StudNET Studentenwohnheim Leipzig

Why is it worth talking about a student dormitory in Leipzig, Germany? My sister was accepted to study Veterinary Medicine in Leipzig, and she got a room in a dormitory. They call their network studNET. The good news: it's free. The bad news: their authentication is complete nonsense.

Authentication

The administrators' idea is to connect a device to the network outlet and then keep an ssh connection constantly open to a server to stay authenticated. For Windows they offer software which does this for you. It runs as a daemon, connects to their server and keeps the connection open. For Linux, Johannes Matschke wrote a tool that does this; it is a 15 year old, unmaintained PHP CLI tool. Something similar has been implemented for Linux as a daemon. Nothing I can hand to a medicine student without deeper technical knowledge.

Note that after the ssh connection is established, instead of a shell a script is executed that shows some information and takes your IP to authenticate against their so-called firewall. As long as the connection is open, the script is running and internet access is granted. If a second connection is established with the same credentials, the first one is killed.

In 1997 their ssh authentication might have been state of the art, but in 2024 it definitely is not. Since WiFi is a thing now, and no one is using their old EATX tower PC wired to a wall socket to ssh-authenticate with their firewall server, a better solution must be found. The Studentenwerk says that you can hook up a WiFi router, connect via ssh and use the sweet sweet WiFi. The router then functions as little more than an access point; all DHCP is done on the device based on their DHCP server setup. This is also possible via an Android app, and probably also via an iOS terminal emulator app.

Ok fine. An old AVM FritzBox hooked up to the network outlet and connected to the WiFi, authenticated via ssh on her MacBook. It worked. Yay. But after some minutes the connection timed out and she had to reauthenticate. Also, authenticating on every device is a pain in the ... you know. Every device, every time. Ever. Updates overnight? Push notifications? No way. Answer a FaceTime call on the iPhone? Mobile data is used until you authenticate again.

No proper subnet, no cloud sync, no local network, no handover, no local anything. Can't give access to a friend. You get the idea.

How does their Firewall Thingy work?

My understanding is that if you follow their tutorial and set up the DHCP settings for your device, your device joins their LAN. Through the ssh call ssh your_rent_number@their_firewall_thing they get the IP that is authenticating against their server and grant it access to the internet.

What could be done?

My Criteria:

  • no manual ssh authentication
  • automatic authentication on device start/first connect/wifi logon
  • automatic reauthentication
  • no setup on every device
  • WiFi
  • closed local area network
  • easy access (for friends)

It's basically everything you would expect from a modern home network. Nothing fancy, just a standard, functional and convenient network.

It is possible to build fancy stuff with a Raspberry Pi running in access point mode and so on. Every cheap mini PC could do the job. But it needs to be reliable and also understandable for a non-technical person, and it should have better WiFi than a Raspberry Pi or a cheap dongle. The FritzBox used earlier would work, but then a second LAN card would be needed. She does not pay for power, so if they only provide stupid internet access, why should I bother? But I do. Because this seems error-prone to me, and I would need to buy a USB Ethernet adapter for the access point, which will be around €15.

What I will do

My sister will receive my cheap Chinese WiFi router with OpenWRT support, a GL.iNet GL-A1300. Their cheapest model, the GL-SFT1200, can always be found on the internet for around €30. I got the one off Amazon because it ships faster, so she does not need to wait that long, and it is easier to send back if my ideas don't work. Then I will use the Linux daemon tool to authenticate the router. Because it is a Linux device it should work. I can easily connect to their DHCP stuff, run the authentication daemon and create a subnet.

How to do it yourself

Log into the WiFi and hook up the router's WAN port to the network outlet. Make sure to use the left outlet if a multi outlet is provided in your room. Configure the external WAN of OpenWRT via the UI or CLI and connect to the router via ssh.

Then on your system, ssh onto the router. Use the password you set up and use for the UI.

ssh root@192.168.8.1

On the router, install sshpass for programmatic ssh password input. We also install the OpenSSH client to replace the dropbear client, because dropbear lacks some functionality we need (proper forced pty/tty allocation). I used nano as an editor, so my sister is able to edit the files herself.

opkg install sshpass nano openssh-client

Put the shell script into /usr/bin/studnetauth so it is on the path:

#!/bin/sh

echo "studnetauth started"
# Keep the session open: -t -t forces a pty, ServerAliveInterval keeps the link alive
SSHPASS=PASSWORT sshpass -e ssh -t -t -o StrictHostKeyChecking=no -o ServerAliveInterval=30 RENT_NUMBER@FIREWALL_IP
echo "studnetauth exited"

Make sure to replace PASSWORT, RENT_NUMBER and FIREWALL_IP with the proper values. You need to look these up here.

Security notice: your password is stored in clear text on the router. Everyone with physical or authenticated network access to the device will be able to read it. We also accept any remote host key, no questions asked.

You can check the logs with

logread | grep studnetauth

and reload the config with

service studnetauth reload

and restart the service with

service studnetauth restart

Make sure the script is executable:

chmod +x /usr/bin/studnetauth

And test if the authentication works. The first time, you need to accept the ssh host key. Just type yes and return to accept it. The host key will be added to your known_hosts.

If ssh RENT_NUMBER@FIREWALL_IP goes through (and the host key has been put into the known_hosts file) and you can now use the internet on your device, test once again with the script on the path:

studnetauth

If this also works you can put the script into the startup of the router.

Put the service config into /etc/init.d/studnetauth

#!/bin/sh /etc/rc.common

START=95

USE_PROCD=1

start_service() {
    procd_open_instance
    procd_set_param command /usr/bin/studnetauth  # Path to your executable
    procd_set_param respawn 1 1 0  # Test every 1sec if failed, delay before restart
    procd_set_param stdout 1
    procd_set_param stderr 1
    procd_close_instance
}

Make it executable

chmod +x /etc/init.d/studnetauth

Then start and enable the service

service studnetauth enable
service studnetauth start

To make sure we do not run into a timeout because no packets are sent, we ping 1.1.1.1 every 10 seconds:

Put the shell script into /usr/bin/studnetping so it is on the path:

#!/bin/sh

echo "studnetping started"
# Send one ping every 10 seconds, waiting at most 2 seconds for each reply
ping -W 2 -i 10 1.1.1.1
echo "studnetping exited"

Make sure the script is executable:

chmod +x /usr/bin/studnetping

Test it with:

studnetping

If this also works you can put the script into the startup of the router.

Put the service config into /etc/init.d/studnetping

#!/bin/sh /etc/rc.common

START=95

USE_PROCD=1

start_service() {
    procd_open_instance
    procd_set_param command /usr/bin/studnetping  # Path to your executable
    procd_set_param respawn 1 1 0  # Test every 1sec if failed, delay before restart
    procd_set_param stdout 1
    procd_set_param stderr 1
    procd_close_instance
}

Make it executable

chmod +x /etc/init.d/studnetping

Then start and enable the service

service studnetping enable
service studnetping start

Make sure both services are started correctly and the internet is working. Now the router should authenticate itself and retry authentication on failure. Unplug the router and plug it back in to test that the service authenticates after startup.
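To address the security notice above (clear-text password inside the script, any host key accepted), here is a hardened variant of studnetauth as an added example; it is not code from the original post. It assumes a hypothetical root-only config file /etc/studnet/auth.conf and reuses the host key that the first manual login recorded in /root/.ssh/known_hosts; the STUDNET_CONF and STUDNET_KNOWN_HOSTS overrides are my own.

```sh
#!/bin/sh
# Hardened studnetauth: added example, not from the original post.
# Hypothetical layout: /etc/studnet/auth.conf (mode 600) holds RENT_NUMBER=,
# FIREWALL_IP= and PASSWORD= lines; the host key pinned in /root/.ssh/known_hosts
# is the one the first manual ssh login recorded, so a changed key aborts.
CONF="${STUDNET_CONF:-/etc/studnet/auth.conf}"
KNOWN_HOSTS="${STUDNET_KNOWN_HOSTS:-/root/.ssh/known_hosts}"

# Return 0 only if the file exists and is readable by its owner alone.
secret_file_ok() {
    [ -f "$1" ] || return 1
    perm=$(stat -c '%a' "$1") || return 1
    case "$perm" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Read KEY=VALUE from the config without sourcing it as shell code.
read_conf_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Print the ssh command for rent number $1, firewall $2, known_hosts file $3.
# Strict host key checking: a missing or changed key fails the connection.
ssh_cmdline() {
    printf 'ssh -t -t -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s' "$3"
    printf ' -o ServerAliveInterval=30 -o ServerAliveCountMax=3 %s@%s' "$1" "$2"
}

main() {
    secret_file_ok "$CONF" || { logger -t studnetauth "refusing to start: $CONF must be mode 600"; exit 1; }
    [ -s "$KNOWN_HOSTS" ] || { logger -t studnetauth "no pinned host key in $KNOWN_HOSTS, log in manually once"; exit 1; }
    rent=$(read_conf_value "$CONF" RENT_NUMBER)
    fw=$(read_conf_value "$CONF" FIREWALL_IP)
    SSHPASS=$(read_conf_value "$CONF" PASSWORD)
    export SSHPASS
    logger -t studnetauth "authenticating $rent against $fw"
    # Word splitting of the printed command line is intended here.
    sshpass -e $(ssh_cmdline "$rent" "$fw" "$KNOWN_HOSTS")
    logger -t studnetauth "ssh session ended with status $?"
}

# Run main only when invoked as the installed studnetauth; when the file is
# sourced (e.g. for testing) it just defines the functions above.
case "$0" in
    */studnetauth|studnetauth) main ;;
esac
```

Create the config with umask 077 before writing it and keep the same /etc/init.d/studnetauth service file; with StrictHostKeyChecking=yes a changed firewall host key now shows up in logread instead of being accepted silently.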

Have fun with your new home network.

OpenWRT in VirtualBox

Use VBoxManage convertfromraw --format VDI openwrt.img openwrt.vdi to convert the img to a vdi. In the network settings, set Adapter 1 to Bridged Adapter and select your network device by name. Enable Adapter 2 and do the same. Add the created openwrt.vdi as storage and reboot.