Re: Captive portal with OpenBSD as a hostap

2015-10-08 Thread Kapetanakis Giannis

On 08/10/15 23:17, Predrag Punosevac wrote:

> Somebody will correct me if I am wrong but the way that Authpf works (I
> have configured it in the past) is to load a new set of PF rules after
> successful ssh login. My understanding is that by default the traffic
> remains unencrypted unless we use more PF magic to force HTTP traffic
> (HTTPS should be encrypted itself) through some kind of VPN over SSH. That
> is why this chapter of the Book of PF was always such a mystery to me.
>
> http://home.nuug.no/~peter/pf/en/vegard.authpf.html

authpf indeed loads rules per user, and also adds the user's IP to the
authpf_users table.
This is done to allow further traffic (from authenticated users) to be
routed through the ssh gateway.

It does not encrypt traffic. Usually you're doing this on the same LAN
(client/server).
The http redirect in the book is mostly a redirect to an information
page (and maybe an ssh download location).




> as my understanding is that wpa2 will encrypt entire traffic (I am not
> discussing how securely).
>
> Installing ssh clients on various tablets/smart phones is a non-trivial
> thing for an uneducated user. Since I don't want to disturb bad spirits and
> bring back old flame wars fought over a web interface for AuthPF I would
> like to suggest something else.
>
> Namely OpenBSD includes npppd and IPsec, and setting up an L2TP over IPsec
> VPN is a breeze as I found out by setting it up.
>
> http://marc.info/?l=openbsd-misc&m=142791463307903&w=2
>
> In my experience most Android/Kindle/Smart phone devices have a client
> for L2TP via IPsec and it is very easy to use. What I am trying to
> say is that one could set up an "unprotected" WiFi network allowing only
> L2TP/IPsec authentication. Once a device is authenticated PF rules would
> allow HTTP, HTTPS and what not through the L2TP/IPsec VPN tunnel. The
> devices will have an Internet connection. The whole traffic will be inside an
> encrypted tunnel and no special software will be required on
> Android/Smart phone devices.
>
> Best,
> Predrag


Keep in mind that the traffic is encrypted only from the client to the VPN
server and not up to the final destination.
A VPN is usually used to get into the network from remote locations or to
remotely use local network resources to get out.

Nevertheless it's an option :)

Another option would be 802.1X, but the OP asked for a captive portal and
we're getting off topic...


regards,

G



Re: Captive portal with OpenBSD as a hostap

2015-10-08 Thread Predrag Punosevac
Kapetanakis Giannis wrote:

> 
> On 05/10/15 14:35, David Coppa wrote:
> > On Mon, Oct 5, 2015 at 1:18 PM, C.L. Martinez 
> wrote:
> >> Hi all,
> >>
> >>   I have installed an openbsd vm to work as a hostap for tablets and
> >> smartphones (android and iOS).
> >>
> >>   All is working ok: pf, hostapd and dhcpd server. All tablets and
> >> smartphones that I have tested work ok, connect and surf the Internet.
> >>
> >>   But now I am thinking of using some type of auth (user/pass using a
> >> SSL/TLS channel) instead of wpa/wpa2 keys.
> >>
> >>   Some time ago this project existed: Chillispot
> >> (http://www.chillispot.org/) but it seems discontinued.
> >>
> >>   Does anyone know of any project/software to accomplish this? I would
> >> like to keep it as simple as I can.
> >>
> >> Thanks.
> >>
> > You could try CoovaChilli.
> >
> > https://github.com/sevan/coova-chilli/
> >
> > http://coova.github.io/
> >
> > Ciao
> > David
> 
> Another option you could look at is authpf(8) which is in base.
> Not a web based captive portal, but a similar setup with ssh.
> 
> G

Somebody will correct me if I am wrong but the way that Authpf works (I
have configured it in the past) is to load a new set of PF rules after
successful ssh login. My understanding is that by default the traffic
remains unencrypted unless we use more PF magic to force HTTP traffic
(HTTPS should be encrypted itself) through some kind of VPN over SSH. That
is why this chapter of the Book of PF was always such a mystery to me.

http://home.nuug.no/~peter/pf/en/vegard.authpf.html

as my understanding is that wpa2 will encrypt entire traffic (I am not
discussing how securely).

Installing ssh clients on various tablets/smart phones is a non-trivial
thing for an uneducated user. Since I don't want to disturb bad spirits and
bring back old flame wars fought over a web interface for AuthPF I would
like to suggest something else.

Namely OpenBSD includes npppd and IPsec, and setting up an L2TP over IPsec
VPN is a breeze as I found out by setting it up.

http://marc.info/?l=openbsd-misc&m=142791463307903&w=2

In my experience most Android/Kindle/Smart phone devices have a client
for L2TP via IPsec and it is very easy to use. What I am trying to
say is that one could set up an "unprotected" WiFi network allowing only
L2TP/IPsec authentication. Once a device is authenticated PF rules would
allow HTTP, HTTPS and what not through the L2TP/IPsec VPN tunnel. The
devices will have an Internet connection. The whole traffic will be inside an
encrypted tunnel and no special software will be required on
Android/Smart phone devices.

Best,
Predrag



Re: Captive portal with OpenBSD as a hostap

2015-10-07 Thread laudarch

Here is the diff I made; it simply calls a program when a user logs in
with authpf and when a user logs out.

To use this diff you must add these lines to authpf.conf:

start=/path/to/startsession.pl
end=/path/to/endsession.pl

The diff follows.

Index: src/usr.sbin/authpf/authpf.c
===
RCS file: /cvs/src/usr.sbin/authpf/authpf.c,v
retrieving revision 1.123
diff -u -r1.123 authpf.c
--- src/usr.sbin/authpf/authpf.c 21 Jan 2015 21:50:32 - 1.123
+++ src/usr.sbin/authpf/authpf.c 8 Oct 2015 01:21:58 -
@@ -52,12 +52,15 @@
static int change_filter(int, const char *, const char *);
static int change_table(int, const char *);
static void authpf_kill_states(void);
+static int exec_callback(int);

int dev; /* pf device */
char anchorname[PF_ANCHOR_NAME_SIZE] = "authpf";
char rulesetname[PATH_MAX - PF_ANCHOR_NAME_SIZE - 2];
char tablename[PF_TABLE_NAME_SIZE] = "authpf_users";
int user_ip = 1; /* controls whether $user_ip is set */
+char startcommand[PATH_MAX - PF_ANCHOR_NAME_SIZE - 2] = "";
+char endcommand[PATH_MAX - PF_ANCHOR_NAME_SIZE - 2] = "";

FILE *pidfp;
int pidfd = -1;
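Review bot: startcommand and endcommand are declared here as arrays, so the `if (startcommand != NULL)` / `if (endcommand != NULL)` tests added later in this patch are always true and the "hook not configured" case can never be taken; either declare them `char *` initialised to NULL, or keep the arrays and test `startcommand[0] != '\0'`. The size `PATH_MAX - PF_ANCHOR_NAME_SIZE - 2` is copied from rulesetname, where the subtraction accounts for the anchor prefix and separator; a command path has no such prefix, so `PATH_MAX` is the natural bound.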
@@ -411,6 +414,19 @@
sizeof(tablename)) >= sizeof(tablename))
goto parse_error;
}
+ if (strcasecmp(pair[0], "start") == 0) {
+ if (!pair[1][0] || strlcpy(startcommand, pair[1],
+ sizeof(startcommand)) >= sizeof(startcommand))
+ goto parse_error;
+ syslog(LOG_INFO, "start: %s", startcommand);
+ }
+
+ if (strcasecmp(pair[0], "end") == 0) {
+ if (!pair[1][0] || strlcpy(endcommand, pair[1],
+ sizeof(endcommand)) >= sizeof(endcommand))
+ goto parse_error;
+ syslog(LOG_INFO, "end: %s", endcommand);
+ }
} while (!feof(f) && !ferror(f));
fclose(f);
return (0);
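Review bot: the new `start` and `end` values are accepted without checking that they are absolute paths, yet exec_callback() later runs them through execvp(3), which resolves a bare name via PATH; require a leading '/' here (goto parse_error otherwise) so that the program run is fixed by authpf.conf alone. The `syslog(LOG_INFO, "start: %s", ...)` and `"end: %s"` lines fire on every parse of the config file and only echo the configuration back; the surrounding parsing code is silent on success, so drop them or use LOG_DEBUG.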
@@ -821,11 +837,23 @@
goto error;
}

+ if (startcommand != NULL) {
+ if (exec_callback(0) != 0) {
+ goto error;
+ }
+ }
+
gettimeofday(, NULL);
syslog(LOG_INFO, "allowing %s, user %s", ipsrc, luser);
} else {
remove_stale_rulesets();

+ if (endcommand != NULL) {
+ if (exec_callback(1) != 0) {
+ goto error;
+ }
+ }
+
gettimeofday(, NULL);
syslog(LOG_INFO, "removed %s, user %s - duration %d seconds",
ipsrc, luser, (int)(Tend.tv_sec - Tstart.tv_sec));
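Review bot: `startcommand != NULL` and `endcommand != NULL` compare arrays against NULL and are always true, so exec_callback() is called unconditionally on both paths; test `startcommand[0]` / `endcommand[0]` instead. In the logout branch, a non-zero return from exec_callback(1) jumps to error after remove_stale_rulesets() has already run, skipping the "removed %s, user %s - duration" syslog line, so a failing end hook silently loses the session-end audit record; log the removal first (or log the hook failure and fall through) rather than jumping to error.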
@@ -952,3 +980,78 @@
syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile);
exit(ret);
}
+
+/*
+ * execute an external program on start and or end of session
+ */
+static int
+exec_callback(int end)
+{
+ pid_t pid;
+ gid_t gid;
+ int s;
+ char prog[PATH_MAX - PF_ANCHOR_NAME_SIZE - 2];
+ char *pargv[5] = {"/bin/ls", "luser", "ip", "pid", NULL};
+
+ if (end == 0) {
+ if (startcommand != NULL) {
+ strlcpy(prog, startcommand, sizeof(startcommand));
+ } else {
+ goto done;
+ }
+ }
+
+ if (end == 1) {
+ if (endcommand != NULL) {
+ strlcpy(prog, endcommand, sizeof(endcommand));
+ } else {
+ goto done;
+ }
+ }
+
+ pargv[0] = prog;
+ pargv[1] = luser;
+ pargv[2] = ipsrc;
+ if (asprintf([3], "%ld", (long)getpid()) == -1)
+ goto no_mem;
+
+ switch (pid = fork()) {
+ case -1:
+ syslog(LOG_ERR, "fork failed");
+ goto error;
+ case 0:
+ /* revoke group privs before exec */
+ gid = getgid();
+ if (setregid(gid, gid) == -1) {
+ err(1, "setregid");
+ }
+
+ execvp(prog, pargv);
+ syslog(LOG_INFO, "exec of %s %s %s %s", prog, pargv[1],
+ pargv[2], pargv[3]);
+ warn("exec of %s %s %s %s [] failed", prog, pargv[1],
+ pargv[2], pargv[3]);
+ _exit(1);
+ }
+
+ /* parent */
+ waitpid(pid, , 0);
+ if (s != 0) {
+ syslog(LOG_ERR, "%s exited abnormally", prog);
+ goto error;
+ }
+done:
+ return (0);
+
+no_mem:
+ if (errno == ENOMEM)
+ syslog(LOG_ERR, "calloc failed");
+ syslog(LOG_ERR, "NO MEM");
+ return (-1);
+
+error:
+ free(pargv[3]);
+ syslog(LOG_ERR, "ERROR RETURNING -1");
+ return (-1);
+}
+
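Review bot: the child drops only group privileges (setregid) before execvp(3); whatever effective uid authpf itself holds at this point, together with the full environment of the calling user's ssh session, is handed to the external program, so drop the uid to the real uid as well and exec with an explicit minimal environment (execve with an absolute path rather than execvp, which searches PATH). Smaller points in the same function: `strlcpy(prog, startcommand, sizeof(startcommand))` should bound by `sizeof(prog)`; the array-vs-NULL tests repeat the problem noted above; `if (s != 0)` inspects the raw wait status, so use `!WIFEXITED(s) || WEXITSTATUS(s) != 0` and report which; the child should `_exit(1)` rather than `err(1, ...)` after fork; the `asprintf` result in pargv[3] is freed only on the error path and never at `done:`; the `no_mem:` message says "calloc failed" although the allocation was asprintf; and the `"/bin/ls"` placeholder in pargv is dead since pargv[0] is always overwritten.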

PS: I have used this for a little pocket money ISP for three years now
alongside a custom sqlite db for authentication on web; scraping
zeroed users in pf is the way to go with a cron job.


On 10/06/2015 07:43 AM, C. L. Martinez wrote:

On Mon, Oct 5, 2015 at 1:26 PM, laudarch  wrote:

I made a custom implementation and a diff to authpf, will share that
later just in case anyone wants it.

I hope this helps you, it's pretty simple
http://bastienceriani.fr/?p=70



Thanks laudarch ... Very close to what I am searching... I will try 
your config.




Re: Captive portal with OpenBSD as a hostap

2015-10-06 Thread C. L. Martinez
On Mon, Oct 5, 2015 at 1:26 PM, laudarch  wrote:
> I made a custom implementation and a diff to authpf, will share that
> later just in case anyone wants it.
>
> I hope this helps you, it's pretty simple
> http://bastienceriani.fr/?p=70
>

Thanks laudarch ... Very close to what I am searching... I will try your config.



Re: Captive portal with OpenBSD as a hostap

2015-10-05 Thread Kapetanakis Giannis

On 05/10/15 16:26, laudarch wrote:

I made a custom implementation and a diff to authpf, will share that
later just in case anyone wants it.

I hope this helps you, it's pretty simple
http://bastienceriani.fr/?p=70


That's nice, but how do you log out inactive users/IPs?
There is no such option in pf to
a) expire after a certain amount of time and/or
b) expire after a certain amount of inactivity.

pfsense (sorry) uses pf for all its firewalling and ipf for tracking
down users coming from its captive portal.


G



Re: Captive portal with OpenBSD as a hostap

2015-10-05 Thread Abel Abraham Camarillo Ojeda
On Mon, Oct 5, 2015 at 4:47 PM, Kapetanakis Giannis
 wrote:
> On 05/10/15 16:26, laudarch wrote:
>>
>> I made a custom implementation and a diff to authpf, will share that
>> later just in case anyone wants it.
>>
>> I hope this helps you, it's pretty simple
>> http://bastienceriani.fr/?p=70
>
>
> That's nice, but how do you log out inactive users/IPs?
> There is no such option in pf to
> a) expire after a certain amount of time and/or

pfctl -t loggedusers -T expire 3600 # expire after one hour,
regardless of activity

> b) expire after a certain amount of inactivity.
>
> pfsense (sorry) uses pf for all its firewalling and ipf for tracking down
> users coming from its captive portal.
>
> G



Re: Captive portal with OpenBSD as a hostap

2015-10-05 Thread Kapetanakis Giannis

On 06/10/15 01:04, Abel Abraham Camarillo Ojeda wrote:

>> That's nice, but how do you log out inactive users/IPs?
>> There is no such option in pf to
>> a) expire after a certain amount of time and/or
> pfctl -t loggedusers -T expire 3600 # expire after one hour,
> regardless of activity

You're right on this. I'm also using it for bruteforcers but I had forgotten.
My main concern is inactive users.

G



Re: Captive portal with OpenBSD as a hostap

2015-10-05 Thread Abel Abraham Camarillo Ojeda
On Mon, Oct 5, 2015 at 5:18 PM, Kapetanakis Giannis
 wrote:
> On 06/10/15 01:04, Abel Abraham Camarillo Ojeda wrote:
>>
>>
>> That's nice, but how do you log out inactive users/IPs?
>> There is no such option in pf to
>> a) expire after a certain amount of time and/or
>> pfctl -t loggedusers -T expire 3600 # expire after one hour,
>> regardless of activity
>
>
> You're right on this. I'm also using it for bruteforcers but I had forgotten.
> My main concern is inactive users.
>
> G
>

# i think you can do that with two tables
table <loggedusers2> counters persist

run every hour:

# ${script that reads pfctl table and reads addresses with counters in zero};
# pfctl -t loggedusers2 -T zero; # zero remaining users counters

I've a script that does the first, but it probably should be written a
_lot_ better...

~
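A worked version of the two-table cron job sketched in the reply above, as an added example that is not from the thread: it parses the verbose table listing, removes the addresses whose packet counters stayed at zero since the last run, kills their states, and zeroes the counters of the rest. It assumes the table name loggedusers2 from the reply and the OpenBSD `pfctl -T show -vv` layout mirrored in the constructed sample; the pfctl calls only run when invoked with `--apply`.

```shell
#!/bin/sh
# Expire idle users from a pf table kept with 'counters'.
# Added example, not from the thread. Assumed: table loggedusers2 (from
# the reply), OpenBSD pfctl(8), and the 'pfctl -T show -vv' layout that
# the constructed SAMPLE below mirrors.

TABLE="${TABLE:-loggedusers2}"

# Read 'pfctl -t TABLE -T show -vv' output on stdin; print each address
# whose In/Out packet counters all stayed at zero since the last '-T zero'.
# An address added after the last zero run and still without traffic is
# reported too: that is the intended "idle for one full interval".
idle_addrs() {
    awk '
        function flush() { if (addr != "" && total == 0) print addr }
        # address line: optional whitespace, IPv4/IPv6 address, optional /prefix
        /^[ \t]*[0-9a-fA-F.:]+(\/[0-9]+)?[ \t]*$/ { flush(); addr = $1; total = 0; next }
        # counter lines look like:  In/Pass: [ Packets: 120  Bytes: 84000 ]
        /Packets:/ { for (i = 1; i <= NF; i++) if ($i == "Packets:") total += $(i + 1) }
        END { flush() }
    '
}

# Delete the idle addresses, kill their states, then zero the counters of
# the addresses that remain so the next run measures a fresh interval.
# Meant to run from root's crontab at the chosen inactivity interval.
expire_idle() {
    pfctl -t "$TABLE" -T show -vv | idle_addrs | while read -r a; do
        logger -t expire-idle "removing idle $a from <$TABLE>"
        pfctl -q -t "$TABLE" -T delete "$a"
        pfctl -q -k "$a"            # drop states the idle host still owns
    done
    pfctl -q -t "$TABLE" -T zero
}

# Constructed sample listing: 192.0.2.10 passed traffic, 192.0.2.11 did not.
SAMPLE='   192.0.2.10
        Cleared:     Mon Oct  5 12:00:00 2015
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 120                Bytes: 84000              ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 98                 Bytes: 12345              ]
   192.0.2.11
        Cleared:     Mon Oct  5 12:00:00 2015
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]'

# Dry run over the sample: prints the addresses that would be removed.
sample_idle() { printf '%s\n' "$SAMPLE" | idle_addrs; }

if [ "${1:-}" = "--apply" ]; then
    expire_idle
fi
```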



Captive portal with OpenBSD as a hostap

2015-10-05 Thread C.L. Martinez

Hi all,

 I have installed an openbsd vm to work as a hostap for tablets and
smartphones (android and iOS).


 All is working ok: pf, hostapd and dhcpd server. All tablets and
smartphones that I have tested work ok, connect and surf the Internet.


 But now I am thinking of using some type of auth (user/pass using a
SSL/TLS channel) instead of wpa/wpa2 keys.


 Some time ago this project existed: Chillispot
(http://www.chillispot.org/) but it seems discontinued.


 Does anyone know of any project/software to accomplish this? I would
like to keep it as simple as I can.


Thanks.



Re: Captive portal with OpenBSD as a hostap

2015-10-05 Thread David Coppa
On Mon, Oct 5, 2015 at 1:18 PM, C.L. Martinez  wrote:
> Hi all,
>
>  I have installed an openbsd vm to work as a hostap for tablets and
> smartphones (android and iOS).
>
>  All is working ok: pf, hostapd and dhcpd server. All tablets and
> smartphones that I have tested work ok, connect and surf the Internet.
>
>  But now I am thinking of using some type of auth (user/pass using a SSL/TLS
> channel) instead of wpa/wpa2 keys.
>
>  Some time ago this project existed: Chillispot (http://www.chillispot.org/)
> but it seems discontinued.
>
>  Does anyone know of any project/software to accomplish this? I would like to
> keep it as simple as I can.
>
> Thanks.
>

You could try CoovaChilli.

https://github.com/sevan/coova-chilli/

http://coova.github.io/

Ciao
David
-- 
"If you try a few times and give up, you'll never get there. But if
you keep at it... There's a lot of problems in the world which can
really be solved by applying two or three times the persistence that
other people will."
-- Stewart Nelson



Re: Captive portal with OpenBSD as a hostap

2015-10-05 Thread Kapetanakis Giannis

On 05/10/15 14:35, David Coppa wrote:

On Mon, Oct 5, 2015 at 1:18 PM, C.L. Martinez  wrote:

Hi all,

  I have installed an openbsd vm to work as a hostap for tablets and
smartphones (android and iOS).

  All is working ok: pf, hostapd and dhcpd server. All tablets and
smartphones that I have tested work ok, connect and surf the Internet.

  But now I am thinking of using some type of auth (user/pass using a SSL/TLS
channel) instead of wpa/wpa2 keys.

  Some time ago this project existed: Chillispot (http://www.chillispot.org/)
but it seems discontinued.

  Does anyone know of any project/software to accomplish this? I would like to
keep it as simple as I can.

Thanks.


You could try CoovaChilli.

https://github.com/sevan/coova-chilli/

http://coova.github.io/

Ciao
David


Another option you could look at is authpf(8) which is in base.
Not a web based captive portal, but a similar setup with ssh.

G



Re: Captive portal with OpenBSD as a hostap

2015-10-05 Thread David Coppa
On Mon, Oct 5, 2015 at 2:49 PM, C.L. Martinez  wrote:
> On 10/05/2015 12:29 PM, Kapetanakis Giannis wrote:
>>
>> On 05/10/15 14:35, David Coppa wrote:
>>>
>>> On Mon, Oct 5, 2015 at 1:18 PM, C.L. Martinez 
>>> wrote:

 Hi all,

   I have installed an openbsd vm to work as a hostap for tablets and
 smartphones (android and iOS).

   All is working ok: pf, hostapd and dhcpd server. All tablets and
 smartphones that I have tested work ok, connect and surf the Internet.

   But now I am thinking of using some type of auth (user/pass using a
 SSL/TLS channel) instead of wpa/wpa2 keys.

   Some time ago this project existed: Chillispot
 (http://www.chillispot.org/) but it seems discontinued.

   Does anyone know of any project/software to accomplish this? I would
 like to keep it as simple as I can.

 Thanks.

>>> You could try CoovaChilli.
>>>
>>> https://github.com/sevan/coova-chilli/
>>>
>>> http://coova.github.io/
>>>
>>> Ciao
>>> David
>>
>>
>> Another option you could look at is authpf(8) which is in base.
>> Not a web based captive portal, but a similar setup with ssh.
>>
>> G
>>
>
> Thanks to both ... Previously, I was thinking of using authpf, but there is a
> problem: I need to install an ssh client on these tablets and smartphones ..
> If I could find any front-end to use with authpf, it would be the perfect
> solution.
>
> About coova-chilli: well, maybe it is the only solution if I can't use
> something similar to authpf. But it seems "too heavy" to maintain ...
>

From GH:

https://github.com/search?q=openbsd+captive



Re: Captive portal with OpenBSD as a hostap

2015-10-05 Thread C.L. Martinez

On 10/05/2015 12:29 PM, Kapetanakis Giannis wrote:

On 05/10/15 14:35, David Coppa wrote:

On Mon, Oct 5, 2015 at 1:18 PM, C.L. Martinez 
wrote:

Hi all,

  I have installed an openbsd vm to work as a hostap for tablets and
smartphones (android and iOS).

  All is working ok: pf, hostapd and dhcpd server. All tablets and
smartphones that I have tested work ok, connect and surf the Internet.

  But now I am thinking of using some type of auth (user/pass using a
SSL/TLS channel) instead of wpa/wpa2 keys.

  Some time ago this project existed: Chillispot
(http://www.chillispot.org/) but it seems discontinued.

  Does anyone know of any project/software to accomplish this? I would
like to keep it as simple as I can.

Thanks.


You could try CoovaChilli.

https://github.com/sevan/coova-chilli/

http://coova.github.io/

Ciao
David


Another option you could look at is authpf(8) which is in base.
Not a web based captive portal, but a similar setup with ssh.

G



Thanks to both ... Previously, I was thinking of using authpf, but there is
a problem: I need to install an ssh client on these tablets and
smartphones .. If I could find any front-end to use with authpf, it would
be the perfect solution.


About coova-chilli: well, maybe it is the only solution if I can't use
something similar to authpf. But it seems "too heavy" to maintain ...




Re: Captive portal with OpenBSD as a hostap

2015-10-05 Thread laudarch

I made a custom implementation and a diff to authpf, will share that
later just in case anyone wants it.

I hope this helps you, it's pretty simple
http://bastienceriani.fr/?p=70

On 2015-10-05 11:18, C.L. Martinez wrote:

Hi all,

 I have installed an openbsd vm to work as a hostap for tablets and
smartphones (android and iOS).

 All is working ok: pf, hostapd and dhcpd server. All tablets and
smartphones that I have tested work ok, connect and surf the Internet.

 But now I am thinking of using some type of auth (user/pass using a
SSL/TLS channel) instead of wpa/wpa2 keys.

 Some time ago this project existed: Chillispot
(http://www.chillispot.org/) but it seems discontinued.

 Does anyone know of any project/software to accomplish this? I would
like to keep it as simple as I can.

Thanks.