Install Dedalo Hotspot with Icaro on local servers

What we need:

  • a nethserver for the dedalo installation
  • CentOS Server for icaro installation (CentOS 7 and CentOS 8 are possible, CentOS 7 is recommended)
  • a public domain name (could be a dyndns name) with ports 80 and 443 forwarded to your icaro server

Virtual environment
Of course you can also install all servers physically.

We work with Proxmox for our installation.
Create a virtual machine. The following settings are the best to virtualize in a virtual guest:

  • network: bridged (Virt IO)
  • CPU: host
  • 2 GB RAM minimum
  • 30 GB or more for HDD

Now we have to enable nested support in Proxmox as described on the following page

https://pve.proxmox.com/wiki/Nested_Virtualization

Installing CentOS 7

Setup network like this

  • IP: 192.168.x.x //Should be same network as your Dedalo-Nethservers red Network

  • Gateway: 192.168.x.x //Your Firewall/Router

  • DNS: 192.168.x.x //Your Firewall/Router or any public DNS

  • FQDN: MyHostname.MyDomain

Partitioning I didn’t change

After installation do an update with
yum update

As editor we also installed nano
yum install nano

Next step is to disable and stop firewall

systemctl disable firewalld

systemctl stop firewalld

You can check if it's disabled and stopped
systemctl status firewalld

Now we also disable SELinux.
This is done in the SELinux config file
nano /etc/selinux/config

We have to set
SELINUX=enforcing

to
SELINUX=disabled

and reboot the system
shutdown -r now

When the system is up again we check the SELinux status
sestatus

The command should show
Selinux status disabled

Now we can install libvirt to use it for vagrant
First install Development Tools
yum group install -y "Development Tools"

after that we can install libvirt itself and some more tools for building vagrant with
yum install qemu-kvm libvirt libvirt-python libguestfs-tools virt-install libvirt-devel ruby-devel

Also we have to install python 3
yum install python3-pip

Now we enable ip_forward
echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/99-ipforward.conf
sysctl -p /etc/sysctl.d/99-ipforward.conf

So we have to enable and start libvirtd now:
systemctl enable libvirtd --now
systemctl start libvirtd

next we install vagrant with the following command

yum install https://releases.hashicorp.com/vagrant/2.2.7/vagrant_2.2.7_x86_64.rpm

check status with
vagrant --version

install vagrant libvirt plugin
vagrant plugin install vagrant-libvirt

we install ansible now with python
pip3 install ansible

Now we download the icaro files
git clone https://github.com/nethesis/icaro.git

You can do your settings for icaro with
nano ~/icaro/deploy/ansible/group_vars/all.yml

  • change hostname to your public domain name
  • set
    icaro.tls: "self-signed"
    to
    icaro.tls: "auto"

after this step change to deploy folder
cd ~/icaro/deploy/

install icaro with vagrant with the following command
vagrant up

Note: If you restart your server you have to restart vagrant with
vagrant reload

If everything is working fine we can do
vagrant ssh
now

Last step before getting back to the CentOS machine is to get information about your network. You have to know the IP of the vagrant machine. Get it with
ip a

now exit vagrant ssh
exit

Back at CentOS we have to set some port forwardings
First check the name of your network interface which is connected to your router/firewall with
ip a

At the next step we have to flush iptables and do some port forwardings from CentOS to vagrant
Replace “CentOSNetworkcard” with your interface, for example ens33 or eth0 and “VagrantIP” with your one, for example 192.168.121.206

# Flush iptables
iptables -F

# Local port redirection for HTTP/HTTPS
iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8081
iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 8080

# Port forwarding for the network for HTTP/HTTPS
iptables -A PREROUTING -t nat -i CentOSNetworkcard -p tcp --dport 80 -j DNAT --to VagrantIP:80
iptables -A PREROUTING -t nat -i CentOSNetworkcard -p tcp --dport 443 -j DNAT --to VagrantIP:443

Now we have to reload vagrant
vagrant reload

Now you can try to log in to icaro. Open a web browser and go to the https site of your public domain.

https://YourPublicDomain

First login you have to do with

  • user:admin
  • password:admin

Create a new manager as a reseller and log in with this newly created user. Now you can create a new hotspot.

Installing and configuring Nethserver with Dedalo

  • Install a Nethserver
  • Give three network interfaces to it, maybe virtual ones in proxmox.
  • Install all updates at the softwarecenter or with yum update
  • Install Dedalo from softwarecenter

Network settings

  • a red interface as wan interface connected to your router/firewall
  • a green interface as LAN interface, could be a fake interface
  • a 3rd interface not configured (this is done by dedalo)

Configuring Dedalo

  • At the cockpit interface (Dedalo is only available at cockpit) go to applications and choose settings of Hotspot Manager
  • hostname - YourPublicDomain (without any http(s))
  • user - YourReseller
  • password - YourResellersPassword

After connecting you can set the hotspot and a DHCP range. Don’t use the full range, for example

192.168.182.100
to
192.168.182.254

After that in icaro you can see a unit, your dedalo device.
You can now change some things at icaro, for example how people can login.

Some additional infos you can get at

and here
https://docs.nethserver.org/en/v7/dedalo.html

Thanks to @mrmarkuz for a lot of help.

6 Likes
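
An idempotent form of the DNAT step from the post above, as an added example that is not part of the original post: `iptables -A` appends a duplicate rule on every run and the rules are not kept across a reboot, so the step ends up being repeated. The function names are hypothetical, and `eth0` and `192.168.121.206` are example values.

```sh
#!/bin/sh
# Added example: DNAT for tcp/80 and tcp/443 to the Vagrant guest, safe to re-run.
# Run as root. Function names are hypothetical; nothing here flushes existing rules.

# True only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Interface names: letters, digits, "_", "." and "-" only, never starting
# with "-", so a typo cannot turn into an extra iptables option.
valid_iface() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
}

# Append a rule only when "iptables -C" reports that it is not present yet.
ensure_rule() {
    table=$1; chain=$2; shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
        iptables -t "$table" -A "$chain" "$@"
}

# forward_web_ports IFACE VM_IP
# Returns 2 on invalid arguments, 1 if iptables fails, 0 otherwise.
forward_web_ports() {
    iface=$1; vm_ip=$2
    valid_iface "$iface" || { echo "invalid interface: $iface" >&2; return 2; }
    valid_ipv4 "$vm_ip" || { echo "invalid IPv4 address: $vm_ip" >&2; return 2; }
    for port in 80 443; do
        ensure_rule nat PREROUTING -i "$iface" -p tcp --dport "$port" \
            -j DNAT --to-destination "$vm_ip:$port" || return 1
    done
}

# Usage (example values): forward_web_ports eth0 192.168.121.206
```
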

Now that we have a nethserver-docker, maybe we could build a container to ease the deployment of that module?

But I don’t know how to install icaro without the vagrant image. I hope @Amygos or @edoardo_spadoni can answer this question.

Hi @m.traeumner, you don’t necessarily need to use Vagrant. Vagrant only helps you to automatically create the remote instance, set up the Ansible inventory, and launch it with the correct configuration.

But you can always use the Ansible roles against an already created Centos7 host.

Here is an example with a real host that I have just created (icaro.nethserver.net).

First go in the deploy directory and create the inventory file, inventory:

[icaro]
root@icaro.nethserver.net

Then modify the Ansible’s playbook file ansible/playbook.yml:

---
- hosts: all
  roles:
    - role: icaro
    - role: wax
    - role: sun
    - role: ade
    - role: icarodb
      tags:
        - db
  tasks:
    - name: Reboot the Icaro instance
      reboot:

This is the configuration that I used (remember to change it according to your case),
ansible/group_vars/all.yml:

---
icaro:
  url: "https://github.com/nethesis/icaro"
  version: "autobuild"
  hostname: "icaro.nethserver.net"
  tls: "self_signed"
  db_root_password: "YourMariaDBPassWordHere"
  sun_api_origin: "http://icaro.nethserver.net:8080"
  wax_origin: "http://icaro.nethserver.net:8081"
  ade_api_origin: "http://icaro.nethserver.net:8082"
  sun_ui:
    title: "Icaro Hotspot Manager"
    company_name: "Icaro, Inc."
    help_url: "https://nethesis.github.io/icaro/docs/home/"
  ade_ui:
    title: "Icaro Hotspot Manager"
  sun_api:
    db_hostname: "localhost"
    db_username: "sun-api"
    db_password: "Sun-ApiMariaDBPassWordHere"
    captive_portal_title: "Icaro"
    captive_portal_subtitle: "The Open Source Hotspot"
    captive_portal_description: "Free as in freedom"
    captive_portal_redirect: "https://nethesis.github.io/icaro"
    captive_portal_background: "#2a87be"
    captive_portal_logo: "https://raw.githubusercontent.com/nethesis/icaro/master/logo/logo.png"
    captive_portal_banner: "https://raw.githubusercontent.com/nethesis/icaro/master/logo/logo-light.png"
    captive_portal_bg_image: "https://raw.githubusercontent.com/nethesis/icaro/master/sun/sun-ui/static/background.jpg"
    captive_portal_container_bg_color: "#ffffffff"
    captive_portal_title_color: "#4A4A4A"
    captive_portal_text_color: "#4A4A4A"
    captive_portal_text_style: "Roboto"
    email_from: "admin@example.com"
    email_smtp_host: "EmailSMTPHost"
    email_smtp_port: "25"
    email_smtp_user: "EmailSMTPUser"
    email_smtp_password: "EmailSMTPPassword"
  wax:
    db_hostname: "localhost"
    db_username: "wax"
    db_password: "WaxMariaDBPassWordHere"
    facebook_client_id: "FacebookClientID"
    facebook_client_secret: "FacebookClientSecret"
    linkedin_client_id: "LinkedInClientID"
    linkedin_client_secret: "LinkedInClientSecret"
    instagram_client_id: "InstagramClientID"
    instagram_client_secret: "InstagramClientSecret"
    twilio_account_sid: "TwilioAccountSID"
    twilio_auth_token: "TwilioAuthToken"
    twilio_service_sid: "TwilioServiceSID"
    sms_send_quota_alert: false
    email_from: "admin@example.com"
    email_smtp_host: "EmailSMTPHost"
    email_smtp_port: "25"
    email_smtp_user: "EmailSMTPUser"
    email_smtp_password: "EmailSMTPPassword"
  ade_api:
    db_hostname: "localhost"
    db_username: "ape-api"
    db_password: "AdeApiMariaDBPassWordHere"
    email_from: "admin@example.com"
    email_from_name: "Icaro Hotspot Manager"
    email_smtp_host: "EmailSMTPHost"
    email_smtp_port: "25"
    email_smtp_user: "EmailSMTPUser"
    email_smtp_password: "EmailSMTPPassword"
  ade_tasks:
    db_hostname: "localhost"
    db_username: "ade-task"
    db_password: "AdeTasksMariaDBPassWordHere"
    email_from: "admin@example.com"
    email_smtp_host: "EmailSMTPHost"
    email_smtp_port: "25"
    email_smtp_user: "EmailSMTPUser"
    email_smtp_password: "EmailSMTPPassword"
    twilio_account_sid: "TwilioAccountSID"
    twilio_auth_token: "TwilioAuthToken"
    twilio_service_sid: "TwilioServiceSID"

Then you can run the Ansible playbook with:

ansible-playbook -i inventory ansible/playbook.yml

At the end you will obtain an Icaro installation.
If you have to rerun the playbook, the database role must be skipped:

ansible-playbook -i inventory ansible/playbook.yml --skip-tags db

5 Likes
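
A pre-flight check for the `all.yml` above, as an added example that is not part of the original post or the Icaro repository: it reports every password, secret or token key that still holds one of the sample values shown in this thread, so the playbook is not run with published credentials. The function names and the constructed excerpt are hypothetical, and the check assumes the file keeps the 2-space indentation used above.

```sh
#!/bin/sh
# Sample secret values copied from the all.yml posted in this thread.
PLACEHOLDERS="YourMariaDBPassWordHere Sun-ApiMariaDBPassWordHere WaxMariaDBPassWordHere \
AdeApiMariaDBPassWordHere AdeTasksMariaDBPassWordHere EmailSMTPPassword \
FacebookClientSecret LinkedInClientSecret InstagramClientSecret TwilioAuthToken"

# Print "LINE: section.key" for every secret key still set to a sample value.
# Returns 1 when at least one is found, 0 when the file is clean.
find_placeholder_secrets() {
    awk -v list="$PLACEHOLDERS" '
    BEGIN { n = split(list, p, " "); for (i = 1; i <= n; i++) sample[p[i]] = 1 }
    /^[ \t]*#/ || !/:/ { next }                  # skip comments and "---"
    {
        indent = match($0, /[^ ]/) - 1
        key = $0; sub(/^ +/, "", key); sub(/:.*/, "", key)
        val = $0; sub(/^[^:]*:[ \t]*/, "", val)
        if (val == "") { section[indent] = key; next }   # mapping header, e.g. "wax:"
        gsub(/^"|"[ \t]*$/, "", val)                      # drop surrounding quotes
        if (key ~ /(password|secret|token)$/ && (val in sample)) {
            printf "%d: %s.%s\n", NR, section[indent - 2], key
            hits++
        }
    }
    END { exit (hits > 0) }
    ' "$1"
}

# Constructed excerpt in the layout of ansible/group_vars/all.yml.
sample_config() {
    cat <<'EOF'
---
icaro:
  hostname: "icaro.example.org"
  db_root_password: "YourMariaDBPassWordHere"
  sun_api:
    db_username: "sun-api"
    db_password: "k3-constructed-value"
  wax:
    db_password: "WaxMariaDBPassWordHere"
    twilio_auth_token: "TwilioAuthToken"
EOF
}

# Usage: find_placeholder_secrets ansible/group_vars/all.yml || exit 1
```
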

@Amygos
Thanks for your description I will try to install.
@pagaille
If I get it running, would you try to build a container?

1 Like

Great! Sure! Shoot!

1 Like

Does anybody have this thing up and running properly? I can’t get it working.

Hi @kerya,
welcome to the community.
@mrmarkuz had it running. I had the problem that the provider router didn’t forward port 80.
If you tell us what you have done till now and what the problem is, I think we can help you.

I only have the web interface. I can’t figure out how to authenticate devices/users. I can’t debug it. I can’t see the database queries it performs. The executable components don’t have debugging options. I can see 404 responses or other errors in the logs, but I don’t know why. I want to know how the authentication process works, but there is no detailed documentation. It would be nice to see this with screenshots, for example. It would be even better to look at a demo. Any advice appreciated. Thanks in advance.

ATM I am looking for a way to get WPA2-Enterprise working… Is this possible with Dedalo/Icaro?

@Amygos Could you answer this question?

Sorry for late response.
Which webinterface? Dedalo or Icaro?

1 Like

This is out of scope for the Icaro project, for that you need to use a Radius server.

2 Likes

OK, so it would be cool to have a RADIUS-Server running under Nethserver.
Thank you folks…