This section takes a lot from a document which can be found Here. Many thanks to the author for making things clear to me.
Before you install ChilliSpot you may need to know what it will be up to. This is a brief introduction to ChilliSpot.
The goal is to set up a gateway that will force users to log in (via a captive portal web page).
The machine containing ChilliSpot should have 2 network interfaces (we will use eth0 and eth1 in our example).
Eth0 is connected to the Internet.
Eth1 is an internal interface THROUGH which our other machines will connect to the Internet.
We can connect a switch to Eth1. To this switch we can attach a number of other machines or wireless Access Points (layer 2 transparent bridges).
ChilliSpot runs a program called 'chilli' which takes control of the internal interface (eth1) using a vtun kernel module to bring up a virtual interface (tun0). In fact the vtun kernel module is used to move IP packets from the kernel to user mode, in such a way that ChilliSpot can function without any non-standard kernel modules. ChilliSpot then sets up a DHCP server (this can be disabled from the ChilliSpot conf file) on the tun0 interface.
A client connecting to this interface has all packets rejected until it is authorized through the ChilliSpot login page (acting as a supplicant for authentication). When a non-authenticated client tries to connect to a web page (on port 80 or 443) the request is intercepted by chilli and redirected to a Perl script called 'hotspotlogin.cgi' (served by Apache over https).
'hotspotlogin.cgi' serves a page to the end-user with a username and password field. These authentication data are then forwarded to the Free Radius server, which matches them with information in its backend (using either PAP or CHAP). The backend in this case is MySQL, but could be any number of services such as LDAP, Kerberos, unix passwd files or even Active Directory (probably).
A user is then either rejected or authenticated by Free Radius, prompting hotspotlogin.cgi to present either a rejection message or a page with a success message and a logout link to the user.
ChilliSpot is back! As of this writing you can grab ChilliSpot here.
Note: A VERY BIG Thank You for those involved in the recreation of our favourite Captive Portal's website.
Alternatively CoovaChilli is available which includes a few enhancements.
The plan was to document the use of CoovaChilli instead of ChilliSpot here, but I've decided against it. I would rather create a recipe in the Cookbook dedicated to CoovaChilli, since it has lots of enhancements. It has been reported that the original ChilliSpot's config file works perfectly with CoovaChilli.
Grab the latest release of ChilliSpot and do the following:
```sh
tar -xzvf chillispot-1.1.0.tar.gz
cd chillispot-1.1.0
./configure
make
sudo make install
```

This will install ChilliSpot in the '/usr/local' directory.
For security reasons we want to present the login page only via an encrypted (https) connection, so we need to configure Apache to serve SSL encrypted pages.
You need to install the openssl package, if it is not already installed.
```sh
sudo apt-get install openssl
```
I'm not going to repeat documentation. This HOWTO Here will supply all required information to configure your SSL enabled website.
Note: If you fancy a more fancy login script, see Appendix A to use a PHP Login script.
There are some important files which you will find inside the 'doc' directory situated below the 'chillispot-1.1.0' directory created when you extract the chillispot-1.1.0.tar.gz file.
Copy the hotspotlogin.cgi file to the directory defined for CGI scripts in Apache.
```sh
sudo mkdir -p /usr/lib/cgi-bin
sudo cp /(where_you_extracted_chillispot_to)/doc/hotspotlogin.cgi /usr/lib/cgi-bin/
sudo chmod +x /usr/lib/cgi-bin/hotspotlogin.cgi
```

Be sure the following two lines in /usr/lib/cgi-bin/hotspotlogin.cgi are configured. Please change the secret value to something difficult.
```perl
# Shared secret used to encrypt challenge with. Prevents dictionary attacks.
# You should change this to your own shared secret.
$uamsecret = "ht2eb8ej6s4et3rg1ulp";

# Uncomment the following line if you want to use ordinary user-password
# for radius authentication. Must be used together with $uamsecret.
$userpassword=1;
```
Eth0 should be active while Eth1 should not be configured. You can use a fixed IP or DHCP address on Eth0. To verify that Eth1 is not configured, go to 'System->Administration->Networking'. To disable an interface, select it, select 'Properties' and de-select 'Enable this connection'.
ChilliSpot will use Eth1 to create a virtual tunnel on top of it, so it must not be configured.
You need to enable the routing of IP packets between the two network interfaces (eth0 and eth1). To enable this you need to make sure the '/etc/sysctl.conf' file contains the following:
```
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.conf.default.forwarding=1
```

This will enable routing between the network interfaces.
Note: Sometimes this does not activate the routing, and you'll have to then 'brute force' it with:

```
net.ipv4.ip_forward = 1
```
You also need to secure your 802.11 hotspot from the outside world. There is a sample firewall script 'firewall.iptables' which you can use. Please look inside it to ensure it matches your setup (your network interfaces may differ from the ones it uses). You may also want to add extra rules to open certain incoming ports.
```sh
sudo cp /(where_you_extracted_chillispot_to)/doc/firewall.iptables /etc/init.d/
sudo ln -s /etc/init.d/firewall.iptables /etc/rcS.d/S40firewall.iptables
```

This will ensure that the firewall is up and running during startup.
ChilliSpot by default will look for the file called 'chilli.conf' inside the '/etc' directory upon startup. Again there is a sample one inside the 'doc' directory which you should use.
```sh
sudo cp /(where_you_extracted_chillispot_to)/doc/chilli.conf /etc/chilli.conf
```

Be sure you check and specify the following list of items inside this file.
Table 4. Important parameters to specify or verify
Parameter | Comment |
---|---|
uamserver | https://192.168.182.1/cgi-bin/hotspotlogin.cgi |
uamhomepage | http://192.168.182.1/cake/hotcakes/welcome/login_page.html |
uamsecret | (same as value specified in hotspotlogin.cgi) |
uamallowed | Specify the DNS servers defined on your machine |
radiusserver1 | 127.0.0.1 |
radiusserver2 | 127.0.0.1 |
radiussecret | testing123 |
dhcpif | eth1 (the network interface NOT on the Internet) |
It is important to verify what the DNS servers are that your machine uses. Go to 'System->Administration->Networking' to specify or verify them.
ChilliSpot will specify them (if not exclusively specified in /etc/chilli.conf) to clients requesting DHCP IP addresses. You need to allow traffic through to these DNS servers even BEFORE a client machine is authenticated in order to resolve domain names to IP address numbers. This is why they need to be specified in the 'uamallowed' list.
The 'uamhomepage' is typically where you will inform clients about your mega, ultra, supa cool hotspot. Please edit this file to suit your needs. This is the first page they will be greeted with - first impressions :).
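The cross-checks asked for above (the same uamsecret in chilli.conf and hotspotlogin.cgi, no sample secrets left in place, every DNS server listed in uamallowed) can be scripted. This is an added example, not part of ChilliSpot or of the original HOWTO; it assumes chilli.conf holds "key value" lines with '#' comments, takes the resolver file as an argument, and uses hypothetical function names.

```shell
#!/bin/sh
# Added example (not shipped with ChilliSpot): cross-check the files edited above.
# Assumption: chilli.conf holds "key value" lines, with '#' starting a comment.

# conf_value FILE KEY: values of KEY on active lines, comma-joined
conf_value() {
    awk -v k="$2" '$1 == k { print $2 }' "$1" | paste -sd, -
}

# cgi_secret FILE: the active (uncommented) $uamsecret in hotspotlogin.cgi
cgi_secret() {
    sed -n 's/^[[:space:]]*\$uamsecret[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        head -n 1
}

# audit_hotspot CHILLI_CONF LOGIN_CGI RESOLV_CONF
# Prints one line per finding; the return status is the number of findings.
audit_hotspot() {
    conf=$1 cgi=$2 resolv=$3 findings=0
    uam=$(conf_value "$conf" uamsecret)
    rad=$(conf_value "$conf" radiussecret)
    allowed=$(conf_value "$conf" uamallowed)

    # chilli and the login script must share one secret
    if [ -z "$uam" ] || [ "$uam" != "$(cgi_secret "$cgi")" ]; then
        echo "uamsecret unset, or different in $conf and $cgi"
        findings=$((findings + 1))
    fi
    # Values printed on this page are public and must not stay in use
    if [ "$uam" = "ht2eb8ej6s4et3rg1ulp" ]; then
        echo "uamsecret is still the sample value"
        findings=$((findings + 1))
    fi
    if [ "$rad" = "testing123" ]; then
        echo "radiussecret is still testing123"
        findings=$((findings + 1))
    fi
    # Each resolver must be listed literally in uamallowed
    # (a covering subnet entry is not recognised by this simple check)
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$resolv"); do
        case ",$allowed," in
            *",$ns,"*) ;;
            *) echo "DNS server $ns missing from uamallowed"
               findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}
# Usage: audit_hotspot /etc/chilli.conf /usr/lib/cgi-bin/hotspotlogin.cgi /etc/resolv.conf
```

A return status of 0 means none of the three checks fired; run it again after every edit to either file.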
The startup script included with ChilliSpot is not suitable for Ubuntu. You can use the following one. Create a file called 'chillispot' inside the '/etc/init.d' directory.
```sh
#!/bin/sh
#
# chillispot    Start the chilli daemon.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# Copyright (C) 2007 Hotcakes

prefix=/usr/local
exec_prefix=${prefix}
sbindir=${exec_prefix}/sbin
localstatedir=${prefix}/var
rundir='/var/run/'
sysconfdir=${prefix}/etc
export LD_LIBRARY_PATH LD_RUN_PATH LD_PRELOAD

CHILLID=$sbindir/chilli
DESC="Chillispot"
#ARGS=""
#To allow hotcakes to disconnect a user
ARGS="--coaport 3799"

test -f $CHILLID || exit 0
test -f /etc/chilli.conf || exit 0

case "$1" in
    start)
        echo -n "Starting $DESC:"
        $CHILLID $ARGS
        echo "chillispot"
        ;;
    stop)
        [ -z "$2" ] && echo -n "Stopping $DESC: "
        [ -f $rundir/chilli.pid ] && kill -TERM `cat $rundir/chilli.pid`
        [ -z "$2" ] && echo "chillispot."
        ;;
    restart)
        sh $0 stop quiet
        sleep 3
        sh $0 start
        ;;
    *)
        echo "Usage: /etc/init.d/chillispot {start|stop|restart}"
        exit 1
esac

exit 0
```

Then you need to enable it during start up:
```sh
sudo chmod +x /etc/init.d/chillispot
sudo ln -s /etc/init.d/chillispot /etc/rcS.d/S90chillispot
```