• Tweet

A very Brief introduction

OpenWrt is a Linux distribution for Linksys WRT54G. It provides minimal firmware with add-on packages. Its allows the customization with broad range of software packages available for it.
We will be using OpenWrt as a replacement to the original Linksys firmware that comes pre-installed with the router.

ChilliSpot is a wireless LAN access controller. It is used for authenticating users of wireless LAN. It supports web based login for hotspots.
The Chilli daemon plays a primary role in the entire hotspot setup. It runs on the router and provides users access to the wireless Hotspot.

FreeRadius is a server that manages remote user authentication and accounting.

Mysql is a premier opensource database server.
All user database, authentication and accounting is stored in a Mysql database.

Follow this howto at your own risk...!!!

I have followed steps similar to those demonstrated here. They have worked for me. They may work for you too..

You may require special customization according to your need. Let me know if it worked for you.

<yunusbookwala @ gmail.com>

Setting up the Linksys router

I used the Linksys WRT54GS routers for this setup. For other supported routers see

http://wiki.openwrt.org/OpenWrtDocs/Installing

We need to install OpenWrt on the router. This is done by flashing the pre-installed Linksys firmware with openwrt.

<!--[if !supportLists]-->You may find the procedure to do this is a bit complex depending on your skills.

You may need to downgrade the linksys firmware to enable boot_wait. To do this <!--[endif]-->

1. Download this firmware from here

wget ftp://ftp.linksys.com/pub/network/WRT54GS_3.37.2_US_code.zip on your computer.

2. The Ethernet cable should be connected to the PORT 1 of the router.

3. Point your browser to the Linksys Web administration panel, usually its http://192.168.1.1 and goto the Admin Page -> Upgrade firmware link

4. upload the above firmware.

5. Once you have successfully downgraded the firmware, navigate to Administration -> Diagnostics -> Ping test

6. Enter exactly each line listed below, one line at a time into the "IP Address" field, pressing the Ping button after each entry.

;cp${IFS}*/*/nvram${IFS}/tmp/n
;*/n${IFS}set${IFS}boot_wait=on
;*/n${IFS}commit
;*/n${IFS}show>tmp/ping.log

7. When you get to the last command the ping window should be filled with a long list of variables including boot_wait=on somewhere in that list.

8. Now you are ready to install the actual openwrt firmware. You need a TFTP client for this.

9. Download the openwrt firmware

wget http://downloads.openwrt.org/whiterussian/rc3/bin/openwrt-wrt54gs-jffs2.bin

The basic procedure of using a tftp client to upload a new firmware to your router<!--[endif]-->

1. unplug the power to your router

2. start your tftp client

give it the router's address (usually 192.168.1.1)

set mode to octet

tell the client to resend the file, until it succeeds.

put the file

3. plug your router, while having the tftp client running and constantly probing for a connection.

4. the tftp client will receive an ack from the bootloader and starts sending the firmware

Please be patient, the reflashing occurs AFTER the firmware has been transferred. DO NOT unplug the router, it will automatically reboot into the new firmware. These steps have to be done in quick succession.

A typical tftp session look like this

tftp 192.168.1.1s

tftp> binary
tftp> trace
Packet tracing on.
tftp> put openwrt-wrt54gs-jffs2.bin

On windows you may try this to tftp

tftp -i 192.168.1.1 PUT openwrt-wrt54gs-jffs2.bin

from the command prompt.

On routers with a DMZ led, OpenWrt will light the DMZ led while booting, after bootup it will turn the DMZ led off. Sometimes automatic rebooting does not work, so you can safely reboot after 5 minutes.

If everything up to this point goes fine, we are ready to use the router with the new openwrt.

Using the openwrt router

You can now login to the router like a regular Linux box. But the first thing after the router has rebooted is to set a password for the `root’ account.

At this point you can telnet on to the router. Once you have set a password for `root’ on next reboot you will only be able to ssh in to the router.

The default IP address on the router is 192.168.1.1 hence bring your machine to the 192.168.1. network range.

# telnet 192.168.1.1

Check whether boot_wait is ON. boot_wait must be on for upgrades or recovering from bad installations.

# nvram get boot_wait
boot_wait=on

Set a password for `root’

# passwd

If you get any error setting password, run the following command

# firstboot

Or the router may require a reboot.

# reboot

Now you can ssh in to the router and start configuring it.

