1. Requirements - Gguardiola/Sidius-CaptivePortal GitHub Wiki



Two network interfaces

You need one network interface for internet access (external) and a second interface that listens to the access point (internal). Users authenticate through the access point and are forwarded to the external interface, with the traffic handled by the firewall rules.

SAFETY TIP: With a suitable router you can create VLANs to increase your network security. VLANs make it possible to deny internet access to other devices connected to the main switch or router.

Linux Machine configuration

SIDIUS PROJECT is made to run on any Linux distribution, but some distributions may require software that is not pre-installed.

It has been tested on:

  • Ubuntu Server 18.04
  • Ubuntu Desktop 18.04

Make sure that the system is updated and upgraded:

apt-get update
apt-get upgrade

Configure the network settings:

nano /etc/netplan/50-cloud-init.yaml

Example:

# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}

#INTERNET
#External interface
network:
    ethernets:
        enp0s3:
            dhcp4: false
            dhcp6: false
            addresses: [10.110.16.10/16]
            gateway4: 10.110.0.1
            nameservers:
                addresses: [127.0.0.1, 8.8.8.8]

#ACCESS POINT
#Internal interface
#network:
#    ethernets:
        enp0s8:
            dhcp4: false
            dhcp6: false
            addresses: [192.168.1.1/24]
            nameservers:
                addresses: [127.0.0.1]
    version: 2

NOTE: Make sure that you set localhost (127.0.0.1) as the primary nameserver on both interfaces!

We need to apply the changes:

netplan apply
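
The check below is an added example, not part of the Sidius project. It can be run on the netplan file before `netplan apply` and reports any interface that has DHCP enabled or does not list 127.0.0.1 as its first nameserver, and it fails if fewer than two interfaces are defined. The function name `check_netplan` is hypothetical, and the parser assumes space-indented YAML with flow-style lists, as in the example file above.

```shell
# Added example, not part of the Sidius project. check_netplan is a hypothetical
# helper; it assumes space-indented YAML with flow-style lists ([a, b]).
check_netplan() {
    awk '
    function finish() {                      # report on the interface just parsed
        if (iface == "") return
        n++
        if (dhcp) { printf "FAIL %s: DHCP is enabled\n", iface; bad++ }
        else if (ns != "127.0.0.1") {
            printf "FAIL %s: primary nameserver is %s\n", iface, (ns == "" ? "unset" : ns); bad++
        } else printf "OK   %s\n", iface
    }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        line = $0; sub(/^ +/, "", line); ind = length($0) - length(line); sub(/[ \t]+$/, "", line)
        if (in_eth && ind <= eth_ind) { finish(); iface = ""; in_eth = 0 }
        if (line == "ethernets:") { in_eth = 1; eth_ind = ind; if_ind = -1; next }
        if (!in_eth) next
        if (if_ind < 0) if_ind = ind         # first child sets the interface depth
        if (ind == if_ind) {                 # a new interface block starts
            finish(); iface = line; sub(/:$/, "", iface)
            dhcp = 0; ns = ""; in_ns = 0; next
        }
        if (in_ns && ind <= ns_ind) in_ns = 0
        if (line ~ /^dhcp[46]: *(true|yes|on)$/) dhcp = 1
        if (line == "nameservers:") { in_ns = 1; ns_ind = ind; next }
        if (in_ns && line ~ /^addresses: *\[/) {   # keep only the first resolver
            ns = line; sub(/^addresses: *\[ */, "", ns); sub(/[], ].*$/, "", ns)
        }
    }
    END {
        finish()
        if (n < 2) { printf "FAIL: %d interface(s) found, two are required\n", n; bad++ }
        exit (bad > 0)
    }' "$@"
}

# Constructed sample: the internal interface points at an outside resolver.
check_netplan <<'EOF' || echo "Fix the file before running netplan apply."
network:
    ethernets:
        enp0s3:
            nameservers:
                addresses: [127.0.0.1, 8.8.8.8]
        enp0s8:
            nameservers:
                addresses: [8.8.8.8]
    version: 2
EOF
```

Pass the file path as the argument, for example `check_netplan /etc/netplan/50-cloud-init.yaml`; the exit status is non-zero when any check fails.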

SSL Certificate

For the captive portal to be detected by the detection mechanisms of operating systems and browsers, we need a valid SSL certificate and the proper apache2 redirection given in the manual/script.

NOTE: Self-generated certificates will be detected as a man-in-the-middle attack, and all users will get a warning before reaching the captive portal.

So we have two options: pay for a valid certificate, or get a free certificate from Let's Encrypt or any other entity.

We recommend Certbot from Let's Encrypt, but any other paid or free certificate can be used.

When using Certbot, you can skip the rest of this section if the server already has a public IP. If it has a private IP, you will need to make the server accessible from the outside by setting up port forwarding or a DMZ to the captive portal so that the Let's Encrypt challenge can complete successfully. After the challenge you can remove the port forwarding/DMZ.
