No VPN at coffee house

ng4ever (2[H]4U) - Joined Feb 18, 2016 - Messages: 3,585
I only experienced this once. Not a big deal, but I still like to use a VPN when on public WiFi if the cellular data signal sucks. For some odd reason they would not allow a VPN no matter what I tried.

This is not the point of the story. The question is, what is the service that lets you still kinda use something like a VPN even at coffee shops like these? I know it exists; I've seen it before. I just can't remember the name of the site or service.
 
If you have an enterprise router, you can set up a login just like corporate networks, so you don't have to worry about most anything trying to block it, since enterprise stuff "just works" for this type of application.

As long as your service is running on port 80, there's nothing that should be blocking it at all.
 
To be clear there is no VPN that cannot be blocked. It is just a matter of how dedicated the owner of the firewall is to doing so. IPSec based VPNs are the easiest to block and as such frequently are. Many hotels offer two levels of Internet service where the free or cheaper version blocks IPSec. That said, a TLS/SSL based VPN is the least likely to be blocked as it uses the same ports and protocols most websites use. I'll add that there is zero reason to pay for a "vpn service" for this use case. Build your own and use it.
 
I think IPsec, when used as part of something like SSL, L2TP, etc., doesn't have any issues with blocking, since most companies implement VPN this way. But definitely host your own--whether it's OpenVPN on consumer gear, an enterprise router, pfSense, etc.
 
To be clear there is no VPN that cannot be blocked. It is just a matter of how dedicated the owner of the firewall is to doing so. IPSec based VPNs are the easiest to block and as such frequently are. Many hotels offer two levels of Internet service where the free or cheaper version blocks IPSec. That said, a TLS/SSL based VPN is the least likely to be blocked as it uses the same ports and protocols most websites use. I'll add that there is zero reason to pay for a "vpn service" for this use case. Build your own and use it.
Playing devil's advocate here. Wouldn't a VPN operating on TCP 80 or 443 be unblockable essentially? I know VPNs work best (or sometimes only available) on UDP but I'd imagine you could use a service like this and bypass even severely restrictive networks assuming they let you get on the Internet.
 
Playing devil's advocate here. Wouldn't a VPN operating on TCP 80 or 443 be unblockable essentially? I know VPNs work best (or sometimes only available) on UDP but I'd imagine you could use a service like this and bypass even severely restrictive networks assuming they let you get on the Internet.
A TLS/SSL VPN generally does work on 443 and would be the preferred choice for such a thing. TCP 80 is not so much a concern, as plaintext HTTP is generally dead and flat blocking 80 would have little impact on end users. As previously stated, most of this depends on the firewall admin's determination. Off the bat I would (read: do) block most of this by:

1. Turning on web filtering
2. Blocking proxy-avoidance classified sites to block all known VPN endpoints
3. Blocking unclassified websites
4. Blocking newly registered websites

That would easily prevent the vast majority.
 
Playing devil's advocate here. Wouldn't a VPN operating on TCP 80 or 443 be unblockable essentially? I know VPNs work best (or sometimes only available) on UDP but I'd imagine you could use a service like this and bypass even severely restrictive networks assuming they let you get on the Internet.

Well, it's unlikely that a coffee shop is sporting a Palo Alto or Fortinet firewall, but those can block VPNs over common ports. That's pretty much the whole point of why they can charge more $$ than your average firewall.
 
Well, it's unlikely that a coffee shop is sporting a Palo Alto or Fortinet firewall, but those can block VPNs over common ports. That's pretty much the whole point of why they can charge more $$ than your average firewall.
Don't be so sure. PA sells a whole lot of Prisma Access. Fortinet does the same with their FortiSASE. Both of those are targeted heavily at small business and retail branch locations. They are both highly effective, with very little or no upfront hardware cost.
 
Don't be so sure. PA sells a whole lot of Prisma Access. Fortinet does the same with their FortiSASE. Both of those are targeted heavily at small business and retail branch locations. They are both highly effective, with very little or no upfront hardware cost.
I'd say for a coffee shop that's unlikely, but I don't mind being proven wrong. I AM very curious, though, what they're running that blocks VPN over 443.
 
They blocked IPsec traffic. SSL/TLS is less secure than IPsec tunnels, but look for a VPN that offers this as a fallback.
 
I'd say for a coffee shop that's unlikely, but I don't mind being proven wrong. I AM very curious, though, what they're running that blocks VPN over 443.
Is this a single-shop mom-and-pop place, or maybe a chain that might even have an MSP behind it supporting its networks? You never know. Sometimes small businesses can surprise you 'cause they "know someone" who hooked them up good.
 
I've never seen anyone but an enterprise-level company sporting Palo Alto firewalls, and I manage several myself, but I suppose it's possible. I assume Fortinet and Cisco Firepower can do the same, but I don't believe any SOHO firewall can filter VPN from 443, if that is indeed what the OP was using. And unlikely without a certificate installed on the endpoint for SSL decryption. I'm guessing it was IPsec (protocol 50), or NAT-T (500, 4500), or maybe OpenVPN or such that uses its own port.
 
I've never seen anyone but an enterprise-level company sporting Palo Alto firewalls, and I manage several myself, but I suppose it's possible. I assume Fortinet and Cisco Firepower can do the same, but I don't believe any SOHO firewall can filter VPN from 443, if that is indeed what the OP was using. And unlikely without a certificate installed on the endpoint for SSL decryption. I'm guessing it was IPsec (protocol 50), or NAT-T (500, 4500), or maybe OpenVPN or such that uses its own port.
As I said earlier in this thread, the easiest way to block most would be:

1. Turn on web filtering
2. Block proxy-avoidance classified sites to block all known VPN endpoints
3. Block unclassified websites
4. Block newly registered websites

Any firewall that can do web filtering would block 90% of TLS/SSL/443 VPN traffic with that. This requires cert inspection only, i.e. no decrypt. As for small shops sporting non-crap firewalls: PA has a product called Prisma Access that is specifically targeted at small businesses, especially retail branch shops. The basics of how it works is that all local traffic is tunneled to a cloud-based PA firewall and processed there. The other major players have similar services. The beauty of these services is that you get the same features/protection of a local firewall with zero or near-zero upfront capital costs. The recurring expense costs are very competitive. All of them were reacting to Zscaler, which is a huge player in that market. Honestly, it sounds like you've not been keeping up with security trends, as these are not new services and have been trending for some time. The firewall is dead, long live the firewall.
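To make the four-rule web-filtering policy discussed in this post (and in the earlier post listing the same steps) concrete, here is an added example that is not code from the thread or from any firewall vendor. It models the "cert inspection only, no decrypt" idea: the one hostname a firewall can read on a port 443 flow without decrypting is the Server Name Indication (SNI) in the TLS ClientHello, so the example parses that out of a raw ClientHello record and then applies the rules in order (proxy-avoidance category, unclassified, newly registered). The category feed, registration dates, the 30-day "newly registered" window and the domain names are all constructed placeholders, not real vendor data.

```python
"""Added example: SNI-based web filtering without TLS decryption.

Not from the thread or any vendor. CATEGORY_FEED, REGISTRATION_DATE and the
30-day window are constructed placeholders standing in for a real URL-category
feed and a domain-age lookup.
"""
import struct
from datetime import date

# Constructed stand-in for a vendor URL-category feed (hypothetical values).
CATEGORY_FEED = {
    "news.example": "news",
    "tunnel.example": "proxy-avoidance",
    "fresh-shop.example": "shopping",
}
# Constructed stand-in for a domain-registration lookup (hypothetical values).
REGISTRATION_DATE = {
    "news.example": date(2010, 1, 1),
    "tunnel.example": date(2015, 6, 1),
    "fresh-shop.example": date(2024, 5, 20),
}
NEWLY_REGISTERED_DAYS = 30  # assumed threshold for "newly registered"


def build_client_hello(server_name=None):
    """Build a minimal TLS ClientHello record, optionally carrying an SNI extension.
    Constructed only so the parser below has realistic bytes to read."""
    body = (
        b"\x03\x03" + bytes(32)   # client_version, random
        + b"\x00"                 # session_id length 0
        + b"\x00\x02\x13\x01"     # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"             # one compression method: null
    )
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        sni_data = struct.pack("!H", len(sni_list)) + sni_list
        sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI hostname from a TLS ClientHello record, or None if absent."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None
        hs = record[5:]
        if hs[0] != 0x01:
            return None
        pos = 4 + 2 + 32                                   # header, version, random
        pos += 1 + hs[pos]                                 # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
        pos += 1 + hs[pos]                                 # compression methods
        if pos + 2 > len(hs):
            return None                                    # no extensions at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                            # server_name extension
                lp = pos + 2                               # skip list length
                while lp + 3 <= pos + elen:
                    ntype = hs[lp]
                    nlen = struct.unpack("!H", hs[lp + 1:lp + 3])[0]
                    if ntype == 0:                         # host_name
                        return hs[lp + 3:lp + 3 + nlen].decode("ascii")
                    lp += 3 + nlen
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def decide(record, today):
    """Apply the post's four rules in order to one ClientHello.
    Returns (verdict, reason)."""
    host = extract_sni(record)                             # rule 1: classify by SNI
    if host is None:
        return ("block", "no SNI: unclassified")           # cannot classify -> rule 3
    category = CATEGORY_FEED.get(host)
    if category == "proxy-avoidance":
        return ("block", "proxy-avoidance category")       # rule 2
    if category is None:
        return ("block", "unclassified")                   # rule 3
    registered = REGISTRATION_DATE.get(host)
    if registered is not None and (today - registered).days < NEWLY_REGISTERED_DAYS:
        return ("block", "newly registered")               # rule 4
    return ("allow", category)


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed "current" date
    for name in ("news.example", "tunnel.example", "fresh-shop.example", "other.example", None):
        print(name, decide(build_client_hello(name), today))
```

The point the example makes is the one the post makes: none of the four decisions needs the payload, only the SNI plus a category and domain-age lookup, which is why ordinary web-filtering boxes can apply it to 443 traffic. A flow with no SNI at all falls through to "unclassified" under rule 3.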
 
I'm familiar with Prisma and Zscaler. We use Zscaler for remote users. I question a coffee shop using it. And I've been doing this since the 1990s.

1. Turn on web filtering
2. Block proxy-avoidance classified sites to block all known VPN endpoints
3. Block unclassified websites
4. Block newly registered websites
Nobody said it was a public VPN.
 