Please provide a simple captive portal example #77
Replies: 23 comments 30 replies
-
Thanks for your interest! While the captive portal does provide the functionality you described, it is a bit "rough" around the edges and I wouldn't recommend it as a solution for non-technical users. Why? If the Pi only has a single WiFi (the typical case), the user is forced to take a manual step to reconnect to the ad-hoc WiFi after the test for correct credentials has completed. This step is not necessary for Pis that have two WiFi adapters on them, but that's the cadillac case. The single WiFi scenario can be confusing, so I'd encourage you to do some testing if you think it might work for your users. LMK your thoughts on this...is the above completely off-putting for your usage, or do you think it might still work? If it's not going to work for you, there is RaspAP that I believe does this (I've not tried it), and a few others. If you pursue other alternatives and find one that works well for you, LMK and I can look into providing an sdm plugin for it if that would be helpful for your usage. Also, if all the users have iPhones, you could look into btwifiset, which lets the user connect to the Pi from an iPhone via Bluetooth to provide the WiFi credentials. sdm has a plugin for it, so it's quite easy to install the Pi end, and the iPhone app is in the app store. At the current time the btwifiset author has not provided an Android app. |
Beta Was this translation helpful? Give feedback.
-
Yes,
Of course, updating country= for your country. The only reason I'd suggest using a "stub" is so you can verify that One note: I haven't tested this in quite some time, so if you run into any problems/mis-behaviors, LMK and I'll check it out.. I didn't think that btwifiset would be a solution due to iphone-only, but mentioned it just in case. |
Beta Was this translation helpful? Give feedback.
-
I researched how to get the device to go to the target IP address when I built this, but at the time was unable to find a technique that worked. Probably worth revisiting this. I'll have to set up a test system to see how it behaves for me. Will try to get to it later today (PDT here). |
Beta Was this translation helpful? Give feedback.
-
Sorry, honey-do list consumed almost all available time other than getting a system set up for testing. Tomorrow... |
Beta Was this translation helpful? Give feedback.
-
Thanks for the info on captive portals, it will be helpful. I (re-)discovered last night that I had done some additional work on this over a year ago, but put it aside. There are also some important code improvements that I never completed. I'm going to spend today updating sdm-cportal with those changes. Once that's done I'll look into how to make the captive portal automatically pop. While I do have time to work on this, it could very well take several days, and possibly up to a week or two to get it working reliably. How does this align with your goals/plans? |
Beta Was this translation helpful? Give feedback.
-
My goal is a system that has no keyboard, no monitor, just a WLAN connection (RP CM4). I want it to boot up and create an adhoc network, which can either be used "as is", or alternatively be used to configure the system to connect to an existing WiFi network, which can then be used for access. I connected a monitor and keyboard to the system which I created using the five commands in my first post above, and found the boot stalled in a query asking me to confirm the user "pi" and then enter a password. After completing this form, I was then able to connect to sdm and fill out the form, but never got a network connection to the wifi network, in spite of the console reporting an IP address correctly obtained from DHCP and that 'Internet is Accessible'. Immediately after that it re-enabled access for the sdm network. The problem may be that when the sdm connection dropped, my cell phone immediately reconnected to the normal WLAN network here. So when the sdm connection came back up, and I reconnected to it, I wasn't able to get back to the correct test page or dialog. My suggestion: please give me the exact command lines to generate a boot image, perhaps modified from the five commands in my first post above. This will ensure that we have identical starting points for comparison. I'll then test that. Cheers, |
Beta Was this translation helpful? Give feedback.
-
PS: I think I understand the basic issue. Let's suppose that I am using my cell phone to configure the device. My cell phone first connects to 10.1.1.1 where I enter the network info. The device then drops the connection because it is connecting to the network that I have specified, to get its IP from dhcp. At that point, my cell also drops the connection, since the 10.1.1.1 network no longer exists. The device then establishes the 10.1.1.1 network again, to which I must reconnect manually, in order to learn the device's new IP address. I don't see any way around this with clever redirection. What I would suggest is that the device, having obtained a valid IP via DHCP, now operates under the assumption that this will be a valid IP in the future. So after the user reconnects to 10.1.1.1, they find a DIFFERENT web page. This new web page displays the IP obtained from DHCP, and provides a clickable link that will (a) redirect the browser to that new IP and at the same time (b) reset the network connection to the DHCP-obtained IP. Hopefully this will then cause the browser to also shift to this new IP when the cell phone reconnects to the public network. |
Beta Was this translation helpful? Give feedback.
-
Not ignoring you, dealing with a few life things and reacquainting myself with the sdm-cportal code. Will get back to you here once I've got things running and remember how this all works 🤣 |
Beta Was this translation helpful? Give feedback.
