How to get free, unsurveilled internet at Turkish airports and public spaces

Have you noticed how many WiFi access points in Turkey require ID or phone numbers? The Turkish Internet Law (Law No. 5651) makes every public Wi-Fi spot (airports, coffee shops, hotels) a mandatory surveillance point. The law requires these places to keep detailed logs of your internet activity, linked to your ID, for up to two years. However it is shown again and again in court cases that the providers have retained logs for over a decade! Essentially, if you use public Wi-Fi in Turkey, your browsing history and identity are recorded and can be accessed by the government, allowing authorities to easily trace a person’s identity and their specific online activity, which leads to a chilling effect on free expression and association due to the constant threat of monitoring.

Apart from the privacy nightmare, it is simply backwards to extort travelers and tourists like this. Luckily, there is often a way to bypass these captive portals without supplying PII and it’s through DNS.

Businesses and municipalities invest into proprietary solutions like the one above whose whole selling point is that they run tcpdump and save the output in a centralized repository. Oh gee, I wonder what would happen if they got hacked… Sometimes these solutions allow traffic to other DNS servers such as Cloudflare. In this instance, only traffic to the default DNS server distributed via DHCP was permitted.

[siren@susasus ~]$ dig TXT rastersec.com +short @4.4.4.4
;; communications error to 4.4.4.4#53: connection refused
;; communications error to 4.4.4.4#53: connection refused
;; communications error to 4.4.4.4#53: connection refused

; <<>> DiG 9.20.13 <<>> TXT rastersec.com +short @4.4.4.4
;; global options: +cmd
;; no servers could be reached
[siren@susasus ~]$ dig TXT rastersec.com +short @1.1.1.1
;; communications error to 1.1.1.1#53: connection refused
;; communications error to 1.1.1.1#53: connection refused
;; communications error to 1.1.1.1#53: connection refused

; <<>> DiG 9.20.13 <<>> TXT rastersec.com +short @1.1.1.1
;; global options: +cmd
;; no servers could be reached
[siren@susasus ~]$ dig TXT rastersec.com +short
"google-site-verification=Gn1oiQHbDuYQ-lcSqDDrZlrcxKfW1VJ89QK1ZPKDkVU"
"v=spf1 mx -all"
[siren@susasus ~]$

Set up a DNS tunneling server (Iodine)

Before your travels, set up Iodine and save any credentials you need to connect to it. The steps may look like this if you’re on a RedHat Linux variant:

#!/bin/sh
dnf group install 'Development Tools' -y
dnf install net-tools -y
git clone https://github.com/yarrick/iodine.git
cd iodine
git checkout tags/v0.8.0
make -j
make install
mkdir -p /usr/local/lib/systemd/system
install doc/iodine-server.service /usr/local/lib/systemd/system/iodine-server.service
sed -i 's/syslog/journal/' /usr/local/lib/systemd/system/iodine-server.service
sed -i 's/\/bin\//\/sbin\//' /usr/local/lib/systemd/system/iodine-server.service
install doc/iodine-server.socket /usr/local/lib/systemd/system/iodine-server.socket
systemctl daemon-reload
cat > /etc/sysconfig/iodine-server << EOF
OPTIONS='-P password 10.6.0.1 your.domain.tld'
EOF
systemctl enable --now iodine-server.socket

It’ll be funny as fuck if we find out ssh.gay is banned by the gov/providers as a duct tape fix. Fear not, we have more GAY!

Find an AP and connect for free

You can connect to the Iodine server and access SSH on the same server, which has unlimited internet.

The latency might be a problem, try Mosh. You can go one step forward and deploy a VPN/proxy on the server. So you can route all of your traffic through it over Iodine. Or simply create a good old SOCKS5 proxy by using the ssh -D (dynamic tunnel) option. I recommend choosing no encryption (HTTP proxy) or light encryption (SOCKS) if you go with the VPN/proxy route as Iodine can be slow and it has some limitations.