by jesprenj 1320 days ago
I was on a ferry ship from Italy to Greece where they had paid satellite Internet via WiFi. The WiFi AP was at first a captive portal. You could buy Internet access with cash at the reception or you could pay online. For that they had to enable access to stripe.com. But stripe uses fastly CDN, so they enabled one specific fastly endpoint that stripe uses. You had direct IP traffic to this specific IP address. reddit also uses fastly CDN. So with a /etc/hosts hack I could load reddit pages for free. Not images though, as they are hosted by imgur.

I assume one could also create a tunnel over reddit chat to connect to the Internet, but I never did that.

By default, reddit did not work though, as their fastly CDN endpoint is different from stripe's; also, stripe's endpoint did not correctly sign TLS for reddit.com. But setting a Host header of old.reddit.com on that fastly IP successfully downloaded the page.

When I still had phone network by the coast, I set up an iodine IP-over-DNS tunnel, but it did not work, even though DNS requests worked on that WiFi. Maybe they had some sort of protection specifically for iodine.

2 comments

There's a trick called "Domain fronting" (ab)using CDNs like that which is useful.

Tor's "meek" pluggable transport uses it, but only supports a couple of CDNs, as you need to run infra behind the CDN, which costs money.

As for Iodine, I used to run a few public DNS tunnel servers with it for people. It's a pain in the ass to get working reliably.
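The thread's point, from the operator's side, is that allowlisting a shared CDN edge by IP permits every tenant behind it. The following is an added example, not code from the thread or from any project mentioned in it: a small checker that runs over constructed gateway log lines and flags requests to an allowlisted edge whose HTTP Host header (or TLS SNI, where visible) is not one of the hostnames the portal actually intended to permit. The log format, the field names, and the permitted hostnames in the allowlist are assumptions; the edge IP is the one quoted later in the thread.

```python
"""Flag Host/SNI mismatches against a captive-portal allowlist (added example).

Assumptions: the gateway terminates or inspects HTTP and writes one line per
request in the constructed format below. The allowlist maps an edge IP to the
hostnames the portal means to permit on it (illustrative names only).
"""
import re
from dataclasses import dataclass

# Constructed allowlist: edge IP -> hostnames the portal intends to permit there.
ALLOWLIST = {
    "151.101.0.176": {"stripe.com", "js.stripe.com"},
}

# Constructed sample log (format is an assumption): ts client= dst= sni= host=
SAMPLE_LOG = """\
2021-07-01T10:00:00Z client=10.0.0.5 dst=151.101.0.176 sni=js.stripe.com host=js.stripe.com
2021-07-01T10:00:03Z client=10.0.0.7 dst=151.101.0.176 sni=stripe.com host=old.reddit.com
2021-07-01T10:00:05Z client=10.0.0.7 dst=151.101.0.176 sni=- host=old.reddit.com
2021-07-01T10:00:09Z client=10.0.0.9 dst=93.184.216.34 sni=example.org host=example.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) dst=(?P<dst>\S+) "
    r"sni=(?P<sni>\S+) host=(?P<host>\S+)$"
)


@dataclass
class Finding:
    ts: str
    client: str
    dst: str
    reason: str


def parse_line(line):
    """Parse one constructed log line into a dict; '-' means no SNI seen."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["sni"] == "-":
        rec["sni"] = None
    return rec


def check_record(rec, allowlist=ALLOWLIST):
    """Return a Finding when the request does not match what the edge was opened for."""
    permitted = allowlist.get(rec["dst"])
    if permitted is None:
        return Finding(rec["ts"], rec["client"], rec["dst"], "destination not allowlisted")
    # The edge IP is shared by many tenants; the Host header decides which one answers.
    if rec["host"] not in permitted:
        return Finding(rec["ts"], rec["client"], rec["dst"],
                       f"host {rec['host']} not permitted for this edge")
    # SNI and Host naming different sites is the classic fronting signature.
    if rec["sni"] is not None and rec["sni"] != rec["host"]:
        return Finding(rec["ts"], rec["client"], rec["dst"],
                       f"sni {rec['sni']} differs from host {rec['host']}")
    return None


def scan(log_text, allowlist=ALLOWLIST):
    """Run check_record over every parseable line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = check_record(rec, allowlist)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client} -> {f.dst}: {f.reason}")
```

The check is only as good as what the gateway can see: without TLS termination the Host header is invisible and only the SNI remains, which is why the third sample line (no SNI at all) still has to be judged on the Host it carries once the connection is inspected.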

Pls explain how you did that. I would like to try it for myself.

First of all I was doing all of this on my touchscreen phone, which made me give up soon, as my laptop was packed in the garage.

I used a program called Packet capture that registers as a VPN connection in Android and routes all traffic through itself. I saw some external IPs with TLS data when visiting the captive portal: http://upload.4a.si/pcap.jpg

When I sent a request to one IP address, I learned from the response that I'd reached a fastly endpoint. The response was an error page, claiming they host no one with this domain. I knew from a talk by reddit sysadmins that they use the fastly CDN, so I added a Host header with a value of old.reddit.com:

curl -ikH Host:\ old.reddit.com https://151.101.0.176/r/Slovenia.json

Then I added a rule in the AdAway software for Android (this one is used for DNS blacklisting to remove ads based on DNS queries and requires root access - changes /etc/hosts AFAIK) to overwrite old.reddit.com to this IP address.

I can't remember how I tricked the web browser into ignoring invalid certs.