Captive Portal Bypass Howto

As described in CaptivePortalInsecurities, you can bypass a captive portal by tunneling IP over UDP/53 which almost always is open. This page will give you step-by-step instructions on how to do this using OpenVPN.

First, some assumptions:

OpenVPN Server

You need a *nix box somewhere that is internet accessible and is running OpenVPN. Create your keys with ids like client100, client101, ..., client199. Then some configuration like the following should work. Remember to replace w.x.y.z with your server's external IP.

You'll need to make the tap0 interface. If you use a debian derivative, that means adding a clause to /etc/network/interfaces like this:

auto tap0
iface tap0 inet static


local w.x.y.z
port 53
proto udp
dev tap0
ca /etc/openvpn/crypto/ca.crt
cert /etc/openvpn/crypto/server.crt
key /etc/openvpn/crypto/server.key
dh /etc/openvpn/crypto/dh1024.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
max-clients 100
up /etc/openvpn/route.up


echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F POSTROUTING -t nat
iptables -A POSTROUTING -t nat -s -o eth0 -j SNAT --to-source

OpenVPN Client

On the client side, you'll need to copy over the certificates and use a config like this:


remote w.x.y.z
dev tap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client100.crt
key /etc/openvpn/client100.key
port 53

And, you'll need to fix your routing table to pass all traffic besides the openvpn traffic itself through the tunnel. First, look at your current routing table, maybe it looks like this:

$ ip route dev eth1  proto kernel  scope link  src dev tap0  proto kernel  scope link  src 
default via dev eth1 

We can see that our default route is So, we can do:

$ ip route add w.x.y.z via
$ ip route del default
$ ip route add default via

This accomplishes our goal, and now, we can access the internet, satisfied that all of our traffic is being encapsulated in an encrypted tunnel and then emitted at our remote server. Yay.

Fix Me

Add client-side instructions for silly people who don't use linux and friends.

CaptivePortalBypassHowto (last edited 2007-11-23 18:01:22 by localhost)