
# The options available here are an adaptation of the settings used in opennds.conf.
# See https://github.com/opennds/opennds/blob/master/resources/opennds.conf

config opennds
	# Set to 0 to disable opennds
	option enabled 1
	###########################################################################################

	# Use plain configuration file (not recommended)
	#option config '/etc/opennds/opennds.conf'
	###########################################################################################

	# Enable debug output (0-3)
	# Default: 1
	# 0 : Silent (only LOG_ERR and LOG_EMERG messages will be seen, otherwise there will be no logging.)
	# 1 : LOG_ERR, LOG_EMERG, LOG_WARNING and LOG_NOTICE (this is the default level).
	# 2 : debuglevel 1  + LOG_INFO
	# 3 : debuglevel 2 + LOG_DEBUG
	#option debuglevel '1'
	###########################################################################################

	# Firewall Restart hook
	# Set to 0 to disable hook that makes opennds restart when the firewall restarts.
	# This hook is needed as a restart of Firewall overwrites opennds iptables entries.
	option fwhook_enabled '1'
	###########################################################################################

	# Login Option
	# Default: 0
	#
	# opennds comes preconfigured for two basic modes of operation
	# A default preauth login script, requiring username and email address to be entered.
	# and
	# A default static splash page (splash.html) with template variables and click to continue
	#
	# 0: Use static splash page or FAS config options
	# 1: Use default preauth login script
	#
	# The default preauth login script is installed as part of the openNDS package providing
	# username/emailaddress login as an alternative to the basic splash page.
	#
	# It generates a login page asking for username and email address.
	# User logins are recorded in the log file /tmp/ndslog.log
	# Details of how the script works are contained in comments in the script itself.
	#
	# Both modes may be customised or a full custom system can be developed using FAS and BinAuth
	# See documentation at: https://openndsdocs.readthedocs.io/
	#
	option login_option_enabled '0'
	###########################################################################################

	# Use outdated libmicrohttpd (MHD)
	# Older versions of MHD convert & and + characters to spaces when present in form data
	# This can make a PreAuth or BinAuth impossible to use for a client if form data contains either of these characters
	# eg. in username or password
	# MHD versions earlier than 0.9.69 are detected.
	# If this option is set to 0 (default), NDS will terminate if MHD is earlier than 0.9.69
	# If this option is set to 1, NDS will start but log an error.
	option use_outdated_mhd '1'
	###########################################################################################

	# MHD Unescape callback
	# MHD has a built in unescape function that urldecodes incoming queries from browsers
	# This option allows an external unescape script to be enabled
	# The script must be named unescape.sh, be present in /usr/lib/opennds/ and be executable.
	# A standard unescape.sh script is installed by default
	# Set to 1 to enable this option, 0 to disable
	# default is disabled
	option unescape_callback_enabled '0'
	###########################################################################################

	# WebRoot
	# Default: /etc/opennds/htdocs
	#
	# The local path where the splash page content resides.
	# ie. Serve the file splash.html from this directory
	#option webroot '/etc/opennds/htdocs'
	###########################################################################################

	# statuspage
	# Default: status.html
	#
	# The page the client is show if the client is already authenticated but navigates to the captive portal.
	#
	# option statuspage 'status.html'
	###########################################################################################


	# splashpage
	# Default: /etc/opennds/splash.html
	#
	# The html page used for templated splash page generation (if FAS/PreAuth is not enabled)
	#
	# splash.html displays a simplistic click to continue button.
	#
	# splash_sitewide.html displays a client login page asking for username and password.
	#
	# The BinAuth script binauth_sitewide.sh must be enabled for splash_sitewide to verify the
	# entered credentials from the userlist.dat database file.
	# The following two lines enable splash_sitewide templated authentication:
	#option splashpage 'splash_sitewide.html'
	#option binauth '/usr/lib/opennds/binauth_sitewide.sh'
	###########################################################################################

	# Interface to use
	# Use this option to set the device opennds will bind to.
	# The value may be an interface section in /etc/config/network or a device name such as br-lan.
	option gatewayinterface 'br-lan'
	###########################################################################################

	# GatewayPort
	# Default: 2050
	#
	# openNDS's own http server uses gateway address as its IP address.
	# The port it listens to at that IP can be set here; default is 2050.
	#
	#option gatewayport '2050'
	###########################################################################################

