How to handle captive portals without vulnerability?

tsaylor · 2016-09-07T14:57:24.000Z

I’m using the MT300A to add a VPN to my otherwise insecure access (hotel, cafe, etc), and it works amazingly well for this! Such a great device. But I’m concerned about the time during initial connection, where some unknown number of Windows apps may be sending data over an unsafe connection. So I enable the “Force VPN” setting to disallow traffic before the VPN connection. This solves the problem, but what about the many hotels that use a captive portal and require a login (enter last name and room number for example), before granting internet access?

So, first question: Is it possible to log into a captive portal while the “Force VPN” setting is enabled? I’m guessing this doesn’t work, but I’m also thinking this sort of thing should be possible if it allowed just one IP through for this purpose (possibly any IP since the captive portal will catch it). Or maybe it is possible to get around the captive portal if the VPN connection is done by IP address?

Second question: If it isn’t possible to connect to the portal under “Force VPN”, then I’m wondering if anyone has ever created a “proxy” for the captive portal prompts. That is, a script that runs on a router and talks to the captive portal form, then asks the user for the answers (basically the text to put in the boxes and the button to click). The router GUI could present that information. The benefit is that we could perform the captive portal login indirectly, without exposing the PC (as the PC is talking only to the router at that point). I’m not sure if I worded that well enough, but it seems very possible to write something like this (yet I haven’t heard of it… anyone else hear of this?).

alzhao · 2016-09-08T23:29:36.000Z

Seems there is no easy solution for this.

For the 2nd question, maybe this is difficult because a captive portal can really be customised, which it is really hard to do this job automatically.

For the 1st question. One solution is that you connect using your phone and authorise you MAC address then clone it to the router. But you will worry about your phone have unsafe connection. Another solution is that we use a script to check if there is captive portal and then only authorise connection to the captive portal for all http connections. I think this could be done. The router can control which traffic goes to VPN and which goes to normal Internet depends on protocol, ip address etc.

tsaylor · 2016-09-09T01:24:10.000Z

Thanks alzhao for your thoughtful reply! Yes, I think that my idea of a script that does some “scraping” looking for input fields could work for most portals but it would never be 100%. And using a different device such as a phone helps a bit but is still insecure during the initial phases. The router is really in the best position to handle this, so if we could somehow extend the “Force VPN” logic that would be excellent!

I like your suggestion that the router could check whether a captive portal exists (probably by checking whether connecting to some known site is actually being sent elsewhere), and then deny any traffic going to any other location. I haven’t studied captive portals enough to know the best approach, but it seems to me that we would need to allow access to only one DNS name (and/or IP address). The captive portal might be doing a redirect, so it may not be as simple as only allowing the browser to use one name/ip, but perhaps the router could make its own request (curl, etc) to determine that.

If you are willing to add something like this to the “Force VPN” support, that would be excellent! If not, then allowing us to extend that logic could also let us solve this (please let me know if there is already a way to hook into that logic and add a script – or is that more a matter of generating custom iptables rules? hmm, perhaps it is possible in that way, could be an interesting project)…