Hi everyone,

I’m currently facing some frustrating restrictions with the public Wi-Fi at my school. It’s an open Wi-Fi network without a password, but the school has implemented a firewall (Fortinet) that blocks access to certain websites and services, including VPNs like Mullvad and ProtonVPN. This makes it difficult for me to maintain my privacy online, especially since I don’t want the school to monitor me excessively.

After uninstalling Mullvad, I tried to download it again, but I found that even a search engine (Startpage) is blocked, which is incredibly frustrating! Here’s what happened:

  • The Wi-Fi stopped working when I had the VPN enabled.
  • I disabled the VPN, but still couldn’t connect.
  • I forgot the Wi-Fi network and reset the driver, but still no luck.
  • I uninstalled the Mullvad, and then the Wi-Fi worked again.
  • I tried to access Startpage to search for an up-to-date package for Mullvad, but it was blocked.
  • I used my phone to get the software file and sent it over, but couldn’t connect.
  • I searched for different VPNs using DuckDuckGo, but the whole site was blocked.
  • I tried searching for Mullvad, but that was blocked too.
  • I attempted to use Tor with various bridges, but couldn’t connect for some unknown reason.
  • I finally settled for Onionfruit Connect, but it doesn’t have a kill switch, which makes me uneasy.

Ironically, websites that could be considered harmful, like adult content, gambling sites and online gaming sites, are still accessible, while privacy-tools are blocked.

I’m looking for advice on how to bypass these firewall restrictions while ensuring my online safety and privacy. Any suggestions or alternative methods would be greatly appreciated! (If any advice is something about Linux, it could be a Problem, since my school enforces Windows 11 only PC’s which is really really igngamblingThanks in advance for your help

edit: did some formatting

edit2: It is my device, which I own and bought with my own money. I also have gotten in trouble for connecting to tor and searching for tor, but I stated that I only used it to protect my privacy. Honestly I will do everything to protect my privacy so I don’t care if I will get in trouble.

edit 3: Thanks for the suggestions, if I haven’t responded yet, that’s because I don’t know what will happen.

  • AmbiguousProps@lemmy.today
    link
    fedilink
    English
    arrow-up
    0
    ·
    4 months ago

    Have you tried wireguard on a non-standard port? OVPN can also go over 443 which might help.

    Really though, it depends on how they’re blocking them. They could be blocking the protocol based on port or deep packet inspection, or they could just be blocking a list of VPN hosts. They could be doing both.

    If they’re just blocking hosts, you could set up a vpn relay on a host somewhere else, but that won’t help if they’re blocking the protocol.

    • fmstrat@lemmy.nowsci.com
      link
      fedilink
      English
      arrow-up
      0
      ·
      4 months ago

      Putting this here,too:

      Highly identifiable. Do not do this. Will it get you through the firewall? Yes. Will it get you in trouble when they see all your traffic going to one place? Also yes.

      • sturlabragason@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        4 months ago

        Yeah I wasn’t really thinking about obfuscating that he was using a VPN. Just assumed this was not breaking rules, and only thinking about getting around the blocks and having a working VPN.

  • Mr. Camel999@programming.dev
    link
    fedilink
    arrow-up
    0
    ·
    4 months ago

    I’m aware of a network that blocks Mullvad as well, but found a way around it. It went through just fine if I was using a custom DNS server. I used NextDNS for this, but I imagine it would work with Cloudflare or something as well (but I highly recommend NextDNS anyways). Hope this helps!

  • Steve@communick.news
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    4 months ago

    Have you tried the “Stealth” protocol option ProtonVPN has?
    It’s intended to bypass VPN blocks. Sometimes it works.

    • scarilog@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      4 months ago

      Windscribe has a Websocket tunnel option. Haven’t been on a network that’s been able to block this mode yet.

  • eco_game@discuss.tchncs.de
    link
    fedilink
    arrow-up
    0
    ·
    4 months ago

    What worked for me at my old school was using a ShadowSocks proxy. Basically what this does, is it takes all your traffic and just makes it look like random https traffic (AFAIK).

    I believe multiple VPNs support this, for me with PIA VPN it’s in the settings under the name “Multi-Hop” (PIA only supports this on the Desktop App, not on mobile).

