1309 points rickybule | 32 comments

Indonesia is currently in chaos. Earlier today, the government blocked access to Twitter & Discord knowing news spread mainly through those channels. Usually we can use Cloudflare's WARP to avoid it, but just today they blocked the access as well. What alternative should we use?
1. Humorist2290 No.45054496
- Tor. Pros: Reasonably user friendly and easy to get online, strong anonymity, free. Cons: a common target for censorship, not very fast, exit nodes are basically universally distrusted by websites.

- Tailscale with Mullvad exit nodes. Pros: little setup but not more than installing and configuring a program, faster than Tor, very versatile. Cons: deep packet inspection can probably identify your traffic is using Mullvad, costs some money.

- Your own VPSs with Wireguard/Tailscale. Pros: max control, you control how fast you want it, you can share with people you care about (and are willing to support). Cons: the admin effort isn't huge but requires some skill, cost is flexible but probably 20-30$ per month minimum in hosting.

replies(12): >>45054512 #>>45054517 #>>45054567 #>>45054628 #>>45054699 #>>45054720 #>>45055029 #>>45055389 #>>45055401 #>>45055431 #>>45056362 #>>45059374 #
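An added example, not from any commenter in this thread, of what the "own VPS with WireGuard" option above boils down to: a small Python script that renders the wg-quick configs for the VPS hub and the devices you share it with, and refuses malformed keys and overlapping or out-of-subnet tunnel addresses (WireGuard maps each allowed IP to exactly one peer, so a duplicate silently moves the route to whichever peer was configured last). The keys are constructed base64 placeholders of the right shape, not real X25519 keys; the tunnel subnet 10.66.0.0/24, the interface name eth0, the endpoint address 203.0.113.7 and the port 51820 are all assumptions.

```python
"""Render wg-quick configs for a VPS hub and the devices that share it.

Added example. Keys below are constructed placeholders of the right shape
(32 bytes, base64), NOT real X25519 keys: generate real ones on each device
with `wg genkey | tee privkey | wg pubkey > pubkey` and never move a private
key off the machine it belongs to.
"""
import base64
import ipaddress
from dataclasses import dataclass

TUNNEL_NET = "10.66.0.0/24"   # assumed tunnel subnet
WAN_IF = "eth0"               # assumed public interface name on the VPS


def fake_key(seed: int) -> str:
    """Constructed key-shaped string for the example (32 identical bytes, base64)."""
    return base64.b64encode(bytes([seed]) * 32).decode()


def is_wg_key(key: str) -> bool:
    """WireGuard keys are exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


@dataclass
class Peer:
    name: str
    private_key: str   # used only to render this peer's own client config
    public_key: str
    address: str       # tunnel address for this peer, e.g. "10.66.0.2/32"


SERVER_PRIV, SERVER_PUB = fake_key(1), fake_key(2)
PEERS = [
    Peer("laptop", fake_key(3), fake_key(4), "10.66.0.2/32"),
    Peer("phone", fake_key(5), fake_key(6), "10.66.0.3/32"),
]


def check_peers(peers, tunnel_net=TUNNEL_NET):
    """Reject malformed keys and overlapping or foreign AllowedIPs.

    WireGuard maps each allowed IP to exactly one peer, so a duplicate
    address silently moves the route to whichever peer was configured last.
    """
    net = ipaddress.ip_network(tunnel_net)
    seen = []
    for p in peers:
        if not (is_wg_key(p.private_key) and is_wg_key(p.public_key)):
            raise ValueError(f"{p.name}: key is not 32 base64-encoded bytes")
        addr = ipaddress.ip_network(p.address, strict=False)
        if not addr.subnet_of(net):
            raise ValueError(f"{p.name}: {p.address} is outside {tunnel_net}")
        for other_name, other in seen:
            if addr.overlaps(other):
                raise ValueError(f"{p.name} overlaps {other_name} on {p.address}")
        seen.append((p.name, addr))


def render_server(peers, listen_port=51820, wan_if=WAN_IF, tunnel_net=TUNNEL_NET) -> str:
    """wg-quick config for the VPS: one [Peer] per device, NAT out of wan_if."""
    check_peers(peers, tunnel_net)
    net = ipaddress.ip_network(tunnel_net)
    hub = next(net.hosts())   # first usable address, 10.66.0.1
    lines = [
        "[Interface]",
        f"Address = {hub}/{net.prefixlen}",
        f"ListenPort = {listen_port}",
        f"PrivateKey = {SERVER_PRIV}",
        "# Forward and masquerade tunnel traffic; also needs net.ipv4.ip_forward=1",
        f"PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; "
        f"iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE",
        f"PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; "
        f"iptables -t nat -D POSTROUTING -o {wan_if} -j MASQUERADE",
    ]
    for p in peers:
        lines += ["", f"# {p.name}", "[Peer]",
                  f"PublicKey = {p.public_key}", f"AllowedIPs = {p.address}"]
    return "\n".join(lines) + "\n"


def render_client(peer, server_host, listen_port=51820, dns="1.1.1.1") -> str:
    """wg-quick config for one device: full tunnel, DNS forced through it."""
    check_peers([peer])
    return "\n".join([
        "[Interface]",
        f"Address = {peer.address}",
        f"PrivateKey = {peer.private_key}",
        "# Without DNS here the ISP resolver still sees every name you look up",
        f"DNS = {dns}",
        "",
        "[Peer]",
        f"PublicKey = {SERVER_PUB}",
        f"Endpoint = {server_host}:{listen_port}",
        "# 0.0.0.0/0 and ::/0 send everything through the VPS, so v6 cannot bypass the tunnel",
        "AllowedIPs = 0.0.0.0/0, ::/0",
        "# Keeps the NAT mapping open on mobile carriers",
        "PersistentKeepalive = 25",
    ]) + "\n"


if __name__ == "__main__":
    print(render_server(PEERS))
    print(render_client(PEERS[0], "203.0.113.7"))   # assumed VPS address
```

Run it and drop the two outputs into /etc/wireguard/wg0.conf on the VPS and on the laptop, then `wg-quick up wg0` on both. The DNS line and the ::/0 entry are the two things people forget, and either omission leaks what you are visiting to the local ISP even though the tunnel itself is up.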
2. msgodel No.45054512
IMO most people should have a VPS even if you don't need it for tunneling. Living without having a place to just leave services/files is very hard and often "free" services will hold your data hostage to manipulate your behavior which is annoying on a good day.
3. nisegami No.45054517
Minimums for a VPS should be closer to $5-10 a month, no?
replies(3): >>45054581 #>>45055576 #>>45077190 #
4. Humorist2290 No.45054567
And using another VPN like NordVPN or ProtonVPN is probably in the same category as Mullvad, but worth being cautious. If it's free, you are the product. If you pay, you're still sending your traffic to a publicly (usually) known server of a VPN. That metadata alone in some jurisdictions can still put you in danger.

Stay safe

5. Humorist2290 No.45054581
Yeah they can be cheap, but I would definitely recommend having at least 3 for redundancy. If one gets shut down or its IP blacklisted you still hopefully have a backup line to create a replacement.
6. zargon No.45054628
> 20-30$ per month minimum in hosting

Typo? Wireguard-capable VPSes are available for $20-$30 per year. (https://vpspricetracker.com/ is a good site for finding them.)

replies(1): >>45054684 #
7. Humorist2290 No.45054684
I mean multiple VPSs for redundancy. Contabo is maybe the cheapest I've seen and it's like $3 monthly for the smallest?
replies(2): >>45059885 #>>45061589 #
8. vaylian No.45054699
Tor also has anti-censorship mechanisms (snowflakes, ...). Depending on how aggressive the blocking is, Tor might be the most effective solution.
9. cm2187 No.45054720
or simply RDP into a windows VPS.
10. rickybule No.45055029
Thank you so much for this. It is very helpful.
11. weinzierl No.45055389
This is a good overview, I just wanted to add that a VPS IP is not a residential IP. You will encounter roadblocks when you try to access services if you appear to be coming from a VPS. Not that I had a better solution, just to clarify what you can expect.
12. codethief No.45055401
> - Tailscale with Mullvad exit nodes

Tailscale is completely unnecessary here, unless OP can't connect to Mullvad.net in the first place to sign up. But if the Indonesian government blocks Mullvad nodes, they'll be out of luck either way.

> - Your own VPSs with Wireguard/Tailscale

Keep in mind that from the POV of any websites you visit, you will be easily identifiable due to your static IP.

My suggestion would be to rent a VPS outside Indonesia, set up Mullvad or Tor on the VPS and route all traffic through that VPS (and thereby through Mullvad/Tor). The fastest way to set up the latter across devices is probably to use the VPS as Tailscale exit node.

replies(1): >>45056373 #
13. dingi No.45055431
> cost is flexible but probably 20-30$ per month minimum in hosting.

$4/month VPS from DigitalOcean is more than enough to handle a few users as per my experience. I have a Wireguard setup like this for more than a year. Didn't notice any issues.

14. shellwizard No.45055576
No, unless you pay month to month. If you wait till BF you can find some really good deals on sites like lowendspirit
15. akho No.45056362
Wireguard is not censorship-resistant, and most VPN-averse countries block cross-border Wireguard. Why reply to a practical question in an area in which you have no experience?
replies(2): >>45056505 #>>45056516 #
16. jkaplowitz No.45056373
Tailscale + Mullvad does have a privacy advantage over either one by itself: the party that could potentially spy on the VPN traffic (Mullvad) doesn’t know whose traffic it is beyond that it’s a Tailscale customer. Any government who wanted to trace specific traffic back to OP would need to get the cooperation of both Mullvad and Tailscale, which is a lot less likely than even the quite unlikely event of getting Mullvad to cooperate.
replies(1): >>45058728 #
17. more_corn No.45056505
Because Indonesia is new to the game and might still be catching up. They’re probably playing whackamole with the most common public VPN providers and might not be doing deep packet inspection yet. I worked with someone getting traffic out of Hong Kong a year ago and there was a lot of trial and error figuring out what was blocked and what was not. Wireguard was one that worked.
replies(1): >>45056729 #
18. LeoPanthera No.45056516
Is it possible to identify wireguard traffic that isn't on a common port?
replies(1): >>45056586 #
19. akho No.45056586
Yes. Fixed packet headers, predictable packet sizes. I don't know what "a common port" means in relation to wg.
replies(2): >>45057307 #>>45057416 #
20. akho No.45056729
They recommend Tailscale in particular. Tailscale control plane and DERPs (which are functionally required on mobile) will be among the first to go.

Outline (shadowsocks-based) and amnezia (obfuscated wg and xray) both offer few-click install on your own VPS, which is easier than setting up headscale or static wg infrastructure, and will last you longer.

Also, you did not answer my "why" question. I'm not sure what question you were answering.

21. kube-system No.45057307
They mean UDP port 51820
replies(1): >>45057391 #
22. akho No.45057391
Yeah. Tailscale uses 41641, and you can generally use whatever. I don't think there's any consensus, or majority.
23. ItsHarper No.45057416
51820 is the one they use in the docs, that's probably the most common one.
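To make concrete what "fixed packet headers, predictable packet sizes" means in akho's reply above, and why the port discussion that follows it does not change the answer, here is an added example (editor's code, not any commenter's) that recognises WireGuard from UDP payloads alone. It relies only on the published WireGuard message layout: the first byte is the message type (1 handshake initiation, 2 handshake response, 3 cookie reply, 4 transport data) followed by three reserved zero bytes; initiations are 148 bytes, responses 92, cookie replies 64, and transport packets are a 16-byte header plus ciphertext padded to a multiple of 16 plus a 16-byte tag, so always a multiple of 16 and at least 32 (a 32-byte one is a keepalive). The addresses and packets are constructed; the server is deliberately put on port 443 rather than 51820 to show that the classifier never looks at ports.

```python
"""Classify UDP payloads as WireGuard by shape alone (no port, no decryption).

Added example. Packet sizes come from the WireGuard protocol description:
handshake initiation 148 bytes, response 92, cookie reply 64, transport
data 16-byte header + ciphertext padded to 16 + 16-byte Poly1305 tag.
"""
import struct
from collections import defaultdict

HANDSHAKE_INIT, HANDSHAKE_RESP, COOKIE_REPLY, TRANSPORT = 1, 2, 3, 4
FIXED_LENGTHS = {HANDSHAKE_INIT: 148, HANDSHAKE_RESP: 92, COOKIE_REPLY: 64}
RESERVED = b"\x00\x00\x00"   # bytes 1..3 are always zero in stock WireGuard


def classify_payload(payload: bytes):
    """Return the WireGuard message type this payload could be, else None."""
    if len(payload) < 32 or payload[1:4] != RESERVED:
        return None
    mtype = payload[0]
    if mtype in FIXED_LENGTHS:
        return mtype if len(payload) == FIXED_LENGTHS[mtype] else None
    if mtype == TRANSPORT and len(payload) % 16 == 0:
        return TRANSPORT
    return None


def flag_wireguard_flows(packets, min_data=2):
    """Flag flows showing an initiation, a response back to the initiator, then data.

    packets: iterable of (src, sport, dst, dport, payload). Ports are used
    only to tell flows apart. A lone matching first byte is not enough; the
    handshake sequence followed by 16-byte-aligned data is what makes the call.
    """
    state = defaultdict(lambda: {"initiator": None, "resp": False, "data": 0})
    for src, sport, dst, dport, payload in packets:
        key = frozenset({(src, sport), (dst, dport)})
        st = state[key]
        mtype = classify_payload(payload)
        if mtype == HANDSHAKE_INIT:
            st["initiator"] = (src, sport)
        elif mtype == HANDSHAKE_RESP and st["initiator"] == (dst, dport):
            st["resp"] = True
        elif mtype == TRANSPORT and st["resp"]:
            st["data"] += 1
    return {key for key, st in state.items() if st["data"] >= min_data}


def wg_packet(mtype: int, total_len: int) -> bytes:
    """Constructed packet: type byte, three zero bytes, then opaque filler."""
    return struct.pack("<B3x", mtype) + bytes(total_len - 4)


CLIENT = ("192.0.2.10", 41641)    # constructed addresses (documentation ranges)
SERVER = ("203.0.113.7", 443)     # deliberately not 51820
SAMPLE = [
    (*CLIENT, *SERVER, wg_packet(HANDSHAKE_INIT, 148)),
    (*SERVER, *CLIENT, wg_packet(HANDSHAKE_RESP, 92)),
    (*CLIENT, *SERVER, wg_packet(TRANSPORT, 32)),     # keepalive: empty plaintext
    (*CLIENT, *SERVER, wg_packet(TRANSPORT, 1456)),   # 1420-byte inner packet, padded
    (*SERVER, *CLIENT, wg_packet(TRANSPORT, 96)),
    # Decoys on the "WireGuard port": a DNS query and a 45-byte blob that only
    # shares the first four bytes. Neither is flagged.
    ("192.0.2.10", 5353, "198.51.100.1", 51820,
     b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
    ("192.0.2.10", 5353, "198.51.100.1", 51820, b"\x04\x00\x00\x00" + bytes(41)),
]

if __name__ == "__main__":
    for key in flag_wireguard_flows(SAMPLE):
        print("WireGuard-looking flow:", sorted(key))
```

Feed it the (src, sport, dst, dport, payload) tuples from a capture and only the client/server pair on 443 comes back flagged; nothing on 51820 does. This is also exactly the surface that obfuscating variants attack: randomising the three reserved bytes and adding junk padding defeats both checks here, which is the point of the "obfuscated wg" akho mentions. Real DPI adds timing and size-distribution features on top, so treat a plain WireGuard port change as no protection at all.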
24. codethief No.45058728
True, but OP's threat model doesn't involve state actors outside Indonesia, so traffic analysis of the "last mile" between Mullvad node and whatever non-Indonesian service OP is trying to use (Twitter, Discord, …) is not really relevant here. (Assuming Indonesia doesn't have capabilities we don't know of.)

What might be more interesting is the case where the Indonesian government forces Twitter/Discord to give up IP addresses (which I find hard to believe but it's certainly not impossible). But then they'd still have to overcome Mullvad. It's much more likely that if OP has an account on Twitter/Discord, it is already tied to their person in many ways, and this would probably be the main risk here.

25. 77pt77 No.45059374
> cost is flexible but probably 20-30$ per month minimum in hosting

Like I've written here.

VPS in EU with 2GB RAM, 40 GB disk and >1TB a month of traffic go for $10 PER YEAR!

https://billing.chunkserve.com/cart.php?a=confproduct&i=0

https://my.servitro.com/cart.php?a=view

https://manager.ouiheberg.com/cart.php?a=confproduct&i=0

replies(1): >>45077195 #
26. notpushkin No.45059885
Sure, but ten servers is a bit too much redundancy, no? Depending on how many people you want to share it with it might make sense though.
27. prmoustache No.45061589
You don't need multiple VPSs at all times and can start them dynamically using the VPS provider API.

I regularly spawn temporary VPSs for a few hours to use as SOCKS proxies and view sporting events from my country of origin. There is no reason one couldn't write a script that can spin up a VPS, choosing a provider and country randomly from a list of supported providers.

28. majorchord No.45077190
The cheapest AWS EC2 instance is $3/mo
29. majorchord No.45077195
In my experience, not only do a lot of sites block access from datacenter/cloud IPs, but you will routinely encounter captcha loops.
replies(1): >>45079914 #
30. 77pt77 No.45079914
This is true, keeps getting worse, but depends heavily on the datacenter/IP.
replies(1): >>45082957 #
31. ranger_danger No.45082957
I've also had online shopping orders flagged or unable to buy at all by doing this. They seem to consider traffic as automatically suspicious when it's not through a residential ISP.

Although with the amount of "compromised" residential hosts these days that are for hire through grey-market proxy dealers, I don't know what to think anymore.

replies(1): >>45083900 #
32. 77pt77 No.45083900
Also true, but also happens in workplaces.

It will be even worse using a normal VPN so no solution there.

Also, if you're signed in it will be fine.