How to control guest users?
What is the proper location to install
Opengate?
I get a radius error message during 'make'.
Why?
How to start?
How to use executable files?
Control panel?
The authentication page does not appear.
Why?
The authentication page does not
appear(2). Why?
Socket error occurs. Why?
What is the best authentication
protocol?
Can I add transparent proxy?
Windows Active Directory?
Information sent from my PC?
Custom URLs in Opengate?
IE7 Hangs?
How to setup for Radius authentication?
Why is network access to an application
left available after closing Opengate?
Firewall for dynamic IP?
Modifying the firewall rules?
Malfunction of login page button?
Setting default connection time?
Adding other languages?
Error during "make install"?
Personalizing web pages?
"Terminate" link doesn't work. Why?
Button in httpkeep page doesn't work.
Why?
Can you recommend some PAM settings?
Why is the connection closed after
several minutes with some browsers?
I only want to show my page just once. How?
One day free usage?
The contents of index.html.var are shown
in my browser. Why?
The # mark cannot disable a line in the
config file. Why?
Why does Firefox hang when closing a
browser window?
With the Safari3 browser, the gate is
opened only for 1 minute?
How to identify Squid proxy users?
How to use ipfw tag rule?
How to control plural user groups?
How to control iPhone?
Why is the connection for some users
closed after 5 minutes?
Why Opengate cannot show authentication page
after inserting proxy?
Opengate ports restriction.
Why isn't the inserted image shown?
Why iOS cannot show accept page after
authentication?
The delay of network closing
The button 'Portal Site' is disabled
Q: I want to know whether it is possible to exclude some users from authentication by Opengate. There are some situations in which some users need to be exempted from this. An example is in the school cybercafe: Members of the university community who could not subscribe to the school network go to the cafe to buy units in order to browse the internet. They are provided with the username and password for the duration of their unit. After they have logged into the system they would have to go through the Authentication process by Opengate. It would not be good for them to have to undergo double authentication before they can access the network. I want to know if it is possible to prevent this?
Q: What is the physical as well as the logical location of the opengate system?
i.e. Is opengate implemented in the actual server (proxy server in our case) or could it be a separate server?
Also, where can I get comprehensive documentation on Opengate?
- The installation is performed on the router, based on FreeBSD.
Opengate is a program that controls the firewall rules on the router.
- If other servers can share this router machine, integration may be possible.
Or it may be realistic that the proxy machine is inserted after passing the router.
- All documents are shown in the homepage and the archive.
Q: I want to install Opengate captive portal on my FreeBSD router. But i get an error like this:
root@router: make
............
auth-rad.o(.text+0x2c): In function `authRadius':
: undefined reference to `rad_auth_open'
............
What is the problem ?
Opengate uses the FreeBSD standard radius library "libradius".
The library contains "rad_auth_open" and other functions.
FreeRadius also installs a radius library with the same name ("libradius"),
but the library does not have above functions.
You might have installed the FreeRadius library in /usr/lib, overwriting the BSD standard library.
Please install the BSD standard library in /usr/lib/ and the FreeRadius library in another directory,
such as /usr/local/lib or /usr/lib/freeradius.
Q: I've already installed opengate, how can I start it?
Do I just type "opengatesrv" or any other command or maybe just launch the rc.firewall script
that you supplied in conf?
No start operation is needed. Opengate is started as CGI.
After installation, just access an external URL from a PC using the Opengate gateway.
The authentication page will be displayed.
When "accept" is set in AuthServer/Protocol, any userid and/or password is accepted.
After the authentication, an accept page is displayed.
Q: What is the function of opengateauth, opengatefwd, opengatesrv, test-get-param, test-comm-ipfw?
Do they need to be copied to /usr/bin or /usr/local/bin or /usr/local/www/cgi-bin?
The Opengate installation is done by running "make install" and installs "opengateauth.cgi",
"opengatefwd.cgi" and "opengatesrv.cgi" to the cgi-bin/opengate directory.
The "test-*" scripts are for debugging, and not needed for normal Opengate operation.
Q: We will wait for another good development of this script.
Something like Bandwidth Management, Black List and White List User,
User History, Control Panel and Network-user Status, Blocking IP in Control Panel,
etc.
- Bandwidth management: The bandwidth can be set in ipfw rules.
- Black List User: users can be set to be permanently denied, by adding
appropriate <ExtraSet> sections to the config file.
- White List User: users can be set to be permanently accepted, by adding appropriate
<ExtraSet> sections in the config file.
However, this is not considered to be safe practice, since the userid can easily be found out.
- User History, Network-user Status, Blocking IP:
- Syslogd logs the user history.