	# GatewayName
	# Default: openNDS
	#
	# gatewayname is used as an identifier for the instance of openNDS
	#
	# It is displayed on the default static splash page and the default preauth login script.
	#
	# It is particularly useful in the case of a single remote FAS server that serves multiple
	# openNDS sites, allowing the FAS to customise its response for each site.
	#
	# Note: The single quote (or apostrophe) character ('), cannot be used in the gatewayname.
	# If it is required, use the htmlentity &#39; instead.
	#
	# For example:
	# option gatewayname 'Bill's WiFi' is invalid.
	# Instead use:
	# option gatewayname 'Bill&#39;s WiFi'
	#
	option gatewayname 'OpenWrt openNDS'
	###########################################################################################

	# MaxClients
	# Default 20
	# The maximum number of clients allowed to connect
	# This should be less than or equal to the number of allowed DHCP leases
	# For example:
	option maxclients '250'
	###########################################################################################

	# Client timeouts in minutes
	option preauthidletimeout '30'
	option authidletimeout '120'
	# Session Timeout is the interval after which clients are forced out (a value of 0 means never)
	option sessiontimeout '1200'
	###########################################################################################

	# The interval in seconds at which opennds checks client timeout status
	option checkinterval '60'
	###########################################################################################

	# Quotas and Rates
	# Note: upload means to the Internet, download means from the Internet
	# Defaults 0
	# Integer values only
	#
	# If the client average data rate exceeds the value set here, the client will be blocked
	# Values are in kb/s
	# If set to 0, there is no limit
	#
	# Quotas and rates can also be set by FAS via Authmon Daemon, by BinAuth, and by ndsctl auth.
	# Values set by these methods, will be override values set in this config file.
	#
	option uploadrate '0'
	option downloadrate '0'
	###########################################################################################
	# The client data rate is calculated using a moving average.
	# This allows clients to burst at maximum possible rate, only blocking if the moving average
	# exceeds the specified upload or download rate.
	# The moving average window size is equal to ratecheckwindow times checkinterval (seconds)
	# Default 2
	option ratecheckwindow '2'
	###########################################################################################
	# If the client data quota exceeds the value set here, the client will be forced out
	# Values are in kB
	# If set to 0, there is no limit
	#
	option uploadquota '0'
	option downloadquota '0'
	###########################################################################################

	# Enable BinAuth Support.
	# Default disabled
	#
	# If set, a BinAuth program or script is triggered by several possible methods
	# and is called with several arguments on both authentication and deauthentication:
	#
	# $<BinAuth> <method> <arg1> <arg2> .... <argN>
	#
	# The Binauth script will issue an exit code:
	# 0 Authentication allowed
	# 1 Authentication denied
	#
	# Possible methods
	#
	# Authentication:
	# "auth_client": Request for authentication received from the captive portal splash page.
	# "client_auth": Acknowledgement that Client was authenticated via this script.
	# "ndsctl_auth": Client was authenticated by ndsctl auth command.
	#
	# Deauthentication:
	# "client_deauth": Client deauthenticated by the client via captive portal splash page.
	# "idle_deauth": Client was deauthenticated because of inactivity.
	# "timeout_deauth": Client was deauthenticated because the session timed out.
	# "ndsctl_deauth": Client was deauthenticated by ndsctl deauth command.
	# "uprate_deauth": Client was deauthenticated because its average upload rate exceeded the allowed value
	# "downrate_deauth": Client was deauthenticated because its average download rate exceeded the allowed value
	# "upquota_deauth": Client was deauthenticated because its upload quota exceeded the allowed value
	# "downquota_deauth": Client was deauthenticated because its download quota exceeded the allowed value
	# "shutdown_deauth": Client was deauthenticated by openNDS terminating.
	#
	# A fully functional BinAuth script is pre-installed and provides local logging
	# of client activity if enabled by uncommenting the following line:
	#option binauth '/usr/lib/opennds/binauth_log.sh'
	###########################################################################################

	# Enable Forwarding Authentication Service (FAS)
	# If set redirection is changed from splash.html to a FAS (provided by the system administrator)
	# The value is the IP port number of the FAS
	# Note: if FAS is running locally (ie fasremoteip is NOT set), port 80 cannot be used.
	#
	# Typical Remote Shared Hosting Example:
	#option fasport '80'
	#
	# Typical Locally Hosted example (ie fasremoteip not set):
	#option fasport '2080'
	###########################################################################################

	# Option: fasremotefqdn
	# Default: Not set
	# If set, this is the remote fully qualified domain name (FQDN) of the FAS.
	# The protocol must NOT be prepended to the FQDN (ie http:// or https://)
	# To prevent CPD or browser security errors NDS prepends the required http:// or https://
	# before redirection, depending upon the fas_secure_enabled option.
	# If set, DNS MUST resolve fasremotefqdn to be the same ip address as fasremoteip.
	# Typical Remote Shared Hosting Example:
	#option fasremotefqdn 'onboard-wifi.net'
	###########################################################################################