    This technique is pretty much impossible to block, unless you ban every single VPN ShadowSocks Proxy IP. If that is the case for you (chances are practically 0), you could also selfhost ShadowSocks in combination with the Cloak module, however this method is a lot more complicated.

    • hperrin@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      4 months ago

      Shadowsocks doesn’t look anything like HTTPS traffic. It looks like a bare stream cipher over TCP connections to one host with bursts of traffic. HTTPS starts off with a TLS handshake (a client hello, a server hello, the server certificate, then a cipher negotiation and key exchange) before any ciphertext is exchanged. Shadowsocks just starts blasting a ciphertext stream. Even if you run it on port 443, it looks nothing like HTTPS.

      Without any sort of cipher negotiation and key exchange, it’s obvious that it’s a stream cipher with a pre shared key, so this would be automatically suspicious. There’s also not really any plausible deniability here. If they probe your Shadowsocks host and see it running there, that’s all the proof they need that you’re breaking their rules. With a VPN, you could at least say it’s for a project, and with SSH, you could say you’re just transferring files to your own machine.

  • RegalPotoo@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    4 months ago

    Obligatory “read your schools’ computer use policy before you get yourself in trouble for evading the firewall”

    • Decency8401@discuss.tchncs.deOP
      link
      fedilink
      arrow-up
      0
      ·
      4 months ago

      I don’t know where to find the policy regarding the network. The computer isn’t school property, I own it which is more frustrating because I have to uninstall (Just disabeling it and the Killswitch won’t work) any VPN to start using the network.

    • subignition@fedia.io
      link
      fedilink
      arrow-up
      0
      ·
      4 months ago

      Yeah, you probably don’t want to risk getting caught for that. There is a possibility you could be criminally charged (regardless of how stupid you might think that is, it happens) when the school finds out what you’re doing. And if you’re using school-issued hardware they’re very likely to find out what you’re doing.

  • hperrin@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    4 months ago
    1. Sign up for Digital Ocean.
    2. Get the cheapest VM (called Droplets on DO) you can get.
    3. Install Ubuntu on it.
    4. SSH into it with a SOCKS proxy (ssh -D 8080 <yourdropletip> on Linux, PuTTY on Windows).
    5. Configure Firefox to use localhost:8080 as a SOCKS5 proxy.
    6. Win.

    Bonus points if you set up Cockpit to manage everything over the web, that way you don’t need to learn all about sudo apt whatever.

    • fmstrat@lemmy.nowsci.com
      link
      fedilink
      English
      arrow-up
      0
      ·
      4 months ago

      Highly identifiable. Do not do this. Will it get you through the firewall? Yes. Will it get you in trouble when they see all your traffic going to one place? Also yes.

      • hperrin@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        4 months ago

        It’s an open WiFi network. They’re probably not even able to identify which device is used by which person. Even if they could, why would they be monitoring everyone’s traffic looking for users who only visit one resource? That’s an extremely unlikely scenario.

        The worst they’d see is that this device is using a lot of SSH traffic. There’s nothing suspicious about that. SSH is perfectly normal.

        • 0x0@programming.dev
          link
          fedilink
          arrow-up
          0
          ·
          4 months ago

          There’s nothing suspicious about that. SSH is perfectly normal.

          In a business? Sure.

          In a school? Not so much.

        • fmstrat@lemmy.nowsci.com
          link
          fedilink
          English
          arrow-up
          0
          ·
          4 months ago

          Again these are all assumptions. These are risks that do not need to be taken when there are better methods.

          • hperrin@lemmy.world
            link
            fedilink
            arrow-up
            0
            ·
            edit-2
            4 months ago

            These aren’t assumptions. OP states it’s an open WiFi network in their post, and unless you name your computer after yourself, all the network admins can see is your MAC address. And what is suspicious about SSH traffic? And what better way is there? VPN traffic will look more suspicious.

            What do you do for a living? I’m a software and network engineer, so this is in my realm of expertise. All the network admins will see is OP’s MAC and that they’re sending a lot of SSH traffic to a Digital Ocean IP (if they even bother to sniff their traffic). This is how I, as a network engineer, have personally bypassed content filters.

