Ask HN: The government of my country blocked VPN access. What should I use?

You've come to a wrong place to ask. Most people here (judging by recommendations of own VPN instances, Tor, Tailscale/other Wireguard-based VPNs, and Mullvad) don't have any experience with censorship circumvention.

Just look for any VPNs that are advertised specifically for China, Russia, or Iran. These are the cutting edge tech, they may not be so privacy-friendly as Mullvad, but they will certainly work.

Mullvad worked OK in China for me recently. Sometimes I'd have to try a few different endpoints before it worked. Something built specifically to work in those places would probably be better, but it wasn't too much trouble. Not necessarily a recommendation, just sharing one data point.

OP: look into VLESS (and similar). And read up on ntc.party (through Google translate). There are certain VPN providers that offer the protocol.

[flagged]

I think REALITY is the newer protocol. I remember VLESS being somewhat more detectable

You can always do v2ray -> Mullvad in a docker container routed with gluetun for censorship avoidance and privacy

I have a little, maybe enough to be dangerous. SSH won’t be sufficient to avoid all traffic analysis. Everyone can see how much traffic and the pattern of that traffic, which can leak info about the sort of things you’re doing.

If you’re worried about ending up on a list, using things that look like VPNs while the VPNs are locked down is likely to do so.

Also… your neighbors in Myanmar didn’t do a lockdown during the genocide and things got pretty fucking dire as a result. People have taken different lessons from this. I’m not sure what the right answer is, and which is the greater evil. Deplatforming and arresting people for inciting riots and hate speech is probably the best you can do to maintain life and liberty for the most people.

I remember always needing obfuscation enabled in Mullvad, but it would work in the end (as you said, after trying a few endpoints).

VPNs that are advertised are for-profit products, which means:

1. They are in most cases run by national spy agencies.

2. They will at least appear to work, i.e., they will provide you with access to websites that are blocked by the country you are in. Depending on which country's spies run the system, they may actually work in the sense of hiding your traffic from that country's spies, or they may mark you as a specific target and save all your traffic for later analysis.

My inclination is to prefer free (open-source) software that isn't controlled by a company which can use that control against its users.

what's wrong with those solutions?

Do you have any evidence for either of these claims?

It is absolutely self-evident that VPNs are considered high-value targets and that all spy agencies invest a chunk of resources to go after high-value targets.

For 99% of use cases - piracy and porn, does that matter?

> Just look for any VPNs that are advertised specifically for China, Russia, or Iran.

If I was working for a secret service for these countries, I would set up many "VPNs that are advertised specifically for x" as honeypots to gather data about any dissidents.

It doesn't matter, he should look into the open source protocols that these services use. He doesn't have to use them.

VLESS / v2ray works in Russia, as far as I know.

nah, vless is the protocol, reality is a newer obfuscation method that works over vless

edit: op, protonvpn has a free tier that works in russia, so likely works everywhere, or if you're comfortable with buying a vps, sshing into it and running some commands, look up x-ray, and use on of their gui panels

Mr. Kafka, suspicion is healthy. However, abstraction provides no way forward when faced with practicalities instead of theory. Creates a Kafka-esque situation - anything suitable is by definition unsuitable. Better to focus on practical technical advice.

I would invite you to read again the two claims made, and consider whether your statement actually addresses the veracity of either.

To be a little trite: we all agree that chickens like grain, but it does not follow that a majority of grain producers are secretly controlled by a cabal of poultry.

Well, you have to host your free open-source VPN software somewhere. And then, (N. B.: technical and usability stuff aside, I'm talking only about privacy bits here) everything boils down to two equally nightmarish options.

First, you use well-known cloud or dedicated hoster. All your traffic is now tied to the single IP address of that hoster. It may be linked to you by visiting two different sites from the same IP address. Furthermore, this hoster is legally required to do anything with your VPN machine on demand of corresponding state actors (this is not a speculative scenario; i. e. Linode literally silently MitMed one of their customers on German request). Going ever further, residential and company IPs have quite different rules when it comes to law enforcement. Seeding Linux ISOs from your residential IP will be overlooked almost everywhere (sorry, Germany again), but seeding Linux ISOs from AWS can easily be a criminal offense.

Second, you use some shady abuse-proof hosting company, which keeps no logs (or at least says that) and accepts payments in XMR. Now you're logging in to your bank account from an IP address that is used to seedbox pirate content or something even more illegal, and you still don't know if anyone meddles with your VPN instance looking for crypto wallet keys in your traffic.

VPN services have a lot of "good" customers for a small amount of IP addresses, so even if they have some "bad" actors, their IPs as a whole remain "good enough". And, as the number of customers is big, each IP cannot be reliably tied to a specific customer without access logs.

Yeah, I'm using v2less on rented VPS, it's been workin for almost 2 years already (Russia)

This thread's not about that 99% use case.

Hmm. People who recommend widely used approaches, and well-known, well-established providers, "don't have any experience with cenorship circumvention".

