
Personally... I run a Linode VPN with OpenVPN on it listening on port 443.

Anytime I am on a public wifi or untrusted network (including the occasional time at my job with a personal device), I connect to that. Since it's 443, it's generally not blocked, even though the TLS connection is not "standard" because it uses a 2048-bit PSK as a precursor to start a connection, then certificate-based auth to establish the tunnel.

It's a full tunnel as well, so all traffic runs through it. Google/YouTube will sometimes pitch fits and make me do captchas, but otherwise it's an easier way to shield from stuff like that.

All the wifi provider sees in that case is a single connection to my Linode.

Admittedly this is a pretty technical solution though and requires some configuring. Mullvad would probably be an easier option, with plenty of endpoints to jump through. Or you can run Tailscale and use SSH/SOCKS proxies, though things like DNS leakage can still occur there.

I will use SSH tunnels and SOCKS proxies for certain browsers that are configured to not store any data locally as well (i.e. Firefox). I justify it easily in that I am constantly testing services and sometimes it's best to rule out routing, BGP or other low-level network issues, and using ssh -D 12345 something@someplace allows me to do just that in isolated circumstances.



OpenVPN is a noisy protocol. Every network operator knows you're on a VPN.

Point is, port 443 isn't really the best way if you don't want to be blocked.

You may want to consider stunnel if this ever becomes a problem for you.


The thing is though, I'm not trying to hide the fact I am on OpenVPN. Simple inspection of the handshake tells you EXACTLY what it is. But that's generally not the issue.

The issue is many will simply block UDP or the default port 1194 or basically anything other than a handful of outbound ports, of which 443 outbound is almost never actually blocked, for obvious reasons. In fact I can't think of a single time I haven't been able to use that VPN, even when my normal road-warrior profile to my house IS blocked.

Either way, there are ways to mask the fact that it's clearly OpenVPN, like Obfsproxy, if your issue is nation-states or things like the Great Firewall, but even then something like Mullvad would be called for, since you are likely going to need an array of endpoints.

I'm just trying to ensure my traffic is running through a trusted source until the point that it's supposed to hit the open internet. Things like DNS filtering are getting more pervasive. For me that means I want to know the endpoint until I am ready for it to egress.

I have also had this setup for years at this point, before Tailscale or even hearing of things like Mullvad. But I work in IT, so it's one of those things that makes others that don't work in tech look at me funny if they see it.
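The two points made above, that OpenVPN on TCP/443 gets through port-based filtering but that "simple inspection of the handshake tells you EXACTLY what it is", come down to the first bytes the client sends. OpenVPN in TCP mode prefixes every packet with a 2-byte length and then a plaintext opcode byte (P_CONTROL_HARD_RESET_CLIENT_V2 for a fresh client), and tls-auth only adds an HMAC and packet-id/net-time fields after the session id; it does not hide that opcode. A real TLS session, which is what an stunnel wrapper would present, starts with a 0x16 handshake record carrying a ClientHello instead. The following is an added example, not code from the thread or from OpenVPN: a small classifier for the first client bytes on a TCP connection, run over packets constructed inline. The 20-byte HMAC size in the constructed tls-auth packet assumes the default SHA1 auth digest, and the sample session id, random bytes and timestamp are made up.

```python
"""Fingerprint the first client-to-server bytes of a TCP connection.

Added example (not from the thread). Shows why a firewall can tell OpenVPN-over-TCP
from genuine TLS on any port: the OpenVPN opcode byte is never encrypted, with or
without tls-auth. All sample packets below are constructed, not captured.
"""
import struct

# OpenVPN opcodes sit in the top 5 bits of the byte that follows the
# 2-byte big-endian length prefix OpenVPN adds in TCP mode; low 3 bits are the key id.
OPENVPN_OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
CLIENT_RESET_OPCODES = {1, 7, 10}  # the opcodes a client can open with


def parse_openvpn_tcp(data: bytes):
    """Return (opcode_name, key_id) if data looks like OpenVPN's first TCP packet, else None."""
    if len(data) < 3:
        return None
    (plen,) = struct.unpack("!H", data[:2])
    if plen != len(data) - 2:  # the length prefix must cover exactly one packet
        return None
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    # minimum: opcode + 8-byte session id + ack-array length + 4-byte packet id
    if opcode not in CLIENT_RESET_OPCODES or key_id != 0 or plen < 1 + 8 + 1 + 4:
        return None
    return OPENVPN_OPCODES[opcode], key_id


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends: TLS ClientHello, SSH banner, OpenVPN or unknown."""
    # TLS record: content type 0x16 (handshake), version 3.x, handshake type 0x01 = ClientHello
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01:
        return "tls-clienthello"
    if data.startswith(b"SSH-2.0-"):  # what an `ssh -D` SOCKS tunnel looks like on the wire
        return "ssh-banner"
    parsed = parse_openvpn_tcp(data)
    if parsed:
        return "openvpn:" + parsed[0]
    return "unknown"


def openvpn_client_reset(session_id: bytes, tls_auth: bool) -> bytes:
    """Construct the P_CONTROL_HARD_RESET_CLIENT_V2 packet a fresh OpenVPN client sends over TCP."""
    body = bytes([(7 << 3) | 0]) + session_id  # opcode 7, key id 0, 8-byte session id
    if tls_auth:
        # tls-auth inserts HMAC (20 bytes assumed for SHA1), packet-id and net-time before the acks;
        # the opcode byte above is unaffected, which is the whole point of this example
        body += b"\x11" * 20 + struct.pack("!II", 1, 1700000000)
    body += b"\x00"                  # ack array length: nothing to ack yet
    body += struct.pack("!I", 0)     # message packet id
    return struct.pack("!H", len(body)) + body


def tls_client_hello(client_random: bytes) -> bytes:
    """Construct a minimal TLS 1.2-framed ClientHello offering TLS_AES_128_GCM_SHA256."""
    body = b"\x03\x03" + client_random + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = {
        "openvpn, no tls-auth": openvpn_client_reset(b"\xaa" * 8, tls_auth=False),
        "openvpn, tls-auth":    openvpn_client_reset(b"\xaa" * 8, tls_auth=True),
        "stunnel / real TLS":   tls_client_hello(b"\x00" * 32),
        "ssh -D tunnel":        b"SSH-2.0-OpenSSH_9.6\r\n",
    }
    for label, pkt in samples.items():
        print(f"{label:22} -> {classify_first_bytes(pkt)}")
```

The tls-auth packet is 28 bytes longer than the bare one, but both classify the same way because the opcode byte sits in front of the HMAC. Only the TLS-wrapped sample comes back as a ClientHello, which is the difference stunnel makes for a middlebox doing protocol inspection rather than port filtering.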