# ssh root@192.168.1.1

We will be using the router as a ‘Access Point’. Run the following commands on the router.
These command set the networking parameters for the router to access the Internet(WAN).

# nvram set wan_ifname=vlan1
# nvram set wan_proto=static
# nvram set wan_ipaddr=xxx.xxx.xxx.xxx
# nvram set wan_netmask=255.255.255.0
# nvram set wan_gateway=192.168.1.1
# nvram set wan_dns=192.168.1.1
# nvram commit

If your router need to get IP address through DHCP you only need to run these

# nvram set wan_ifname=vlan1
# nvram set wan_proto=dhcp
# nvram commit

For PPPoE Internet connection

# nvram set wan_ifname=ppp0
# nvram set wan_proto=pppoe
# nvram set ppp_mtu=1492
# nvram set pppoe_ifname=vlan1
# nvram set ppp_username=your_isp_login
# nvram set ppp_passwd=your_isp_password
# nvram commit

You may need to reboot the router now.

Installing ChilliSpot

Download following packages on your machine

A module to create tunnel on the router

# wget http://downloads.openwrt.org/experimental-20050525/bin/packages/kmod-tun_2.4.30-1_mipsel.ipk

# wget http://chillispot.org/download/chillispot_1.0-1_mipsel.ipk
# wget http://chillispot.org/download/chillispot-1.0.tar.gz

Copy the files on to the router

# scp kmod-tun_2.4.30-1_mipsel.ipk root@192.168.1.1:/tmp
# scp chillispot_1.0-1_mipsel.ipk root@192.168.1.1:/tmp

login to the router

# ssh root@192.168.1.1

On the router

# cd /tmp
# ipkg install kmod-tun_2.4.30-1_mipsel.ipk

Edit /etc/modules and append `tun` to it.

This will load the tun module whenever the router is restarted.

You can use vi on the router

OpenWRT comes with the following network interfaces:

• eth0: LAN Switch. Is used as the connection point for the VLANs. Do never use this port directly.
• eth1: Wireless Interface
• vlan1: Virtual LAN: Internet
• vlan0: Virutal LAN: Port 1 to 4
• br0: Bridge between vlan0 and eth1.

We will have the LAN not accessible through wireless and vice-versa, we will remove eth1 from the brigde

Run these commands

# nvram set lan_ifnames="vlan0 eth3"
# nvram commit
# /etc/init.d/S40network restart

Install chillispot

# cd /tmp
# ipkg install chillispot_1.0-1_mipsel.ipk

Now have the firewall in place. Copy the firewall script from the chillispot sources to the router.

Untar the chillispot source on your machine

# tar zxvf chillispot-1.0.tar.gz
# cd chillispot-1.0/doc
# scp firewall.openwrt root@192.168.1.1:/tmp

On the router

# rm /etc/init.d/S45firewall
# cp /tmp/firewall.openwrt /etc/init.d/S45firewall
# chmod 755 /etc/init.d/S45firewall

I had to edit the S45firewall script and change

WANIF=$(nvram_get wan_ifname)
to
WANIF=$(nvram get wan_ifname)

Chilli takes care of assigning IP to the wireless clients, hence we can safely delete dnsmasq the openwrt dns and dhcp service.

# rm /etc/init.d/S#dnsmasq

Substitue the # in S#dnsmasq with the appropriate number.

Configure chilli to start on booting the router

edit /etc/init.d/S50services and append this line at the bottom

sleep 5
/usr/sbin/chilli

The configuration file for chilli daemon can be found at /etc/chilli.conf on the router. Now before any further chilli configuration we will be installing and configuring the UAM server and FreeRadius server.

We will be using the Universal Access Method(UAM) for authentication and login to the wireless HotSpot. With UAM the wireless client is redirected to a login web page to be authenticated on first Internet or Extranet request.

I suppose you have installed and configured Apache httpd server to serve CGI pages. The UAM method uses the hotspotlogin.cgi script which can be found at doc/hotspotlogin.cgi in the chillispot source directory.

Place this CGI script in the apache cgi-script directory usually /var/www/cgi-bin/ of your server.

Edit the hotspotlogin.cgi file. Uncomment following line

$uamsecret = "ht2eb8ej6s4et3rg1ulp"; Change this to your liking.
$userpassword=1;

The hotspotlogin.cgi script requires https(SSL) to access it. You may need to configure SSL certificates accordingly.

