2017-10-19 - Re: [GRASE-Hotspot] Re: Grase Hotspot working with DD-WRT routers in remote locations.

Header Data

From: Giuseppe Clarizio <gi***o@gmail.com>
Message Hash: b5cefb1f4d8662f090eadd46144930018ab71d5613ae5d648842ccdbd4454358
Message ID: <c9f2be8b-ef12-48b2-a677-16428fc3f7bd@grasehotspot.org>
Reply To: <01b5eb73-78c1-4ee0-b67a-561db1806be9@grasehotspot.org>
UTC Datetime: 2017-10-19 23:37:15 UTC
Raw Date: Thu, 19 Oct 2017 23:37:15 -0700

Raw message

*Excellent Norberto, very good job!!! Awesome!!!!*

Thank you very much for your competence!

I adjusted the chilli config file to OpenWrt firmware; DD-WRT is very often 
unstable! *It works like a charm for me!!... even if I spent some nights.*

Next step for me is to change the php order in order to integrate social 
logins.

Thanks again and keep in touch.

Giuseppe

On Saturday, 6 December 2014 at 11:18:35 UTC+1, Norberto Esteves wrote:
>
> Hi again,
>
> Just some extra information:
>
> I forgot to tell you that after modifying Chillispot, or some other 
> settings in the DD-WRT configuration, you will always need to reboot the router.
>
> The last image on the Chillispot configuration will work but is not 100% 
> accurate (the subnet mask is wrong and I forgot to put YOUR.GRASE.SERVER.IP in 
> UAM Allowed ...), this is the correct one:
>
>
> <https://lh5.googleusercontent.com/-PyR13K7BpCE/VILOX34vpuI/AAAAAAAAALo/NZXeSRcjDNs/s1600/graseddwrt.jpg>
> The bad news, the things that will not work on Remote sites:
>
> - They will not record session log (only normal session information, time, 
> data, login, logout, etc..) since there is no squid3 to log locally. You 
> can use some DD-WRT tools to log sessions but that is not relevant for this 
> tutorial.
> - DHCP Leases won't show remote assigned IP addresses (that's obvious since 
> each DHCP server is a different machine).
> - After a few more tests I found out that some devices (Android with 
> Opera Mobile) won't work with javascript login, so I suggest disabling it 
> in the Grase configuration.
>
> Other important information that is not directly related but will save you 
> a couple of hours is that if you want to use the UAM Domains on DD-WRT 
> routers they will not work if you just put the domains there (i.e. 
> google.com facebook.com ...). I found out there is a bug (at least there 
> is in the version I use) and you need to:
>
> - Enable Hotspot System
> - Select White Label Protocol http
> - Write the UAM Domains you want to use:
> UAM Domains (space separated)
> Save settings
>
> - Then disable Hotspot System
> - Enable Chillispot again and put there the same UAM Domains, Save and 
> Reboot.
>
> I will be testing this for the next few days; if I find some other bugs 
> or things that need to be changed I will be updating this post.
> Also, if you find any bugs, please let me know.
>
> Regards,
>
> Norberto Esteves
>
>
>
> On Saturday, 6 December 2014 at 1:59:56 UTC, Norberto Esteves wrote:
>>
>> Hi all,
>>
>> As promised, here is the information you need to set up Grase Hotspot on 
>> multiple locations (please Tim, feel free to move this to the wiki if you 
>> wish). 
>>
>> I made several tests with the setup described below and everything seems 
>> to work fine, even the javascript login interface. 
>>
>> *Please note:*
>>
>> *This procedure is not for beginners, you can damage your router if you 
>> flash a wrong file to it. Also you can break Grase if you place the wrong 
>> code when editing the files, please make a backup of the original files 
>> before editing.*
>> *Do it at your own risk!*
>>
>> *1 - Description:*
>>
>> The goal is to deploy multiple location Hotspots with one server in the 
>> main site (headquarters) and several routers in remote locations:
>>
>>
>> <https://lh5.googleusercontent.com/-SlK2BszGtB0/VIJJ5jrE8aI/AAAAAAAAAKE/rohge8JLbBk/s1600/Grase.jpg>
>>
>> To make this work we need:
>>
>> - One server running Grase Hotspot at the Headquarters.
>> - Static public IP address at the Headquarters. This won't work with 
>> a dynamic IP address.
>> - Routers running DD-WRT at remote locations.
>>
>>
>> *2 - Redirecting Ports*
>>
>> First we need to allow remote routers to connect to our server, so we 
>> need to redirect the following ports to our Grase Server:
>>
>> Radius: UDP: 1812, 1813 and 1814
>> UAM: TCP: 3990
>> HTTP: TCP: 80
>> COA: TCP: 3779 (this one is optional)
>>
>> My Draytek Configuration:
>>
>> 1.  RADIUS1  All  UDP  1812  10.10.10.5  v
>> 2.  RADIUS2  All  UDP  1813  10.10.10.5  v
>> 3.  RADIUS3  All  UDP  1814  10.10.10.5  v
>> 4.  UAM  All  TCP  3990  10.10.10.5  v
>> 5.  HTTP  All  TCP  80  10.10.10.5  v
>> 6.  COA  All  TCP  3779  10.10.10.5  v
>>  
>>
>> *3 - Freeradius configuration*
>>
>> At this point we need to edit */etc/freeradius/clients.conf* to allow 
>> our remote routers to connect.
>> If the remote routers have static public IPs you should add them right 
>> after the following code: 
>>
>> #
>> #  You can now specify one secret for a network of clients.
>> #  When a client request comes in, the BEST match is chosen.
>> #  i.e. The entry from the smallest possible network.
>> #
>>
>> If they have dynamic IPs (the most common case) you should either use the 
>> nas table and advanced freeradius configuration to add them dynamically or 
>> you can allow all to connect (please note, this is not the best way because 
>> it's less secure).
>> If you are OK with less security you can add the following:
>>
>> client 0.0.0.0/1 {
>> secret = hotspotradius
>> shortname = NAS
>> nastype     = other
>> }
>>
>> client 128.0.0.0/1 {
>> secret = hotspotradius
>> shortname = NAS
>> nastype     = other
>> }
>>
>> This will allow any IP to connect to the radius server as long as the secret 
>> is correct.
>> The default secret is *hotspotradius*; it's highly recommended to change 
>> this to a more complex password.
>>
>> clients.conf will look like this after line 190:
>>
>> *...*
>>
>> #
>> #  You can now specify one secret for a network of clients.
>> #  When a client request comes in, the BEST match is chosen.
>> #  i.e. The entry from the smallest possible network.
>> #
>>
>> client 0.0.0.0/1 {
>> secret = hotspotradius
>> shortname = NAS
>> nastype     = other
>> }
>>
>> client 128.0.0.0/1 {
>> secret = hotspotradius
>> shortname = NAS
>> nastype     = other
>> }
>>
>> #client 192.168.0.0/24 {
>> # secret = hotspotradius-1
>> # shortname = private-network-1
>> #}
>> #
>> #client 192.168.0.0/16 {
>> # secret = hotspotradius-2
>> # shortname = private-network-2
>> #}
>>
>> ...
>>
>>  
>> We are done with freeradius, *restart the server* in order to load the new 
>> configuration.
>>
>>
>> *4 - Grase configuration and files editing*
>>
>> Go to grase admin interface -> Network settings and configure IP and 
>> netmask as follows:
>>
>>
>>
>> <https://lh4.googleusercontent.com/-B6Rd3-wkKOc/VIJXc0B29EI/AAAAAAAAAKs/QNMT6rJ45zQ/s1600/Grase2.jpg>
>> Go to Coova Chilli Settings and configure:
>>
>>
>> <https://lh6.googleusercontent.com/-NAxRz6I3qv4/VIJYHm-N49I/AAAAAAAAAK0/5tA-xMVGq90/s1600/Grase3.jpg>
>> We need to add different DHCP ranges for each remote router to avoid 
>> problems having same IP assigned to clients in the Grase server network and 
>> in the remote routers. In fact there are other ways to avoid it but that 
>> will include several modifications in the Grase structure. So, to keep it 
>> simple we use this method. Each site will have a different DHCP Start and 
>> End.
>>
>> *File editing:*
>>
>> We need to edit */usr/share/grase/www/uam/hotspot.php* because we 
>> need to capture the remote client IP address and pass it to the 
>> nojsstatus.php file to get the correct status information.
>>
>> Edit *hotspot.php *and add: "session_start();" in the second line:
>>
>> <?php
>> session_start();
>> require_once('includes/site.inc.php');
>> ....
>>
>> And the code:"$_SESSION['ipaddress'] = $_GET['ip'];" after line 30 to 
>> look like this:
>>
>> ...
>>
>> $res = @$_GET['res'];
>> $userurl = @$_GET['userurl'];
>> $challenge = @$_GET['challenge'];
>>
>> // add this line to store user IP address in session.
>> $_SESSION['ipaddress'] = $_GET['ip'];
>>
>> if($userurl == 'http://logout/') $userurl = '';
>> if($userurl == 'http://1.0.0.0/') $userurl = '';
>>
>> ...
>>
>> Then we need to edit 
>>
>> */usr/share/grase/www/uam/nojsstatus.php*
>>
>> Also need to start the session so, add: "session_start();" in the second 
>> line:
>>
>> <?php
>> session_start();
>> require_once('includes/site.inc.php');
>>
>> ...
>>
>> Then we need to retrieve the IP address commenting out the code: 
>> "//$ipaddress = $_SERVER['REMOTE_ADDR'];"
>> and adding: "$ipaddress = $_SESSION['ipaddress'];" at line 12:
>>
>> ...
>>
>> // Meta refresh to update
>>
>> //$ipaddress = $_SERVER['REMOTE_ADDR'];
>>
>> $ipaddress = $_SESSION['ipaddress'];
>>
>> $username = 
>> DatabaseFunctions::getInstance()->getRadiusUserByCurrentSession($ipaddress);
>>
>> ...
>>
>> Save both files and we are done with editing.
>>
>>
>> *5 - DD-WRT*
>>
>> I'm not going to explain how to install DD-WRT, I will assume that you 
>> already have a router with DD-WRT firmware.
>> If you are already familiar with DD-WRT this is going to be piece of 
>> cake. If not, you should visit http://www.dd-wrt.com and check if your 
>> router is supported and follow the procedures to flash it. You can brick 
>> your router doing this, please be careful.
>>
>> I use D-link DIR-615 for testing and Netgear WNDR3700 V4 at the remote 
>> sites since these are very reliable routers.
>>
>> *Configuration:*
>>
>> Configure Wan interface in order to get internet access:
>>
>>
>> <https://lh3.googleusercontent.com/-u1XM9_yogqA/VIJViDVwBvI/AAAAAAAAAKU/lSdjB4SK2g4/s1600/ddwrt%2Bwan.jpg>
>> LAN IP is not important, just configure something out of the chillispot 
>> range (10.1.0.0/16). Disable DHCP and make sure that you enable NTP 
>> Client and use the correct Server and Time Zone:
>>
>>
>> <https://lh4.googleusercontent.com/-E_kIqIU0bo8/VIJWfmB7HvI/AAAAAAAAAKg/PlSBo1EDCGY/s1600/ddwrt%2Blan.jpg>
>>    Configure the Wireless interface:
>>
>>
>> <https://lh6.googleusercontent.com/-_PXOMiKAvE4/VIJbb1ucw4I/AAAAAAAAALA/O4k9KCPtYvc/s1600/Grase4.jpg>
>> Now the Coova Chilli configuration:
>> Go to Services -> Hotspot, enable Chillispot and configure as follows:
>>
>>
>>
>> <https://lh3.googleusercontent.com/-cbyIbcDR-6g/VIJebFOkvuI/AAAAAAAAALY/Txgg9lsEj8o/s1600/Grase5.jpg>
>> Redirect url is: *http://YOUR.GRASE.SERVER.IP/grase/uam/hotspot*
>>
>> You can add as many DD-WRT Routers as you want, just make sure to use 
>> different and non-overlapping DHCP ranges on each. 
>>
>> The changes made in the files may be replaced when updating Grase 
>> package. Hope this will be included in next releases.
>>
>> That's it!!
>>
>> Hope this could help someone.
>>
>> Regards,
>>
>> Norberto Esteves
>>
>>
>>
>>
>>
>> On Thursday, 4 December 2014 at 21:37:45 UTC, michele.campanelli 
>> wrote:
>>
>>> Great Norberto!
>>>
>>> For every support you need, ask if you need.
>>>
>>> Good Job!
>>>
>>> Michele
>>>
>>>
>>> On 04/Dec/2014, at 22.02, Norberto Esteves wrote:
>>>
>>> Hi all!
>>>
>>> António, that is the configuration I have right now. I moved Grase to a 
>>> virtual machine. 
>>> I plan to use this setup to replace an old server with the old version 
>>> of Chillispot that we bought a few years ago and is used to manage several 
>>> hotspots (around 20). All the hotspots are already using DD-WRT, so I'm 
>>> trying to adapt Grase to the DD-WRT configuration I already have.
>>>
>>> Everything seems to work fine with non Java login. And I found a way to 
>>> use the Javascript login, the problem I still have with it is the pop up 
>>> window not showing the information after login and the logout button not 
>>> working, also some android phones with Opera mobile are not able to login.
>>>
>>> Since I had a very busy week I hope I can do some more tests in the 
>>> weekend and make a document on how to get this working. 
>>> In order to make a document valid to every one I will have to setup a 
>>> new machine with the nightly build because mine has lots of modifications 
>>> on the original code and I don't know anymore which files are original and 
>>> which are modified by me...
>>>
>>> Regards,
>>>
>>> Norberto Esteves  
>>>
>>> On Tuesday, 2 December 2014 at 19:38:54 UTC, Norberto Esteves 
>>> wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I managed to get this configuration working.
>>>>
>>>> Basically I have the Grase Hotspot installed in a machine (shuttle XPC 
>>>> DS6) in the office and one router (D-Link DIR-615) with DD-WRT in my house 
>>>> for testing.
>>>> The remote site (D-Link Router) uses the Coova Chilli included with the 
>>>> DD-WRT firmware to redirect users to the Grase authentication Portal, after 
>>>> that, the username, password, and other attributes are checked with the 
>>>> radius server. If the authentication is successful then the user is allowed 
>>>> to use the Internet and DD-WRT Coova Chilli takes care of the session even 
>>>> if the main site (Grase) goes down. DD-WRT Coova Chilli also sends 
>>>> periodical data (every 5 minutes) to Radius server to keep information up 
>>>> to date. 
>>>>
>>>> So far I had to change a few things in the following files:
>>>> hotspot.php, nojsstatus.php, /includes/site.inc.php
>>>>
>>>> I do not use VPN, so there are a few ports that need forwarding:
>>>> In the main site: Radius (1812, 1813, 1814), UAM (3990) and HTTP (80) 
>>>> ports forward to Grase Hotspot machine.
>>>> The remote site only needs port forwarding for COA port 3779 if you are 
>>>> going to use the radclient to disconnect users.
>>>>
>>>> Freeradius also needs to allow remote site to connect, to do this you 
>>>> need to add remote client to clients.conf, or use nas table.
>>>>   
>>>> So far I'm still testing and correcting some "bugs" I found.
>>>>
>>>> The bad news is that this setup doesn't work with Javascript login, I did 
>>>> some tests and I think DD-WRT is not able to use the JSON interface for 
>>>> Coova Chilli. So if you want to use DD-WRT, Java script login should be 
>>>> disabled.
>>>>
>>>> If anyone is interested in multi-location setup using DD-WRT I can make 
>>>> a document and share with the community.
>>>>
>>>> Regards,
>>>>
>>>> Norberto Esteves
>>>>
>>>>
>>>>
>>>
>>>
>>>
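
The `clients.conf` quoted in this thread accepts RADIUS packets from the whole IPv4 space (`0.0.0.0/1` plus `128.0.0.0/1`) and keeps the default secret. As an added example, not part of the original messages or of Grase, the Python check below reports active `client` blocks that are wider than a chosen prefix length or still use `hotspotradius`. The /24 threshold, the function name and the sample file are assumptions constructed here.

```python
import ipaddress
import re

DEFAULT_SECRET = "hotspotradius"   # default secret named in the thread
MIN_PREFIX = 24                    # assumption: anything wider than /24 is flagged

# Constructed sample shaped like the thread's clients.conf, plus one narrow
# entry (documentation address, made-up secret).
SAMPLE = """
client 0.0.0.0/1 {
secret = hotspotradius
shortname = NAS
nastype     = other
}
client 128.0.0.0/1 {
secret = hotspotradius
shortname = NAS
}
#client 192.168.0.0/16 {
# secret = hotspotradius-2
#}
client 203.0.113.10 {
secret = constructed-long-random-value
shortname = site1
}
"""

BLOCK = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
SECRET = re.compile(r"^\s*secret\s*=\s*(\S+)", re.M)

def audit_clients(text):
    """Return (client, problem) pairs for active client blocks."""
    text = re.sub(r"#.*", "", text)  # commented-out examples are not reported
    findings = []
    for name, body in BLOCK.findall(text):
        try:
            net = ipaddress.ip_network(name, strict=False)
        except ValueError:
            continue  # hostname-style client name, not checked here
        if net.prefixlen < MIN_PREFIX:
            findings.append((name, f"accepts {net.num_addresses} source addresses"))
        m = SECRET.search(body)
        if m and m.group(1) == DEFAULT_SECRET:
            findings.append((name, "uses the default secret"))
    return findings

if __name__ == "__main__":
    for name, problem in audit_clients(SAMPLE):
        print(f"{name}: {problem}")
```

Run against the real file by passing `open("/etc/freeradius/clients.conf").read()` to `audit_clients`; an empty result means every active network entry is /24 or narrower and none uses the default secret.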
