Configure an internal Landing Page (Splash Page) on a Raspberry Pi running OpenWrt and Coova Chilli

In this article, I will explain how to configure a splash page on a Raspberry Pi. As you may know, Coova-Chilli does not provide a landing page for the visitors of the captive portal. In this document, we will use the built-in web server (uhttpd), which also serves the LuCI administration interface, to host a landing page for our visitors.

The Raspberry Pi will run OpenWrt and will use the following components to fulfill our needs:

  • Coova-Chilli (the captive portal)
  • uhttpd (hosting the splash page and the OpenWrt web management interface, LuCI)

An external RADIUS server is also needed to authenticate the captive portal users. Any RADIUS server (FreeRADIUS, Microsoft NPS, etc.) can do the job. The installation of the RADIUS server is not covered in this document, but the following post (https://gremaudpi.emf-informatique.ch/configure-a-raspberry-pi-running-openwrt-and-coova-chilli-captive-portal-to-authenticate-visitors-to-active-directory/) describes a way to install and configure Microsoft NPS to serve as authenticator.

Schema

The following schema shows the actors involved. Note that the management workstation is only used for configuration and can be removed once the configuration is completed.

Prerequisite

The prerequisite for this installation is to configure the Raspberry Pi as a routed access point, as described in my previous post available under this link: https://gremaudpi.emf-informatique.ch/create-a-routed-access-point-with-raspberry-pi-and-openwrt/

Once this is done, you should have a Raspberry Pi running OpenWrt and configured as a routed access point. The SSID visible to the visitors will be "Guest", but you can rename it easily if you want.

WARNING: be aware that Chilli will create a tunnel (tun0) on the wlan0 interface of the Raspberry Pi.

The rest of the configuration is mainly based on https://openwrt.org/docs/guide-user/services/captive-portal/wireless.hotspot.coova-chilli

Install coova-chilli

Log on to the Raspberry Pi using root/<no password> and install coova-chilli.

opkg update
opkg install coova-chilli
opkg install nano

Stop and disable chilli to avoid a lockdown

/etc/init.d/chilli stop
/etc/init.d/chilli disable

The final configuration will be made later

Install the captive portal login page

Install php7-cgi

opkg install php7-cgi

Verify installation

ls /usr/bin/php*

Output:

/usr/bin/php-cgi

Configure uhttpd

Edit the main configuration file of the web server

nano /etc/config/uhttpd

Uncomment the interpreter line and save the file

# List of extension->interpreter mappings.
# Files with an associated interpreter can
# be called outside of the CGI prefix and do
# not need to be executable.
list interpreter ".php=/usr/bin/php-cgi"

Restart uhttpd

service uhttpd restart

Now let's run some tests

Check if php is working

To check if php is running, we will create a test page in the /www directory

nano /www/test.php

Paste the following code into the newly created file

 

<html>
    <head>
        <title>PHP Test</title>
    </head>
    <body>
        <?php
            echo '<p>Hello World</p>';
            // prints e.g. 'Current PHP version: 4.1.1'
            echo 'Current PHP version: ' . phpversion();
            // prints e.g. '2.0' or nothing if the extension isn't enabled
            echo phpversion('tidy');
        ?>
    </body>
</html>

Opening the page in a browser from the management station should give the following output:

Copy hotspot-login-master.zip from https://github.com/mongramosjr/hotspot-login

Unzip to /www/hotspotlogin

Edit hotspotlogin.php to allow HTTP and have a look at $uamsecret

nano /www/hotspotlogin/hotspotlogin.php

Change the variable $uamsecret to suit your needs and comment out the SSL part to allow HTTP requests. The same value must be set as uamsecret in the Coova-Chilli configuration further down.

# Shared secret used to encrypt challenge with. Prevents dictionary attacks.
# You should change this to your own shared secret.
$uamsecret = "greatsecret";

# /* if SSL was not used show an error */
# if (!($_SERVER['HTTPS'] == 'on')) {
#    include('hotspotlogin-nonssl.php');
#    exit(0);
# }

Restart uhttpd

service uhttpd restart

Test the login page from a browser on the management station (http://192.168.0.30/hotspotlogin/hotspotlogin.php); the output should look like this

Configure coova-chilli

Back up the original config file and create a new one

mv /etc/config/chilli /etc/config/chilli-orig

nano /etc/config/chilli

Paste the following content. The section containing the RADIUS parameters should be adapted to your environment.

#
# Sample Coova-Chilli configuration file modified by gremaudpi
#

config chilli

option interval 3600
option swapoctets 1        

######## TUN and DHCP Parameters ########
    
option tundev 'tun0'
option dhcpif 'wlan0'
option net 192.168.182.0/24
option lease 600
option dns1 8.8.8.8
option dns2 8.8.4.4
option ipup '/etc/chilli/up.sh'
option ipdown '/etc/chilli/down.sh'

######## Radius parameters ########

option radiusserver1 '<external-radius-server-ip-address>'
option radiusserver2 ''
option radiusauthport 1812
option radiusacctport 1813
option radiussecret '<external-radius-server-secret>'
option radiusnasid 'ap001'
option ssid 'ACME-company'

######## Universal access method (UAM) parameters ########

option uamlisten 192.168.182.1
option uamserver 'http://192.168.0.30/hotspotlogin/hotspotlogin.php'
option uamsecret 'greatsecret'
option uamallowed ''
option uamdomain ''
option uamanydns 1
option uamaliasname 'login'
option nouamsuccess 1
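
Before starting chilli, the values that have to agree between /etc/config/chilli and hotspotlogin.php can be checked with a short script. This is an added example, not part of the original article or of the Coova-Chilli or hotspot-login projects; the function names are hypothetical and the sample files it writes are constructed from the values shown above.

```shell
#!/bin/sh
# Added example (not from the original article): consistency check for the
# two files edited above. Function names are hypothetical.

# Print the value of "option <name> <value>" from a chilli UCI file, unquoted.
uci_opt() {   # $1 = option name, $2 = file
    sed -n "s/^[[:space:]]*option[[:space:]]\{1,\}$1[[:space:]]\{1,\}//p" "$2" |
        head -n 1 | tr -d "'\"" | sed 's/[[:space:]]*$//'
}

# Print the string assigned to $uamsecret in hotspotlogin.php.
php_uamsecret() {   # $1 = file
    sed -n 's/^[[:space:]]*\$uamsecret[[:space:]]*=[[:space:]]*//p' "$1" |
        head -n 1 | sed 's/;.*$//' | tr -d "'\""
}

# Print one finding per line; exit status 0 only when there are none.
check_portal() {   # $1 = chilli config, $2 = hotspotlogin.php
    rc=0
    cs=$(uci_opt uamsecret "$1")
    [ "$cs" = "$(php_uamsecret "$2")" ] || { echo "uamsecret: chilli and hotspotlogin.php differ"; rc=1; }
    [ "$cs" != "greatsecret" ] || { echo "uamsecret: still the sample value"; rc=1; }
    case "$(uci_opt uamserver "$1")" in
        https://*) ;;
        *) echo "uamserver: login form is submitted over plain http"; rc=1 ;;
    esac
    for o in radiusserver1 radiussecret; do
        case "$(uci_opt "$o" "$1")" in
            ""|"<"*) echo "$o: empty or still a placeholder"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample input mirroring the values shown in this article.
make_sample() {   # $1 = directory to write into
    cat > "$1/chilli" <<'EOF'
config chilli
option radiusserver1 '<external-radius-server-ip-address>'
option radiussecret '<external-radius-server-secret>'
option uamserver 'http://192.168.0.30/hotspotlogin/hotspotlogin.php'
option uamsecret 'greatsecret'
EOF
    printf '%s\n' '$uamsecret = "greatsecret";' > "$1/hotspotlogin.php"
}

d=$(mktemp -d) && make_sample "$d"
check_portal "$d/chilli" "$d/hotspotlogin.php" || echo "review the findings above"
rm -rf "$d"
```

On the device, call check_portal /etc/config/chilli /www/hotspotlogin/hotspotlogin.php instead of the sample directory. The http finding is expected with the configuration in this article, which deliberately disables the SSL check.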

Start chilli

/etc/init.d/chilli start

Verify that chilli loaded our configuration by looking at the following file

cat /var/run/chilli*.conf

If this is okay, enable chilli so that it survives a reboot

/etc/init.d/chilli enable

Now, if you connect a WiFi enabled device to your Guest SSID, a splash page should be presented to your visitor.

You will need to configure an external Radius (Freeradius, Microsoft NPS or a cloud based solution like Jumpcloud) and to configure Coova-Chilli to use it in order to allow your visitors to log in.

That's all folks…
