Professional Documents
Culture Documents
Howto: Install Coovachilli On A Raspberry Pi Using Raspbian, Freeradius and Mysql
Howto: Install Coovachilli On A Raspberry Pi Using Raspbian, Freeradius and Mysql
Introduction
I was in need of another project. I should probably just stop here...but I feel I need to provide a rationale
for doing this (mainly for myself or perhaps my wife because of the time I put into these “projects”).
Anyway, here goes my (shabby) rationale….like many of you my wife and I get lots of visitors who want
internet access for their many devices while they’re staying with us and because of this I’m constantly
giving out my wireless password. I have a separate network for guests already that isolates them from
my primary internal network where my fileserver, etc, is located so guests don’t have access to anything
important. To deal with this I could either take the easy route or the fun route. The easy route: simply
just change my wireless password on a regular basis or after guests leave…but why do that when you
could do it the fun way? Set up a wireless hotspot and have a new project!
After you’ve gone through this, please feel free to modify and improve upon this document.
Despite the focus being for beginners anyone can use this; there are likely a few areas where the more
advanced user may choose to deviate or do things a little differently but that’s what this is all about –
learning and having fun doing it.
Step 3: Configure MySQL. This will be where you store your usernames and any restrictions you will
place upon any users, etc.
Step 4: Configure FreeRADIUS. In this step we also need to configure FreeRADIUS to work with MySQL
so these two programs can work together.
Step 5: Install and configure CoovaChilli. On the Raspberry Pi you need to compile CoovaChilli from its
source package and then install the resulting .deb file. Once installed, we’ll configure it to work together
with the other installed software.
Step 7: Set up your Access Point so your hotspot users can access it.
Obviously, you will need a Raspberry Pi – I’ve only tested this on a model B. I haven’t tweaked
the Pi in any way (i.e., no overclocking, etc). It’s also important to mention that I’ve installed
everything on my Pi. It is possible to set this up on your router or on separate devices but this is
beyond the scope of this howto.
To make CoovaChilli work on any system you need to have two Network Interface Controllers or
NICs. Since the Pi only has one LAN port we need to physically add another and in this case it is
simple and inexpensive to use a wireless dongle as our second NIC.
For the wireless dongle I’m using the Edimax EW-7811un (however, check the Raspberry Pi
compatibility list for others). The only reason I chose this one is that it was small and didn’t
require a powered USB hub to work but the downside is it is slow.
The operating system I used was: 2013-07-26-wheezy-raspbian and it is available to download at
raspberrypi.org.
With the exception of a few packages which, I’ll tell you about when we get to it, I used the
standard repository to download and install the required binary packages (i.e., .deb files).
As a suggestion, before modifying any of the configuration files I would encourage you to make a
backup copy in case you need or want to go back to them. For the most part the default
configurations just work. You obviously need to tweak them to your specific system but
generally these are fairly minor. If you want to have a more advanced set up then I’ll leave that
to you to do further research.
A wireless router that is configurable to the required specs (defined below).
If you run into problems throughout this howto I would encourage you to run the different
programs in their debug mode to see what error is showing.
You will need to have root access to work through this process.
Some nomenclature: $ means a non-root user while # means a root user
The text editor I’m using is nano as it comes preinstalled and is a fairly lightweight basic editor
that is easy to use and learn.
Create a root user as it will be required for this howto.
The following text, used throughout the document, means that you need to enter this into the
command line. So in keeping with the previous bullet let’s start by creating the root user:
$ sudo passwd root
The Steps
Step 1: Install the Required Software
The software you need to download and install in this section comes from the repositories only. When
we need to download and compile the source packages we’ll go through that in those sections. The only
assumption at this point is that you have a newly installed and working Raspbian command line with
internet access.
First, update the software that came with the standard install:
Install the required packages used for building packages from source (we’ll need these later):
When installing MySQL you will be asked to enter a root password – please remember this as
you will be using this several times throughout this FAQ.
During the installation process of FreeRADIUS there will come a point where it generates Diffie-
Hellman (DH) parameters – the time it takes to compute these is highly variable but typically this
is a time to grab a coffee as it will likely take a while.
With the exception of two packages (CoovaChilli and haserl) we now have everything we need.
Step 2: Networking
The purpose of this section is to set up your network interfaces appropriately so that one interface
connects to the internet and the other interface is set up so that it can be used by CoovaChilli to manage
your hotspot clients.
