School internet blocks any Linux devices, any ideas?

Hello,

The other day I decided I wanted to use Linux on my primary school laptop mainly because I can’t stand using Windows and its awful performance and awful battery performance.

I installed EndeavourOS, mainly because I didn’t have time to do an Arch install and was planning to do one later.

I, a couple of weeks ago, decided to boot up Linux at school and try to use it but I found that after half an hour I wasn’t able to access the internet anymore, so I decided to boot up Windows again since I hadn’t committed to it yet so I was just dual-booting until I realised that I couldn’t access the Wi-Fi from Windows either now. Thought it was weird so I decided to go to the IT department to try to let them figure it out and their network had auto blocked me cause it detected I connected from Linux. I managed to convince them that it must’ve been from grub that made it detect Linux and auto-blocked me.

The system was able to detect that I was running both Linux and Windows, so based on what I’ve been reading it probably wasn’t from the MAC address, I also don’t think it was from the TTL since the TTL on Linux is the same as macOS, which are able to connect fine, and also that it was able to specifically discern that it was Linux and not any other operating system. I haven’t managed to figure out a way to adjust the user-agent systemwide yet, but also haven’t seemed to find anyone else who also has experienced this before. If it helps in any way whatsoever, when I’m connecting from Linux when I’m blacklisted it doesn’t get past configuring interfaces and on Windows it just says cannot connect to the network. I’m just wanting to know all of the ways I could be able to bypass it before I try again, cause I have at max maybe one or two more attempts before they’ll get suspicious that it’s happening so often.

Any help with this would be very appreciated,

Thanks!
EDIT: apologies, forgot to mention that this is a BYOD laptop.

EDIT 2: just thought I’d mention that you can connect a Nintendo Switch to the school internet and have full functionality, you can connect a PS4 to the school network and do game updates and system updates, you can connect an Oculus Quest 2 to the network and do whatever you do on that perfectly fine (others may work but these are the only ones that I know have been tested), but I can’t use Linux. Makes sense.

EDIT 3: Thanks for all of the help! I’ve pretty much narrowed it down to them constantly running nmap scans over all devices on the network and then blacklisting via MAC, I’m going to try some ways that hopefully will stop nmap from detecting my OS automatically, although I’m not sure how successful it’ll be seeing as most articles I’ve seen are very old.

Normally, I would remove this thread as we strictly only support Arch Linux itself.

However, I think you’ve gotten all the answers you’re going to get.

You might also benefit from asking this in /r/linuxquestions.

My own opinion - you mentioned that after using Linux on the network, your Windows install wouldn’t work either. They have likely blacklisted your MAC address.

I would always advise to stick to IT dept policy in schools and workplaces, and not attempt to forge workarounds or hacks. I know it’s your personal machine, but there is likely something you’ve had to sign somewhere that says you agreed to let the IT dept monitor your connections whilst on school premises.

I accept that it’s a VPN with some kind of spyware installed, but that doesn’t change my main point - it’s school policy. You either play by the rules or you don’t play at all. Make your choice.

Many (but not all) network interfaces let you set the MAC address. If it is blacklisting based on MAC (as opposed to pre-approved whitelisting of MACs), then you could use this as a safety net while you figure it out.

The DHCP client also sends an identifier, which could be the trigger for any blocking. Manually assigning an IP address (with the risk of collisions) might help, or forcing a different identifier.

As a general note, some less enlightened institutions might interpret this as a form of unauthorised network access (and crazy ones might involve the authorities), and it is usually up to the institute to decide what is acceptable use or not.

In this light, it might be better to say that you also dual boot or run a Linux VM for a legitimate reason (with a teacher’s backing, ideally), and just get them to whitelist you.

Why did you use an excuse with the IT person? And why would Linux be suspicious? It’s not. Just tell them you’d like to use Linux for educational purposes or whatever other reasons you’re using it and see if they can help you. I can’t see any logical reason a school would block Linux.

As far as I know, no network device is able to read your grub information or any other OS info. Only thing I can think of to allow them auto-detecting OS, is from your browser’s user agent string.

Edit: Mainly commented on OP’s lie about grub (which IT most likely knew was a lie) for discussion’s sake.

Thanks guys for the links, I learnt some new things about the network layer

Is it eduroam? I’ve been through this before. Your device’s MAC address is already associated with a Windows PC, so they deny service to any non-Windows device with that MAC address for security reasons or something. Thankfully, spoofing a MAC address is easy, I was able to do it with a 3-line bash script that I had run on startup. Let me know if you would like me to share it.

