OpenVoucher is an open source voucher / hotspot management system for authenticating guests in your wifi or cable network.
From the beginning, the main focus was on a simple design. OpenVoucher is easy to use and doesn’t need any external services. In the simpliest way, you could just use your desktop pc and run a virtual OpenVoucher server – this is all you need for authenticating your guests with vouchers.
For larger networks or more users, you can install OpenVoucher on a dedicated machine – the software is very scalable and flexible.
The project has just started and the system is still in beta phase. If you would like to contribute your own ideas or programming skills to the project, you are welcome to do so. Any support is appreciated.
There are plenty of different open source tools available, providing AAA-functionality and vouchers for guests. But most of them need a RADIUS-service or special configuration on your access points (which is not supported by all APs). You could use an open source firewall indeed, but these systems are often very complex and provide a lot of functions that you don’t need – a perfect source of errors.
OpenVoucher neither need a RADIUS server nor a special software on your APs. The whole magic is done with PHP that generates iptables-rules. A MySQL-database keeps your vouchers and an apache webserver serves the webscripts for managing the system and the landing page for the users. For the internet access, we use the operating system’s routing-functionality (OpenVoucher is designed for debain, but works on other systems too) which is very fast and stable, iptables provides a masquerading NAT if needed.
Even if no RADIUS server is needed, the system can be distributed and deployed on multiple locations. This can be done by configuring one central MySQL server on all systems. The access list will be stored on that central server and all OpenVoucher instances will know which users are allowed to go online.
OpenVoucher supports authenticating based on the client’s MAC address and based on the IPv4 address. It is recommended to use MAC addresses only because a MAC address is very difficult to fake for a user with no or less IT skills. MAC based filtering only works if the clients are in the same subnet / broadcast domain as the internal interface of OpenVoucher, of course. If you want, you can configure OpenVoucher to prefer MAC addresses and, if that fails, to fall back to the client’s IP address.
The system will NOT be able to authenticate the clients if they are behind a router performing SNAT / masquerading. This is because OpenVoucher will neither be able to get a unique MAC address from the client (because of routing), neither an IP address (because of NAT).
If you authenticate using IP addresses only, you should configure a convenient lease time on your DHCP server.