As stated previously, CoovaChilli requires 2 NICs and therefore we need to setup our networking for two
NICs. In this case the assumption is that you have a wireless dongle plugged in and recognized by your Pi
that will serve as our second NIC.
We’ll set it up so your internet connection comes from the wireless dongle represented by wlan0 and
the wired interface (eth0) will be managed by CoovaChilli. This is probably the simplest setup – the
reverse has other complications that are beyond the scope of this howto.
Modify the file to look like this: (remember to back up your original file)
auto lo
iface lo inet loopback
# The ip address listed below will be entered into the file /etc/chilli/defaults and assigned to the variable
# HS_UAMLISTEN=10.1.1.1 and the network address will be assigned to $HS_NETWORK=10.1.1.0,
HS_LANIF = eth0
# CoovaChilli isn’t even installed yet so don’t worry too much about this – it’s more for your information
at this point and for reference when you look back to see how everything fits together.
auto eth0
iface eth0 inet static
address 10.1.1.1
netmask 255.255.255.0
network 10.1.1.0
# Given that wlan0 is the primary internet connection then later in the file /etc/chilli/defaults we set the
variable HS_WANIF=wlan0
auto wlan0
allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface wlan0 inet dhcp
wpa-ssid “YourSSID”
wpa-psk “YourPassword”
Now we need to edit the wpa_supplicant.conf file:
The following set up assumes you are connected to your router using WPA/2-PSK mode. I use AES as it is
more secure and faster so I would strongly encourage you to use it over TKIP. Add this to the end of the
file:
network={
ssid=”YourSSID”
psk=”YourPassword”
proto=RSN
key-mgmt=WPA-PSK
pairwise=CCMP
auth_alg=OPEN
}
$ ifconfig
You should see that wlan0 has an IP address from your wireless router (confirm this). You should also
see that the eth0 interface has been assigned an IP address of 10.1.1.1. If this is not the case then
reboot your pi (for whatever reason I had to do this once for it to pick up the change – strange).
For most of this howto you can save yourself time from typing ‘sudo’ before every command by
switching to the root user.
$ su root
# mysql –u root –p
mysql> quit
The reason I showed you this alternative is because when you want to come back later to check, edit,
update, delete, or what have you, the contents of the tables in the radius database then it’s easier to do
it the second way. The first way is simple and efficient as you’re only using one line but you will need to
get familiar with MySQL if you want to build on this howto.
Create the tables in the new radius database you just set up. For this step (i.e., schema.sql) you must be
the root user – even sudo doesn’t work.
Create a user. This is a test user who will login to your CoovaChilli hotspot account later.
# echo “insert into radcheck (username, attribute, op, value) values (‘user1’,
‘Cleartext-Password’, ‘:=’, ‘password’);” | mysql –u root –p radius
# nano /etc/freeradius/radius.conf
$INCLUDE sql.conf
# nano /etc/freeradius/sites-available/default
This file is organized into sections of code and there are three sections you need to modify. Find the
following blocks of code and uncomment the sql line in each.
authorize {
sql
}
accounting {
sql
}
session {
sql
}
Now that we have FreeRADIUS configured to work with MySQL, let’s test it to ensure it is configured
properly. First we stop the FreeRADIUS daemon.
# /etc/init.d/freeradius stop
# freeradius –X
At this point you’ll see reams of output filling up your screen. What’s important here is to look at the
end and check for a line that says “Ready to process requests”. If you see that then great! If not then
check the reams of output as it will tell you where the error occurred. Check to make sure you didn’t
forget to uncomment something or you didn’t make a typo, etc.
Now that FreeRADIUS is processing requests we need to make sure it will authenticate the test user you
entered previously, that is, user1 with its associated ‘password’. Open up another terminal (alt-F2 or if
you’re using something like Putty then start a new session) and enter the following:
If all goes well, you should see output that says: “rad_recv: Access-Accept packet from host 127.0.0.1….”.
If not, check to make sure you added the user and password correctly and that you’ve followed the
correct sequence above to allow FreeRADIUS to read the MySQL database.
Note: testing123 is the shared secret that’s configured in /etc/freeradius/clients.conf. This is typically
shared between the router using the WPA2 Enterprise setting and FreeRADIUS to authenticate each
other. In our case it authenticates FreeRADIUS and CoovaChilli.