	# Option: fasremoteip
	# Default: GatewayAddress (the IP of NDS)
	# If set, this is the remote ip address of the FAS.
	#
	# Typical Remote Shared Hosting Example:
	#option fasremoteip '46.32.240.41'
	###########################################################################################

	# Option: faspath
	# Default: /
	# This is the path from the FAS Web Root to the FAS login page
	# (not the file system root).
	#
	# Typical Remote Shared Hosting Example (if fasremotefqdn is not specified):
	#option faspath '/onboard-wifi.net/nodog/fas.php'
	#
	# Typical Remote Shared Hosting Example (ie BOTH fasremoteip AND fasremotefqdn set):
	#option faspath '/nodog/fas.php'
	#
	# Typical Locally Hosted Example (ie fasremoteip not set):
	#option faspath '/nodog/fas.php'
	###########################################################################################

	# Option: faskey
	# Default: not set
	# A key phrase for NDS to encrypt the query string sent to FAS
	# Can be any combination of A-Z, a-z and 0-9, up to 32 characters with no white space
	#
	# Option faskey must be pre-shared with FAS.
	#
	#option faskey '1234567890'
	###########################################################################################

	# Option: fas_secure_enabled
	# Default: 1

	# ****If set to "0"****
	# The FAS is enforced by NDS to use http protocol.
	# The client token is sent to the FAS in clear text in the query string of the redirect along with authaction and redir.

	# ****If set to "1"****
	# The FAS is enforced by NDS to use http protocol.
	# When the sha256sum command is available AND faskey is set, the client token will be hashed and sent to the FAS,
	# identified as "hid" in the query string.
	# The gatewayaddress is also sent on the query string, allowing the FAS to construct the authaction parameter.
	# FAS must return the sha256sum of the concatenation of the original hid and faskey to be used by NDS for client authentication.
	# This is returned in the normal way in the query string identified as “tok”.
	# NDS will automatically detect whether hid mode is active or the raw token is being returned.
	#
	# Should sha256sum not be available or faskey is not set, then it is the responsibility of the FAS to request the token from NDSCTL.

	# ****If set to "2"****
	# The FAS is enforced by NDS to use http protocol.
	#
	# The parameters clientip, clientmac, gatewayname, client token, gatewayaddress, authdir, originurl and clientif
	# are encrypted using faskey and passed to FAS in the query string.
	#
	# The query string will also contain a randomly generated initialization vector to be used by the FAS for decryption.
	#
	# The cipher used is "AES-256-CBC".
	#
	# The "php-cli" package and the "php-openssl" module must both be installed for fas_secure level 2 and 3.
	#
	# openNDS does not depend on this package and module, but will exit gracefully
	# if this package and module are not installed when this level is set.
	#
	# The FAS must use the query string passed initialisation vector and the pre shared fas_key to decrypt the query string.
	# An example FAS level 2 php script (fas-aes.php) is included in the /etc/opennds directory and also supplied in the source code.

	# ****If set to "3"****
	# The FAS is enforced by NDS to use https protocol.
	#
	# Level 3 is the same as level 2 except the use of https protocol is enforced for FAS.
	#
	# In addition, the "authmon" daemon is loaded.
	# This allows the external FAS, after client verification, to effectively traverse inbound firewalls and address translation
	# to achieve NDS authentication without generating browser security warnings or errors.
	# An example FAS level 3 php script (fas-aes-https.php) is included in the /etc/opennds directory and also supplied in the source code.
	#
	# Note: Option faskey must be set if fas secure is set to levels 2 and 3 but is optional for level 1.
	#option fas_secure_enabled '0'
	###########################################################################################

	# PreAuth
	# PreAuth support allows FAS to call a local program or script with html served by the built in NDS web server
	# If the option is set, it points to a program/script that is called by the NDS FAS handler
	# All other FAS settings will be overidden.
	# Initially FAS appends its query string to faspath.
	# The Preauth program will output html code that will be served to the client by NDS
	# Using html GET the Preauth program may call:
	# /opennds_preauth/ to ask the client for more information
	# or
	# /opennds_auth/ to authenticate the client
	#
	# The Preauth program should append at least the client ip to the query string
	# (using html input type hidden) for all calls to /opennds_preauth/
	# It must also obtain the client token (using ndsctl), for NDS authentication when calling /opennds_auth/
	#
	#option preauth '/path/to/myscript/myscript.sh'
	###########################################################################################

