Today, a short blog post about a real-world headache I had with Fedora and public Wi-Fi hotspots, as found in hotels or venues. If you work remotely a lot, like me, you find yourself hopping from Wi-Fi to Wi-Fi: hotels, airports, event locations; basically anywhere but your regular desk. Connect to Wi-Fi, get dumped onto a portal page, accept the policy (or sign in), and only then can you actually get online.

Except, with Fedora, this walled-garden portal page *never* appears. You sit there staring at the connection icon like it owes you money, but nothing pops up, and you can’t get on the internet. Been there? I sure have. A simple workaround that works most of the time is to open a browser and go to a random non-HTTPS page like http://example.com.

It took me some digging to figure out what was going on, so let me break down what’s happening and how you can fix it.
 

Why Is Fedora Stumbling on Captive Portals?


It's actually not only Fedora; many distros change the NetworkManager config to use their own domain for online detection. Most modern Linux distros do captive portal detection for you. They check a simple webpage (the so-called hotspot detection URL), expecting specific content.

Fedora, for example, fetches http://fedoraproject.org/static/hotspot.txt and expects to see just `OK` as the response content, with an HTTP status code of 200. If NetworkManager gets anything else, or gets redirected, it figures you’re behind a captive portal and prompts you to sign in.

In an ideal world, this “probe” works smoothly. But out in the wild, walled-garden portals on Wi-Fi are anything but ideal. The *real* snag comes from a security technology called HSTS (HTTP Strict Transport Security). The Fedora detection URL lives on a domain with HSTS enabled.

* Host fedoraproject.org was resolved.
> GET /static/hotspot.txt
> Host: fedoraproject.org
< HTTP/2 200
< strict-transport-security: max-age=31536000; includeSubDomains; preload

HSTS is good for security under normal conditions: it forces you onto HTTPS. The above rule will be interpreted as: “Don’t ever visit this unencrypted, including my subdomains, and store this info for 1 year.”

The issue is that captive portals can only intercept HTTP, not HTTPS: by the nature of SSL/TLS, injected content or code delivered by anybody who is not the certificate owner is strictly forbidden. They rely on you browsing some insecure page so they can "hijack" your connection, deliver their login screen, and only then allow full internet access. Since modern browsers know about HSTS, they refuse to even *try* HTTP if the site is in an HSTS “preload” list, even before your system asks for it.

This means my Fedora tries to probe `http://fedoraproject.org/static/hotspot.txt`, but is instantly blocked from ever using HTTP at all. And here’s where HSTS really wrecks your day: once your system has learned “this domain is HTTPS only,” it remembers that. No matter what network you’re on, Fedora’s captive portal detection URL becomes useless for all that time, so no sign-in page for you.
 

Making Fedora’s Captive Portal Work Again

You can get around this by making Fedora query a different URL that isn’t locked into HTTPS by HSTS. Ideally, one you control, something simple, on plain old HTTP (no S).

Here’s what worked for me:
  1. Don’t Touch System Files in `/usr/lib/`
    Fedora puts the config for NetworkManager’s connectivity check in `/usr/lib/NetworkManager/conf.d/20-connectivity-fedora.conf`.
    But editing files here is asking for trouble: upgrades may wipe out your changes.
     
  2. Copy the Config to NetworkManager's `/etc`
    Keep changes where upgrades won’t nuke them.
    Make a copy like so:
    sudo cp /usr/lib/NetworkManager/conf.d/20-connectivity-fedora.conf /etc/NetworkManager/conf.d/20-connectivity.conf
    Now edit the newly created file.
     
  3. Edit the Config and Point to Your Own HTTP-Only Page
    Open in your favorite editor:
    sudo vim /etc/NetworkManager/conf.d/20-connectivity.conf
    and change the URL to your own host, or feel free to use my workaround host.
    My final file looks like this:
    [connectivity]
    enabled=true
    uri=http://http.mgz.de/hotspot.txt
    response=OK
    interval=300
    
    What matters: that file should return just `OK`, nothing else (no HTML wrappers). If you need a different response string, edit the `response` field too. If you don’t have your own public server, host a basic site somewhere cheap: DigitalOcean, Linode, Hetzner Cloud, whatever floats your boat. Upload a plain text file with just `OK` and make sure it’s reachable on HTTP without HTTPS or HSTS.
     
  4. Restart NetworkManager
    For Fedora to pick up your changes: `sudo systemctl restart NetworkManager`
    You’re done! Next time you connect to a sketchy Wi-Fi behind a portal, NetworkManager will probe your custom HTTP site instead, see if it gets back “OK”, and act accordingly. If it gets redirected or receives something else, you'll see the sign-in page again.
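
Before pointing NetworkManager at a host, you can check the two conditions from this post: the plain-HTTP probe returns 200 with the body `OK`, and no HSTS policy covers the host. This is an added example, not code from the original post or from NetworkManager; it is a simplified model, the function names and the `example.test` hosts are hypothetical, and the sample responses are constructed (the fedoraproject.org header is the one shown above). It goes slightly beyond the post by also walking parent domains, because `includeSubDomains` on a parent covers the probe host too.

```python
# Added example (not NetworkManager's code): a simplified model of the probe
# check from this post, plus an HSTS test for a candidate probe host.
FEDORA_HSTS = "max-age=31536000; includeSubDomains; preload"  # header shown above

def parse_hsts(value):
    """Split a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def classify_probe(status, body, expected="OK"):
    """200 with exactly the expected body means online; anything else, portal."""
    return "online" if status == 200 and body.strip() == expected else "portal"

def hsts_owner(host, hsts_by_host):
    """Return the domain whose HSTS policy (seen over HTTPS) covers host, or None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):          # host itself, then each parent
        domain = ".".join(labels[i:])
        policy = parse_hsts(hsts_by_host.get(domain, ""))
        if policy["max_age"] and (i == 0 or policy["include_subdomains"]):
            return domain
    return None

def usable_as_probe(host, status, body, hsts_by_host):
    """Both conditions from the post: plain-HTTP 200 + OK, and no HSTS."""
    if classify_probe(status, body) != "online":
        return False, "plain-HTTP response is not 200 with body OK"
    owner = hsts_owner(host, hsts_by_host)
    if owner:
        return False, f"HSTS policy of {owner} forces HTTPS"
    return True, "ok"

if __name__ == "__main__":
    # Constructed samples; the example.test hosts are hypothetical.
    print(usable_as_probe("fedoraproject.org", 200, "OK\n",
                          {"fedoraproject.org": FEDORA_HSTS}))
    print(usable_as_probe("probe.example.test", 200, "OK\n",
                          {"example.test": "max-age=600; includeSubDomains"}))
    print(usable_as_probe("probe.example.test", 200, "OK\n", {}))
    print(classify_probe(302, ""), classify_probe(200, "<html>Sign in</html>"))
```

To use it on a real host, fill `hsts_by_host` with the `strict-transport-security` values you see when requesting the host and its parent domains over HTTPS.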


Stay connected out there.

✉ MG//2025-06-01T13:40:00+00:00