- The command "ps ax" shows the network user status.
- Blocking specific destination IP/port can be set by ipfw rules.
Also default passing destination IP/port can also be set by ipfw rules.
- Stopping the usage of some user is done by "kill" command,
after processes listing by "ps ax".
- That said, a more "easy-to-use" interface is under development.
Q: When I open the browser, no authentication page appears, just the text below :
URI: /cgi-bin/opengate/opengatefwd.cgi?en Content-language: en Content-type:
text/html URI: /cgi-bin/opengate/opengatefwd.cgi?ja Content-language: ja
Content-type: text/html URI: /cgi-bin/opengate/opengatefwd.cgi?en
Content-type: text/html
Check the Apache configuration file "httpd.conf". Look for a line that says:
----
AddHandler type-map var
----
If the line is commented out, remove the comment mark (#).
If the line is not there, you can add it.
Q: When I open the browser, no authentication page appears, just the text below :
can't establish a connection to the server at www.xxxxxx.com
# The site could be temporarily unavailable or too busy. Try
again in a few moments.
Perhaps the error is caused by one of the following reasons.
a. The domain name cannot be resolved.
b. Address setting is mistaken.
c. Some firewall rule interupt the packet.
Please check the following.
1. Do you set up /etc/hosts?
2. Can you use DNS in the network?
3. Recheck the address setting in rc.firewall and others.
4. Recheck the firewall rules.
Q: I cannot get access to the outside network.
The following message is returned: "Error: Please contact your administrator".
Syslog shows the following:
opengatesrv.cgi[18089]: DEBUG:=>getListenPort( )
opengatesrv.cgi[18089]: socket error
opengatesrv.cgi[18089]: DEBUG:(-1)<=getListenPort( )
opengatesrv.cgi[18089]: ERR at main.c#155: cannot get unused listen port
The API "socket()" to get the IPv6 socket has failed. IPv6 may be disabled in your system.
Opengate has been tested mainly in an IPv6 environment.
No option to disable IPv6 exists in Opengate versions prior to 1.4.14.
You can try adding the following in /etc/rc.conf:
----------------
ipv6_enable="YES"
----------------
To avoid getting the error, switch to Opengate version 1.4.14 or later.
Q: What is the best of authentication protocols? Is it pop3s?
If you already have a pop server setup for your users, "pop3s" is an easy and secure solution to use.
We, ourselves, have changed the authentication to a ldap server for the following reasons:
(1) Our user information is being integrated to the ldap server.
(2) The pop server gets overloaded with processing of huge mails.
Radius is also used for many sites.
Q: Can i add a transparent proxy if the user passed the authentication ?
This can be realized by editing the ipfw TAG rules. Please change the default TAG rule "60000 allow ip from any to any tagged 123". The revised rules might be the "forward" rules for http/https protocol and the "pass" rules for other protocol. Or you can change the insert rule as follows. A Perl script "/etc/opengate/ipfwctrl.pl.sample" is prepared for modification of insert rules. By default, this script is disabled. To enable the script, change the flag in the configuration file as follows: <IpfwScript> <Enable>1</Enable> <Path>/etc/opengate/ipfwctrl.pl</Path> </IpfwScript> Or if you can modify the C source, edit the Systeml() call in "comm-ipfw.c/comm-ip6fw.c". A more straightforward solution would be to stack the servers for Opengate and proxy forwarding.
Q: Wouldn't it be better if ldap could query user information in Windows Active Directory?
Opengate can authenticate with LDAP/LDAPS (bottom of configuration file).
This has been tested only with OpenLDAP server.
We have not tested this with Windows Active Directory.
Q: What kind of information is the JavaScript sending out from my PC? Is it secure?
The only information sent is the "Hello" message and the temporary session ID.
Communication is restricted to the server, from which the page is acquired.
Q: I entered a custom URL in httpkeep.html. However, it doesn't work properly.
Please use the full URL, including the server name, in httpkeep.html.
The variable %%OPENGATESERVERNAME%% can also be used for server name.
Q: The network closes occasionally when using IE7 on Windows Vista PCs. Is this a bug?
We fixed this bug in opengate1.4.16 and refined the fix in opengate1.4.17.
Q: How should I configure Opengate for a radius server that works as follows?
ogsrv# radtest user1 pass1 localhost 1812 test
.....
rad_recv: Access-Accept....
---
Set up /etc/opengate/opengatesrv.conf as follows:
---
<AuthServer>
<Protocol>radius</Protocol>
</AuthServer>
---
And /etc/radius.conf:
---
auth localhost:1812 "test" 5 3
---
If you use default values for port-number, timeout-seconds and retry-counts:
---
auth localhost "test"
---
Currently, Opengate does not support RADIUS accounting.
