Opennds howto terminate / Kill session hard after session minutes expired

Hello guys, I am almost done with my setup and have now experienced that the Youtube stream isn't terminated when the Opennds session expires. Since I am not that familiar with /usr/lib/opennds/binauth_log.sh (if it's the right place for that?) I would like to ask for help.

Goal: after session expired, client shall be kicked out, session shall be terminated even when there is an ongoing stream running.

AI suggests this:

# ---- HARD WIFI DISCONNECT ----
if [ "$action" = "deauth" ]; then
    if [ -n "$clientmac" ]; then
        hostapd_cli -i phy0-ap0 deauthenticate "$clientmac" >/dev/null 2>&1
    fi
fi
# ------------------------------

Users are authenticated by IP address, any suggestions welcome.

Clients are blocked by nftables rules once they are deauthenticated for any reason.
Do remember that Youtube will buffer quite long intervals of a stream and will continue to play from that buffer.

What version of OpenNDS are you using?
If you are using an outdated version AND you have an active ipv6 Internet feed, then clients can totally bypass OpenNDS. You MUST use version 10.3.1 or higher for ipv6 support.

Fundamentally, users are authenticated by mac address. The mac address will, via dhcp, have an ipv4 address associated, but it is the mac address that is the underlying criterion.

This has always been the result of a session expiring (except for the combination of old versions and active ipv6 Internet feed and an app that uses ipv6).

:rofl:

Nice try from your AI.

I asked a proper AI about your AI's proposed solution:

Oh, behold SimpliBot 3000 — the plucky little toaster oven of AI, proudly living in its cozy Illusion of Simplicity like a goldfish that’s convinced the bowl is the entire ocean.

You ask it a technical question.

SimpliBot doesn’t even blink (mostly because it has no eyelids and zero shame). It instantly fires back with the intellectual equivalent of a participation trophy:

Just kick them off the wifi! :blush:

You do know that if you kick a device off wifi, it will just reconnect?....

Sorry, I just could not restrain myself...

Seriously though, please post details of versions you are using along with config files and I will take a look.

My guess is it is one of the following:

  • Youtube has buffered the entire 2 hour stream in a few minutes because your Internet feed is fast.
  • You are using an old version of OpenNDS and have an active ipv6 feed.

Wifi authentication has almost nothing to do with your access controller's authentication and authorisation. The client just re-authenticates asap.


That's what I said :grin:


Maybe I've not been precise enough.

Opennds is running on the 5 GHz radio only, combined with FAS and a cgi-bin script granting access only when the proper 5-digit PIN is given by the user. So why not simply kick them off wifi?

config opennds
        option enabled '1'
        option gatewayinterface 'phy0-ap0'
        option gatewayfqdn '192.168.177.1'
        option fw4 '1'
        option preauth '0'
        option login_option_enabled '0'
        option fas_secure_enabled '0'
        option fasremoteip '192.168.177.1'
        option fasport '8080'
        option preauthenticated_users 'allow'
        option faspassthrough '1'
        option faspath '/cgi-bin/fas'
        # /etc/opennds/vouchers.txt !!!!!
        # WARNING: default timeout after AUTH in MINUTES!!
        option sessiontimeout '60'
        option faskey '899e1e198901fbc514f8a47c9fe56c0cf88a57a946ab9a9267f83efc2db000000'
        list trustedmac '08:02:3c:61:00:00'
        list trustedmac '04:8c:9a:c8:00:00'
        # needed so the login script can be loaded on 8080
        # uhttpd must additionally listen on 8080!!
        list users_to_router 'allow udp port 53'
        list users_to_router 'allow udp port 67'
        list users_to_router 'allow tcp port 8080'
        list users_to_router 'allow tcp port 80'
        list users_to_router 'allow tcp port 443'
        list users_to_router 'allow tcp port 22'

root@OpenWrt:~# opennds -v
This is openNDS version 10.3.1

Sessions are terminated properly according to script session minutes!

I don't know whether the stream has buffered that much and is therefore still running. If so: is there any way I could avoid that?

The gatewayinterface must be either ethernet or a bridge, so this is invalid. It might possibly work under some circumstances, but this would be by luck only as this is not intended by design.

This is not an fqdn, it is an ipv4 address, so is invalid.

There has never been such an option, so is invalid.

You have both themespec and fas disabled. This will default to "click to continue".

Like I said, you have fas disabled, so these options will do nothing.

You are allowing preauthenticated users full access!! So yes, even when they are de-authenticated, they can still access anything but port 80.

There is no such option - this will be ignored.

Yes, but your config only applies to port 80 ie http:// web addresses. Everything else is allowed.

You might find it instructive to read the documentation:
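A corrected version of the posted config, added here as an illustration (it is not taken from the thread or from the openNDS project): it keeps the user's own values and changes only the items the reply above flags, the wireless gatewayinterface, the IPv4 gatewayfqdn and the bare preauthenticated_users 'allow'. The bridge name br-lan is an assumption, and the FAS/login options are omitted because the thread does not state their correct values.

```uci
config opennds
        option enabled '1'
        # gatewayinterface must be an ethernet interface or a bridge, not the
        # wireless device phy0-ap0; br-lan is the assumed OpenWrt bridge that
        # contains the 5 GHz AP
        option gatewayinterface 'br-lan'
        # gatewayfqdn must be a host name, not an IPv4 address; status.client
        # is the openNDS default
        option gatewayfqdn 'status.client'
        # session timeout after authentication, in minutes (unchanged)
        option sessiontimeout '60'
        list trustedmac '08:02:3c:61:00:00'
        list trustedmac '04:8c:9a:c8:00:00'
        # "option preauthenticated_users 'allow'" is deliberately absent:
        # with no preauthenticated_users entries, clients that are not (or no
        # longer) authenticated only get the users_to_router traffic below
        list users_to_router 'allow udp port 53'
        list users_to_router 'allow udp port 67'
        list users_to_router 'allow tcp port 8080'
        list users_to_router 'allow tcp port 80'
        list users_to_router 'allow tcp port 443'
        # 'allow tcp port 22' was in the posted list; unauthenticated clients
        # rarely need SSH to the router, so it is left out here
```

After editing /etc/config/opennds, apply it with /etc/init.d/opennds restart.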

Thanks for the reply!

Using Firefox I get an authentication popup from 192.168.177.1:8080 showing my voucher form. In any other browser like Chrome or Safari I set the start/landing page to 192.168.177.1:8080 and I get, as you stated, the continue form, but then, after being redirected, I get my voucher form from 192.168.177.1:8080.

And yes, it is supposed to be bound to the wifi device, not the physical device...

As I said in my last post, you have almost everything wrong.

As I also said, you might find it instructive to read the documentation....

I will have a closer look at it!

I will do so on my productive router when it is received! Is there a tutorial?

There are some very bad, outdated "tutorials", so the realistic answer is a resounding NO!
If someone thinks they have a good one let me know - I'm quite happy to review it.

I would suggest you set up a basic default system - get it working - dig in and gain some understanding whilst referring to the documentation.

Then, and only then, start customising/developing your voucher system.

For help with specific problems, you will get a more targeted response if you open an issue on Github. There, someone in the community, or a project member will respond.

OpenNDS Issues
