Feature Request Thread For Firmware v3

@Johnex looks good – thx!

This sounds great and I saw the post on Cloudflare’s blog with a few details. I hope this is compatible with captive portals or has a way to see if the IPs are unreachable for easy troubleshooting.

Isn’t AP isolation just a simple option in UCI?

Good question. This is indeed a problem. Considering how to solve this.

There are two main problems I’ve been struggling to solve that don’t have a native solution (as far as I know). I know there have been some efforts to improve these areas but they are tricky:

  1. How to initially authenticate the router to a captive portal
  2. At the same time, how to prevent my PC from connecting to dozens of sites automatically before I’ve established the VPN

What I’ve been doing (still not a 100% clean solution but the best I’ve been able to think of so far) is adding tinyproxy to the mini router, and configuring a browser extension on my PC with a separate profile that uses only that proxy. Then I configure the router to reject all connections other than that proxy (I used the side switch to enter that mode).

With that in place, when establishing a new connection (say at a hotel), I use my alternate browser profile to connect through the proxy (different port number) and do the captive portal login. Once that is successful (and of course there are still some portals where that will fail for some reason), I can flip the switch to enable the VPN and then the internet should work normally from my client machines.

What do you think of this solution? Or do you have a better suggested approach? And if you like my suggestion, my more specific request would be to install/configure the proxy support by default and then add an option to disable all non-proxy access until a connection has been established (or possibly until the switch is flipped).

I think this is too complicated for the user to use the router. The router should work as a transparent proxy and it should do everything itself.

An ideal solution is to develop on the router:

  • Detect if there is a portal and resolve the link
  • Only allow data to the portal itself before authentication
  • After authentication, it allows all data to vpn
  • The router itself should not work behind the vpn so that it can detect the status of the Internet
  • It is better to pop up the portal page on user’s device because it may ask for username/password, given by the hotel
  • The router itself should be able to pop up a window if Internet or VPN is down. So the user knows why he doesn’t have Internet.

Although not implemented, I think this is possible and we will go this direction.

1 Like

Thanks alzhao! There is definitely some complexity there, trying to handle all the different portal schemes out there. But I’m glad to see you thinking in that way, and I would be very happy to see you doing something in that direction. :+1:

@alzhao

Maybe you know how Captive Portal Detection works but it’s quite simple.
To test if there is internet on connection, try to access a well known page. For example:
detect.gl-inet.com or something like this.
The router gets a static page that the router also has, and you compare the 2. If you don’t get the same page, it means there is a captive portal that has modified the request.

Then you do all of what you wrote above.

The router could basically do the same, replace all requests the user tries to make in their browser with a GL-iNet mini portal, telling the user they need to sign in to the captive portal, similar to the popup you get on Android. In a frame show the captive portal or just let the captive portal do the rebinding for all.

1 Like

Yes, this should be the mechanism. But there are different portals, some use a local webpage, some use a remote web page and some use dns which cannot be resolved simply.

I think this is quite complicated to develop for different cases. But it is worth trying. We will do it later.

Using Wireshark it’s easy to check how different devices are doing. They do like I wrote you.
Local, Remote or DNS can all be detected like I wrote. You compare locally on the router the result.

Some devices:

  • Android Captive Portal Detection

    clients3.google.com
    
  • Apple iPhone, iPad with iOS 6 Captive Portal Detection

    gsp1.apple.com
    *.akamaitechnologies.com
    *.apple.com
    
  • Apple iPhone, iPad with iOS 7, 8, 9 and recent versions of OS X

    *.appleiphonecell.com
    *.apple.com
    www.itools.info
    www.ibook.info
    www.airport.us
    www.thinkdifferent.us
    *.apple.com.edgekey.net
    *.akamaiedge.net
    *.akamaitechnologies.com
    
  • Windows

    ipv6.msftncsi.com
    ipv6.msftncsi.com.edgesuite.net
    www.msftncsi.com
    www.msftncsi.com.edgesuite.net
    teredo.ipv6.microsoft.com
    teredo.ipv6.microsoft.com.nsatc.net
    

On the other hand, what is hard is to detect what is a portal, and what is a Man In The Middle Attack :stuck_out_tongue:
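
Added example (not part of any post in this thread, and not GL.iNet code): a sketch of the compare-against-a-stored-copy probe described in the posts above, run against constructed loopback servers that stand in for an open network, a redirecting portal and a content-rewriting portal. The probe body, the `/probe` path and `portal.example` are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit
EXPECTED = b"probe-ok\n"  # constructed: the router's stored copy of the probe page

def probe(url, expected=EXPECTED, timeout=3.0):
    """Return (state, portal_url) where state is 'open', 'portal' or 'offline'."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")  # plain HTTP, redirects are not followed
        resp = conn.getresponse()
        status, location, body = resp.status, resp.getheader("Location"), resp.read(65536)
    except (OSError, http.client.HTTPException):
        return "offline", None  # DNS failure, refused or timed-out connection
    finally:
        conn.close()
    if status in (301, 302, 303, 307, 308) and location:
        return "portal", urljoin(url, location)  # portal announced itself by redirect
    if status == 200 and body == expected:
        return "open", None
    # Altered answer: shows something in the path rewrote it, not who or why.
    return "portal", None

def fake_network(status, body=b"", location=None):  # constructed loopback stand-in
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.end_headers()  # HTTP/1.0: body ends when the connection closes
            self.wfile.write(body)
        log_message = lambda self, *args: None  # silence per-request logging
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/probe" % srv.server_address[1]

def demo():
    cases = {"clean": (200, EXPECTED), "rewritten": (200, b"<html>Sign in</html>"),
             "redirect": (302, b"", "http://portal.example/login")}
    results = {name: probe(fake_network(*args)) for name, args in cases.items()}
    dead = HTTPServer(("127.0.0.1", 0), BaseHTTPRequestHandler)  # learn a free port
    dead.server_close()  # then release it so nothing is listening there
    results["dead"] = probe("http://127.0.0.1:%d/probe" % dead.server_address[1])
    return results

if __name__ == "__main__":
    print(demo())
```

On a router this probe would have to leave through the WAN interface rather than the VPN tunnel, which is the point made earlier in the thread about the router itself not sitting behind the VPN.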

Having an exclusion list of network ranges and domain names for the VPN would be really nice. For example, being able to exclude services that detect a VPN (e.g. Netflix) and bypass VPN for those. It’s not particularly difficult to do with the route tables yourself, but having a UI and automation would make it a lot more usable for normal users.

Added to the list @zwoop

WIREGUARD IN GUI as LEDE instructions are too difficult even on current AR-750 although I managed to get it working it took me 2 days!!
Please allow to work with MULLVAD WIREGUARD VPN
Thanks
Looking forward to this feature on AR-750 SLATE already pre-ordered!

It supports mullvad and azirevpn provider on ar750s.

I would like to have the VPN activation changing the led color of the router.
Then we know when the VPN is connected and when it is not, so we can troubleshoot more easily. Like if it turns blue, VPN is on.

The reason is that I would like to have 2 networks. One directly connected to the internet and the other one using VPN, so I can connect the chromecast and other devices that require breaking the geolocation filter.

Adblock doesn’t seem to work.
I tried to install the package and no ads were blocked.

Connect to TOR network.
Aside from the VPN, it would be nice if the router can connect to TOR. Sometimes VPNs are blocked by the network admin. Tor becomes an application level alternative.

Informative statistics and graphics.
LuCI statistics page is really bad and only available after a few clicks.
I would like to see those statistics directly in the mobile.

Speed test and network diagnosis
It would be nice to have a preconfigured speed test application, one from the router to the station. Another from the router to the internet. Just to isolate wireless network and internet link issues.

Cache.
With an SD card we have plenty of space for caching. Having to apt-get/yum packages many times in many machines is annoying. Optional caching with Squid or an alternative can help improve the user experience.