Seeking Help: CoovaChilli on OpenWrt Not Connecting to the Internet Properly

Hello everyone,

I am a student currently learning about network management and configuration. I'm working on a project using OpenWrt and CoovaChilli to implement a fully functional authentication gateway. However, I've encountered some difficulties and am seeking help from this community.

Background Information:

  • Equipment Configuration: Using OpenWrt (22.03.04) as the router operating system, equipped with CoovaChilli (1.6) + uhttpd (IP: 192.168.163.148). Additionally, there is an Ubuntu server (IP: 192.168.163.145) running RADIUS services and a MySQL database, responsible for handling authentication.

    The tutorial I'm following: How to Build a Captive Portal with Coova Chilli and a Local Splash Page on a Raspberry Pi Running OpenWrt

  • Problem Description: The test device successfully completes CPD (Captive Portal Detection) and displays the splash page. After entering authentication information on the splash page, users can authenticate successfully through RADIUS but cannot access the internet.

  • Additional Issue: Found that the /etc/chilli/up.sh script was using iptables, which was not initially installed. After installing iptables, CPD stopped working, and it is necessary to manually enter the splash page URL in the browser to access it, but it still does not allow internet access.

/etc/chilli/ipup.sh:

iptables -I INPUT -i tun0 -p tcp -m tcp --dport 80 --dst 192.168.163.148 -j ACCEPT
iptables -I INPUT -i tun0 -p tcp -m tcp --dport 443 --dst 192.168.163.148 -j ACCEPT
iptables -I INPUT -i tun0 -p tcp -m tcp --dport 22 --dst 192.168.163.148 -j ACCEPT
iptables -I INPUT -i tun0 -p tcp -m tcp --dport 8000 --dst 192.168.163.148 -j ACCEPT
# force-add the final rule necessary to fix routing tables (Enabling NAT)
iptables -F POSTROUTING -t nat
iptables -I POSTROUTING -t nat -o eth1 -j MASQUERADE

/etc/config/chilli:

config chilli

option interval 3600
option swapoctets 1

option debug 10
######## TUN and DHCP Parameters ########

option tundev 'tun0'
option dhcpif 'br-lan'
option net 192.168.182.0/24
option lease 600
option dns1 8.8.8.8
option dns2 8.8.4.4
option ipup '/etc/chilli/up.sh'
option ipdown '/etc/chilli/down.sh'

######## Radius parameters ########

option radiusserver1 '192.168.163.145'
option radiusserver2 '127.0.0.1'
option radiusauthport 1812
#option radiusacctport 1813
option radiussecret 'testing123'
#option radiusnasid 'ap001'
#option ssid 'ACME-company'

######## Universal access method (UAM) parameters ########

option uamlisten 192.168.182.1
option uamserver 'http://192.168.163.148/hotspotlogin/hotspot-login-master/hotspotlogin.php'
option uamsecret 'uamtesting123'
option uamallowed ''
option uamdomain ''
option uamanydns 1
option uamaliasname 'login'
option nouamsuccess 1

/var/run/chilli_cfg011cfa.conf:

interval="3600"
swapoctets
tundev="tun0"
dhcpif="br-lan"
net="192.168.182.0/24"
lease="600"
dns1="8.8.8.8"
dns2="8.8.4.4"
ipup="/etc/chilli/up.sh"
ipdown="/etc/chilli/down.sh"
radiusserver1="192.168.163.145"
radiusserver2="127.0.0.1"
radiusauthport="1812"
radiussecret="testing123"
uamlisten="192.168.182.1"
uamserver="http://192.168.163.148/hotspotlogin/hotspot-login-master/hotspotlogin.php"
uamsecret="uamtesting123"
uamanydns
uamaliasname="login"
nouamsuccess

logread | grep chilli

Tue Jun 11 06:37:28 2024 daemon.info chilli[10593]: CoovaChilli shutting down
Tue Jun 11 06:37:29 2024 daemon.debug chilli[11221]: (Re)processing options [/var/run/chilli.11221.cfg.bin]
Tue Jun 11 06:37:29 2024 daemon.err chilli[11221]: chilli[11221]: (Re)processing options [/var/run/chilli.11221.cfg.bin]
Tue Jun 11 06:37:29 2024 daemon.debug chilli[11222]: running chilli_opt on /var/run/chilli.11221.cfg.bin
Tue Jun 11 06:37:29 2024 daemon.err chilli[11221]: chilli[11222]: running chilli_opt on /var/run/chilli.11221.cfg.bin
Tue Jun 11 06:37:29 2024 user.debug : PID 11222 saving options to /var/run/chilli.11221.cfg.bin
Tue Jun 11 06:37:29 2024 daemon.debug chilli[11221]: PID 11221 rereading binary file /var/run/chilli.11221.cfg.bin
Tue Jun 11 06:37:29 2024 daemon.debug chilli[11221]: PID 11221 reloaded binary options file
Tue Jun 11 06:37:29 2024 daemon.info chilli[11221]: CoovaChilli 1.6. Copyright 2002-2005 Mondru AB. Licensed under GPL. Copyright 2006-2012 David Bird (Coova Technologies). Licensed under GPL. See http://coova.github.io/ for details.
Tue Jun 11 06:37:29 2024 daemon.err chilli[11221]: chilli[11221]: PID 11221 rereading binary file /var/run/chilli.11221.cfg.bin
Tue Jun 11 06:37:29 2024 daemon.err chilli[11221]: chilli[11221]: PID 11221 reloaded binary options file
Tue Jun 11 06:37:29 2024 daemon.info chilli[11221]: TX queue length set to 100
Tue Jun 11 06:40:55 2024 daemon.info chilli[11221]: Received UAM logoff from username= IP=192.168.182.2
Tue Jun 11 06:40:57 2024 daemon.info chilli[11221]: Successful UAM login from username=test IP=192.168.182.2

chilli_query list:

00-0C-29-58-5D-F2 192.168.182.2 pass 171808801700000001 1 test 583/0 0/0 356393/0 118088/0 0 1 0%/0 0%/0 -

iptables-save:

# Generated by iptables-save v1.8.7 on Tue Jun 11 06:52:05 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Jun 11 06:52:05 2024
# Generated by iptables-save v1.8.7 on Tue Jun 11 06:52:05 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 192.168.163.148/32 -i tun0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -d 192.168.163.148/32 -i tun0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.163.148/32 -i tun0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d 192.168.163.148/32 -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i br-lan -j DROP
-A INPUT -d 192.168.182.1/32 -i tun0 -p icmp -j ACCEPT
-A INPUT -d 192.168.182.1/32 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 192.168.182.1/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 255.255.255.255/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 192.168.182.1/32 -i tun0 -p tcp -m tcp --dport 3991 -j ACCEPT
-A INPUT -d 192.168.182.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -d 192.168.182.1/32 -i tun0 -j DROP
-A FORWARD -i tun0 -o eth1 -j ACCEPT
-A FORWARD -i tun0 ! -o eth1 -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o br-lan -j DROP
-A FORWARD -i br-lan -j DROP
COMMIT
# Completed on Tue Jun 11 06:52:05 2024
# Generated by iptables-save v1.8.7 on Tue Jun 11 06:52:05 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Jun 11 06:52:05 2024
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

/etc/config/firewall:

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             'Allow-HTTPS'
        option src              'wan'
        option dest_port        '443'
        option proto            'tcp'
        option target           'ACCEPT'

config rule
        option name             'Allow-HTTP'
        option src              'wan'
        option dest_port        '80'
        option proto            'tcp'
        option target           'ACCEPT'

config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

config rule
        option name             Allow-SSH
        option src              wan
        option dest_port        22
        option proto            tcp
        option target           ACCEPT

or any other details I should provide for better assistance.

Additional Considerations:

  • Alternative Approach: I've considered using OpenNDS as a substitute for CoovaChilli, but since the school's previous setup already has a web interface based on CoovaChilli, I hope to maintain the existing web configuration. Exploring the feasibility of using OpenNDS to mimic CoovaChilli.

Requests for Assistance:

  • Any suggestions on how to resolve the issue of not being able to access the internet after CPD.
  • Has anyone encountered a situation where installing iptables caused CPD to stop working?
  • Opinions on the feasibility of using OpenNDS to replace CoovaChilli while maintaining the existing web configuration.

I greatly appreciate everyone's time and expertise. Any insights or experiences you could share would be immensely helpful to me. I have been struggling with these challenges for weeks now and hope to resolve them. Every piece of advice will be seriously considered and will substantively assist me. I look forward to hearing from you, and thank you all for your valuable time and support!
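As an added example (not from the post, the linked tutorial, CoovaChilli or OpenWrt), here is a small Python audit script that reads the two artefacts posted above, the iptables-save dump and /etc/config/firewall, and reports the three facts the dump already shows: the POSTROUTING MASQUERADE rule present three times, the "iptables-legacy tables present" warning (meaning an nft-backed and a legacy-backed rule set coexist and a packet must pass both), and that tun0, the interface chilli's rules depend on, is listed in no firewall zone, so on fw4 the `config defaults` forward policy (REJECT here) governs it. The embedded inputs are excerpts constructed from the posted output; the only assumption in the logic is the OpenWrt naming convention that bridge br-X belongs to network X. eth1 is flagged as well only because zones list networks rather than devices, and resolving it needs /etc/config/network, which the post does not include.

```python
"""Offline audit of an iptables-save dump plus an OpenWrt UCI firewall config.
Flags rules appended more than once, the mixed iptables-legacy/nft warning,
and interfaces used by rules that no firewall zone covers."""
import re
from collections import Counter

# Constructed excerpt of the posted iptables-save output (filter + nat only).
IPTABLES_SAVE = """\
*filter
:FORWARD ACCEPT [0:0]
-A INPUT -i br-lan -j DROP
-A FORWARD -i tun0 -o eth1 -j ACCEPT
-A FORWARD -i tun0 ! -o eth1 -j DROP
-A FORWARD -o br-lan -j DROP
COMMIT
*nat
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
"""

# Constructed excerpt of the posted /etc/config/firewall.
UCI_FIREWALL = """\
config defaults
        option forward          REJECT

config zone
        option name             lan
        list   network          'lan'
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option masq             1
"""

IFACE_RE = re.compile(r"(?:^|\s)-[io]\s+(\S+)")  # -i/-o <iface>, "! -o" included


def parse_iptables_save(text):
    """Return ({table: [(chain, rule body), ...]}, [warning lines])."""
    tables, warnings, table = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# Warning"):
            warnings.append(line[2:])
        elif line.startswith("*"):
            table = line[1:]
            tables[table] = []
        elif line.startswith("-A ") and table is not None:
            parts = line.split()
            tables[table].append((parts[1], " ".join(parts[2:])))
        # ':CHAIN POLICY', 'COMMIT', other comments and blank lines are skipped
    return tables, warnings


def find_duplicate_rules(tables):
    """Identical rule bodies appended to the same chain more than once."""
    return [(table, chain, body, n)
            for table, rules in tables.items()
            for (chain, body), n in Counter(rules).items() if n > 1]


def interfaces_in_rules(tables):
    """Every interface named by -i / -o in any rule."""
    found = set()
    for rules in tables.values():
        for _chain, body in rules:
            found.update(IFACE_RE.findall(body))
    return found


def parse_uci(text):
    """Minimal UCI parser: list of {'type', 'options', 'lists'} sections."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config":
            cur = {"type": parts[1], "options": {}, "lists": {}}
            sections.append(cur)
        elif cur is not None and len(parts) == 3:
            value = parts[2].strip().strip("'\"")
            if parts[0] == "option":
                cur["options"][parts[1]] = value
            elif parts[0] == "list":
                cur["lists"].setdefault(parts[1], []).append(value)
    return sections


def zone_for_interface(sections, iface):
    """Zone whose 'network' or 'device' list covers iface, else None.
    Assumption (OpenWrt convention): bridge br-X belongs to network X."""
    names = {iface, iface[3:]} if iface.startswith("br-") else {iface}
    for s in sections:
        if s["type"] == "zone":
            covered = set(s["lists"].get("network", [])) | set(s["lists"].get("device", []))
            if names & covered:
                return s["options"].get("name")
    return None


def audit(iptables_text, uci_text):
    """Summarise findings as a plain dict so callers can assert on them."""
    tables, warnings = parse_iptables_save(iptables_text)
    sections = parse_uci(uci_text)
    defaults = next((s["options"] for s in sections if s["type"] == "defaults"), {})
    unzoned = sorted(i for i in interfaces_in_rules(tables)
                     if zone_for_interface(sections, i) is None)
    return {"duplicate_rules": find_duplicate_rules(tables),
            "legacy_tables_warning": any("iptables-legacy" in w for w in warnings),
            "unzoned_interfaces": unzoned,
            "default_forward": defaults.get("forward")}


if __name__ == "__main__":
    report = audit(IPTABLES_SAVE, UCI_FIREWALL)
    for table, chain, body, n in report["duplicate_rules"]:
        print(f"duplicate x{n}: {table}/{chain} {body}")
    if report["legacy_tables_warning"]:
        print("legacy and nft tables coexist: a packet must pass both rule sets")
    for iface in report["unzoned_interfaces"]:
        print(f"{iface}: no zone lists it; defaults forward={report['default_forward']} applies")
```

Run it as-is to see the findings for the posted excerpts; to audit a live box, replace the two constants with the output of `iptables-save` and the contents of `/etc/config/firewall`. A duplicated MASQUERADE rule is harmless on its own but shows the ipup script ran more than once, and an interface outside every zone is the first thing to check when traffic authenticates but never reaches the WAN.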

Is the project the functionality, or the software?

you should really drop Coova, and go for OpenNDS - CoovaChilli Random Failures: Manual Restarts Required - #3 by bluewavenet


Strictly speaking a feature, but the project relies on using CoovaChilli to run web pages on an AWS web server that previous students and schools have set up. They don't want to change the content on the web server. Unless OpenNDS can run these web pages (which I think might be difficult), I'm also considering using OpenNDS...