	# Your router may have several interfaces, and you
	# probably want to keep them private from the gatewayinterface.
	# If so, you should block the entire subnets on those interfaces, e.g.:
	#list authenticated_users 'block to 192.168.0.0/16'
	#list authenticated_users 'block to 10.0.0.0/8'
	###########################################################################################

	# For authenticated users:
	# Typical ports you will probably want to open up.
	#list authenticated_users 'allow tcp port 22'
	#list authenticated_users 'allow tcp port 53'
	#list authenticated_users 'allow udp port 53'
	#list authenticated_users 'allow tcp port 80'
	#list authenticated_users 'allow tcp port 443'
	# Or for happy customers allow all
	list authenticated_users 'allow all'
	###########################################################################################

	# For preauthenticated users:
	#
	# *****IMPORTANT*****
	#
	# To help prevent DNS tunnelling, DNS Hijacking and generally improve security,
	# DO NOT UNCOMMENT THE FOLLOWING TWO LINES:
	#list preauthenticated_users 'allow tcp port 53'
	#list preauthenticated_users 'allow udp port 53'
	###########################################################################################

	# Walled Garden
	# Allow preauthenticated users to access an external IP address
	# This is commonly referred to as a Walled Garden.
	# Only IPv4 addresses can be used (not domain names)
	# (Hint: use an ipset populated with resolved ip addresses if you have a list of domains)
	#
	#list preauthenticated_users 'allow tcp port 80 to 112.122.123.124'
	#list preauthenticated_users 'allow udp port 8020 to 112.122.123.124'
	#
	# Alternatively, a preconfigured ipset can be used:
	#list preauthenticated_users 'allow tcp port [port number] ipset [ipset rule name]'
	###########################################################################################

	# Setting up an automated Walled Garden ipset.
	#
	# This requires the ipset and dnsmasq-full packages
	# Install by running the following commands:
	# opkg update
	# opkg install ipset
	# opkg remove dnsmasq
	# opkg install dnsmasq-full
	#
	# Configure as follows:
	# ipset create openndsset hash:ip
	#
	# Configure dnsmasq:
	# uci add_list dhcp.@dnsmasq[0].ipset='/<fqdn1>/<fqdn2>/<fqdn3>/<fqdn...>/<fqdnN>/openndsset'
	#	where <fqdn1> to <fqdnN> are the fully qualified domain names
	# 	of the URLs you want to use to populate the ipset.
	#	eg. For Facebook use facebook.com and fbcdn.net as fqdn1 and fqdn2
	# uci add_list dhcp.@dnsmasq[0].ipset='/facebook.com/fbcdn.net/openndsset'
	# uci commit dhcp
	#
	# Configure opennds by uncommenting the following two lines:
	#list preauthenticated_users 'allow tcp port 80 ipset openndsset'
	#list preauthenticated_users 'allow tcp port 443 ipset openndsset'


	###########################################################################################

	# User access to the router
	#
	# Essential - Allow ports for DNS and DHCP:
	list users_to_router 'allow tcp port 53'
	list users_to_router 'allow udp port 53'
	list users_to_router 'allow udp port 67'

	# Optional - Allow ports for SSH/Telnet/HTTP/HTTPS:
	list users_to_router 'allow tcp port 22'
	list users_to_router 'allow tcp port 23'
	list users_to_router 'allow tcp port 80'
	list users_to_router 'allow tcp port 443'
	###########################################################################################

	# MAC addresses that are / are not allowed to access the splash page
	# Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used.
	#
	# Examples:
	#
	#option macmechanism 'allow'
	#list allowedmac '00:00:C0:01:D0:0D'
	#list allowedmac '00:00:C0:01:D0:1D'
	#
	# or
	#
	#option macmechanism 'allow'
	#list blockedmac '00:00:C0:01:D0:2D'
	###########################################################################################

	# MAC addresses that do not need to authenticate
	#list trustedmac '00:00:C0:01:D0:1D'
	###########################################################################################

	# openNDS uses specific HEXADECIMAL values to mark packets used by iptables as a bitwise mask.
	# This mask can conflict with the requirements of other packages.
	#
	# However the defaults are fully compatible with the defaults used in mwan3 and sqm
	#
	# Any values set here are interpreted as in hex format.
	#
	# Option: fw_mark_authenticated
	# Default: 30000 (0011|0000|0000|0000|0000 binary)
	#
	# Option: fw_mark_trusted
	# Default: 20000 (0010|0000|0000|0000|0000 binary)
	#
	# Option: fw_mark_blocked
	# Default: 10000 (0001|0000|0000|0000|0000 binary)
	#
	#option fw_mark_authenticated '30000'
	#option fw_mark_trusted '20000'
	#option fw_mark_blocked '10000'
	###########################################################################################


