Chaos Calmer 15 05 Captive Portal

Plan

  1. We will remove the gl-inet standard software by flashing the factory image from OpenWrt.
  2. We will allow internet through cable WAN and USB 4G HUAWEI E3372 LTE as WAN2, and load balance with the package "mwan3".
  3. We will open SSH from outside to WAN.
  4. We will set up dynamic DNS through freedns.afraid.org for both WAN and WAN2, to capture the IP from either WAN or WAN2.
  5. We will log the syslog to papertrailapp.com.
  6. We will set up a free account at hotspotsystem.com to open a free wifi with a captive portal.

Remove gl-inet router software and install default OpenWrt factory image

  • Click the reset button for 5 s.

Plug in a cable from the router LAN to the WAN port on the gl-inet router.

  • Join network: GL-iNet-a48
  • Password: goodlife

Visit: http://192.168.8.1/
Setup position and password. Go to advanced settings.

Go to: http://downloads.openwrt.org/chaos_calmer/15.05/

ar71xx -> generic -> openwrt-15.05-ar71xx-generic-gl-inet-6416A-v1-squashfs-factory.bin

Enable Wifi and set subnet to 192.168.3.1

This will set the standard network to 192.168.1.1 with DHCP server on.
This can clash with your current router. Unplug WAN cable to router.

From LAN on computer connect to LAN on gl-inet.

telnet 192.168.1.1
passwd
exit
ssh root@192.168.1.1

Change network

ifconfig
uci show network.lan
uci set network.lan.ipaddr=192.168.3.1
uci commit network
/etc/init.d/network restart

This stops the connection. Connect again.
ssh root@192.168.3.1

Setup wifi

uci show wireless
uci set wireless.radio0.disabled=0    
uci show wireless
uci commit wireless
wifi

You should now be able to join the network: OpenWrt
with no password.
Unplug the cable from computer LAN to gl-inet LAN.
Plug in a cable from router LAN to gl-inet WAN.

Join the wireless internet, access router, and test network access

ssh  root@192.168.3.1
ping google.com

Setup ssh

From your own computer do:

scp $HOME/.ssh/id_rsa.pub root@192.168.3.1:/etc/dropbear/authorized_keys
ssh-add
ssh root@192.168.3.1

An SSH config file on your computer could be

cat $HOME/.ssh/config
----
Host gl
HostName 192.168.3.1
Port 22
User root
----

So you can do

ssh gl

Install packages for 4G USB dongle “HUAWEI E3372 LTE” and make new eth2 interface on the USB port

Check physical interface, and install packages for 4G usb dongle to attach to a physical interface

ifconfig -a
opkg update && opkg install kmod-usb-net-cdc-ether usb-modeswitch

Plug the 4G USB dongle “HUAWEI E3372 LTE” into the USB port.

ifconfig -a

This should now show a new interface “eth2”.

Create new “wan2” interface

uci show network
uci set network.wan2=interface
uci set network.wan2.ifname='eth2'
uci set network.wan2.proto='dhcp'
uci commit network
ifdown wan2
ifup wan2
ifconfig

Check that eth2 now has an ip-address of 192.168.8.100 from the 4G dongle

ifconfig eth2

Add wan2 to wan zone.
Do in luci:
Go to luci -> Network -> Firewall
Edit zone: wan ; wan6 ⇒ REJECT. Add wan2 to Covered networks.

Or

uci set firewall.@zone[1].network='wan wan2 wan6'
uci commit firewall
/etc/init.d/firewall restart
uci show firewall

Check

uci show firewall | grep wan2
# firewall.@zone[1].network='wan wan2 wan6'

Then visit web address: 192.168.8.1 , to activate internet.
Preferably from another browser like firefox. Cache problems in browser?
Should activate internet.

Make a backup of settings.
Luci -> System -> Backup / Firmware -> Generate archive

Allow SSH on wan zone

On internet router: 192.168.1.1
Set static DHCP to gl-inet router to: 192.168.1.43 (The IP the gl-inet router should have statically).
Set NAT for port 22 (Start Port, End Port, Translation Start Port, Translation End port) to: 192.168.1.43

See:
https://wiki.openwrt.org/doc/uci/firewall
https://forum.openwrt.org/viewtopic.php?id=24683

On gl-inet, do

uci add firewall rule
uci set firewall.@rule[-1].name='WANSSH'
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].dest_port=22
uci commit firewall
/etc/init.d/firewall restart
uci show firewall

Visit http://whatismyipaddress.com/ to get IP
From computer:

ssh root@IP

Read more here for advanced safety: https://wiki.openwrt.org/doc/howto/secure.access

  • Change default port away from 22
  • Make another user than root
  • Do not allow password authentication, but only SSH key

Access luci from outside through SSH port forwarding to local host

You can now access luci from outside

ssh -L 8080:localhost:80 root@IP

Then visit: http://127.0.0.1:8080/

Setup dynamic DNS

Read about dynamic ddns: https://wiki.openwrt.org/doc/howto/ddns.client

Install packages

opkg update && opkg install luci-app-ddns ddns-scripts curl ca-certificates

Use service from: http://freedns.afraid.org/
Register: http://freedns.afraid.org/signup/
Setup a subdomain, http://freedns.afraid.org/subdomain/
Type A, glinet, mooo.com, the suggested ip

Go to: http://freedns.afraid.org/dynamic/
Click “Direct link”, and get token from after ?: http://freedns.afraid.org/dynamic/update.php?**xxTOKEN_1xx**

See setup:

uci show ddns

Standard is:

ddns.global=ddns
ddns.global.date_format='%F %R'
ddns.global.log_lines='250'
ddns.global.allow_local_ip='0'
ddns.myddns_ipv4=service
ddns.myddns_ipv4.service_name='dyndns.com'
ddns.myddns_ipv4.domain='yourhost.example.com'
ddns.myddns_ipv4.username='your_username'
ddns.myddns_ipv4.password='your_password'
ddns.myddns_ipv4.interface='wan'
ddns.myddns_ipv4.ip_source='network'
ddns.myddns_ipv4.ip_network='wan'

Setup for wan

uci set ddns.myddns_ipv4=service
uci set ddns.myddns_ipv4.interface='wan'
uci set ddns.myddns_ipv4.enabled='1'
uci set ddns.myddns_ipv4.service_name='freedns.afraid.org'
uci set ddns.myddns_ipv4.domain='glinet.mooo.com'
uci set ddns.myddns_ipv4.username='NIL'
uci set ddns.myddns_ipv4.password='xxTOKEN_1xx'
uci set ddns.myddns_ipv4.use_syslog='1'
uci set ddns.myddns_ipv4.use_logfile='1'
uci set ddns.myddns_ipv4.ip_source='web'
uci set ddns.myddns_ipv4.ip_url='http://checkip.dyndns.com'
uci commit ddns    
/etc/init.d/ddns enable
/etc/init.d/ddns restart

Test that both have connection.

ping -c 1 -I eth0 www.google.com
ping -c 1 -I eth2 www.google.com

Add another for wan2.
Set up a new subdomain, http://freedns.afraid.org/subdomain/
Type A, glinet4g, mooo.com, the suggested ip
Remember to get the new token from the “Direct link”.

uci set ddns.myddns_4g=service
uci set ddns.myddns_4g.interface='wan2'
uci set ddns.myddns_4g.enabled='1'
uci set ddns.myddns_4g.service_name='freedns.afraid.org'
uci set ddns.myddns_4g.domain='glinet4g.mooo.com'
uci set ddns.myddns_4g.username='NIL'
uci set ddns.myddns_4g.password='xxTOKEN_2xx'
uci set ddns.myddns_4g.use_syslog='1'
uci set ddns.myddns_4g.use_logfile='1'
uci set ddns.myddns_4g.ip_source='web'
uci set ddns.myddns_4g.ip_url='http://checkip.dyndns.com'
uci commit ddns    
/etc/init.d/ddns enable
/etc/init.d/ddns restart

From your computer try pinging. You may have to wait 10 min before the DNS script has run.

ping glinet.mooo.com
ping glinet4g.mooo.com

On gl-inet, for testing purposes

ps -w | grep dynami
cat /var/log/ddns/myddns_ipv4.log
cat /var/log/ddns/myddns_4g.log
curl --interface eth0 -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//'

Make a backup of settings.
Luci -> System -> Backup / Firmware -> Generate archive

Multiple WAN from router internet and 4G dongle

Multiple wan setup is needed, when setting up a router with more than 1 wan.
https://wiki.openwrt.org/doc/howto/mwan3

Change metric for wan interfaces

uci show network
uci set network.wan.metric='10'
uci set network.wan2.metric='20'
uci commit
ifdown wan
ifup wan
ifdown wan2
ifup wan2
uci show network

Install

opkg update && opkg install luci-app-mwan3
mwan3 status
mwan3 interfaces

wan2 is disabled.
reboot

Check in luci: a new menu entry "Network > Load Balancing" should now be present.

See settings

uci show mwan3
uci set mwan3.wan2.enabled='1'
uci commit mwan3
mwan3 restart
mwan3 status
mwan3 interfaces

This should work.

Now test:

ping -c 3 -W 2 -I eth0 8.8.4.4
ping -c 3 -W 2 -I eth2 8.8.8.8

If both a cable and a 4G modem are plugged in, we want to let traffic balance on only the cable. This is to minimise data consumption on 4G when it is not needed.

uci show mwan3
uci show mwan3.balanced
uci del_list mwan3.balanced.use_member='wan2_m1_w2'
uci add_list mwan3.balanced.use_member='wan2_m2_w2'
uci commit mwan3
uci show mwan3
uci show mwan3.balanced
mwan3 restart

Check: http://whatismyipaddress.com/
Now unplug cable to WAN.

Check: http://whatismyipaddress.com/

Allow ssh on wan2 4G dongle - NOT WORKING

CANNOT GET THIS TO WORK

Check IP on: http://whatismyipaddress.com/

ping IP

There must be something closed on the modem.
Read this:

Sync syslog to papertrailapp.com

This is to keep track of MAC to internal IP's.

Make account on: https://papertrailapp.com

See:
http://help.papertrailapp.com/kb/configuration/configuring-remote-syslog-from-routers-switches-network-devices/

Get setup:
Dashboard -> Add systems -> Other -> My system's hostname changes
What should we call it? WIFI_01

Get: WIFI_01 to log to logsX.papertrailapp.com:YYYYY.

Where X is the server, and YYYYY is a designated port.

Then do the following. You can only use IP address.

nslookup logsX.papertrailapp.com
uci show system
uci set system.@system[0].log_ip=173.247.107.218
uci set system.@system[0].log_port=YYYYY
uci commit system
uci show system
reboot

Check in: https://papertrailapp.com/dashboard

Make Captive portal through www.hotspotsystem.com

NOTE: This will not work together with the mwan3 package.
See: https://forum.openwrt.org/viewtopic.php?id=62744

Uninstall mwan3 package before continuing.

opkg remove luci-app-mwan3 mwan3
reboot

Make account at: http://www.hotspotsystem.com/

Go to: https://www.hotspotsystem.com/controlcenter/ and login.

  • Manage -> Locations
  • Add a New HotSpot Location
  • Hotspot FREE -> Basic
  • Name of Location* = WIFI_01
  • Make most default
  • Default Language: The language for the Captive Portal
  • Validity Period of Free Access Codes*: 1 Hour

Save. Then modify the location:

On computer download setup scripts

bash
cd $HOME/Downloads
OPERATOR=metheoperator
LocID=2
wget -O Setup_capt_Loc${LocID}.sh http://www.hotspotsystem.com/controlcenter/install.php?operator=${OPERATOR}\&location=${LocID}\&version=openwrt

IntIP=3
wget -O Setup_capt_Loc${LocID}_IP${IntIP}.sh http://www.hotspotsystem.com/controlcenter/install.php?operator=${OPERATOR}\&location=${LocID}\&version=openwrt\&subnet=${IntIP}

WDS=1
wget -O Setup_capt_Loc${LocID}_IP${IntIP}_WDS${WDS}.sh http://www.hotspotsystem.com/controlcenter/install.php?operator=${OPERATOR}\&location=${LocID}\&version=openwrt\&subnet=${IntIP}\&wds=${WDS}

chmod 755 Setup_capt*.sh
diff Setup_capt_Loc${LocID}.sh Setup_capt_Loc${LocID}_IP${IntIP}.sh
diff Setup_capt_Loc${LocID}.sh Setup_capt_Loc${LocID}_IP${IntIP}_WDS1.sh

This shows that there are only changes if more stations are attached to the same router.

Copy setup script over

scp Setup_capt_Loc${LocID}.sh root@192.168.3.1:/tmp
ssh root@192.168.3.1
cd /tmp

In router, install packages and run setup:

opkg update && opkg install coova-chilli kmod-tun wget
ash Setup_capt_Loc2.sh

# Then disable chilli, since we are going to make a hotplug script
/etc/init.d/chilli stop
/etc/init.d/chilli disable

Run the crontab manually, to send the first messages to hotspotsystem.com

crontab -l | grep -v '^#' | cut -f 6- -d ' ' > /tmp/crontab.sh
ash /tmp/crontab.sh

Check then if the location is up:
https://www.hotspotsystem.com/controlcenter/locations.php

Restart router

reboot

This should set it up.
When connecting to Wifi, the IP should now be on subnet 192.168.182.x

Turn on Wifi, and turn on wifi from your computer. Check if IP is from correct subnet.

ifconfig | grep 192.168

Should give address of 192.168.182.x
Check also syslog: https://papertrailapp.com/systems/WIFI_01/events

Problems with setup

If there are problems, log in to the router to see if chilli is running

ssh root@192.168.3.1
ps -w | grep chil
cat /etc/hotplug.d/iface/30-chilli
cat /etc/chilli/defaults

If problems, start checking the default:

cat /etc/chilli/defaults | grep HS_

It seems that the mwan3 package is interfering with the setup.

Probably related to: https://wiki.openwrt.org/doc/howto/mwan3#nodogsplash

mwan3 stop

This should help.

Fix: “Sync error: Wrong time information is present in the router”

http://help.hotspotsystem.com/knowledgebase/how-to-fix-sync-error-wrong-time-information-is-present-in-the-router

You must not change any timezone related settings in the router. Time on routers must always be GMT / UTC: +00:00 with DST off, regardless of your local time zone. If you accidentally changed these settings please set it back to the following:
Time Zone / Summer Time (DST) > UTC / none
Use local time > unchecked

Go to: System -> System
Change time to EUROPE/London

See time:

date

See account user login/off

To Log-off, visit:
http://192.168.182.1:3990
http://192.168.182.1:3990/logoff

Troubleshooting

route -n
ip route
ip rule
iptables -L -t mangle -v -n

Setup admin wifi and modify coova-chilli hotplug

coova-chilli is started as a hot plug event.
https://wiki.openwrt.org/doc/techref/hotplug
“Every time an interface goes up or down, all scripts in the /etc/hotplug.d/iface/ directory are executed, in alphabetical order”

Make new admin wifi

First we make a new wifi, which is not influenced by coova-chilli.
In this way, we always have a connection in.
And we rename the old wifi.

uci show wireless
uci set wireless.@wifi-iface[0].ssid='Free Wifi'
uci add wireless wifi-iface
uci set wireless.@wifi-iface[-1]=wifi-iface
uci set wireless.@wifi-iface[-1].device='radio0'
uci set wireless.@wifi-iface[-1].mode='ap'
uci set wireless.@wifi-iface[-1].ssid='Free Wifi admin'
uci set wireless.@wifi-iface[-1].network='lan'
uci set wireless.@wifi-iface[-1].encryption='psk-mixed'
uci set wireless.@wifi-iface[-1].key='goodlife'
uci show wireless
uci commit wireless
wifi

On your computer, join “Free Wifi admin”, and check 192.168.3.x

ifconfig | grep 192.168

On your computer, join “Free Wifi”, and check for 192.168.182.x
Join again “Free Wifi admin”, and stay on this.

Modify coova-chilli

Initial logging and inspection

Now let us check the hotplug startup scripts, and add some logging to syslog

cd /etc/hotplug.d/iface
ls -1 
cat 30-chilli

You should get something like:

#!/bin/sh
[ "$ACTION" == "ifup" ] || exit 0
[ "$INTERFACE" = "wan" ] && {
    /etc/init.d/chilli restart
}

Now add a logging event

sed -i '/#!\/bin\/sh/alogger -t chilli "Chilli hotplug due to $ACTION of $INTERFACE ($DEVICE)"' 30-chilli
cat 30-chilli
reboot

Now check syslog in https://papertrailapp.com/systems/WIFI_01/events or

logread | grep chilli:

or luci: Status > System Log

You should get something like

Mon Feb 15 16:03:12 2016 user.notice chilli: Chilli hotplug due to ifup of lan (br-lan)
Mon Feb 15 16:03:14 2016 user.notice chilli: Chilli hotplug due to ifup of loopback (lo)
Mon Feb 15 16:03:15 2016 user.notice chilli: Chilli hotplug due to ifup of wan (eth0)

From /etc/hotplug.d/iface/30-chilli we can then read that

  • If the $ACTION is different from “ifup”, then exit the script.
  • If the interface is “wan” then “/etc/init.d/chilli restart” is initiated.

Let us see if we can get the status of the wan and wan2, when hotplug is running.

Try in terminal in router:

cat /var/state/network
WANIF=`uci -P /var/state -q get network.wan.ifname`
WANUP=`uci -P /var/state -q get network.wan.up`
WAN2IF=`uci -P /var/state -q get network.wan2.ifname`
WAN2UP=`uci -P /var/state -q get network.wan2.up`
echo WAN $WANIF $WANUP
echo WAN2 $WAN2IF $WAN2UP
if [ -z "$WANUP" ]; then WANUP=0; fi; echo $WANUP
if [ -z "$WAN2UP" ]; then WAN2UP=0; fi; echo $WAN2UP

Now modify /etc/hotplug.d/iface/30-chilli

opkg update && opkg install nano
nano /etc/hotplug.d/iface/30-chilli

Add the following

#!/bin/sh

WANIF=`uci -P /var/state -q get network.wan.ifname`
WANUP=`uci -P /var/state -q get network.wan.up`
WAN2IF=`uci -P /var/state -q get network.wan2.ifname`
WAN2UP=`uci -P /var/state -q get network.wan2.up`
if [ -z "$WANUP" ]; then WANUP=0; fi; echo $WANUP
if [ -z "$WAN2UP" ]; then WAN2UP=0; fi; echo $WAN2UP
logger -t chilli "Chilli hotplug due to $ACTION of $INTERFACE ($DEVICE). WAN=${WANIF},${WANUP} WAN2=${WAN2IF},${WAN2UP}"

[ "$ACTION" == "ifup" ] || exit 0

[ "$INTERFACE" = "wan" ] && {
    /etc/init.d/chilli restart
}

Then do

ifdown wan
ifup wan
logread | grep chilli:
reboot
logread | grep chilli:

You should get something like:

Mon Feb 15 17:00:01 2016 user.notice chilli: Chilli hotplug due to ifup of lan (br-lan). WAN=eth0,0 WAN2=eth2,0
Mon Feb 15 17:00:03 2016 user.notice chilli: Chilli hotplug due to ifup of loopback (lo). WAN=eth0,0 WAN2=eth2,0
Mon Feb 15 17:00:04 2016 user.notice chilli: Chilli hotplug due to ifup of wan (eth0). WAN=eth0,1 WAN2=eth2,0

Now plug in the 4G modem, wait 10 seconds, and unplug.

logread | grep chilli:

You should get something like:

Mon Feb 15 17:00:23 2016 user.notice chilli: Chilli hotplug due to ifup of lan (br-lan). WAN=eth0,0 WAN2=eth2,0
Mon Feb 15 17:00:24 2016 user.notice chilli: Chilli hotplug due to ifup of loopback (lo). WAN=eth0,0 WAN2=eth2,0
Mon Feb 15 17:00:26 2016 user.notice chilli: Chilli hotplug due to ifup of wan (eth0). WAN=eth0,1 WAN2=eth2,0
Mon Feb 15 17:12:10 2016 user.notice chilli: Chilli hotplug due to ifup of wan2 (eth2). WAN=eth0,1 WAN2=eth2,1
Mon Feb 15 17:12:51 2016 user.notice chilli: Chilli hotplug due to ifdown of wan2 (). WAN=eth0,1 WAN2=eth2,1

This shows that something is wrong. Something is missing to update the state.

nano /etc/hotplug.d/iface/00-netstate

Add this:

[ ifdown = "$ACTION" ] && {
    uci_toggle_state network "$INTERFACE" up 0
}

Now plug in the 4G modem, wait 10 seconds, and unplug.

logread | grep chilli:

This gives:

Mon Feb 15 17:00:23 2016 user.notice chilli: Chilli hotplug due to ifup of lan (br-lan). WAN=eth0,0 WAN2=eth2,0
Mon Feb 15 17:00:24 2016 user.notice chilli: Chilli hotplug due to ifup of loopback (lo). WAN=eth0,0 WAN2=eth2,0
Mon Feb 15 17:00:26 2016 user.notice chilli: Chilli hotplug due to ifup of wan (eth0). WAN=eth0,1 WAN2=eth2,0
Mon Feb 15 17:12:10 2016 user.notice chilli: Chilli hotplug due to ifup of wan2 (eth2). WAN=eth0,1 WAN2=eth2,1
Mon Feb 15 17:12:51 2016 user.notice chilli: Chilli hotplug due to ifdown of wan2 (). WAN=eth0,1 WAN2=eth2,1
Mon Feb 15 17:25:16 2016 user.notice chilli: Chilli hotplug due to ifup of wan2 (eth2). WAN=eth0,1 WAN2=eth2,1
Mon Feb 15 17:27:10 2016 user.notice chilli: Chilli hotplug due to ifdown of wan2 (). WAN=eth0,1 WAN2=eth2,0

More information about init scripts in OpenWrt
http://wiki.openwrt.org/doc/techref/initscripts

Now we have to understand the init script:

cat /etc/init.d/chilli 
ls -v1 /etc/rc.d/*

Since chilli is started in hotplug, there is no initscript.

cat /etc/init.d/chilli 
cat /etc/chilli/functions | grep defaults

Let us change the interface to wan2 with eth2.

cat /etc/chilli/defaults | grep WANIF
sed -i "s/HS_WANIF=.*/HS_WANIF=eth2/g" /etc/chilli/defaults
cat /etc/chilli/defaults | grep WANIF

Large rewrite of chilli hotplug script

Let us make the chilli hotplug so:

  • if wan is up, use this interface
  • if wan and wan2 are up, use wan
  • if wan2 is up, and wan is down, use wan2
  • if wan goes down and wan2 is up, use wan2

nano /etc/hotplug.d/iface/30-chilli

And then put in:

#!/bin/sh

WANIF=`uci -P /var/state -q get network.wan.ifname`
WANUP=`uci -P /var/state -q get network.wan.up`
WAN2IF=`uci -P /var/state -q get network.wan2.ifname`
WAN2UP=`uci -P /var/state -q get network.wan2.up`
if [ -z "$WANUP" ]; then WANUP=0; fi
if [ -z "$WAN2UP" ]; then WAN2UP=0; fi
logger -t chilli "Chilli hotplug due to $ACTION of $INTERFACE ($DEVICE). WAN=${WANIF},${WANUP} WAN2=${WAN2IF},${WAN2UP}"

setwan() {
    #sed -i "s/HS_WANIF=.*/HS_WANIF=wan/g" /etc/chilli/defaults
    sed -i "s/HS_WANIF=.*/HS_WANIF=$WANIF/g" /etc/chilli/defaults
}

setwan2() {
    #sed -i "s/HS_WANIF=.*/HS_WANIF=wan2/g" /etc/chilli/defaults
    sed -i "s/HS_WANIF=.*/HS_WANIF=$WAN2IF/g" /etc/chilli/defaults
}

dorestart() {
    HSWANIF=`cat /etc/chilli/defaults | grep WANIF`
    logger -t chilli "In /etc/chilli/defaults: $HSWANIF"

    # Offer hotspot service via the LAN ports (wired connection)
    # https://help.hotspotsystem.com/knowledgebase/offer-hotspot-service-via-the-lan-ports-wired-connection
    #logger -t chilli "Starting chilli through $HSWANIF, and offering through br-lan"
    #sed -i "s/HS_LANIF=.*/HS_LANIF=br-lan/g" /etc/chilli/defaults 

    ## Disable DHCP on LAN
    logger -t chilli "Starting chilli on $HSWANIF, and setting dhcp.lan.ignore='1'"
    uci set dhcp.lan.ignore='1'
    uci commit dhcp
    /etc/init.d/dnsmasq restart

    # Now restart
    /etc/init.d/chilli restart
}

if [ "$ACTION" == "ifup" ]; then
    echo "ifup for $INTERFACE ($DEVICE)"
    if [ "$INTERFACE" == "wan" ]; then
        setwan
        dorestart
    elif [ "$INTERFACE" == "wan2" ]; then
        if [ "$WANUP" == "1" ]; then
            setwan
            dorestart
        else
            setwan2
            dorestart
        fi
    elif [ "$INTERFACE" == "lan" ]; then
        # Enable DHCP on LAN
        logger -t chilli "Starting $INTERFACE, and setting dhcp.lan.ignore='0'"
        uci set dhcp.lan.ignore='0'
        uci commit dhcp
        /etc/init.d/dnsmasq restart

        # Set default of chilli
        sed -i "s/HS_LANIF=.*/HS_LANIF=wlan0/g" /etc/chilli/defaults 
    else
        logger -t chilli "Not starting chilli, since $INTERFACE is not wan or wan2"
    fi

elif [ "$ACTION" == "ifdown" ]; then
    echo "ifdown for $INTERFACE ($DEVICE)"
    if [ "$INTERFACE" == "wan" ] || [ "$INTERFACE" == "wan2" ]; then
        if [ "$WANUP" == "1" ] || [ "$WAN2UP" == "1" ]; then
            if [ "$WANUP" == "1" ]; then
                setwan
            elif [ "$WAN2UP" == "1" ]; then
                setwan2
            fi
            dorestart
        else
            # Enable DHCP on LAN
            logger -t chilli "Since neither wan or wan2 up, setting dhcp.lan.ignore='0'"
            uci set dhcp.lan.ignore='0'
            uci commit dhcp
            /etc/init.d/dnsmasq restart

            # Set default of chilli
            sed -i "s/HS_LANIF=.*/HS_LANIF=wlan0/g" /etc/chilli/defaults 

            /etc/init.d/chilli stop
            logger -t chilli "Neither wan or wan2 up. Stopping chilli."
        fi
    else
        logger -t chilli "$ACTION for $INTERFACE ($DEVICE). Chilli not changed."
    fi

else
    echo "$ACTION for $INTERFACE ($DEVICE)"
    logger -t chilli "Unknown: $ACTION for $INTERFACE ($DEVICE)"
fi

Then

reboot

Check of logs and setup

This gives

logread | grep chilli:

Mon Feb 15 19:21:19 2016 user.notice chilli: Chilli hotplug due to ifup of lan (br-lan). WAN=eth0,0 WAN2=eth2,0
Mon Feb 15 19:21:19 2016 user.notice chilli: Not starting chilli, since lan is not wan or wan2
Mon Feb 15 19:21:21 2016 user.notice chilli: Chilli hotplug due to ifup of loopback (lo). WAN=eth0,0 WAN2=eth2,0
Mon Feb 15 19:21:21 2016 user.notice chilli: Not starting chilli, since loopback is not wan or wan2
Mon Feb 15 19:21:22 2016 user.notice chilli: Chilli hotplug due to ifup of wan (eth0). WAN=eth0,1 WAN2=eth2,0
Mon Feb 15 19:21:22 2016 user.notice chilli: In /etc/chilli/defaults: HS_WANIF=eth0

Plug in the 4G modem:
Now login to "Free Wifi".
Check ip on: http://whatismyipaddress.com/ = 2.110.xx.xx

logread | grep chilli:

Mon Feb 15 19:21:19 2016 user.notice chilli: Chilli hotplug due to ifup of lan (br-lan). WAN=eth0,0 WAN2=eth2,0
Mon Feb 15 19:21:19 2016 user.notice chilli: Not starting chilli, since lan is not wan or wan2
Mon Feb 15 19:21:21 2016 user.notice chilli: Chilli hotplug due to ifup of loopback (lo). WAN=eth0,0 WAN2=eth2,0
Mon Feb 15 19:21:21 2016 user.notice chilli: Not starting chilli, since loopback is not wan or wan2
Mon Feb 15 19:21:22 2016 user.notice chilli: Chilli hotplug due to ifup of wan (eth0). WAN=eth0,1 WAN2=eth2,0
Mon Feb 15 19:21:22 2016 user.notice chilli: In /etc/chilli/defaults: HS_WANIF=eth0
Mon Feb 15 19:26:26 2016 user.notice chilli: Chilli hotplug due to ifup of wan2 (eth2). WAN=eth0,1 WAN2=eth2,1
Mon Feb 15 19:26:26 2016 user.notice chilli: In /etc/chilli/defaults: HS_WANIF=eth0

Unplug cable to wan:
Check ip on: http://whatismyipaddress.com/ = 62.44.xx.xx

logread | grep chilli:

Mon Feb 15 19:21:19 2016 user.notice chilli: Chilli hotplug due to ifup of lan (br-lan). WAN=eth0,0 WAN2=eth2,0
Mon Feb 15 19:21:19 2016 user.notice chilli: Not starting chilli, since lan is not wan or wan2
Mon Feb 15 19:21:21 2016 user.notice chilli: Chilli hotplug due to ifup of loopback (lo). WAN=eth0,0 WAN2=eth2,0
Mon Feb 15 19:21:21 2016 user.notice chilli: Not starting chilli, since loopback is not wan or wan2
Mon Feb 15 19:21:22 2016 user.notice chilli: Chilli hotplug due to ifup of wan (eth0). WAN=eth0,1 WAN2=eth2,0
Mon Feb 15 19:21:22 2016 user.notice chilli: In /etc/chilli/defaults: HS_WANIF=eth0
Mon Feb 15 19:26:26 2016 user.notice chilli: Chilli hotplug due to ifup of wan2 (eth2). WAN=eth0,1 WAN2=eth2,1
Mon Feb 15 19:26:26 2016 user.notice chilli: In /etc/chilli/defaults: HS_WANIF=eth0
Mon Feb 15 19:28:54 2016 user.notice chilli: Chilli hotplug due to ifdown of wan (). WAN=eth0,0 WAN2=eth2,1
Mon Feb 15 19:28:54 2016 user.notice chilli: In /etc/chilli/defaults: HS_WANIF=eth2

On your own computer:

ifconfig | grep 192.168
# inet 192.168.182.2 netmask 0xfffff000 broadcast 192.168.191.255

Unplug 4G modem.
Turn off and turn on wifi. Join "Free Wifi".

ifconfig | grep 192.168
# inet 192.168.3.149 netmask 0xffffff00 broadcast 192.168.3.255

Plug in both cable WAN and modem.
Join "Free Wifi admin": http://whatismyipaddress.com/ = 2.110.58.56

Make a crontab to reboot hotspot every 4 hours

A hotspot may run into several "problems" during a day.

This could be: "dhcp.c: 643: reached max connections 512!".
One could make a small script which checks logread for error messages, and then do a reboot upon problems.

The first try is just to make a crontab job, which makes the hotspot reboot every 4 hours.
That should hopefully clear out any problems.

#write out current crontab
crontab -l > mycron

#echo new cron into cron file.
# At the 30'th minute, at the hours 8, 12, 16, 20
echo "30 8,12,16,20 * * * /sbin/reboot" >> mycron
cat mycron

#install new cron file
crontab mycron
rm mycron
crontab -l
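
The log check suggested above ("a small script which checks logread for error messages"), as an added example that is not part of the original page: it counts the `reached max connections` message and asks for a reboot only once the router has been up for a while, so a fault present right after boot cannot cause a reboot loop. The syslog line layout for coova-chilli, the 600 s minimum uptime and the `WATCHDOG_ARMED` switch are assumptions.

```shell
#!/bin/sh
# Added example: reboot only when logread shows the hotspot is in a bad state.

# Messages treated as fatal (extended regex). The first is the one quoted on
# this page; add others you actually see in logread, separated by "|".
FATAL_PATTERNS='reached max connections'

# Constructed sample log; the coova-chilli line layout is an assumption.
SAMPLE_LOG='Mon Feb 15 19:21:22 2016 user.notice chilli: In /etc/chilli/defaults: HS_WANIF=eth0
Mon Feb 15 21:02:10 2016 daemon.err coova-chilli[1432]: dhcp.c: 643: reached max connections 512!
Mon Feb 15 21:02:11 2016 daemon.err coova-chilli[1432]: dhcp.c: 643: reached max connections 512!'

# count_fatal: log text on stdin -> number of lines matching a fatal pattern.
count_fatal() {
    # grep -c exits 1 when the count is 0; that is not an error here.
    grep -c -E "$FATAL_PATTERNS" || true
}

# decide MIN_UPTIME THRESHOLD UPTIME: log text on stdin.
# Prints "ok"     - fewer than THRESHOLD fatal lines,
#        "wait"   - fatal lines seen, but the router booted less than
#                   MIN_UPTIME seconds ago (avoids reboot loops),
#        "reboot" - fatal lines seen and the router has been up long enough.
decide() {
    min_uptime=$1; threshold=$2; uptime_s=$3
    hits=$(count_fatal)
    if [ "$hits" -lt "$threshold" ]; then
        echo ok
    elif [ "$uptime_s" -lt "$min_uptime" ]; then
        echo wait
    else
        echo reboot
    fi
}

# watchdog_main: what a cron job on the router would call. The verdict is
# always written to syslog; the reboot happens only with WATCHDOG_ARMED=1.
watchdog_main() {
    up=$(cut -d. -f1 /proc/uptime)
    verdict=$(logread | decide 600 1 "$up")
    logger -t chilli "watchdog: verdict=$verdict uptime=${up}s"
    if [ "$verdict" = reboot ] && [ "${WATCHDOG_ARMED:-0}" = 1 ]; then
        /sbin/reboot
    fi
}

# Demo on the constructed sample: two fatal lines, uptime one hour.
printf '%s\n' "$SAMPLE_LOG" | decide 600 1 3600
```

Run unarmed first and read the `watchdog:` lines in syslog before setting `WATCHDOG_ARMED=1` in the cron entry.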

Full re-install

Make a backup of settings.
Luci -> System -> Backup / Firmware -> Generate archive

The following packages have been installed

opkg update && opkg install kmod-usb-net-cdc-ether usb-modeswitch luci-app-ddns ddns-scripts curl ca-certificates coova-chilli kmod-tun nano

  • Make a reset of router
  • Install packages
  • Flash the Generated archive

The device specific variables are in:

# DDNS
uci show ddns.myddns_ipv4.domain   # 'glinet.mooo.com'
uci show ddns.myddns_ipv4.password
uci show ddns.myddns_4g.domain     # 'glinet4g.mooo.com'
uci show ddns.myddns_4g.password
# syslog
uci show system.@system[0].log_ip
uci show system.@system[0].log_port
# hotspot system
cat /etc/chilli/defaults | grep HS_NASID
NEWNASID="MY_NAS"
sed 's/HS_NASID=.*/HS_NASID="'${NEWNASID}'"/g' /etc/chilli/defaults | grep HS_NASID

# In crontab
cat /var/spool/cron/crontabs/root
OLDMAC=`cat /var/spool/cron/crontabs/root | cut -d '=' -f2 | cut -d '\' -f1`
OLDNASID=`cat /var/spool/cron/crontabs/root | cut -d '=' -f3 | cut -d '\' -f1`
NEWMAC=`cat /sys/class/net/wlan0/address | tr 'a-z' 'A-Z' | sed 's/:/-/g'`
cat /var/spool/cron/crontabs/root
sed 's/'${OLDMAC}'/'${NEWMAC}'/g;s/'${OLDNASID}'/'${NEWNASID}'/g' /var/spool/cron/crontabs/root

Make new location with Social Login on hotspotsystem.com

Go to: https://www.hotspotsystem.com/controlcenter/ and login.

  • Manage -> Locations
  • Add a New HotSpot Location
  • Hotspot FREE -> Social
  • Name of Location* = WIFI_01_Social
  • Make most default
  • Default Language: The language for the Captive Portal
  • Validity Period of Free Access Codes*: 1 Hour
  • Save. Then modify the location:

# hotspot system
cat /etc/chilli/defaults | grep HS_NASID
NEWNASID="NASID_3"
sed 's/HS_NASID=.*/HS_NASID="'${NEWNASID}'"/g' /etc/chilli/defaults | grep HS_NASID
sed -i 's/HS_NASID=.*/HS_NASID="'${NEWNASID}'"/g' /etc/chilli/defaults
cat /etc/chilli/defaults | grep HS_NASID

# In crontab
cat /var/spool/cron/crontabs/root
OLDMAC=`cat /var/spool/cron/crontabs/root | cut -d '=' -f2 | cut -d '\' -f1`
OLDNASID=`cat /var/spool/cron/crontabs/root | cut -d '=' -f3 | cut -d '\' -f1`
NEWMAC=`cat /sys/class/net/wlan0/address | tr 'a-z' 'A-Z' | sed 's/:/-/g'`
sed 's/'${OLDMAC}'/'${NEWMAC}'/g;s/'${OLDNASID}'/'${NEWNASID}'/g' /var/spool/cron/crontabs/root
sed -i 's/'${OLDMAC}'/'${NEWMAC}'/g;s/'${OLDNASID}'/'${NEWNASID}'/g' /var/spool/cron/crontabs/root
cat /var/spool/cron/crontabs/root

# Need to add additional domains to allow
cat /etc/chilli/defaults
sed -i -e "/HS_UAMDOMAINS/d" /etc/chilli/defaults
cat /etc/chilli/defaults
echo HS_UAMDOMAINS=\"paypal.com paypalobjects.com worldpay.com rbsworldpay.com adyen.com hotspotsystem.com geotrust.com facebook.com facebook.net fbcdn.net licdn.net licdn.com akamaihd.net akamai.net cloudfront.com twimg.com api.twitter.com\" >> /etc/chilli/defaults

# Restart chilli
/etc/init.d/chilli restart

# Send message that location is up
crontab -l | grep -v '^#' | cut -f 6- -d ' ' > /tmp/crontab.sh
ash /tmp/crontab.sh

Login with phone or computer to "Free Wifi"
If not working, try to reboot.

Visit http://192.168.182.1:3990

Remove access from Captive Portal to wan subnet of 192.168.1.x, 192.168.8.x

This is to remove the possibility that Open Wifi users access the subnet of the wan and wan2.
To block the office network of 192.168.1.x, and to prevent access to the 4G modem.

See:

We are going to use REJECT instead of DROP

cd /etc/chilli/
grep -r -n ipup.sh *
cat up.sh

SRCIP=`grep HS_NETWORK /etc/chilli/defaults | cut -d"=" -f2`
echo $SRCIP

DESIP=192.168.1.1
MASK=255.255.255.0
echo $DESIP $MASK

echo "iptables -I FORWARD -s $SRCIP/$MASK -d $DESIP/$MASK -j REJECT"

echo "#!/bin/sh" > ipup.sh
echo "iptables -I FORWARD -s $SRCIP/$MASK -d $DESIP/$MASK -j REJECT" >> ipup.sh
chmod +x ipup.sh
cat ipup.sh
[ -e /etc/chilli/ipup.sh ] && echo "file exists"
. /etc/chilli/ipup.sh
iptables -L | grep 192.168.182

Then

reboot

And check settings

iptables -L | grep 192.168.182
iptables -L | grep -A 10 "Chain FORWARD "

  • Join "Free Wifi admin" -> Try 192.168.1.1 -> Should work
  • Join "Free Wifi" -> Try 192.168.1.1 -> Should NOT work

Add for 192.168.8.x, so Hotspot Clients cannot change 4g modem settings

cd /etc/chilli/
SRCIP=`grep HS_NETWORK /etc/chilli/defaults | cut -d"=" -f2`
echo $SRCIP
DESIP=192.168.8.1
MASK=255.255.255.0
echo $DESIP $MASK

echo "iptables -I FORWARD -s $SRCIP/$MASK -d $DESIP/$MASK -j REJECT"
echo "iptables -I FORWARD -s $SRCIP/$MASK -d $DESIP/$MASK -j REJECT" >> ipup.sh
cat ipup.sh

[ -e /etc/chilli/ipup.sh ] && echo "file exists"
. /etc/chilli/ipup.sh
iptables -L | grep 192.168.182

Remove access to internal network port ftp,ssh,telnet,www,https for hotspot clients

See:

cd /etc/chilli/
SRCIP=`grep HS_NETWORK /etc/chilli/defaults | cut -d"=" -f2`
MASK=255.255.255.0
echo $SRCIP $MASK

echo "iptables -I INPUT -s $SRCIP/$MASK -p tcp -m multiport --dports 21,22,23,80,443 -j REJECT"
echo "iptables -I INPUT -s $SRCIP/$MASK -p tcp -m multiport --dports 21,22,23,80,443 -j REJECT" >> ipup.sh
cat ipup.sh
[ -e /etc/chilli/ipup.sh ] && echo "file exists"
. /etc/chilli/ipup.sh
iptables -L | grep 192.168.182
reboot
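
A check for the three rule sets added in the sections above, as an added example that is not part of the original page: it reads `iptables -S` output and lists any of the hotspot REJECT rules that are missing from the running ruleset, which is worth repeating after every reboot because the rules only exist once ipup.sh has run. The sample rulesets are constructed and assume the hotspot network is 192.168.182.0/24; `delegate_forward` stands in for the rest of the firewall.

```shell
#!/bin/sh
# Added example: audit `iptables -S` output for the hotspot isolation rules.

HS_NET='192.168.182.0/24'     # hotspot client subnet (HS_NETWORK + MASK)
OFFICE_NET='192.168.1.0/24'   # wan side: office network
MODEM_NET='192.168.8.0/24'    # wan2 side: 4G modem admin network
MGMT_PORTS='21,22,23,80,443'  # ftp,ssh,telnet,www,https on the router

# Constructed sample: all rules from ipup.sh are loaded. iptables prints the
# 255.255.255.0 masks used on this page in CIDR form.
SAMPLE_OK='-P INPUT ACCEPT
-P FORWARD DROP
-A INPUT -s 192.168.182.0/24 -p tcp -m multiport --dports 21,22,23,80,443 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.182.0/24 -d 192.168.8.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.182.0/24 -d 192.168.1.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j delegate_forward'

# Constructed sample: the 192.168.8.x rule was never appended to ipup.sh.
SAMPLE_PARTIAL='-P INPUT ACCEPT
-P FORWARD DROP
-A INPUT -s 192.168.182.0/24 -p tcp -m multiport --dports 21,22,23,80,443 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.182.0/24 -d 192.168.1.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j delegate_forward'

# Constructed sample: ruleset without any of the ipup.sh rules.
SAMPLE_FLUSHED='-P INPUT ACCEPT
-P FORWARD DROP
-A FORWARD -j delegate_forward'

# audit_isolation: `iptables -S` text on stdin; prints one MISSING line per
# absent protection and nothing when all three are present.
audit_isolation() {
    awk -v hs="$HS_NET" -v office="$OFFICE_NET" -v modem="$MODEM_NET" \
        -v ports="$MGMT_PORTS" '
    # has(flag, val): true if the rule on this line contains "flag val"
    function has(flag, val,   i) {
        for (i = 1; i < NF; i++) if ($i == flag && $(i + 1) == val) return 1
        return 0
    }
    $1 == "-A" && has("-s", hs) && has("-j", "REJECT") {
        if ($2 == "FORWARD" && has("-d", office)) got_office = 1
        if ($2 == "FORWARD" && has("-d", modem))  got_modem = 1
        if ($2 == "INPUT" && has("-p", "tcp") && has("--dports", ports)) got_mgmt = 1
    }
    END {
        if (!got_office) print "MISSING forward-reject " hs " -> " office
        if (!got_modem)  print "MISSING forward-reject " hs " -> " modem
        if (!got_mgmt)   print "MISSING input-reject tcp " ports " from " hs
    }'
}

# Demo on the constructed partial ruleset: reports the missing modem rule.
printf '%s\n' "$SAMPLE_PARTIAL" | audit_isolation
```

On the router the input would be `iptables -S | audit_isolation`.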

Setup openvpn to privateinternetaccess.com PIA

See

Install packages

opkg update && opkg list | grep openvpn
opkg list | grep openvpn | grep -v Translation
opkg list | grep openvpn | grep luci | grep -v Translation

opkg install luci-app-openvpn openvpn-openssl
opkg install curl unzip bash

Now available in: Luci -> Services -> OpenVPN

See the default configurations, which are not enabled.
Only enabled services can be started.

uci show openvpn
uci show openvpn | grep custom_config
uci show openvpn | grep sample_server
uci show openvpn | grep sample_client

SSH to the router and get the certificates

cd /etc/openvpn
mkdir pia
cd pia
# -k disables TLS certificate verification, so the origin of the archive is not authenticated
curl -k -L https://www.privateinternetaccess.com/openvpn/openvpn.zip -o openvpn.zip
unzip openvpn.zip
rm openvpn.zip

We are going to make a "Simple client configuration for a routed point-to-point VPN"

Make setup script file

touch setup.sh
chmod +x setup.sh
nano setup.sh

And put this in it

#!/bin/bash

# Set variables
PIAFILES=$PWD
PIALOC=pia_vpn_setup
PIAPASSFILE=userpass.txt
PIASETUPDEF=Denmark.ovpn
PIAUSERDEF=YOUR_PIA_USER
PIAPASSDEF=YOUR_PIA_PASS

# Function to create userpasswd file
mkpasswdfile() {
    read -p "Enter Your PIA user [$PIAUSERDEF]:" PIAUSER
    PIAUSER=${PIAUSER:-$PIAUSERDEF}
    echo "You entered: $PIAUSER"

    read -p "Enter Your PIA passwd [$PIAPASSDEF]:" PIAPASS
    PIAPASS=${PIAPASS:-$PIAPASSDEF}
    echo "You entered: $PIAPASS"

    # Make password file (quoted so special characters in the credentials survive)
    echo "$PIAUSER" > "$PIAFILES/$PIAPASSFILE"
    echo "$PIAPASS" >> "$PIAFILES/$PIAPASSFILE"
    chmod 400 "$PIAFILES/$PIAPASSFILE"
    echo -e "\nYour PIA password file $PIAFILES/$PIAPASSFILE has the following content:"
    cat $PIAFILES/$PIAPASSFILE
}
mkpasswdfile

mkdhcpfile() {
    # Make a DHCP option file. When connected to the VPN, your ISP's DNS servers will no longer work,
    # because your IP address no longer belongs to the pool of clients their DNS servers accept.
    cat > $PIAFILES/up.sh << EOF
#!/bin/ash
uci add_list dhcp.@dnsmasq[-1].server=209.222.18.222
uci add_list dhcp.@dnsmasq[-1].server=209.222.18.218
uci commit dhcp
/etc/init.d/dnsmasq restart
EOF

    cat > $PIAFILES/down.sh << EOF
#!/bin/ash
uci del_list dhcp.@dnsmasq[-1].server=209.222.18.222
uci del_list dhcp.@dnsmasq[-1].server=209.222.18.218
uci commit dhcp
/etc/init.d/dnsmasq restart
EOF

    # Make executable
    chmod +x $PIAFILES/up.sh
    chmod +x $PIAFILES/down.sh
}
mkdhcpfile

mksettings() {
    echo ""
    read -p "Enter file name for settings [$PIASETUPDEF]:" PIASETUP
    PIASETUP=${PIASETUP:-$PIASETUPDEF}

    echo -e "\nNow reading settings from $PIASETUP"
    PIAREMOTE=`grep "remote " $PIASETUP | sed "s/remote //g"`

    uci set openvpn.${PIALOC}=openvpn
    uci set openvpn.${PIALOC}.enabled='1'
    uci set openvpn.${PIALOC}.remote="${PIAREMOTE}"
    uci set openvpn.${PIALOC}.up=${PIAFILES}/up.sh
    uci set openvpn.${PIALOC}.down=${PIAFILES}/down.sh
    uci set openvpn.${PIALOC}.script_security='2'

    # Single-word options: set as flags ('1'), with special cases for comp-lzo, disable-occ and auth-user-pass
    while read p; do
        if [ `echo "$p" | wc -w` -eq 1 ]; then
            pc=`echo $p | sed "s/-/_/g"`
            if [ "$pc" == "comp_lzo" ]; then
                uci set openvpn.${PIALOC}.${pc}='yes'
            elif [ "$pc" == "disable_occ" ]; then
                :
            elif [ "$pc" == "auth_user_pass" ]; then
                uci set openvpn.${PIALOC}.${pc}="$PIAFILES/$PIAPASSFILE"
            else
                uci set openvpn.${PIALOC}.${pc}='1'
            fi
        fi
    done <$PIASETUP

    # Two-word options: "name value"
    while read p; do
        if [ `echo "$p" | wc -w` -eq 2 ]; then
            IFS=' ' read -r -a pa <<< "$p"
            pcf=`echo ${pa[0]} | sed "s/-/_/g"`
            # Only the option name needs '-' mapped to '_'; the value is kept as written
            pcs=${pa[1]}

            if [[  ${pa[0]} =~ ^(crl-verify|ca)$ ]]; then
                uci set openvpn.${PIALOC}.${pcf}=${PIAFILES}/${pcs}
            else
                uci set openvpn.${PIALOC}.${pcf}=${pcs}
            fi
        fi
    done <$PIASETUP

    uci commit openvpn
    uci show openvpn | grep $PIALOC
}
mksettings

Now run it

bash setup.sh

Now make network and firewall

# Make tun interface
PIANETWORK=pia_vpn
PIATUN=tun1

uci show network
uci set network.${PIANETWORK}=interface
uci set network.${PIANETWORK}.proto='none'
uci set network.${PIANETWORK}.ifname="$PIATUN"
uci set network.${PIANETWORK}.auto='1'
uci commit network
uci show network

# Add firewall zone
PIAFWZONE=vpn_fw

uci show firewall | grep zone
uci add firewall zone
uci set firewall.@zone[-1].name="$PIAFWZONE"
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci set firewall.@zone[-1].network=$PIANETWORK
uci commit firewall
uci show firewall | grep zone

# Add forward from lan to zone
uci show firewall | grep forwarding
uci add firewall forwarding
uci set firewall.@forwarding[-1].dest="$PIAFWZONE"
uci set firewall.@forwarding[-1].src='lan'
uci commit firewall
uci show firewall | grep forwarding

# Restart firewall and stop openvpn service
/etc/init.d/firewall restart
/etc/init.d/openvpn stop
/etc/init.d/openvpn disable

We are going to make a new init.d startup script.

  • The chilli daemon is slow to start, and we have to make sure that the tun0 and tun1 devices are opened in the right order

Do NOT insert dhcp-option=6,ipaddress1,ipaddress2.
This is not a smart solution: as long as clients are connected to the wifi, they will keep this DHCP option.
If you start or stop the VPN service, they will still keep the DHCP options in their local settings.

Instead we made an "up.sh" and a "down.sh" script, which take care of this.

Copy this into the shell

cat > /etc/init.d/openvpnboot << EOF
#!/bin/sh /etc/rc.common
# - init script for openvpn -

START=99
STOP=11

restart() {
    stop
    sleep 5
    start
}

boot() {
    # coova-chilli has a long boot time. This needs to complete first to acquire tun0, so openvpn gets tun1.
    logger -t openvpnboot "Sleeping at boot"
    sleep 20
    logger -t openvpnboot "Done sleeping at boot"
    start
}

start() {
    # Start the service
    /etc/init.d/openvpn start
}

stop() {
    # Stop the service and bring down interface
    /etc/init.d/openvpn stop
    ifdown pia_vpn
}
EOF

Make executable

chmod +x /etc/init.d/openvpnboot

Enable it on boot

# First check
cat /etc/init.d/openvpnboot
ls -1v /etc/init.d/

# Enable and check
/etc/init.d/openvpnboot enable
ls -v1 /etc/rc.d/* | grep openvpn

Now you have to unplug the power, and plug in again.

Visit homepage. Should be green.
https://www.privateinternetaccess.com/pages/whats-my-ip/

Check the log

logread | grep openvpn
ps -w | grep openvpn

You can now stop and start in luci under: System -> Startup -> openvpnboot

Or

/etc/init.d/openvpnboot stop
/etc/init.d/openvpnboot start
/etc/init.d/openvpnboot restart
/etc/init.d/openvpnboot disable
/etc/init.d/openvpnboot enable

Test speed

Probably due to slow CPU

Download a legal piece of software through torrent, for example Ubuntu, which has many users.

Check

Or with curl

curl -o /dev/null http://speedtest.sea01.softlayer.com/downloads/test100.zip
curl -o /dev/null http://speedtest.tele2.net/100MB.zip

The suggestions from PIA support include

  • If the Connection type is set to "TCP", change it to "UDP". If it already says UDP, do not make any changes to this setting yet.
  • Change the remote port to 9201
  • If the issue persists, disconnect from the VPN, change the remote port to 1194, "Save", and reconnect.
  • If the issue persists, disconnect from the VPN, change the remote port to 8080, "Save", and reconnect.
  • If the issue persists, disconnect from the VPN, change the remote port to 53, "Save", and reconnect.
  • If this does not help,
  • Change the protocol to TCP
  • Change the remote port to 80
  • If the issue persists, disconnect from the VPN, change the remote port to 110, "Save", and reconnect.
  • If the issue persists, disconnect from the VPN, change the remote port to 443, "Save", and reconnect.
  • If you have been unable to connect this far, set the local port option to 53, and try each of the settings above again.
PORT=1194 #1194, 9201, 8080, 53, 80, 110, 443, 53
uci set openvpn.pia_vpn_setup.remote="denmark.privateinternetaccess.com $PORT"
uci set openvpn.pia_vpn_setup.proto='udp' #udp, tcp
uci commit openvpn
/etc/init.d/openvpnboot restart
logread | grep -e $PORT -e Completed
curl -o /dev/null http://speedtest.tele2.net/100MB.zip

Results

  • With no VPN, time to download = 1 min
  • VPN port 1194, time to download = 10 min
  • VPN port 9201, time to download = 15 min
  • VPN port 8080, time to download = 20 min
  • VPN port 53, time to download = 15 min
  • VPN, tcp, port 80, time to download = 20 min
  • VPN, tcp, port 110, time to download = 20 min
  • VPN, tcp, port 443, time to download = 25 min
  • VPN, tcp, port 53, time to download = Does not connect to PIA

This does not work.
So we try: http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/

So we try buffer

uci set openvpn.pia_vpn_setup.sndbuf='393216'
uci set openvpn.pia_vpn_setup.rcvbuf='393216'
uci commit openvpn
/etc/init.d/openvpnboot restart
logread | grep -e Completed
curl -o /dev/null http://speedtest.tele2.net/100MB.zip

This still gives a time to download = 10-15 min

Then we try

uci set openvpn.pia_vpn_setup.tun_mtu='1400'
uci commit openvpn
/etc/init.d/openvpnboot restart
logread | grep -e Completed
curl -o /dev/null http://speedtest.tele2.net/100MB.zip

This still gives a time to download = 17 min

To revert back to original options

uci delete openvpn.pia_vpn_setup.sndbuf
uci delete openvpn.pia_vpn_setup.rcvbuf
uci delete openvpn.pia_vpn_setup.tun_mtu
uci commit openvpn
uci show openvpn.pia_vpn_setup
uci commit openvpn
/etc/init.d/openvpnboot restart
logread | grep -e Completed
curl -o /dev/null http://speedtest.tele2.net/100MB.zip

This gives a time to download = 17 min

Test if purevpn is faster

Pay 2.5$ for a 3 day trial

Get certificates

cd /etc/openvpn
# -k disables TLS certificate verification, so the origin of the archive is not authenticated
curl -k -L https://s3-us-west-1.amazonaws.com/heartbleed/linux/linux-files.zip -o purevpn.zip
unzip purevpn.zip
rm purevpn.zip
mv "Linux OpenVPN Updated files" purevpn
cd purevpn
chmod 400 Wdc.key

Test of uci chilli

## From https://wiki.openwrt.org/doc/howto/wireless.hotspot.coova-chilli
uci show chilli

# Add new chilli
uci add chilli hotspotsystem

# 'disabled' controls whether chilli runs: '1' keeps it from starting, '0' enables it.
uci set chilli.@hotspotsystem[0].disabled='0'

# Your user setup
#uci set chilli.@hotspotsystem[0].radiusnasid="USERNAME_Loc.IDName"
# Example
# Braces are required: "$OPERATOR_" would be read as a variable named OPERATOR_
uci set chilli.@hotspotsystem[0].radiusnasid="${OPERATOR}_${LocID}"
uci set chilli.@hotspotsystem[0].uamsecret="$HOTPASS"
uci set chilli.@hotspotsystem[0].radiussecret="$HOTPASS"

uci set chilli.@hotspotsystem[0].locationname="human_readible_location_name"
#uci set chilli.@hotspotsystem[0].radiuslocationname="<SSID>,<sub-ID>"

#  WISPr the values are shown here. (cc=2-digit ISO country; idd=phone-country;ac=phone-area-code)
#uci set chilli.@hotspotsystem[0].radiuslocationid="isocc=<cc>,cc=<idd>,ac=<ac>,network=<SSID>"
#uci set chilli.@hotspotsystem[0].radiuslocationid="isocc=se,cc=46,ac=584,network=CampingTiveden"
uci set chilli.@hotspotsystem[0].radiuslocationid="1"

# Radius parameters (change to the one for your provider)
uci set chilli.@hotspotsystem[0].radiusserver1='radius.hotspotsystem.com'
uci set chilli.@hotspotsystem[0].radiusserver2='radius2.hotspotsystem.com'

# Your device's LAN interface on which to put the hotspot
# Subscriber Interface for client devices
# Get by: WLAN=`ifconfig | grep wl | sort | head -1 | cut -d " " -f1` && echo $WLAN
#uci set chilli.@hotspotsystem[0].dhcpif='wlan0'
# Or use a bridged network between LAN and wireless radio
uci set chilli.@hotspotsystem[0].dhcpif='br-lan'

# set DNS to whatever is fastest. On slow saturated lines, best use your local router for caching.
# On fast & wide lines, use Google's or your ISP's DNS, whichever is fastest.
# Will be suggested to the client. If omitted the system default will be used.
#uci set chilli.@hotspotsystem[0].dns1='8.8.8.8'
#uci set chilli.@hotspotsystem[0].dns2='8.8.4.4'
# PIA https://helpdesk.privateinternetaccess.com/hc/en-us/articles/219460397-How-to-change-DNS-settings-in-Windows
#uci set chilli.@hotspotsystem[0].dns1='209.222.18.222'
#uci set chilli.@hotspotsystem[0].dns2='209.222.18.218'
# https://www.lifewire.com/free-and-public-dns-servers-2626062
# https://freedns.zone/en/ Surf freely. No DNS redirects. No Logging.
uci set chilli.@hotspotsystem[0].dns1='37.235.1.174'
uci set chilli.@hotspotsystem[0].dns2='37.235.1.177'
uci set chilli.@hotspotsystem[0].domain='key.chillispot.info'

# Tunnel and Subnet 
# name of TUN device name. required.
uci set chilli.@hotspotsystem[0].tundev='tun0'
# For 1000 addresses. Default is 182/24 subnet
uci set chilli.@hotspotsystem[0].net='192.168.180.0/22'
# keep it at 182.1 despite the 180/22 subnet
uci set chilli.@hotspotsystem[0].uamlisten='192.168.182.1'
# 1 day. 24 H
uci set chilli.@hotspotsystem[0].lease='86400'
# 2 days. 48 H
#uci set chilli.@hotspotsystem[0].lease='172800'
# plus 10 minutes
uci set chilli.@hotspotsystem[0].leaseplus='600'

# Universal access method (UAM) parameters
uci set chilli.@hotspotsystem[0].uamhomepage=""
uci set chilli.@hotspotsystem[0].uamserver="https://customer.hotspotsystem.com/customer/hotspotlogin.php"

# HotSpot UAM Port (on subscriber network)
uci set chilli.@hotspotsystem[0].uamport='3990'
# HotSpot UAM "UI" Port (on subscriber network, for embedded portal)
uci set chilli.@hotspotsystem[0].uamuiport='4990'
uci set chilli.@hotspotsystem[0].uamanydns='1'

# Is not set. Change so the default http://1.0.0.1 will go to the login page
#uci set chilli.@hotspotsystem[0].uamaliasip='1.0.0.1'
# Set so http://login will go to the login page
#uci set chilli.@hotspotsystem[0].uamaliasname='login'
# Is not set. Change so the default http://1.0.0.0 will log out
#uci set chilli.@hotspotsystem[0].uamlogoutip='1.0.0.0'
# No success page; go to the originally requested URL
uci set chilli.@hotspotsystem[0].nouamsuccess='1'

# Hosts; services; network segments the client can access without first authenticating (walled garden)
# Hosts are evaluated every 'interval', but this does not work well on multi-homed (multi-IP'ed) hosts, use IP instead.
#uci set chilli.@hotspotsystem[0].uamallowed="customer.hotspotsystem.com,www.directebanking.com,betalen.rabobank.nl,ideal.ing.nl,ideal.abnamro.nl,www.ing.nl"
uci set chilli.@hotspotsystem[0].uamallowed="194.149.46.0/24,198.241.128.0/17,66.211.128.0/17,216.113.128.0/17,70.42.128.0/17,128.242.125.0/24,216.52.17.0/24,62.249.232.74,155.136.68.77,155.136.66.34,66.4.128.0/17,66.211.128.0/17,66.235.128.0/17,88.221.136.146,195.228.254.149,195.228.254.152,203.211.140.157,203.211.150.204,www.paypal.com,www.paypalobjects.com,live.adyen.com,www.worldpay.com,select.worldpay.com,secure.ims.worldpay.com,www.rbsworldpay.com,secure.wp3.rbsworldpay.com,www.directebanking.com,betalen.rabobank.nl,ideal.ing.nl,ideal.abnamro.nl,www.ing.nl,api.mailgun.net,www.hotspotsystem.com,customer.hotspotsystem.com,tech.hotspotsystem.com,a1.hotspotsystem.com,a2.hotspotsystem.com,a3.hotspotsystem.com,a4.hotspotsystem.com,a5.hotspotsystem.com,a6.hotspotsystem.com,a7.hotspotsystem.com,a8.hotspotsystem.com,a9.hotspotsystem.com,a10.hotspotsystem.com,a11.hotspotsystem.com,a12.hotspotsystem.com,a13.hotspotsystem.com,a14.hotspotsystem.com,a15.hotspotsystem.com,a16.hotspotsystem.com,a17.hotspotsystem.com,a18.hotspotsystem.com,a19.hotspotsystem.com,a20.hotspotsystem.com,a21.hotspotsystem.com,a22.hotspotsystem.com,a23.hotspotsystem.com,a24.hotspotsystem.com,a25.hotspotsystem.com,a26.hotspotsystem.com,a27.hotspotsystem.com,a28.hotspotsystem.com,a29.hotspotsystem.com,a30.hotspotsystem.com"

# Domain suffixes the client can access without first authenticating (walled garden)
# Hosts on the domain are checked by spying on DNS requests, so this does work for multi-homed hosts too.
#uci set chilli.@hotspotsystem[0].uamdomain=".paypal.com,.paypalobjects.com,.worldpay.com,.rbsworldpay.com,.adyen.com,.hotspotsystem.com"
uci set chilli.@hotspotsystem[0].uamdomain="paypal.com,paypalobjects.com,worldpay.com,rbsworldpay.com,adyen.com,hotspotsystem.com,geotrust.com,triodos.nl,asnbank.nl,knab.nl,regiobank.nl,snsbank.nl"

# Various debug and optimization values
# swap input and output octets
uci set chilli.@hotspotsystem[0].swapoctets='1'        
# Re-read configuration file at this interval. Will also cause new domain name lookups to be performed. Value is given in seconds. Config file and host lookup refresh.     
uci set chilli.@hotspotsystem[0].interval='3600'

# Add the chilli firewall rules
uci set chilli.@hotspotsystem[0].ipup='/etc/chilli/up.sh'
uci set chilli.@hotspotsystem[0].ipdown='/etc/chilli/down.sh'

# Include this flag to include debug information.
#uci set chilli.@hotspotsystem[0].debug='9'

# Finish
uci commit chilli
uci show chilli
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License