VPN Over XFINITYWIFI Hotspots - OpenVPN, WireGuard, Others

Ran into this problem at an xfinitywifi hotspot recently. These are the public hotspots Xfinity runs in many locations, typically off of Xfinity wireless routers (if you're here though, you probably already know that).

My OpenVPN client would connect, and access to non-https websites worked, access to local IPs on the server side of the VPN worked too, but https websites, SSL connections, and some other things would fail. The client worked fine on all other networks/connections I tried it on. Went down a bit of an internet rabbit hole on this one with several folks suggesting DPI or other attempts by Xfinity to block VPNs on their public hotspots were the cause. As it turns out, at least for me, this was a frame size issue. OpenVPN doesn't like some packets to be fragmented and that was happening. My guess is that Xfinity implemented vLANs on public hotspots that is consuming additional overhead in the packets, but whether it's that or something else doesn't really matter. The solution was reducing the frame size in OpenVPN.

If you know your VPN works because it works on other connections, give this a try. For OpenVPN, you set it in your client side profile with "mssfix nnnn". For me, the magic number was 1376. If you can get the VPN connected, you can test and verify the maximum packet size with “ping <server_addr> -f -l 1376” for a 1376 byte test using one of your server side addresses. Move up or down until you find the maximum size that doesn’t fail or report that the packet had to be fragmented. Other VPNs have this same functionality but settings are in different places. You can Google those. Good luck!