On train wifi with different Train Operating Companies (TOCs)

[whole diary]

[BerkshireBugsy]

Ok this is more of an IT question rather than anything else but I wondered if anyone here has ever used on board wifi (particularly on east coast and virgin) enough to make a comparison of the service they offer.

I know that to a large degree the quality in terms of performance will vary according to factors which may mean a comparison is invalid.

If anyone knows details of how this service is delivered I would be curious to know how it works. For example is there a local proxy server on board that manages authentication and charging or is there effectively nothing on the train apart from wifi hotspots which call home via a VPN?

I'm not trying to hack this...I am looking at a problem with VPN access whilst on board

I can think of at least two members who may use these services

[ChrisB]

As far as I am aware, it's the latter - hotspots on board calling home (via mobile networks) via VPN.

Use East Coast & Virgin enough to compare against Chiltern whom I use daily. And Chiltern are the worst - but it's not really their fault. Being more of a rural trundle between towns, rather than through built up areas like Virgin particularly, the mobile signal coverage is patchy once outside London. No 3G signal, no wifi bandwidth.

But why TOCs^▸ (Train Operating Company) don't provide this info which explains why it's patchy, I really don't know.

More info than you could ever need here as to why it'll never improve too.

[SandTEngineer]

A few months ago I used both EC and VTWC and had very little trouble (even when passing through tunnels).  In my (non IT) eyes they both seemed acceptable to a general user.

[Southern Stag]

The East Coast wifi used to be very slow when it was free, but I guess it may have improved now there is a charge for it. I've used the EMT^» (East Midlands Trains - about) wifi several times and found that to be generally pretty fast.

[thetrout]

* Long and Technical Post Alert *

They block VPN services BB. There is one way around it which is perfectly "legal" however it is using OpenVPN and requires very specific configuration on the server you're setting up. However this still may be susceptible to being blocked.

They also block media streaming services such as YouTube and Grooveshark. The latter being a music streaming service and can in theory run at 64KB/s

I'm not 100% sure how the differential works between First and Standard Class. I believe it is to do with the MAC Address of the associated access point you're using. I joined my Mobile Phone to the XC^▸ (Cross Country Trains (franchise)) WiFi in First Class (Free) and found it worked reasonably well for e-mails. But some of my Apps didn't work. I went to the toilet during the journey and had to use a toilet in coach F as the others were all broken Whilst queuing I noticed I was still receiving e-mails. However that may have been the secondary 3G signal. It appeared my phone was still connected to WiFi however.

The system in my eyes is open to abuse if you know exactly what you're doing. There is nothing stopping you sitting in Standard Class next to a First Class carriage and forcing association with an Access Point in First Class. That does require a very specific piece of software and skill set to do, of which for obvious reasons I won't post here!

Personally I have used various TOC^▸ (Train Operating Company) WiFi Services and have always argued in detail on this forum that it should be provided, however my views now as technology has evolved have changed considerably. Personally even if WiFi is available, I tend to use my own 3G built-in modem in my laptop. No restrictions in terms of VPN and although I have had alot of problems with Three Mobile customer service lately, I cannot fault the coverage when it works.

I am also not sharing a small handful of 3G modems with an 8, 9 or 11 carriage train. I am using my own which is shared with, err, no-one. (Unless Ladyfriend trout and/or coolsecretspy are leeching off my laptop... ) Of course I am sharing a mast with hundreds of others. But not say 20 laptops/cell phones on 1 connection.

Just to give you an idea of a typical journey between Bath Spa and Frome. Drops out normally in 2 places in the 40 minute journey. 1 place just after Avoncliff where it drops for any network. The other being the Bradford Tunnel. There are places where it can occasionally drop out. But if reading posts say on the Coffeeshop, chances are I won't notice it.

Also using the Three Mobile on the same journey, I have successfully managed to use Remote Desktop Connection to do administration on servers. Drops out and lags occasionally, but it is more than usable

BB if you want my advice, invest in a built in 3G Modem and whack a SIM Card inside and use Windows 8. Windows 8 keeps a consistent connection and when it drops and then finds the signal again, automatically reconnects. If using OpenVPN or Hamachi that'll automatically reconnect too! Alot of people have frowned upon Windows 8, it takes a while to get used to but personally I have found it brilliant.

Also next time you use Virgin Trains WiFi, take a look at Terms and Conditions of use. They set a fair usage limit of 40MB (Yes, fourty!) and also state several rules which are actually unenforceable based on their wording.


As an aside, I have used McDonalds Free WiFi before which has an awful content filtering system provided by Mumsnet. The insane thing about it is I was unable to read an article about Train WiFi nor access a PDF document on OfCOM's website.

