vrish
July 23, 2021, 4:37am
#1
Hello,
This is my first post on this forum but I have been using OpenWRT for 4 years now. Before that, I was using dd-wrt for a few years.
I'm trying to understand the best way to have a custom webpage that displays something along the lines of 'You don't have access to the internet because it's your homework time' when internet is blocked for my kids.
Currently, all they get is the standard 'webpage failed to load' from their browser.
My assumption is that I would have to set up a web server separately and display a standard HTML page when traffic is blocked.
Has anyone done this? Any thoughts on how I could go about implementing this?
It can't be done for https connections and those are now 90% of all connections.
Disclaimer: if you install fake certificates on your kids' devices it could be done, but it's quite complicated and a huge security risk.
2 Likes
The most similar thing to what you need is a "captive portal".
1 Like
Not easily, but it can…
AdGuard has a MITM proxy project which uses the same rules as their Android blocker… and could be expanded!
I have built it and I am already testing it…
It needs a certificate added on each client, and clients forced to browse through the proxy.
But it works
opened 01:09PM - 13 Jul 21 UTC
closed 05:09PM - 13 Jul 21 UTC
```
2021/07/13 13:04:01 [error] id=100260-1: failed to handshake with the client: remote error: tls: bad certificate
```
Built with:
```
git clone https://github.com/AdguardTeam/urlfilter
cd urlfilter/cmd
go build -o adguard
```
Certificate generation with:
```
root@ultra:~/AdGuard# opkg install openssl-util
root@ultra:~/AdGuard# openssl genrsa -out root.key 2048
root@ultra:~/AdGuard# openssl req -new -x509 -key root.key -out root.crt
```
I have added root.crt in Firefox...
```
curl http://filters.adtidy.org/extension/android-content-blocker/filters/2.txt > adguard_base.txt
curl http://filters.adtidy.org/extension/android-content-blocker/filters/3.txt > adguard_tracking_protection.txt
curl http://filters.adtidy.org/extension/android-content-blocker/filters/4.txt > adguard_social.txt
```
Started with:
```
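# A space is needed before each trailing backslash; otherwise the shell
# joins the arguments together (e.g. "8080-c").
./adguard -l 0.0.0.0 -p 8080 \
  -c root.crt \
  -k root.key \
  -f adguard_base.txt \
  -f adguard_tracking_protection.txt \
  -f adguard_social.txt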
```
...
```
2021/07/13 12:45:49 [info] starting proxy
2021/07/13 12:45:56 [info] Initializing the proxy server:
Listen addr: 0.0.0.0:8080
MITM status: true
Run as HTTPS proxy: false
API host: adguard
Filter lists: 3
0: adguard_base.txt
1: adguard_tracking_protection.txt
2: adguard_social.txt
2021/07/13 12:45:56 [info] start listening to [::]:8080
```
But I get errors:
```
2021/07/13 13:04:27 [error] id=100275-1: failed to handshake with the client: remote error: tls: bad certificate
2021/07/13 13:04:31 [error] id=100278-1: failed to handshake with the client: remote error: tls: bad certificate
2021/07/13 13:04:33 [error] id=100279-1: failed to handshake with the client: remote error: tls: bad certificate
```
And my surfing is still very 'incomplete'!
I also installed https://github.com/FelisCatus/SwitchyOmega in Firefox.
I configured the IP:8080 for all protocols (HTTP/HTTPS...)
Then I tried YouTube...
With partial success; I get access but no video, and some more errors:
```
2021/07/13 13:01:10 [error] id=100150-1: failed to handshake with the client: remote error: tls: bad certificate
2021/07/13 13:01:12 [error] id=100146-1-1-1: failed to round trip: x509: certificate is not valid for any names, but wanted to match r5---sn-h5q7knel.googlevideo.com
2021/07/13 13:01:12 [info] id=100146-1-1-1: adding r5---sn-h5q7knel.googlevideo.com to invalid TLS hosts due to: x509: certificate is not valid for any names, but wanted to match r5---sn-h5q7knel.googlevideo.com
2021/07/13 13:01:12 [error] id=100147-1-1-1: failed to round trip: x509: certificate is not valid for any names, but wanted to match r5---sn-h5q7knel.googlevideo.com
2021/07/13 13:01:12 [info] id=100147-1-1-1: adding r5---sn-h5q7knel.googlevideo.com to invalid TLS hosts due to: x509: certificate is not valid for any names, but wanted to match r5---sn-h5q7knel.googlevideo.com
2021/07/13 13:01:16 [error] id=100156-1: failed to handshake with the client: remote error: tls: bad certificate
```
It is still a work in progress to be included in the main AdGuardHome:
opened 01:45PM - 03 Dec 19 UTC
P2: High
enhancement
We're going to add the proxy module in v0.102:
https://github.com/AdguardTeam/AdGuardHome/issues/391
Here's the necessary minimum that should be configurable:
* Enable/disable
* Filter lists (consider extending `/#filters`)
* Certificate (we should generate it by ourselves, we should allow users to download this cert)
* Port, network interface
* Proxy authentication
* Proxy types: HTTP, HTTP over TLS
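The two points made in the replies above (a block page cannot be shown on HTTPS, and a MITM proxy only works once its certificate is added on each client) can be reproduced with Go's TLS stack. This is an added example, not code from the thread or from AdGuard's urlfilter; the names `router.lan` and `example.com`, the helper functions and the throwaway certificates are assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failure, not part of the demonstration
	}
	return v
}

// selfSigned builds a throwaway (constructed) certificate valid only for name.
func selfSigned(name string) (tls.Certificate, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, must(x509.ParseCertificate(der))
}

// Handshake returns (client error, box error) when a client asking for wanted is shown a cert for certName.
func Handshake(certName, wanted string, installed bool) (error, error) {
	cert, leaf := selfSigned(certName)
	roots := x509.NewCertPool() // empty: the client trusts nothing extra
	if installed {
		roots.AddCert(leaf) // the "add a certificate on each client" step
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	c, s := must(net.Dial("tcp", ln.Addr().String())), must(ln.Accept())
	defer func() { c.Close(); s.Close(); ln.Close() }()
	box := make(chan error, 1)
	go func() { box <- tls.Server(s, &tls.Config{Certificates: []tls.Certificate{cert}}).Handshake() }()
	clientErr := tls.Client(c, &tls.Config{RootCAs: roots, ServerName: wanted}).Handshake()
	return clientErr, <-box
}

func main() {
	fmt.Println(Handshake("router.lan", "example.com", true))   // block page under the router's own name
	fmt.Println(Handshake("example.com", "example.com", false)) // forged name, nothing installed
	fmt.Println(Handshake("example.com", "example.com", true))  // forged name, certificate installed
}
```

When the client rejects the certificate, the intercepting side gets `remote error: tls: bad certificate` from Go's client; browsers may send a different alert.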
vrish
July 26, 2021, 1:47pm
#5
I thought of going the route of adding a self-signed cert and forcing all my traffic through a proxy.
I agree with @dlakelan. Not only is it too much work, but it's also a security risk.
I like the idea of the captive portal by @eduperez but I think it's overkill for my small home network of 10-15 devices.
Any other solutions are appreciated.
For now, I think my blanket refusal to allow internet access during homework time should hopefully suffice!