Sneak past pay-for WiFi with DNS tunneling for Bitcoin

Concept: Many Cisco wireless routers ship with ESSID-Guest networks which are unencrypted and public networks where you are forced to enter a password on a website to be granted full Internet access (also known as a captive portal). Additionally, Starbucks, airports, cruise ships, and many places have pay-for open wireless. The majority of them, however, do not stop a very simple means of utilizing their Internet connection if you have a server on the other side.

The common flaw is that DNS requests are allowed on through to the Internet. And even worse, some allow all port 53 traffic and don't even forward it on to their own local DNS resolvers. One can simply uses the UDP port 53 traffic to encapsulate an IP tunnel, one can VPN out onto the Internet from any of these networks. And of the more restrictive networks enforcing true DNS traffic, some crafty DNS requests/responses can sufficiently create a tunnel of their own, though of course slower.

The fix: If you are designing or have one of these router configurations, deny all traffic and forward UDP port 53 traffic to your resolver. Only let the resolver resolve to set IP addresses to allow for HTTP redirection and what not (assuming you're not handling redirection through your IP stack already). Absolutely do not forward the requests onto the intended DNS servers, unless you are okay with the potential of users bypassing your restrictions altogether. Other blocks are possible, but this is generally believed to be the simplest way. If you have a -Guest network, disable it if possible.

Convenience: These unencrypted open wireless networks are very plentiful. Cracking encrypted wireless networks takes time and often, connecting out through such a DNS tunnel service is simply the fastest way to get online if no truly public/free networks are available.

Disclaimer: does not condone any illegal activity. The information and services provided herein are only to be used within the bounds of law. Illegal activity over this service is strictly prohibited. is not responsibile for the actions of users using this service. All users on a server can currently ping, scan, and do pretty much whatever to other concurrent users of the service. This is prohibited of course, but you must be prudent and trust the security of your machine. The Internet is not a friendly place. Utilizes Iodine as a means of tunneling through such networks to reach the Internet. The traffic is completely visible and unencrypted through the VPN. administrators can see the traffic as well as any routers between, or users snooping on wireless networks. If you require anonitomy and encryption, you will have to utilize another VPN service through this one (which is quite possible if you are handy with networking).

In summary: This service is ideal for power users who want to experiment with this weakness in networks which they own. If you have a server already and port 53 is not in use, your best bet is to setup Iodine on your own. But if you want the simplicity of a ready-made service or port 53 is already in use by an authoritive DNS daemon on your server, this may be a good option.

Signups currently disabled

How to use on Mac OS X 10.8 and 10.7

  • 10.8: Download the Mac OS X 10.8 connection package and follow the instructions in README.txt.
  • 10.7: (Currently untested. Please let me know if it works!) Download the Mac OS X 10.7 connection package and follow the instructions in README.txt.

  • How to use on Linux/BSD

  • ssh Play around in the menu. Generate a 2048 bit RSA SSH key (ssh-keygen) if you don't already have one. Feed it the key.
  • apt-get/yum/pacman/whatever install iodine.
  • Review (meaning, it might not work, might destroy the universe, etc.) and possibly run the bash connection script (uses iproute2; let me know if you want a ifconfig/route/netstat version like in the OS X package above). Proceed once you're connected with Iodine and can ping
  • ssh dns@ If it doesn't work, make sure you're using the key you gave before (ssh -i .ssh/id_rsa, generally). Accounts are given 5MB free bandwidth. After that, bandwidth is 0.001 Bitcoins per GB paid to the Bitcoin address on the account.
  • Reload this page (ctrl+shift+r, bypassing cache), and see if you see both cats at the bottom of the page. If you do, welcome to the Internet! Note that you can see both cats even if you haven't changed your default route and are connected via Iodine, if on a network that does not block such traffic normally. Review your routing table to be sure (ip ro/route).

  • More detailed steps for Linux if you haven't read enough already:

  • To register your account, ssh As the username implies, no password is required. Play around with the interface for a bit. You will need to generate a 2048 bit RSA SSH key (may already have one as your default, it's a pretty common default key standard). This can be done with ssh-keygen. DSA and keys of other bit lengths will not work. In the register section of the menu, paste in the key *after* the "ssh-rsa " bit, up until the end before the optional user@host comment section. This is exactly 372 characters/bytes long if you've done it properly. If it's not perfect, it probably won't work. The key input code is pretty picky.
  • Download Iodine. You can install this through your distribution's package repository, or compile it from source from Iodine's website.
  • Download and review (do not run!) this bash connection script. Make sure you understand it fully. It may conflict with DHCP clients, Network Manager, and a plethora of other services (although it'll probably be fine). You'll need to be root to utilize the script.
  • If you understand what you have done so far, you know that you can connect without overriding your default route to the Internet ( Once connected by running Iodine, try to ping and make sure you can reach it. Check out this webpage via the server's internal IP address: If you can see the grey cat at the bottom of the page, you should have the potential of reaching the Internet through the service.
  • Once you've sorted out your key, SSH with to dns@ You'll see some text that refreshes every 15 seconds. Press q or ctrl+c to quit. Most important is the Bitcoin address. The service charges by the byte sent to your IP addresses, with some iptables magic. Approximately, the rate is 0.001BTC per GB. This means 1BTC is 1TB of transfer. Thus, you may have the best bet starting your own server with Iodine if you intend on running over 50GB or so a month (at least, for cost effectiveness). Minimum suggested payment is 0.2 BTC. New accounts start with 5MB free transfer, so you don't even need to touch Bitcoin until you've used up your 5MB.
  • When you're ready (and keep ssh dns@ open!) change your default route to go through You should have full IPv4 Internet connectivity. Checkout Google and your favorite sites. Also verify with canhazip (unrelated), that your IP address is Refresh this page (being sure to bypass cache) and make sure you can see both of the cat pictures.
  • Now, hopefully all of this will work as planned in the "wild" on a real network where you really need it. Save the script and follow about the same order. You can always view this webpage from inside the tunnel via its IP address.

  • Downloads and specifics

  • Iodine source: MD5: a15bb4faba020d217016fde6e231074a
  • Iodine for Windows (untested, let me know if it works!): MD5: a201bc3c2d47775b39cd90b32eb390e7
  • Connection script in bash.
  • Mac OS X 10.8 connection package.
  • Mac OS X 10.7 connection package.
  • Bandwidth is 0.001 BTC per GB. Accounts start with 5MB for free.
  • No IPv6 connectivity through the VPN at present.
  • Shameless plug for listing things for sale accepting Bitcoin.
  • If you're new to Bitcoins.
  • For more details on how Iodine works.
  • source code

    Iodine has been updated to 0.7 on the server. May not be backwards compatible. Send me an email at sega01 & if you have any problems, questions, or feedback.

    Bitcoin address to QR code for phones

    Use a Bitcoin app on your phone? Enter your Bitcoin address (the one shown by ssh here and then scan it via your phone's camera.

  • Not on the VPN. No grey cat for you!

    Not on the Internet. No black cat for you!