

Setting Up Coovachilli (On Openwrt-Backfire)



#1 cybermaus

    Advanced Member


Posted 26 December 2011 - 03:08 PM

Hi,

To setup CoovaChilli on OpenWRT
(edited from a question about this subject)

There is no automatic config script for OpenWRT past White Russian, but as "any linux with CoovaChilli" is listed as supported, it should work. This does mean one must set all the Coova parameters oneself. I collected the parameters from the CoovaAP automatic setup script combined with the Coova man pages.

I assume you have OpenWRT already installed on your box, and know how to get to its command line, and know how to activate its wireless. If not, please go to the OpenWRT "first logon" page (search Google). Please note the instructions below assume all command line, no Web-Gui is used or needed.

Step 1: Install Coova:

opkg update
opkg install coova-chilli 

Step 2: edit file /etc/chilli/default

The first 3 parameters are very important. You should know your HotSpotSystems location and name parameters. For the interfaces, you need to check your device. The other parameters should be correct, but review them anyway. The names of the WAN and LAN interfaces are retrieved automatically, but if you want to be sure you can hardcode them. Check yourself with the "ifconfig | grep inet -B1" command.
# You *MUST* edit/validate these parameters
HS_LOC_ID="1"
HS_LOC_NAME="xxxxxxxxxxx"
HS_NASID="xxxxxxxxxx"
 
# You may edit these parameters
HS_WANIF=`uci -P/var/state get network.wan.ifname`
HS_LANIF=`uci -P/var/state get network.lan.ifname`
HS_DNS1=8.8.8.8
HS_DNS2=8.8.4.4
#HS_MACALLOWLOCAL=on
#HS_MACALLOW="XX-XX-XX-XX-XX-XX,XX-XX-XX-XX-XX-XX"
 
# You best leave these as they are (for HotSpotSystems)
HS_TYPE="chillispot"
HS_LAN_ACCESS="allow"
HS_MODE="wireless"
 
HS_UAMPORT=3990			# HotSpot UAM Port (on subscriber network)
HS_UAMUIPORT=4990		  # HotSpot UAM "UI" Port (on subscriber network, for embedded portal)
 
HS_NETWORK=192.168.182.0
HS_NETMASK=255.255.255.0
HS_UAMLISTEN=192.168.182.1
HS_DNS_DOMAIN=key.chillispot.info
HS_DYNIP=192.168.182.0
HS_DYNIP_MASK=255.255.255.0
HS_RADIUS=radius.hotspotsystem.com
HS_RADIUS2=radius2.hotspotsystem.com
 
HS_UAMHOMEPAGE=""
HS_UAMFORMAT="https://customer.hotspotsystem.com/customer/hotspotlogin.php"
HS_PROVIDER="HotSpotSystem"
HS_PROVIDER_LINK="http://www.hotspotsystem.com/"
HS_RADCONF="off"
HS_UAMSERVER="hotspotsystem.com"
HS_UAMSECRET="hotsys123"
HS_RADSECRET="hotsys123"
HS_UAMSERVER="customer.hotspotsystem.com"	# set a second time; as the file is sourced, this later value is the one in effect
HS_AAA="radius"
 
HS_UAMALLOW="194.149.46.0/24 198.241.128.0/17 66.211.128.0/17 216.113.128.0/17 70.42.128.0/17 \
			 128.242.125.0/24 216.52.17.0/24 62.249.232.74 155.136.68.77 155.136.66.34 \
			 66.4.128.0/17 66.211.128.0/17 66.235.128.0/17 88.221.136.146 195.228.254.149 \
			 195.228.254.152 203.211.140.157 203.211.150.204 \
			 www.paypal.com www.paypalobjects.com live.adyen.com \
			 www.worldpay.com select.worldpay.com secure.ims.worldpay.com \
			 www.rbsworldpay.com secure.wp3.rbsworldpay.com www.directebanking.com \
			 betalen.rabobank.nl ideal.ing.nl internetbankieren.frieslandbank.nl \
			 ideal.abnamro.nl ideal.snsreaal.nl ideal.triodos-onlinebanking.nl \
			 www.hotspotsystem.com customer.hotspotsystem.com tech.hotspotsystem.com \
			 a1.hotspotsystem.com a2.hotspotsystem.com a3.hotspotsystem.com a4.hotspotsystem.com \
			 a5.hotspotsystem.com a6.hotspotsystem.com a7.hotspotsystem.com a8.hotspotsystem.com \
			 a9.hotspotsystem.com a10.hotspotsystem.com a11.hotspotsystem.com a12.hotspotsystem.com \
			 a13.hotspotsystem.com a14.hotspotsystem.com a15.hotspotsystem.com a16.hotspotsystem.com \
			 a17.hotspotsystem.com a18.hotspotsystem.com a19.hotspotsystem.com a20.hotspotsystem.com"
HS_UAMDOMAINS="paypal.com paypalobjects.com worldpay.com rbsworldpay.com adyen.com hotspotsystem.com"

Step 3: init.d startup script

For some reason (which I consider a package error) the coova package does not come with an init.d script. I found a /etc/init.d/chilli script for startup/shutdown, but slightly modified it. The original auto-renamed the wireless SSID name, but that was taken out. See the original here, and what I used below. It worked on both Broadcom WRT54GS and Atheros WR740N and WR941ND.

Put this in /etc/init.d/chilli and do a chmod a+x /etc/init.d/chilli to make it executable.
#!/bin/sh /etc/rc.common
# - init script for chilli -
# START/STOP are the rc.d ordering numbers (STOP was lowered from 90 to 60, see post #5)

START=60
STOP=60

NAME=chilli
RUN_D=/var/run
CMDSOCK=$RUN_D/$NAME.sock
PIDFILE=$RUN_D/$NAME.pid

# Export every option of /etc/config/hotspot (if present) as an HS_* variable
# into /etc/chilli/config, escaping '$' so the values survive being sourced.
option_cb() { [ -n "$2" ] && echo "HS_$(echo $1|tr 'a-z' 'A-Z')=\"$2\"" | sed 's/\$/\\\$/g'; }
config_load hotspot > /etc/chilli/config

# Provides writeconfig/radiusconfig and loads the HS_* settings
. /etc/chilli/functions

start() {
	case ${hs_type:-$HS_TYPE} in
		*chilli*)
			;;
		*)
			echo "Not running hotspot"
			exit
			;;
	esac

	# Fallbacks for anything not set in /etc/chilli/default
	HS_DNS_DOMAIN=${HS_DNS_DOMAIN:-cap.coova.org}
	HS_DNS1=${HS_DNS1:-$HS_UAMLISTEN}
	HS_DNS2=${HS_DNS2:-$HS_NASIP}
	HS_NASID=${HS_NASID:-$HS_NASMAC}
	HS_MACAUTHMODE=${HS_MACAUTHMODE:-local}
	HS_USELOCALUSERS=${HS_USELOCALUSERS:-off}
	HS_PROXY_TYPE=${HS_PROXY_TYPE:-none}
	HS_RADCONF_URL=${HS_RADCONF_URL:-http://ap.coova.org/config/tos.conf}
	HS_CFRAME_URL=${HS_CFRAME_URL:-http://coova.org/cframe/default/}
	HS_CFRAME_SZ=${HS_CFRAME_SZ:-100}
	HS_DEFSESSIONTIMEOUT=${HS_DEFSESSIONTIMEOUT:-0}
	HS_DEFIDLETIMEOUT=${HS_DEFIDLETIMEOUT:-0}
	HS_DEFINTERIMINTERVAL=${HS_DEFINTERIMINTERVAL:-300}
	HS_LAN_ACCESS=${HS_LAN_ACCESS:-deny}
	HS_CFRAME_POS=${HS_CFRAME_POS:-top}
	HS_PROVIDER=${HS_PROVIDER:-Coova}
	HS_PROVIDER_LINK=${HS_PROVIDER_LINK:-http://coova.org/}
	HS_LOC_NAME=${HS_LOC_NAME:-My HotSpot}
	HS_LOC_NETWORK=${HS_LOC_NETWORK:-Coova}
	HS_OPENIDAUTH=${HS_OPENIDAUTH:-off}
	HS_ANYIP=${HS_ANYIP:-off}

	# Record the LAN interface the hotspot runs on; if a record from a previous
	# run is still present, stop that instance first. Only makes sense when a
	# LAN interface is actually set, hence -n (the posted copy had -z and was
	# missing the ';' before '}', which sh rejects as a syntax error).
	[ -n "$HS_LANIF" ] && {
		[ -e /tmp/device.hotspot ] && { stop; }
		echo $HS_LANIF > /tmp/device.hotspot
	}
	writeconfig	# writes the generated config files checked in step 5
	radiusconfig
	[ -d $RUN_D ] || mkdir -p $RUN_D
	/sbin/insmod tun >&- 2>&-	# tun may already be loaded; errors are ignored
	/usr/sbin/chilli
}

stop() {
	[ -f $PIDFILE ] && kill $(cat $PIDFILE)
	rm -f $PIDFILE $LKFILE $CMDSOCK 2>/dev/null
	rm -f /tmp/device.hotspot
}

Step 4: Optional WAN maintenance access

To ensure you can always get to the box using SSH and/or the web (if you installed a Web GUI, which is not default in OpenWRT), you can optionally also put these lines into the /etc/firewall.user file.

# Always allow these ports on WAN interface for router admin as well
 
iptables -I zone_wan -p tcp --dport 443 -j ACCEPT;
iptables -I zone_wan -p tcp --dport 80 -j ACCEPT;
iptables -I zone_wan -p tcp --dport 22 -j ACCEPT;

Step 5: start and test

Now you can start coova and test if it works. After starting coova, if you are on its LAN side, you will probably lose connection, as you are not inside the hotspot and need to sign into the hotspot. That's why you may have needed the WAN-side firewall lines above, so you can get in from that side.

/etc/init.d/chilli start

If chilli does not run, check the following files that it should have generated:
/etc/chilli/hs.conf
/etc/chilli/main.conf
/var/run/chilli.tun0.sh
Also, you may want to run chilli in interactive debug to see if there are any hints: chilli -fd

Step 6: Finalize

If it does run, you can optionally set the hotspot to autostart on reboot.
/etc/init.d/chilli enable
and optionally, if you want to save valuable memory, disable these processes from autostarting:
/etc/init.d/dnsmasq disable
/etc/init.d/uhttpd disable

Good luck. If you used this guide to get coova to work on OpenWRT, drop in a note below.

Edited by cybermaus, 19 March 2012 - 11:00 PM.
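Before step 5, a pre-flight check of /etc/chilli/default catches the two things the guide tells you to validate: placeholder values left in the "MUST edit" block and a malformed walled-garden (HS_UAMALLOW) entry. This is an added example, not the guide's or CoovaChilli's own script; it sources the file (so the uci backticks run as they would at start-up) and is driven here by a constructed sample file.

```sh
#!/bin/sh
# Pre-flight check for /etc/chilli/default (added example): reports placeholder
# values left in the "MUST edit" block and malformed HS_UAMALLOW entries.

# Returns 0 when a value is empty or still the x/X placeholder from the guide.
is_placeholder() { case "$1" in ''|x*|X*) return 0 ;; *) return 1 ;; esac; }

# Returns 0 for a dotted IPv4 address, optionally followed by /prefix or /mask.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" |
      grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]{1,2}|([0-9]{1,3}\.){3}[0-9]{1,3}))?$'
}

# Returns 0 for a DNS name such as www.paypal.com (no scheme, no path).
is_hostname() { printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'; }
# Prints how many words of a HS_UAMALLOW string are neither address nor hostname.
count_bad_uamallow() {
    bad=0
    for entry in $1; do
        is_ipv4_or_cidr "$entry" || is_hostname "$entry" || bad=$((bad + 1))
    done
    echo "$bad"
}

# check_default FILE: sources FILE, prints one line per problem, returns the count.
check_default() {
    HS_LOC_ID=''; HS_LOC_NAME=''; HS_NASID=''; HS_UAMALLOW=''
    . "$1"
    problems=0
    for var in HS_LOC_ID HS_LOC_NAME HS_NASID; do
        eval "val=\$$var"
        if is_placeholder "$val"; then
            echo "$var not set (value '$val')"; problems=$((problems + 1))
        fi
    done
    bad=$(count_bad_uamallow "$HS_UAMALLOW")
    [ "$bad" -eq 0 ] || { echo "$bad malformed HS_UAMALLOW entries"; problems=$((problems + bad)); }
    return "$problems"
}
# Constructed sample: HS_NASID left at the placeholder and a URL (not a host)
# in the walled garden, two problems the check should report.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
HS_LOC_ID="1"
HS_LOC_NAME="My Cafe"
HS_NASID="xxxxxxxxxx"
HS_UAMALLOW="194.149.46.0/24 www.paypal.com https://www.paypal.com"
EOF
check_default "$SAMPLE" || echo "$? problem(s) found"
```

On the router, call check_default /etc/chilli/default instead of the sample; a non-zero exit means something to fix before /etc/init.d/chilli start.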


#2 cybermaus

    Advanced Member


Posted 26 December 2011 - 03:59 PM

Adding simple QoS to OpenWRT and hotspotsystems:

In reference to this page, simply install and activate qos-scripts.
opkg update
opkg install qos-scripts
uci set qos.wan.upload=700			# 90% of your Upload in kBits/s
uci set qos.wan.download=7000		 # 90% of your Download in kBits/s
uci set qos.wan.enabled=1
uci commit qos
/etc/init.d/qos start
/etc/init.d/qos enable

but I do advise one change to /etc/config/qos, which is to add the RADIUS and UAM ports to the priority class:
config 'interface' 'wan'
		option 'classgroup' 'Default'
		option 'upload' '700'
		option 'download' '7000'
		option 'enabled' '0'
 
config 'classify'
		option 'target' 'Priority'
		option 'ports' '22,53,1812,1813,3990,4990'
.....
.....

Edited by cybermaus, 17 January 2012 - 04:25 PM.


#3 Marko

    Hotspot System Staff


Posted 27 December 2011 - 01:24 PM

Hi,

You will need to add the Cronjob to get the device to show up:

1 * * * * root /usr/bin/wget http://tech.hotspotsystem.com/up.php?mac=MACADDRESS\&nasid=YOUROPERATORID_YOURLOCATIONID\&uptime=`uptime|sed s/" "/\%20/g|sed s/:/\%3A/g|sed s/,/\%2C/g` -O /tmp/up.html


#4 cybermaus

    Advanced Member


Posted 03 January 2012 - 10:12 PM

Ok, works

Provided you enter the MAC as XX-XX-XX-XX-XX-XX and not as XX:XX:XX:XX:XX:XX, and also remove the 'root' parameter, so like this (put the below into the file /etc/crontabs/root):
1 * * * * /usr/bin/wget http://tech.hotspotsystem.com/up.php?mac=MA-CA-DD-RE-SS-XX\&nasid=YOUROPERATORID_YOURLOCATIONID\&uptime=`uptime|sed s/" "/\%20/g|sed s/:/\%3A/g|sed s/,/\%2C/g` -O /tmp/up.html
1 3 * * * reboot
PS: note that I also advise rebooting every night at 03h00, but make sure to translate your local 3am into UTC.

Also, by adding this to the coova default file, it nicely authenticates some MAC addresses locally, while unknown ones still get a logon (the man page incorrectly lists the second one as macallowed). Multiple MACs should be comma-separated:
# LOCAL MAC addresses
HS_MACALLOWLOCAL=on
HS_MACALLOW="XX-XX-XX-XX-XX-XX"

Going one step further, you can also put your self-owned equipment into the router's natural LAN subnet (i.e., not the 182 one), but then the MACALLOW above will not suffice, as coova will complain about spoofed IP addresses and drop them. Adding the settings below will solve that. Assuming your hotspot range is 182 and your private range is 20, set this in the configuration.

But put it in the local.conf file rather than the defaults, as I found these "non-hotspot settings" better contained there than in the default file. The firewall modification can be done by the ipup.sh script. Here are the ones I am using:
(PS: this is on OpenWRT+Chilli, not sure if other platforms would respond the same)

The default session and idle timeouts are needed because otherwise the "macallow" sessions are infinite, and the hotspotsystems graphs and counters are confused by that.

# LOCAL static IP range from 96 to 111
statip 192.168.20.96/255.255.255.240

lease 900		# default dhcp lease 900 seconds
leaseplus 300		# 5 minutes extra just in case
defsessiontimeout 90000 # 24 hour sessions for internal equipment (users are set by radius)
defidletimeout 3600	# 1 hour for internal equipment (users are set by radius)

# LOCAL MAC addresses
macallowlocal
macallowed XXXXXXXXXXXX #local device 1
macallowed YYYYYYYYYYY #local device 2

#!/bin/sh
#
# remove the rules chilli adds at startup, to allow native LAN traffic again.
iptables -D INPUT -i br-lan -j DROP	# this rule should be deleted
#iptables -D FORWARD -i br-lan -j DROP # leave this as # otherwise duplicate traffic
iptables -D FORWARD -o br-lan -j DROP  # this rule should be deleted

In addition to, or even instead of, the LOCAL MAC authentication, you can also temporarily authenticate an address with one of these example commands:
chilli_query list
chilli_query authorize ip 192.168.20.xx sessiontimeout 600 username admin_access
chilli_query logout xx-xx-xx-xx-xx-xx
(Yes, with chilli_query you authorize based on IP but you kick them out based on MAC. A bit strange, but so what.)

Edited by cybermaus, 26 July 2012 - 04:35 PM.
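The up.php keep-alive from the cron lines above, rebuilt as a small script so the dashed MAC form and the percent-encoding of the uptime string can be checked before the line goes into /etc/crontabs/root. This is an added example, not from the thread or from HotSpotSystem; the nasid value and MAC are constructed placeholders, and od is assumed to be available. The encoder goes beyond the sed chain in the cron line: it encodes every byte outside the URL-unreserved set, not only space, colon and comma.

```sh
#!/bin/sh
# Builds the HotSpotSystem up.php keep-alive URL from the cron job above, with
# the uptime string percent-encoded. Added example, not part of the thread; the
# operator/location id and MAC below are constructed placeholders.

# Put a MAC into the XX-XX-XX-XX-XX-XX form the call expects (colon-separated
# MACs are not accepted, as noted above).
mac_dashed() { printf '%s\n' "$1" | tr 'a-f:' 'A-F-'; }

# Percent-encode every byte outside the unreserved set (0-9 A-Z a-z - . _ ~).
# The cron line's sed chain only rewrites space, colon and comma; this is the
# general form of that step, so any character uptime emits is safe in the URL.
urlencode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -s ' \n' '\n\n' | while read -r hex; do
        [ -n "$hex" ] || continue
        case "$hex" in
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
                printf "\\$(printf '%03o' "0x$hex")" ;;
            *)  printf '%%%s' "$hex" | tr 'a-f' 'A-F' ;;
        esac
    done
    echo
}

# build_up_url MAC NASID UPTIME: the URL the cron line hands to wget.
build_up_url() {
    printf 'http://tech.hotspotsystem.com/up.php?mac=%s&nasid=%s&uptime=%s\n' \
        "$(mac_dashed "$1")" "$2" "$(urlencode "$3")"
}

# Returns 0 when the query string holds only characters that need no quoting
# on the cron command line (no space, colon, comma, backtick, ...).
url_is_clean() {
    ! printf '%s\n' "${1#*\?}" | grep -q '[^A-Za-z0-9%=&_.-]'
}

# Constructed sample uptime line, as `uptime` prints it on a busybox router.
SAMPLE_UPTIME=' 22:10:01 up 3 days,  2:15,  load average: 0.01, 0.02, 0.00'
URL=$(build_up_url 'aa:bb:cc:dd:ee:ff' 'OPERATOR_LOCATION' "$SAMPLE_UPTIME")
echo "$URL"
url_is_clean "$URL" && echo "query string is safe to put in /etc/crontabs/root"
```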


#5 cybermaus

    Advanced Member


Posted 19 March 2012 - 11:02 PM

Please note I changed the STOP value in the startup script from 90 down to 60, as 90 resulted in Coova stopping too late and not properly reporting sessions closed to HSS, leaving eternally open sessions in the HSS database.

#6 soundsticks

    Newbie


Posted 27 February 2013 - 10:08 AM

But I'm not able to login to router page.



