Opennds splash screens and captive portal

I have a Raspberry Pi 3 that I have installed the latest OpenWrt on and configured as an AP. It's connected to the LAN port of my wireless fiber router by an Ethernet cable and has a static IP address. The guest wifi AP it creates shows up, I can connect to it and enter the SSID password and get internet access, but the splash screen for Opennds never shows up (even with a minimal /etc/config/opennds config file). LuCI is only available on https so I am assuming it's running on port 443 and not hogging port 80. Opennds gatewayinterface is br-lan.

I was under the impression that '-' are not valid in uci configurations.

My first question is, do I really need to install dnsmasq-full to get opennds to work? I am getting conflicting answers.

Do I really need a SECOND Ethernet port (USB) on my Raspberry Pi for WAN? I don't think so, as my internet feed is clearly coming through br-lan and being sent to my wireless AP, so opennds should be looking for http access there? I've run level 3 debugging on opennds and see nothing out of the ordinary except a single uci invalid argument on install and running.

root@JDTRouter:~# apk add opennds
(1/2) Installing libmicrohttpd-no-ssl (1.0.2-r1)
Executing libmicrohttpd-no-ssl-1.0.2-r1.post-install
(2/2) Installing opennds (10.3.1-r2)
Installing file to etc/config/opennds.apk-new
Executing opennds-10.3.1-r2.post-install

  • uci: Invalid argument
  • This is openNDS version 10.3.1

There's a clue in the fact that I cannot install packages with opennds running. Maybe I am just missing an opennds firewall rule?

Any things to check would be appreciated. I would consider myself a reasonably competent user but after three days of trying many things I've decided to reach out for help.

That is your problem. OpenNDS requires to be run on a ROUTER.
To quote the documentation:

It provides a border control gateway between a public local area network and the Internet.

and:

Prerequisites

openNDS is designed to run on a device configured as an IPv4 router and will have at least two network interfaces:

A WAN interface (Wide Area Network). This interface must be connected to an Internet feed:

  • Either an ISP CPE (Internet Service Provider Customer Premises Equipment)
  • Or another router, such as the venue ADSL router.
  • It must be configured as a DHCP client, obtaining its IPv4 address and DNS server from the connected network.

A LAN interface (Local Area Network). This interface MUST be configured to:

  • Provide the Default IPv4 gateway in a private IPv4 subnet that is different to any private subnets between it and the ISP CPE
  • Provide DHCP services to connected clients
  • Provide DNS services to connected clients
  • Provide Network Address Translation (NAT) for all outgoing traffic directed to the WAN interface.

If an improper routing configuration is detected, openNDS will shut down.

If you want blocklists/walledgarden support, you need dnsmasq-full.

If you don't, or don't know what blocklists/walledgarden do, then the default dnsmasq is just fine.

Yes.
Alternatively you can use a managed switch and complex vlans, but that is asking for trouble unless you really know what you are doing. A usb dongle is pennies compared to the managed switch and the hair tearing setting it up would involve.

No, you need to start again with a router config.

Seriously though, get a cheap OpenWrt supported plastic router and use that.
The RPi (any model) is not really suitable for this use case.
For someone deeply interested and knowledgeable in OpenWrt, trying to use an RPi as a base is a challenge, only of any use as a "weird fun project".

1 Like

I don’t use openNDS, so the rest of this post is speculation. It might help, it might lead you to a “eureka” moment, or it might be a red herring.

It seems that the prime requirement for openNDS is two layer 3 subnets, not one.

It also seems that you’ve got your Pi’s wireless interface bridged to the Ethernet interface, presenting a single logical layer 3 interface. It seems there is no other layer 3 interface in your current configuration.

So here’s a suggestion: take the wireless interface out of the bridge and configure it as a discrete layer 3 interface with an address in a different subnet. In addition, follow the rest of the openNDS guidance regarding DNS, DHCP, and (possibly) NAT.

1 Like

The requirement is actually ipv4 routing with nat from lan to wan. So lan must have a different ipv4 subnet to wan as well as running dhcp and dns (aka dnsmasq).
Wan will normally be a dhcp client of something upstream.
This is the OpenWrt default.

1 Like

That is correct.

1 Like

Sorry, I wasn't asking, I was stating that OpenNDS expects what OpenWrt normally provides by default.

Is the OpenWrt default for an RPi an AP, rather than a router?
Possibly, because the wireless is usually disabled on first boot and that would make access via network a bit difficult as it would be blocked by the firewall.

If the OP REALLY wants to configure his RPi as a router, he can, but it is not a good choice for this use case.

1 Like

Depends what hardware the OP has to hand, can scrounge up, or can afford. If the Pi is all that’s available, then the question of suitability becomes moot.

Regardless, the Pi does have both Wi-Fi and Ethernet capability so, on the face of it, it ought to be possible to turn it into a router. If it works, it works, and the OP can then in future take the knowledge acquired from bending the Pi into submission and use it on a device more suitable for the purpose.

Part of the fun of stuff like this is exploring edge cases, and working with sub-optimal scenarios. That’s how learning happens.

If I could remember where my own Pi 3 was buried I’d consider fishing it out and tinkering with the OP’s problem for the heck of it.

1 Like

Yes, as a fun hobby project, or as a set academic task it can be fun, but the very poor network i/o options mean it will never be a practical usable solution.

The OP has not indicated his use case. It is sensible for us to make sure he is not wasting his time if it is something other than a learning experience.

He will genuinely be better off buying a cheap plastic router, even second hand, and jumping in to OpenWrt to get up to speed and keep his RPi for other projects for which it will be more ideally suited.

To be clear, I am the author/maintainer of OpenNDS, and many times I have seen people trying to use a RPi as a router, often as their first networking project, so my earlier comment comes from trying to help those trying this:

I am using a R-Pi 3. I figured I could use eth0 for my WAN access by plugging it in to my ISP router and use the WIFI as my LAN but I guess this is not the case. I have a USB->Ethernet dongle I can use to mess around with while I wait for my "cheap plastic WIFI router" to arrive which has OpenWrt preinstalled.

There's no such thing. Did you buy something used?
It would be the only explanation.

1 Like

Yes it was used. The seller seems to have a bunch of them.

I can't find any device with a matching/similar name in https://firmware-selector.openwrt.org/?version=SNAPSHOT.
I would cancel the order, if possible.
Don't trust any listings claiming their devices come with OpenWRT preinstalled.

Same conclusion over at Immortal - https://github.com/immortalwrt/immortalwrt/discussions/2044.

Thanks for letting me know. After I read your message I got in touch with the seller and asked him to confirm that the router was running OpenWRT and he sent me the following screen shots. I do have full buyers protection on this platform and the seller has good feedback so I will go ahead and will let you know what I find out. Thanks for raising the flag though, that's good.





Immortalwrt <> OpenWRT, and they (Immortal) didn't acknowledge the device.

There's no guarantee you'll be able to install opennds on it, and if you do, that it'll actually work.

1 Like

I will certainly let you know. I have another use for the router regardless.

And those screenshots show that indeed it is NOT pre-installed with OpenWrt.

It will be based on an old version of OpenWrt that they "forked" then modified for their own use.
Many manufacturers do this. But they will usually be stuck with the basics of that forked version of OpenWrt.

This means, of course, even if OpenNDS is available in THEIR package feeds, it will be the version that was current at the time of the fork.
But there is no guarantee that it will be in the package feeds.

You could try to compile OpenNDS yourself, but it will probably be incompatible with that old fork - who knows.

Just buy a router that is in the official table of hardware for OpenWrt and you will have no problems. TP-Link, GL.iNet, etc., one of the well known manufacturers.

1 Like

First, some good news. Can you use a Raspberry Pi 3 (or other device with one Ethernet port and one Wi-Fi radio) to run a captive portal using openNDS? Absolutely. It’s trivially easy to do. I’ve done it, and I’ll describe how to do so here.

Now the bad news. Should you do so? Your experience may vary. @bluewavenet‘s point about hardware power and capabilities is a valid one. While it will work, if your hardware is low-powered then the performance may not be as good as you desire. I certainly experienced sluggish response when using my test equipment (see the next paragraph), and if I was going to deploy openNDS in production I’d use something much beefier to host it.

I can’t find my Raspberry Pi 3, but I do have something with equivalent connectivity (1x Ethernet, 1x Wi-Fi): a VoCore2 Ultimate. It’s a cracking little device which has lived in my kit bag for 10 years. It’s currently running OpenWRT 25.12.2.

After installing and configuring openNDS with the right interface name, this is what I saw when I connected my laptop to the SSID broadcast by the VoCore2:

The VoCore2’s configuration is thus:

  • Ethernet - WAN interface, WAN firewall zone, DHCP client
  • Wi-Fi - radio interface configured as AP, LAN firewall zone, DHCP server

NOTE: the rest of this post shows how openNDS can be installed and configured in one deployment scenario. It is not a guaranteed recipe for every scenario; the reader is expected to be able to understand the configuration files and concepts and translate them for other deployment scenarios. In addition, this post does not discuss more advanced openNDS configuration such as authentication; this post is solely about how to get openNDS working on a device with 1x Ethernet port and 1x Wi-Fi radio.

Here are the contents of the configuration files:

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'wan'
        option device 'eth0.1'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 2 6t'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'openwrt'
        option encryption 'psk2'
        option key 'password'

/etc/config/opennds contains the interface name shown in the output of ifconfig:

config opennds
        option enabled 1
        option gatewayinterface 'phy0-ap0'

So there you go. As indicated at the start of this post, you absolutely can use a low-powered device with limited connectivity to host an instance of openNDS... as long as you're willing to tinker and willing to put up with potentially sub-optimal performance.
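The routing prerequisite this thread turns on, as an added example that is not part of any post here and is not openNDS code: a preflight that fails when the gateway interface has no separate WAN behind it, or when the LAN and WAN subnets overlap. In either case the portal is not in the clients' path, which is why the original poster got internet access without ever seeing a splash page. The function names and the sample addresses are assumptions constructed for illustration; the interface names in the last comment are the ones from the configuration above.

```shell
#!/bin/sh
# Added example (not openNDS code): preflight for the routed layout openNDS expects.

# Dotted-quad IPv4 -> 32-bit integer (subshell body keeps the IFS change local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# Network address (as integer) of an address/prefix pair such as 192.168.2.1/24.
net_of() {
    addr=${1%/*}; bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    echo $(( $(ip2int "$addr") & mask ))
}

# True (0) when two address/prefix pairs share address space:
# compare both network addresses under the shorter of the two prefixes.
subnets_overlap() {
    min=${1#*/}
    if [ "${2#*/}" -lt "$min" ]; then min=${2#*/}; fi
    [ "$(net_of "${1%/*}/$min")" -eq "$(net_of "${2%/*}/$min")" ]
}

# First IPv4 address/prefix on an interface, empty if none (live router only).
iface_cidr() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4; exit}'
}

# $1 = gateway interface address/prefix, $2 = WAN address/prefix ("" if absent).
# Returns 0 when clients must route through this device, 1 otherwise.
nds_preflight() {
    lan=$1; wan=$2
    if [ -z "$lan" ]; then echo "FAIL: gateway interface has no IPv4 address"; return 1; fi
    if [ -z "$wan" ]; then
        echo "FAIL: no WAN address; a bridged AP hands clients to the upstream router"
        return 1
    fi
    if subnets_overlap "$lan" "$wan"; then echo "FAIL: LAN $lan overlaps WAN $wan"; return 1; fi
    echo "OK: LAN $lan is routed to WAN $wan"
}

# Constructed samples: bridged AP, routed layout, overlapping subnets.
nds_preflight "192.168.1.20/24" "" || true
nds_preflight "192.168.2.1/24" "192.168.1.50/24" || true
nds_preflight "192.168.1.1/24" "192.168.0.10/16" || true
# On the router from the post: nds_preflight "$(iface_cidr phy0-ap0)" "$(iface_cidr eth0.1)"
```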

Well done. The VoCore2 Ultimate though is a router with a Mediatek 7628, designed as a router, yes quite old but nevertheless quite capable, hardware supporting >30 users connected by wireless. It is very similar to the gl-mt300n-v2 but with one ethernet port left out to keep the price down.
Somewhat different to an RPi with its built in wireless designed with only wifi station use (STA) in mind.

No.
One big problem with Rpi models in particular is that most owners bought them originally for general programming/development work or for academic use - the primary target user.

Configuring an Rpi as a router is a more advanced task, above the usual knowledge base of this primary user base. There is nothing particularly wrong with that for the person wanting to expand their knowledge, perhaps except the inevitable frustrations that will occur as huge gaps in knowledge are revealed.
There is also of course the Dunning-Kruger effect that leads some people to refuse to accept they have such a knowledge gap - much more common than you might expect.

For tinkering fun, by all means.

You have obviously had fun tinkering and yes of course it works, at least it does with OpenNDS v10.x.x for the config you ended up with - simple when you know how, but notably, you are doing this on what is actually dedicated Travel Router hardware, so of course, even though it is quite old and slow, it works just fine. (see my note about v11).

For anything serious, don't even think about using an RPi.
I have had some people comment "I'll just try it out on my RPi to get up to speed on how it works, then buy a router to implement my production system."

No, just no, they struggle to get it working even in the simplest way, then can't understand why what they just developed cannot be simply transferred to a "proper" router hardware.

One final point:

From OpenNDS v11 onwards, if gatewayinterface is detected as a wireless vif, the daemon will refuse to start.

It is excellent that you have taken the time to do this, and good that you would post it here.

But for anyone reading this - don't try to use a standard RPi class development board for any serious captive portal use. It is just a waste of an otherwise fairly useful general purpose project device.

Had one of those for several years as well. Even used it once to get around an awkward routing issue in the test lab at work. A colleague was so impressed with the little yellow box that he bought one.

1 Like