How it works

The computer that runs OpenVoucher acts as a (NAT) router. The routing functionality is provided by the operating system (OpenVoucher is designed for Debian but works on other Linux-based systems, too). NAT is done by iptables.

OpenVoucher needs two Ethernet interfaces – one internal (that the clients are connected to) and one external (for the internet connection). All clients on the internal interface have to authenticate; otherwise their traffic is blocked by iptables. If an unknown (unauthenticated) client tries to surf the web via port 80, it will be redirected to the landing page of OpenVoucher. On this page, the user has to enter their unique voucher ID. If the entered ID is valid, the user will be granted access: the client is registered in the MySQL database and an iptables rule is created. The user is online.

You can configure how OpenVoucher should authenticate clients. The three options are:

  • MAC based only (recommended)

OpenVoucher will try to get the MAC address of the client. This is only possible if the clients are in the same subnet as the internal interface of OpenVoucher. If the system fails to get the MAC address, the client is denied access. This is the most secure way, as MAC addresses are difficult to fake for inexperienced users.

  • MAC based, IPv4 fallback

If a connecting client is behind a router, the MAC address will not be visible for OpenVoucher. In this case, OpenVoucher will use the IP address of the client to authenticate it. This might be needed for mixed environments when the clients are both directly connected and routed.

  • IPv4 only

This is less secure because a client can change its IP address easily, but it is the only way to authenticate clients that are behind a router.

If the clients are behind a router that does masquerading (SNAT), it is not possible to authenticate them using OpenVoucher: every client will communicate using the same source IP, so OpenVoucher will not be able to differentiate between them.

In the admin area, you are able to configure the system and to manage vouchers. You can create users and set their permissions in the admin interface. For example, you might want to create a user that is allowed to add vouchers only, but not to delete them.

Once you’re logged in, you can see all created vouchers and the devices that have access. If you create a new voucher, you can tell OpenVoucher how many devices may be used with it. It is possible to create multiple vouchers at the same time as well.

If the maximum number of devices has been reached and the user tries to register another one, they will be notified that they are not allowed to connect more devices. The user then has the ability to delete a device from the list.

If a client is authenticated or dropped manually, the iptables rules will be updated immediately. OpenVoucher also runs a cronjob every five minutes that looks for expired vouchers. It will delete these from the database and then rebuild the iptables ruleset.

The central database is an ordinary MySQL database. This makes it very easy to implement distributed systems on multiple locations. Just configure your OpenVoucher instances to use one central MySQL server. If you do so, an authenticated client will be known on all site systems within five minutes (when the iptables ruleset is refreshed by the cronjob).
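As an added example that is not OpenVoucher's own code, the shell functions below print the iptables ruleset the description above implies: masquerading on the external interface, an accept rule per authenticated client matched by MAC or IPv4 address according to the chosen mode, a redirect of unauthenticated HTTP to the landing page, and a drop for everything else. Interface names, the portal port, the rule layout and the client list are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not OpenVoucher's own code. Interface names, the portal port
# and the rule layout are assumptions; the host is assumed to own these chains.
INT_IF=eth1      # internal interface, clients attach here
EXT_IF=eth0      # external interface, internet uplink
PORTAL_PORT=80   # landing page listens here on the portal host

# ov_match MODE MAC IP: print the match clause for one authenticated client.
#   mac    - MAC only (recommended); MAC unknown => no rule, client stays blocked
#   mac-ip - MAC, falling back to the IPv4 address for routed clients
#   ip     - IPv4 only (weaker: a client can change its address easily)
# The MAC field is "-" when the portal could not learn it (client behind a router).
ov_match() {
  case $1 in
    mac)    [ "$2" != "-" ] && echo "-m mac --mac-source $2" ;;
    mac-ip) if [ "$2" != "-" ]; then echo "-m mac --mac-source $2"; else echo "-s $3"; fi ;;
    ip)     echo "-s $3" ;;
    *)      echo "unknown mode: $1" >&2; return 1 ;;
  esac
  return 0
}

# ov_ruleset MODE: read "MAC IP" lines from stdin and print a complete ruleset.
# Expired or manually dropped clients simply disappear from the input, so
# re-running this (as the five-minute cronjob does) rebuilds the rules cleanly.
ov_ruleset() {
  mode=$1
  echo "iptables -t nat -F PREROUTING"
  echo "iptables -t nat -F POSTROUTING"
  echo "iptables -F FORWARD"
  echo "iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE"
  # the landing page itself must be reachable from the internal side
  echo "iptables -A INPUT -i $INT_IF -p tcp --dport $PORTAL_PORT -j ACCEPT"
  while read -r mac ip; do
    m=$(ov_match "$mode" "$mac" "$ip") || continue
    [ -n "$m" ] || continue      # MAC-only mode without a MAC: stay blocked
    # authenticated: skip the redirect and allow forwarding to the uplink
    echo "iptables -t nat -A PREROUTING -i $INT_IF $m -j RETURN"
    echo "iptables -A FORWARD -i $INT_IF $m -j ACCEPT"
  done
  # everyone else: HTTP goes to the landing page, all other traffic is dropped
  echo "iptables -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-ports $PORTAL_PORT"
  echo "iptables -A FORWARD -i $INT_IF -j DROP"
}

# Demo with a constructed client list ("-" = MAC not visible); run with OV_DEMO=1.
if [ "${OV_DEMO:-}" = 1 ]; then
  printf '00:11:22:33:44:55 192.168.1.10\n- 10.0.0.7\n' | ov_ruleset mac-ip
fi
```

Pipe the output into `sh` on the portal host to apply it; in MAC-only mode the routed client (`-`) never gets a rule, which is exactly the denial the first mode describes.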