            • fmstrat@lemmy.nowsci.com
              link
              fedilink
              English
              arrow-up
              0
              ·
              4 months ago

              You, as a network engineer, at a business, where SSH is normal. This is not your realm, as schools look for very different signals. They are rarely actively monitored, but when they are, SSH will 100% look suspicious, and this individual already has a flag on them for tor, so yes they go beyond MAC and can identify them. You haven’t even asked what kind of school it is, how they access school content when on the network that could identify their machine, or what the risks are for getting caught, yet you want to push a method when others have provided better8 options for obscurity. I am looking out for this kid’s (or adult’s) well being.

              Yes, your method works to bypass a firewall, I have even used it myself many times. But it is absolutely not the best option here. And before you ask for credentials again, yes, I have network security experience in multiple domains, including corporate provided POC exploits for software you would know the names of, threat modeling for highly sensitive data, and organization and management of certified systems, along with knowledge of school network infrastructure.

              • hperrin@lemmy.world
                link
                fedilink
                arrow-up
                0
                ·
                edit-2
                4 months ago

                I helped out with my high school network and SSH absolutely would not have looked suspicious. I can’t say for this school, but that was a regular part of the curriculum in mine. Even if it wasn’t, what are you gonna do as a net admin? You have zero evidence that a student is doing something malicious.

                I feel like you’re a script kiddy who got called out for being overly confident online, and now you’re grasping at straws. I literally gave you two outs, and you doubled down every time. There is nothing suspicious about SSH traffic, even in a high school network, let alone a college network, and if you think there is, you’re 100% brand new to the industry.

                You still haven’t given any alternative that would look any less suspicious than SSH traffic, and you still haven’t given any method a net admin could use to identify your machine from the countless others that connect to an open WiFi network.

                In fact, let’s test you. There’s something that old versions of Firefox will expose, even through a SOCKS proxy. What is it, and what did Firefox introduce to prevent that?

        • ⲇⲅⲇ@lemmy.ml
          link
          fedilink
          arrow-up
          0
          ·
          edit-2
          4 months ago

          That’s nice, for 0,50 monthly less you have more hard drive (14GB more) but you lose 2GB of RAM compared to Hetzner.

          EDIT: For VPN over HTTP, you don’t need more than this.

  • refalo@programming.dev
    link
    fedilink
    arrow-up
    0
    ·
    4 months ago

    If it’s any school like mine was, where people actively look at all the traffic going through their network, it’s a losing battle. And I say this as both a huge privacy advocate and a long-time network engineer.

    Anything even remotely resembling a tunnel, VPN or proxy is going to make you stand out in their monitoring, because they will see constant traffic between you and the same host on the other end… traffic that practically never stops. In my day the school even force-reset SSH and RDP sessions after a while (or maybe it was actually ALL tcp sessions, not sure).

    It doesn’t matter what protocol or technique you use at that point because they can either block whatever IP/ports you use, every time you change it, or threaten/shut off your service.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      4 months ago

      There are tools that can reasonably get around that technically. You just need to make it look like https traffic.

      I say this as it is possible to bypass the great firewall in China which was likely build on a much bigger budget

        • Possibly linux@lemmy.zip
          link
          fedilink
          English
          arrow-up
          0
          ·
          4 months ago

          It wouldn’t be that much traffic. It would just be https going to random IPs which looks like regular browsing. If you start blocking thing you will create lots and lots of issues plus angry users.

          I also doubt they have some guy watching every connection for an entire school.

  • fuckwit_mcbumcrumble@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    4 months ago

    Is this a school issued computer or your own on their network? Never assume you have any privacy on a computer that isn’t your own. Even if you do get a VPN on there they probably have software on the laptop to monitor your actual screen which is far more privacy invasive than seeing that you accessed lemmy 500 times in an hour.

    • bdonvr@thelemmy.club
      link
      fedilink
      arrow-up
      0
      ·
      4 months ago

      Seriously, ever heard of Intel AMT? It gives administrators such deep access to the computer that they can view and control your screen (regardless of OS you’re using), power the device on remotely, etc.

