Icaro Dedalo Hotspot installation

NethServer Version: 7.7.1908
Module: Dedalo Hotspot Manager
Hi,
@mrmarkuz and I are trying to set up dedalo with a local installation of icaro on a CentOS 8. The installation and provisioning of vagrant with icaro went fine, but if we want to call any web address to customize the manager we get an SSL error.

Caddy start page without SSL works fine.
I’ve tried with the self_signed option in the all.yml file and Markus tried both, self_signed and letsencrypt (auto).
Does somebody have an idea what the problem could be?
Thanks in advance.

@giacomo, @Amygos, @davide_marini

2 Likes

Instructions on how to install

If you don’t use a virtual environment you can start at Installing CentOS 8.

We work with Proxmox for our installation.
Create a virtual machine. The following settings are best for virtualizing in a virtual guest:

  • network: bridged
  • CPU: host

Now we have to enable nested support in Proxmox as described on the following page

https://pve.proxmox.com/wiki/Nested_Virtualization

Installing CentOS 8

Notice: If you execute yum with a lot of packages and some aren’t available, yum stops without installing the other packages, which are OK. So we installed package by package.

Set up the network like this

  • IP: 192.168.x.x //Should be same network as your Dedalo-Nethservers green Network

  • Gateway: 192.168.x.x //Nethserver with Dedalo installation

  • DNS: 192.168.x.x //Nethserver with Dedalo Installation

  • FQDN: MyHostname.NethserverDomain

After installation do an update with

yum update

The next step is to disable and stop the firewall

systemctl disable firewalld

systemctl stop firewalld

You can check if it’s disabled and stopped with

systemctl status firewalld

Now we disable SELinux as well.
This is done in the SELinux config file

nano /etc/selinux/config

We have to set

SELINUX=enforcing

to

SELINUX=disabled

and reboot the system

shutdown -r now

When the system is up again, we check the SELinux status

sestatus

The command should show

SELinux status: disabled

Now we can install libvirt to use it for vagrant.
First install the Development Tools

yum group install -y "Development Tools"

After that we can install libvirt itself with

yum install @virt
yum install libvirt-devel
yum install ruby-devel

Now we enable ip_forward (the setting is written to a sysctl drop-in and loaded right away)

echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/99-ipforward.conf
sysctl -p /etc/sysctl.d/99-ipforward.conf

Now we enable and start libvirtd:

systemctl enable libvirtd --now
systemctl start libvirtd

Next we install vagrant with the following command

yum install https://releases.hashicorp.com/vagrant/2.2.7/vagrant_2.2.7_x86_64.rpm

Check the installation with

vagrant --version

Install the vagrant-libvirt plugin

vagrant plugin install vagrant-libvirt

Now we install ansible with pip

pip3 install ansible --user

Add ansible to your path (we didn’t make it persistent for testing, but once we have a running version we of course have to do this)

export PATH=$PATH:/root/.local/bin

Now we download the icaro files

git clone https://github.com/nethesis/icaro.git

You can do your settings for icaro (the hostname must be changed from localhost to a FQDN) with

nano ~/icaro/deploy/ansible/group_vars/all.yml

After this step, change to the deploy folder

cd ~/icaro/deploy/

Install icaro with vagrant using the following command

vagrant up

If everything is working fine we can now do

vagrant ssh

As a first step we change to user root:

sudo su

If you don’t use letsencrypt, you should build your own certificate because the one from the self_signed option is only valid for seven days.
Create a directory for your certificate and install openssl

mkdir /etc/caddy/certificate

yum install openssl

Now you can start the interactive openssl program with

openssl

First we generate the private key

openssl genrsa -out /etc/caddy/certificate/icaro.key 2048

The next step is to create a CA

req -new -key /etc/caddy/certificate/icaro.key -out /etc/caddy/certificate/icaro.csr

At last we have to generate the certificate

x509 -req -days 365 -in /etc/caddy/certificate/icaro.csr -signkey /etc/caddy/certificate/icaro.key -out /etc/caddy/certificate/icaro.crt

Leave openssl with

exit

My favourite editor is nano, so I installed nano

yum install nano

And now edit the icaro conf file

nano /etc/caddy/conf.d/icaro.conf

Change

tls self_signed

to

tls /etc/caddy/certificate/icaro.crt /etc/caddy/certificate/icaro.key

Last step before getting back to the CentOS machine is to get information about your network. You have to know the IP of the vagrant machine and the network interface. Get it with

ip a

Now exit sudo and the vagrant ssh session

exit
exit

Back on CentOS we have to set some port forwardings

# Local port redirection for HTTP/HTTPS
iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8081
iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 8080

# Port forwarding for the network for HTTP/HTTPS
iptables -A PREROUTING -t nat -i ens33 -p tcp --dport 80 -j DNAT --to 192.168.121.232:80
iptables -A PREROUTING -t nat -i ens33 -p tcp --dport 443 -j DNAT --to 192.168.121.232:443

On your DNS server you have to set an entry with the FQDN and the CentOS IP address you have given at the beginning of this tutorial.

Now you can try to log in to icaro. Open a web browser and go to the https site of the FQDN you have given in the all.yml file

https://FQDN

The first login you have to do with

  • user: admin
  • password: admin

Create a new manager as a reseller and log in with this newly created user. Now you can create a new hotspot.

To use dedalo you have to copy your certificate files on your NethServer to

/etc/pki/ca-trust/source/anchors/

and execute the command

update-ca-trust extract

In dedalo you have to log in with the reseller account.
I had to change the DHCP range to a smaller one. I chose

192.168.182.100 to 192.168.182.254

After that in icaro you can see a unit, your dedalo device.

I can’t change some preferences in icaro at this time. I’ll write more information if I have a solution.

Many thanks to @mrmarkuz who helped me for many hours and days to get it running.

3 Likes
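The three interactive openssl steps in the howto above produce a certificate that carries only a CN. Modern browsers match the hostname against the subjectAltName extension only, so such a certificate is still refused even after it has been imported as a trust anchor. The following is an added example, not code from the thread or from the icaro project: it builds the key and a self-signed certificate with a SAN in one command and then checks the result the way a browser and the NethServer trust store will. It assumes OpenSSL 1.1.1 or newer (for `-addext`); the FQDN and the output directory are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread: key + self-signed certificate with
# subjectAltName in one step, plus the checks a practitioner wants before
# putting the pair into Caddy's "tls CERT KEY" line and into update-ca-trust.

# make_selfsigned FQDN OUTDIR [DAYS]
# A bare CN is not enough: browsers only match the hostname against the
# subjectAltName, so a cert without it is rejected even when it is trusted.
make_selfsigned() {
    fqdn="$1"; outdir="$2"; days="${3:-365}"
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
        -keyout "$outdir/icaro.key" -out "$outdir/icaro.crt" || return 1
    chmod 600 "$outdir/icaro.key"   # the private key must not be world readable
}

# check_selfsigned FQDN CERT
# Returns 0 when the SAN names the host, the cert is not expired and it
# validates against itself (what the NethServer does once the file sits in
# /etc/pki/ca-trust/source/anchors/); 1, 2 or 3 tells which check failed.
check_selfsigned() {
    fqdn="$1"; crt="$2"
    openssl x509 -in "$crt" -noout -text | grep -qF "DNS:$fqdn" || return 1
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 2
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 3
}

# key_matches_cert CERT KEY
# Caddy needs a matching pair; compare the public keys of both files.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage inside the vagrant VM (as root), replacing the howto's genrsa/req/x509 steps:
#   make_selfsigned icaro.example.local /etc/caddy/certificate
#   check_selfsigned icaro.example.local /etc/caddy/certificate/icaro.crt && echo ok
```

The FQDN passed to `make_selfsigned` has to be the same one entered in `all.yml` and in the DNS entry, otherwise the SAN check fails on the client side.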

Also modified icaro.conf on the installed vagrant VM to use a self-created openssl certificate.

I get the same error as in the first post.
Tried to find the caddy logs for more information, but without success

tls /etc/caddy/certificate/icaro.crt /etc/caddy/certificate/icaro.key

Now we can log in to icaro. Monday evening I will add the additional steps to the howto in my 2nd post.

But there are two more problems:

  • We can’t change some preferences of a hotspot. For example, if we try to change the redirect and submit the settings, we see two turning circles at preferences and captive portal preferences.
  • The next one is that we can’t log in to dedalo; we get an authentication error. We don’t find anything in the logs (dedalo and messages).
1 Like

Additional steps are online now. It would be nice if some people could test this tutorial and give some feedback.
Markus got dedalo running with letsencrypt. If somebody has an idea why I can’t get it running with a self-signed certificate, you are welcome. This evening I can post the entries of my messages.log.
@Main_Tech @ogagyssss
Do you need it anymore?

1 Like

I’ve asked @Amygos and @edoardo_spadoni to take a look into it :wink:

2 Likes

Thanks @giacomo, it was really hard to find a way to get it running because there is not so much information.
Now Dedalo is working too. I only changed the given DHCP range from

192.168.182.2 to 192.168.182.254

to

192.168.182.100 to 192.168.182.254

The other problem with changing the preferences still appears.

1 Like

Hi @m.traeumner, sorry for my late reply (busy days… :sweat:)

Can you post a screenshot of the browser with the debug console open? F12 at console tab.

1 Like

No problem.

Meanwhile we built the vagrant machine again and it works.
But now we have the next problem: we can’t reach the captive portal.

We built the icaro server on a CentOS server. The CentOS server is in the green network. The icaro has a local hostname (icaro.MyDomain.local). Dedalo and icaro can communicate. But if we test a client in the Dedalo net 192.168.182.x, it gets an IP, the Dedalo as gateway and a public DNS server, but no connection. If we try the Icaro IP as address in a browser (Firefox), after a while the address bar changes to icaro.MyDomain.local/wax and a lot of numbers and characters. At the end it shows the timezone. For testing purposes we tried to create a firewall rule from 192.168.182.0/24 to the CentOS server where the vagrant icaro machine runs and a rule from CentOS to 192.168.182.0/24. We also commented out the drop net in the shorewall rules for Dedalo.

If we can post some more information, let us know.
Thanks

1 Like

Can somebody help? We have no more ideas.

Accessing the portal is kind of authenticated and it requires communication between dedalo and icaro.

I do not remember the internals, but I know it’s a bit tricky to set up; this is one of the reasons why we offer it for free to our partners.

@Amygos @edoardo_spadoni @davide_marini do you need some more info to help here?
Maybe access to a dev machine can help? What do you think?

1 Like

This communication seems to work, I can log in at dedalo and icaro finds it as a unit. I think we have a routing problem from the client to icaro, perhaps some missing firewall rules. If I try to connect from the client to the icaro IP, I get the right address in the address bar, but the browser shows a “not reachable”. We also had a look at the debug console of the browser, but there is no entry.
Thanks in advance

Hi Michael,
the Icaro project is composed of 2 main parts.

The icaro instance

A local VM or cloud VM that includes:

  • sun: UI and API parts (the web app for managing hotspot instances)
  • wax: API for the captive portal
  • wings: the captive portal static (HTML,CSS,JS) files

The dedalo instance

A NethServer VM (with standard firewall configuration) that acts as a captive portal access controller. On this machine the nethserver-dedalo rpm is installed, which provides the Cockpit UI and all the API needed to work.

Does your CentOS 8 machine, the one you are trying to configure, contain the “Icaro” instance? Or are you also trying to install the dedalo instance inside the same machine?

Is it possible to have some access to this machine(s) to check the configuration and maybe help you?

Thanks.

3 Likes

Hi Edoardo,
thanks for your answer.

The CentOS 8 is for icaro only. Dedalo runs on a NethServer. It was installed from the software center in Cockpit.

Yes, it is possible, I have a VPN to the customer’s network. When do you have time for it? Tomorrow for example I’m at home at 01:30 pm.

Ok so you have 2 machines. Perfect.

If you try to log in to the icaro instance from nethserver-dedalo, can you access and visualize your hotspot details inside Cockpit?

Can you paste the result of:

config show dedalo

I’d only like to have access to the CentOS machine if the check above works. If the machine is public you can send me the credentials by private message without making an appointment for tomorrow.

Thanks.

3 Likes

Yes I can.

I will do it this evening.

No, it isn’t public, only the VPN port is routed by the provider router. Sadly we can’t configure it, but we will call the provider to give us one internal address where all traffic is routed to. If this works I’ll give you credentials.

Thanks

2 Likes

Perfect Michael :+1:

Thanks

Here is my config:

[root@fw ~]# config show dedalo
dedalo=service
    AaaUrl=
    AllowOrigins=
    ApiUrl=
    Description=Gaestenetz
    DhcpEnd=254
    DhcpStart=100
    IcaroHost=icaro.drk.local
    Id=1
    LogTraffic=disabled
    Name=DRKGast
    Network=192.168.182.0/24
    Proxy=disabled
    SplashPageUrl=
    UnitName=fw.drk.local
    Uuid=95fa2e77-ddde-4d62-bd61-04b21a239784
    status=enabled

Here are some logs from the dedalo log without sending a request from a client. If you send a request, nothing changes:

Apr 07 13:05:34 fw.drk.local [12476]: calling curl_easy_cleanup()
Apr 07 13:05:34 fw.drk.local [12476]: curl error The requested URL returned error: 404 Not Found
Apr 07 13:05:34 fw.drk.local [12476]: Access-Reject
Apr 07 13:05:34 fw.drk.local [12476]: close_request
Apr 07 13:05:34 fw.drk.local [12476]: connections free 15
Apr 07 13:05:34 fw.drk.local [12476]: HTTP completed with status 22
Apr 07 13:05:34 fw.drk.local [12476]: calling curl_easy_cleanup()
Apr 07 13:05:34 fw.drk.local [12476]: curl error The requested URL returned error: 404 Not Found
Apr 07 13:05:34 fw.drk.local [12476]: Access-Reject
Apr 07 13:05:34 fw.drk.local [12476]: close_request
Apr 07 13:05:34 fw.drk.local [12476]: connections free 16
Apr 07 13:06:06 fw.drk.local [12476]: connections free 15
Apr 07 13:06:06 fw.drk.local [12476]: request index 9
Apr 07 13:06:06 fw.drk.local [12476]: connections free 14
Apr 07 13:06:06 fw.drk.local [12476]: request index 8
Apr 07 13:06:06 fw.drk.local [12476]: HTTP completed with status 22
Apr 07 13:06:06 fw.drk.local [12476]: calling curl_easy_cleanup()
Apr 07 13:06:06 fw.drk.local [12476]: curl error The requested URL returned error: 404 Not Found
Apr 07 13:06:06 fw.drk.local [12476]: Access-Reject
Apr 07 13:06:06 fw.drk.local [12476]: close_request
Apr 07 13:06:06 fw.drk.local [12476]: connections free 15
Apr 07 13:06:06 fw.drk.local [12476]: HTTP completed with status 22
Apr 07 13:06:06 fw.drk.local [12476]: calling curl_easy_cleanup()
Apr 07 13:06:06 fw.drk.local [12476]: curl error The requested URL returned error: 404 Not Found
Apr 07 13:06:06 fw.drk.local [12476]: Access-Reject
Apr 07 13:06:06 fw.drk.local [12476]: close_request
Apr 07 13:06:06 fw.drk.local [12476]: connections free 16


Thanks in advance

For the NethServer part it seems all good, can you please paste the output of:

  • systemctl status dedalo
  • dedalo query list

And again:

  • dedalo query list while you are trying to connect to Wi-Fi

Thanks.

systemctl status dedalo
● dedalo.service - Network access controller, runs on the firewal and intercepts all guest connections, based on CoovaChilli
   Loaded: loaded (/usr/lib/systemd/system/dedalo.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-04-04 00:20:50 CEST; 3 days ago
 Main PID: 12468 (chilli)
   CGroup: /system.slice/dedalo.service
           ├─12468 /usr/sbin/chilli -c /opt/icaro/dedalo/chilli.conf --fg
           └─12476 [chilli_proxy] -b /var/run/chilli.12468.cfg.bin

Apr 07 15:14:38 fw.drk.local [12476]: curl error The requested URL returned error: 403 Forbidden
Apr 07 15:14:38 fw.drk.local [12476]: Access-Reject
Apr 07 15:14:38 fw.drk.local [12476]: close_request
Apr 07 15:14:38 fw.drk.local [12476]: connections free 15
Apr 07 15:14:38 fw.drk.local [12476]: HTTP completed with status 22
Apr 07 15:14:38 fw.drk.local [12476]: calling curl_easy_cleanup()
Apr 07 15:14:38 fw.drk.local [12476]: curl error The requested URL returned error: 403 Forbidden
Apr 07 15:14:38 fw.drk.local [12476]: Access-Reject
Apr 07 15:14:38 fw.drk.local [12476]: close_request
Apr 07 15:14:38 fw.drk.local [12476]: connections free 16
dedalo query list

74-DA-88-EF-15-47 192.168.182.100 dnat 158595245000000002 0 74-DA-88-EF-15-47 0/0 0/0 0/0 0/0 0 0 0/0 0/0 -
dedalo query list

82-A5-6A-9A-72-D2 192.168.182.102 dnat 158626552000000001 0 82-A5-6A-9A-72-D2 0/0 0/0 0/0 0/0 0 0 0/0 0/0 http://de.archive.ubuntu.com/ubuntu/dists/bionic-backports/InRelease

74-DA-88-EF-15-47 192.168.182.100 dnat 158595245000000002 0 74-DA-88-EF-15-47 0/0 0/0 0/0 0/0 0 0 0/0 0/0 -

Thank you for helping me.

1 Like
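To triage the two outputs posted above (`dedalo query list` and the chilli_proxy lines in the dedalo log), here is an added example that is not part of the thread or of the dedalo package. It assumes the CoovaChilli `chilli_query list` column layout MAC, IP, state, session id, authenticated flag, username, counters, redirect URL; the sample data is constructed from the lines in the thread, with one extra authenticated session added for contrast.

```shell
#!/bin/sh
# Added example, not from the thread: triage helpers for the outputs above.
# Assumed `dedalo query list` columns: MAC IP state session-id authenticated
# username counters... redirect-URL. "dnat" with flag 0 means the client is
# still held at the portal and has not been authorised by icaro.

# Constructed sample, modelled on the thread's output (third line added).
SAMPLE_QUERY='82-A5-6A-9A-72-D2 192.168.182.102 dnat 158626552000000001 0 82-A5-6A-9A-72-D2 0/0 0/0 0/0 0/0 0 0 0/0 0/0 http://de.archive.ubuntu.com/ubuntu/dists/bionic-backports/InRelease
74-DA-88-EF-15-47 192.168.182.100 dnat 158595245000000002 0 74-DA-88-EF-15-47 0/0 0/0 0/0 0/0 0 0 0/0 0/0 -
AA-BB-CC-DD-EE-01 192.168.182.101 pass 158595245000000003 1 guest01 120/3600 5/600 0/0 0/0 0 0 0/0 0/0 -'

# unauthenticated_clients < query-output
# Prints "MAC IP URL" for every session the portal still holds back.
unauthenticated_clients() {
    awk '$3 == "dnat" && $5 == 0 { print $1, $2, $NF }'
}

# Constructed log sample in the chilli_proxy format shown in the thread.
SAMPLE_LOG='Apr 07 13:05:34 fw.drk.local [12476]: curl error The requested URL returned error: 404 Not Found
Apr 07 13:05:34 fw.drk.local [12476]: Access-Reject
Apr 07 15:14:38 fw.drk.local [12476]: curl error The requested URL returned error: 403 Forbidden
Apr 07 15:14:38 fw.drk.local [12476]: Access-Reject'

# reject_summary < dedalo-log
# One line per HTTP status icaro returned to the proxy, plus the number of
# Access-Reject answers dedalo sent to clients as a result: every failed
# call to icaro ends in a rejected client, so the two counts should line up.
reject_summary() {
    awk '
        /curl error The requested URL returned error: / {
            sub(/.*returned error: /, ""); status[$0]++ }
        /Access-Reject/ { rejects++ }
        END {
            for (s in status) printf "icaro answered %s: %d times\n", s, status[s]
            printf "Access-Reject sent: %d\n", rejects + 0 }'
}

# Usage: dedalo query list | unauthenticated_clients
#        journalctl -u dedalo | reject_summary
```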