping zeroed users in pf is the way to go with a cron job. On 10/06/2015 07:43 AM, C. L. Martinez wrote: On Mon, Oct 5, 2015 at 1:26 PM, laudarchwrote: I made a custom implementation and a diff to authpf, will share that later just in case anyone wants it. I hope this helps you, it pretty simple http://bastienceriani.fr/?p=70 Thanks laudarch ... 
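Review bot: the `startcommand` and `endcommand` buffers added in the `@@ -52,12 +52,15 @@` hunk are sized `PATH_MAX - PF_ANCHOR_NAME_SIZE - 2`, which copies the arithmetic used for `rulesetname` (an anchor path that must leave room for the anchor name and a separator) but means nothing for a command path; declare them `char startcommand[PATH_MAX] = "";` and the same for `endcommand`. Because they are arrays, the `startcommand != NULL` tests later in the diff can never be false; the emptiness of these strings is what the rest of the code actually needs to check.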
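Review bot: the `start`/`end` parser in the `@@ -411,6 +414,19 @@` hunk accepts any non-empty string and later hands it to `execvp()`, so a relative value in authpf.conf is resolved through whatever `PATH` the ssh login session brought along; require an absolute path here (`if (pair[1][0] != '/') goto parse_error;`) so the callback is unambiguous. The two `syslog(LOG_INFO, "start: %s", startcommand);` and `"end: %s"` lines log the configured paths on every session; drop them or make them `LOG_DEBUG`.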
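Review bot: in the `@@ -821,11 +837,23 @@` hunk, `if (startcommand != NULL)` and `if (endcommand != NULL)` compare the address of a `char` array with NULL, so both are always true and exec_callback() is entered on every login and logout even when no `start=`/`end=` line was configured; test `if (startcommand[0] != '\0')` and `if (endcommand[0] != '\0')` instead (the identical always-true tests inside exec_callback() then become redundant). In the log-in branch the start callback fails with `goto error` after the user's ruleset and table entry are already in place, so confirm that the `error` path removes them rather than leaving an authenticated IP whose session start was never recorded.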
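Review bot: exec_callback() in the `@@ -952,3 +980,78 @@` hunk leaks the string asprintf() stores in `pargv[3]` on the success path (only the `error:` label frees it), leaves `s` uninitialised when waitpid() fails and compares the raw wait status instead of `WIFEXITED(s) && WEXITSTATUS(s) == 0`, copies with `strlcpy(prog, startcommand, sizeof(startcommand));` where `sizeof(prog)` is the idiomatic bound, and reports "calloc failed" for an asprintf() failure. Two points for the child: it only revokes group privileges with setregid() before execvp(), so the external program inherits whatever uid authpf is running with, and an exec failure is logged at LOG_INFO with a message that does not say it failed; drop to the real uid as well when the callback does not need the privilege, use execv() with the absolute path from the config, and log the failure at LOG_ERR. The `"/bin/ls"`, `"luser"`, `"ip"`, `"pid"` placeholders in the `pargv` initialiser are all overwritten before use and could simply be `NULL`.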
Very close to what I am searching... I will try your config.
Re: Captive portal with OpenBSD as a hostap
On Mon, Oct 5, 2015 at 1:26 PM, laudarch wrote:
> I made a custom implementation and a diff to authpf, will share that
> later just in case anyone wants it.
>
> I hope this helps you, it's pretty simple
> http://bastienceriani.fr/?p=70
>

Thanks laudarch ... Very close to what I am searching for... I will try your config.
Re: Captive portal with OpenBSD as a hostap
On 05/10/15 16:26, laudarch wrote:
> I made a custom implementation and a diff to authpf, will share that later just in case anyone wants it.
>
> I hope this helps you, it's pretty simple
> http://bastienceriani.fr/?p=70

That's nice, but how do you log out inactive users/IPs?
There is no such option in pf
a) expire after a certain amount of time and/or
b) expire after a certain amount of inactivity

pfsense (sorry) uses pf for all its firewalling and ipf for tracking down users coming from its captive portal.

G
Re: Captive portal with OpenBSD as a hostap
On Mon, Oct 5, 2015 at 4:47 PM, Kapetanakis Giannis wrote:
> On 05/10/15 16:26, laudarch wrote:
>>
>> I made a custom implementation and a diff to authpf, will share that
>> later just in case anyone wants it.
>>
>> I hope this helps you, it's pretty simple
>> http://bastienceriani.fr/?p=70
>
>
> That's nice, but how do you log out inactive users/IPs?
> There is no such option in pf
> a) expire after a certain amount of time and/or

pfctl -t loggedusers -T expire 3600 # expire after one hour, regardless of activity

> b) expire after a certain amount of inactivity
>
> pfsense (sorry) uses pf for all its firewalling and ipf for tracking down
> users coming from its captive portal.
>
> G
Re: Captive portal with OpenBSD as a hostap
On 06/10/15 01:04, Abel Abraham Camarillo Ojeda wrote:
>> That's nice, but how do you log out inactive users/IPs?
>> There is no such option in pf
>> a) expire after a certain amount of time and/or
> pfctl -t loggedusers -T expire 3600 # expire after one hour, regardless of activity

you're right on this. I'm also using it for bruteforcers but I'd forgotten.
My main concern is inactive users.

G
Re: Captive portal with OpenBSD as a hostap
On Mon, Oct 5, 2015 at 5:18 PM, Kapetanakis Giannis wrote:
> On 06/10/15 01:04, Abel Abraham Camarillo Ojeda wrote:
>>
>>
>> That's nice, but how do you log out inactive users/IPs?
>> There is no such option in pf
>> a) expire after a certain amount of time and/or
>> pfctl -t loggedusers -T expire 3600 # expire after one hour,
>> regardless of activity
>
>
> you're right on this. I'm also using it for bruteforcers but I'd forgotten.
> My main concern is inactive users.
>
> G
>

# i think you can do that with two tables
table counters persist

run every hour:
# ${script that reads pfctl table and reads addresses with counters in zero};
# pfctl -t loggedusers2 -T zero; # zero remaining users counters

I've a script that does the first, but it probably should be written a _lot_ better...

~
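The "read the counters, drop the idle addresses, zero the rest" cron job that laudarch's PS and Abel's note above both describe, written out as an added example (not a script from the thread); it assumes a single table named loggedusers declared in pf.conf with `counters persist`, and the layout of `pfctl -T show -vv` output mirrored in the constructed SAMPLE:

```shell
#!/bin/sh
# Added example: expire idle captive-portal users from a pf table that keeps
# per-address counters. Assumes pf.conf has "table <loggedusers> counters persist"
# and that "pfctl -t loggedusers -T show -vv" prints the layout shown in SAMPLE.
TABLE=loggedusers

# Constructed sample of "pfctl -t $TABLE -T show -vv" output. The first user
# passed traffic since the counters were last zeroed; the second did not
# (blocked packets are not counted as activity).
SAMPLE='   192.168.1.5
        Cleared:     Mon Oct  5 12:00:00 2015
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 123                Bytes: 45678              ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 100                Bytes: 12345              ]
   192.168.1.9
        Cleared:     Mon Oct  5 12:00:00 2015
        In/Block:    [ Packets: 4                  Bytes: 256                ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]'

# idle_addrs: read "-T show -vv" output on stdin and print every address whose
# In/Pass and Out/Pass packet counters are both zero, one per line.
idle_addrs() {
    awk '
        # an address line carries only the address (IPv4, IPv6 or a prefix)
        $1 ~ /^[0-9A-Fa-f.:]+(\/[0-9]+)?$/ { flush(); addr = $1; passed = 0; next }
        # the packet count is the fourth field of the In/Pass and Out/Pass lines
        $1 == "In/Pass:" || $1 == "Out/Pass:" { passed += $4 }
        END { flush() }
        function flush() { if (addr != "" && passed == 0) print addr }
    '
}

# expire_idle: remove idle addresses from the live table, kill their states so
# the session really ends, then zero the survivors so the next run measures a
# fresh interval. Run it from cron at the chosen inactivity interval.
# Do not combine this with "-T expire" on the same table: "-T zero" also resets
# the Cleared time that "-T expire" measures from.
expire_idle() {
    pfctl -t "$TABLE" -T show -vv | idle_addrs | while read -r addr; do
        pfctl -t "$TABLE" -T delete "$addr"
        pfctl -k "$addr"
    done
    pfctl -t "$TABLE" -T zero
}
```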
Captive portal with OpenBSD as a hostap
Hi all,

I have installed an openbsd vm to work as a hostap for tablets and smartphones (android and iOS).

All is working ok: pf, hostapd and dhcpd server. All tablets and smartphones that I have tested work ok, connect and surf the Internet.

But now I am thinking to use some type of auth (user/pass using a SSL/TLS channel) instead of using wpa/wpa2 keys.

Some time ago there existed this project: Chillispot (http://www.chillispot.org/) but it seems discontinued.

Does someone know any type of project/software to accomplish this? I would like to keep it as simple as I can.

Thanks.
Re: Captive portal with OpenBSD as a hostap
On Mon, Oct 5, 2015 at 1:18 PM, C.L. Martinez wrote:
> Hi all,
>
> I have installed an openbsd vm to work as a hostap for tablets and
> smartphones (android and iOS).
>
> All is working ok: pf, hostapd and dhcpd server. All tablets and
> smartphones that I have tested work ok, connect and surf the Internet.
>
> But now I am thinking to use some type of auth (user/pass using a SSL/TLS
> channel) instead of using wpa/wpa2 keys.
>
> Some time ago there existed this project: Chillispot (http://www.chillispot.org/)
> but it seems discontinued.
>
> Does someone know any type of project/software to accomplish this? I would like to
> keep it as simple as I can.
>
> Thanks.
>

You could try CoovaChilli.

https://github.com/sevan/coova-chilli/

http://coova.github.io/

Ciao
David

--
"If you try a few times and give up, you'll never get there. But if you keep at it... There's a lot of problems in the world which can really be solved by applying two or three times the persistence that other people will." -- Stewart Nelson
Re: Captive portal with OpenBSD as a hostap
On 05/10/15 14:35, David Coppa wrote:
> On Mon, Oct 5, 2015 at 1:18 PM, C.L. Martinez wrote:
>> Hi all,
>>
>> I have installed an openbsd vm to work as a hostap for tablets and
>> smartphones (android and iOS).
>>
>> All is working ok: pf, hostapd and dhcpd server. All tablets and
>> smartphones that I have tested work ok, connect and surf the Internet.
>>
>> But now I am thinking to use some type of auth (user/pass using a SSL/TLS
>> channel) instead of using wpa/wpa2 keys.
>>
>> Some time ago there existed this project: Chillispot (http://www.chillispot.org/)
>> but it seems discontinued.
>>
>> Does someone know any type of project/software to accomplish this? I would like to
>> keep it as simple as I can.
>>
>> Thanks.
>
> You could try CoovaChilli.
>
> https://github.com/sevan/coova-chilli/
>
> http://coova.github.io/
>
> Ciao
> David

Another option you could look at is authpf(8) which is in base.
Not a web based captive portal, but a similar setup with ssh.

G
Re: Captive portal with OpenBSD as a hostap
On Mon, Oct 5, 2015 at 2:49 PM, C.L. Martinez wrote:
> On 10/05/2015 12:29 PM, Kapetanakis Giannis wrote:
>>
>> On 05/10/15 14:35, David Coppa wrote:
>>>
>>> On Mon, Oct 5, 2015 at 1:18 PM, C.L. Martinez wrote:
>>>> Hi all,
>>>>
>>>> I have installed an openbsd vm to work as a hostap for tablets and
>>>> smartphones (android and iOS).
>>>>
>>>> All is working ok: pf, hostapd and dhcpd server. All tablets and
>>>> smartphones that I have tested work ok, connect and surf the Internet.
>>>>
>>>> But now I am thinking to use some type of auth (user/pass using a SSL/TLS
>>>> channel) instead of using wpa/wpa2 keys.
>>>>
>>>> Some time ago there existed this project: Chillispot (http://www.chillispot.org/)
>>>> but it seems discontinued.
>>>>
>>>> Does someone know any type of project/software to accomplish this? I would like to
>>>> keep it as simple as I can.
>>>>
>>>> Thanks.
>>> You could try CoovaChilli.
>>>
>>> https://github.com/sevan/coova-chilli/
>>>
>>> http://coova.github.io/
>>>
>>> Ciao
>>> David
>>
>>
>> Another option you could look at is authpf(8) which is in base.
>> Not a web based captive portal, but a similar setup with ssh.
>>
>> G
>>
>
> Thanks to both ... Previously, I was thinking to use authpf, but there is a
> problem: I need to install a ssh client on these tablets and smartphones ..
> If I could find any front-end to use with authpf, it would be the perfect
> solution.
>
> About coova-chilli: well, maybe it is the only solution if I can't use
> something similar to authpf. But it seems "too heavy" to maintain ...
>

From GH: https://github.com/search?q=openbsd+captive
Re: Captive portal with OpenBSD as a hostap
On 10/05/2015 12:29 PM, Kapetanakis Giannis wrote:
> On 05/10/15 14:35, David Coppa wrote:
>> On Mon, Oct 5, 2015 at 1:18 PM, C.L. Martinez wrote:
>>> Hi all,
>>>
>>> I have installed an openbsd vm to work as a hostap for tablets and
>>> smartphones (android and iOS).
>>>
>>> All is working ok: pf, hostapd and dhcpd server. All tablets and
>>> smartphones that I have tested work ok, connect and surf the Internet.
>>>
>>> But now I am thinking to use some type of auth (user/pass using a SSL/TLS
>>> channel) instead of using wpa/wpa2 keys.
>>>
>>> Some time ago there existed this project: Chillispot (http://www.chillispot.org/)
>>> but it seems discontinued.
>>>
>>> Does someone know any type of project/software to accomplish this? I would like to
>>> keep it as simple as I can.
>>>
>>> Thanks.
>> You could try CoovaChilli.
>>
>> https://github.com/sevan/coova-chilli/
>>
>> http://coova.github.io/
>>
>> Ciao
>> David
>
> Another option you could look at is authpf(8) which is in base.
> Not a web based captive portal, but a similar setup with ssh.
>
> G

Thanks to both ... Previously, I was thinking to use authpf, but there is a problem: I need to install a ssh client on these tablets and smartphones .. If I could find any front-end to use with authpf, it would be the perfect solution.

About coova-chilli: well, maybe it is the only solution if I can't use something similar to authpf. But it seems "too heavy" to maintain ...
Re: Captive portal with OpenBSD as a hostap
I made a custom implementation and a diff to authpf, will share that later just in case anyone wants it.

I hope this helps you, it's pretty simple
http://bastienceriani.fr/?p=70

On 2015-10-05 11:18, C.L. Martinez wrote:
> Hi all,
>
> I have installed an openbsd vm to work as a hostap for tablets and
> smartphones (android and iOS).
>
> All is working ok: pf, hostapd and dhcpd server. All tablets and
> smartphones that I have tested work ok, connect and surf the Internet.
>
> But now I am thinking to use some type of auth (user/pass using a SSL/TLS
> channel) instead of using wpa/wpa2 keys.
>
> Some time ago there existed this project: Chillispot (http://www.chillispot.org/)
> but it seems discontinued.
>
> Does someone know any type of project/software to accomplish this? I would like to
> keep it as simple as I can.
>
> Thanks.