
Hotel Wi-Fi Blocks Everything?
Last month in Panama City I checked into a business hotel whose Wi-Fi portal looked respectable. Ten minutes later I realized it blocked VPN tunnels, SSH, and half the sites I needed for work. I spent the next hour turning my room into a miniature network operations center. If you've ever stared at a captive portal that says "access denied" after you've already paid, here's the troubleshooting playbook that now lives in my head.
Step 1: Identify What's Being Blocked
Before panicking, figure out whether the hotel is blocking specific ports, protocols, or high-bandwidth destinations.
- Run a quick port scan using `nmap -Pn --top-ports 20 captive.portal.ip`. If you only see ports 80 and 443 open, assume a strict firewall.
- Test your VPN. Try WireGuard, then OpenVPN (TCP/443). If both fail, a hotspot manager like Nomadix or Cisco Meraki is intercepting the traffic.
- Check DNS leakage. Visit https://browserleaks.com/dns. If queries resolve through the hotel’s DNS server, they might be hijacking upstream responses.
- Ping a known IP (e.g., `1.1.1.1`). If it works but `cloudflare.com` doesn’t, DNS blocking is the culprit.
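The Step 1 checks can also be scripted. The sketch below is an added example, not part of the original post: it classifies a TCP probe as open, refused or filtered, then applies the rules above to the collected results. The function names and result labels are made up for this example, and probes of ports other than 443 are assumed to target a server you control.

```python
import errno
import socket

def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused' (a reset came back) or 'filtered' (silence)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        # An unreachable network or host looks like a silent drop from here.
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "filtered"
        raise

def name_resolves(name):
    """True if the resolver handed out by DHCP returns any address."""
    try:
        return bool(socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP))
    except socket.gaierror:
        return False

def diagnose(ip_state, dns_ok, port_states):
    """Apply the Step 1 rules; port_states maps port -> probe_tcp() result."""
    if ip_state != "open":
        return "no-ip-path"        # portal not passed yet, or all egress dropped
    if not dns_ok:
        return "dns-blocked"       # a raw IP works but names do not resolve
    passing = {port for port, state in port_states.items() if state == "open"}
    if passing <= {80, 443}:
        return "web-ports-only"    # strict firewall: only web ports pass
    blocked = [port for port, state in port_states.items() if state != "open"]
    return "selective-filtering" if blocked else "unrestricted"

if __name__ == "__main__":
    # Constructed observations, as if gathered on a restrictive network.
    # Live use: probe_tcp("1.1.1.1", 443) and name_resolves("cloudflare.com").
    sample = {22: "filtered", 80: "open", 443: "open", 1194: "filtered"}
    print(diagnose("open", True, sample))
```

A captive portal or transparent proxy can complete the TCP handshake itself, so "open" only means the handshake succeeded, not that the far end answered.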
Step 2: Clone the Captive Portal
Hotel portals often whitelist the first MAC address that authenticates. Bypass that by cloning the connection to your own router.
- Connect your phone to the Wi-Fi and complete the captive portal login.
- Open your phone’s network settings and record the MAC address and session cookie.
- Log into your GL.iNet router (or similar) and clone the MAC address under `More Settings > MAC Clone`.
- Paste any session cookie into the router’s captive portal helper (GL.iNet calls this “GoodCloud Portal Bypass”).
Now every device behind your router looks like the authorized phone.
Step 3: Tunnel Through Allowed Ports
If the firewall still crushes VPNs, use alternative transports.
- TLS Tunneling: Run Outline VPN or use Cloudflare WARP. Both masquerade as normal HTTPS traffic.
- SSH over WebSocket: Services like `sshreach.me` wrap SSH in WebSocket frames that pass through port 443.
- Simple TLS proxies: `stunnel` can wrap an OpenVPN connection inside TLS. Configure your server to listen on 443 with a legit certificate.
In Panama, Cloudflare WARP connected immediately while WireGuard failed. I kept WARP as my “control plane” to reach my own servers, then switched to my private WireGuard once I tethered to LTE.
Step 4: Switch DNS Strategically
Hotel DNS often blocks streaming domains. Change DNS on your router to `1.1.1.1` or `9.9.9.9`. If they intercept that, run your own resolver over HTTPS using `dnscrypt-proxy` or `cloudflared` for DoH.
Example `cloudflared` config snippet:
```yaml
# Run a local DNS listener that forwards every query over HTTPS
proxy-dns: true
proxy-dns-port: 5053
# DoH upstreams
proxy-dns-upstream:
  - https://cloudflare-dns.com/dns-query
  - https://dns.google/dns-query
```
With `cloudflared` running on the router itself, point the router’s DNS to `127.0.0.1:5053`, and you’re cruising.
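To confirm that the hotel resolver is the problem (the last check in Step 1) and that the local DoH proxy fixes it, compare the two answers for the same name. This is an added example, not code from the original post: it speaks plain DNS over UDP to each resolver and classifies the difference. The function names and result labels are made up here, and the fixed query ID is a simplification.

```python
import ipaddress
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive A/IN question (RFC 1035); fixed ID for brevity."""
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts)
    # Header with RD=1 and one question, then root label, QTYPE=A, QCLASS=IN.
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + b"\x00\x01\x00\x01"

def skip_name(msg, off):
    """Return the offset just past a name, honouring compression pointers."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg, qid=0x1234):
    """Return (rcode, sorted IPv4 answers); reject a reply with the wrong ID."""
    rid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if rid != qid:
        raise ValueError("transaction ID mismatch")
    off, addrs = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # name, then QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if (rtype, rclass, rdlen) == (1, 1, 4):
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0x000F, sorted(addrs)

def ask(server, port, name, timeout=3.0):  # one UDP query, parsed reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, port))
        return parse_a_records(sock.recvfrom(4096)[0])

def compare(hotel, doh):
    """Judge the hotel resolver's (rcode, ips) against the DoH proxy's."""
    (h_rc, h_ips), (d_rc, d_ips) = hotel, doh
    if d_rc != 0 or not d_ips:
        return "inconclusive"  # the reference lookup failed too
    if h_rc != 0 or not h_ips:
        return "blocked"  # error or empty answer only at the hotel
    if any(ipaddress.ip_address(ip).is_private for ip in h_ips):
        return "redirected"  # public name pointed at a non-public address
    return "consistent" if set(h_ips) & set(d_ips) else "differs"
```

Feed `compare()` the result of `ask()` against the DHCP-assigned resolver on port 53 and against `127.0.0.1` on port 5053. A bare "differs" is not proof of tampering, since CDNs hand different addresses to different resolvers.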
Step 5: Fall Back to LTE or Local SIM
Sometimes the faster move is to skip hotel Wi-Fi entirely. I carry:
- Airalo eSIM (regional plans) for instant LTE.
- Netgear Nighthawk M6 hotspot if I need 5G speeds.
- TP-Link MR6400 travel router that accepts physical SIM cards. Pop in a local prepaid SIM, share Wi-Fi to all devices.
In Hong Kong, my hostel throttled VPNs heavily. I bought a CSL prepaid SIM for HK$100, stuck it in the MR6400, and walked around with consistent 40 Mbps down.
Step 6: Ask Politely (Sometimes Works)
When all else fails, contact the hotel IT vendor. In Lima, the Nomadix portal had a “request business access” link buried in the fine print. I submitted a ticket explaining I needed ports 1194 and 51820 open for work. Two hours later, they granted a “premium access” profile at no extra charge.
Talking points when you call the front desk:
- “I host secure video calls for clients. Can you enable VPN pass-through?”
- “Could you whitelist my MAC address ending in :A4?”
- “Is there a wired Ethernet jack? I can use that instead of Wi-Fi.”
Troubleshooting Matrix
| Symptom | Likely Cause | Fix |
| --- | --- | --- |
| VPN connects but no traffic | Split tunneling misconfigured | Force all traffic through tunnel or disable split |
| Speed drops to 1 Mbps exactly | Bandwidth shaping after x MB | Change MAC, reconnect, or tether to LTE |
| Netflix works, Google doesn’t | Hotel DNS filtering | Switch to DoH/DoT, clear DNS cache |
| Captive portal repeats every hour | Session timeout | Clone MAC, keep a device pinging `8.8.8.8` |
Tools Worth Keeping Handy
- TripMode blocks background app updates, saving bandwidth.
- Speedtest CLI for quick latency measurements.
- Little Snitch to monitor unexpected outbound connections.
- WiFi Explorer Lite (macOS) to analyze channel congestion.
Resilience Checklist for Next Trip
- Pack a travel router and preconfigure VPN + DoH.
- Keep multiple VPN protocols ready (WireGuard, OpenVPN, IKEv2, WARP).
- Carry a USB-C Ethernet adapter—some hotels still offer faster wired ports.
- Preload local SIM/eSIM for backup connectivity.
- Store boilerplate support emails in Notes so you can request firewall changes quickly.
Final Word
Hotel Wi-Fi is a lottery. Some nights you’ll stream 4K, others you’ll fight to load Gmail. With the right toolkit—router cloning, smart tunneling, backup LTE—you can stay productive without begging for IT support. The next time a captive portal sneers “access denied,” smile, flip open your router, and show it who’s really checking in.