-
Thanks for that. I've looked at a few captive portals, and have also been reading Apple and Android docs on all this. I have a few ideas to research and try out to figure out what works. Like you, I want a simple solution for this, but it seems that the client OS (Apple, Android, and probably Windows) are (rightfully) tightening up their security requirements which of course adds complexity. So, nothing concrete to report yet, other than simply setting DHCP option 114 (Captive portal URL) doesn't work with Apple. iOS (16.4.1a) doesn't seem to honor it at all, instead opting for captive.apple.com and a few others. Lots to investigate 😲 |
Beta Was this translation helpful? Give feedback.
-
I have been thinking about "how this should work" and can think of only two choices. The first choice is more or less what you have currently described. The second choice makes use of 'Zero Configuration Network' protocols. I am not sure if it would work, but if it does, I think it would be better. (1) This approach has no timers. It requires a hardware reset button to tell RP to forget the WLAN credentials and start an AdHoc network again. (2) (b) The form also asks what NAME should be given to the device, and proposes a name like "RP472" where "472" is randomly selected. (c) RP drops AdHoc network, connects to WLAN, gets IP. (d) RP uses Multicast DNS (MDNS) to inform the WLAN network "I should be reachable under the name RP472". One can also use DNS-SD for this, I think. (e) User goes to WLAN network. Even though the user does not know the IP of the RP, the RP will be reachable under the name RP472. (f) The RP only starts an AdHoc network again if step (c) fails or if the user toggles a 'hardware reset' button. Possible improvement, just before step (c), RP sends a redirect to user device, directing it to the URL "RP472.local". This eliminates step (e) for the user, since they are automatically redirected. |
Beta Was this translation helpful? Give feedback.
-
There are other techniques, including one that was posted about 2 years ago in the Pi Forums. I'm looking at that one in more detail, and hopefully it will be suitable to use, although I need to prototype it. This method could be a lot simpler. Besides this, there is the issue of needing to use HTTPS instead of HTTP for the redirected form. Apple requires HTTPS, so this is mandatory. |
Beta Was this translation helpful? Give feedback.
-
Making good progress (ie mostly running) on the new AP technique, which looks like it will keep the AP up while it's testing the SSID/password. This will greatly simplify the end-user experience. There's a fair amount of code cleanup to do since this required ripping out the old NIC handling code and trying various approaches to get it working AND fit with the rest of the code. Still need to sort out https so that the captive portal site pop works. I think it's doable, but I have a nagging concern about the cert for this. We'll see... |
Beta Was this translation helpful? Give feedback.
-
I'm glad you think that an https server shouldn't be hard. I've found that to be the case as well, but I previously mentioned that I have a nagging concern about the cert. You didn't ask why I was concerned, but I'll tell you anyhow. Apple is (rightly so) tightening up the whole system to reduce hacking exposure surfaces. I previously mentioned that HTTPS is mandatory. A captive portal that sends the portal address with an HTTP instead of HTTPS is summarily ignored by iOS, based on my testing. So, need to use HTTPS. But still uncertain how rigorously iOS checks the cert. If it needs to be a signed cert, this gets much more complex and less friendly to set up by a large swath of people. As far as Network Manager, I'm very aware of that, of course. I didn't do a deep dive on it yet but I'm pretty sure that NM doesn't do the type of AP that I'm working with now. Besides, it still has to work with dhcpcd unless/until it's removed from RasPiOS. Ultimately, sdm-cportal will have to support both dhcpcd and NM (and maybe dhclient as well). |
Beta Was this translation helpful? Give feedback.
-
Any news? Has the iOS requirement for a "proper chain of trust" certificate blocked the way forward? |
Beta Was this translation helpful? Give feedback.
-
The portal is working reliably now. In the interest of moving things forward, I've decided to leave it with non-automatic portal web page pop, so I should have something ready to post in the next couple of days after I add LED flashing (for status), finish some code cleanups, and do some additional testing. |
Beta Was this translation helpful? Give feedback.
-
I posted the new version in the master tree, since it's so much better than what was there IMHO. There are a lot of notes at the end of the file that will eventually turn into better documentation once I've completed this. LMK how your testing goes, and I highly recommend a defaults file for that 👍 |
Beta Was this translation helpful? Give feedback.
-
(0) Starting with fresh bullseye 64-bit lite install (My vanilla home router is assigning the 192.168.123.xxx addresses via DHCP by hashing the MAC address.) I would be happy to try to update my script as you suggest, but have not been able to figure out how to do this. Is the idea to create a virtual wireless device that can simultaneously act as an AdHoc network with IP 10.1.1.1 while also connecting to an external WiFi network as (say) 192.169.123.185? Meaning that the physical WiFi device on board the RP is operating on two different networks at the same time? |
Beta Was this translation helpful? Give feedback.
