War Story: Tunneling a WiFi only device thru VPN
This was an interesting problem that I have encountered a couple of times so far when using some devices that had only a WiFi connection.
We wanted these devices to use a VPN so that we would be able to access resources that are limited only to certain geographical regions, or some that are only limited to the internal VPN.
The problem was the fact that we were dealing with devices like TVs and set-top boxes whose OS we didn’t have access to, so running a VPN directly from the system was not possible.
Also for devices that had an ethernet port, we already had a solution for it by setting up the VPN on the machine and sharing the connection through the ethernet cable to the devices, as it is nicely described in https://www.cesariogarcia.com/?p=611
A router with a VPN set on it probably would’ve solved our problems, but in some cases, we didn’t know if it would work. We had a case where we weren’t sure if the TV’s smart panel was geo-restricted to the US only and if that was the reason why we were unable to log in. Also, even if we were certain that it was a geo-restriction issue that we were facing, we weren’t sure if certain VPN providers might not be blocked.
It would’ve been hard for us to justify the expense unless we were sure that it would work so we needed to find a way to reproduce this with only the equipment that we had.
First failed attempt: Hotspot from the phone
First, we decided to use a VPN on the phone and then turn on its hotspot. Once the device was connected, the assumption was that the TV would be tunneled through the VPN service. Unfortunately, we were still not getting any service. I decided to connect my laptop to the phone hotspot and, after checking on the IPLocation page, it was true: my geolocation was still showing my city instead of New Jersey, US as I had it set on my phone. Checking the same page from my phone, the geolocation was displaying New Jersey, US…
This got me confused. What is going on here? The phone in the middle already has access to the internet through the VPN with the correct geolocation. If it shares the network through a hotspot with another device, the traffic should be tunneled in such a way that those devices use the same geolocation, right?
I thought it must be some phone-specific behavior that I was unaware of…
I was wrong.
Second failed attempt: Hotspot from the laptop
As my first assumption was that it must be some phone-specific problem where the VPN wasn’t correctly redirecting traffic through the hotspot, I wanted to check the same setup, but this time with a laptop instead of a phone.
I connected the laptop using an ethernet cable to the network, turned on the VPN, turned on the hotspot, and connected the TV with the hotspot of the device.
I checked the geolocation on my laptop and it is looking good, New Jersey, US!
Unfortunately, my dream of having the TV connected to the US was quickly shattered again…
The TV was still not loading and after connecting my phone to the hotspot I could confirm the geolocation was not pointing me to the location that I had previously set…
So this didn’t look like an issue related only to the mobile hotspot, nor an issue with the source of the network, as both ethernet and WiFi were giving me the same result with my setup.
It meant only one thing…
I needed to learn what was going on.
On a search for the problem
While I was on a search for my issue, I stumbled on this ExpressVPN page saying:
If you’re connected to a phone that’s been turned into a hotspot, use a VPN on both the phone and the device you’re connecting to it
So this concluded my previous failed attempts: the VPN will not work out of the box for the devices connected to the hotspot.
After a long search, I was able to understand a bit why my issue was happening. This is a very simplified version of what was happening, as I lack the technical knowledge to explain in depth the establishment of the hotspot network and VPN on a deeper level.
When the hotspot is started, it acts as a WiFi router (surprise, surprise), and a local network is created to which devices can connect.
But when a VPN is started, the device that initializes the connection is the phone and not the hotspot network. So even though both live on the same physical device, only the traffic from the phone will be tunneled through and not the one from the hotspot network.
In the image below we can see the visualization, where the red lines display the non-tunneled connection and the blue lines display the tunneled connection.
So with that being said, I decided to do one final test.
Success at last
With the newfound information, it was time to build probably the most over-engineered setup for this problem.
What I did was:
- I took one laptop that was connected to the WiFi and was connected to the VPN as well
- Shared the network connection over to a second laptop using an ethernet cable
- On the second laptop I switched on the hotspot. Now the hotspot will connect to the device that is tunneling the network traffic through the VPN
- Connected the TV to the hotspot of the second laptop
In the image below we can see the visualization where the blue lines display the tunneled connection.
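A simplified model of both the hotspot explanation and the two-laptop setup above, added here as an example and not taken from the original post. It treats each host as a Linux-style policy-routing rule list in which the VPN rule matches only locally generated traffic and the hotspot rule forwards clients by incoming interface. Interface names, priorities, UIDs, and the assumption that the first laptop's ethernet sharing is bound to its VPN adapter are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    priority: int
    out_if: str                    # interface that matched traffic leaves on
    uids: Optional[range] = None   # matches locally generated traffic only
    iif: Optional[str] = None      # matches traffic forwarded from this interface


def egress(rules, uid=None, iif=None):
    """Return the egress interface chosen by the first matching rule."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.uids is not None and (uid is None or uid not in r.uids):
            continue               # forwarded packets carry no local UID
        if r.iif is not None and r.iif != iif:
            continue
        return r.out_if
    raise LookupError("no matching rule")


# Constructed rule sets (illustrative values, not captured from real devices).
APPS = range(10000, 20000)
HOTSPOT_HOST = [                   # phone or laptop running VPN + hotspot
    Rule(100, "tun0", uids=APPS),  # VPN captures the host's own apps
    Rule(200, "wan0", iif="ap0"),  # hotspot forwards clients to the physical uplink
    Rule(900, "wan0"),             # default route
]
LAPTOP_1 = [                       # VPN host sharing over ethernet (assumption)
    Rule(100, "tun0", uids=APPS),
    Rule(200, "tun0", iif="eth0"), # sharing is bound to the VPN adapter
    Rule(900, "wan0"),
]
LAPTOP_2 = [                       # no VPN; its only uplink is the ethernet cable
    Rule(200, "eth0", iif="ap0"),
    Rule(900, "eth0"),
]


def tv_path_single_host():
    """TV joins the hotspot of the same device that runs the VPN."""
    return [egress(HOTSPOT_HOST, iif="ap0")]


def tv_path_chained():
    """TV -> laptop 2 hotspot -> ethernet cable -> laptop 1 -> VPN."""
    first = egress(LAPTOP_2, iif="ap0")
    second = egress(LAPTOP_1, iif=first)   # arrives on laptop 1's eth0
    return [first, second]


if __name__ == "__main__":
    print("host's own browser:", egress(HOTSPOT_HOST, uid=10123))
    print("TV via same host  :", tv_path_single_host())
    print("TV via two laptops:", tv_path_chained())
```

A path that ends on `wan0` leaves untunneled, which matches the geolocation results seen from hotspot clients in the two failed attempts.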
After struggling all day to have the TV connect to the geo-restricted region, finally seeing it working filled me with a sense of accomplishment and relief, knowing that my persistence paid off.
With that, I was certain that a router with the specific type of VPN provider would handle our needs.