Captive portal OpenVPN (2.1)



  • Hello Board,

    We are connecting a Mikrotik board to a hosted pfSense via an OpenVPN site-to-site bridged connection over the Internet.
    With DHCP from the pfSense and all, this setup works great!
    However, the goal is to have a captive portal on this connection. After enabling the captive portal, all we get is the pfSense config GUI instead of the portal page.

    Below is the setup:

    clients LAN ----MT--10.0.8.2/24--openvpntunnel----10.0.8.1----pfsense(OPVPNServer/DHCP)----Internet

    Where should we look to correct this and get this working?

    Thanks in advance for the reply....



  • Presently this will not work without some patching.



  • Thanks for the reply.

    Is it a simple or a complicated fix? The OpenVPN tap Bridging Fix?



  • Not easy, kernel changes required.



  • mhhh let me get the point..

    wifi network---AP<---VPN-----> pfsense--- internet ??

    and you want to have the wifi network users' requests captured by the captive portal?

    I don't know if this can be done, because the captive portal works as a NAS (network access server) and afaik it recognizes users based on the MAC address to determine if they are logged in or not.

    So, for it to work, you need your clients to be able to talk with the captive portal at layer 2.

    For it to work over a VPN, you need your users to be direct OpenVPN bridged clients. If it's the router handling the VPN, then the MAC seen by the captive portal is the one from the tap0 interface on the router, and not the clients', which are NATed.

    I'm thinking this MIGHT work if on the MT board you make it bridge tap0 and the network the clients are connecting to, and then on the pfSense side have the captive portal intercept on tap0 (I don't think this can be done via the webUI).



  • It is not necessary for CP to have the MAC; you can just tell it to use only IP.



  • Thanks for the replies guys.

    We've got it working in the setup of two Vservers with pfSense back2back. In other words, 1 pfSense for the OpenVPN tunnel terminating on the LAN interface of the second pfSense with the captive portal. When it works in this setup, a CP on bridged interfaces should be possible. On a MT this is standard stuff, however lags UDP OpenVPN!
    So the goal is to get it all working on 1 Vserver!

    The IP-only remark is interesting. Thanks. However, MAC will be necessary in order to log users according to the Telecom Laws and future references and advertising. We are trying to build Free Wireless Internet access city networks based on this principle. By using OpenVPNs we can use existing infrastructures and roll out the network quickly and flexibly.



  • Hello Board,

    We've got it working as intended!
    On pfSense 2.1 beta we now have 3 OpenVPN services running, connected to 3 different Captive Portals.
    The virtual interfaces each have a DHCP range, and the squid proxy is also listening.

    The downsides are:

    • RRD graphs are not there (yet) for providing statistical information.
    • The shaper isn't working on the OpenVPN interfaces.
    • IPv6 isn't working in conjunction with OpenVPN and/or captive portal.

    I'm sure this is only a matter of time!

    Thanks for delivering a stable box of Pandora!