FreeRadius

We will have the FreeRadius server configured with MySql backend for user authentication and accounting.

If compiling from source

# wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.0.5.tar.gz
# tar zxvf freeradius-1.0.5.tar.gz
# cd freeradius-1.0.5
# ./configure –with-mysql
# make && make install

Configure FreeRadius

We prepare the database for using with freeradius.

# mysql -u root -p
> create database radius;
> quit

# mysql -u root -p radius < /usr/share/doc/freeradius-x.x.x/db_mysql.sql

# mysql -u root -p
> GRANT select,insert,update,delete,create,drop ON radius.*
TO ‘radiususer’@’localhost’ IDENTIFIED BY 'radiuspasswd';
> quit

edit /etc/raddb/radius.conf or /usr/local/etc/raddb/radius.conf

The end of your radiusd.conf should then look something like this:

authorize {
preprocess
chap
mschap
# auth_log
# attr_filter
# digest
suffix
sql
# file
# eap
# etc_smbpasswd
# ldap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP{
mschap
}
# pam
# unix
# Auth-Type LDAP {
# ldap
# }
# eap
}
preacct {
pre process
acct_unique
suffix
# files
}
accounting {
acct_unique
detail
# counter
unix
sql
radutmp
# sradutmp
}
session {
radutmp
}

The radius.conf file is pretty good commented you can customize it as per your needs.

Edit the /etc/raddb/sql.conf and enter the server, name and password details to connect to your MySQL server and the RADIUS database.

Dialupadmin

Dialupadmin is a web based administration tool to manage Radius users and their accounting and authorization information.

Copy the dialup_admin directory from the freeradius source directory to /usr/local/dialup_admin

# cp -r freeradius-x.x.x/dialup_admin /usr/local/

Create as symlink from your web server root directory to dialup_admin/htdocs

# ln -s /usr/local/dialup_admin/htdocs /var/www/html/dialupadmin

edit the dialup_admin/conf/admin.conf. Attributes to lookout for are

general_radiusd_base_dir: /usr/local/radiusd
general_domain: company.com
general_lib_type: sql
general_radius_server: localhost
general_radius_server_port: 1812
general_encryption_method: clear
sql_type: mysql
sql_server: localhost
sql_port: 3306
sql_username: radiususer
sql_password: radius69passwd
sql_database: radius

You can now access dailup_admin with following kind of URL, http://yourwebsever/dialupadmin

Now we can move ahead configuring chilli on the router. The chilli configuration file can be found at /etc/chilli.conf on the router. The configuration derectives that needs to be taken care of are

#dns server that will be specified to the clients machines
dns1 172.16.0.5
dns2 172.16.0.6

#domain name that will be suggested to the clients
domain your.hotspot.com

#radius server IP
radiusserver1 192.168.0.100
radiusserver2 192.168.0.101

#secret shared between the router and the radius servers
#on the radius server it in the file clients.conf
radiussecret somesecret123

#Location ID of the router that will be sent to the radius for #accounting purpose
radiuslocationid isocc=in,cc=91,ac=400078,network=HOME_Nework

#Location name
radiuslocationname HOME,magnet
dhcpif eth1

#DHCP lease period in seconds
lease 900

#UAM paramter. URL of web server handling authentication.
Uamserver https://youruamserver/cgi-bin/hotspotlogin.cgi

#secret shared between chilli and authentication web server.
#Specify same as mentioned in the hotspotlogin.cgi
uamsecret ht2eb8ej6s4et3rg1ulp

#Domains that users can browse with out authentication
uamallowed www.chillispot.org,www.openwrt.org

There are other parameter that can be changed according to your preferences.

Testing the entire setup
All the basic configuration has been done, and ready to be tested.

Point your browser to the dialup_admin web interface. Create a test user account.
Just a username and password will do. You can leave the other fields blank.

Start the chilli server on the router in debug mode.

# /usr/sbin/chilli -f -d

Also start the radius on the server if not running. Use -X to see debugging output.

# /usr/sbin/radiusd -X

Now with your wireless client machine try to browse the Internet.

Your browser should be redirected to the hotspotlogin.cgi page.
Use the username/password information of the test account you created to login.
Once authenticated you will be able to surf the Internet.

TODO:

• Add troubleshooting tips
• configurations for mac authorization
• Better navigation on this page

• Tweet