Reporting/fixing broken airport/hotel/etc wifi?
Was there a list of folks collecting to provide fix actions for hotel/airport/etc?
Seems that IAD / Washington Dulles don't like "random" tcp/443 sites on the internet? 173.194.205.129 for instance, ping, traceroute, http but no https :( https works just fine from lots of other places on the tubes... just not the dulles wifi.
-chris
I've found many times it's the other way around, with highly restrictive captive portals that only allow traffic to 80 and 443. This is exactly the reason why I have an OpenVPN server running in tcp mode (not udp) on 443.
On Fri, Jul 14, 2017 at 1:33 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
Was there a list of folks collecting to provide fix actions for hotel/airport/etc?
Seems that IAD / Washington Dulles don't like "random" tcp/443 sites on the internet? 173.194.205.129
for instance, ping, traceroute, http but no https :( https works just fine from lots of other places on the tubes... just not the dulles wifi.
-chris
Yea, I was able to get around the broken-ness with openvpn, but.. that's sad :( and not everyone has that capability.
On Fri, Jul 14, 2017 at 4:43 PM, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
I've found many times it's the other way around, with highly restrictive captive portals that only allow traffic to 80 and 443. This is exactly the reason why I have an OpenVPN server running in tcp mode (not udp) on 443.
On Fri, Jul 14, 2017 at 1:33 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
Was there a list of folks collecting to provide fix actions for hotel/airport/etc?
Seems that IAD / Washington Dulles don't like "random" tcp/443 sites on the internet? 173.194.205.129
for instance, ping, traceroute, http but no https :( https works just fine from lots of other places on the tubes... just not the dulles wifi.
-chris
This is exactly why i have SSHd on port 443 and 53 on one of my boxes/IPs. Once I got SSH sky's the limit on what I can fix/setup/tunnel.
/kc
On Fri, Jul 14, 2017 at 01:43:21PM -0700, Eric Kuhnke said:
I've found many times it's the other way around, with highly restrictive captive portals that only allow traffic to 80 and 443. This is exactly the reason why I have an OpenVPN server running in tcp mode (not udp) on 443.
On Fri, Jul 14, 2017 at 1:33 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
Was there a list of folks collecting to provide fix actions for hotel/airport/etc?
Seems that IAD / Washington Dulles don't like "random" tcp/443 sites on the internet? 173.194.205.129
for instance, ping, traceroute, http but no https :( https works just fine from lots of other places on the tubes... just not the dulles wifi.
-chris
-- Ken Chase - math@sizone.org Guelph Canada
Could also do: OpenVPN, with a proxy in front, that listens to all the ports in case they're using a gateway that transparently proxies some protocol.
2017 version of whack-a-mole.
-----
Alain Hebert ahebert@pubnix.net
PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
On 07/14/17 17:04, Ken Chase wrote:
This is exactly why i have SSHd on port 443 and 53 on one of my boxes/IPs. Once I got SSH sky's the limit on what I can fix/setup/tunnel.
/kc
On Fri, Jul 14, 2017 at 01:43:21PM -0700, Eric Kuhnke said:
I've found many times it's the other way around, with highly restrictive captive portals that only allow traffic to 80 and 443. This is exactly the reason why I have an OpenVPN server running in tcp mode (not udp) on 443.
On Fri, Jul 14, 2017 at 1:33 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
Was there a list of folks collecting to provide fix actions for hotel/airport/etc?
Seems that IAD / Washington Dulles don't like "random" tcp/443 sites on the internet? 173.194.205.129
for instance, ping, traceroute, http but no https :( https works just fine from lots of other places on the tubes... just not the dulles wifi.
-chris
-- Ken Chase - math@sizone.org Guelph Canada
On Jul 14, 2017, at 5:04 PM, Ken Chase <math@sizone.org> wrote:
This is exactly why i have SSHd on port 443 and 53 on one of my boxes/IPs. Once I got SSH sky's the limit on what I can fix/setup/tunnel.
/kc -- Ken Chase - math@sizone.org Guelph Canada
This is my usual workaround as well. Props to Avery Pennarun: http://sshuttle.readthedocs.io/en/stable/index.html for making my life even easier.
port 53 seems to be the biggest hole available, no one figures that anyone will send actual data over port 53, other than DNS! (and they [have to] leave TCP open, because of the nice handwavy implementations of dns lookups :)
some captive portals intercept all IP traffic regardless of dns, others intercept the DNS first and give some captive IP target instead for your cnn.com lookup. The former are easy to send data over.
(the latter sometimes you can put your targets into your HOSTS[.txt] file and get there, though today most webpages are 250 urls from 45 different domains, so have fun.)
$ apt-cache search iodine
iodine - tool for tunneling IPv4 data through a DNS server
http://code.kryo.se/iodine/
Sshuttle looks great thanks
/kc
On Fri, Jul 14, 2017 at 06:02:10PM -0400, Eric Tykwinski said:
On Jul 14, 2017, at 5:04 PM, Ken Chase <math@sizone.org> wrote:
This is exactly why i have SSHd on port 443 and 53 on one of my boxes/IPs. Once I got SSH sky's the limit on what I can fix/setup/tunnel.
/kc -- Ken Chase - math@sizone.org Guelph Canada
This is my usual workaround as well. Props to Avery Pennarun: http://sshuttle.readthedocs.io/en/stable/index.html for making my life even easier.
-- Ken Chase - math@sizone.org Guelph Canada
there are a lot of options for tech-savvy folk with an ip they control, but... for the rest of the rubles, fixing the wifi to be sane really is the only path forward.
On Fri, Jul 14, 2017 at 6:13 PM, Ken Chase <math@sizone.org> wrote:
port 53 seems to be the biggest hole available, no one figures that anyone will send actual data over port 53, other than DNS! (and they [have to] leave TCP open, because of the nice handwavy implementations of dns lookups :)
some captive portals intercept all IP traffic regardless of dns, others intercept the DNS first and give some captive IP target instead for your cnn.com lookup. The former are easy to send data over.
(the latter sometimes you can put your targets into your HOSTS[.txt] file and get there, though today most webpages are 250 urls from 45 different domains, so have fun.)
$ apt-cache search iodine
iodine - tool for tunneling IPv4 data through a DNS server
Sshuttle looks great thanks
/kc
On Fri, Jul 14, 2017 at 06:02:10PM -0400, Eric Tykwinski said:
On Jul 14, 2017, at 5:04 PM, Ken Chase <math@sizone.org> wrote:
This is exactly why i have SSHd on port 443 and 53 on one of my boxes/IPs. Once I got SSH sky's the limit on what I can fix/setup/tunnel.
/kc -- Ken Chase - math@sizone.org Guelph Canada
This is my usual workaround as well. Props to Avery Pennarun: http://sshuttle.readthedocs.io/en/stable/index.html for making my life even easier.
-- Ken Chase - math@sizone.org Guelph Canada
Using sshd on port 443, I can ssh my box with a tunnel to a local squid. My browser then uses this tunneled proxy to go to the internet. Private and secure.
On 14 Jul 2017, at 23:04, Ken Chase <math@sizone.org> wrote:
This is exactly why i have SSHd on port 443 and 53 on one of my boxes/IPs. Once I got SSH sky's the limit on what I can fix/setup/tunnel.
/kc
On Fri, Jul 14, 2017 at 01:43:21PM -0700, Eric Kuhnke said:
I've found many times it's the other way around, with highly restrictive captive portals that only allow traffic to 80 and 443. This is exactly the reason why I have an OpenVPN server running in tcp mode (not udp) on 443.
On Fri, Jul 14, 2017 at 1:33 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
Was there a list of folks collecting to provide fix actions for hotel/airport/etc?
Seems that IAD / Washington Dulles don't like "random" tcp/443 sites on the internet? 173.194.205.129
for instance, ping, traceroute, http but no https :( https works just fine from lots of other places on the tubes... just not the dulles wifi.
-chris
-- Ken Chase - math@sizone.org Guelph Canada
some years back, narita blocked 443 not 80, blocked 465 & 587 not 25, etc. i actually found a clue receptacle and it was fixed some weeks later.
i suspect the number of things they can do wrongly may be bounded but is quite large.
randy
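An added example, not part of the original thread: a small Python probe that turns the symptoms reported above (http passes but tcp/443 does not, only 80 and 443 pass, 465 and 587 blocked but not 25, every name resolving to one portal address) into findings you could hand to the wifi operator. The function names, finding strings and the single-shared-address DNS heuristic are assumptions, and it assumes you probe a host known to accept connections on every listed port, once from a working network (the baseline) and once from the suspect one.

```python
import socket

# Ports named in the thread: smtp, DNS over TCP, http, https, smtps, submission.
PORTS = (25, 53, 80, 443, 465, 587)

def probe(host, ports=PORTS, timeout=3.0):
    """TCP-connect to each port on host; return {port: reachable}."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:  # refused, timed out, unreachable, reset
            results[port] = False
    return results

def resolve_all(names):
    """Return {name: set of IPv4 addresses}; empty set when lookup fails."""
    answers = {}
    for name in names:
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
            answers[name] = {info[4][0] for info in infos}
        except socket.gaierror:
            answers[name] = set()
    return answers

def diagnose(here, baseline, dns):
    """Compare this network against a known-good baseline for the same host."""
    blocked = sorted(p for p, ok in baseline.items() if ok and not here.get(p))
    passing = {p for p, ok in here.items() if ok}
    findings = [f"tcp/{p} reachable elsewhere but not here" for p in blocked]
    if 443 in blocked and 80 in passing:
        findings.append("https blocked while http passes")
    if blocked and passing and passing <= {80, 443}:
        findings.append("only web ports pass")
    if 25 in passing and {465, 587} <= set(blocked):
        findings.append("mail submission blocked while tcp/25 passes")
    # Heuristic (assumption): unrelated names should not all share one address.
    answered = [addrs for addrs in dns.values() if addrs]
    if len(answered) >= 2 and len(set().union(*answered)) == 1:
        findings.append("unrelated names share one address: DNS intercepted")
    return findings

if __name__ == "__main__":
    # Constructed sample results, not captured from any real network.
    here = {25: True, 53: True, 80: True, 443: False, 465: False, 587: False}
    dns = {"a.example": {"192.0.2.1"}, "b.example": {"192.0.2.1"}}
    print("\n".join(diagnose(here, dict.fromkeys(PORTS, True), dns)))
```
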
participants (7)
- Alain Hebert
- Christopher Morrow
- Eric Kuhnke
- Eric Tykwinski
- Guillaume Tournat
- Ken Chase
- Randy Bush