Reporting/fixing broken airport/hotel/etc wifi?

Was there a list of folks collecting to provide fix actions for
hotel/airport/etc?

Seems that IAD / Washington Dulles don't like "random" tcp/443 sites on the
internet? 173.194.205.129

for instance, ping, traceroute, http but no https :(
https works just fine from lots of other places on the tubes... just not
the dulles wifi.

-chris

I've found many times it's the other way around, with highly restrictive
captive portals that only allow traffic to 80 and 443. This is exactly the
reason why I have an OpenVPN server running in tcp mode (not udp) on 443.

Yea, I was able to get around the broken-ness with openvpn, but.. that's
sad :( and not everyone has that capability.

some years back, narita blocked 443 not 80, blocked 465 & 587 not 25,
etc. i actually found a clue receptacle and it was fixed some weeks
later.

i suspect the number of things they can do wrongly may be bounded but is
quite large.

randy

This is exactly why i have SSHd on port 443 and 53 on one of my boxes/IPs. Once
I got SSH sky's the limit on what I can fix/setup/tunnel.

/kc

Could also do: OpenVPN, with a proxy in front, that listens on all the ports in case they're using a gateway that transparently proxies some protocol.

     2017 version of whack-a-mole.

This is my usual workaround as well.
Props to Avery Pennarun: http://sshuttle.readthedocs.io/en/stable/index.html
for making my life even easier.

Using sshd on port 443, I can ssh to my box with a tunnel to a local squid. My browser then uses this tunneled proxy to go to the internet.

Private and secure.

port 53 seems to be the biggest hole available, no one figures that anyone
will send actual data over port 53, other than DNS! (and they [have to] leave
TCP open, because of the nice handwavy implementations of dns lookups :)

some captive portals intercept all IP traffic regardless of dns, others
intercept the DNS first and give some captive IP target instead for your cnn.com
lookup. The former are easy to send data over.

(the latter sometimes you can put your targets into your HOSTS[.txt] file and
get there, though today most webpages are 250 urls from 45 different domains,
so have fun.)

$ apt-cache search iodine
iodine - tool for tunneling IPv4 data through a DNS server

http://code.kryo.se/iodine/

Sshuttle looks great thanks

/kc

there are a lot of options for techsavvy folk with an ip they control,
but... for the rest of the rubles, fixing the wifi to be sane really is the
only path forward.