Q: I have a share from a samba server mounted on Windows XP.
However, I can still access the share after closing the Opengate web page.
I want to disconnect the share when closing the page. How can I fix this problem?
The established TCP connection is kept alive by the following firewall rule.
Please remove the following rule from /etc/opengate/rc.firewall and rc.firewall6:
### Allow TCP through if setup succeeded
$fwcmd add 60100 pass tcp from any to any established
And insert the following rules into rc.firewall.
$fwcmd add 60100 pass tcp from any 80 to any out
$fwcmd add 60100 pass tcp from any 443 to any out
As of Opengate ver.1.4.22, this is the default.
Q: I'm trying to set up an Opengate server. But the computer running it,
is connected via DSL and gets a dynamic IP every day.
How do I adjust the firewall config (rc.firewall) accordingly?
Set the outer interface and IP address to:
oif="tun0"
oip="me"
and remove the stop-spoofing rule containing ${onet}:${omask}.
Q: Is it possible to modify the firewall rules for better security control?
This item describes the rules in old versions. See How to use ipfw tag rule.
Opengate controls the firewall as follows:
1. The low priority rule intercepts the web access and forwards it to the authentication page:
ipfw add 60000 fwd localhost tcp from LOCAL_NET to any http
Where "LOCAL_NET" is your local network.
2. When authentication is passed, Opengate inserts allow rules with higher priority
than the forward rule but lower than many rules:
ipfw add RULE_NUM allow ip from CLI_ADDR to any
ipfw add RULE_NUM allow ip from any to CLI_ADDR
Where "RULE_NUM" is a rule number (default: between 10000-40000)
selected individually for each client.
"CLI_ADDR" is the client IP address used during authentication.
3. When the browser or the OS of the client is closed, Opengate removes the inserted rules:
ipfw del RULE_NUM
Make sure your added rules do not conflict with the rules described above. Other than
that you can use any rule set.
In our service, we add higher priority rules for denying insecure services and rules
for logging in rc.firewall.
Also, you can modify the rules inserted when authentication is passed. If you want
to do so, consult the Perl script "ipfwctrl.pl.sample".
By default, the firewall is controlled directly by the C program.
Q: The captive computer shows the "Login Page",
but the button on the page that starts the CGI doesn't work.
Please check the following to identify the problem:
1. Has the configuration file "/etc/opengate/opengatesrv.conf" been modified?
Your authentication server must be set at the beginning of the file.
To eliminate authentication errors, please try the following setting first:
(all users will pass the authentication check... use this for debugging
purposes only!).
<AuthServer>
<Protocol>accept</Protocol>
</AuthServer>
2. What response is shown when accessing the CGI directly with the following URL:
https://xxxx/cgi-bin/opengate/opengateauth.cgi
where "xxxx" means your Opengate server domain name or IP address.
(When the CGI works normally, the error page with message
"Retry from external site" is shown.)
3. Does the Opengate-log dump any information?
In a standard installation, this file is located in "/var/log/opengate.log"
4. Does the Apache-log dump any information?
This file usually resides in "/var/log/httpd-error.log",
but the path can vary depending on your apache configuration.
Q: Can I set the default time of any connection without doing it manually for each user?
Duration time can be set up in "opengatesrv.conf" as follows :
<!-- Allowable duration for users to use network(seconds) -->
<!-- If no connection with java/http, network is closed after this. -->
<Duration>
<Default>300</Default>
<Max>3600</Max>
</Duration>
The value <Default> is the open time duration(sec) at no input.
The value <Max> is the maximum limit of the input value.
A larger value than this turns into this value.
The max value is provided, because we think the time limit mode has less security.
If you don't care about that, set greater value.
Using the above settings, Opengate works as follows:
- If the Duration values are set:
The user can use the network for a time period of up to 1 hour(3600sec).
- If the Duration values are not set:
If java or ajax work (normally):
The user can use the network until he/she closes the browser.
If java or ajax do not work (normally):
The user can only use the network for 5 minutes(300sec).
Usually, it is not necessary to set the time.
A TCP connection with the terminal(running java or ajax code) is watched by the server process,
and the network is closed when the connection is cut off.
Without the input, the network can be used as long as the user wishes.
And it is closed when the user closes his/her web browser or OS.
The time input is used as a security measure should something malfunction.
Q: Can I add web pages in languages other than English and Japanese?
The following steps show how to add pages in Italian.