Now you can close the extra terminal you’ve opened and in the first terminal hit <ctrl-C> to stop
freeradius in debug mode. Now restart the freeradius daemon:
# /etc/init.d/freeradius start
# cd /usr/src
If you are installing this on an i386 system (and not a Raspberry Pi) then download the following binary
to make your life easier:
# wget http://ap.coova.org/chilli/coova-chilli_1.3.0_i386.deb
Back to the Pi…the first step is to get the source code from the CoovaChilli website:
# wget http://ap.coova.org/chilli/coova-chilli-1.3.0.tar.gz
ca24ac274340c65a8e7ff704e6866a04380a87c444f261ba84097f0bd1c162e8 coova-chilli-1.3.0.tar.gz
It’s a good habit to check this to make sure your file is complete. On your system simply do the following
to get the sha256sum of your .tar.gz file:
$ sha256sum coova-chilli-1.3.0.tar.gz
Now compare your number to the one listed above. If the hashes are the same – perfect! If not, then
you may want to re-download the file.
/usr/src/ # cd coova-chilli-1.3.0
We are now ready to configure the source code. To do this change back to a non-root user:
/usr/src/coova-chilli-1.3.0 # exit
As a normal user go back into the coova-chilli source code directory (if not already in it):
$ cd /usr/src/coova-chilli-1.3.0
Now we can configure the source files with the following options. It looks intimidating doesn’t it! Note
that the dashes preceding the tags below are double hyphens ( --) not singles; those joining two words
are a single hyphen.
Don’t worry it will come to the end in a bit….and when it does you need to set the compatibility level for
debhelper otherwise you’ll get something like:
On line 54 of the file (close to the bottom) under install: build, we need to replace the following line:
With:
This ensures the necessary files are put into /etc/chilli/ directory and not in the directory specified in the
original line. Failing to do this will cause an error.
We’re now at the point where we’re ready to compile the source code into an actual .deb file that you
can install!
Now that you just hit enter, you can sit back and watch the Pi do some real work. This takes about +/-20
minutes on my Pi (with no overclocking or tweaking). Once finished, the resulting .deb file (including a
few other files) will be located in the /usr/src directory and will be called: coova-chilli_1.3.0_armhf.deb
Now we can install our new .deb file. Make sure you go up a level to the /usr/src directory where the file
is located.
When this is finished you’ll be presented with the following options: (Just select the default)
This is okay. Chilli tried to start and since we haven’t configured it yet it failed.
Despite the error, this should be a happy moment in your progress….if you’ve never compiled and
installed a program from its source before give yourself a pat on the back!
Now that we’re on a roll compiling our code from source let’s do it once more. Let’s start by
downloading the source code:
Calculate the sha256sum of this file and compare it to the one below.
$ sha256sum haserl-0.9.30.tar.gz
01f9f942c58beb8eb6acd7fdbc5fa32e9156a9b8630992def7eb5a48c5f04b50 haserl-0.9.30.tar.gz
/usr/src $ cd haserl-0.9.30
/usr/src/haserl-0.9.30 $ ./configure
# nano /etc/default/chilli
START_CHILLI = 1
Okay, now we’re going to edit the main chilli configuration file:
# nano /etc/chilli/defaults
Note this is the file I referred to previously when we set up our networking. The first few items we’re
changing are to be consistent with what’s in the /etc/network/interfaces file.
Remember we installed haserl? We’ll now edit the following file and add the path to haserl:
haserl = /usr/local/bin/haserl
We’re nearly done. We only have to restart all of our services. Now this doesn’t have to be done (it’s
not Windows) but I’d suggest rebooting to ensure all changes are made.
$ sudo reboot
Once you’ve logged back into the Pi, you will need to start chilli.
Okay. Your CoovaChilli Captive Portal should now be configured and, if the stars are aligned, working.
If you check ifconfig you should see a new tun0 interface – this is a good sign.
$ ifconfig
Plug the Ethernet cable from your Pi into a LAN port on your router (not the WAN/internet port).
Remember your wireless dongle should already be receiving your internet signal.
From another computer wirelessly connect to the network you just set up. Start your web browser and
fingers crossed it should bring up the Coova login page. If so, then great job! You now have your own
wireless hotspot! Your (geeky) neighbours will be jealous!
Remember you set up a test user called ‘user1’ with a password of ‘password’. Enter those into the
user/password fields. If all is successful you should be able to access the internet through your hotspot.
Now enter a non-existent user and password to see if it fails – it should. If both of these work then
congrats!
There are many restrictions you can set up for your users. I’m going to show you some of the basic ones
but if you’d like more complicated restrictions then I’d send you to “google”.
