Connecting to free wifi that requires simple authentication


tel

Feb 10, 2015, 11:39:20 AM
to qubes...@googlegroups.com
Imagine this not uncommon scenario:

There is a free wifi spot that I'd like to use, but I'll connect to it using a VPN. The wifi spot requires a simple authentication however (just a simple Terms and Conditions page that you have to agree to, no username, no password).

Network Manager connects to this wifi spot, but I still have to authenticate. If I open up a standard appvm (which connects via firewallvm via netvm) I can get to the Terms and Conditions page without a problem. If I want to add my vpnvm to the path (appvm -> vpnvm -> firewallvm -> netvm) the appvm won't connect to the VPN because there's no way to authenticate the vpnvm to the free wifi. At some point in this chain, I still have to authenticate the wifi network, but I'm unsure how and where to do it. 

Any thoughts on this?

Marek Marczykowski-Górecki

Feb 10, 2015, 11:43:44 AM
to tel, qubes...@googlegroups.com
In such case, you can simply start a web browser in netvm (for only this
one purpose). Because of limited memory, something small, like
text-based w3m or links is a good choice.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

ora...@riseup.net

Feb 10, 2015, 12:02:05 PM
to qubes...@googlegroups.com
Marek Marczykowski-Górecki:
> On Tue, Feb 10, 2015 at 08:39:20AM -0800, tel wrote:
>> Imagine this not uncommon scenario:
>>
>> There is a free wifi spot that I'd like to use, but I'll connect to it
>> using a VPN. The wifi spot requires a simple authentication however (just a
>> simple Terms and Conditions page that you have to agree to, no username, no
>> password).
>>
>> Network Manager connects to this wifi spot, but I still have to
>> authenticate. If I open up a standard appvm (which connects via firewallvm
>> via netvm) I can get to the Terms and Conditions page without a problem. If
>> I want to add my vpnvm to the path (appvm -> vpnvm -> firewallvm -> netvm)
>> the appvm won't connect to the VPN because there's no way to authenticate
>> the vpnvm to the free wifi. At some point in this chain, I still have to
>> authenticate the wifi network, but I'm unsure how and where to do it.
>>
>> Any thoughts on this?
>
> In such case, you can simply start a web browser in netvm (for only this
> one purpose). Because of limited memory, something small, like
> text-based w3m or links is a good choice.
>
More generally, this is the problem of captive portals
(https://en.wikipedia.org/wiki/Captive_portal).

Tails deals with this with an "unsafe browser" only used to authenticate
with captive portals:
https://tails.boum.org/doc/anonymous_internet/unsafe_browser/index.en.html

This is because you have to connect to the captive portal without a VPN,
Tor, etc -- so in your case you have to connect to it prior to your
vpnvm in your network stack, as Marek notes. You could use a dedicated
unsafe appvm if you wanted for this purpose (appvm -> firewallvm -> netvm).

Zrubi

Feb 11, 2015, 2:09:05 AM
to qubes...@googlegroups.com
On 02/10/15 17:43, Marek Marczykowski-Górecki wrote:
> In such case, you can simply start a web browser in netvm (for only this
> one purpose). Because of limited memory, something small, like
> text-based w3m or links is a good choice.


Well, that's a really scary idea.

- netvm may come from a different template where no browser is installed at
all.

- I guess text-based browsers will barely be able to use such captive portals.


I would suggest to use a simple disposable VM (connected directly to
netvm) for captive portal instead.


--
Zrubi


Todd Lasman

Feb 11, 2015, 11:03:49 AM
to qubes...@googlegroups.com
Well, that would allow the disposable VM to access the wifi, but does
nothing for the vpnvm. Somehow, I've got to get the vpnvm to get through
the captive portal, allowing appvm's to connect to that now
authenticated vpnvm.

If I understand this correctly, the authentication has to be at the
lowest common denominator; that is, either the firewallvm or the netvm.

7v5w7go9ub0o

Feb 11, 2015, 11:58:21 AM
to qubes...@googlegroups.com
IME, the initial HTTP contact with the WAP and agreement to terms serves
to register your MAC address - from that point on your MAC is authorized
access to whatever ports the WAP allows.

So I typically bring up the Firefox dispvm; agree to their terms; then
fire up my dispVM to check mail, browser, etc.

(Some WAPs will allow only ports 80 and 443 - so I've configured my vpn
to use 443. I suppose it is conceivable that the WAP HTTP/S server will
want an occasional cookie exchange with the initial browser contact, but
I've had no problems shutting down the browser after initial authorization)
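
An added example, not part of the original thread: one way to check, after accepting the terms in the disposable VM, whether the access point is still intercepting traffic before the VPN is started. It assumes Firefox's public probe URL (`detectportal.firefox.com/success.txt`, fixed body `success`); the sample responses are constructed.

```python
import urllib.error
import urllib.request

# Assumption: Firefox's public captive-portal probe, which returns the fixed
# body "success" over plain HTTP. Any URL with a known fixed answer works.
PROBE_URL = "http://detectportal.firefox.com/success.txt"
EXPECTED_BODY = b"success"

# Constructed sample responses (not captured from a real hotspot).
SAMPLES = [
    (302, {"Location": "http://portal.example/terms"}, b""),
    (200, {}, b"<html><body>Accept Terms and Conditions</body></html>"),
    (200, {}, b"success\n"),
]


def classify(status, headers, body):
    """Return 'portal', 'open' or 'unknown' for one probe response."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and headers.get("location"):
        return "portal"  # redirected to the terms page
    if status == 511:
        return "portal"  # RFC 6585: Network Authentication Required
    if status == 200:
        # An intercepting portal often answers 200 with its own HTML.
        return "open" if body.strip() == EXPECTED_BODY else "portal"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as HTTPError instead of following it


def probe(url=PROBE_URL, timeout=5):
    """Send the probe without following redirects and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers), resp.read(4096))
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return classify(err.code, dict(err.headers), err.read(4096))
    except OSError:  # DNS failure, timeout, no route
        return "unknown"


if __name__ == "__main__":
    print(probe())
```

A result of `open` means the probe came back unmodified; `portal` means the terms page still has to be accepted from a VM that sits below the vpnvm.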


cprise

Feb 11, 2015, 11:59:16 AM
to Todd Lasman, qubes...@googlegroups.com

On 02/11/15 11:03, Todd Lasman wrote:
> On 2015-02-10 23:09, Zrubi wrote:
>> On 02/10/15 17:43, Marek Marczykowski-Górecki wrote:
>>> In such case, you can simply start a web browser in netvm (for only this
>>> one purpose). Because of limited memory, something small, like
>>> text-based w3m or links is a good choice.
>>
>> Well, that's a really scary idea.
>>
>> - netvm may come from a different template where no browser is installed at
>> all.
>>
>> - I guess text-based browsers will barely be able to use such captive portals.
>>
>> I would suggest to use a simple disposable VM (connected directly to
>> netvm) for captive portal instead.
>>
>> --
>> Zrubi
>
> Well, that would allow the disposable VM to access the wifi, but does nothing for the vpnvm. Somehow, I've got to get the vpnvm to get through the captive portal, allowing appvm's to connect to that now authenticated vpnvm.

That has worked for me to get my VPN connected. The access point usually just needs to see an acknowledgment coming from any browser at your MAC address.

Todd Lasman

Feb 11, 2015, 1:21:19 PM
to qubes...@googlegroups.com
If this is true, then problem solved. Thanks! I'll give it a try.

support

Feb 12, 2015, 6:09:50 AM
to qubes...@googlegroups.com
We are actually working on a setup for Raspberry Pi that could be
plugged into your laptop and log into the wifi for you and then create a
private WAP for your devices such that your devices never run the login
app for the public wifi. A physical proxy.