Captive Portal Bypass Howto
As described in CaptivePortalInsecurities, you can bypass a captive portal by tunneling IP over UDP/53 which almost always is open. This page will give you step-by-step instructions on how to do this using OpenVPN.
First, some assumptions:
- You want to use 10.11.254.0/24 as your "tunnel network"
- Your server runs some sort of sane *nix variant and is accessible from the internet and isn't using UDP/53 for something else
- Your client has the "ip route" command
- You know how to get openvpn mostly working (I'm not going to walk you through creating certificates, for instance)
- The captive portal you are bypassing has UDP/53 open (check by doing: $ dig google.com @126.96.36.199)
You need a *nix box somewhere that is internet accessible and is running OpenVPN. Create your keys with ids like client100, client101, ..., client199. Then some configuration like the following should work. Remember to replace w.x.y.z with your server's external IP.
You'll need to make the tap0 interface. If you use a debian derivative, that means adding a clause to /etc/network/interfaces like this:
auto tap0 iface tap0 inet static address 10.11.254.1 netmask 255.255.255.0 broadcast 10.11.254.255 network 10.11.254.0
local w.x.y.z port 53 proto udp dev tap0 ca /etc/openvpn/crypto/ca.crt cert /etc/openvpn/crypto/server.crt key /etc/openvpn/crypto/server.key dh /etc/openvpn/crypto/dh1024.pem server-bridge 10.11.254.1 255.255.255.0 10.11.254.100 10.11.254.200 ifconfig-pool-persist /etc/openvpn/ipp.txt client-to-client keepalive 10 120 max-clients 100 comp-lzo up /etc/openvpn/route.up
echo 1 > /proc/sys/net/ipv4/ip_forward iptables -F POSTROUTING -t nat iptables -A POSTROUTING -t nat -s 10.11.254.0/24 -o eth0 -j SNAT --to-source 188.8.131.52
On the client side, you'll need to copy over the certificates and use a config like this:
client remote w.x.y.z dev tap ca /etc/openvpn/ca.crt cert /etc/openvpn/client100.crt key /etc/openvpn/client100.key comp-lzo port 53
And, you'll need to fix your routing table to pass all traffic besides the openvpn traffic itself through the tunnel. First, look at your current routing table, maybe it looks like this:
$ ip route
10.11.49.192/26 dev eth1 proto kernel scope link src 10.11.49.228 10.11.254.0/24 dev tap0 proto kernel scope link src 10.11.254.100 default via 10.11.49.193 dev eth1
We can see that our default route is 10.11.49.193. So, we can do:
$ ip route add w.x.y.z via 10.11.49.193 $ ip route del default $ ip route add default via 10.11.254.1
This accomplishes our goal, and now, we can access the internet, satisfied that all of our traffic is being encapsulated in an encrypted tunnel and then emitted at our remote server. Yay.
Add client-side instructions for silly people who don't use linux and friends.