When completed, you browser can display the Italian, English,... content,
in correspondence of your browser locale settings.
1. Copy "javahtml/en/*" to "javahtml/it/"
2. Translate the files in "javahtml/it/*".
3. Add Italian language settings in "javahtml/index.html.var" as follows:
==
URI: /cgi-bin/opengate/opengatefwd.cgi?it
Content-language: it
Content-type: text/html
==
Note: The code for "Content-language:" is found in the documentation of the Web standard.
4. Add Italian language settings in opengatesrv.conf:
==
<!-- Available HTML languages (first language is used as default) -->
<HtmlLangs>en it ja</HtmlLangs>
==
Q: I have the following error when running "make install". Is the Makefile correct?
==
make install
***missing separator***
==
The Opengate software works only on FreeBSD.
Q: I want to personalize the pages to include more graphics and links.
Do not remove descriptions like %%XX%%.
These strings are variables used and modified by the cgi programs.
If you add an URL in "httpkeep.html", use the full URLdescription.
i.e. do NOT use <img src="image1.jpg">
instead use <img src="http://some.site/images/image1.jpg">
Q: I tried to close the page with "TERMINATE", but the network is still accessible without a new AUTH!
Please exit your browser or OS to close the network properly.
The terminate link should be used only in special circumstances!
Q: The button in httpkeep page does not work.
The button is programmed to pop up a browsing window,
because the httpkeep page must keep its state between browsing.
If you use a system that does not support multi-windows,
use a tab browser or set usage time in auth page.
Q: Can you recommend some PAM settings? I couldn't get PAM auth to work.
Please use opengate1.4.28 or above. There is a bug in the earlier versions.
The following is a sample setting:
/etc/opengate/opengatesrv.conf:
======
<AuthServer>
<Protocol>pam</Protocol>
</AuthServer>
======
/etc/pam.d/opengate:
======
auth required pam_unix.so
account required pam_permit.so
======
Q: When I use the network with Safari3,
I get disconnected after a while. What should I do?
Try setting a larger ReconnectTimeout value in conf file.
The default value has been changed from 10 to 180 in version 1.4.31 and above.
Q: All I need is to forward any web request to my "home page" (informative web page)
from my client to another web page just ONCE (i.e. just the initial HTTP request).
Opengate does not support such action.
Perhaps open-mode of NoCatAuth or NoCatSplash is the proper solution for you (http://nocat.net/)
If you want to use Opengate, try the following settings:
1. Modify javahtml/en/index.html and javahtml/en/index-ssl.html.
1.1 Remove auth request message and set AUP in these pages.
1.2 Replace [SEND] to [ACCEPT].
1.3 Replace userid and password field to "hidden".
<INPUT TYPE="HIDDEN" NAME="userid" VALUE="any">
<INPUT TYPE="HIDDEN" NAME="password" VALUE="any">
1.4 The duration field also can be hidden, if you do not need it.
<INPUT TYPE="HIDDEN" NAME="duration" VALUE="any">
2. Modify acceptXX.html according to your needs.
3. Modify /etc/opengateserv.conf as follows:
3.1 Configure a "free-pass" for authentication:
<AuthServer>
<Protocol>accept</Protocol>
</AuthServer>
3.2 If you do not need strict close-control,
set watch-mode to "Time" and extend the checking interval:
<WatchMode>Time</WatchMode>
<Duration>
<Default>86400</Default> <==one day(60*60*24sec)
<Max>604800</Max> <==one week
</Duration>
<ActiveCheckInterval>3600</ActiveCheckInterval> <==one hour
<NoPacketInterval>86400</NoPacketInterval> <==one day
Q: I want to permit for the authenticated user to use the network freely as long as one day. How?
Use the following settings.
set watch-mode to "Time" and extend the checking interval:
<WatchMode>Time</WatchMode>
<Duration>
<Default>86400</Default> <==one day(60*60*24sec)
<Max>86400</Max> <==one day
</Duration>
<ActiveCheckInterval>86400</ActiveCheckInterval> <==one day
<NoPacketInterval>86400</NoPacketInterval> <==one day
Q: When I initially access the network, the content of the index.html.var file is displayed in my browser.
The authentication page is not shown. Why?
Remove the comment-mark(=#) in httpd.conf:
AddHandler type-map var
Q: I added the "#" mark in conf file to change a line to a comment, but it doesn't work. Is this a bug?
No this is not a bug!
The conf file is a XML-formatted document. Use XML comments such as <!-- comment string -->
Q: Firefox2 hangs when closing a browser window.
Please disable Java in your browser settings.
This was fixed in Ver.1.4.35 by modifying httpkeep.js.
