• Installing coova-chilli on Ubuntu 18


    Introduction

    • RADIUSdesk can function perfectly without CoovaChilli.
    • CoovaChilli however is the best open source captive portal software around.
    • If you want to install CoovaChilli on a machine, make sure that there are at least two functional network cards present.
    • One network card will be used by CoovaChilli as the Internet connection (WAN).
    • The second network card will be used to run a captive portal on (LAN).
    • The captive portal is created by the CoovaChilli program, which in turn receives its instructions from FreeRADIUS (RADIUSdesk).

    Installing CoovaChilli

    • The latest CoovaChilli release is 1.6 as of this writing; the steps below use the 1.5 release tarball.
    • We will download the source and build the .deb package from it.
    • First ensure the packages required to build the .deb package are installed.

    sudo apt-get install build-essential libssl-dev libjson-c-dev gengetopt

    sudo apt install devscripts debhelper

    • Download the .tar.gz of release 1.5 of the source from https://github.com/coova/coova-chilli/releases
    • A point of interest is that although the source tarball is labelled version 1.5, the package that gets built will be labelled 1.4.
    • Before we can build the package, we have to remove a dependency (haserl) from the Debian control file.
    • The package does not need it as a hard dependency (it is installed separately later for the embedded portal scripts), and leaving it in causes trouble when you want to install the package.

    # If you downloaded with wget

    tar -xzvf 1.5.tar.gz

    # If you downloaded with the browser

    tar -xzvf coova-chilli-1.5.tar.gz

    cd coova-chilli-1.5/

    vi debian/control

    #Look for this part

    #------

    #Depends:

    # ${shlibs:Depends},

    # iptables,

    # haserl,

    # adduser,

    #------

    #------ CHANGE TO THIS (remove haserl as a dependency)

    #------

    #Depends:

    # ${shlibs:Depends},

    # iptables,

    # adduser,

    #-----

     

    debuild -i -us -uc -b

    cd ..

    sudo dpkg --install coova-chilli_1.4_amd64.deb

    • From the output of the dpkg command you will see that CoovaChilli is disabled by default. In the next section we configure it into a working service.
    • You can also see it is listed as version 1.4 although we actually downloaded and built version 1.5.

     sudo dpkg --install coova-chilli_1.4_amd64.deb

    [sudo] password for system:

    Selecting previously unselected package coova-chilli.

    (Reading database ... 119514 files and directories currently installed.)

    Preparing to unpack coova-chilli_1.4_amd64.deb ...

    Unpacking coova-chilli (1.4) ...

    Setting up coova-chilli (1.4) ...

    Chilli default off. Look at /etc/default/chilli

    Processing triggers for libc-bin (2.27-3ubuntu1) ...

    Processing triggers for systemd (237-3ubuntu10.33) ...

    Processing triggers for ureadahead (0.100.0-21) ...

    Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
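    To make the build reproducible, here is an added shell script (example code written for this page, not part of RADIUSdesk or CoovaChilli) that performs the steps above: fetch the release tarball, drop haserl from debian/control with a verified edit instead of a manual vi session, and build. It assumes the tag tarball can be fetched from the GitHub archive URL https://github.com/coova/coova-chilli/archive/1.5.tar.gz and that it unpacks to coova-chilli-1.5 as on this page; the function names are mine.

```shell
#!/bin/sh
# build-chilli.sh: scripted version of the build steps above (added example, not project code).
# Assumptions: the 1.5 tag is downloadable from the GitHub archive URL below and unpacks
# to coova-chilli-1.5; the build tools from the apt lines above are installed.
set -eu

# strip_dep DEP: read a debian/control file on stdin and write it to stdout with
# DEP removed from every Depends: list (the manual edit shown above, done by awk).
strip_dep() {
    awk -v dep="$1" '
        /^Depends:/                          { in_deps = 1 }
        in_deps && /^[^ \t]/ && !/^Depends:/ { in_deps = 0 }   # next control field begins
        in_deps && $1 == dep ","             { next }          # " haserl," continuation line
        in_deps && $1 == dep                 { next }          # last entry written without a comma
        { print }'
}

# build VERSION: download, patch debian/control, build the .deb and list the result
build() {
    ver=$1
    url="https://github.com/coova/coova-chilli/archive/$ver.tar.gz"   # assumption, see lead-in
    [ -f "$ver.tar.gz" ] || wget -O "$ver.tar.gz" "$url"
    tar -xzf "$ver.tar.gz"
    cd "coova-chilli-$ver"
    strip_dep haserl < debian/control > debian/control.new
    mv debian/control.new debian/control
    if grep -q haserl debian/control; then
        echo "haserl is still referenced in debian/control; inspect it by hand" >&2
        exit 1
    fi
    debuild -i -us -uc -b
    cd ..
    ls -1 coova-chilli_*.deb    # labelled 1.4 even though the tarball is 1.5 (see above)
}

# Run the full build only when invoked as: sh build-chilli.sh --build [version]
if [ "${1:-}" = "--build" ]; then
    build "${2:-1.5}"
fi
```

    The control edit is the part worth testing: strip_dep leaves every other Depends entry and every other field untouched, and the grep afterwards refuses to build if the name survived somewhere the awk pattern does not cover.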

    Configuring CoovaChilli

    Enable CoovaChilli

    • Edit the following file

        sudo vi /etc/default/chilli

    • Change it to look like this

        START_CHILLI=1

        CONFFILE="/etc/chilli.conf"

        HS_USER="chilli"

    • Save the file and start CoovaChilli

       #First enable the service so it will start up during boot

       sudo systemctl enable chilli

       # Feedback code should be...

       # chilli.service is not a native service, redirecting to systemd-sysv-install.

       # Executing: /lib/systemd/systemd-sysv-install enable chilli

       sudo systemctl start chilli

    • Check the feedback on our startup attempt.

    sudo systemctl status chilli

    • Because we have not yet configured anything, we get some errors (the default config expects an interface called eth1, which does not exist on this machine). Once the program is configured in the next section it should run fine.

    ● chilli.service - LSB: Start CoovaChilli daemon at boot time

       Loaded: loaded (/etc/init.d/chilli; generated)

       Active: active (exited) since Fri 2019-12-20 20:07:51 UTC; 1s ago

         Docs: man:systemd-sysv-generator(8)

      Process: 14452 ExecStop=/etc/init.d/chilli stop (code=exited, status=0/SUCCESS)

      Process: 14491 ExecStart=/etc/init.d/chilli start (code=exited, status=0/SUCCESS)

     

    Dec 20 20:07:51 osboxes chilli[14580]: TX queue length set to 100

    Dec 20 20:07:51 osboxes coova-chilli[14585]: PID 14585 loading binary options file /var/run/chilli.14580.cfg.bin

    Dec 20 20:07:51 osboxes coova-chilli[14585]: Loading modules

    Dec 20 20:07:51 osboxes coova-chilli[14585]: USER root(0/0), GROUP root(0/0) CHILLI[UID 113, GID 116]

    Dec 20 20:07:51 osboxes coova-chilli[14585]: Running /etc/chilli/up.sh (0/0)

    Dec 20 20:07:51 osboxes chilli[14580]: No such device: ioctl(SIOCSIFFLAGS) failed on eth1

    Dec 20 20:07:51 osboxes chilli[14580]: No such device: ioctl(SIOCSIFFLAGS) failed

    Dec 20 20:07:51 osboxes chilli[14580]: No such device: ioctl(SIOCSIFADDR) failed

    Dec 20 20:07:51 osboxes chilli[14580]: No such device: ioctl(d=2, request=35111) failed

    Dec 20 20:07:51 osboxes chilli[14580]: Failed to create dhcp listener on eth1

    Modify the configuration file

    • CoovaChilli is configured by editing or creating certain files under the /etc/chilli directory.
    • Before we proceed with the config we have to sort out our interfaces.
    • For CoovaChilli to work correctly there need to be at least two network interfaces on the machine (excluding the loopback interface lo).
    • One interface is connected directly to the Internet. We will refer to this interface as the WAN interface.
    • The other interface has the captive portal running on top of it. We will refer to this interface as the LAN interface.
    • With previous versions of Ubuntu the network interfaces had fairly predictable names like eth0 and eth1.
    • With current versions of Ubuntu the naming convention changed.
    • We advise you to run the ip addr command to see which interfaces are present.

     ip addr

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000

        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

        inet 127.0.0.1/8 scope host lo

           valid_lft forever preferred_lft forever

        inet6 ::1/128 scope host

           valid_lft forever preferred_lft forever

    2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000

        link/ether 08:00:27:fe:57:09 brd ff:ff:ff:ff:ff:ff

        inet 192.168.1.111/24 brd 192.168.1.255 scope global dynamic enp0s3

           valid_lft 256221sec preferred_lft 256221sec

        inet6 fe80::a00:27ff:fefe:5709/64 scope link

           valid_lft forever preferred_lft forever

    3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000

        link/ether 08:00:27:8c:d3:32 brd ff:ff:ff:ff:ff:ff

        inet6 fe80::a00:27ff:fe8c:d332/64 scope link

    • Using this, on our system, the WAN will be enp0s3 and the LAN will be enp0s8.
    • Next lets look at how to configure CoovaChilli under /etc/chilli.

    File       Comment
    config     Starts as a copy of defaults and is edited to override specific variables defined in defaults. (Variables set in the newly added config file take precedence over the corresponding ones in defaults.)
    defaults   To avoid the splash screen we have to remove one line from this file.
    up.sh      Custom firewall rules for start-up.
    down.sh    Custom firewall rule clean-up during shut-down.

    • Use the following /etc/chilli/config file as a guideline to configure CoovaChilli

    HS_WANIF=enp0s3              # WAN interface (we also need to specify this)
    HS_LANIF=enp0s8              # Subscriber Interface for client devices (the LAN interface is called the subscriber interface)
    HS_NETWORK=10.1.0.0        # HotSpot Network (must include HS_UAMLISTEN) (the network on the subscriber interface is the hotspot network)
    HS_NETMASK=255.255.0.0     # HotSpot Network Netmask
    HS_UAMLISTEN=10.1.0.1      # HotSpot IP Address (on subscriber network)
    HS_UAMPORT=3990            # HotSpot UAM Port (on subscriber network)
    HS_UAMUIPORT=4990          # HotSpot UAM "UI" Port (on subscriber network, for embedded portal)
    HS_NASID=localhost
    HS_RADIUS=localhost
    HS_RADIUS2=localhost
    HS_RADSECRET=testing123    # Set to be your RADIUS shared secret. testing123 is the example secret FreeRADIUS ships for localhost; replace it with a long random value and use the same value in the FreeRADIUS client definition
    HS_UAMSECRET=greatsecret     # Set to be your UAM secret. Replace this placeholder too; the portal must be configured with the same value
    HS_UAMALIASNAME=chilli
    HS_SSID="Struisbaai"
    HS_NASIP=127.0.0.1    # To explicitly set NAS-IP-Address
    HS_UAMSERVER=$HS_UAMLISTEN
    HS_UAMFORMAT=http://\$HS_UAMLISTEN/cake3/rd_cake/dynamic-details/chilli-browser-detect/
    HS_MACAUTH=on              # To turn on MAC Authentication
    HS_TCP_PORTS="80 23 8000"
    HS_MODE=hotspot
    HS_TYPE=chillispot
    HS_WWWDIR=/etc/chilli/www
    HS_WWWBIN=/etc/chilli/wwwsh
    HS_PROVIDER=Coova
    HS_PROVIDER_LINK=http://www.coova.org/
    HS_LOC_NAME="My HotSpot"           # WISPr Location Name and used in portal
    HS_COAPORT=3799
    # Please specify the DNS servers of your choice here
    # Here we specified our own DSL router and as a fallback one of the Google servers
    HS_DNS1=192.168.1.1
    HS_DNS2=8.8.8.8

    • Comment the following line out of /etc/chilli/defaults.

    #   Same principal goes for HS_UAMHOMEPAGE.

    #HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html

    • Install haserl (it provides CGI handling similar to PHP-CGI; the embedded portal script login.chi is a haserl script, so it is still needed even though we dropped it as a package dependency).

    sudo apt install -y haserl

    • For /etc/chilli/up.sh, the default file as shipped is used (no changes needed).
    • For /etc/chilli/down.sh, the default file as shipped is used (no changes needed).

    After installation, configure SNAT so that client traffic leaving the WAN interface is masqueraded. A few caveats: the first command flushes every existing rule in the nat POSTROUTING chain, so leave it out if the machine already carries NAT rules you need; $HS_WANIF only expands if you have sourced /etc/chilli/config in this shell (. /etc/chilli/config), otherwise write the interface name (enp0s3 here); the rules are not persistent across a reboot unless you save them or add them to /etc/chilli/up.sh; and forwarding between LAN and WAN requires net.ipv4.ip_forward=1. The stock up.sh may already add a MASQUERADE rule itself, so check with iptables -t nat -S POSTROUTING before adding a duplicate.

    sudo iptables -F POSTROUTING -t nat
    sudo iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE
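    Before restarting chilli it pays to check the config and the NAT step mechanically rather than by eye. The script below is an added example written for this page (not RADIUSdesk or CoovaChilli code): it sources /etc/chilli/config (the file is plain shell assignments, which is why it can be sourced), verifies that HS_UAMLISTEN really lies inside HS_NETWORK/HS_NETMASK as the comment in the config demands, refuses the placeholder secrets testing123 (the stock FreeRADIUS example secret) and greatsecret, makes sure the two interfaces differ, and, when run on the box itself, confirms that both interfaces exist, that IPv4 forwarding is on and that the MASQUERADE rule from the SNAT step is present. The function names are mine; the HS_* names and the config path are the page's.

```shell
#!/bin/sh
# chilli-config-check.sh: sanity checks for /etc/chilli/config and the SNAT step
# (added example for this page, not part of RADIUSdesk or CoovaChilli).

# ip_to_int A.B.C.D: print the address as a 32-bit integer
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# ip_in_network IP NETWORK NETMASK: succeed when IP & NETMASK equals NETWORK & NETMASK
ip_in_network() {
    _ip=$(ip_to_int "$1"); _net=$(ip_to_int "$2"); _mask=$(ip_to_int "$3")
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# is_placeholder_secret SECRET: succeed for an empty or well-known example secret
is_placeholder_secret() {
    case "$1" in
        ""|testing123|greatsecret) return 0 ;;   # testing123 is FreeRADIUS's shipped example secret
        *) return 1 ;;
    esac
}

# check_config FILE: source the HS_* assignments (FILE must be an absolute path so that
# "." does not search PATH), print each problem found, return the problem count
check_config() {
    . "$1"
    _n=0
    if ! ip_in_network "$HS_UAMLISTEN" "$HS_NETWORK" "$HS_NETMASK"; then
        echo "HS_UAMLISTEN=$HS_UAMLISTEN is not inside HS_NETWORK=$HS_NETWORK/$HS_NETMASK"
        _n=$((_n + 1))
    fi
    if [ "$HS_WANIF" = "$HS_LANIF" ]; then
        echo "HS_WANIF and HS_LANIF are both $HS_WANIF; chilli needs two interfaces"
        _n=$((_n + 1))
    fi
    for _v in HS_RADSECRET HS_UAMSECRET; do
        eval "_s=\$$_v"
        if is_placeholder_secret "$_s"; then
            echo "$_v is empty or a placeholder; set a long random value"
            _n=$((_n + 1))
        fi
    done
    return $_n
}

# check_live: runtime checks that need the real interfaces, /proc and iptables (run as root)
check_live() {
    for _dev in "$HS_WANIF" "$HS_LANIF"; do
        ip link show "$_dev" >/dev/null 2>&1 || echo "interface $_dev not found; compare with ip addr"
    done
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] \
        || echo "net.ipv4.ip_forward is 0; LAN clients cannot reach the WAN (sysctl -w net.ipv4.ip_forward=1)"
    iptables -t nat -C POSTROUTING -o "$HS_WANIF" -j MASQUERADE 2>/dev/null \
        || echo "no MASQUERADE rule for $HS_WANIF in nat/POSTROUTING; redo the SNAT step"
}

# Run the checks against the real config when it is present on this machine.
if [ -f /etc/chilli/config ]; then
    check_config /etc/chilli/config || echo "$? problem(s) in /etc/chilli/config"
    check_live
fi
```

    Run it with sudo on the portal after editing /etc/chilli/config; with the example config above exactly as printed it reports the two placeholder secrets, which is the point: those values are fine for a lab but must not reach a network where the RADIUS exchange or the UAM challenge carries real credentials.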

    Test it out

    • Restart CoovaChilli for the latest changes to take effect.

    sudo systemctl stop chilli

    sudo systemctl status chilli

    sudo systemctl start chilli

    • Confirm it started fine

    sudo systemctl status chilli

     

    .......

    ● chilli.service - LSB: Start CoovaChilli daemon at boot time

       Loaded: loaded (/etc/init.d/chilli; generated)

       Active: active (running) since Sat 2019-12-21 03:05:26 UTC; 2s ago

         Docs: man:systemd-sysv-generator(8)

      Process: 7619 ExecStart=/etc/init.d/chilli start (code=exited, status=0/SUCCES

        Tasks: 1 (limit: 1108)

       CGroup: /system.slice/chilli.service

               └─7706 /usr/sbin/chilli -c /etc/chilli.conf

     

    Dec 21 03:05:26 osboxes systemd[1]: Started LSB: Start CoovaChilli daemon at boo

    Dec 21 03:05:26 osboxes chilli[7706]: PID 7706 saving options to /var/run/chilli

    Dec 21 03:05:26 osboxes chilli[7706]: PID 7706 loading binary options file /var/

    Dec 21 03:05:26 osboxes chilli[7706]: Loading modules

    Dec 21 03:05:26 osboxes chilli[7706]: CoovaChilli 1.4. Copyright 2002-2005 Mondr

    Dec 21 03:05:26 osboxes chilli[7706]: TX queue length set to 100

    Dec 21 03:05:26 osboxes coova-chilli[7713]: PID 7713 loading binary options file

    Dec 21 03:05:26 osboxes coova-chilli[7713]: Loading modules

    Dec 21 03:05:26 osboxes coova-chilli[7713]: USER root(0/0), GROUP root(0/0) CHIL

    Dec 21 03:05:26 osboxes coova-chilli[7713]: Running /etc/chilli/up.sh (0/0)

    .......

    • Reboot the system and make sure CoovaChilli started up fine

    Troubleshooting tips

    • When things do not work it can be a bit tricky to figure out which part is failing.
    • It helps to see the captive portal as a mini router with a WAN side and a LAN side.
    • There are then a couple of important things to check.

    Are you getting an IP address

    • The captive portal also serves as a DHCP server, and a device connecting to it with DHCP enabled should get an IP address from it.
    • You can check on both sides (server and client).
    • To check on the server, issue the following command.

    sudo chilli_query list

    08-00-27-54-A5-85 10.1.0.3 dnat 157706717100000002 0 08-00-27-54-A5-85 0/0 0/0 0/0 0/0 0 0 0/0 0/0 -

    08-00-27-8C-D3-32 10.1.0.2 dnat 157706713900000001 0 08-00-27-8C-D3-32 0/0 0/0 0/0 0/0 0 0 0/0 0/0 -

    • You can read more about the chilli_query command here: Chilli Query
    • After consulting the documentation we can conclude that the captive portal has two clients connected but none has been authenticated.
    • This means that they should be redirected to a login page.
    • If you are not redirected to a login page, try the following procedure; it basically comes down to one of two things not working as intended:
      • The routing between the LAN and WAN is not working correctly.
      • The DNS on the setup is not working correctly.

    Forcing the login page to display

    • CoovaChilli has a special URL which will log you out and redirect you to the login page.
    • The URL is http://1.0.0.0
    • If you do get a login page you can next try to test the routing and the DNS.

    Test the routing

    • To test the routing you can use the chilli_query command and manually authorize the client.

    #Show the current list

    sudo chilli_query list

    08-00-27-54-A5-85 10.1.0.3 dnat 157706717100000002 0 08-00-27-54-A5-85 0/0 0/0 0/0 0/0 0 0 0/0 0/0 http://detectportal.firefox.com/success.txt

    08-00-27-8C-D3-32 10.1.0.2 dnat 157706713900000001 0 08-00-27-8C-D3-32 0/0 0/0 0/0 0/0 0 0 0/0 0/0 -

    #Authorize the client we want to test

     sudo chilli_query authorize ip 10.1.0.3

    #Note how 'dnat' now changed to 'pass' and the 5th field changed from 0 to 1

    system@osboxes:~$ sudo chilli_query list

    08-00-27-54-A5-85 10.1.0.3 pass 157706717100000002 1 08-00-27-54-A5-85 6/0 0/0 7073/0 3253/0 0 0 0%/0 0%/0 http://detectportal.firefox.com/success.txt

    08-00-27-8C-D3-32 10.1.0.2 dnat 157706713900000001 0 08-00-27-8C-D3-32 0/0 0/0 0/0 0/0 0 0 0/0 0/0 -

    • On the client you can now try to reach an IP address on the WAN side. I tried the IP address of my DSL router (192.168.1.1) and could reach it. This means that the traffic flow from the LAN side of my captive portal to its WAN side is fine.
    • I can now log this client off again using the chilli_query command.

    sudo chilli_query logoff ip 10.1.0.3

    #'pass' changed again back to 'dnat'

    system@osboxes:~$ sudo chilli_query list

    08-00-27-54-A5-85 10.1.0.3 dnat 157706939200000002 0 08-00-27-54-A5-85 0/0 0/0 460326/0 146821/0 0 0 0/0 0/0 http://detectportal.firefox.com/success.txt

    08-00-27-8C-D3-32 10.1.0.2 dnat 157706713900000001 0 08-00-27-8C-D3-32 0/0 0/0 0/0 0/0 0 0 0/0 0/0 -

    • Next we will test DNS
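    The two things the text reads off that listing, the state in the third column (dnat or pass) and the authenticated flag in the fifth, are easy to script. Below is an added example (written for this page, not part of CoovaChilli or RADIUSdesk) of small shell helpers over chilli_query list output: look up one client's state by IP, summarise how many clients are in each state and flag rows where the two columns disagree, list the IPs still in dnat that could be authorized for a routing test, and show what URL a client was trying to reach when it was caught. SAMPLE_LIST is a constructed listing in the page's format (two of its rows are the page's own, the third is made up); on a live box the helpers read the real chilli_query output from stdin.

```shell
#!/bin/sh
# chilli-clients.sh: helpers for reading `chilli_query list` output
# (added example for this page, not part of CoovaChilli or RADIUSdesk).
# Columns used, as on the page: 1 MAC, 2 IP, 3 state (dnat|pass), 5 authenticated (0|1),
# last column the URL the client was trying to reach.

# Constructed sample: the page's two rows plus a third made-up unauthenticated client.
SAMPLE_LIST='08-00-27-54-A5-85 10.1.0.3 pass 157706717100000002 1 08-00-27-54-A5-85 6/0 0/0 7073/0 3253/0 0 0 0%/0 0%/0 http://detectportal.firefox.com/success.txt
08-00-27-8C-D3-32 10.1.0.2 dnat 157706713900000001 0 08-00-27-8C-D3-32 0/0 0/0 0/0 0/0 0 0 0/0 0/0 -
08-00-27-AA-BB-CC 10.1.0.4 dnat 157706940000000003 0 08-00-27-AA-BB-CC 0/0 0/0 0/0 0/0 0 0 0/0 0/0 http://connectivitycheck.gstatic.com/generate_204'

# chilli_state_of IP (listing on stdin): print the client's state; fail if the IP is not listed
chilli_state_of() {
    awk -v ip="$1" '$2 == ip { print $3; found = 1 } END { exit found ? 0 : 1 }'
}

# chilli_summary (listing on stdin): print "pass=N dnat=M" on stdout; report rows whose
# state and authenticated flag disagree on stderr (a pass row should carry 1, a dnat row 0)
chilli_summary() {
    awk '
        $3 == "pass" { pass++ }
        $3 == "dnat" { dnat++ }
        ($3 == "pass" && $5 != 1) || ($3 == "dnat" && $5 != 0) {
            print "inconsistent row: " $1 " " $2 " state=" $3 " authenticated=" $5 > "/dev/stderr"
        }
        END { printf "pass=%d dnat=%d\n", pass, dnat }'
}

# unauthenticated_ips (listing on stdin): IPs still in dnat, one per line,
# i.e. the candidates for `chilli_query authorize ip <IP>` in a routing test
unauthenticated_ips() {
    awk '$3 == "dnat" { print $2 }'
}

# last_url IP (listing on stdin): the URL the client was trying to reach when it got caught
last_url() {
    awk -v ip="$1" '$2 == ip { print $NF }'
}

# On the portal itself (as root) summarise the live table; otherwise demonstrate on the sample.
if [ "$(id -u)" = 0 ] && command -v chilli_query >/dev/null 2>&1; then
    chilli_query list | chilli_summary
else
    printf '%s\n' "$SAMPLE_LIST" | chilli_summary
fi
```

    A row in pass with authenticated=0 (or the reverse) should not occur and is worth a second look before trusting the rest of the listing, which is why chilli_summary reports it separately on stderr.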

    Test the DNS

    • DNS traffic has to flow regardless of a client being authorised (pass) or not (dnat).
    • In order for the client to magically pop up the login page, DNS also has to work correctly.
    • A common problem is that the client has its own DNS servers configured, and then (depending on the configuration settings of CoovaChilli) DNS traffic to those servers might not be let through, leaving things broken.
    • After you have confirmed that the client has no hard-coded DNS servers, you can try a ping test.
    • With a ping test you just want to confirm that DNS is working correctly on the client.
    • Ping any known FQDN and see whether the system resolves it to an IP address.
    • Here I ping www.radiusdesk.com. As you can see the name resolution worked, but since I am not yet authorized (still in dnat state) the pings do not go through, which is fine.

    ping www.radiusdesk.com

    PING radiusdesk.com (164.160.91.12) 56(84) bytes of data.

    ^C

    --- radiusdesk.com ping statistics ---

    2 packets transmitted, 0 received, 100% packet loss, time 1025ms

    CoovaChilli FAQ

    • Does the LAN interface need its own IP address configured? No. The tun/tap interface that chilli creates takes over the 10.1.0.1 address.
    • How is the client configured? The client requests an address with DHCP; the address it gets is 10.1.0.3.
    • How is a client browsing to baidu.com redirected? First it is redirected to 10.1.0.1:3990, then port 3990 redirects it to port 4990, and 4990 serves the login page.
    • The client reaches the login page but the HTTP request gets no response. Why? haserl has to be installed on Ubuntu; it interprets the script in login.chi and serves the resulting CGI output to the client.

    Conclusion

    • Using these check points on the captive portal setup, you can now point to the component that does not work as intended and resolve it:
      • Be it the login page.
      • The routing between WAN and LAN.
      • The DNS service.
  • Original article: https://blog.csdn.net/anzhuangguai/article/details/126793836