
Walkthrough: How To Setup A Public Hotspot with CoovaAP

Discussion in 'Other Firmware Projects' started by vmixus, Jan 4, 2014.

  1. vmixus

    vmixus Serious Server Member

    Summary:
    This is a step-by-step walkthrough guide with screenshots of how I set up a spare WRT54G v3 with CoovaAP to use as a public wifi hotspot.

    With the below setup, after a guest first connects via wifi, the router intercepts the client's browser and redirects the user to a page where they have to agree and accept the terms of service before proceeding.

    Prerequisites:
    Background:
    Finding myself with a spare WRT54G v3, I decided to put it to good use when the need for a public wifi arose. Since I'm using Tomato on my other routers, I first tried Victek's Version 1.28.121006 with Captive Portal but couldn't get it working. Seeking an alternative, I came across CoovaAP and it looked interesting. Also, I didn't see CoovaAP listed under Other Firmware Projects so I decided to add this guide here.

    CoovaAP firmware is designed especially for HotSpots and is built on some other similar open solutions including CoovaChilli. This guide is based on version 1.0-beta.12, which was released April 2, 2011; there's also another iteration of this project. Although dev on this project seems to have stalled, it did work for my needs.

    Steps:
    Other Reference:
     
    Last edited: Feb 8, 2014
  2. vmixus

    vmixus Serious Server Member

    STEP 1 : Install CoovaAP
    1. Download appropriate firmware for your compatible router and read/follow "Step 1" on the same page.
      I'm using Version 1.0-beta.12 for the Linksys WRT54G.
    2. Make sure you are connected to the router using a network cable and not wifi before proceeding, then access your router's existing config using a browser.
      WRT54G gateway by factory default is located at http://192.168.1.1 using Logon: admin Password: admin
    3. Navigate to "Administration -> Firmware Upgrade", click "Choose File", then select the CoovaAP firmware file you downloaded for your router earlier. Click "Upgrade"
    4. Wait until you see "Upgrade Successful", then wait a few more minutes before clicking "Continue".
    5. If all went well you should be prompted to set up the root password. Pick something and click "Set".
    CoovaAP is installed but there are still leftover settings floating around from the original factory firmware. For example:
    [​IMG]
    To clean up and restore all settings to default, use an ssh client to connect to the router using:

    • Router's IP 192.168.1.1
    • Login : root
    • Password : (use the root password you set up previously)
    Then issue the following command to reset and reboot the router.
    Code:
    mtd erase nvram && reboot
    Once the router finishes rebooting, you can confirm that all settings are now at default. For example, the ESSID we saw previously should now be "Coova" instead of "linksys"

    Finally, to wrap up, navigate to "System -> Installed Software"
    Then click "Update package lists".
     
    Last edited: Jan 6, 2014
  3. vmixus

    vmixus Serious Server Member

    STEP 2 : Configure Hotspot
    1. With CoovaAP installed we're ready to configure the hotspot.
      Navigate to "Hotspot -> Configuration" and match the settings in the screen shot then click "Save Changes"
      [​IMG]
      After clicking "Save Changes", click "5 Config Changes Pending" near the top right corner.
      Then click "Apply Changes" and wait for settings to be applied.

    2. At this point the hotspot is working but unfortunately remains unusable as the TOS Acceptance page fails to load. A minor code fix is necessary to remedy this problem. If you plan on using the "Self Register" option then apply the other code fix mentioned in the link as well.

      To apply the fix, SSH back into the router as before and issue the following command to launch vi editor. If you haven't used vi before, several beginner tutorials are available.
      Code:
      vi /etc/chilli/www/tos.chi
      Then edit line 37:
      Code:
      from: if [ "$tos" = "1" ]; then
      to: if [ "$HS_REG_MODE" = "tos" ]; then
      After making the changes use ":" then "w" + <enter> to first write the changes, then ":" then "q" + <enter> to quit. You can confirm the changes were saved by reopening the file.

    3. Finally, test the hotspot by connecting via wifi and trying to access a webpage. The router should intercept and successfully redirect the browser to the TOS Acceptance page.
      After clicking "I Accept" you should get redirected to the webpage you originally requested.
      The hotspot name can be customized under "Hotspot -> Location -> Location Name"
     
    Last edited: Jan 5, 2014
  4. vmixus

    vmixus Serious Server Member

    STEP 3 : Security
    Due to various possible topologies it's impossible to cover all scenarios. You should modify the below settings to suit your needs.

    CoovaAP uses two different IP subnets, one for LAN clients and another for hotspot.
    LAN IP Settings are located under "Network -> LAN" and by default this is 192.168.1.x
    Hotspot IP Settings are located under "Hotspot -> DHCP" and by default this is 10.1.0.x
    Customize those settings as you desire then modify the below commands to match accordingly.

    Custom changes to the firewall settings are made using the iptables command. To ensure that custom changes to the firewall settings persist after the router reboots, it's necessary to save those changes in the file: /etc/firewall.user.
    The changes are appended to the bottom of that file and implemented via ssh as before using vi.

    First, I wanted to restrict access to the router's config (web, ssh, telnet) for clients using the hotspot.
    But applying the settings through the GUI had no effect and clients using the wifi hotspot were still able to reach the router's web and ssh password prompts. To compensate I used the following firewall rule:
    Code:
    ## Custom restrictions for public access
    # Restrict Public subnet access to router config and block FTP, SSH, TELNET, HTTP, HTTPS
    iptables -I INPUT -s 10.1.0.0/24 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
    
    You should test it out by:
    • SSH into router
    • Simply copy / paste the above command
    • Connect to router using wifi
    • Try to access a site on the internet
    • Try to access the router's web config via http://10.1.0.1 or http://192.168.1.1
    Using wifi, you should've been able to access the internet but not any router config.
    Though the router config should still be accessible when connected via LAN.

    The general recommendation is to test and confirm your rules at the command line first before saving them, to avoid mistakes which may result, for example, in locking yourself out. If a wrong command was issued on the command line, a reboot would remove the changes, but if the command was saved, it would persist, which may leave a hard reset as the only option. So as long as the above tests worked out, you can save the changes to the bottom of the /etc/firewall.user file.

    Issue the following command via SSH to edit the file then copy / paste / save the firewall rule in the above code block to the bottom of the file to make the firewall changes permanent:
    Code:
    vi /etc/firewall.user
    
    If you'd like to restrict wireless hotspot clients from accessing clients connected to the router's LAN ports, you can test and then include the following rule as well:
    Code:
    # Restrict public access to LAN
    iptables -t nat -I PREROUTING -i tap0 -d 192.168.1.0/24 -j DROP
    To further improve security, you can use an SSH key which may be defined under "System -> Admin Access -> Authorized Keys" and then disable password logins to prevent brute force attacks.
     
    Last edited: Jan 8, 2014
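Added example, not part of the post above and not CoovaAP code: one way to fill the post's two rules in with your own subnets and save them to /etc/firewall.user without creating duplicate lines when the script is run again. The variable and function names are hypothetical; the defaults are the subnets, interface and file path given in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Defaults are the post's values;
# variable and function names are hypothetical.
HOTSPOT_NET="${HOTSPOT_NET:-10.1.0.0/24}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
HOTSPOT_IF="${HOTSPOT_IF:-tap0}"
FW_FILE="${FW_FILE:-/etc/firewall.user}"

# Print the two rules from the post with the configured values filled in.
hotspot_rules() {
    printf '%s\n' \
        "iptables -I INPUT -s $HOTSPOT_NET -p tcp -m multiport --dports 21,22,23,80,443 -j DROP" \
        "iptables -t nat -I PREROUTING -i $HOTSPOT_IF -d $LAN_NET -j DROP"
}

# Append each rule to FW_FILE unless that exact line is already present.
# Echoes the number of lines added, so a second run reports 0.
persist_rules() {
    added=0
    touch "$FW_FILE" || return 1
    # If the file does not end in a newline, add one so the first appended
    # rule is not glued onto the existing last line.
    if [ -s "$FW_FILE" ] && [ -n "$(tail -c 1 "$FW_FILE")" ]; then
        echo >> "$FW_FILE"
    fi
    while IFS= read -r rule; do
        if ! grep -qxF -e "$rule" "$FW_FILE"; then
            printf '%s\n' "$rule" >> "$FW_FILE"
            added=$((added + 1))
        fi
    done <<EOF
$(hotspot_rules)
EOF
    echo "$added"
}
```

Recent iptables releases reject `-j DROP` in the `nat` table, so on newer firmware the second rule would need to move to a filter-table chain.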
  5. vmixus

    vmixus Serious Server Member

    STEP 4 : Captive Frame
    Another interesting hotspot-specific feature included with Coova was captive frame.
    As the link shows, it uses an internal proxy to inject an iframe into the users browser.
    This did end up working for me but with some caveats:
    • The iframe would only appear for clients connected via the router's LAN ports
    • iframe only seems to show up on some web pages but not all
    I'm not sure where/why this is breaking but if anyone has any insights, please let me know.

    To set up Coova captive frame:
    1. From "Hotspot -> Proxy" click "install now"
      Then wait before clicking "Continue"
    2. After clicking "Continue" you should have been redirected to "Hotspot -> Proxy"
      Under "Proxy Settings -> Proxy Setup" select "Captive Frame" from the drop down menu and click "install now"
      Wait for installation to finish then click "Continue"
      After being redirected to "HotSpot -> Proxy" page again, match the settings in the screen shot. Then click "Save Changes". When the "4 Config Changes Pending" appears, click it and then "Apply Changes".

    3. Captive Frame should now be working. To test it out connect a computer directly to the LAN port on the router and access a webpage. Also, don't forget to clear the browser's cache or use ctrl + F5.
     
    Last edited: Jan 6, 2014
  6. vmixus

    vmixus Serious Server Member

    STEP 5 : Replacing CoovaAP
    The instructions below will replace CoovaAP with the original factory firmware or any other firmware you choose. The "Firmware Upgrade" option in the GUI did not work for me. For Windows, download and install pscp before proceeding.

    These instructions are based on the following guides:
    1. First, as a precaution, enable "boot_wait" under "System -> Settings -> System Settings -> boot_wait"
    2. Download the correct original factory firmware for your router. (Linksys)
    3. If the firmware is packaged as a .bin file you have to first convert it to .trx
      Code:
      dd bs=32 skip=1 if=original.bin of=original.trx
      I was unable to convert the bin file on the router directly due to space limitations and had to convert the file first before uploading to the router. I converted mine on a Debian box but if you're on Windows you can try dd for Windows.
    4. Use scp to upload factory firmware file to router.
      This tells pscp to use the scp protocol (as it defaults to sftp) and to copy the file original.trx to the router.
      Code:
      pscp -scp original.trx root@192.168.1.1:original.trx
      The below example is using pscp for Windows, assuming the command is run from the same directory as the firmware file original.trx
    5. Finally, ssh into the router and confirm the firmware file was uploaded and then issue the following command to install the firmware:
      Code:
      mtd write original.trx linux && reboot

      Once the router finishes rebooting, the original factory firmware should be installed.
      Remember to clear browser cache before visiting http://192.168.1.1 and then perform another factory reset to remove any residual settings.
     
    Last edited: Jan 6, 2014
    56kb likes this.
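Added example, not part of the post above: a check to run on the workstation after the dd conversion in step 3 and before the file is uploaded and flashed. It assumes the TRX container begins with the 4-byte magic `HDR0`, which is a property of the TRX format and is not stated in the post; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Strips the 32-byte vendor header
# the same way the post's dd command does, then refuses the result unless it
# starts with the TRX magic "HDR0" (assumption: standard TRX container).

# Succeeds only if the file begins with the 4-byte TRX magic.
is_trx() {
    [ "$(head -c 4 "$1" 2>/dev/null | tr -d '\000')" = "HDR0" ]
}

# bin_to_trx IN OUT
# Returns 0 on success, 1 if the input is missing, too small or the size
# is off, 2 if the output does not look like a TRX image (output deleted).
bin_to_trx() {
    in="$1"; out="$2"
    [ -f "$in" ] || return 1
    if is_trx "$in"; then
        # Already a bare TRX: copy it, do not cut 32 bytes off the image.
        cp "$in" "$out"
        return 0
    fi
    size=$(wc -c < "$in" | tr -d ' ')
    [ "$size" -gt 36 ] || return 1
    dd bs=32 skip=1 if="$in" of="$out" 2>/dev/null || return 1
    if ! is_trx "$out"; then
        rm -f "$out"
        return 2
    fi
    # Exactly the 32-byte header must be gone, nothing more.
    [ "$(wc -c < "$out" | tr -d ' ')" -eq $((size - 32)) ] || { rm -f "$out"; return 1; }
}
```

Only a file for which `bin_to_trx` returns 0 should go on to the pscp and `mtd write` steps.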
  7. Ozgur

    Ozgur New Member Member

    So sad that all CoovaAP downloads have been removed with the web site change. :(
     