So the solution is no-name providers using random ad-hoc hackery, chosen according to a criterion more or less custom designed to lead you into watering hole attacks.

Right.

Tor is a third option, at least as one layer, and seeding Linux ISOs is not, to my knowledge, a criminal offense in any jurisdiction, not even in China. I don't know where you got that idea.

None of the things I listed are "widely used approaches, and well-known, well-established providers" in the parts of the world where it does matter.

Yeah, maybe V* and derivatives are random ad-hoc hackery, but they also are the well-known standard now.

I read that as a euphemism for piracy.

^ this comment is right on. The cutting edge of VPN circumvention is the one marketed to people in China. Last I poked at this there were a lot of options.

From gemini.. (edited for brevity)

Kape Technologies Owns: ExpressVPN, CyberGhost, Private Internet Access, Zenmate

> is there any suspicion that Kape Technologies is influenced or has ties to the Mossad?

Yes, there is significant suspicion and public discussion about Kape Technologies having ties to former Israeli intelligence personnel. While a direct operational link to Mossad has not been proven, the concerns stem from the company's history, its key figures, and their backgrounds.

...

Kape Technologies is owned by Israeli billionaire Teddy Sagi. While Sagi himself does not have a documented intelligence background, his business history, which includes a conviction for insider trading in the 1990s, has been a point of concern for some privacy advocates. The consolidation of several major VPN providers under his ownership has raised questions about the potential for centralized data access.

----

Sure there isn't direct proof but there wasn't any proof the CIA was driving drug trade while it was happening. Proof materializes when the dust settles on such matters.

> Yeah, maybe V* and derivatives are random ad-hoc hackery, but they also are the well-known standard now.

A lot of people use Telegram and think it's private, too.

What about the part about choosing your VPN provider in the way most likely to get you an untrustworthy one who's after you personally?

Can I have a list of these options?

Actually I do, we sell a lot of proxy types designed specifically to circumvent such filters. Trojan works great for our Iran and China users: https://www.anonymous-proxies.net/products/residential-troja...

>Also… your neighbors in Myanmar didn’t do a lockdown during the genocide and things got pretty fucking dire as a result

The genocide in Myanmar was incited _by_ the government there; giving it more power to censor it's citizens' communications would have done absolutely nothing to help the people being genocided. Genocides don't just suddenly happen; the vast majority of genocide over the past century (including Indonesian genocides against ethnically Chinese Indonesians) had the support of the state.

I don't see parent abstracting. They are simply pointing out a very real risk, which you don't provide any counter points to. Instead you seem to dismiss their point based on a strawman

Mullvad worked okay in China in June for me. I imagine it will be better in Indonesia with their less sophisticated blocking.

v2/Vless

Pirating Linux ISOs is legal, though.

@reisse is 100% right. Most people outside of heavily censored regions have no clue what technology is actually used in those countries. The well-known, well-established providers don't actually work in censored regions because:

1) The problem is very difficult and requires a lot of engineering resources 2) It's very hard to make money in these countries for many reasons, including sanctions or the government restricting payments (Alipay, WeChatPay, etc)

The immediate response would be: "If the problem is so difficult, how can it be solved if not be well-known, well-established providers?"

The answer is simple: the crowdsourcing power of open source combined with billions of people with a huge incentive to get around government blocking.

This makes no sense.

On the one hand they do DPI with ML.

On the other hand a major player is open!

Something is not right here...

Wrong threat model. Solutions like mullvad/proton focus on privacy not breaking the blockade. They have well known entry points and therefore easily blocked. You can play cat and mouse game switching servers faster than censorship agency blocks them (e.g. Telegram vs Roskomnadzor circa 2018 [1]) but that gets expensive and not really focus of these companies.

What you need is open protocols and hundreds of thousands of small servers only known to their owners and their family/friends

1: https://archive.is/sxiha

I think you might want to read about the Anom phone [0], supposedly encrypting messages for drug dealers to avoid law enforcement, which was actually sold by... the FBI.

[0]: https://www.inc.com/jennifer-conrad/the-fbi-created-its-own-...

This has been simmering for a very long time. The first I heard of it was violence that broke out after the defacement of a Buddhist temple statue. That would have been almost 20 years ago. Buddhists murdering people tends to lead one to ask a lot of questions.

At that time I think the government was hands off, let it happen rather than tried to stop it.

Regardless of who was behind the violence, the whole region has thought about what to do in such situations and they aren’t the same answers the West would choose.

Despite its silly name, the reddit forum r/dumbclub is probably the place to start, they are focused on GFW-related discussions.

https://old.reddit.com/r/dumbclub/

Piracy is by definitin illegal, no?

Sir Night: may I ask, what should it mean to me that some businesses are fronts?

I hope I do not present the presence of a dullard unfamiliar with this.

It's very sad that every sane and informed comment (like reisse's) has to meet this kind of snarky comment whose only purpose is being snarky on HN.

Perhaps you should stop and think about why people living in countries where governments actually censor a lot hardly use these "well-established providers" to circumvent censorship. Tip: it's not because they're stupid.

