How to circumvent the free Wi-Fi content filter, for fame & profit

I’m very grateful for the free Wi-Fi on the train, the coffee shop or the municipal free Wi-Fi, but the content filter they have on their proxies is sometimes really weird – for example it may blocks one of my favorite podcasts website (the Jupiter Broadcasting network) under the category “streaming media” even though they don’t actually host their video files, but they do let through YouTube and Facebook (where most cat videos are posted these days). So apparently Israeli Rail has an aversion to streaming media so they won’t let me send an email to a small podcast, but I can watch all the cat videos I want. Weird. Also, most VPN services are blocked by default, so no help will be coming from that way1.

So, to fix that, here’s a small workaround using an external proxy – this is rather simple, but it does assume you have all kinds of tools that most users won’t have just lying around – but if you’re a Linux geek you should do just fine.


  • A remote server you have access to over SSH. Best to connect to your home DMZ server, which is on your residential broadband, as from there you can do all your “gray area” browsing, but any server you don’t mind abusing for proxying your browsing will do.
  • A local SSH client that supports SOCKS proxying. I’m using OpenSSH in the examples below, but if you *have* to run MS-Windows, then PuTTY also supports this, though they call it “Dynamic Tunneling” – see this blog post for details.
  • A browser plugin to help jump from standard configuration to the proxying mode – otherwise you’d have to manually update the browser settings each time you go on the train, and that is a hassle. I use Toggle Proxy for Firefox.


If you have your SSH server and have credentials to, nothing more needs to be done before you get on the free Wi-Fi. Everything else can be gotten online once your ready to go2.

Firefox setup:

This is how I do it on my main browser, if you use Chrome or something else and want to submit instructions for that – the comment area is open for you 🙂 . This is basically the most difficult part of the setup, and I mostly complicate it by using an extension for ease of management. If you just want to see if it works, just go to Firefox Network Connection Settings and set your SOCKS proxy as “localhost:1080”, and skip to the next section.

  1. Installing Toggle Proxy (the link above should have an “Add To Firefox” button)
  2. From the Firefox Add-Ons screen, select Toggle Proxy and click “Preferences”: Toggle Proxy Add-On
  3. In the preferences dialog, make sure to have the first toggle as “Manual Proxy configuration”. The second toggle can be useful for “automatic detection” if you ever go into a network that uses that:
    Toggle Proxy Preferences
  4. Select “Customize” from Firefox’s menu, and drag the Toggle Proxy button to somewhere where it is accessible. I like to put it to the right of the “Add Tab” button, so it is out of the way of my other extensions but is still easily found – though the icon for “No Proxy override used” is a generic “close” icon, so that’s a bit confusing:
    Toggle Proxy Add-On Button
  5. Open Firefox Preferences dialog, and select “Advanced”, then the “Network” tab, and click on “Settings” under “Connection”:
    Firefox Network Preferences
  6. In the Connection Settings dialog, select “Manual Proxy Configuration”, then leave all settings empty except the last – “SOCKS Proxy” and set it up as “localhost” and port “1080”:
    Firefox Connection Settings

Get it working

When you are fed up with the free Wi-Fi content filter, open a terminal and run:

ssh -D 1080

Go to Firefox and enable using the SOCKS proxy by clicking the Toggle Proxy button. That should be it – now when you try to access a website, Firefox will route the request through your SSH server and completely circumvent the Wi-Fi proxy.

When you are done, log out from the ssh session and disable the Firefox proxy override. Note that Toggle Proxy has two override settings, so to enable the first “toggle” you click the button once, and to go back to the original settings you have to click twice.

  1. I’ve checked the OpenVPN ports are blocked, as well as all web-based proxies I could find, such as FoxyProxy and Hola. I’ve encountered in the past a weird VPN software that does not use standard UDP or TCP sockets, but instead using GRE packets and I have no idea if that would work, but I’m assuming it won’t as well. []
  2. assuming the free Wi-Fi you are on is not blocking software download sites such as your Linux distro’s repositories or Mozilla’s Add-Ons website []

5 Responses to “How to circumvent the free Wi-Fi content filter, for fame & profit”

  1. Amir:

    For those of us who use 018 Xfone or otherwise don’t have a public IPv4 address for their SSH server, Tor is the answer.

  2. Oded:

    The free Wi-Fi networks I’m on usually block standard VPNs and most anything that they can’t proxy (notable exceptions are HTTPS and surprisingly – SSH, which is required by this hack, but its now more and more commonly used by data workers so it kind of make sense).

    I haven’t tried TOR, but to my understanding it relies on non-HTTPS ports 9001 and 9030 for some traffic and will not work well (or at all) if those ports are blocked.

    You really don’t have a publicly routed IPv4 when using Xfone? I wouldn’t accept that from a carrier. Do you at least get a public IPv6?

    • Amir:

      Yeah, I was shocked to discover that as well. They implement the NAT444 model, so I do get a public IPv6 /60 subnet for all the “internet of things” in the house. But they had to do it wrong in some way, so it’s dynamically allocated and keeps changing. (I tried to ask for static, reply was I need to pay for static IPv4 to get static IPv6 as well – stupid, but I did not have the patience to argue.)

      As for Tor, it has many different ways to connect, that are designed to circumvent many different ways to block users, and both are constantly evolving. I find it hard to believe that a bus company is ahead of the Chinese government on this front. 🙂

      • Oded:

        Good point :-p

        A. Good on them to provide IPv6. I think that’s the model all ISPs should move to (though I like my static IPv4 and I cannot lie)
        B. But the whole point of IPv6 is that there are so many IPs that they are cheap enough to assign them statically by default.

  3. Oded:

    Update: the main captive-portal censoring Wi-Fi that I use – Israel Railways – has stopped allowing SSH access through their network (could their admins be reading my blog?).

    The workaround I use now, is to set up SSH through an Apache proxy running on my web server using TLS (because you can’t directly proxy through the plain HTTP transparent proxy run by the railways free Wi-Fi – if only life could be that easy). This is mostly based on the article here: , but I’ve had to change a few things and jump through a few additional hoops so I’ve documented the process in my own article here:

Leave a Reply