Just for a laugh I visited thepiratebay. It let me onto that straight away without a problem

OpenVPN when set in certain ways will completely bypass those restrictions though... In fact in Subway in Bridgewater which blocked access to Facebook, I was using my VPN to do some work and of course checked my Facebook in a spare 5 minutes. The staff were less than impressed that I had overridden their restriction and demanded to know what I had done so they could "report me" Unknowing it was blocked as I was using that very VPN connection to do some work on my at the time employers server, I told a white lie to save an argument and stated I was tethered through my phone... Fortunately the staff member took the bait


Mods if you feel my post is touching on the rules and good nature of the forum, please move to FP or let me know if you want me to edit/remove anything.

[Red Squirrel]

BB if you want my advice, invest in a built in 3G Modem and whack a SIM Card inside and use Windows 8. Windows 8 keeps a consistent connection and when it drops and then finds the signal again, automatically reconnects. If using OpenVPN or Hamachi that'll automatically reconnect too! Alot of people have frowned upon Windows 8, it takes a while to get used to but personally I have found it brilliant.

...or 4G of course! I don't bother with public access points, I just tether my laptop or iPad to the S3 and Bob's my uncle... then again, I spend most of my time in 4G-enabled areas; YMMV^▸ (Your Method/Mileage May Vary).

MicroApple products do seem better than droids at access point handover; droids hang on like grim death to the first AP they find.

[thetrout]

...or 4G of course! I don't bother with public access points, I just tether my laptop or iPad to the S3 and Bob's my uncle... then again, I spend most of my time in 4G-enabled areas; YMMV^▸ (Your Method/Mileage May Vary).

Indeed. This was the speedtest I acheived in East Croydon Station on 4G a week or two ago. My closest 4G area is Bristol, so I normally benefit from HSPA+ (Essentially glorified 3G) at most. Trouble with EE is that if you end up in the legacy area of GRPS, you'll drop to that and then the data is practically useless for anything more than a text based e-mail. GPRS^▸ (General Packet Radio Service) was good when it was born but is now way beyond it's usable life.



Admittedly the mast was on top of this big tall building however, I had line of sight to the darn thing and you can see where I was stood on Platform 1 in relation to the mast.



I found tethering to be quite restrictive on my i Devices and sometimes it was a faff to set up. I certainly would not advise doing it on Vodafone! If you're tethering and somebody calls you, it drops the Data Connection to receive the call. (My experience anyway).

I occasionally use Public AP's purely to save on my Data, (Being an IT Tech I use alot!) I normally only use a select few that I know are going to work and are of acceptable speeds.

MicroApple products do seem better than droids at access point handover; droids hang on like grim death to the first AP they find.

Thats very true. Droids are better at distinguishing between stronger signals and knowing when to use 3G instead of 4G for example. I found this particularly useful if you were just between a 3G and 4G mast range. In some respects when on a phone call and swapping between cell masts, that is no bad thing and can occasionally keep a call going that would otherwise drop.

Also Three Mobile are eventually launching 4G. They share alot of masts with EE. I'd be interested to see how well it works after launch, Three also plan not to charge for 4G upgrades and will process them automatically whilst keeping their unlimited data plans in service!

However bear in mind these masts are only as good as the backhaul fibre optic links behind them and how many are using the same mast.

Cell Data in Somerset has recently been rather poor. Not unusual when Glastonbury Festival is being set up and it gets worse when all the thousands of punters turn up. Even though the Mobile Companies erect temporary masts, it still jams up the cell networks to the point where it can cause calls, SMS or Data connections to fail or suffer substantial delays and/or latency!

[BerkshireBugsy]

Many thanks to you all for taking time to reply . I must admit as I have a reasonable usage allowance on my separate mobile and iPad contracts I don't bother with on board wifi and really this post was triggered by an issue at work with some IT illiterate users having problems connecting through a VPN tunnel (no pun intended) back to the office.

TT are you aware of which TOCs^▸ (Train Operating Company) block VPN access through their on board wifi? I'm not sure I understand how they differentiate between hhtps and VPN traffic given that they are both and they both hit the on board wifi on TCP port 443.

Once against thanks guys - you've delivered the goods again !

[Worcester_Passenger]

I'm not as tech-savvy as The Trout, but I do travel around a lot and use wifi on Virgin West Coast, on East Midlands Trains and on FGW^▸ (First Great Western)'s own 180s.

I use a laptop which has a Wifi connection plus a SIM card inside it that connects me to Orange's mobile network. The laptop is used for software development, so a lot of the time I don't need to talk to the outside world - I can just sit there working away in my own bubble. But ... the software involves processing quite a lot of data  and I need to read files which can range from 5MB to 500MB. Some of those can turn up as attachments to emails; the bigger ones are difficult to access when I'm on the move. OK, they can be zipped to a smaller size (there's often a lot of redundancy in the data) and accessed via a VPN link to the company that I often work with - but I try to avoid doing that with the big files when I'm on the train.

