# [[OpenNDS]] Version 9 Config

## Custom Splash Debug Notes

### Notes

- Can't use `192.168.2.1` to trigger CPD anymore
- Have to turn off VPN and visit e.g. `google.com`

### PreAuth

[[cURL]]

```bash
curl 'http://192.168.2.1:2050/opennds_preauth/?fas=aGlkPTYzMDU3YTkxZTI0NTFmNmI3ZTM5MGZmNmFmMzUyZGExMDdmMWM4YzJmMzdiZGQxYjQ2ZTlhZmM2ZWM5NTcxODksIGNsaWVudGlwPTE5Mi4xNjguMi4xNTAsIGNsaWVudG1hYz0zODpmOTpkMzo4NDpmNzphNSwgZ2F0ZXdheW5hbWU9T3BlbldydCUyMG9wZW5ORFMsIHZlcnNpb249OS4zLjAsIGdhdGV3YXlhZGRyZXNzPTE5Mi4xNjguMi4xOjIwNTAsIGdhdGV3YXltYWM9NjI6Mzg6ZTA6YmM6M2Y6NjAsIG9yaWdpbnVybD1odHRwJTNhJTJmJTJmZ29vZ2xlLmNvbSUyZiwgY2xpZW50aWY9d2xhbjAsIHRoZW1lc3BlYz0obnVsbCksIChudWxsKShudWxsKShudWxsKShudWxsKQ==' \
  -H 'Connection: keep-alive' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Sec-GPC: 1' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  --compressed \
  --insecure
```

Query params: only fas

- fas: aGlkPTYzMDU3YTkxZTI0NTFmNmI3ZTM5MGZmNmFmMzUyZGExMDdmMWM4YzJmMzdiZGQxYjQ2ZTlhZmM2ZWM5NTcxODksIGNsaWVudGlwPTE5Mi4xNjguMi4xNTAsIGNsaWVudG1hYz0zODpmOTpkMzo4NDpmNzphNSwgZ2F0ZXdheW5hbWU9T3BlbldydCUyMG9wZW5ORFMsIHZlcnNpb249OS4zLjAsIGdhdGV3YXlhZGRyZXNzPTE5Mi4xNjguMi4xOjIwNTAsIGdhdGV3YXltYWM9NjI6Mzg6ZTA6YmM6M2Y6NjAsIG9yaWdpbnVybD1odHRwJTNhJTJmJTJmZ29vZ2xlLmNvbSUyZiwgY2xpZW50aWY9d2xhbjAsIHRoZW1lc3BlYz0obnVsbCksIChudWxsKShudWxsKShudWxsKShudWxsKQ==

### Accept terms of service

[[cURL]]

```bash
curl 'http://192.168.2.1:2050/opennds_preauth/?fas=aGlkPTYzMDU3YTkxZTI0NTFmNmI3ZTM5MGZmNmFmMzUyZGExMDdmMWM4YzJmMzdiZGQxYjQ2ZTlhZmM2ZWM5NTcxODksIGNsaWVudGlwPTE5Mi4xNjguMi4xNTAsIGNsaWVudG1hYz0zODpmOTpkMzo4NDpmNzphNSwgZ2F0ZXdheW5hbWU9T3BlbldydCUyMG9wZW5ORFMsIHZlcnNpb249OS4zLjAsIGdhdGV3YXlhZGRyZXNzPTE5Mi4xNjguMi4xOjIwNTAsIGdhdGV3YXltYWM9NjI6Mzg6ZTA6YmM6M2Y6NjAsIG9yaWdpbnVybD1odHRwJTNhJTJmJTJmZ29vZ2xlLmNvbSUyZiwgY2xpZW50aWY9d2xhbjAsIHRoZW1lc3BlYz0obnVsbCksIChudWxsKShudWxsKShudWxsKShudWxsKQ%3D%3D&continue=clicked' \
  -H 'Connection: keep-alive' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Sec-GPC: 1' \
  -H 'Referer: http://192.168.2.1:2050/opennds_preauth/?fas=aGlkPTYzMDU3YTkxZTI0NTFmNmI3ZTM5MGZmNmFmMzUyZGExMDdmMWM4YzJmMzdiZGQxYjQ2ZTlhZmM2ZWM5NTcxODksIGNsaWVudGlwPTE5Mi4xNjguMi4xNTAsIGNsaWVudG1hYz0zODpmOTpkMzo4NDpmNzphNSwgZ2F0ZXdheW5hbWU9T3BlbldydCUyMG9wZW5ORFMsIHZlcnNpb249OS4zLjAsIGdhdGV3YXlhZGRyZXNzPTE5Mi4xNjguMi4xOjIwNTAsIGdhdGV3YXltYWM9NjI6Mzg6ZTA6YmM6M2Y6NjAsIG9yaWdpbnVybD1odHRwJTNhJTJmJTJmZ29vZ2xlLmNvbSUyZiwgY2xpZW50aWY9d2xhbjAsIHRoZW1lc3BlYz0obnVsbCksIChudWxsKShudWxsKShudWxsKShudWxsKQ==' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  --compressed \
  --insecure
```

Query params:

- fas: aGlkPTYzMDU3YTkxZTI0NTFmNmI3ZTM5MGZmNmFmMzUyZGExMDdmMWM4YzJmMzdiZGQxYjQ2ZTlhZmM2ZWM5NTcxODksIGNsaWVudGlwPTE5Mi4xNjguMi4xNTAsIGNsaWVudG1hYz0zODpmOTpkMzo4NDpmNzphNSwgZ2F0ZXdheW5hbWU9T3BlbldydCUyMG9wZW5ORFMsIHZlcnNpb249OS4zLjAsIGdhdGV3YXlhZGRyZXNzPTE5Mi4xNjguMi4xOjIwNTAsIGdhdGV3YXltYWM9NjI6Mzg6ZTA6YmM6M2Y6NjAsIG9yaWdpbnVybD1odHRwJTNhJTJmJTJmZ29vZ2xlLmNvbSUyZiwgY2xpZW50aWY9d2xhbjAsIHRoZW1lc3BlYz0obnVsbCksIChudWxsKShudWxsKShudWxsKShudWxsKQ==
- continue: clicked

### Continue

[[cURL]]

```bash
curl 'http://192.168.2.1:2050/opennds_preauth/?fas=aGlkPTYzMDU3YTkxZTI0NTFmNmI3ZTM5MGZmNmFmMzUyZGExMDdmMWM4YzJmMzdiZGQxYjQ2ZTlhZmM2ZWM5NTcxODksIGNsaWVudGlwPTE5Mi4xNjguMi4xNTAsIGNsaWVudG1hYz0zODpmOTpkMzo4NDpmNzphNSwgZ2F0ZXdheW5hbWU9T3BlbldydCUyMG9wZW5ORFMsIHZlcnNpb249OS4zLjAsIGdhdGV3YXlhZGRyZXNzPTE5Mi4xNjguMi4xOjIwNTAsIGdhdGV3YXltYWM9NjI6Mzg6ZTA6YmM6M2Y6NjAsIG9yaWdpbnVybD1odHRwJTNhJTJmJTJmZ29vZ2xlLmNvbSUyZiwgY2xpZW50aWY9d2xhbjAsIHRoZW1lc3BlYz0obnVsbCksIChudWxsKShudWxsKShudWxsKShudWxsKQ%3D%3D&landing=yes' \
  -H 'Connection: keep-alive' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Sec-GPC: 1' \
  -H 'Referer: http://192.168.2.1:2050/opennds_preauth/?fas=aGlkPTYzMDU3YTkxZTI0NTFmNmI3ZTM5MGZmNmFmMzUyZGExMDdmMWM4YzJmMzdiZGQxYjQ2ZTlhZmM2ZWM5NTcxODksIGNsaWVudGlwPTE5Mi4xNjguMi4xNTAsIGNsaWVudG1hYz0zODpmOTpkMzo4NDpmNzphNSwgZ2F0ZXdheW5hbWU9T3BlbldydCUyMG9wZW5ORFMsIHZlcnNpb249OS4zLjAsIGdhdGV3YXlhZGRyZXNzPTE5Mi4xNjguMi4xOjIwNTAsIGdhdGV3YXltYWM9NjI6Mzg6ZTA6YmM6M2Y6NjAsIG9yaWdpbnVybD1odHRwJTNhJTJmJTJmZ29vZ2xlLmNvbSUyZiwgY2xpZW50aWY9d2xhbjAsIHRoZW1lc3BlYz0obnVsbCksIChudWxsKShudWxsKShudWxsKShudWxsKQ%3D%3D&continue=clicked' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  --compressed \
  --insecure
```

Query params:

- fas: aGlkPTYzMDU3YTkxZTI0NTFmNmI3ZTM5MGZmNmFmMzUyZGExMDdmMWM4YzJmMzdiZGQxYjQ2ZTlhZmM2ZWM5NTcxODksIGNsaWVudGlwPTE5Mi4xNjguMi4xNTAsIGNsaWVudG1hYz0zODpmOTpkMzo4NDpmNzphNSwgZ2F0ZXdheW5hbWU9T3BlbldydCUyMG9wZW5ORFMsIHZlcnNpb249OS4zLjAsIGdhdGV3YXlhZGRyZXNzPTE5Mi4xNjguMi4xOjIwNTAsIGdhdGV3YXltYWM9NjI6Mzg6ZTA6YmM6M2Y6NjAsIG9yaWdpbnVybD1odHRwJTNhJTJmJTJmZ29vZ2xlLmNvbSUyZiwgY2xpZW50aWY9d2xhbjAsIHRoZW1lc3BlYz0obnVsbCksIChudWxsKShudWxsKShudWxsKShudWxsKQ==
- landing: yes

After this you just go directly to e.g. `google.com`

### Attempt 1: Setting `fas_secure_enabled='0'`

Attempt

```bash
uci set opennds.@opennds[0].fas_secure_enabled='0'
uci commit opennds
service opennds restart
```

Undo:

```bash
uci delete opennds.@opennds[0].fas_secure_enabled
uci commit opennds
service opennds restart
```

Result: 404, no [[OpenNDS]] redirect

### Manual CPD detection URLs

- http://status.client/?
- https://detectportal.firefox.com/success.txt?

### Attempt 2: Setting `fasport='2080'` and `fas_secure_enabled='0'` (see custom html, can't auth)

Attempt

```bash
uci set opennds.@opennds[0].fasport='2080'
uci set opennds.@opennds[0].fas_secure_enabled='0'
uci commit opennds
service opennds restart
```

Undo:

```bash
uci delete opennds.@opennds[0].fasport
uci delete opennds.@opennds[0].fas_secure_enabled
uci commit opennds
service opennds restart
```

CPD redirect [[cURL]]:

```bash
curl 'http://192.168.2.1:2080/?authaction=http://192.168.2.1:2050/opennds_auth/?clientip=192.168.2.150&gatewayname=OpenWrt%20openNDS&tok=83161963&redir=http%3a%2f%2fcaptive.apple.com%2fhotspot-detect.html' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36' \
  --compressed \
  --insecure
```

Query params:

- authaction: http://192.168.2.1:2050/opennds_auth/?clientip=192.168.2.150
- gatewayname: OpenWrt openNDS
- tok: 83161963
- redir: http://captive.apple.com/hotspot-detect.html

### Attempt 3: Successful manual auth via [[cURL]]

```bash
curl 'http://192.168.2.1:2050/opennds_auth/?tok=c8b6e841&redir=http%3A%2F%2F192.168.2.1%3A2050%2Findex.html'
```

Current config:

```text
opennds.@opennds[0]=opennds
opennds.@opennds[0].enabled='1'
opennds.@opennds[0].fwhook_enabled='1'
opennds.@opennds[0].unescape_callback_enabled='0'
opennds.@opennds[0].gatewayinterface='br-lan'
opennds.@opennds[0].gatewayname='OpenWrt openNDS'
opennds.@opennds[0].maxclients='250'
opennds.@opennds[0].preauthidletimeout='30'
opennds.@opennds[0].authidletimeout='120'
opennds.@opennds[0].checkinterval='60'
opennds.@opennds[0].uploadrate='0'
opennds.@opennds[0].downloadrate='0'
opennds.@opennds[0].ratecheckwindow='2'
opennds.@opennds[0].uploadquota='0'
opennds.@opennds[0].downloadquota='0'
opennds.@opennds[0].users_to_router='allow tcp port 53' 'allow udp port 53' 'allow udp port 67' 'allow tcp port 22' 'allow tcp port 23' 'allow tcp port 80' 'allow tcp port 443' 'allow tcp port 53' 'allow udp port 53' 'allow udp port 67' 'allow tcp port 22' 'allow tcp port 23' 'allow tcp port 80' 'allow tcp port 443' 'allow tcp port 2080'
opennds.@opennds[0].sessiontimeout='0'
opennds.@opennds[0].authenticated_users='allow all'
opennds.@opennds[0].webroot='/root/frontend/build'
opennds.@opennds[0].use_outdated_mhd='0'
opennds.@opennds[0].login_option_enabled='0'
opennds.@opennds[0].fas_secure_enabled='0'
opennds.@opennds[0].fasport='2080'
```

### Attempt 4: Set `faspath='/splash.html'` (Success)

Attempt

```bash
uci set opennds.@opennds[0].fas_secure_enabled='0'
uci set opennds.@opennds[0].fasport='2080'
uci set opennds.@opennds[0].faspath='/splash.html'
uci commit opennds
service opennds restart
```

Undo:

```bash
uci delete opennds.@opennds[0].fas_secure_enabled
uci delete opennds.@opennds[0].fasport
uci delete opennds.@opennds[0].faspath
uci commit opennds
service opennds restart
```

[[cURL]]:

```bash
curl 'http://192.168.2.1:2080/splash.html?authaction=http://192.168.2.1:2050/opennds_auth/?clientip=192.168.2.150&gatewayname=OpenWrt%20openNDS&tok=27363d17&redir=http%3a%2f%2fcaptive.apple.com%2fhotspot-detect.html' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36' \
  --compressed \
  --insecure
```

Query params:

- authaction: http://192.168.2.1:2050/opennds_auth/?clientip=192.168.2.150
- gatewayname: OpenWrt openNDS
- tok: 27363d17
- redir: http://captive.apple.com/hotspot-detect.html

## Level 0 FAS Setup with Rust Backend

Was attempt 5: Set `faspath='/auth'` and use server-side rendering with [[warp]] to surface `tok` and `authaction` onto the splash page html (Success!)

Instructions

```bash
./scripts/deploy.sh
uci set opennds.@opennds[0].fas_secure_enabled='0'
uci set opennds.@opennds[0].fasport='2080'
uci set opennds.@opennds[0].faspath='/auth'
uci commit opennds
service opennds restart
```

Undo:

```bash
uci delete opennds.@opennds[0].fas_secure_enabled
uci delete opennds.@opennds[0].fasport
uci delete opennds.@opennds[0].faspath
uci commit opennds
service opennds restart
```
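
A sketch of the server-side rendering step for the `/auth` splash page, added here as an example and not the backend code these notes deploy. It uses only the standard library instead of [[warp]]; the function names and the `GATEWAY_AUTH` constant are assumptions, and the hex-only check on `tok` is inferred from the three tokens captured above. With `fas_secure_enabled='0'` every query parameter arrives in cleartext from the client, so the form target is pinned to the gateway and reflected values are escaped.

```rust
use std::collections::HashMap;
// Added example; GATEWAY_AUTH and all function names are assumptions.
// The endpoint value is taken from the redirects captured in these notes.
const GATEWAY_AUTH: &str = "http://192.168.2.1:2050/opennds_auth/";

/// Decode %XX escapes; malformed escapes pass through unchanged.
fn percent_decode(s: &str) -> String {
    let (b, mut out, mut i) = (s.as_bytes(), Vec::new(), 0);
    while i < b.len() {
        let hex = s.get(i + 1..i + 3).filter(|h| h.bytes().all(|c| c.is_ascii_hexdigit()));
        match (b[i], hex) {
            (b'%', Some(h)) => { out.push(u8::from_str_radix(h, 16).unwrap()); i += 3; }
            (c, _) => { out.push(c); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Escape a value for use inside a double-quoted HTML attribute.
fn html_escape(s: &str) -> String {
    s.chars().map(|c| match c {
        '&' => "&amp;".to_string(),
        '<' => "&lt;".to_string(),
        '>' => "&gt;".to_string(),
        '"' => "&quot;".to_string(),
        '\'' => "&#39;".to_string(),
        _ => c.to_string(),
    }).collect()
}

/// Render the splash form from the raw query string of the FAS request.
fn render_splash(query: &str) -> Option<String> {
    let p: HashMap<&str, String> = query.split('&')
        .filter_map(|kv| kv.split_once('='))
        .map(|(k, v)| (k, percent_decode(v)))
        .collect();
    // Every parameter is client-controlled: pin the form target, check tok, escape the rest.
    let action = p.get("authaction").filter(|a| a.starts_with(GATEWAY_AUTH))?;
    let tok = p.get("tok").filter(|t| !t.is_empty() && t.bytes().all(|c| c.is_ascii_hexdigit()))?;
    let redir = p.get("redir")?;
    // A GET form replaces the action URL's query, so the browser requests /opennds_auth/?tok=..&redir=..
    Some(format!("<form method=\"get\" action=\"{}\">\n<input type=\"hidden\" name=\"tok\" value=\"{}\">\n<input type=\"hidden\" name=\"redir\" value=\"{}\">\n<input type=\"submit\" value=\"Continue\">\n</form>",
        html_escape(action), tok, html_escape(redir)))
}

fn main() {
    // Query string from the Attempt 4 capture above.
    let q = "authaction=http://192.168.2.1:2050/opennds_auth/?clientip=192.168.2.150&gatewayname=OpenWrt%20openNDS&tok=27363d17&redir=http%3a%2f%2fcaptive.apple.com%2fhotspot-detect.html";
    println!("{}", render_splash(q).unwrap_or_else(|| "rejected".into()));
}
```

Submitting the rendered form produces the same `/opennds_auth/?tok=...&redir=...` request as the manual cURL in Attempt 3.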