OpenWrt Forum Archive

Topic: Mini HOW TO captive portal with social login (Wifidog+authpuppy)

The content of this topic has been archived on 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi

I've managed to have a captive portal allowing users to sign in using their Facebook social login; this wouldn't be possible without the help of many users of this forum who helped me at some points.

I've decided to write this mini how-to in return and as a resource for anyone who wants to do something similar.

I'm not going to get into detail because for most of the actions required, there's plenty of documentation about it.
But I will describe the parts I found by trial and error (the wifidog and authpuppy documentation is not quite clear).

For this I've used a TP-Link TL-WA701ND V2.

1. Flash the router

This is very straightforward: you access the web administration interface of the router and do the flashing using the image at this link https://yadi.sk/d/n-Y5sXuXJLGLE

I didn't have any trouble at this point.
After flashing you have to re-enable the wireless interface.

2.- Configure as Routed AP.
Configure the device to work as a routed AP. I've followed this tutorial: http://wiki.openwrt.org/doc/recipes/routedap
But I've changed this:
* Delete the bridge interface
* Create an ethernet interface and a wireless interface
* For the ethernet interface, use DHCP to get the IP
* For the wireless interface, fix the IP of the interface to 192.168.2.1 and configure DHCP to provide IPs in that range to the stations.

Once you have the AP working and stations are able to connect and browse the internet, we can continue.

3.- Install wifidog
You can follow this tutorial
http://wiki.openwrt.org/doc/howto/wirel … .wifidog?s[]=wifidog

4. Install authpuppy in your server

This is a little bit tricky. First of all, you need a server to run authpuppy; I've used a Rackspace server with 1 CPU and 1 GB RAM with CentOS and LAMP ($15 a month).
Download the authpuppy sources and then upload the files to your server. Put the Symfony config files outside your www folder and put the authpuppy files inside the www folder, otherwise authpuppy could throw some errors. Take into consideration having a MySQL database ready with a user with all privileges.

5. Configure authpuppy.
Once you have installed authpuppy, create a new node.
Install the CMS and Webservices plugins https://code.launchpad.net/~alliancecsf … vicePlugin

6.- Configure your wifidog.conf
On your router, configure your wifidog.conf to indicate the address of your authpuppy server; you can easily find where to indicate the URL or IP.
You should also configure the name of the wifi interface, in my case wlan0.

Reboot your router and test it.
Once you are connected to the wireless network, you should see the authpuppy login screen. Create an account and after that you should be able to navigate freely.
With this you have the base; now we need to do some tweaks to use FB as authenticator.

7.- Allow the FB set of IPs in wifidog.conf
As we need to connect to Facebook for the social login, we need to whitelist the IPs of Facebook.
You should include this in the global firewall rules of wifidog.conf.

FirewallRule allow to 31.13.24.0/21
FirewallRule allow to 31.13.64.0/18
FirewallRule allow to 66.220.144.0/20
FirewallRule allow to 69.63.176.0/20
FirewallRule allow to 69.171.224.0/19
FirewallRule allow to 74.119.76.0/22
FirewallRule allow to 103.4.96.0/22
FirewallRule allow to 173.252.64.0/18
FirewallRule allow to 204.15.20.0/22

You should also add the URL of the server where you are gonna host the splash page (if different from the IP of the authpuppy server).

You also have to open the IPs used by Facebook to host the static content, but these IPs change from location to location because they are hosted with Akamai. To bypass this I've used rc.local to execute these iptables commands:

iptables -t nat -A WiFiDog_wlan0_Global -d fbstatic-a.akamaihd.net -j ACCEPT
iptables -t filter -A WiFiDog_wlan0_Global -d fbstatic-a.akamaihd.net -j ACCEPT
iptables -t nat -A WiFiDog_wlan0_Global -d s-static.ak.facebook.com -j ACCEPT
iptables -t filter -A WiFiDog_wlan0_Global -d s-static.ak.facebook.com -j ACCEPT
iptables -t nat -A WiFiDog_wlan0_Global -d connect.facebook.net -j ACCEPT
iptables -t filter -A WiFiDog_wlan0_Global -d connect.facebook.net -j ACCEPT

Then I've used cron jobs to execute these commands every 20 min, because in some cases Akamai switches IPs during the day depending on traffic and load; running those commands makes iptables resolve and update the IP of the URL indicated in the command.

8. Configure the cms plugin in authpuppy

Log in to your authpuppy and, in the configuration of the CMS plugin, indicate the URL of your welcome page and, if it's the case, the URL users see after validation. It's important that you pass the %getparameters%?%originurl% in the URL, otherwise you couldn't develop the authentication script customized for your intentions.

9. Develop the welcome page and the validation page.
In the welcome page I've used the PHP SDK of Facebook to create the login URL for the social login.
Once the user has authorized my app and I am able to get their info, I've manually created the user in the ap_users table used by authpuppy. For the password I've used a fixed value of 6Afx/PgtEy+bsBjKZzihnw== (encryption of 1234567890) and for the username the mail of the user; the validation token could be any string with a random hex value of 40 chars.

Once you have created the user in the table, you need to create an access token for wifidog so the users can navigate the internet; for that you use the web service plugin of authpuppy.
You need to invoke this URL:

http://YOURURL/ws/?action=auth&authenticator=apAuthLocalUser&submit[apAuthLocalUserconnect]=Connect&apAuthLocalUser[username]=$correo&apAuthLocalUser[password]=1234567890&gw_id=$gw_id&gw_address=$gw_address&gw_port=$gw_port

The gw id, gw address and gw port are the values you get from the GET parameters that wifidog sends to your welcome page.

This URL will return a JSON with the token and a URL; use this URL to redirect the user (it is an internal URL of the router with some parameters to authenticate the user inside the router and open the navigation).

After this wifidog will redirect the user to the validation page you configured in the CMS plugin.

I'm not an expert, so possibly I couldn't answer any specific problem you could find depending on your hardware, but for sure following these steps you could have a captive portal up and running.

I'll try to use chillispot in the following days, maybe it's easier; I'll let you know.
Thanks
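
The fixed value quoted in step 9 is the base64 of the raw MD5 digest of 1234567890, and a password that is the same for every account protects none of them. The following is an added example, not code from the original post: it generates a fresh random password and validation token for each login and percent-encodes the web-service request. It assumes the welcome page writes the new hash to ap_users before calling the web service; portal.example, the sample e-mail address and gw1 are constructed values.

```sh
#!/bin/sh
# Added example, not code from the thread: per-login credentials for step 9
# instead of one fixed password shared by every account.

# base64 of the raw MD5 digest of $1. This reproduces the stored value quoted
# in the post for "1234567890"; that the column uses this format for other
# passwords is an assumption drawn from that single value.
stored_hash() {
    printf '%s' "$1" | md5sum | cut -c1-32 | fold -w2 |
    while read -r byte; do
        printf "\\$(printf '%03o' "0x$byte")"    # hex pair -> one raw byte
    done | base64
}

# $1 bytes from the kernel CSPRNG, printed as 2*$1 hex characters.
random_hex() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Percent-encode every byte of $1, so '@', '+' or '&' in an e-mail address
# cannot change the meaning of the query string.
urlencode() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n' | sed 's/../%&/g'
}

# Web-service request from step 9.
# $1=base URL $2=e-mail $3=password $4=gw_id $5=gw_address $6=gw_port
auth_url() {
    printf '%s/ws/?action=auth&authenticator=apAuthLocalUser' "$1"
    printf '&submit[apAuthLocalUserconnect]=Connect'
    printf '&apAuthLocalUser[username]=%s' "$(urlencode "$2")"
    printf '&apAuthLocalUser[password]=%s' "$(urlencode "$3")"
    printf '&gw_id=%s&gw_address=%s&gw_port=%s\n' \
        "$(urlencode "$4")" "$(urlencode "$5")" "$(urlencode "$6")"
}

# Demo with constructed values (portal.example, user@example.com, gw1).
if [ "${1:-}" = demo ]; then
    pw=$(random_hex 16)                 # new 128-bit password for this login
    echo "hash to store:    $(stored_hash "$pw")"
    echo "validation token: $(random_hex 20)"   # 40 hex chars, as in the post
    auth_url "https://portal.example" "user@example.com" "$pw" gw1 192.168.2.1 2060
fi
```

Run it with the argument demo to print one set of values; the request carries the password in the query string, so it belongs on HTTPS or on the server's loopback interface.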

kavastudios wrote:

I'll try to use chillispot in the following days, maybe it's easier, i'll let you know.

You should try coova-chilli instead (which is actively maintained and reported to scale quite well, e.g. at the UBNT forum there are reports of 100s APs and 14K users/day), although I'm not sure how easy a task it would be to try to fit CC on a 4MB device like the TL-WA701ND ...

As I mentioned before, the caveat with the above is it allows all users free access to the whole of Facebook without ever having to log in at all.

Secondly, if you're going to re-fetch akamai's DNS entries instead of every 20 minutes you should really be doing it according to the DNS TTL value. And no, they don't "change" throughout the day, they just resolve to numerous different addresses.

(Last edited by qasdfdsaq on 21 Jun 2014, 23:54)
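
An added example (not code from the thread) of the refresh job from step 7. Running the -A commands from cron appends another copy of the rules each time and never removes addresses that are no longer returned, so this version rebuilds a private chain instead. FB_Static is a hypothetical chain name; the schedule is still whatever cron uses, and the TTL-based interval suggested above is not implemented.

```sh
#!/bin/sh
# Added example, not code from the thread. FB_Static is a hypothetical chain
# name; the parent chain and the host names are the ones used in the post.
PARENT=WiFiDog_wlan0_Global
SUB=FB_Static
HOSTS="fbstatic-a.akamaihd.net s-static.ak.facebook.com connect.facebook.net"

# Read nslookup output on stdin and print the unique IPv4 answers. Lines
# before the first "Name:" describe the resolver itself and are skipped.
answers() {
    awk '/^Name:/ { seen = 1; next }
         seen && /^Address/ {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $i
         }' | sort -u
}

# Print the commands that rebuild chain $SUB in table $1 from addresses $2...
# Only the private chain is flushed, so the rules wifidog wrote into $PARENT
# are untouched and repeated runs leave no duplicate or stale entries.
rules() {
    table=$1; shift
    echo "iptables -t $table -N $SUB 2>/dev/null"
    echo "iptables -t $table -F $SUB"
    for ip in "$@"; do
        echo "iptables -t $table -A $SUB -d $ip -j ACCEPT"
    done
    echo "iptables -t $table -C $PARENT -j $SUB 2>/dev/null ||" \
         "iptables -t $table -A $PARENT -j $SUB"
}

# Resolve every host, then apply. If resolution returns nothing (DNS down),
# keep the rules already in place rather than emptying the chain.
refresh() {
    ips=$(for h in $HOSTS; do nslookup "$h" 2>/dev/null | answers; done | sort -u)
    [ -n "$ips" ] || { echo "no DNS answers, rules left as they are" >&2; return 1; }
    for t in nat filter; do rules "$t" $ips; done | sh
}

if [ "${1:-}" = refresh ]; then refresh; fi
```

Call it with the argument refresh from rc.local and from cron; without an argument it only defines the functions.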

Hello there kavastudios.
I am trying to do the same thing but I am experiencing some problems.
Could you please help me out a bit with them??? I tried to find out how to contact you directly but I couldn't find a way to send a PM.

Hi Tony

Post here your questions so everybody can benefit from the knowledge.

actually I have several problems as I couldn't get internet access after installing nodogsplash and some other mods and making some changes in the config files.
I am wondering if you could please share the configuration files or router backup with us.

Hi.

Before installing nodogsplash, do you have a proper routed AP working?

My router is the TL-WA701ND V2 so I dunno if my config files would work for your router.
But in fact my config is the same as the routed ap recipe http://wiki.openwrt.org/doc/recipes/routedap

Hi all,

Thank you very much for that, kavastudios. We followed it all and we are at the Facebook implementation step. Can you share the code to log in with Facebook? We added the firewall rules but we don't have any idea how to follow this:

8. Configure the cms plugin in authpuppy
Login in your authpuppy and in the configuration of the cms plugin, you have to indicate the url of your welcome page and if it's the case, the url users see after validation. it's important you pass the %getparameters%?%originurl% in the url, otherwise you couldn't develop the authentication script customized for your intentions.
9. Develop the welcome page and the validation page.
In the welcome page I've used the php sdk of facebook to create the login url for the social login.
Once the user authorized my app and I am able to get their info, I've manually create the user in the ap_users table used by authpuppy, for the password I've used a fixed value of 6Afx/PgtEy+bsBjKZzihnw== (encryption of 1234567890) and for the username the mail of the user, the validation token could be any string with a random hex value of 40 chars.
Once you created the user in the table, you need to create an access token for wifidog so the users can navigate internet, for that you use the web service plugin of authpuppy.
you need to invoke this url
http://YOURURL/ws/?action=auth&authenticator=apAuthLocalUser&submit[apAuthLocalUserconnect]=Connect&apAuthLocalUser[username]=$correo&apAuthLocalUser[password]=1234567890&gw_id=$gw_id&gw_address=$gw_address&gw_port=$gw_port
the gw id, gw address, gw port are the values you get from the GET parameters the wifidog send to your welcome page.
This url will return a json with the token and a url, use this url to redirect the user (is a internal url of the router with some parameters to authenticate the user inside the router and open the navigation)
after this wifidog will redirect the user to the validation page you configured in the cms plugin.

We are using exactly the same AP (we were lucky with that). If you can post that part it will be very helpful.

Thanks!

Hi kavastudios!

From this topic, I found that you are very good at OpenWrt and wifidog. Can I get your Skype IM or something else like email so I can contact you to ask about some issues I have?

Thank you!

@kavastudios, you are a life saver. Will be giving feedback.

I want to do it on some cheap router rather than the expensive Facebook wifi ones.

Thank you for sharing. Can you open a demo account on your puppy server so we can try the router part first? Then we will get our own server for implementation later.

The discussion might have continued from here.