Suramya's Blog : Welcome to my crazy life…

February 27, 2010

How to use UDP Tunneling to avoid hotspot or firewall restrictions

Filed under: Computer Security,Knowledgebase,Tech Related — Suramya @ 11:59 PM

A lot of times when you connect to a wireless hotspot or a network, there are restrictions in place that prevent you from accessing the web without some sort of authentication, or that restrict the kinds of connections allowed. Usually that's not a problem, but at times you need to be able to bypass the restrictions.

In normal cases the firewalls in place allow outgoing connections to pass through, but in some cases even outbound connections are blocked, or you need to pay for access. In such cases you can use UDP tunneling to bypass the restrictions.

Keep in mind that using such methods on a network will not endear you to your network administrator, and if caught you might get into trouble. You might even end up in jail. So don't try to use this for anything illegal or to browse porn at work.

The way it works is that when you try to browse to a website, your system sends a request to a name server on UDP port 53. On a lot of hotspots/firewalls/proxies the system waits for the name server to respond, and when it gets a response it redirects you to a login page or to a web proxy. What allows us to do a UDP tunnel is the fact that all UDP port 53 traffic is allowed out to anywhere on the web, without any kind of authentication.

So if you have a VPN configured to connect over UDP port 53 instead of the default port 1194, you should be able to bypass the restrictions.

Basically what you have to do is set up an OpenVPN server on a public server and configure it to use port 53 instead of the default 1194. Once you do that, you can configure the VPN client on your laptop to connect to the server on port 53. Once connected, all new connections will go over the VPN, and you should be able to browse the web without issues or blocks.
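From the network operator's side, the same property that makes this work (port 53 traffic passes without authentication) is what gives the tunnel away: genuine DNS lookups are small and sparse, while a VPN over UDP/53 moves a lot of bytes in large datagrams to a host that is not the hotspot's resolver. The following script is an added example for this post, not the author's code or OpenVPN's. It runs over constructed flow records of the kind a firewall connection log or NetFlow export would produce; the sanctioned resolver address, the byte threshold and the datagram-size limit are assumptions chosen for the sample, not values from the post.

```python
"""Flag hosts whose UDP/53 traffic looks like a tunnel rather than DNS lookups.

Added example, not the post's own code. Assumptions (labelled): the hotspot's
sanctioned resolver is 10.0.0.53; a client that moves more than TUNNEL_BYTES
over UDP/53 to any other destination in the log window, or whose average
UDP/53 datagram is larger than a classic DNS answer, is reported.
"""
from collections import defaultdict

SANCTIONED_RESOLVERS = {"10.0.0.53"}  # assumption: the hotspot's own DNS server
TUNNEL_BYTES = 200_000                # assumption: >200 KB over UDP/53 is not lookups
LARGE_DATAGRAM = 512                  # classic DNS-over-UDP answers fit in 512 bytes without EDNS

# Constructed sample flow log: src dst proto dport bytes packets
FLOW_LOG = """\
# src dst proto dport bytes packets
192.168.5.10 10.0.0.53 udp 53 4100 38
192.168.5.10 8.8.8.8 udp 53 900 6
192.168.5.22 203.0.113.7 udp 53 3480000 2900
192.168.5.22 10.0.0.53 udp 53 250 3
192.168.5.31 203.0.113.9 udp 1194 5000000 4000
192.168.5.40 10.0.0.53 tcp 53 6000 20
"""


def parse_flows(text):
    """Parse whitespace-separated flow records, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, nbytes, pkts = line.split()
        flows.append({
            "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes), "packets": int(pkts),
        })
    return flows


def dns_port_summary(flows):
    """Aggregate bytes and packets of UDP/53 traffic per (client, destination)."""
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == 53:
            key = (f["src"], f["dst"])
            agg[key]["bytes"] += f["bytes"]
            agg[key]["packets"] += f["packets"]
    return agg


def find_suspect_clients(flows, resolvers=SANCTIONED_RESOLVERS,
                         byte_threshold=TUNNEL_BYTES):
    """Return (src, dst, reasons) for UDP/53 pairs that do not look like DNS.

    Two independent signals are checked: volume to a destination that is not a
    sanctioned resolver, and average datagram size beyond a plain DNS answer.
    A pair is reported if either fires; both firing is the strongest signal.
    """
    findings = []
    for (src, dst), stats in dns_port_summary(flows).items():
        reasons = []
        if dst not in resolvers and stats["bytes"] >= byte_threshold:
            reasons.append(f"{stats['bytes']} bytes to non-sanctioned {dst}")
        avg = stats["bytes"] / stats["packets"] if stats["packets"] else 0
        if avg > LARGE_DATAGRAM:
            reasons.append(f"average datagram {avg:.0f} B exceeds {LARGE_DATAGRAM}")
        if reasons:
            findings.append((src, dst, reasons))
    return sorted(findings)


if __name__ == "__main__":
    for src, dst, reasons in find_suspect_clients(parse_flows(FLOW_LOG)):
        print(f"{src} -> {dst}: " + "; ".join(reasons))
```

On the sample log only 192.168.5.22 is reported, for both reasons: its traffic to 203.0.113.7 is far above the threshold and averages 1200 bytes per datagram, whereas the short lookups to the resolver and the handful of packets to 8.8.8.8 stay well under both limits. The port 1194 flow is ignored on purpose; a plain OpenVPN port is something a firewall policy handles directly, while port 53 needs content-aware checks like these because it cannot simply be closed.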

Thanks to Adam Palmer for the tip.

[Update 11/26/2014] Please use the updated link iodigitalsec.com as the original one is broken.

I think I am going to set up a VPN server on my desktop so when I am away from home and need web access I can use this technique to get access.

– Suramya

6 Comments »

  1. Question. I have a server running Openvpn on Port 53, but use the TCP port. Will this make a difference?

    Comment by Steven — March 13, 2011 @ 4:13 AM

  2. I *think* TCP port 53 might be blocked in some places, but UDP ports are usually not so that might make a difference.

    – Suramya

    Comment by Suramya — September 5, 2011 @ 4:33 PM

  3. Please note, the link in this article is broken – please replace with http://www.iodigitalsec.com/udp-tunneling-to-avoid-hotspot-or-firewall-restrictions/

    Comment by Adam Palmer — November 25, 2014 @ 3:00 AM

  4. Hi Adam,

    Thanks for the heads up. I have updated the post with the new link.

    – Suramya

    Comment by Suramya — November 26, 2014 @ 1:31 AM

  5. I'm the operator of a network of hotspots; this method won't work on our system, as we have iptables rules in our firewalls to forward all DNS requests on port 53 TCP or UDP to a predefined DNS server. I.e. if you try to make a request to an IP address on port 53 TCP or UDP before authenticating on the hotspot, the request is redirected to our own DNS.

    We use the following to forward connections on port 53 for all unauthenticated "unknown" users/clients:

        iptables -t nat -A Hotspot_Unknown -p tcp --dport 53 -j DNAT --to x.x.x.x
        iptables -t nat -A Hotspot_Unknown -p udp --dport 53 -j DNAT --to x.x.x.x

    where x.x.x.x is our DNS server.

    So even if you put alternative DNS servers in your network settings, they still wouldn't work, and requests would come to our server.

    Comment by Gareth — September 1, 2016 @ 5:59 AM

  6. Interesting, good to know this. Thanks for sharing your config.

    – Suramya

    Comment by Suramya — September 27, 2016 @ 11:57 PM
