How to Use a VPN at Hotels

Hotel Wi-Fi has two moods: weirdly permissive or allergic to VPNs. I've slept in both kinds of rooms. Here's the workflow I use to make sure my VPN stays connected—from budget hostels with captive portals to five-star hotels with aggressive firewall rules.

Photo: Unsplash / NASA

Gear Prep

• Travel router: GL.iNet Slate AX (recommended) or Beryl. Preload WireGuard and OpenVPN configs before the trip.
• VPN providers: Keep at least two (Mullvad + Proton) in case one is blocked.
• Backup: Cloudflare WARP app on phone and laptop for stealthy fallback.
• Captive portal credentials: A stash of burner emails/phone numbers.

Step 1: Authenticate Without the VPN First

1. Connect phone to hotel Wi-Fi, complete captive portal login.
2. Clone the MAC address to your travel router (GL.iNet > More Settings > MAC Clone).
3. Connect router to hotel Wi-Fi using the cloned MAC.
4. Once connected, enable the VPN on the router.

This sequence prevents captive portals from repeatedly breaking your tunnel.

Step 2: Choose the Right Protocol

| Scenario | Protocol | Notes | | --- | --- | --- | | Hotel allows UDP | WireGuard | Fast, efficient. Use ports 53, 123, or 51820. | | UDP blocked, TCP open | OpenVPN TCP 443 | Looks like regular HTTPS traffic. | | Both blocked | Cloudflare WARP or Outline VPN | Uses proprietary obfuscation, often slips through. | | Captive portal won’t release | Temporarily disable VPN, login, re-enable with auto-connect. |

Step 3: Configure Split Tunneling (Optional)

If the hotel streaming service needs local IP while work apps need VPN, use policy-based routing.

• On GL.iNet, go to VPN > Policy.
• Enable “VPN Policy Mode.”
• Add MAC address of your Apple TV/Chromecast to bypass VPN.
• Keep work laptop routed through VPN.

Step 4: Handle Throttling

Some hotels throttle VPN traffic to dial-up speeds. Countermeasures:

• Enable MSS Fix (OpenVPN) set to 1450.
• Limit MTU on WireGuard to 1300 (MTU = 1300 in config).
• Schedule heavy uploads between 2 a.m. and 6 a.m.
• Use compression sparingly; modern VPNs usually disable it to avoid VORACLE attacks.

Step 5: Stay Connected

• Turn on Auto Connect on Boot for your VPN client.
• On GL.iNet, enable Block Non-VPN Traffic to prevent leaks if the tunnel drops.
• Add a health check cron job:

*/10 * * * * ping -c 3 1.1.1.1 > /dev/null || /etc/init.d/wireguard restart

• Keep router powered by a battery pack during room cleanings so staff unplugging outlets doesn’t kill your session.

Real Example: Marriott Singapore

• Captive portal required room + last name.
• Cloned phone’s MAC to GL.iNet.
• Logged in once, then re-enabled WireGuard (Mullvad, port 123 UDP).
• Speed held at 80 Mbps for two Zoom calls.
• Apple TV bypassed VPN for Netflix using policy routing.

Troubleshooting Cheat Sheet

| Symptom | Fix | | --- | --- | | VPN connects but no internet | Check DNS settings, ensure “Use VPN for all clients” enabled. | | Captive portal keeps appearing | Disable VPN, log in, clear cookies, re-enable VPN. | | Tunnel drops every hour | Increase keep-alive (PersistentKeepalive = 25 in WireGuard). | | Hotel blocks router | Use phone hotspot + USB tether to router, or switch to Ethernet if available. |

Security Bonus Tips

• Change Wi-Fi password daily; hotel staff sometimes share login with other guests.
• Disable UPnP on router to avoid unsolicited inbound connections.
• Log router events (System > Log) and review for anomalies.

Final Thoughts

VPNs and hotels can coexist peacefully with a little rehearsal. Bring your own router, know multiple protocol tricks, and treat captive portals as hurdles—not brick walls. Once everything is dialed in, you get to enjoy a secure connection while the rest of the floor argues with the front desk about their “broken Internet.”