Look… as an IT person from a school I do not honestly care two craps what you do. However. I am REQUIRED to have all school devices go through a web filter at a minimum regardless and if your school uses any e-rate money then website logging and a few other “tracking” type things are REQUIRED. When you “bypass” the VPN it only takes one f wade kid to go around showing porn on a school device to open up the school to all kinds of fun lawsuits and federal funding problems.

I encourage students to play on their OWN devices but not the school issued one! Stop making my life hard

Dude use `macchanger` and see if you can access your school network

https://wiki.archlinux.org/title/MAC_address_spoofing

My Linux laptop doesn’t connect to my Uni wifi because their routers are utterly crap, so I connect my phone to the wifi, and start a hidden hot-spot for my laptop

I work for a Uni running eduroam. Mine isn’t hostile to Linux, but it is definitely a second class citizen. I run Linux where I can. I don’t know where you are, but openconnect can probably work for you. Specifically, I use yuezk/GlobalProtect-openconnect (a GlobalProtect VPN client for Linux, written in Rust, based on OpenConnect and Tauri, which supports SSO with MFA, Yubikey, and client certificate authentication, etc.) on top of openconnect for SAML auth. Might be worth the try for you.

I would just point out that while that laptop is yours, and you can do what you want with it, the network and internet bandwidth belongs to the school. If you want to use said network, you have to follow their rules, which are there to protect the school and the other people using their network (it only takes one idiot with bad browser security settings to start a botnet). If you can’t agree to use the software they require, then you need to find some other network to connect to. Maybe they made a bad choice of security software but it’s their choice to make.

Unfortunately I don’t have any solid recommendations to try here that other commenters haven’t already suggested.

Let me just say that your school not allowing you to run the OS that you want to run on your own computer is absolutely ridiculous though.

Since it’s your laptop, you should be able to do what you want. Reading through the comments I noticed that you said you have a negative history with them. There are fair reasons they want you on Windows. However, in my experience IT people generally like messing with tech, and might be willing to help you out with Linux on the network if you are willing to try and make amends with them (not lying about it for starters). The VPN software they require could be possible to access via some third party software, if not their concern is fair, and since it’s their network they can block you. If you don’t mind me asking, what was the nature of the incident that made them dislike you? I have had similar experiences myself.

Don’t ever bother playing nice with them. Unless you are officially forbidden to use the network, you risk nothing.

Use a randomized rotating hardware address (good excuse: privacy, you don’t like being tracked) + a DNS tunnel like the 1.1.1.1 WARP client (good excuse: always works and you had problems with their client!).

Then assign yourself an address from an unused part of the DHCP range (good excuse: they never said it was mandatory to do DHCP requests) and only send DNS requests to the DNS server they advertise in the DHCP offer (good excuse: you are not doing any connection, just DNS queries! If they didn’t want to answer them, they should blacklist IPs until they are given a DHCP lease!)

It will be undetectable except if they try REALLY hard. And that won’t happen in a school - it’s way above the school admin paygrade!

FYI I used a similar setup in uni, except it was right before 1.1.1.1 WARP so I had to do it myself with Linux tools 🙂

What’s the WiFi encryption protocol of your school? I think it’s just because the adapter doesn’t work in Linux.

Reading this I’m just amazed your school is so restrictive. My university did no such things. Porn was allowed and everything!

Carry a wireless network bridge with you, like in your pocket. You could probably even get one that also had the ability to display a small window and allow voice communications.

I’m not sure where you’d pick something like that up though. Unless you live near literally any corner store of any city in the entire country.

Based mod? Impossible

Thank you for not removing it, I realised about an hour or two ago when someone pointed out this definitely breaks rule #1, but if you do remove it I completely understand why

As I mentioned in this comment the school has a client which is ‘required’ (easily bypassed with any tcp openvpn connection), which is one of the reasons why it’s blocked.

I might try manually assigning the network configuration an IP plus any of the other stuff required to connect tonight plus having a spoofed MAC address to see if I still get blocked from the network, hopefully it’ll work.

The extra part you added about unauthorised access is a very good point, fortunately I don’t think my school will see it that way, although they wouldn’t be particularly happy with me on Linux trying to bypass their security.

In the end I think I might end up using Windows or Linux in a VM if this doesn’t work