====== OpenVPN Bridges ======

===== Enable Packet forwarding for IPv4 =====

  * The machine running CoovaChilli will act as a router and thus needs to be configured as such.
  * This means that IP packets need to be **forwarded** from one interface to the other.
  * Edit **/etc/sysctl.conf**.
  * Find and uncomment the **net.ipv4.ip_forward=1** line. The setting takes effect after a reboot or **sysctl -p**.

===== Building and Installing Coova Chilli =====

  * The version of CoovaChilli is 1.6 as of this writing.
  * We will download and build the .deb package from source.
  * First ensure the packages required to build the .deb package are installed:

<code>
sudo apt-get install build-essential libssl-dev libjson-c-dev gengetopt
sudo apt install devscripts debhelper
</code>

  * Download the release **1.6** .tar.gz file of the source here: https://github.com/coova/coova-chilli/releases
  * Before we can build the package, we have to remove a dependency (haserl) specified in the Debian control file.
  * This dependency is not required, and including it causes trouble when you want to install the package.

<code>
# If you downloaded with wget
tar -xzvf 1.6.tar.gz
# If you downloaded with the browser
tar -xzvf coova-chilli-1.6.tar.gz
cd coova-chilli-1.6/
vi debian/control
#Look for this part
#------
#Depends:
# ${shlibs:Depends},
# iptables,
# haserl,
# adduser,
#------

#------ CHANGE TO THIS (remove haserl as a dependency)
#------
#Depends:
# ${shlibs:Depends},
# iptables,
# adduser,
#-----
debuild -i -us -uc -b
cd ..
sudo dpkg --install coova-chilli_1.6_amd64.deb
</code>

  * From the output of the dpkg command you will see that CoovaChilli is disabled by default. In the next section we will configure it to become a working entity.

<code>
Selecting previously unselected package coova-chilli.
(Reading database ... 125842 files and directories currently installed.)
Preparing to unpack coova-chilli_1.6_amd64.deb ...
Unpacking coova-chilli (1.6) ...
Setting up coova-chilli (1.6) ...
Chilli default off. Look at /etc/default/chilli
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
Processing triggers for systemd (245.4-4ubuntu3.6) ...
Processing triggers for man-db (2.9.1-1) ...
</code>

===== Configuring Coova Chilli =====

==== Enable CoovaChilli ====

  * Edit the following file:

<code>
sudo vi /etc/default/chilli
</code>

  * Change it to look like this:

<code>
START_CHILLI=1
CONFFILE="/etc/chilli.conf"
HS_USER="chilli"
</code>

  * Save the file.

==== Create the main config file ====

  * Create a file called **/etc/chilli/config** and use the following as reference:

<code>
HS_WANIF=eth0            # WAN Interface toward the Internet
HS_DNS1=4.4.4.4
HS_DNS2=8.8.8.8
HS_RADIUS=164.160.89.129
HS_RADIUS2=164.160.89.129
HS_RADSECRET=testing123  # Set to be your RADIUS shared secret
HS_UAMSECRET=greatsecret # Set to be your UAM secret
HS_UAMALIASNAME=chilli
HS_UAMSERVER=$HS_UAMLISTEN
HS_UAMFORMAT=https://cloud.radiusdesk.com/cake4/rd_cake/dynamic-details/chilli-browser-detect/
HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html
HS_MODE=hotspot
HS_TYPE=coovachilli
HS_WWWDIR=/etc/chilli/www
HS_WWWBIN=/etc/chilli/wwwsh
HS_PROVIDER=Coova
HS_PROVIDER_LINK=http://coova.github.io/
HS_LOC_NAME="My HotSpot" # WISPr Location Name and used in portal
HS_UAMUISSL=on
HS_SSLKEYFILE=/etc/chilli/key.pem
HS_SSLCERTFILE=/etc/chilli/cert.pem
HS_UAMALIASNAME=uam
HS_DNS_DOMAIN=mesh-manager.com
HS_UAMUIPORT=4990
</code>

  * The **HS_RADSECRET** and **HS_UAMSECRET** values shown are placeholders; replace them with your own strong secrets before the system is put on a network.
  * Make sure you include the **key.pem** and **cert.pem** in order for SSL to work correctly.
  * You can use the ones from the MESHdesk firmware: https://github.com/RADIUSdesk/openwrt-meshdesk/tree/main/MESHdesk/files/MESHdesk/captive_portals
  * Create the VLAN config directories:

<code>
#Here you will need ifconfig to be installed
sudo su
cd /etc/chilli
./newmulti.sh br0.101
./newmulti.sh br0.102
./newmulti.sh br0.103
</code>

  * Create the three VLAN configs:

<code>
HS_LANIF=br0.101             # Subscriber-side (LAN) interface for this VLAN
HS_NETWORK=10.101.0.0        # HotSpot Network (must include HS_UAMLISTEN)
HS_NETMASK=255.255.0.0       # HotSpot Network Netmask
HS_UAMLISTEN=10.101.0.1      # HotSpot IP Address (on subscriber network)
HS_UAMPORT=3990              # HotSpot UAM Port (on subscriber network)
HS_UAMUIPORT=4990            # HotSpot UAM "UI" Port (on subscriber network, for embedded portal)
HS_DYNIP=10.101.1.1
HS_DYNIP_MASK=255.255.0.0
HS_STATIP=10.101.0.1
HS_STATIP_MASK=255.255.255.0
# HS_DNS_DOMAIN=
HS_NASID=rd-vlan101
HS_SSID=rd-vlan101-ssid

HS_LANIF=br0.102             # Subscriber-side (LAN) interface for this VLAN
HS_NETWORK=10.102.0.0        # HotSpot Network (must include HS_UAMLISTEN)
HS_NETMASK=255.255.0.0       # HotSpot Network Netmask
HS_UAMLISTEN=10.102.0.1      # HotSpot IP Address (on subscriber network)
HS_UAMPORT=3991              # HotSpot UAM Port (on subscriber network)
HS_UAMUIPORT=4991            # HotSpot UAM "UI" Port (on subscriber network, for embedded portal)
HS_DYNIP=10.102.1.1
HS_DYNIP_MASK=255.255.0.0
HS_STATIP=10.102.0.1
HS_STATIP_MASK=255.255.255.0
# HS_DNS_DOMAIN=
HS_NASID=rd-vlan102
HS_SSID=rd-vlan102-ssid

HS_LANIF=br0.103             # Subscriber-side (LAN) interface for this VLAN
HS_NETWORK=10.103.0.0        # HotSpot Network (must include HS_UAMLISTEN)
HS_NETMASK=255.255.0.0       # HotSpot Network Netmask
HS_UAMLISTEN=10.103.0.1      # HotSpot IP Address (on subscriber network)
HS_UAMPORT=3992              # HotSpot UAM Port (on subscriber network)
HS_UAMUIPORT=4992            # HotSpot UAM "UI" Port (on subscriber network, for embedded portal)
HS_DYNIP=10.103.1.1
HS_DYNIP_MASK=255.255.0.0
HS_STATIP=10.103.0.1
HS_STATIP_MASK=255.255.255.0
# HS_DNS_DOMAIN=
HS_NASID=rd-vlan103
HS_SSID=rd-vlan103-ssid
</code>

===== Add NAT Support =====

  * By default CoovaChilli does not do NAT between the two interfaces. We have to add NAT support during start-up in order to have a working system. Failing to do this step will leave you with a broken system.
  * Edit the **/etc/init.d/chilli** file and add the lines between **#NAT mod** and **#END NAT mod**; the surrounding lines show where in the file they go:

<code>
test ${HS_ADMINTERVAL:-0} -gt 0 && {
    (crontab -l 2>&- | grep -v $0
     echo "*/$HS_ADMINTERVAL * * * * $0 radconfig"
    ) | crontab - 2>&-
}

#NAT mod
iptables -F POSTROUTING -t nat
iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE
# ---HEADS-UP--
#NOTE The $HS_WANIF did not populate for some unknown reason so I had to do
#iptables -I POSTROUTING -t nat -o eth0 -j MASQUERADE
#END NAT mod

ifconfig $HS_LANIF 0.0.0.0
</code>

  * Note that **iptables -F POSTROUTING -t nat** flushes every rule in that chain, not only CoovaChilli's, so check for other NAT rules on the host before relying on it.

===== Test it out =====

  * Restart CoovaChilli for the latest changes to take effect:

<code>
#This is required
systemctl disable chilli
#Now issue the following
sudo systemctl stop chilli
sudo systemctl status chilli
sudo systemctl start chilli
</code>

  * Confirm it started fine:

<code>
sudo systemctl status chilli
.......
● chilli.service - LSB: Start CoovaChilli daemon at boot time
     Loaded: loaded (/etc/init.d/chilli; generated)
     Active: active (running) since Sat 2022-06-11 03:05:26 UTC; 2s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 7619 ExecStart=/etc/init.d/chilli start (code=exited, status=0/SUCCES
      Tasks: 1 (limit: 1108)
     CGroup: /system.slice/chilli.service
             └─7706 /usr/sbin/chilli -c /etc/chilli.conf

Dec 21 03:05:26 osboxes systemd[1]: Started LSB: Start CoovaChilli daemon at boo
Dec 21 03:05:26 osboxes chilli[7706]: PID 7706 saving options to /var/run/chilli
Dec 21 03:05:26 osboxes chilli[7706]: PID 7706 loading binary options file /var/
Dec 21 03:05:26 osboxes chilli[7706]: Loading modules
Dec 21 03:05:26 osboxes chilli[7706]: CoovaChilli 1.4. Copyright 2002-2005 Mondr
Dec 21 03:05:26 osboxes chilli[7706]: TX queue length set to 100
Dec 21 03:05:26 osboxes coova-chilli[7713]: PID 7713 loading binary options file
Dec 21 03:05:26 osboxes coova-chilli[7713]: Loading modules
Dec 21 03:05:26 osboxes coova-chilli[7713]: USER root(0/0), GROUP root(0/0) CHIL
Dec 21 03:05:26 osboxes coova-chilli[7713]: Running /etc/chilli/up.sh (0/0)
.......
</code>

  * Reboot the system and make sure CoovaChilli started up fine.

===== Startup sequence =====

  * We need to make sure that CoovaChilli starts at the right time.
  * The right order is:
    * First we configure the bridges.
    * Then we start up the OpenVPN tunnels.
    * Then we start up CoovaChilli.
  * Disable the normal startup sequence of CoovaChilli:

<code>
systemctl disable chilli
</code>

  * Edit the **/etc/rc.local** file and add the following below the startup of OpenVPN:

<code>
#Add the startup of OpenVPN
systemctl start openvpn@server_vlan_101
systemctl start openvpn@server_vlan_102
systemctl start openvpn@server_vlan_103
#Add the startup of CoovaChilli
systemctl start chilli
exit 0
</code>

  * Reboot the system and make sure everything is up and running after the reboot.

===== System Checks =====

  * To confirm the bridges are up along with the OpenVPN tunnels:

<code>
root@localhost:/home/system# brctl show
bridge name     bridge id               STP enabled     interfaces
br0.101         8000.002222ffffff       no              eth1.101
                                                        tap0
br0.102         8000.002222ffffff       no              eth1.102
                                                        tap1
br0.103         8000.002222ffffff       no              eth1.103
                                                        tap2
</code>

  * To check if CoovaChilli started up fine:

<code>
ifconfig
....
tun0: flags=81  mtu 1500
        inet 10.101.0.1  netmask 255.255.0.0  destination 10.101.0.1
        inet6 fe80::70ad:961c:836d:ea9  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 592 (592.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun1: flags=81  mtu 1500
        inet 10.1.0.1  netmask 255.255.255.0  destination 10.1.0.1
        inet6 fe80::dfa6:b905:30f9:8478  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 592 (592.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun2: flags=81  mtu 1500
        inet 10.1.0.1  netmask 255.255.255.0  destination 10.1.0.1
        inet6 fe80::c5e:ff84:c088:a947  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 592 (592.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
....
</code>
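As an added example (not code from this page or from the CoovaChilli project), the POSIX shell script below renders a per-VLAN config in the pattern of the three configs above, checks the page's own rule that HS_NETWORK must contain HS_UAMLISTEN, and refuses to build the MASQUERADE rule when HS_WANIF is empty, which is the failure described in the NAT heads-up. The function names, the index-based UAM port allocation and the derivation of 10.N.0.0/16 from VLAN id N are assumptions generalised from the configs shown, not part of newmulti.sh.

```shell
#!/bin/sh
# Added example (not from the page or the CoovaChilli project): render a per-VLAN
# chilli config in the page's pattern (VLAN N -> br0.N, 10.N.0.0/16, UAM ports
# 3990+i / 4990+i, NASID rd-vlanN), verify HS_NETWORK contains HS_UAMLISTEN, and
# refuse a MASQUERADE rule for an empty WAN interface (the page's heads-up).
# vlan_config VLAN INDEX : print the config block for one VLAN instance
vlan_config() {
    cat <<EOF
HS_LANIF=br0.$1                # subscriber-side bridge for this VLAN
HS_NETWORK=10.$1.0.0           # HotSpot Network (must include HS_UAMLISTEN)
HS_NETMASK=255.255.0.0
HS_UAMLISTEN=10.$1.0.1         # HotSpot IP Address (on subscriber network)
HS_UAMPORT=$((3990 + $2))      # unique per instance: 3990, 3991, 3992
HS_UAMUIPORT=$((4990 + $2))    # unique per instance: 4990, 4991, 4992
HS_DYNIP=10.$1.1.1
HS_DYNIP_MASK=255.255.0.0
HS_STATIP=10.$1.0.1
HS_STATIP_MASK=255.255.255.0
HS_NASID=rd-vlan$1
HS_SSID=rd-vlan$1-ssid
EOF
}
# ip2int DOTTED-QUAD : the address as a 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
# ip_in_net IP NETWORK NETMASK : succeeds when IP lies inside NETWORK/NETMASK
ip_in_net() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}
# config_value CONFIG-TEXT KEY : value of KEY in a rendered config, comment stripped
config_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\([^ #]*\).*/\1/p"
}
# check_vlan_config VLAN INDEX : render the config, verify HS_UAMLISTEN is in HS_NETWORK
check_vlan_config() {
    cfg=$(vlan_config "$1" "$2")
    ip_in_net "$(config_value "$cfg" HS_UAMLISTEN)" \
              "$(config_value "$cfg" HS_NETWORK)" "$(config_value "$cfg" HS_NETMASK)"
}
# nat_rule WANIF : the MASQUERADE rule the page adds to /etc/init.d/chilli; an
# empty name would yield "iptables ... -o  -j MASQUERADE", so refuse it instead
nat_rule() {
    [ -n "$1" ] || { echo "HS_WANIF is empty; not adding MASQUERADE rule" >&2; return 1; }
    echo "iptables -I POSTROUTING -t nat -o $1 -j MASQUERADE"
}
```

Calling check_vlan_config with 101 0, 102 1 and 103 2 reproduces the three configs on this page; nat_rule "$HS_WANIF" fails loudly instead of producing the broken iptables line.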