Miaoer's Little Blog (喵二の小博客) https://www.miaoer.net, xLog sub-site

Cracking the Campus Network with OpenWrt: Misconceptions and General Directions

Many people ask me how to crack the campus network. As the new semester approaches, many are starting to consider this issue. What is meant by "cracking" here is actually sharing the network.

Many schools restrict access to either mobile devices or only computers & mobile devices. This is unreasonable; not to mention using smart home devices in dorms, even having an extra iPad makes it difficult to get online.

Why do I say OpenWrt is not a panacea? Firstly, there are many domestic versions of OpenWrt.

Secondly, the technical competition is very intense; if you find a method today, it might be blocked tomorrow. Moreover, configuring the software can leave many novice users confused.

The cost of this so-called cracking, whether direct cost or opportunity cost, is hard to estimate. What works this year might not work next year if the school changes equipment or service providers, so keep this in mind while experimenting. Additionally, if you want automated verification, first search whether anyone at your institution has attempted it before; if so, you can reuse their work directly for testing. If it doesn't work, you can ask a friend to help you write a script using ChatGPT.

If you have questions about using CatWrt for the entire campus network, you can join our group. I hope my tutorials and experiences can help many students.


Connection Methods

Let's start with connection methods.

  • PPPoE, which is dial-up internet
  • DHCP, which is automatic IP address acquisition; this is probably more common
  • VPN
  • Private dial-up protocols, which are rare and have few solutions based on modified PPPoE

Schools using PPPoE dial-up are quite rare, and those that do are generally good.

Verification Methods

Each school is different, and the service providers vary as well.

  • Mobile APP (not accessible via browser)
  • WEB verification (accessible via browser and requires login)
  • Computer software

Verification can be done on OpenWrt by copying the MAC address and writing a verification script in Python3. If you want to write one, you can refer to my previous blog.

If it’s a mobile APP verification, you can try using a packet sniffer like Xiao Huang Niao, then capture the content and hand it over to ChatGPT to help you write a script. If it’s simple, a sh script or bash script can solve it.

Detection Methods

These are the common methods for detecting network sharing; the first three in particular can be easily resolved on OpenWrt.

  • TTL field (can determine if you are using Windows or the commonly used Linux system)
  • HTTP browser User-Agent (HTTPS will not be affected due to TLS encryption)
  • Clock offset
  • Flash Cookie detection
  • IPv4 packet header
  • DPI deep packet inspection

Reference: Research and Solutions on Shared Internet Detection Mechanisms at a Certain University

There are also some basics like IP address and MAC address; detection methods vary by school.
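How a gateway operator might combine the TTL and User-Agent signals from the list above, as an added example that is not part of the original post. It assumes the capture point is the clients' first hop (so a directly attached device arrives with an undecremented TTL); the observations are constructed, and the function names and signal labels are hypothetical.

```python
from collections import defaultdict

COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # common default initial TTL values
EXPECTED_HOPS = 0  # assumption: capture point is the clients' first hop

# Constructed sample: (subscriber IP, observed TTL, HTTP User-Agent or None)
SAMPLE_OBSERVATIONS = [
    ("10.1.0.21", 64, "Mozilla/5.0 (X11; Linux x86_64)"),
    ("10.1.0.21", 64, None),
    ("10.1.0.22", 127, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ("10.1.0.22", 63, "Mozilla/5.0 (iPad; CPU OS 17_0 like Mac OS X)"),
    ("10.1.0.22", 63, None),
    ("10.1.0.23", 128, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ("10.1.0.23", 128, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
]

def infer_initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value."""
    return next(t for t in COMMON_INITIAL_TTLS if observed <= t)

def ua_platform(user_agent):
    """Coarse platform token: first field inside the first parentheses."""
    start, end = user_agent.find("("), user_agent.find(")")
    if start == -1 or end < start:
        return user_agent
    return user_agent[start + 1:end].split(";")[0].strip()

def sharing_signals(observations):
    """Map each subscriber IP to the sharing indicators seen for it."""
    initial_ttls, platforms, extra_hop = defaultdict(set), defaultdict(set), set()
    for ip, ttl, ua in observations:
        initial = infer_initial_ttl(ttl)
        initial_ttls[ip].add(initial)
        if initial - ttl > EXPECTED_HOPS:  # a router in between decremented the TTL
            extra_hop.add(ip)
        if ua is not None:  # only plain HTTP exposes the User-Agent
            platforms[ip].add(ua_platform(ua))
    report = {}
    for ip, ttls in initial_ttls.items():
        checks = (("extra_hop", ip in extra_hop),
                  ("mixed_ttl", len(ttls) > 1),
                  ("mixed_ua", len(platforms[ip]) > 1))
        signals = [name for name, hit in checks if hit]
        if signals:
            report[ip] = signals
    return report

if __name__ == "__main__":
    for ip, signals in sharing_signals(SAMPLE_OBSERVATIONS).items():
        print(ip, ", ".join(signals))
```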


Getting Started

Before installing components, be sure to update the index file with opkg update to avoid issues with opkg install! [1]

Here I can openly recommend my CatWrt firmware, which encompasses all the content of this blog.

I have covered many ways of using software sources in my earlier blog posts.

Including:

The following is a collection link to download CatWrt firmware👇 [2]

Of course, CatWrt is not a perfect solution; for example, software installation requires internet access. If the router can temporarily access the software source after verification, it can be installed normally.

If offline, you might want to find a way to manually install our tools (Cattools) and IPK files, and then connect to the internet after setting up the environment!

Cloning

If your network requires it, for example with Ruijie verification, you may need to clone the IP address and MAC (hardware) address onto OpenWrt, to avoid being blocked because of the router manufacturer during MAC scanning and to avoid issues caused by uncommon devices.

  • Windows: Settings - Network - Ethernet/Wi-Fi

  • OpenWrt (CatWrt): Network - Interfaces - wan (modify) - General Settings - Advanced Settings - Reset MAC Address

Tip: Every legitimate manufacturer’s device has a unique MAC address; you can open a mobile APP with wireless MAC scanning to see what brand of routers are nearby.

NTP

CatWrt has NTP enabled by default; if you are using other firmware, you may need to enable it to avoid time offset detection.

System - System - Time Synchronization

  • Enable NTP client

  • Provide service as NTP server

  • Candidate NTP servers

ntp1.aliyun.com
ntp.tencent.com
ntp.ntsc.ac.cn
time.ustc.edu.cn

UA2F

You can handle the User-Agent (UA) of unencrypted HTTP traffic in OpenWrt to avoid detection.

opkg install ua2f luci-app-ua2f

Tip: The UA2F luci here is newly released. [3]

TTL Hop Count

You need to install the following components.

opkg install iptables-mod-ipopt kmod-ipt-ipopt

Go to System - Firewall - Custom, insert the following rule, and restart the firewall to modify the TTL.

⚠️ Some systems do not include custom firewalls; related solutions can be searched independently. This blog follows Lean's OpenWrt operations (LEDE/CatWrt/QWRT).

iptables -t mangle -A POSTROUTING -j TTL --ttl-set 64

Here, 64 is commonly used by Windows, while 128 is commonly used by Linux and MAC.

Reference: Bypassing Campus Network Multi-Device Detection

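UA3F

This method relies on SOCKS5 proxy software, such as 😺 Clash, which places performance demands on the machine. If only SOCKS5 is used, the requirements may be lower; if UA2F is already implemented, this may not be necessary.

# Install dependencies, fetch and run the UA3F install script, then reload the service.
# Note: curl -k skips TLS certificate verification, so the script is executed without authenticating the server.
opkg install curl libcurl luci-compat
export url='https://blog.sunbk201.site/cdn' && sh -c "$(curl -kfsSl $url/install.sh)"
service ua3f reload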

Recommended reading: https://blog.sunbk201.site/posts/ua3f

mentohust

Ruijie campus network connection tool.

opkg install mentohust

It is worth mentioning that it seems every school has some Ruijie tools; you don’t necessarily have to use mentohust.

Online Resources

You can search for your school + OpenWrt to see if there are related tutorials, or find a senior who has already set up OpenWrt; this has proven effective.

This blog cannot cover everything; there are too many schools, and the solutions vary!

If you have the tools mentioned in our text, you can use our firmware to deploy verification or bypass detection to achieve network sharing.

This article was synchronized and updated to xLog by Mix Space. The original link is https://www.miaoer.net/posts/network/college_network_sharing

Footnotes

  1. https://www.miaoer.net/posts/blog/ssh-connection-to-openwrt

  2. https://www.miaoer.net/network/catwrt

  3. https://www.miaoer.net/posts/network/openwrt-ua2f
