Kapetanakia Giannis wrote:
>
> On 05/10/15 14:35, David Coppa wrote:
> > On Mon, Oct 5, 2015 at 1:18 PM, C.L. Martinez <carlopm...@gmail.com> wrote:
> >> Hi all,
> >>
> >> I have installed an openbsd vm to work as a hostap for tablets and
> >> smartphones (android and iOS).
> >>
> >> All of it is working ok: pf, hostapd and dhcpd server. All tablets and
> >> smartphones that I have tested work ok, connect and surf the Internet.
> >>
> >> But now I am thinking of using some type of auth (user/pass using a SSL/TLS
> >> channel) instead of using wpa/wpa2 keys.
> >>
> >> Some time ago there was this project: Chillispot (http://www.chillispot.org/)
> >> but it seems discontinued.
> >>
> >> Does someone know of any project/software to accomplish this? I would like to
> >> keep it as simple as I can.
> >>
> >> Thanks.
> >>
> > You could try CoovaChilli.
> >
> > https://github.com/sevan/coova-chilli/
> >
> > http://coova.github.io/
> >
> > Ciao
> > David
>
> Another option you could look at is authpf(8), which is in base.
> Not a web-based captive portal, but a similar setup with ssh.
>
> G
Somebody will correct me if I am wrong, but the way that authpf works (I have configured it in the past) is to load a new set of PF rules after a successful ssh login. My understanding is that by default the traffic remains unencrypted unless we use more PF magic to force HTTP traffic (HTTPS should be encrypted itself) through some kind of VPN over SSH. That is why this chapter of the Book of PF was always such a mystery to me:

http://home.nuug.no/~peter/pf/en/vegard.authpf.html

as my understanding is that wpa2 will encrypt the entire traffic (I am not discussing how securely). Installing ssh clients on various tablets/smartphones is a non-trivial thing for an uneducated user.

Since I don't want to disturb bad spirits and bring back old flame wars fought over a web interface for authpf, I would like to suggest something else. Namely, OpenBSD includes npppd and IPsec, and setting up an L2TP over IPsec VPN is a breeze, as I found out by setting it up:

http://marc.info/?l=openbsd-misc&m=142791463307903&w=2

In my experience most Android/Kindle/smartphone devices have a client for L2TP via IPsec and it is very easy to use it.

What I am trying to say is that one could set up an "unprotected" WiFi network allowing only L2TP/IPsec authentication. Once a device is authenticated, PF rules would allow HTTP, HTTPS and what not through the L2TP/IPsec VPN tunnel. The devices will have an Internet connection. The whole traffic will be inside an encrypted tunnel and no special software will be required on Android/smartphone devices.

Best,
Predrag
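The PF side of the design Predrag sketches above, as an added example by the editor (it is not from the thread or from any OpenBSD documentation): an open WiFi segment where an unauthenticated client can only complete DHCP and the IPsec handshake, L2TP is accepted solely after ESP decapsulation, and only addresses from the npppd pool are NATed to the uplink. All names and numbers are assumptions: athn0 is the hostap interface, em0 the uplink, 192.168.10.0/24 the WiFi subnet dhcpd serves, 10.0.0.0/24 the pool npppd assigns to sessions on pppx(4) interfaces. It also assumes isakmpd is already configured through ipsec.conf for transport-mode ESP to UDP port 1701 with a pre-shared key, and npppd through npppd.conf, as in the marc.info thread; neither file is shown.

```pf
# Added example (editor's, not the thread's): pf.conf for an open WiFi that
# only lets L2TP/IPsec through.  Interface names and subnets are assumptions.
wifi_if  = "athn0"          # hostap interface
ext_if   = "em0"            # Internet uplink
wifi_net = "192.168.10.0/24" # subnet dhcpd hands to associated devices
vpn_net  = "10.0.0.0/24"     # pool npppd hands to authenticated L2TP sessions

set skip on lo
set block-policy drop

# NAT only the VPN pool: a device that has merely associated to the WiFi
# has no address in $vpn_net, so its packets never reach the uplink.
match out on $ext_if inet from $vpn_net to any nat-to ($ext_if)

block all

# Unauthenticated WiFi clients get exactly what the tunnel setup needs:
# DHCP (67/68), IKE (UDP 500), NAT-T (UDP 4500) and ESP to the gateway.
pass in on $wifi_if inet proto udp from any port 68 to any port 67
pass in on $wifi_if inet proto udp from $wifi_net to ($wifi_if) port { 500, 4500 }
pass in on $wifi_if inet proto esp from $wifi_net to ($wifi_if)

# L2TP (UDP 1701) is accepted only on enc0, i.e. after IPsec decapsulation,
# so nobody can reach npppd in the clear.  if-bound keeps the state on enc0.
pass in on enc0 inet proto udp from $wifi_net to ($wifi_if) port 1701 keep state (if-bound)

# Traffic from authenticated devices arrives on the pppx interface group
# with a $vpn_net source; this is the only path to the Internet.
pass in on pppx inet from $vpn_net to any
pass out on $ext_if inet

# Gateway-originated packets back to the WiFi (IKE/ESP replies already
# match the states created above).
pass out on $wifi_if inet from ($wifi_if) to $wifi_net
```

Two points a practitioner should keep in mind with this setup. First, there is no rule passing $wifi_net itself out of $ext_if, so a device that associates but never authenticates gets DHCP and nothing else; if DNS or a captive-portal-style landing page is wanted before the tunnel is up, it has to be added explicitly on $wifi_if. Second, the IKE pre-shared key is necessarily shared by every device, so the per-user secret that actually gates access is the npppd login; the PSK only protects the outer tunnel, and rotating it means touching every phone.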