For the most part the user restrictions are managed and setup through FreeRADIUS rather than
CoovaChilli which means we’ll be modifying our MySQL tables to set the restrictions. Okay, so let’s get
started. Edit the following file:
$INCLUDE sql/mysql/counter.conf
Within the authorize section of the file we’re going to uncomment sql; however, depending on the
restrictions you want to apply you must also add them to this file. We’re going to add four counters:
noresetcounter, dailycounter, monthlycounter, expiration. All but expiration are found in
/etc/freeradius/sql/mysql/counter.conf since expiration is a module.
authorize {
sql uncomment
noresetcounter add
dailycounter add
monthlycounter add
expiration add
daily uncomment this one
}
accounting {
daily uncomment
}
Now that we’ve modified this file we need to add some entries into the dictionary:
sqlcounter expiration {
count-attribute = "Acct-Session-Time"
counter-name = "Max-Allowed-Session"
check-name = "Expiration"
sqlmod-inst = "sql"
key = "User-Name"
reset = "never"
query = "SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), \
MIN(AcctStartTime))),0) FROM radacct WHERE \
UserName='${key}' ORDER BY AcctStartTime LIMIT 1;"
}
Now that we’ve got our system configured we can now proceed to add new users along with
restrictions:
If we want to add a new user called “Sam” with an associated password “Sam’sPassword” we do the
following:
# echo “insert into radcheck (username, attribute, op, value) values (‘Sam’,
‘Cleartext-Password’, ‘:=’, ‘Sam’sPassword’);” | mysql –u root –p radius
Now one of the benefits of using MySQL is that immediately after you added Sam, you can now login
as Sam without restarting any of your services.
You can add as many or as few (i.e., none) of the restrictions provided below to any or all of your
users. Add the desired restrictions to the appropriate users in the MySQL database. Some examples
follow:
Example 1:
This will set the maximum time that Sam can access the internet to 10800 seconds or 3 hours:
# echo “insert into radcheck (username, attribute, op, value) values (‘Sam’, ‘Max-Daily-Session’, ‘:=’,
10800);” | mysql –u root –p radius
Example 2:
The following will limit when user1 can logon to the internet. Note that user1 can only access the
internet between 9.00am and 6.00pm in the example.
# echo “insert into radcheck (username, attribute, op, value) values (‘user1’, ‘Login-Time’, ‘:=’,
‘Al0900-1800’);” | mysql –u root –p radius
Example 3:
Sam is only allowed to be logged on the system once. If you set this to 2 then Sam can logon to the
system twice simultaneously. This prevents people from sharing their user name and password with
their friends and each of them to login at the same time.
# echo “insert into radcheck (username, attribute, op, value) values (‘Sam’, ‘Simultaneous-Use’, ‘:=’,
1);” | mysql –u root –p radius
Example 4:
# echo “insert into radcheck (username, attribute, op, value) values (‘Sam’, ‘Expiration’, ‘:=’, ‘August 1
2013 20:00’);” | mysql –u root –p radius
Example 5:
# echo “insert into radcheck (username, attribute, op, value) values (‘Sam’, ‘Auth-Type’, ‘:=’,
‘Reject’);” | mysql –u root –p radius
Example 6:
Sam forgets to logout and therefore has an idle session and you want to automatically log Sam off if
the session is idle longer than 120 seconds:
# echo “insert into radreply (username, attribute, op, value) values (‘Sam’, ‘Idle-Timeout’, ‘=’, 120);” |
mysql –u root –p radius
Note a couple things: the equal sign is an ‘=’ sign and not a ‘:=’, the time is listed in seconds and the
entry is into the table radreply and not radcheck.
Example 7:
You want to limit Sam’s sessions to 10 minutes each. In other words, after Sam has been logged in
he will be automatically logged out after 10 minutes. If Sam logs out and back in, he will get another
10 minutes.
# echo “insert into radreply (username, attribute, op, value) values (‘Sam’, ‘Session-Timeout’, ‘=’,
600);” | mysql –u root –p radius
The final part which, is optional, is to get chilli to start at boot time. Edit the following file:
$ sudo /etc/init.d/chilli
By the way, if you don’t want chilli to start at boot time and you’ve entered the above command already
you can reverse it by entering the following:
By now you should have a working hotspot powered by CoovaChilli on your Raspberry Pi. Please feel
free to edit this document to improve on it as you see fit. Enjoy!