Difference between revisions of "User:Saul/Open WRT"

From Organic Design wiki
(Eth Drivers)
(Captive Portal Via NoDogSplash)
 
(2 intermediate revisions by the same user not shown)
Line 65: Line 65:
  
 
== Captive Portal Via NoDogSplash ==
 
== Captive Portal Via NoDogSplash ==
 +
=== Security ===
 +
To provide secure authentication over a captive portal you must use the Forwarding Authentication Service (FAS) that NDS/OpenNDS provides.<br>
 +
Without the FAS there is no way to encrypt sensitive data since JavaScript may be blocked by the client, therefore the only way to ensure sensitive data is not passed as plain text is to use FAS to an external server with a HTTPS cert.<br>
 +
Another note to be aware of is that if you have trusted macs that do not need authentication, someone could spoof their mac to match to get access.
 +
 +
=== Building From Source ===
 +
Building the latest nodogsplash from source can be a bit of a pain if it has not been officially released.<br>
 +
You need to follow the instructions [https://github.com/nodogsplash/nodogsplash/tree/master/openwrt here] but instead of cloning the nodogsplash repo do the following:<br>
 +
# Download the nodogsplash repo as a '''.zip'''.
 +
# Extract the '''zip'''.
 +
# Rename the directory from '''nodogsplash-master ''' to '''nodogsplash-4.5.1beta''' (replacing with your version).
 +
# Run '''tar -czvf nodogsplash-4.5.1beta.tar.gz nodogsplash-4.5.1beta/'''
 +
# Copy the '''nodogsplash-4.5.1beta.tar.gz''' file into the '''openwrt/dl''' directory. (Run make once to generate it if it does not exist.)
 +
# Run '''shasum -a 256 nodogsplash-4.5.1beta.tar.gz'''
 +
# Edit the '''nodogsplash-4.5.1beta/openwrt/nodogsplash/Makefile''' file and change the '''PKG_HASH:=YOU_HASH_HERE''', make sure there is no whitespace.
 +
# Copy the '''nodogsplash-4.5.1beta/openwrt/nodogsplash''' to the '''openwrt/package''' file and continue the make progress.
 +
# The ouput can be found in the '''bin/packages/YOUR_PROCCESSOR/base/''' directory.
 +
 +
==== Useful Links ====
 +
* https://github.com/nodogsplash/nodogsplash/tree/master/openwrt
 +
* https://github.com/nodogsplash/nodogsplash/issues/530
 +
* https://github.com/nodogsplash/nodogsplash/issues/355
 
=== Network Configuration ===
 
=== Network Configuration ===
 
Before installing NDS it is recommended to get your network setup and working properly.<br>
 
Before installing NDS it is recommended to get your network setup and working properly.<br>
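Review bot: in the added Building From Source steps, the SHA-256 from step 6 is computed over a tarball created locally in step 4 from the downloaded .zip, so the PKG_HASH written in step 7 only pins that local file and does not check the download against upstream; the text should say so, or record which commit the .zip was taken from. Step 8 also calls openwrt/package a "file" where a directory is meant and says "make progress" for the make process, and the placeholders YOU_HASH_HERE and YOUR_PROCCESSOR and the word "ouput" are misspelled.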
Line 103: Line 125:
 
*https://finaldie.com/blog/install-openwrt-on-raspberry-pi-1b-model/
 
*https://finaldie.com/blog/install-openwrt-on-raspberry-pi-1b-model/
 
*https://github.com/nodogsplash/nodogsplash/issues/465
 
*https://github.com/nodogsplash/nodogsplash/issues/465
 +
 +
== My RPi4 Config ==
 +
Firewall
 +
<source>
 +
lan -> wan
 +
input: accept
 +
output: accept
 +
forward: accept
 +
wan -> REJECT
 +
input: reject
 +
output: accept
 +
forward: reject
 +
</source>
 +
 +
Wireless
 +
<source>
 +
Operating Frequency:
 +
Mode: Legacy
 +
Band: 5 GHz
 +
Channel: auto
 +
</source>
 +
 +
/etc/config/network
 +
<source>
 +
config interface 'loopback'
 +
        option ifname 'lo'
 +
        option proto 'static'
 +
        option ipaddr '127.0.0.1'
 +
        option netmask '255.0.0.0'
 +
 +
config globals 'globals'
 +
        option ula_prefix 'fd0a:e374:4912::/48'
 +
 +
config interface 'wan'
 +
        option ifname 'eth1'
 +
        option proto 'dhcp'
 +
 +
config interface 'lan'
 +
        option type 'bridge'
 +
        option ifname 'eth0'
 +
        option proto 'static'
 +
        option netmask '255.255.255.0'
 +
        option ipaddr '192.168.1.2'
 +
        option gateway '192.168.1.254'
 +
        list dns '122.56.237.1'
 +
        list dns '210.55.111.1'
 +
</source>
  
 
== See also ==
 
== See also ==
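Review bot: in the added /etc/config/network block, the lan interface carries option gateway '192.168.1.254' and two list dns entries while wan is set to proto 'dhcp' on eth1, so both interfaces can supply a default route and resolvers; a sentence stating which uplink is intended would make the config reusable. The Firewall block labels the second zone "wan -> REJECT" where the first uses "lan -> wan", so it is unclear whether REJECT is a destination or the forwarding policy, and the section has no prose saying what the setup is for.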

Latest revision as of 09:20, 29 July 2020

Documentation for my experience attempting to set up and run Open WRT on a Raspberry Pi.

Raspberry Pi Installation

Check what the SoC is for your Pi (see the Raspberry Pi link under Useful Links):

The Raspberry Pi is supported in the brcm2708 target.
Subtargets are bcm2708 for Raspberry Pi 1, bcm2709 for the Raspberry Pi 2, bcm2710 for the Raspberry Pi 3, bcm2711 for the Raspberry Pi 4.

bcm2709 subtarget can be used for bcm2710 and bcm2711 devices.
This subtarget features a 32 bit kernel instead of a 64 bit kernel (64 bit kernels aren't “officially supported” by the Raspberry Pi foundation).

Then find the image for your Pi under the snapshots page (Useful Links) and flash it!

Useful Links

Using the Package Manager

Open WRT's default package manager is opkg; the docs for it can be found here.
Before a new package can be installed, the package lists must be updated:

opkg update # update the package lists
opkg install PACKAGENAME # install a new package.

Wifi Drivers

The wifi drivers for my wifi dongle (Ralink) were not pre-installed so running this installed them:

opkg update # update the package lists
opkg install kmod-rt2800-lib kmod-rt2800-usb kmod-rt2x00-lib kmod-rt2x00-usb
reboot

Eth Drivers

Had a couple of issues with the TP-Link UE300 setup, and the following drivers solved the problem:

opkg update
opkg install kmod-usb-net-rndis usb-modeswitch kmod-usb-net-rtl8152
reboot

See also:

Setup Network Via SSH

When compiling Open WRT from source it may have no internet connectivity and the interface (LuCI) may not be installed.
Following the instructions from Open WRT's Docs we can connect via SSH:

uci set network.lan.ipaddr='192.168.2.200' # static address for this device
uci set network.lan.gateway='192.168.2.1' # Router ip
uci set network.lan.dns='192.168.2.1' # router dns or provider
uci commit
service network restart

Then LuCI can be installed.

opkg update
opkg install luci

Captive Portal Via NoDogSplash

Security

To provide secure authentication over a captive portal you must use the Forwarding Authentication Service (FAS) that NDS/OpenNDS provides.
Without FAS there is no way to encrypt sensitive data, since JavaScript may be blocked by the client; the only way to ensure sensitive data is not passed as plain text is therefore to use FAS with an external server that has an HTTPS certificate.
Also be aware that if you have trusted MAC addresses that do not need authentication, someone could spoof their MAC address to match one of them and get access.

Building From Source

Building the latest nodogsplash from source can be a bit of a pain if it has not been officially released.
You need to follow the instructions here but instead of cloning the nodogsplash repo do the following:

  1. Download the nodogsplash repo as a .zip.
  2. Extract the zip.
  3. Rename the directory from nodogsplash-master to nodogsplash-4.5.1beta (replacing with your version).
  4. Run tar -czvf nodogsplash-4.5.1beta.tar.gz nodogsplash-4.5.1beta/
  5. Copy the nodogsplash-4.5.1beta.tar.gz file into the openwrt/dl directory. (Run make once to generate it if it does not exist.)
  6. Run shasum -a 256 nodogsplash-4.5.1beta.tar.gz
  7. Edit the nodogsplash-4.5.1beta/openwrt/nodogsplash/Makefile file and set PKG_HASH:=YOUR_HASH_HERE, making sure there is no whitespace.
  8. Copy the nodogsplash-4.5.1beta/openwrt/nodogsplash directory to the openwrt/package directory and continue the make process.
  9. The output can be found in the bin/packages/YOUR_PROCESSOR/base/ directory.
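
Steps 3 to 8 above as a single shell function, added here as an example and not part of the original page or the nodogsplash project; the function names and the argument layout are assumptions. It archives the tree before editing the Makefile, so the PKG_HASH it writes is the digest of the tarball placed in openwrt/dl (which pins that local file only, not the upstream download).

```shell
#!/bin/sh
# Added example: steps 3-8 of the list above. Function names and argument
# order are assumptions; the unzipped tree is expected at $1/nodogsplash-master.

tarball_sha256() {
    # Use sha256sum where available, otherwise the shasum call from step 6.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

repack_nds() {
    src_parent=$1   # directory containing the extracted nodogsplash-master
    version=$2      # e.g. 4.5.1beta
    openwrt=$3      # root of the OpenWrt build tree
    name="nodogsplash-$version"

    [ -d "$src_parent/nodogsplash-master" ] || { echo "no extracted tree" >&2; return 1; }
    [ -d "$openwrt/dl" ] || { echo "openwrt/dl missing: run make once" >&2; return 1; }

    # Step 3: rename so the top-level directory matches the tarball name.
    mv "$src_parent/nodogsplash-master" "$src_parent/$name" || return 1
    # Steps 4-5: archive straight into dl/, before the Makefile is edited,
    # so the digest below is the digest of the file the build will read.
    tar -czf "$openwrt/dl/$name.tar.gz" -C "$src_parent" "$name" || return 1

    # Steps 6-7: hash the tarball and rewrite PKG_HASH with no whitespace.
    digest=$(tarball_sha256 "$openwrt/dl/$name.tar.gz") || return 1
    mk="$src_parent/$name/openwrt/nodogsplash/Makefile"
    sed "s/^PKG_HASH:=.*/PKG_HASH:=$digest/" "$mk" > "$mk.new" && mv "$mk.new" "$mk" || return 1
    grep -q "^PKG_HASH:=$digest\$" "$mk" || { echo "PKG_HASH line not found" >&2; return 1; }

    # Step 8: copy the package definition into the build tree.
    mkdir -p "$openwrt/package"
    cp -r "$src_parent/$name/openwrt/nodogsplash" "$openwrt/package/" || return 1
    echo "$digest"
}
```

Called as repack_nds ~/Downloads 4.5.1beta ~/openwrt, it prints the digest it wrote; the make run then continues as in step 8.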

Useful Links

Network Configuration

Before installing NDS it is recommended to get your network set up and working properly.

You cannot just use a basic bridge configuration!

Here is a sample network configuration for achieving similar results to a bridge setup:
/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'

config interface 'lan'
	option ifname 'wlan0'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'

Install

To install NDS just use the package manager:

opkg update
opkg install nodogsplash
reboot

Useful Links

My RPi4 Config

Firewall

lan -> wan
	input: accept
	output: accept
	forward: accept
wan -> REJECT
	input: reject
	output: accept
	forward: reject

Wireless

Operating Frequency:
	Mode: Legacy
	Band: 5 GHz
	Channel: auto

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0a:e374:4912::/48'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.254'
        list dns '122.56.237.1'
        list dns '210.55.111.1'

See also