  • The 8232 Project@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    4 months ago

    Hi! Back in high school, me and a few close friends formed a small hacking group aimed at hacking the school WiFi. We succeeded, and reported the vulnerabilities we found along the way to the school. Our school had a policy where students who managed to hack something would be let off the hook if they reported exactly how they did it. I managed to land a job for the school district as a result of our fiasco. I don’t recommend anyone do that, but I managed to get lucky.

    Anyways, once we had access to the WiFi we wanted to get around the network wide filter. Proton VPN worked for a while, but quickly got blocked. Dual booting into Tails on school computers didn’t work until the 6.0 update. To my knowledge, it still works.

    However, for our phones, the thing that worked was changing the DNS. We found out the network wide filter the school boasted so highly about was only a DNS filter that resolved hostnames to a “blocked” page. Find a good PRNS and change your device’s DNS to match. If you want a search engine, try to find an unblocked SearXNG instance.

    Good luck!

    P.S. Don’t forget: Tor is portable on Windows devices :)

    • InputZero@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      4 months ago

      This is the best answer. You didn’t go charging through their system with complete disregard. You made the IT staff like you first, then broke through their system. That’s social engineering at it finest here people, and is the first skill any great hacker needs to learn. Please do good with this skill.

  • sovietknuckles [they/them]@hexbear.net
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    4 months ago

    If your school blocks VPN connections, that usually means that they’re specifically blocking OpenVPN traffic and/or WireGuard traffic. So if you use a VPN provider that supports OpenConnect (which looks like regular HTTPS traffic over port 443 to your school, there’s a good chance that it will not be blocked.

    That’s what I do when I’m on open Wi-Fi networks that block everything but HTTP or HTTPS traffic. It’s not as fast as UDP OpenVPN, let alone WireGuard, but it frees me from the restrictions of whatever Wi-Fi network I’m on.

  • brainw0rms [they/them]@hexbear.net
    link
    fedilink
    English
    arrow-up
    0
    ·
    4 months ago

    At the risk of sounding contrarian/lame, you should probably not be doing any of this especially if you don’t own the hardware you’re using (as mentioned by another commenter).

    You don’t specify if this is university or middle/high school, but either way you are not entitled to and should not expect any privacy on a network you don’t control. Regardless of if you use a VPN, your school’s network administrators can almost certainly tell that you are using a VPN, which itself sounds like it would be a violation of your school’s network policy and will most likely land you in trouble. Indeed, your repeated attempts to access blocked sites have likely already raised some flags.

    I would quit while you’re ahead until you can afford your own hardware/internet connection, and then maybe worry about any notion of privacy. Use your school’s internet for what it was intended.

    • Decency8401@discuss.tchncs.deOP
      link
      fedilink
      arrow-up
      0
      ·
      4 months ago

      I have gotten in trouble for using a VPN I’m the past but it was just a little talk and then they were cool with it. The thing is, that it is my device and at the school I don’t have a strong enough signal for my phone. So I can’t just make a hotspot and use that as WiFi. I need to use the WiFi to get my things done but I will not use the WiFi if I can’t protect my privacy. I know that this sounds pretty stupid but I won’t comply with my school.

  • ResoluteCatnap@lemmy.ml
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    4 months ago

    Here are some good rule of thumbs for work and schools:

    • do not connect to their networks with your personal devices, ever.

    • Only use work/ school devices on their own network.

    • Do not do anything personal on those networks. only do work/school related tasks. This means don’t log into any non school/work accounts.

    • If for some reason they don’t have a device for you but require you to use their network, then leave your personal devices at home claiming you don’t own one and make them accommodate you.

    You cannot expect privacy in these situations, and by going to the extreme lengths to try to get it then you will ironically just paint a bigger target on your back if any network admin cares. In some cases this can cost you your job or get you in trouble with the school.

    • Decency8401@discuss.tchncs.deOP
      link
      fedilink
      arrow-up
      0
      ·
      4 months ago

      I tried this but my signal isn’t strong enough to get thorugh the walls. In some classrooms it works, but it’s more like a 50/50 chance to stay connected.

    • ReversalHatchery@beehaw.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      4 months ago

      Which means the mobile data plan, which doesn’t sound that easy anymore. Where I live (EU) mobile data plans are either quite limited in data cap or expensive, and for a lot of years now they are just shutting it down when yours ran out, instead of slowing it down.