Skip Navigation

I'm interested to hear possible reasons a public Wi-Fi network at a state building might block specifically lemmy.ml and not other instances.

I don't need help, it's just too implausible for me not to be curious.

Aside, it's been fascinating anonymously watching this network evolve over the past decade as a citizen-user who has business in the building. I've been battling with the faceless network admins trying to find ways to access my home lab year-after-year.

First they blocked my personal domain because I tried to reach vpn.mydomain.com. Then I couldn't use OpenVPN at all (or I was too green at the time to bypass). Next, Wireguard worked for a while until it didn't. Now tailscale is working but I'm forced to use the slow DERP servers to reach home. I might try Headscale with a different personal domain next.

My next project is a little more radical - hiding an old pi 3B on the network as an exit node on that network. Then I can use the state-owned IP instead of my home one when websites are dicks about third-party VPN IPs.

10

You're viewing a single thread.

10 comments
  • I work IT professionally.

    For the love of all that is still sane in this world, PLEASE STOP. If you are in a building under ANY kind of professional IT organization (government or corporate), there probably is a network access terms of use. If you violate that, many of these ToS have teeth to at minimum ban you from the network. I hope you can get your job done without a computer or on cellular reception (if you still have a job after they find out). Since it's a government site, there may be additional legal penalties for fussing with a government network without authorization. If you think you need us to help you bypass this, you may be needing a lawyer.

    If IT is blocking something, they probably have a reason. It might not be a good reason, but it's a reason. Doesn't matter if it is right, it matters what they set in the policy. If you believe the policy is wrong, the correct answer is ALWAYS to submit an IT ticket, then raise an escalation with your supervisor/point of contact with the building if that doesn't work, or HR if neither of the first two options work. In that order. Do not skip processes, do not pass go, do not collect $200. There is a minor exception where you can skip steps of the management chain in certain situations (like going to your boss's boss etc) if such an individual is open to such communication.

    Probably the easiest one is to ask IT about the Lemmy instance. It might have gotten blocked by accident, or it didn't show up in whatever domain reputation database they're using. I know my own personal homelab domain got hit with that - reason screen said "potential malware", and when I filled out the lil request exception form with my personal email asking why the domain was blocked for malware and saying I owned the server, turns out that didn't go to our third party network vendor (despite the logo) it went straight to IT and I got called into my boss's office to confirm my story. I confirmed it was me, indicated why I did what I did, and what the domain was used for - it was a subdomain hosting a Minecraft server control panel. Site was unblocked in a manner of hours. The worst thing they can say is no. And if they block reddit or other Lemmy instances afterwards, well, I guess that was against policy. See earlier remarks about policy.

    Lastly, and I cannot say this in loud enough text

    DO NOT HIDE A PHYSICAL DEVICE ON A NETWORK YOU DO NOT HAVE AUTHORITY TO DEPLOY TO

    See paragraph 1 about network access policies. Most forbid this kind of thing. <3 Plus you're just going to get yourself into an arms race between detection and hiding. Please do not the cat network. They will find you. It's not an if it's a when. And the longer it hides there the worse your consequences will likely be when it is found.

    • If there are no TOS though, wouldn't OP be in the clear? I was an intern at a state capitol a couple years and while we had secured user/print/PSK networks, the public network was just an unprotected SSID without a captive portal - you just join.

      I didn't think about it at the time, but it seems wild to have that setup in 2024. Piqued, I just looked it up and unless they've added a captive portal with a TOS to agree to, it looks like this is the only governing statement:

      Wireless Internet access is provided for the public at the Connecticut General Assembly (CGA) campus. This includes the State Capitol Building, the Legislative Office Building (LOB), and the Old State House (OSH). This wireless service is protected by virus and malware protection systems. Objectionable advertising, pornography, spyware, viruses, and other inappropriate content is blocked. To utilize the Internet, simply connect your device to the CGA_Guest wireless network.

      It reads to me like In that increasingly rare scenario that a raspberry pi advertising an exit node isn't considered different from Joe's laptop or Jane's phone.

      • ToS I'm using as a bit of a nebulous phrase. If there is filtering involved, there exists a list of dos and donts - in your example, that base filtering case seems to have a lot of leeway in defining what "objectionable advertising and content" is. They could (not a great move but could) say "VPNs are objectionable".

        I still stand by that the correct move to contact IT - if the network isn't showing it's ToS on launch, either as the flyer with the password, captive portal, or equivalent, they could request the network terms from IT (or equivalent service desk/management). If there is not in fact a ToS,...... Then it's really become a lawyer matter. I am not a lawyer - I'll defer that discussion of a network that enforces a policy without showing a ToS to the experts in the field.

        I hesitate to say if OP has the green light if they're not advertising terms. Clearly there is some policy the network is enforcing against OP, and a (as they put it) a faceless network admin making the changes. Even if it's not a formal legalese policy, it could be just a simple list of what not to do. Communication between OP and their faceless network admin is going to be the key to successful resolution.

        Guest networks are in a bit of a different category for that because we (collectively as IT in general) expect people to be placing tunneling protocols to protect themselves on a guest network, but a company may object to and block any non-standardized VPN that isn't run by corporate on their internal network.

You've viewed 10 comments.