Connecting Slate/Beryl AX to Starbucks with VPN on

Morning gang!!!

I’m preparing and testing the Slate AX for travel. In my local Starbucks, the only method that works is the MAC address cloning method. I must keep the VPN on while connecting to wifi. No turning it off. I’m glad this is working however!! Means game on for travel.

Anyone else test their Beryl or Slate with Starbucks and had results doing a different method? Will this method likely be sufficient during my travels?

Normally I go to Southeast Asia, and I have a shortlist of hotels and Airbnbs with amazing wifi etc., but now I might do Portugal and Spain with my friend, and I’m not seeing “good wifi” in the reviews of most Airbnbs, so I might have to go to a coworking space, and the worst thing that could happen would be my router not getting past the captive portal.

How do you expect to have the VPN working before the device has internet access? Whether you are talking about router-based or client-based VPN, internet access will need to be established before it can connect.

Bump

What you’re saying sounds sensible.

Not a guru but so far it

  • works fine connecting with vpn if there is no captive portal
  • works fine connecting with vpn for captive portals if I do MAC address cloning

Any sure successes on this with another solution?

The sites that “trigger” the captive portal aren’t working for me. Is the idea I just visit the site and poof, the captive might be triggered?

A list of ones I’ve collected
http://detectportal.firefox.com/canonical.html,
Success
http://neverssl.com, http://neverssl.com/,
http://p.ox.cx/, or http://notls.ox.cx/

It works fine with MAC cloning because you probably already acknowledged the captive portal with that same MAC address. One of the problems with triggering captive portals is that so many sites are https now, and browsers are increasingly redirecting themselves to the https site when http is not explicitly part of the address. For a test, you can see if http://neverssl.com (or http://www.mit.edu) triggers a captive portal session.

In my experience you have to turn off the VPN to connect to an open AP with a captive portal or initially to an AP with a password. Once you’ve connected then you can have the VPN start immediately. I can’t say I’ve stayed at every Airbnb in the world, but I’ve never been at one with a captive portal or that wasn’t secured. I wouldn’t be using the travel router at a Starbucks.

I can’t speak to Spain, but in PT you should have excellent internet access in ALs (Airbnbs). The three main ISPs are all mostly fiber with tiers starting at 100/100 and going to 1g/500, for a lot less money than in the US. Heck, symmetric 10G is available for 150E.

Using my much smaller, less obvious, gl.inet USB150 I have connected at Starbucks inside and outside the US, at a couple libraries that only allow captive portal logins, on airplanes on several different airlines, at hotels/AirBNBs that have a captive portal, and at other sites with various restrictions. My normal procedure is:

  • Turn off VPN
  • Turn off the Internet Kill Switch
  • Turn off all DNS settings including:
    • DNS Rebinding Attack Protection
    • Override DNS Settings for All Clients
    • DNS over TLS (Cloudflare or NextDNS)
    • Dnscrypt-Proxy Settings
    • Manual DNS Server Settings
  • Connect and log into the captive portal.
  • After getting the connection working I can normally go back to my standard DNS and VPN settings.

NOTE: Some remote sites limit the ports they allow you to go out on to only ports 80 and 443 using TCP, and they supply their own local DNS server on port 53. Although I prefer and normally use WireGuard, to get around these restrictions I have my travel routers and remote VPN sites set up so that, in addition to supporting WireGuard, they are also configured to support both OpenVPN and SoftEther VPN protocols over TCP on ports 80 and 443, which has saved me more than once.

I have not been able to try this on 4.x firmware, as I’m still waiting on gl.inet to update the USB150 Firmware to 4.x.

I thought of another setting you might need to toggle - DNS rebinding.
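
An added example, not code from any poster in this thread: a small Python probe that classifies what answers a plain-HTTP request to one of the trigger URLs listed above, so you can tell an open connection from a captive portal intercepting it before re-enabling the VPN and DNS settings. The `MARKER` string, the function names and the result labels are assumptions made for illustration.

```python
import http.client
from urllib.parse import urlsplit

PROBE_URL = "http://neverssl.com/"  # plain-HTTP trigger URL from the thread
MARKER = "NeverSSL"                 # assumption: text present in the genuine page

REDIRECTS = (301, 302, 303, 307, 308)


def classify(status, location, body, probe_host, marker):
    """Decide what answered a plain-HTTP probe (labels are illustrative)."""
    if status == 511:
        # RFC 6585 "Network Authentication Required", sent by some portals
        return "portal"
    if status in REDIRECTS:
        target = urlsplit(location or "").hostname
        if target and target.lower() != probe_host.lower():
            return "portal"  # bounced to a different host: the login page
        return "redirect-same-host"  # e.g. the site's own http -> https upgrade
    if status == 200:
        # Some portals answer 200 and replace the page body instead of redirecting
        return "open" if marker in body else "portal"
    return "unknown"


def probe(url=PROBE_URL, marker=MARKER, timeout=5):
    """Fetch the probe URL without following redirects and classify the reply."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                      timeout=timeout)
    try:
        conn.request("GET", parts.path or "/",
                     headers={"Cache-Control": "no-cache"})
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
        return classify(resp.status, resp.getheader("Location"), body,
                        parts.hostname, marker)
    except (OSError, http.client.HTTPException):
        return "no-connectivity"  # DNS failure, timeout, reset, bad reply
    finally:
        conn.close()


if __name__ == "__main__":
    print(probe())
```

A result of `no-connectivity` while associated to the AP is consistent with the router's own DNS or kill-switch settings blocking the probe, which is the situation the checklist above works around.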