this post was submitted on 21 Aug 2024
83 points (96.6% liked)

Selfhosted


I'm travelling for the moment, and usually I just access my home network with tailscale and it has always worked flawlessly. But the hotel I'm staying at apparently blocks VPN connections, I can't use my regular VPN for work on their network either and I've tried obfuscation, different ports etc. nothing seems to work and it never connects.

How can I circumvent this, if at all? I'm staying for several weeks, so this is a pretty big issue.

top 44 comments
[–] [email protected] 49 points 1 month ago (1 children)

Best bet is probably going to be using something like OpenVPN on port 443 in TCP mode, which basically looks like regular HTTPS. It's a hotel, I doubt they're going to be doing deep analysis to detect signs it's OpenVPN. It's detectable easily but they wouldn't spend the money on that advanced of a firewall.

My guess is they went for an allowed list of ports rather than blocked, so it lets DNS (53), HTTP (80), HTTPS (443), probably also POP/IMAP/SMTP (110, 995, 143, 993, 465)
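The comment above says OpenVPN on tcp/443 "looks like regular HTTPS" but is "detectable easily". As an added illustration (mine, not any commenter's), here is a first-segment classifier that separates a genuine TLS ClientHello from OpenVPN's TCP framing using only the public wire formats; the sample segments are constructed, not captures.

```python
import struct
from typing import Optional

# OpenVPN opcodes sit in the upper 5 bits of the byte after the 2-byte TCP length prefix.
OPENVPN_OPCODES = {
    4: "P_CONTROL_V1", 5: "P_ACK_V1", 6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2", 8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2", 10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}

def is_tls_client_hello(data: bytes) -> bool:
    """TLS record: type 0x16 (handshake), version 0x03xx, 2-byte length, then a
    Handshake header of type 0x01 whose 3-byte length is record length minus 4."""
    if len(data) < 9 or data[0] != 0x16 or data[1] != 0x03 or data[2] > 0x04:
        return False
    record_len = struct.unpack("!H", data[3:5])[0]
    return data[5] == 0x01 and int.from_bytes(data[6:9], "big") == record_len - 4

def openvpn_tcp_opcode(data: bytes) -> Optional[str]:
    """OpenVPN-over-TCP: 2-byte big-endian packet length, then (opcode << 3) | key_id.
    A new client session opens with P_CONTROL_HARD_RESET_CLIENT_V2 (V3 with tls-crypt-v2);
    this byte stays in clear even with tls-auth/tls-crypt, hence the fingerprint."""
    if len(data) < 3:
        return None
    pkt_len = struct.unpack("!H", data[:2])[0]
    opcode = data[2] >> 3
    if opcode not in OPENVPN_OPCODES or pkt_len == 0 or pkt_len > len(data) - 2:
        return None
    return OPENVPN_OPCODES[opcode]

def classify_first_segment(data: bytes) -> str:
    """Label the first client->server bytes of a tcp/443 flow."""
    if is_tls_client_hello(data):
        return "tls-client-hello"
    opcode = openvpn_tcp_opcode(data)
    return "openvpn:" + opcode if opcode else "unknown"

# Constructed sample segments (not real captures).
TLS_HELLO = (b"\x16\x03\x01\x00\x2d" + b"\x01\x00\x00\x29"   # 45-byte record, 41-byte ClientHello
             + b"\x03\x03" + b"\x00" * 32                      # legacy version + client random
             + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00")    # no session id, one suite, null compression
OPENVPN_RESET = (b"\x00\x0e" + b"\x38"                         # length 14; opcode 7, key id 0
                 + b"\x11\x22\x33\x44\x55\x66\x77\x88"          # client session id
                 + b"\x00" + b"\x00\x00\x00\x00")               # empty ack array, packet id 0
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, seg in (("tls", TLS_HELLO), ("openvpn", OPENVPN_RESET), ("http", PLAIN_HTTP)):
        print(f"{name:8s} -> {classify_first_segment(seg)}")
```

A middlebox that does this check needs only the first few bytes of a flow, which is why the thread's distinction between "port allow-list" and "deep inspection" matters.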

[–] [email protected] 10 points 1 month ago (1 children)

Yeah this actually works, but only specifically for openvpn on 443 in TCP mode...anything wireguard is blocked regardless of port.

[–] [email protected] 11 points 1 month ago

Yep there's a reason I reached directly for that configuration. WireGuard uses UDP, that's one of the first things that gets blocked.

Turns out that's also the kind of protocol corporate VPNs use, reusing port 443 over TCP. They call those "SSL VPN". They get to weed out all commercial VPNs used to bypass their firewalls as well as most torrent/game activity while still mostly catering to their business guests.

[–] [email protected] 26 points 1 month ago (1 children)

I mean, while they can block most things, to give people a usable experience they're going to allow http and https traffic through, and they can't really proxy https because of the TLS layer.

So for universal chance of success, running openvpn tcp over port 443 is the most likely to get past this level of bad. I guess they could block suspicious traffic in the session before TLS is established (in order to block certain domains). OpenVPN does support traversing a proxy, but it might only work if you specify it. If their network sets a proxy via DHCP, maybe you could see that and work around it.

I did have fun working around an ex gf's university network many years ago to get a VPN running over it. They were very, very serious about blocking non-standard services. A similar "through" the proxy method was the last resort they didn't seem to bother trying to stop.

[–] [email protected] 0 points 1 month ago (1 children)

What can you do if the school has a whitelist of domains they accept HTTPS (443) connections for?

[–] [email protected] 1 points 1 month ago (1 children)

That's got to be extremely rare. Not much you can do in that case. But they will hit many problems with that approach.

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

I will try to investigate further, but for instance if you go to duckduckgo.com, it says something like "this website is not on our whitelist, let us know if you think you need access." It's very annoying, so I avoid the WiFi when I can.

[–] [email protected] 21 points 1 month ago (1 children)

Try mullvad use different ports, use their circumvention approaches.

Use your cell phone mobile data

Talk to the hotel, tell them you cannot connect to your corporate vpn, ask if they have a workaround

[–] [email protected] 9 points 1 month ago* (last edited 1 month ago) (1 children)

I've used mullvad but that can't punch through either no matter what. Unfortunately I don't have enough mobile data abroad to fuel my streaming needs for the entire duration of my trip.

I'll talk to the reception when I get back to the hotel I guess...it's really frustrating and I hate using hotel WiFi without a VPN.

[–] [email protected] 5 points 1 month ago* (last edited 1 month ago) (3 children)

What country are you in? China?

Go to mullvad settings and choose random ports

Try 53, 80, 443 etc

[–] [email protected] 5 points 1 month ago (1 children)

Just Czech Republic, I've already tried this in mullvad, it never connects.

[–] [email protected] 7 points 1 month ago* (last edited 1 month ago)

It would be absolutely bizarre if you couldn't connect with WireGuard port and Wireguard obfuscation set to Automatic. Things to try first:

  1. Connect without your VPN and try to access a single website like the theguardian.com
  2. Once that's working, enable your VPN and that should do it.
  3. If you still can't get connected, try switching out different countries. Each country listed corresponds to an IP to which your machine will try to connect over a benign port like 443 -- so blocking that sort of traffic would be mad unless the IP is explicitly blocked. Therefore, driving to different country targets offers a different IP every time. They'd have to know Mullvad's whole list and block them all.

If the above somehow doesn't work, Mullvad offers support through which you can get a temporary Server IP override. You can enter that in the bottom portion of your app's settings.

[–] [email protected] 3 points 1 month ago* (last edited 1 month ago)

They are probably using DPI

[–] [email protected] 0 points 1 month ago

Not OP, but my ISP blocks those :)

[–] [email protected] 18 points 1 month ago

I had the same situation, my hotel used fortinet and they blocked almost everything

Even VPNs that used to work in China were blocked

I used my phone 4g hotspot to initialize the tailscale connection, which was blocked, I chose my server as an exit point, then I switched back to the WiFi. Amazingly, once logged in to tailscale, it kept connected to my server.

Then for added safety I used my kasm install to stream a Firefox browser running on my server

I don't really understand this, why would a hotel pay thousands and thousands of euro for a "Chinese internet experience" that is going to piss off every single customer

[–] [email protected] 13 points 1 month ago (2 children)

Contact support and tell them you need VPN access on the WiFi you are paying for.

[–] [email protected] 3 points 1 month ago

Seriously, lots of employees depend on VPNs to access their work computers. VPNs are also a great way to ensure the hotel isn't snooping your internet traffic.

[–] [email protected] 0 points 1 month ago (1 children)

unless you are important they'll tell you to pound sand.

[–] [email protected] 2 points 1 month ago (1 children)

That's not a good way to keep customers. I would leave a bad review and maybe even find a different hotel. You could ask for a refund for your remaining stay; you could argue they are engaging in false advertising.

[–] [email protected] 1 points 1 month ago (1 children)

Let's be real the type of hotel I can afford doesn't want customers that care about the Wi-Fi

[–] [email protected] 2 points 1 month ago

Then don't offer WiFi. It costs them more to ruin your experience

[–] [email protected] 11 points 1 month ago

I found my work's wifi blocks most ports outbound, but switching my vpn to a more 'standard' port like 80, 443, 22, etc gets through just fine.

Now I've got a couple port forwarding rules I can switch on, as needed, that take one of those and route it to my vpn host.

[–] [email protected] 11 points 1 month ago (1 children)

I've had this issue many times as well. I've found changing the MTU would help since it seems some filter specific ranges. Doesn't always work but I've had more success than failure doing so

[–] [email protected] 2 points 1 month ago (1 children)
[–] [email protected] 6 points 1 month ago

MTU 1280 fixes all MTU problems, at a cost to performance.

[–] [email protected] 10 points 1 month ago (1 children)

This advice is what it is, but I work in a school and Tailscale also seems to be (unintentionally) blocked. After a while I realized it was only the login server that was blocked. If I login using my phone data I can go back to the regular network and it works.

[–] [email protected] 10 points 1 month ago

This did the trick, I got my tailscale to stay connected by using my phone AP to log on and then switched to hotel WiFi...thanks

[–] [email protected] 10 points 1 month ago (1 children)

Have you passed their captive portal before turning on the VPN?

[–] [email protected] 8 points 1 month ago* (last edited 1 month ago) (1 children)

I haven't encountered a captive portal at all. I can use the internet just fine without VPN.

[–] [email protected] 4 points 1 month ago
[–] [email protected] 9 points 1 month ago

This was years ago, but I had a similar issue of not being able to SSH in a hotel. I talked to the front desk and they were able to grant me access to a different network that didn't have that blocked. I can't remember whether I had to pay for it or not...

[–] [email protected] 6 points 1 month ago

That is why I have everything that needs to be accessible, is reasonably secure and is not critical like management interfaces exposed.

You could try to http proxy your connection. As soon as the connection is then encrypted with https no firewall can block it.

The firewall probably blocks everything except port 80 and 443 and every protocol except tcp and udp.

[–] [email protected] 6 points 1 month ago* (last edited 1 month ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

AP: WiFi Access Point
DHCP: Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network
DNS: Domain Name Service/System
HTTP: Hypertext Transfer Protocol, the Web
HTTPS: HTTP over SSL
IMAP: Internet Message Access Protocol for email
IP: Internet Protocol
SMTP: Simple Mail Transfer Protocol
SSL: Secure Sockets Layer, for transparent encryption
TCP: Transmission Control Protocol, most often over IP
TLS: Transport Layer Security, supersedes SSL
UDP: User Datagram Protocol, for real-time communications
VPN: Virtual Private Network
VPS: Virtual Private Server (opposed to shared hosting)

[Thread #930 for this sub, first seen 21st Aug 2024, 06:45]

[–] [email protected] 5 points 1 month ago

It's a headache most of the time so you might consider purchasing a local SIM card for 4/5G connection instead (and share connection via mobile phone) in the future.

[–] [email protected] 4 points 1 month ago

You could try using a relay somewhere in your process; while I was on a travel gig I had to do some finicky work with a travel router (though this may not work, since you need a VPN for your work, but maybe it'll give you an idea: https://ideatrash.net/2022/05/howto-secure-and-share-your-internet-on-free-wireless-wifi.html

Also if you have your DNS resolvers manually put in, you may not encounter their portal. Had that problem when on hotel wifi as well.

All that said, I ended up using phone data a lot.

[–] [email protected] 4 points 1 month ago

Several weeks... might just be worth it to take a walk and find another hotel. Then cancel the rest of your nights at hotel#1 and cite their internet blocking policy of VPNs for the reason for cancelling the remainder of your stay, as it prevents you and many other professionals from working.

[–] [email protected] 3 points 1 month ago

I'm surprised that Tailscale can't get through, clever routing is one of Tailscale's features. Though I do sometimes have connection issues with Tailscale when running DNS-over-HTTPS on my laptop.

[–] [email protected] 3 points 1 month ago (2 children)

Usually it can be solved by talking to hotel staff. You are paying for that service and can expect it to be suitable for any legal use.

[–] [email protected] 18 points 1 month ago

Talking to hotel staff. About networking. Yeah.. uh.. Good luck!

[–] [email protected] 8 points 1 month ago

This will never be "solved" by hotel staff.

[–] [email protected] 2 points 1 month ago (1 children)

If all you want is ssh the easiest and cheapest way might be to hire a VPS, connect to it and connect to tailscale there. Just ensure you have very strict rules on ssh and you should be safe enough.

Exposing web services in this manner is also easy using Caddy, but be careful since the services would then be publicly available.

[–] [email protected] 2 points 1 month ago

No I want full access to my home media server for streaming, I have very little use for SSH only in this case.

[–] [email protected] 1 points 1 month ago

When you use someone else's internet, there's nothing you can really do. Maybe rent a VPS and set it up as relay.

[–] [email protected] 1 points 1 month ago

Most hotels are terrible and even block any DNS configurations that aren't controlled by them. If you do figure out a way, can you update your original post?