Dutch railroad wifi ("WiFi in de trein") does not work with nixos

raboof · November 16, 2019, 8:47pm

The Dutch railroads provide free WiFi in intercity trains.

Unfortunately, their DNS proxy has a bug that causes it to always respond with “no results” when it sees a query that uses the DNS extension mechanism.

NixOS by default uses the DNS extension mechanism, so if you want to sue “WiFi in de Trein” you need to set:

networking.resolvconf.dnsExtensionMechanism = false

layus · November 16, 2019, 9:20pm

Oh, that’s good to know. I had no issue with wifi on ICE trains on y trip to NixCon, I guess they are different from intercity trains ?

volth · November 16, 2019, 10:48pm

does captive-browser work there?

rnhmjoj · November 17, 2019, 10:07am

It may be just a bug but that’s essentially asking for DNS spoofing, given you’re also turning off DNSSEC. I’d setup DNSCrypt if I were you.

qyliss · November 17, 2019, 4:18pm

They are. ICEs are Deutsche Bahn (they all go through Germany), so everything will be different.

raboof · November 18, 2019, 12:29pm

Yeah or perhaps a full VPN might be even better…

I’ll try it next time I travel by train - though IIRC they fail to respond to eDNS queries even after you’ve successfully logged into their terms-and-conditions page, so it wouldn’t help much I guess?

raboof · November 21, 2019, 6:40am

[aengelen@rigter:~]$ captive-browser
2019/11/21 07:33:24 Failed to read config: open /home/aengelen/.config/captive-browser.toml: no such file or directory

[aengelen@rigter:~]$ touch .config/captive-browser.toml

[aengelen@rigter:~]$ captive-browser
2019/11/21 07:33:54 Obtaining DHCP DNS server...
2019/11/21 07:33:54 IPs not found in dhcp-dns output.

[aengelen@rigter:~]$

Do I have to configure something? (it behaves the same on ‘regular’ wifi)

volth · November 21, 2019, 8:51pm

It should just work
Probably some cases are not covered here:

github.com

NixOS/nixpkgs/blob/8c14a6f641b7f3baa57e55e784a0d8626325446b/nixos/modules/programs/captive-browser.nix#L84


      
                  with private subnets.
                '';
              };
            };
          };
          
          
###### implementation
          
          
config = mkIf cfg.enable {
          
          
  programs.captive-browser.dhcp-dns = mkOptionDefault (
              if config.networking.networkmanager.enable then
                "${pkgs.networkmanager}/bin/nmcli dev show ${escapeShellArg cfg.interface} | ${pkgs.gnugrep}/bin/fgrep IP4.DNS"
              else if config.networking.dhcpcd.enable then
                "${pkgs.dhcpcd}/bin/dhcpcd -U ${escapeShellArg cfg.interface} | ${pkgs.gnugrep}/bin/fgrep domain_name_servers"
              else if config.networking.useNetworkd then
                "${cfg.package}/bin/systemd-networkd-dns ${escapeShellArg cfg.interface}"
              else
                "${config.security.wrapperDir}/udhcpc --quit --now -f -i ${escapeShellArg cfg.interface} -O dns --script ${
                    pkgs.writeScript "udhcp-script" ''
                      #!/bin/sh

raboof · November 22, 2019, 9:45am

I have config.networking.networkmanager.enable and nmcli dev show | fgrep IP4.DNS does show a result. I haven’t explicitly set cfg.interface AFAICS.

volth · November 23, 2019, 12:21am

I haven’t explicitly set cfg.interface AFAICS

Ah, yes. It is to be configured

raboof · November 28, 2019, 10:28pm

After setting programs.captive-browser.enable = true; and programs.captive-browser.interface = "wlp59s0"; indeed I can use that to browse without disabling dnsExtensionMechanism (and without even accepting the terms and conditions) - which seems impressive.