I studiously avoid using EMT^» (East Midlands Trains - about)'s wifi - my usual journey with them is from Leicester to Bedford and I don't think it's worthwhile to pay their access price. I think that's something like ^4 per journey.

On Virgin West Coast, I'm usually travelling with them from Birmingham to Preston on a Voyager. During school holidays I'll bite the bullet and pay for First Class (I've got an incredibly complicated ticket split that involves five tickets from Worcester to Preston), which gives me free access. The rest of the time it's best to aim for coach D, which is the standard one with tables in it (question - why weren't the Voyagers designed like this to begin with?). Since Virgin sometimes designate this coach as First, the Wifi is free in this coach.

The Wifi in FGW's 180s is fine (and free). And there's tables and sockets.

The only problem that I do have is sending emails over the Wifi - depending on who is running it, I get grumpy messages about not being able to forward emails over their network. It is possible to make this work if you resort to a webmail page, but do I find this quite a faff by comparison with simply opening Outlook. So sometimes it's better not to connect to the on-train Wifi and just rely on the SIM connection. If The Trout came back to me and told me a better way of doing this, then (1) I'd not be surprised and (2) I'd be grateful! 



I can do the VPN link reasonably happily over train's

[thetrout]

The only problem that I do have is sending emails over the Wifi - depending on who is running it, I get grumpy messages about not being able to forward emails over their network. It is possible to make this work if you resort to a webmail page, but do I find this quite a faff by comparison with simply opening Outlook. So sometimes it's better not to connect to the on-train Wifi and just rely on the SIM connection. If The Trout came back to me and told me a better way of doing this, then (1) I'd not be surprised and (2) I'd be grateful! 

Easy one that one

Not exclusive to On-Train WiFi either. Some major ISPs do this too.

Outbound E-Mail runs over port 25 (SMTP). Which is blocked by some ISPs including On-Train WiFi providers. This is for a variety of reasons but the main one being the Spam related issue from Dynamic IP Address pools.  I can explain the technicalities of this. However it's probably best to explain the fix.

If you send outbound e-mail to your ISP via SMTPS (Secure SMTP) or SMTP with TLS (Another Secured SMTP service) this uses a different point, normally 465 and 587 retrospectively. These ports are not restricted by the ISP and you can send e-mails via this method anywhere you are.

I have a customer who needed to send e-mails via a Broadband Connection and also via 3G but they found one or t'other work work, never both. A provided a solution which allowed them to route e-mails via port 587 on one of my Microsoft Exchange servers.

I don't know who your provider is for e-mail. However if you want to post it or PM me I can post the fact sheet showing how it's done. Here is the GMail article for example. https://support.google.com/mail/troubleshooter/1668960?hl=en&rd=2#ts=1665119,1665162

I've also seen an employee (I know them personally) in an EE Mobile store tell a customer that sending e-mail via SMTP was not possible and there was no way to allow this. Very, very ambiguous advice that one. If customer was using VPN on their phone then it *may* work. The look on her face when I told her there was a fix and showed her the GMail article was a picture. Her comment next was "Well that's not in the training" Needless to say I opened a tin of worms for myself on that one. She asked me to find the articles for all the major ISPs so she can help future customers. EE block port 25!!

TT are you aware of which TOCs^▸ (Train Operating Company) block VPN access through their on board wifi? I'm not sure I understand how they differentiate between hhtps and VPN traffic given that they are both and they both hit the on board wifi on TCP port 443.

I'll come back to you on that one... I need to dash and that one will take a while to explain.

TTSTTFN

(thetrout says ta ta for now)

[BerkshireBugsy]

TT I think I may know why VPN tunnels can be blocked - I think is because they use additional ports tat are not used in pure SSL^▸ (Short Swing Link bogies (125))/HTTPS - I can't remember what they are now but think that is how it is done

Once again thanks to everyone for your input.

[thetrout]

TT I think I may know why VPN tunnels can be blocked - I think is because they use additional ports tat are not used in pure SSL^▸ (Short Swing Link bogies (125))/HTTPS - I can't remember what they are now but think that is how it is done

Once again thanks to everyone for your input.

That is true, but not quite true if using OpenVPN like I do. There is an article here: http://community.spiceworks.com/topic/172990-how-users-bypass-your-content-filtering-solution which covers the method used to exploit the HTTPS port by non HTTP over SSL traffic. OpenVPN by default uses port UDP: 1194. However you can configure it to use TCP: 443. In my rebellious teenage years at college, I used this very exploit to get around the Content Filter at college. But the content filter was so restrictive I could not access my e-mail account (They did not provide one either) nor could I book rail tickets which was a disaster for me. When I discovered I couldn't load the pictures in the Cisco CCNA Exams I decided enough was enough and VPN'd my way around.

