WiFi Captive Portal Detection Program


#1

Background

When you connect to a WiFi network, e.g. in hotels or in public places, there will generally be a captive portal page asking you for authorization information. If you don't get authorized in the portal page, you will not be able to use the Internet.

When you use a WiFi router to connect to such networks, there are more things to deal with in order to let the portal page pop up correctly. You need to:

  • Disable all VPN connections in the router.
  • Disable DNS rebind protection. This is generally true but not for all portals.
  • Disable DNS encryption. In GL.iNet routers there is Cloudflare DNS.

But if you use the router to protect your data privacy, when you do the above, your data will be leaked.

This program is used to solve this problem by manipulating the firewall without disabling your VPN and DNS protection manually while not leaking your data.

How it works

The program tries to detect if there is any WiFi portal page. If there is, it will allow the portal page to pass the firewall and DNS encryption so that it will pop up in your client device connected to the router. After you authorize via the portal, the firewall policy will be restored.

The source code is here

While discussion from GL is here

I am not sure how this works in a generic OpenWrt build but I assume it should, maybe with minor modifications.
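
An added example, not part of any post in this thread and not the portal-detection project's code: one way a detector can classify a connectivity probe and extract the single portal host that needs a temporary firewall/DNS exception. It assumes a plain-HTTP probe endpoint that answers 204 when the Internet is reachable; all function names and sample responses are hypothetical or constructed.

```shell
#!/bin/sh
# Added example. Assumption: the probe is a plain-HTTP GET to an endpoint
# that returns "204 No Content" when online. All names are hypothetical.

# Constructed sample responses (headers only).
RESP_OPEN='HTTP/1.1 204 No Content
Content-Length: 0'
RESP_PORTAL='HTTP/1.1 302 Found
Location: http://portal.hotel.example:8080/login?mac=aa:bb
Content-Length: 0'
RESP_REWRITE='HTTP/1.1 200 OK
Content-Type: text/html'
RESP_BAD='HTTP/1.1 302 Found
Location: http://portal;x.example/'

# Print the Location header value (any header-name case), CR stripped.
location_of() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:[[:space:]]*//p' | head -n 1
}

# Print the host of a URL; fail if it holds unexpected characters, because
# the value comes from the untrusted hotspot and would end up in rules.
host_of() {
    h=${1#*://}        # drop scheme
    h=${h%%[/?]*}      # drop path and query
    h=${h##*@}         # drop userinfo
    case $h in
        \[*) h=${h#\[}; h=${h%%\]*} ;;   # bracketed IPv6 literal
        *)   h=${h%%:*} ;;               # drop port
    esac
    case $h in
        ''|*[!A-Za-z0-9.:-]*) return 1 ;;
    esac
    printf '%s\n' "$h"
}

# classify_probe RESPONSE -> open | offline | portal <host> | portal unknown
classify_probe() {
    status=$(printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p')
    case $status in
        '')  echo offline ;;
        204) echo open ;;
        30[12378])
            host=$(host_of "$(location_of "$1")") && echo "portal $host" ||
                echo "portal unknown" ;;
        *)   echo "portal unknown" ;;
    esac
}
```

Only a `portal <host>` result gives a name that can be exempted on its own; `portal unknown` means a portal is likely present but no host was validated, so nothing should be opened automatically.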


#2

There is a project around here called "travelmate" that also tried to solve the same issues; they will probably be interested in hearing about this.


#3

Thanks for the info. I just checked travelmate. It is great and uses pure shell script.

TravelMate = GL.iNet Repeater manager + Portal detection

GL.iNet repeater manager is written in C and not open source now.

GL.iNet portal detection is using pure script and is open source. The difference is that GL.iNet Portal Detection tries to detect the captive portal and change VPN and DNS policies without leaking data. So the aim is not exactly the same.


#4

I cautiously question the DNS part of the functionality of this approach. It is not unusual to have something like OpenDNS with filtering on public hotspots, to allow access for minors, too. Bypassing it might open the gate for "legal discussions".
To prevent it, hotspot owners might try to prohibit your functionality.
Better to use mobile data service.


#5

Hi, reinerotto
In the DNS part, we made some changes to use the DNS server provided by owners when accessing the authentication page.


#6

Hi,

I dealt with the use of Shadowsocks; the patch was submitted at https://github.com/gl-inet/portal-detection/commit/f465088c498d1b555629f6428a272b88ef154a3b


#7

Regarding rebind protection I've implemented a similar approach in travelmate 1.3.6 with this PR: https://github.com/openwrt/packages/pull/8275


#8

Good job. It would be nice if you could handle VPNs, such as OpenVPN and WireGuard, and secure your data.


#9

Hi,

I added the LuCI configuration page; the configuration path is Admin-->network-->portal-detect. The patch is at https://github.com/gl-inet/portal-detection/commit/e48d1686c31b22b7e1fcb233bfc4bcea0bbc8de4