Raspberry Pi, CoovaChilli and Freeradius for a Wifi Hotspot with captive portal

For an automatic install of the hotspot, read this post.

 

Some time ago I showed you how to create a WiFi access point with PHP and control the connections. The principle was simple, but so was the result. So today we will install a much more powerful tool : CoovaChilli.


Warning : this article is long, really long…

What is CoovaChilli ?

CoovaChilli is the open-source version of the ChilliSpot project. It offers a user interface to authenticate users who connect to a hotspot (not necessarily Wifi). It has the advantage of not requiring specific kernel modules. AAA management is delegated to a RADIUS server (local or not), and it also supports OAuth authentication (not tested by yours truly).

In short, it does everything you need to manage your hotspot (including 802.1x or MAC address authentication) !

What is FreeRadius ?

FreeRadius (an open-source implementation of the RADIUS protocol) gives your server/machine a network protocol used to manage authentication and user accounts. It controls access (authentication), but it also monitors usage and applies authorization or rejection rules based on attributes such as time, duration, volume of data, etc. This is the famous AAA : authentication, authorization, and accounting.

Installation

What you'll need :

  • One Raspberry Pi with its SD card (minimum 2Gb)
  • One Wifi adapter. Remember to check its compatibility with the Raspberry at the time of purchase ! Moreover, the size of the dongle affects its range and throughput. You could pick a Wifi dongle with an integrated antenna. In this case a powered USB hub may be useful.
  • An Ethernet cable to connect the Raspberry to your router. It is through this connection that the Raspberry gets Internet access (and SSH must be available)

The hotspot clients connect through the Wifi interface. The Raspberry must be connected to the Internet via the Ethernet cable. Moreover, it is through this cable that I connect via SSH for the installation and configuration.

For the operating system, I installed a minimal Raspbian over the network so that it is up to date. You will find all the steps here.

The Wifi

This step sets up your Wifi dongle so that it can act as the hotspot. I use a Ralink RT5370 dongle:

Ralink Technology, Corp. RT5370 Wireless Adapter

As this component is not supported by default, it was necessary to add a kernel module :

  1. Download the module to support the RT2870 (if you need it !)
    wget "http://git.kernel.org/?p=linux/kernel/git/firmware/linux-firmware.git;a=blob_plain;f=rt2870.bin" -O /lib/firmware/rt2870.bin
  2. Disable turbo mode, which causes stability problems (if you use a dongle with an RT2870 chipset)
    bash -c "echo options smsc95xx turbo_mode=N > /etc/modprobe.d/smscnonturbo.conf"
  3. Restart the Raspberry so that the module is fully loaded. The command “ifconfig -a” will then list your new interface.
  4. Remember to check that this dongle can be used as an access point (that's still the goal !) :
    • Download the iw tools to get information about your Wifi dongle
      wget https://www.kernel.org/pub/software/network/iw/iw-3.14.tar.gz
      tar zxvf iw-3.14.tar.gz
      cd iw-3.14
      make
    • Now you can test whether your dongle supports WiFi Access Point mode with the command iw list

      If you have "AP" (Access Point) in the supported modes, you win !
  5. Now, to configure this interface, edit the file /etc/network/interfaces and add the following configuration at the end of the file :
    auto wlan0
    allow-hotplug wlan0
    iface wlan0 inet static
        address 192.168.10.1
        netmask 255.255.255.0
        network 192.168.10.0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    

    This sets 192.168.10.0 as the network attached to the WiFi interface. Your dongle will be the router of that network. You also activate IP forwarding to link the wireless interface with the Ethernet interface.

  6. Finally, we must enable IP forwarding at system level. I think it duplicates the post-up of the interface, but better safe than sorry. Remove the # character on line 29 of the file /etc/sysctl.conf :
    net.ipv4.ip_forward=1

    To apply it immediately, run the command

    /etc/init.d/networking restart

Freeradius

  1. Prepare the package installation. The MySQL password is set to “raspbian”. Of course you can use whatever you want, but remember to change the value in the various database commands below.
    apt-get install -y debconf-utils
    debconf-set-selections <<< 'mysql-server mysql-server/root_password password raspbian'
    debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password raspbian'
    apt-get install -y debhelper libssl-dev libcurl4-gnutls-dev mysql-server freeradius freeradius-mysql gcc make libnl1 libnl-dev pkg-config iptables
  2. FreeRadius configuration :
    1. Create the MySQL database dedicated to FreeRadius. You will need the password that was set during the MySQL installation.
      echo "create database radius;" | mysql -u root -praspbian
    2. Install the radius schema into the database we just created
      mysql -u root -praspbian radius < /etc/freeradius/sql/mysql/schema.sql
    3. Install the administration part. This will create an administrative user and give it all the necessary rights.
      mysql -u root -praspbian radius < /etc/freeradius/sql/mysql/admin.sql
    4. Installing additional tables for NAS
      mysql -u root -praspbian radius < /etc/freeradius/sql/mysql/nas.sql
    5. Edit the file /etc/freeradius/radiusd.conf to load the SQL module by uncommenting line 700.
    6. You must enable authentication against the MySQL database. To do so, edit the file /etc/freeradius/sites-enabled/default and look for the lines where sql is commented out. On my system I found three of them, at lines 177, 406 and 454. Uncomment them by removing the # at the beginning of each line.
    7. You can now test your configuration by stopping FreeRadius and restarting it in debug mode.
      service freeradius stop

      then

      freeradius -X

      If you get no error, champagne !

    8. Now let's run a connection test. For this, we will create a test user usertest with the password passwd
      echo "insert into radcheck (username, attribute, op, value) values ('usertest', 'Cleartext-Password', ':=', 'passwd');" | mysql -u root -praspbian radius

      And now to test you use the command

      radtest usertest passwd localhost 0 testing123

      The value testing123 comes from the configuration file /etc/freeradius/clients.conf. It is the shared “secret” used to secure the connection between FreeRadius and what is called the NAS, which captures the connections.
      You will need to change this value when you install your “production” hotspot !

CoovaChilli

  1. Compilation and installation of CoovaChilli
    1. Download the archive
      cd /usr/src
      wget https://coova.github.io/Download/coova-chilli-1.3.0.tar.gz
      tar zxvf coova-chilli-1.3.0.tar.gz
      cd coova-chilli-1.3.0
    2. Start the configuration for compilation
      export CFLAGS="-Wno-error"
      # Single quotes keep ${prefix} literal so that configure expands it itself
      ./configure  --prefix=/usr --mandir='${prefix}/share/man' \
      --infodir='${prefix}/share/info' \
      --sysconfdir=/etc --localstatedir=/var --enable-largelimits \
      --enable-binstatusfile --enable-statusfile --enable-chilliproxy \
      --enable-chilliradsec --enable-chilliredir --with-openssl --with-curl \
      --with-poll --enable-dhcpopt --enable-sessgarden --enable-dnslog \
      --enable-ipwhitelist --enable-redirdnsreq --enable-miniconfig \
      --enable-libjson --enable-layer3 --enable-proxyvsa --enable-miniportal \
      --enable-chilliscript --enable-eapol --enable-uamdomainfile \
      --enable-modules --enable-multiroute
      
    3. Change the compatibility level for the compilation
      echo 9 > debian/compat
    4. Change the directory where the package will be installed by editing line 54 of the file /usr/src/coova-chilli-1.3.0/debian/rules :
      $(MAKE) DESTDIR=/ install
    5. Start the compilation
      dpkg-buildpackage -us -uc

      You should get a package ready for installation (after 15 minutes on a model B 512Mb)!

    6. Install the package
      cd ..
      dpkg -i coova-chilli_1.3.0_armhf.deb

      Answer Y when asked. The error at the end is normal because CoovaChilli is not configured yet (I hope)

  2. Compilation and installation of Haserl. This tool generates CGI scripts from UNIX shell or Lua scripts. It is required for CoovaChilli to work.
    1. Download haserl
      cd /usr/src
      wget http://downloads.sourceforge.net/project/haserl/haserl-devel/haserl-0.9.35.tar.gz
      tar zxvf haserl-0.9.35.tar.gz
      cd haserl-0.9.35
    2. Compile and install haserl
      ./configure && make && make install
  3. Configure CoovaChilli
    1. At the end of /etc/chilli/up.sh file add the line
      iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE

      This forwards the traffic arriving over WiFi to Ethernet

    2. In the file /etc/default/chilli replace
      START_CHILLI=0

      with

      START_CHILLI=1

      This allows CoovaChilli to start at boot

    3. In the file /etc/chilli/wwwsh you must give the exact location of haserl on line 9
      haserl=/usr/local/bin/haserl
    4. The file /etc/chilli/config is the main Chilli configuration. This is where you define which interfaces are used, which network, etc. Some of the following values are commented out by default, so remove the # at the beginning of the line where necessary. Note that these values are not grouped in the same place in the file.
      HS_WANIF=eth0
      HS_LANIF=wlan0
      HS_NETWORK=192.168.10.0
      HS_UAMLISTEN=192.168.10.1
      HS_UAMALLOW=192.168.10.0/24
      HS_SSID=PiHomeServerAP

      The details of the configured settings :
      HS_WANIF is the interface connected to the Internet
      HS_LANIF is the Wifi/Hotspot interface
      HS_NETWORK is the hotspot network
      HS_UAMLISTEN is the hotspot network gateway
      HS_UAMALLOW is the hotspot network IPs allowed to connect
      HS_SSID is the SSID (does not seem to have any effect)

    5. Register the service so that it starts at boot
      update-rc.d chilli start 99 2 3 4 5 . stop 20 0 1 6 .
  4. Start the service
    service chilli start

    With the command ifconfig you should see a tun0 interface, confirming that CoovaChilli is running properly.

Hostapd

  1. To make your WiFi access point visible, we will install hostapd, which will do all the work
    apt-get install -y hostapd
  2. Edit the file /etc/default/hostapd and add at the end :
    DAEMON_CONF="/etc/hostapd/hostapd.conf"
  3. Edit the file /etc/hostapd/hostapd.conf (which does not exist yet) and copy the following lines :
    # Wi-Fi wlan interface
    interface=wlan0
    # nl80211 with all Linux mac80211 drivers
    driver=nl80211
    # Name of the Wi-Fi spot
    ssid=PiHomeServerAP
    # Wi-Fi mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g)
    hw_mode=g
    # Wi-Fi frequency channel (1-14)
    channel=6
    # Open Wi-Fi, no authentication !
    auth_algs=1
    # Beacon interval in kus (1.024 ms)
    beacon_int=100
    # DTIM (delivery traffic information message)
    dtim_period=2
    # Maximum number of stations allowed in station table
    max_num_sta=255
    # RTS/CTS threshold; 2347 = disabled (default)
    rts_threshold=2347
    # Fragmentation threshold; 2346 = disabled (default)
    fragm_threshold=2346
  4. You can manually start the service
    service hostapd start

Here we reach the end of the configuration ! Phew ! It's time to test the connection (with the user created above : usertest / passwd) :

  1. Connect to the access point
  2. A redirection window opens automatically (on my Mac; on iPhone / iPad / Windows you have to try to access the Internet via the browser)
  3. Enter your login (usertest / passwd)
  4. You will then see pages confirming the connection
  5. The joys of the Internet through your hotspot are yours !

Bonus : daloRADIUS

Ok but some of you will ask me : “yes but how do I manage users ?”, “do I have to run a SQL query every time ?”. In theory yes ! There is no default interface for FreeRadius. Except that … there is software to help you, and daloRadius is one of them ! Through a web interface you will be able to manage users, their rights, logon hours, allowed data rates, etc.

  1. Install a web server. My favorite remains Nginx.
    apt-get install -y php5-mysql php-pear php5-gd php-db php5-fpm libgd2-xpm-dev libpcrecpp0 libxpm4 nginx php5-xcache
    apt-get remove -y apache2.2-bin apache2-utils apache2.2-common
  2. Download daloRadius
    cd /usr/src
    wget http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
    tar -zxvf daloradius-0.9-9.tar.gz -C /usr/share/nginx/www/
    mv /usr/share/nginx/www/daloradius-0.9-9 /usr/share/nginx/www/daloradius
    cd /usr/share/nginx/www/daloradius
  3. Add the information used by daloRadius in FreeRadius database
    mysql -u root -praspbian radius < /usr/share/nginx/www/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
    mysql -u root -praspbian
    GRANT ALL ON radius.* to 'radius'@'localhost';
    GRANT ALL ON radius.* to 'radius'@'127.0.0.1';
    exit;
  4. In the file /usr/share/nginx/www/daloradius/library/daloradius.conf.php you define the credentials used to access the database (here, the defaults)
    $configValues['CONFIG_DB_USER'] = 'radius';
    $configValues['CONFIG_DB_PASS'] = 'radpass';
    $configValues['CONFIG_DB_NAME'] = 'radius';
  5. Update the default site configuration to enable PHP support. The following is to be added (or uncommented) in the server section.
    At line 25 (still in the default site)
    index index.php index.html index.htm;

    And enable PHP support

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
  6. Restart Nginx
    service nginx restart
  7. You can now log on to http://<ip of your raspberry>/daloradius
    Login : administrator / Password : radius
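
The defaults this article relies on (the testing123 secret in /etc/freeradius/clients.conf and the radpass database password in daloradius.conf.php) are the first things to change on a “production” hotspot. The script below is an added example, not part of the original article; the function names and the audit.sh file name are hypothetical, and it only reads the two files.

```shell
#!/bin/sh
# Added example: flag the defaults used in this tutorial before production.
# Function names and the audit.sh file name are hypothetical.

# Print the value of every active (uncommented) "secret = ..." line.
radius_secrets() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1"
}

# Print the value assigned to $configValues['KEY'] in daloradius.conf.php,
# ignoring lines commented out with // or #.
dalo_value() {
    grep -F "\$configValues['$2']" "$1" |
        grep -v -e '^[[:space:]]*//' -e '^[[:space:]]*#' |
        sed -n "s/.*=[[:space:]]*'\([^']*\)'.*/\1/p"
}

# audit_defaults CLIENTS_CONF DALORADIUS_CONF
# Prints one finding per line. Returns 0 if clean, 1 if a default is still
# in use, 2 if a file cannot be read.
audit_defaults() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "cannot read $1 or $2" >&2; return 2; }
    findings=0
    for s in $(radius_secrets "$1"); do
        if [ "$s" = "testing123" ]; then
            echo "clients.conf: RADIUS shared secret is still testing123"
            findings=$((findings + 1))
        fi
    done
    if [ "$(dalo_value "$2" CONFIG_DB_PASS)" = "radpass" ]; then
        echo "daloradius.conf.php: database password is still radpass"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Run as: sh audit.sh /etc/freeradius/clients.conf \
#   /usr/share/nginx/www/daloradius/library/daloradius.conf.php
if [ "$#" -eq 2 ]; then audit_defaults "$1" "$2"; fi
```

The MySQL root password raspbian, the usertest account and the daloRADIUS administrator / radius login are stored in the database, so they have to be changed there.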

So now how to create a user ? Nothing simpler than that :

  1. Log in and go to the Management tab
  2. Enter the Username and the Password, then click on Apply. You can of course choose the password encryption type, enter information about the user and … attributes. We will come back to those later (yes, it is not finished yet !)

You can now use this identifier. It appears in the list of users with a beautiful green flag to inform you that the user is enabled.

Double bonus : attributes

We have a Wifi hotspot, an authentication service and a user management interface. But how do you define connection hours ? A connection duration ? A maximum data volume ? In short, it is not an all-inclusive open bar !

Everything is done through the attributes associated with a user. In the daloRadius interface, you can edit a user and add attributes.

For example, I add to the user pi the attribute Login-Time with the value Wk1800-2100. The user can connect from 18:00 to 21:00 Monday to Friday. You can go further : “Wk0855-2355,Sa,Su1655-2305”, weekdays from 08:55 to 23:55, Saturday and Sunday from 16:55 to 23:05.

You can find more details on certain attributes here. The most common : Login-Time, Simultaneous-Use, Expiration. Unfortunately I have not found a place where all attributes are detailed with their meanings and possible values. If you have a link please share in the comments.

If you made it to the end of this article you deserve a medal ! And you now have a hotspot with a Raspberry inside !

Next step : integrate Squid as a transparent proxy ?