-
Two quick updates. 1) Confirmed that iOS 16.5 maintains the WiFi connection better than 16.4 did (for me, at least). It still sometimes disconnects when the ssid/password test starts. I haven't looked into this in detail to see if there's a way to ameliorate.
|
Beta Was this translation helpful? Give feedback.
-
I'm on the path to completing this round of updates to the captive portal. It's working quite reliably, and can handle either dhcpcd or network manager (meaning, shuts them off while the captive portal is running, as the portal uses systemd-networkd to control the WiFi device). If you are keen to try it sooner rather than later, LMK and I'll drop an almost-final update for you. If not, it will be another week or so to finish the code updates and update the documentation. |
Beta Was this translation helpful? Give feedback.
-
Of course I know what hashing is. I was not aware that DHCP servers hashed the MAC address as opposed to simply doing a lookup on it in some internal table. Most DHCP servers have a way to assign a static IP address to a MAC address, so when that system askes for an IP address it always gets the same one. Similarly, when an unknown MAC address asks for an IP address, the DHCP server first looks to see if that MAC address has had an IP address "recently", and if that particular IP address is free, it re-assigns it. If it's busy or it's a new MAC address, the DHCP server assigns it one from the pool. Given the above, it's not clear to me how your description of hashing has anything to do with DHCP servers and IP addresses. |
Beta Was this translation helpful? Give feedback.
-
I'm nearing completion on this, and have been updating the documentation. I went back and re-read much of this thread, and I see now that you might have some confusion about how the captive portal works, so explaining it here, along with a note as to why one of your proposals won't work. The steps the Captive Portal takes are:
You have stated a few times that the Captive Portal should switch to using the acquired IP address after step 7, when it has obtained said IP address from the local network. At this point, the user's web browser has no outstanding read to the Portal, because if it did, it could very easily time out, since the length of time to get an IP address assigned is indeterminate. Further, when the user is ready to retrieve the result, how would you expect the Portal to communicate that retrieved IP address to the user's browser to present a fully-formed URL? If your answer is to connect to the existing Portal (10.1.1.1) to get it, you would be correct. After the Portal displays the obtained IP address, it's done and on to cleanup and exit. So, there's no way to communicate the obtained IP address to the browser ahead of when the user checks results, and after the results are obtained the Portal is done. Therefore, there's literally no value in switching to using the acquired IP address from the perspective of the Portal. That said, the Portal DOES restart dhcpcd or NM (whichever was running before the Portal started), and that should cause the Pi to be on the network with the obtained IP address. As this happens, note that the Portal is exiting, as its job is done. |
Beta Was this translation helpful? Give feedback.
-
I've checked in the updated Portal as well as updated documentation. I'm interested in your feedback. At the moment there is no timeout on the captive portal. It will continue running until the WiFi successfully connects or |
Beta Was this translation helpful? Give feedback.
-
Awfully quiet here. The Captive Portal is now complete, including the missing timeout capability. I'm interested in your feedback after you've reviewed the documentation and tested it. |
Beta Was this translation helpful? Give feedback.
-
I'm looking for a method for non-technical users to configure the WiFi on a headless RP-based device. When the RP first powers up, I'd like it to be in ad-hoc mode, so that a phone or computer can easily connect to it. After a connection is established, the user's phone or computer should bring up a browser with a web page, asking for networking info (or, alternatively, letting them leave the RP in ad-hoc mode). If networking info is provided, the RP should switch to that network, rebooting if needed.
Does the code in sdm-cportal provide this functionality? If so, I wanted to ask if you might add an additional "Quick start" paragraph at the end of the documentation here: https://github.com/gitbls/sdm/blob/master/Docs/Captive-Portal.md, to make it easy to try this. From reading the docs I think that the following might be sufficient, but am not sure if --nowpa is correct.
curl -L https://raw.githubusercontent.com/gitbls/sdm/master/EZsdmInstaller | bash
wget https://downloads.raspberrypi.org//raspios_lite_arm64/images/raspios_lite_arm64-2023-02-22/2023-02-21-raspios-bullseye-arm64-lite.img.xz
xz -d -v 2023-02-21-raspios-bullseye-arm64-lite.img.xz
sudo sdm --customize --loadlocal wifi --nowpa --restart --user myuser --password-user mypassword 2023-02-21-raspios-bullseye-arm64-lite.img
sudo sdm --burn /dev/sde --hostname mypi1 --expand-root 2023-02-21-raspios-bullseye-arm64-lite.img
Beta Was this translation helpful? Give feedback.
All reactions