*Sigh*
I’m here to ask the question that has a plain and obvious answer, but for the sake of trying to appease higher ups, what is the solution to VPN being bad / not working on airplane wifi?
Context: we recently went to an “Always-on” configuration for contract requirements and filtering requirements. This always-on basically removes internet access from a machine if they aren’t connected to VPN. We have Prisma Access for our gateways. As is expected, the VPN on airlines doesn’t really work that well and sometimes doesn’t work at all.
What is the best way around this, if at all? I’m told VPN not working on airlines is a non-starter and we need to figure out how to make it work. My response was typical, we can’t control their wifi and airlines have been known to deprioritize or break VPNs altogether. Does anyone have any experience or tips / tricks on making this less painful? I’ve seen some recommendations to drop MTU sizes, as the overhead with VPN can cause issues with negotiation, but figured I’d start here.
Same issue as VPNs on mobile hotspots but x100 worse. It could work, but often won’t because of bandwidth/throttling/timeout issues. As you mentioned, VPNs add significant overhead and the extra time it takes to encrypt/decrypt/route traffic differently layered on top of the plane’s naturally low bandwidth causes sites to break and act up. We have similar issues with Netskope’s SASE and it’s just how things are with VPNs 
Split tunnelling high-bandwidth apps like messaging and video might help, but ultimately those will be throttled by the network so they might not have much luck even off the VPN.
Users and management should accept that they won’t be able to do online work on planes. They should enjoy being disconnected from work, or they’ll have to avoid flying on company time if management really hates the lack of productivity.
This thread helped me out with that issue. I had to add a lot of these, and then things worked for always on.
Look at Prisma Access Browser. Allow them to use it with their BYOD and reduce the scope of what they can access when using Browser vs VPN. Removes VPN as an obstacle, ensures least privilege User based access, controls behaviour at browser level, inherently resolves decryption headache. 
You can reduce the laptop’s MTU.
netsh interface ipv4 set interface "Ethernet" mtu=1400
Drop it all the way down to 1000 for good measure. No guarantee it’ll do any good.
This may not be a technical issue you can solve. High latency and network performance are controlled by physics as much as by the airplane’s wifi quality. As others have mentioned, MTU reductions (or path MTU adjustments) can help, maybe try something like 1360. Best option would be a latency-friendly option like Prisma Browser or similar.
Look into Prisma Access Browser (as the only browser on the machine) for the traveling folk versus always-on. Allows them to use the plane’s native connection, with the hook-in to Prisma for on-net, without the VPN+planes challenges that exist today.
Hm. Either get them a PA-410 with a small UPS as a backpack + WiFi AP solution or install a virtual PA on Hyper-V or VMware Player on their device. That way you could do filtering without a need for VPN (Just kidding of course).
One serious workaround would either be an endpoint agent that allows web filtering or some sort of HTML RDP VDI like Citrix or its competitors. Citrix always has heavy exploits in their software though.
Or you can try and use something like this to hide your VPN from the airline’s WiFi deep packet inspection. This brings other issues though.
https://github.com/wangyu-/udp2raw
We set our MTU to 1300 because hotspots, free wifi and airplanes sometimes use 1426 or something. Most airlines work since we set this.
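An added example (not code from the thread, nor from Palo Alto Networks) of the MTU reasoning in the comments above: the netsh interface MTU change and the 1426-byte hotspot path. It binary-searches the path MTU with don't-fragment probes, then derives the interface MTU to set and the inner MTU left once tunnel encapsulation is subtracted. The ping flags (Windows and iputils Linux), the per-tunnel overhead figures and the 1426-byte simulated path are assumptions, and the simulated probe is a constructed offline stand-in.

```python
"""Path-MTU discovery and VPN MTU sizing (added example; overheads are assumed
approximations for IPv4 + AES-GCM and depend on what the gateway negotiates)."""
import subprocess
import sys
from typing import Callable

# Bytes the tunnel wraps around each inner packet (assumed, approximate).
OVERHEAD = {
    "ipsec-esp-natt": 20 + 8 + 8 + 8 + 2 + 16,  # outer IPv4, UDP/4500, ESP hdr, IV, trailer, ICV = 62
    "dtls":           20 + 8 + 13 + 8 + 16,     # outer IPv4, UDP, DTLS record hdr, nonce, tag = 65
    "tls-tcp":        20 + 20 + 5 + 8 + 16,     # outer IPv4, TCP, TLS record hdr, nonce, tag = 69
}
IP_ICMP_HEADERS = 28  # IPv4 (20) + ICMP (8); ping's payload argument excludes these

Probe = Callable[[int], bool]  # probe(total_ip_size) -> True if it arrived unfragmented


def discover_path_mtu(probe: Probe, low: int = 576, high: int = 1500) -> int:
    """Binary search for the largest IP packet size that crosses the path with DF set."""
    if not probe(low):
        raise RuntimeError(f"even a {low}-byte probe failed; path is down or blackholed")
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid       # mid got through, so the answer is at least mid
        else:
            high = mid - 1  # mid was dropped, so the answer is below mid
    return low


def ping_probe(host: str) -> Probe:
    """Real probe via the OS ping with don't-fragment set (needs network; flags assumed)."""
    def probe(size: int) -> bool:
        payload = str(size - IP_ICMP_HEADERS)
        if sys.platform == "win32":
            cmd = ["ping", "-n", "1", "-w", "2000", "-f", "-l", payload, host]
        else:  # iputils ping on Linux
            cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", payload, host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe


def simulated_probe(path_mtu: int) -> Probe:
    """Offline stand-in (constructed): a link that silently drops anything above path_mtu."""
    return lambda size: size <= path_mtu


def plan_mtu(path_mtu: int, tunnel: str, margin: int = 0) -> dict:
    """Interface MTU to set on the laptop (what the netsh line changes) and the inner
    MTU the tunnel can carry after encapsulation overhead; margin is extra headroom."""
    interface_mtu = path_mtu - margin
    return {"interface_mtu": interface_mtu, "inner_mtu": interface_mtu - OVERHEAD[tunnel]}


if __name__ == "__main__":
    # Constructed scenario: a hotspot path passing at most 1426-byte packets, as in the thread.
    pmtu = discover_path_mtu(simulated_probe(1426))
    print(pmtu, plan_mtu(pmtu, "ipsec-esp-natt", margin=26))
```

Swap `simulated_probe(1426)` for `ping_probe("<gateway-or-public-host>")` to measure a real path; the discovered value tells you whether the 1300/1360/1400 figures suggested in the thread actually leave headroom on that link.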
You don’t tell us where in the world this is. There is good technical input here, and I figured I’d add my two cents from being a network body that flies a lot in Europe/Africa/Asia.
From the airlines I fly with the answer is: this is not something that is workable with all airlines/aircraft.
- Many airlines have different communication systems per type of aircraft, there is no one system for all aircraft in a given airline.
- Every airline does things differently.
From my experience, many airlines filter heavily on what is allowed and what is not at the various hubs they downlink the traffic via on the ground. Some airlines explicitly disallow VPNs. One airline might use a brand of firewalls that don’t recognise DTLS as VPN, some don’t, some allow IPsec. That’s before you start talking about QoS. Some will heavily limit bandwidth for certain apps and some don’t. I will be flying Europe-Africa later this week and I know on the first leg there will be very usable internet access, the second leg has somewhat usable but I know VPNs won’t have a chance with that system’s firewalls, and on the third leg the system used is so badly limited on bandwidth that even iMessage messages without graphics will barely work.
The only bright spot I know is that Panasonic/Inmarsat uses a good system for me (hello Cathay Pacific), and more airlines are moving to Starlink, which is basically unfiltered (for now).
YMMV.
Have you already tried allowing the TLS VPN instead of IPSec?
We have not had good luck with VPN on airlines. Enabling the captive portal detection can help but it has its issues. Also make sure you have the SSL fallback enabled. That way if they get in the way of the IPsec it will still work on SSL. Also enable the option to let the user force it to SSL.
But as others have mentioned. Your VPN is only as good as your internet and the speed of light is an issue here.
Sad to say this may be more of a “what is your use case” question than the technical issues. And TBH it will never work well.
Yeah, we already split-tunnel all of our critical communication applications, so that isn’t really the issue. I have tried to explain that moving towards this setup, while more secure, will cause issues to user experience that we simply can’t fix. At this point, I’m just trying to collect all the information and data I can to say “See, there’s nothing we can do”. Airplane wifi is just not conducive to anything more than checking email or basic stuff even when not on VPN.
I’d also be thrilled to find there are things we can do to make it better, but yeah, it’s an airplane…it’s not going to be a great experience even without VPN. Adding VPN just makes it damn near unusable…which was 100% expected.
Yep this is the best answer. If VPN has to be on, exempt the access to get on the wifi portals. You could also exempt certain traffic from inspection egressing from Starlink or Viasat IPs presuming they’re using in-air wifi but that’s higher risk than portal exemptions IMO
Yeah, we are moving towards enterprise browser, but with the current tools we have, VPN was our only solution. This implementation was given to us around 6 months ago and we had to stagger our deployment, so we didn’t really have any way of vetting other options. Enterprise browser also doesn’t solve for local application installs that we would need to block.
I don’t have a use case honestly. My CIO is expecting a good experience on airplanes and claims it’s unacceptable for it to not really work well. I told him that’s the nature of the beast. I said we should be recommending to all users to not rely on network connectivity while working on an airplane. Things like saving documents for offline work and using your phone’s wifi for Slack messaging etc.
He has an unrealistic expectation that VPN will work the same as if we didn’t have VPN on airplanes. I’m simply here to gather data and information. I’m collecting it from a bunch of different sources (reddit, sales engineer, industry documentation) so I can present it to him and say “look, there’s no way we can have VPN enforced and still expect it to work well on airlines, that is an unrealistic expectation”. That way he can’t claim it’s just me saying it and not an industry standard expectation.
Yeah, I wish there was more that could be done, but the physical limitations of airplane wifi make it hard enough to work with as it is. It’s a miracle to me that it works at all. Good luck talking with management!
A possible negotiation vector is to have a user who’s flying do some testing for you. Disable their VPN (or use their personal computer) and do some traceroutes and pings to numerically see how awful the experience is. Compare those stats to on the ground access on/off the VPN.
Maybe screen/phone record how slow everything is. Make it a point that “this slowness is with no VPN. Imagine how much slower it’ll be when VPN is on. Sites flat out won’t work any more because of how slow it is”
The hard part is verifying. Our CEO flies Delta, so that is good. I fly American, and know that works. I can’t tell if the others work. The whole thread has good info and helped me immensely.
We are starting to look at an enterprise browser also.
I use Prisma access browser - it’s made work on the plane much simpler. And to be honest - airplane WiFi is horrible even without VPN.