Today, a small blog post about a real-world headache I had with Fedora and public WiFi hotspots in hotels or venues. If you work remotely a lot like me, you find yourself hopping from Wi-Fi to Wi-Fi: hotels, airports, event locations; basically anywhere but your regular desk. Connect to Wi-Fi, get dumped onto a portal page, accept the policy (or sign in), and only then can you actually get online.
Except, with Fedora, this walled garden portal page never appears. You sit there staring at the connection icon like it owes you money, but nothing pops up, and you can’t get on the internet. Been there? I sure have. A simple workaround that works most of the time is to open a browser and go to a random non-HTTPS page like http://example.com.
It took me some digging to figure out what was going on, so let me break down what’s happening and how you can fix it.
Why Is Fedora Stumbling on Captive Portals?
It’s not only Fedora; many distros change the NetworkManager config to use their own domain for online detection. Most modern Linux distros do captive portal detection for you. They check a simple webpage (the so-called hotspot detection URL), expecting specific content.
Fedora, for example, fetches http://fedoraproject.org/static/hotspot.txt and expects to see just OK as the response body with an HTTP status code of 200. If NetworkManager gets anything else, or gets redirected, it figures you’re behind a captive portal and prompts you to sign in.
In an ideal world, this “probe” works smoothly. But out in the wild, walled garden portals on Wi-Fi are anything but ideal. The real snag comes from security tech called HSTS (HTTP Strict Transport Security). The Fedora detection lives on a domain with HSTS enabled.
- Host fedoraproject.org was resolved.
> GET /static/hotspot.txt
> Host: fedoraproject.org
< HTTP/2 200
< strict-transport-security: max-age=31536000; includeSubDomains; preload
The issue is often HSTS
HSTS is good for security under normal conditions: it forces you onto HTTPS. The above rule will be interpreted as: “Don’t ever visit this unencrypted, including my subdomains. Store this info for one year.”
The issue is that captive portals can only intercept HTTP, not HTTPS, because of the nature of SSL/TLS: anyone who is not the certificate owner is strictly forbidden from injecting or delivering content on the site’s behalf. Portals rely on you browsing some insecure page so they can “hijack” your connection, deliver their login screen, and only then allow full internet access. Since modern browsers know about HSTS, they refuse to even try HTTP if the site is in an HSTS “preload” list, even before your system asks for it.
This means my Fedora tries to probe http://fedoraproject.org/static/hotspot.txt, but is instantly blocked from ever using HTTP at all. And here’s where HSTS really wrecks your day: once your system has learned “this domain is HTTPS only,” it remembers that. No matter what network you’re on, Fedora’s captive portal detection URL becomes useless for all that time, meaning no sign-in page for you.
Making Fedora’s Captive Portal Work Again
You can get around this by making Fedora query a different URL that isn’t locked into HTTPS by HSTS. Ideally, one you control, something simple, on plain old HTTP (no S).
Here’s what worked for me:
Don’t Touch System Files in /usr/lib/
Fedora puts the config for NetworkManager’s connectivity check in /usr/lib/NetworkManager/conf.d/20-connectivity-fedora.conf. But editing files here is asking for trouble: upgrades may wipe out your changes.
Copy the Config to NetworkManager’s /etc
Keep changes where upgrades won’t nuke them.
Make a copy like so:
sudo cp /usr/lib/NetworkManager/conf.d/20-connectivity-fedora.conf /etc/NetworkManager/conf.d/20-connectivity.conf
Now edit the newly created one.
Edit the Config and Point to Your Own HTTP-Only Page
Open it in your favorite editor:
sudo vim /etc/NetworkManager/conf.d/20-connectivity.conf
And change the uri to your own host, or feel free to use my workaround host. My final file looks like this:
[connectivity]
enabled=true
uri=http://http.mgz.de/hotspot.txt
response=OK
interval=300
What matters: that file should return just OK, nothing else (no HTML wrappers). If you need a different response string, edit the response field too. If you don’t have your own public server, host a basic site somewhere cheap (DigitalOcean, Linode, Hetzner cloud, whatever floats your boat). Upload a plain text file with just OK and make sure it’s reachable on HTTP without HTTPS or HSTS.
Restart NetworkManager
For Fedora to pick up your changes:
sudo systemctl restart NetworkManager
You’re done! Next time you connect to a sketchy portaled Wi-Fi, NetworkManager will probe your custom HTTP site instead, see if it gets back “OK”, and act accordingly. If it gets redirected or something else, you’ll see the sign-in page again.
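Before pointing uri at a new host, it helps to confirm both conditions described above: the plain-HTTP probe returns 200 with just OK, and the host announces no HSTS policy over HTTPS. The script below is an added example, not part of the original setup; its function names and sample responses are constructed, and it judges response text captured with curl -si using the rule as this post states it.

```python
# Added example: judge captured probe responses (e.g. from `curl -si`) by the rule
# the post describes, and report any HSTS policy. All names here are hypothetical.

def parse_response(raw):
    """Split raw HTTP response text into (status, lowercase headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])  # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives."""
    policy = {"max_age": 0, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def classify_probe(raw, expected="OK"):
    """200 with exactly the expected body is online; a redirect or anything else is a portal."""
    status, _, body = parse_response(raw)
    return "online" if status == 200 and body.strip() == expected else "portal"

def hsts_policy(raw):
    """Return the HSTS policy an HTTPS response announces, or None if there is none."""
    value = parse_response(raw)[1].get("strict-transport-security")
    return parse_hsts(value) if value else None

# Constructed samples: a clean probe host, a portal redirect, and an HTTPS answer
# carrying the header shown in the curl output earlier in this post.
GOOD = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nOK\n"
PORTAL = "HTTP/1.1 302 Found\r\nLocation: http://portal.example/login\r\n\r\n"
FEDORA_HTTPS = ("HTTP/2 200\r\nstrict-transport-security: "
                "max-age=31536000; includeSubDomains; preload\r\n\r\nOK\n")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("portal", PORTAL), ("fedora", FEDORA_HTTPS)):
        print(label, classify_probe(raw), hsts_policy(raw))
```

A host is a good probe target when its HTTP response classifies as online and its HTTPS response, if it has one, yields no HSTS policy.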
Stay connected out there.