CoovaChilli is an open-source captive portal system for Linux that I personally use to run a free wireless access system around my area. The reason I use coovachilli instead of, oh I don’t know, NoCatSplash, is that with CoovaChilli I can not only limit speed for each connection, but I am also able to log IP and MAC addresses to prevent abuse. So, let’s go install coovachilli.
To start, you need a fresh Ubuntu 12.04.2 LTS i386 server install on a server with 2 physical network ports (or VLANs, but that won’t be covered in this).
So, first off open up /etc/network/interfaces and make sure that you have one NIC with a static IP. This is the IP coovachilli will run off of as a server. Here is what I used:
    auto lo
    iface lo inet loopback

    # Web In Connection
    auto eth0
    iface eth0 inet dhcp

    # Web OUT Connection, used via coovachilli
    auto eth1
    iface eth1 inet static
        address 10.0.1.0
        netmask 255.255.255.0
The next thing you need to do is enable packet forwarding and NAT between the interfaces, so I added the following code:
    post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
And in the end, I ended up with this:
    auto lo
    iface lo inet loopback

    # Web In Connection
    auto eth0
    iface eth0 inet dhcp

    # Web OUT Connection, used via coovachilli
    auto eth1
    iface eth1 inet static
        address 10.1.1.0
        netmask 255.255.255.0
        # Used to open up packet forwarding, and set up NAT
        post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward

And that’s it for interface setup.
To make sure packet forwarding is enabled, I also enable it from /etc/sysctl.conf. To do that, you just need to run this command:
sed --in-place=.old 's/^#\(net.ipv4.ip_forward=1\)/\1/' /etc/sysctl.conf
Now to install freeradius, as I use a radius server for user authentication with coovachilli. We will also install some libraries used by coovachilli.

    apt-get update
    apt-get upgrade
    apt-get install freeradius freeradius-utils libtool libssl-dev libcurl4-openssl-dev

Now we need to set it up. Open up /etc/freeradius/clients.conf and change the secret from “testing123” to a secure password that you will remember.
Now for adding users to freeradius. What I do is I delete the file /etc/freeradius/users and just create a new file, and start fresh. Here is the format used for user accounts:
    useraccountname Cleartext-Password := "userpass1"
        Simultaneous-Use = 999999,
        Idle-Timeout = 86400,
        Acct-Interim-Interval = 120,
        WISPr-Bandwidth-Max-Down = 1236000,
        WISPr-Bandwidth-Max-Up = 600000

So, as you can guess, useraccountname is the name of the user, and userpass1 is the password for that account. For the rest of the stuff:
- Simultaneous-Use = How many times the same account can be logged in at once.
- Idle-Timeout = How long it will wait to logout the user after idling, in seconds.
- Acct-Interim-Interval = The number of seconds between each interim update for a specific session.
- WISPr-Bandwidth-Max-Down = The max allowed download speed, in bits (not kilobits)
- WISPr-Bandwidth-Max-Up = The max allowed upload speed, in bits
So with this, create as many users as you want to use. If you don’t want to limit a user’s speed, or timeout, then just don’t add those lines to that user and it won’t apply.
Next up is testing. Restart the freeradius service, and then test the account you made to make sure it authenticates. So, for our above example, we would do the following:

    service freeradius restart
    radtest useraccountname userpass1 localhost 0 SecretCode

Where SecretCode is the secret we changed in freeradius earlier in this tutorial. If everything worked, you should get some output like this:
    Sending Access-Request of id 35 to 127.0.0.1 port 1812
        User-Name = "useraccountname"
        User-Password = "userpass1"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=35, length=56
        Idle-Timeout = 86400
        Acct-Interim-Interval = 120
        WISPr-Bandwidth-Max-Down = 1236000
        WISPr-Bandwidth-Max-Up = 600000

This means the user was authenticated successfully, and freeradius is now set up!
Now for the fun part, coovachilli. So, download the precompiled package and install it.
    wget -c http://ap.coova.org/chilli/coova-chilli_1.3.0_i386.deb
    dpkg -i coova*.deb

Now that it’s installed, we need to configure it before we enable it. To do this, copy the defaults to the config file:

    cd /etc/chilli
    cp ./defaults ./config

From here, edit /etc/chilli/config to match whatever you have set up. Just make sure to uncomment HS_WANIF=eth0 so it knows where to look for the WAN interface, and to place the freeradius secret in HS_RADSECRET; otherwise it won’t be able to authenticate users.
Now you can enable coovachilli by opening /etc/default/chilli and setting boot to 1.
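Before enabling the service, the settings changed so far can be checked in one pass. The script below is an added example, not part of the original tutorial or of CoovaChilli: it flags a RADIUS secret still left at testing123, an HS_RADSECRET that does not match clients.conf, a commented-out HS_WANIF, and forwarding not enabled in sysctl.conf. The function names, the sample files and the EXAMPLE-SECRET value are constructed for illustration.

```shell
# Added example: audit copies of the files this tutorial edits.
# Function names and sample contents are hypothetical, not from the tutorial.

# First uncommented "secret = value" in a FreeRADIUS clients.conf ($1).
radius_secret() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Value of an uncommented KEY=value line in the chilli config ($1 file, $2 key).
chilli_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# audit_portal CLIENTS_CONF CHILLI_CONFIG SYSCTL_CONF
# Prints one line per problem; the exit status is the number of problems.
audit_portal() {
    problems=0
    secret=$(radius_secret "$1")
    if [ -z "$secret" ] || [ "$secret" = "testing123" ]; then
        echo "clients.conf: secret is unset or still the default testing123"
        problems=$((problems + 1))
    fi
    if [ "$(chilli_value "$2" HS_RADSECRET)" != "$secret" ]; then
        echo "chilli config: HS_RADSECRET differs from the clients.conf secret"
        problems=$((problems + 1))
    fi
    if [ -z "$(chilli_value "$2" HS_WANIF)" ]; then
        echo "chilli config: HS_WANIF is commented out or empty"
        problems=$((problems + 1))
    fi
    if ! grep -q '^net\.ipv4\.ip_forward=1' "$3"; then
        echo "sysctl.conf: net.ipv4.ip_forward=1 is not enabled"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed samples: $1/bad is an untouched install, $1/good is after the edits.
make_samples() {
    mkdir -p "$1/bad" "$1/good"
    printf 'client localhost {\n\tipaddr = 127.0.0.1\n\tsecret\t\t= testing123\n}\n' > "$1/bad/clients.conf"
    printf '# HS_WANIF=eth0\nHS_RADSECRET=testing123\t# shared secret\n' > "$1/bad/config"
    printf '#net.ipv4.ip_forward=1\n' > "$1/bad/sysctl.conf"
    printf 'client localhost {\n\tipaddr = 127.0.0.1\n\tsecret\t\t= EXAMPLE-SECRET\n}\n' > "$1/good/clients.conf"
    printf 'HS_WANIF=eth0\nHS_RADSECRET=EXAMPLE-SECRET\n' > "$1/good/config"
    printf 'net.ipv4.ip_forward=1\n' > "$1/good/sysctl.conf"
}
```

On a real install it would be called as audit_portal /etc/freeradius/clients.conf /etc/chilli/config /etc/sysctl.conf, run as root because clients.conf is not world-readable.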
From here, do a restart and coovachilli should be running! If not, stop the service, and use the following to start coovachilli in debug mode to see what is going on.
chilli --fg --debug
I personally have never used the default coovachilli portal program, so if you plan on using it, this tutorial may not work with the configuration part, but it will get you a working coovachilli install.
Hope this helps some of you out there!