This 'exploit' still works today, but some systems have got much better at detecting it and preventing. This in it's own right allowed further exploits. However that is NOT something I am going to cover here. Because the methods are "questionable" at best...

[Worcester_Passenger]

Outbound E-Mail runs over port 25 (SMTP). Which is blocked by some ISPs including On-Train WiFi providers. This is for a variety of reasons but the main one being the Spam related issue from Dynamic IP Address pools.  I can explain the technicalities of this. However it's probably best to explain the fix.

I don't know who your provider is for e-mail. However if you want to post it or PM me I can post the fact sheet showing how it's done.

I use BT Connect. Outbound email for this uses port 25 and no encryption.

I've also got an EE account (for the laptop's SIM card). The outbound email for this uses port 587 and TLS encryption.

[thetrout]

Just to summarise this post. I PM'd Worcester_Passenger and we exchanged PM's rather than turn the thread into a Tech Support Desk

Their were 2 problems, 1 which was a show stopper, the other a minor inconvenience.

Problem 1 was most on-train WiFi providers and some other ISPs (Be UnLimited being one) block SMTP from going out of their networks and must be routed through their own SMTP Mail Relay systems instead.

So I explained how W_P could change their Mail Server to run with TLS Encryption which 99% of the time is unrestricted. You also have to authenticate and be authorised to use the 'relay' mail server.

In this case we changed the outbound e-mail to the correct mail server on TCP Port 587 with TLS (SMTP with TLS Encryption) and entered the appropriate username and passwords. We exchanged further test emails which were received with success


The second problem which is easily resolved but has a less than obvious cause is based on how you connect to the WiFi.

When you join an on-train WiFi provider or any other public hotspot for that matter, you'll need to login at a 'spash screen' which is normally (or at least should be...!!) secured by HTTPS.

Some E-Mail Systems (Microsoft Exchange Accounts certainly being one of them!) use SSL^▸ (Short Swing Link bogies (125)) Certificates to exchange data between client and server to make sure the server is really who it says it is (Kind of like showing a Passport in the Airport)

When you join the public wifi, the WiFi system tries to redirect the HTTPS connection of your mail client to the splash screen. Inadvertantly this causes the WiFi System to pretend it's your mail server when of course, it isn't! This immediately invalidates the SSL Certificate and you'll either get lots of warnings which won't go away or your mail client (Outlook for example) will not connect and remain in a "Disconnected" state.

This is easily resolved by not opening your mail client BEFORE authenticating and logging into the WiFi Splash Screen, or if your client was already open before you logged in at the splash screen, simply completely close your E-Mail Client (Make sure it has and is not just running in the background or minimized in the taskbar), make sure you can get onto the Internet and then open your mail client again. It should then work.


Whilst this isn't an IT Forum, considering the nature under which the topic was asked, I felt it was work explaining the reasoning behind it all.

Mods feel free to move this to the Assistance Thread if you think it's better placed there

[BerkshireBugsy]

Just to summarise this post. I PM'd Worcester_Passenger and we exchanged PM's rather than turn the thread into a Tech Support Desk

Their were 2 problems, 1 which was a show stopper, the other a minor inconvenience.

The second problem which is easily resolved but has a less than obvious cause is based on how you connect to the WiFi.

When you join an on-train WiFi provider or any other public hotspot for that matter, you'll need to login at a 'spash screen' which is normally (or at least should be...!!) secured by HTTPS.

Some E-Mail Systems (Microsoft Exchange Accounts certainly being one of them!) use SSL^▸ (Short Swing Link bogies (125)) Certificates to exchange data between client and server to make sure the server is really who it says it is (Kind of like showing a Passport in the Airport)

When you join the public wifi, the WiFi system tries to redirect the HTTPS connection of your mail client to the splash screen. Inadvertantly this causes the WiFi System to pretend it's your mail server when of course, it isn't! This immediately invalidates the SSL Certificate and you'll either get lots of warnings which won't go away or your mail client (Outlook for example) will not connect and remain in a "Disconnected" state.

This is easily resolved by not opening your mail client BEFORE authenticating and logging into the WiFi Splash Screen, or if your client was already open before you logged in at the splash screen, simply completely close your E-Mail Client (Make sure it has and is not just running in the background or minimized in the taskbar), make sure you can get onto the Internet and then open your mail client again. It should then work.

Many thanks everyone. I am now alot wiser about on-board Wifi than when I posted the original question.

Sadly, the original question was bourne out of the scenario that (in this case) the users in question were senior execs who were not tolerant of using different processes to connect in different scenarios. What your collective answers has confirmed is that this isn't possible.

THanks again.

Dave