Computerglitch

An ongoing adventure

Captive Portal With PF

I needed to create a captive portal at a customer site without installing a new piece of hardware.

I decided to create an OpenBSD VM with the following configuration to make users authenticate on the gateway before being allowed internet access.

The OpenBSD VM needs two virtual NICs. I configured my networking in OpenBSD as follows:

pcn0 - 192.168.0.100
pcn1 - 192.168.0.101

The file /etc/mygate needs to have the IP of the current working gateway. Mine was:

192.168.0.10

The file /etc/resolv.conf must have the correct DNS server in it. Mine was:

lookup file bind
nameserver 192.168.0.1

First I set up pf and IP forwarding. Then I set up /etc/pf.conf with the following configuration:

ext_if="pcn0"
int_if="pcn1"
lan_net="192.168.0.0/24"

#DEFAULT DENY
block in all
block out all

anchor "authpf/*"

pass in quick on $int_if inet proto tcp from any to $int_if port ssh flags S/SA keep state

This configuration blocks everything except ssh to the firewall and inserts the authpf rules once a user authenticates on the firewall.

Once you have pf.conf set properly, it's time to configure authpf. Create the following files:

# touch /etc/authpf/authpf.conf
# touch /etc/authpf/authpf.rules

The file permissions should be:

-rw-r--r--   1 root wheel  authpf.conf  (644)
-rwxr-xr-x  1 root wheel  authpf.rules (755)

Add the following to authpf.rules:

pass in all
pass out all

Once this is all set up, restart the VM. Change the gateway on the client computers to point to 192.168.0.101; initially they won't be allowed any internet access.

To get internet access they will need to ssh to the captive portal (192.168.0.101) and log in. Once they log in, they will be allowed unrestricted access for as long as they keep the ssh session open.
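The authpf.rules above passes traffic from any host, not just the client that logged in: authpf(8) substitutes the $user_ip macro with the authenticating client's address, so a pass rule that omits it applies LAN-wide as soon as one user is logged in (authpf also expects each portal user's login shell to be /usr/sbin/authpf). The following check, added here and not part of the original post, lints a rules file for pass rules that lack $user_ip, using two constructed sample files: the post's rules and a scoped version.

```shell
# Added example, not from the original post. authpf(8) loads authpf.rules into
# a per-user anchor and replaces $user_ip with the address of the client that
# just logged in. A pass rule without $user_ip (e.g. "pass in all") matches
# traffic from every host, so one login would open the gateway for the LAN.

# check_authpf_rules FILE
# Prints every pass rule not scoped to $user_ip; returns 0 if none, 1 otherwise.
check_authpf_rules() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        # drop comments and surrounding whitespace
        rule=$(printf '%s\n' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$rule" ] && continue
        case "$rule" in
            pass*)
                case "$rule" in
                    *'$user_ip'*) ;;
                    *) printf 'unscoped rule: %s\n' "$rule"; bad=1 ;;
                esac ;;
        esac
    done < "$1"
    return "$bad"
}

# Constructed sample rule files (the real one lives in /etc/authpf/authpf.rules).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# The rules from the post: loaded per user, but not tied to that user's address.
cat > "$tmp/weak.rules" <<'EOF'
pass in all
pass out all
EOF

# Scoped version: only the authenticated client's traffic is passed.
cat > "$tmp/scoped.rules" <<'EOF'
int_if = "pcn1"
ext_if = "pcn0"
# $user_ip is substituted by authpf at login
pass in quick on $int_if from $user_ip to any keep state
pass out quick on $ext_if from $user_ip to any keep state
EOF

for f in weak scoped; do
    if check_authpf_rules "$tmp/$f.rules"; then
        echo "$f.rules: all pass rules scoped to \$user_ip"
    else
        echo "$f.rules: fix before use"
    fi
done
```

Run it on the VM against /etc/authpf/authpf.rules before enabling the portal; the macros it checks for are pf/authpf syntax, so the file still needs `pfctl -nf` for a full syntax check.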
