H

Contributor

 • 

76 Messages

Friday, December 8th, 2023 11:45 AM

Xfinity hotspot is blocking Tailscale VPN?

Weird issue, and only began happening today.

At work, I often connect my phone to the xfinitywifi hotspot that we have. My phone runs Tailscale so I can access stuff on my home network without exposing said stuff to the internet.

Well, today (12/8/2023), that seems to no longer work. Trying to use Tailscale results in zero connectivity, but turning it off restores full internet. I tested with both my phone and my laptop, on the hotspot, on mobile data, and on the normal office wifi. Mobile data and Office wifi both allow Tailscale to work, but once I get on the Xfinity hotspot, the connectivity completely dies. Since I also use this for DNS (Pi-Hole FTW!), this completely stops me from even accessing the internet.

This tells me that Xfinity is blocking Tailscale on their public hotspots now.

Call me crazy, but isn't the point of using a VPN (Besides my use case) on a public hotspot supposed to be a safety measure?

EDIT: Solved. Turns out the hotspot at work is messed up. Tried it on the one at a local Chinese restaurant, and it worked perfectly as expected.

Problem Solver

 • 

1.5K Messages

3 months ago

Connecting to the hotspot -- your gateway's public hotspot when at home, or when you are offsite and connected to another public hotspot and trying to get to your house?

It might not do local loopback (local gateway public hotspot to your gateway's external IP address), and you probably wouldn't want it to for security reasons (local attacker amplification attacks).  

Contributor

 • 

76 Messages

@flatlander3​ Definitely offsite. I'm at my office.

My home firewall (pfSense) doesn't have WAN loopback configured as I don't really need it. Office WiFi (which is Xfinity) works fine, as does Verizon. Completely dead on the hotspot though.

Problem Solver

 • 

1.5K Messages

@Hemingray42​  You can port scan it with nmap, but you'll get mixed results on a port running a VPN.  It will either say closed or filtered because the scan doesn't have a valid HMAC (openvpn) or the encryption key (wireguard). 

Not sure what the unencrypted hotspot "xfinitywifi" will allow or if there are any port restrictions besides the normal ones.  Perhaps try the encrypted one "XFINITY" and see if that behaves differently.

Problem Solver

 • 

1.5K Messages

Oh.  And if you're running snort on your pfsense, maybe snort hates xfinitywifi hotspots.  Might want to check the log and see.  

Contributor

 • 

76 Messages

@flatlander3​ Would try that, but it requires an app that the only thing it does well is crash. The unsecured hotspot never had any restrictions that I knew of. Never had trouble with it until today.

Contributor

 • 

76 Messages

3 months ago

And now the hotspot suddenly wants me to log in, but doesn't even load the page. May be some other weird issue. I'll check it later in the day or something.

forum icon

New to the Community?

Start Here