Selfhosting @ home & staying online - at all costs

... cause there is no fun with unreachable hosts!

Initial writeup: 2024-12-26

The Situation

Regular readers of this gemlog (are there any?) have probably already stumbled accross my other post

=> Selfhosting - a retrospective

where I describe the reasons why I choose to self-host at home.

In the meantime, a new challenge has popped up:

Staying online.

Without trying too hard to doxx myself, I'll have you know that my apartment comes with "bundled internet". That is: I need not (and should not) care about my internet connection, because there already is a router present in my apartment that I can use.

Any john or jane doe would not care - after all, they "just need internet", sometimes. I do not consider myself to be part of that demographic though; I need internet all the time for previously mentioned reasons.

Now, my landlord does not manage all that spooky networking stuff by themselves. Of course: they have some external provider that also provides the routers / access points that the tenants are obliged to connect to. Ironically, this provider's main business are hotel networks (side note: I do not live in a hotel) and thus, the network authentication is implemented hotel-style:

using a captive portal.

A captive portal! YIKES! For my home internet. Yeah. I am planning to move out sometime, but in the meantime, I need internet.

Breaching captivity

Now of course, captive portals are designed for "manual", in-person authentication. Who am I to do this? I can't just teleport myself home any time I am not to quickly type my 6-letter&digit code into that dumb fucking captive portal. (As you can figure from my apparent anger, I have banged my head against my unreachable @home server many times already (remotely).)

I have to rummage in my toolbox!
... what do I find?
CURL!

An easy way to authenticate in an "automatic" way is to "record" the authentication process when done in a browser via the developer console to then replay all HTTP headers and whatnot via CURL. In my case, the provider implements "authentication" via a HTTP POST where my passphrase is added to the URL, via application/x-www-form-urlencoded.

For instance: 

curl -L -X POST "http://example.captive.portal/login" \
    -H "Host: example.captive.portal" \
    -H "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/110.0" \ # Probably wise to look like Firefox on Windows. Maybe Chrome is better though?
    ... more generic browser headers ...
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "Content-Length: " \
    -H "Origin: http://example.captive.portal" \
    -H "Connection: keep-alive" \
    -H "Referer: http://example.captive.portal/login" \
    -H "X-Fuck: You" \ # no, don't use that in production.
    --data "username=myuser&password=supersecret"

Now, this is only a toy example, and this is not exactly what I use. But it should get the idea accross. Given that we pass the -L flag to follow redirects, a standard captive portal should accept this attempt at authentication, and as a result, our MAC-address should get whitelisted. Hooray! MAC-based authentication...

Speaking of MAC-addresses: it is probably wise to start rotating them once you (or your computer) detects that the sacred provider has deemed you unworthy of further access to the interwebz, for that extra pinch of obfuscation. This is relatively straightforward, it just depends on what kind of NetworkManager you use on your system. It is out of scope of this post.

For checking whether or not there is "internet access", the answer is not as straight forward as any layman might think. After all, the internet is only the sum of interconnecting, independent entities, that just happen to agree on IP addresses. (Or the IANA makes them agree?) For starters, it probably makes sense to ping 8.8.8.8 or 1.1.1.1 or 4.2.2.2, and if neither of those work, continue pinging your gateway. In my case, the gateway just drops my pings once I am deauthenticated (how rude!), which then gives a clear indication that captivity needs breaching by curl-ing a browser User-Agent.

Last step: put everything into a shell script (try not to be too messy) and add a cronjob to your system. Step after last step: hope that your provider isn't smart enough to notice!

Happy holidays everyone!

=> View comments | Home

Proxy Information
Original URL
gemini://shtrophic.net/selfhosting-staying-online.gmi
Status Code
Success (20)
Meta
text/gemini
Capsule Response Time
124.026525 milliseconds
Gemini-to-HTML Time
1.001225 milliseconds

This content has been proxied by September (ba2dc).