Q: When I use Safari3, an error message is shown in the httpkeep page,
and access is denied one minute after authentication.
To avoid this, please change <ActiveCheckInterval> in opengatesrv.conf from 100 to 50.
This was fixed in Ver.1.4.36.
Q: We have put a Squid proxy between the Opengate gateway and the external network.
However, the Squid log shows only the Opengate gateway external IP instead of the different user IPs.
How can we log the various user IPs?
Please disable NAT in the Opengate gateway!
The IP addresses of the user PCs will then be used/logged by the (Squid) Proxy.
Q: New version uses ipfw tag rule, but I don't know how to use it.
Opengate system inserts tag rules after authentication.
For example,
10000 count tag 123 ip from 10.10.10.250 to any
10000 count tag 123 ip from any to 10.10.10.250
where [123] is the tag-number indicated in opengatesrv.conf,
and [10.10.10.250] is the ip-address of the client.
Thus when you set up tagged rule having same tag-number rules in rc.firewall as follows
60000 allow ip from any to any tagged 123
the firewall allows all packets from/to the client after authentication.
This is a simple setting. You can set up more complicated rules.
Q: I want to control multiple user groups using a different policy. How to realize this?
Use ExtraSet defined in opengatesrv.conf.
You can define different authentication server, log, ipfw tag-number, and etc.
Groups are indicated with userID pattern (described with regular expression such as [^guest]) or with
extraID (described after userID such as [user1@guest]).
Q: When I use the network with Apple iPhone, the network is closed soon. How to fix it?
If the web browser is closed soon and the TCP connection for HTTP-watch cannot hold,
modify config file 'opengatesrv.conf' as follows to skip the HTTP-watch mode.
The item <SkipAgentPattern> indicates the regular expression of the User Agents that
is not compatible with HTTP-watch mode.
<HttpWatch>
<!-- HTTP_USER_AGENT that is not compatible with http watch mode -->
<!-- defined by "POSIX Extended Regular Expression" -->
<SkipAgentPattern>^$</SkipAgentPattern>
</HttpWatch>
Q: The network for some users is closed after 5 minutes. How to fix it?
Opengate closes the network when the Ajax request cannot be received in 5 minutes(default). Perhaps the users use the Ajax page for browsing. Please hold the Ajax page (displaying yellow bar) and browse with other window/tab. If the user uses the single process/window environment, use the time mode. Users can use time mode by entering time value in auth page. Administrator can set specific terminals to use the time mode. See previous QA [How to control iPhone].
Perhaps the proxy communication port is not 80 but 8080.
We use ipfw forward rule for port 80 to put authentication page.
Try to use forward rule for port 8080 also (If you use other port, modify the number).
Insert following rule into /etc/opengate/rc.firewall.
$fwcmd add 60100 fwd localhost,80 tcp from ${inet}:${imask} to any 8080
And in browser proxy setting, set opengate url as the site without proxy.
CHANGE IPFW DEFAULT RULES FROM
--
$fwcmd add 60000 allow ip from any to any tagged 123
--
TO
--
$fwcmd add 60000 allow ip from any to any 80 tagged 123
$fwcmd add 60000 allow ip from any to any 443 tagged 123
$fwcmd add 60000 allow ip from any to any 110 tagged 123
............................
--
Try to use absolute path in URL. Write as <img src="http://foo.bar.com/opengate/img/img0.jpg"> Not Write as <img src="../img/img0.jpg">
1) If you cancel the first authentication request and then use browsers, normal
authentication page and the accept page are shown.
2) If you reply to the first authentication, Opengate does not use HTTP-watch
mode but uses time mode to determine the usage end.
In the time mode, the network is closed after following value (seconds)
shown in opengatesrv.conf.
<Duration>
<Default>300</Default>
<Max>3600</Max>
</Duration>
Upper value is the seconds used at no time entered in authentication page.
If the user enters the required time in authentication page, the time is used
for usage limit but is restricted to the lower value.
To allow longer time, modify these values (e.g., 10800 to allow 3 hours).
3) The OS seems to show the authentication page, when the following page cannot be accessed.
http://www.apple.com/library/test/success.html
If you set a forward dummy file ('DocumentRoot'/library/test/success.html)
having the same content, the first authentication page is not shown.
At closing the tcp connection between the browser and the opengate process, opengate judges it as usage end and closes the network. But the tcp connection was interupted by some accidents. Thus, opengate waits the reconnection about 10 seconds and then closes the network.
The button may be disabled by the pop-up blocking of Google tool bar or similar tools.
Please try Ctrl+Click or Shift+Click.