Today, a small blog post about a real-world headache I had with Fedora and public Wi-Fi hotspots, such as those in hotels or venues. If you're someone who works remotely a lot, like me, you find yourself hopping from Wi-Fi to Wi-Fi: hotels, airports, event locations; basically anywhere but your regular desk. The routine is always the same: connect to Wi-Fi, get dumped onto a portal page, accept the policy (or sign in), and only then can you actually get online.
Except, with Fedora, this walled-garden portal page *never* appears. You sit there staring at the connection icon like it owes you money, but nothing pops up, and you can't get on the internet. Been there? I sure have. A simple workaround that works most of the time is to open a browser and go to a random non-HTTPS page like http://example.com.
It took me some digging to figure out what was going on, so let me break down what’s happening and how you can fix it.
Why Is Fedora Stumbling on Captive Portals?
It's actually not only Fedora: many distros change the NetworkManager config to use their own domain for online detection. Most modern Linux distros do captive portal detection for you. They fetch a simple web page (the so-called hotspot detection URL) and expect specific content.
Fedora, for example, fetches http://fedoraproject.org/static/hotspot.txt and expects the reply body to be just `OK`, with an HTTP status code of 200. If NetworkManager gets anything else, or gets redirected, it figures you're behind a captive portal and prompts you to sign in.
In an ideal world, this "probe" works smoothly. But out in the wild, walled-garden portals on Wi-Fi are anything but ideal. The *real* snag comes from a security technology called HSTS (HTTP Strict Transport Security). The Fedora detection URL lives on a domain with HSTS enabled:
```
* Host fedoraproject.org was resolved.
> GET /static/hotspot.txt
> Host: fedoraproject.org
< HTTP/2 200
< strict-transport-security: max-age=31536000; includeSubDomains; preload
```
HSTS is good for security under normal conditions: it forces you onto HTTPS. The header above is interpreted as: "Don't ever visit this site unencrypted, including my subdomains, and store this info for 1 year."

The issue is that captive portals can only intercept HTTP, not HTTPS: by the nature of SSL/TLS, injected content or code delivered by anybody who is not the certificate owner is strictly forbidden. Portals rely on you browsing some insecure page so they can "hijack" your connection, deliver their login screen, and only then allow full internet access. Since modern browsers know about HSTS, they refuse to even *try* HTTP if the site is in an HSTS "preload" list, even before your system asks for it.
This means my Fedora tries to probe `http://fedoraproject.org/static/hotspot.txt`, but is instantly blocked from ever using HTTP at all. And here's where HSTS really wrecks your day: once your system has learned "this domain is HTTPS only," it remembers that. No matter what network you're on, Fedora's captive portal detection URL becomes useless for all that time, and there is no sign-in page for you.
Making Fedora’s Captive Portal Work Again
You can get around this by making Fedora query a different URL that isn't locked into HTTPS by HSTS. Ideally, it is one you control: something simple, on plain old HTTP (no S). Here's what worked for me:
- Don’t Touch System Files in `/usr/lib/`
Fedora puts the config for NetworkManager’s connectivity check in `/usr/lib/NetworkManager/conf.d/20-connectivity-fedora.conf`.
But editing files here is asking for trouble: upgrades may wipe out your changes.
- Copy the Config to NetworkManager's `/etc`
Keep changes where upgrades won't nuke them.
Make a copy like so:
```
sudo cp /usr/lib/NetworkManager/conf.d/20-connectivity-fedora.conf /etc/NetworkManager/conf.d/20-connectivity.conf
```
Now edit the newly created copy.
- Edit the Config and Point to Your Own HTTP-Only Page
Open it in your favorite editor:
```
sudo vim /etc/NetworkManager/conf.d/20-connectivity.conf
```
and change the URL to your own host, or feel free to use my workaround host.
My final file looks like this:
```
[connectivity]
enabled=true
uri=http://http.mgz.de/hotspot.txt
response=OK
interval=300
```
- Restart NetworkManager
For Fedora to pick up your changes:
```
sudo systemctl restart NetworkManager
```
You're done! Next time you connect to a sketchy portal-gated Wi-Fi, NetworkManager will probe your custom HTTP site instead, check whether it gets back "OK", and act accordingly. If it gets redirected or receives something else, you'll see the sign-in page again.
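To vet a candidate probe URL before putting it in the config, here is an added example (not from the original post and not NetworkManager's code). It models the check as described above: status 200 with body `OK` means online, a redirect means portal, and an HSTS policy or non-HTTP scheme disqualifies the URL. The function names and the `portal.example` host are assumptions made for illustration.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed samples: the HSTS value is the one in the curl output above,
# the portal redirect (portal.example) is made up for illustration.
SAMPLE_HSTS = "max-age=31536000; includeSubDomains; preload"
SAMPLE_PORTAL = (302, {"Location": "http://portal.example/login"}, "")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface a 3xx as HTTPError instead of following it


def fetch(url, timeout=5):
    """GET url without following redirects -> (status, headers, body start)."""
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as r:
            return r.status, dict(r.headers.items()), r.read(64).decode("latin-1")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), ""


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives."""
    policy = {"max_age": 0, "include_subdomains": False, "preload": False}
    for part in (p.strip().lower() for p in value.split(";")):
        if part.startswith("max-age="):
            policy["max_age"] = int(part.split("=", 1)[1].strip('"'))
        elif part == "includesubdomains":
            policy["include_subdomains"] = True
        elif part == "preload":
            policy["preload"] = True
    return policy


def probe_problems(url, status, headers, body, expected="OK"):
    """Reasons this response makes url a poor probe; an empty list means usable."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    problems = []
    if urlsplit(url).scheme != "http":
        problems.append("not plain HTTP")
    if parse_hsts(hdrs.get("strict-transport-security", ""))["max_age"] > 0:
        problems.append("host sets an HSTS policy")
    if 300 <= status < 400:
        problems.append("redirected to " + hdrs.get("location", "?"))
    elif status != 200 or body.strip() != expected:
        problems.append("unexpected reply: %d %r" % (status, body.strip()))
    return problems


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "http://http.mgz.de/hotspot.txt"
    print(probe_problems(url, *fetch(url)) or "usable as probe")
```

Servers normally send the HSTS header only on HTTPS responses, so also run `parse_hsts` on the header from the host's HTTPS URL before settling on it.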
Stay connected out there.