I’m travelling for the moment, and usually I just access my home network with tailscale and it has always worked flawlessly. But the hotel I’m staying at apparently blocks VPN connections, I can’t use my regular VPN for work on their network either and I’ve tried obfuscation,different ports etc. nothing seems to work and it never connects.
How can I circumvent this, if at all? I’m staying for several weeks, so this is a pretty bug issue.
Best bet is probably going to be using something like OpenVPN on port 443 in TCP mode, which basically looks like regular HTTPS. It’s a hotel, I doubt they’re going to be doing deep analysis to detect signs it’s OpenVPN. It’s detectable easily but they wouldn’t spend the money on that advanced of a firewall.
My guess is they went for an allowed list of ports rather than blocked, so it lets DNS (53), HTTP (80), HTTPS (443), probably also POP/IMAP/SMTP (110, 995, 143, 993, 465)
Yeah this actually works, but only specifically for openvpn on 443 in TCP mode…anything wireguard is blocked regardless of port.
Yep there’s a reason I reached directly for that configuration. WireGuard uses UDP, that’s one of the first things that gets blocked.
Turns out that’s also the kind of protocol corporate VPNs use, reusing port 443 over TCP. They call those “SSL VPN”. They get to weed out all commercial VPNs used to bypass their firewalls as well as most torrent/game activity while still mostly catering to their business guests.
I mean, while they can block most things, to give people a usable experience they’re going to allow http and https traffic through, and they can’t really proxy https because of the TLS layer.
So for universal chance of success, running openvpn tcp over port 443 is the most likely to get past this level of bad. I guess they could block suspicious traffic in the session before TLS is established (in order to block certain domains). OpenVPN does support traversing a proxy, but it might only work if you specify it. If their network sets a proxy via DHCP, maybe you could see that and work around it.
I did have fun working around an ex gf’s university network many years ago to get a VPN running over it. They were very, very serious about blocking non-standard services. A similar “through” the proxy method was the last resort they didn’t seem to bother trying to stop.
What can you do if the school has a whitelist of domains they accept HTTPS (443) connections for?
That’s got to be extremely rare. Not much you can do in that case. But they will hit many problems with that approach.
I will try to investigate further, but for instance if you go to duckduckgo.com, it says something like “this website is not on our whitelist, let us know if you think you need access.” It’s very annoying, so I avoid the WiFi when I can.
Try mullvad use different ports, use their circumvention approaches.
Use your cell phone mobile data
Talk to the hotel, tell them you cannot connect to your corporate vpn, ask if they have a workaround
I’ve used mullvad but that can’t punch through either no matter what. Unfortunately I don’t have enough mobile data abroad to fuel my streaming needs for the entire duration of my trip.
I’ll talk to the reception when I get back to the hotel I guess…it’s really frustrating and I hate using hotel WiFi without a VPN.
What country are you in? China?
Go to mullvad settings and choose random ports
Try 53, 80, 443 etc
Just Czech republic, I’ve already tried this in mullvad, it never connects.
I had the same situation, my hotel used fortinet and they blocked almost everything
Even VPNs that used to work in China were blocked
I used my phone 4g hotspot to initialize the tailscale connection, which was blocked, I chose my server as an exit point, then I switched back to the WiFi. Amazingly, once logged in to tailscale, it kept connected to my server.
Then for added safety I used my kasm install to stream a Firefox browser running on my server
I don’t really understand this, why would a hotel pay thousands and thousands of euro for a “Chinese internet experience” that is going to piss off every single customer
Contact support and tell them you need VPN access on the WiFi you are paying for.
That’s not a good way to keep customers. I would leave a bad review and maybe even find a different hotel. You could ask for a refund for your remaining stay you could argue they are engaging in false advertising.
Let’s be real the type of hotel I can afford doesn’t want customers that care about the Wi-Fi