> It's very hard to make money in these countries for many reasons

Tor and I2P, for example, don't actually make money anywhere. Which is not to say that they work for any of the users in all of these places, or for all of the users in any of these places.

> The answer is simple: the crowdsourcing power of open source combined with billions of people with a huge incentive to get around government blocking.

The actual answer is that (a) they're using so many different weird approaches that the censors and/or secret police can't easily keep up with the whack-a-mole, and (b) they're relying on folklore and survivorship bias to tell them what "works", without really knowing when or how it might fail, or even whether it's already failing.

Oh, and most of them are playing for the limited stakes of being blocked, rather than for the larger stakes of being arrested. Or at least they think they are.

Maybe that's "solving" it, maybe not.

Just run second VPN inside the honeypotted VPN

>... but it does not follow that a majority of grain producers are secretly controlled by a cabal of poultry.

That's precisely what someone who's in on it would say.

Spell out your argument more. Find some hard evidence. Even “major player” needs to be backed up.

Do you even know how many users Mullvad has in CN? I don’t. Searching says the whole company apparently has ~500k users. I don’t think that’s enough to be a significant presence in China.

Actually, my main original purpose was to call (more) attention to the fact that looking for somebody specifically advertising a VPN to your particular country, for a censorship-resistance purpose, has a vastly greater chance of getting you a honey pot than almost any other possible way of looking for a relay. Honey pots are particularly dangerous in one-hop protocols with cleartext exit.

The part about the unreliable ad-hockery is also true, albeit less critical. The fact is that you don't know what your adversary is doing now, and you definitely don't know what they're going to to roll out next. You don't have to be stupid to decide to take that risk, but you also don't have to be particularly stupid to not think about that risk in the first place, especially when people are egging you on to take it.

The greater purpose underlying both is to keep people from unknowingly getting in over their heads. I have seen lots of people do actually stupid things, up close and personal, especially when given instructions without the appropriate cautions.

And "services and providers" doesn't necessarily mean commercial VPNs. In fact those were way down the list of what I had in mind. Your own VPS is a "provider". So is Tor or I2P (not that those won't usually run into problems). So is your personal friend in another country.

At DefCon 26 (25?) I attended two presentations that scared me:

1. there was a presentation about several admins in a hostile country who had been arrested because someone from Harvard pinged a server they ran as part of IPv4 measurement. The suggestion was to avoid measuring countries with strong censorship laws to prevent accidental imprisonment of innocent IT.

2. similar presentation about ToR project struggling to find fresh egress/ingress addresses. Authoritarian countries were making lists of any IP addresses that were known ToR IPs and prosecuting/imprisoning users associated with them as a result of traffic on those addresses.

I would be extremely careful trying to bypass authoritarian restrictions unless I was 110% confident what I was doing.

> Actually, my main original purpose was to call (more) attention to the fact that looking for somebody specifically advertising a VPN to your particular country, for a censorship-resistance purpose

Please re-read my post then. I do not call to look for VPN for your or anyone's particular country, I call to look for VPNs for these specific countries because they have the current bleeding edge blocking tech, and if VPN works there now, it will 100% work in every other country. If you're in China, you don't have to look for Chinese VPNs, some of Russian ones will work there too.

[flagged]

Yeah. If an authoritarian government controls the network infrastructure, there's no way to use that network infra without risk.

To actually bypass this, you need your own network. Does anyone know of any sneakernet protocols that would be useful here?

Scuttlebut, Briar and NNCP come to mind.

FWIW, Mullvad did not work for me in June in China :)

Please don't do this here.

Sir: you have written my comment better than I ever could.

Thank you, - Refulgentis

You're dramatically underestimating the sophistication of these groups. Think about it: these people are risking their freedom by working on this technology in any capacity. They are not naive to the risks of the work nor are they naive to the technical threats facing the software. In fact, the opposite is true. Western VPN companies are very much naive because the risks their users face are much less severe, and at a technical level they don't require anywhere near the same level of sophistication. They're primarily just WireGuard and OpenVPN, which are trivial for censors to block.

Tor is great, and they do great research on censorship circumvention, but it isn't used at any significant scale in these countries.

Yeah obviously, do you think that's evidence that every single one is a honeypot?

Israel has universal conscription and anyone smart enough to get out of hauling a rifle around in the hot sun is going to leap at any chance to do so. So some kind of intel background among tech people in Israel isn't nearly as meaningful as it is in other countries where joining the IC is a very deliberate choice.

But more importantly, you can't just make grandiose claims (especially about privacy tools!) then just say "Proof materializes when the dust settles on such matters". You can claim that about literally anything.

It's not actually Linux ISOs that they're pirating.

If you have a threat model, then having both 1. no reassurance of safety in using a tool, and 2. valid reason to believe that such tools can be suspect, is equivalent to certainty that the tool should be avoided.

To give an analogy, this is similar to why "security by obscurity" isn't a valid option if you're serious about security.

Let's say that admin access is open on my server on a certain port and: 1. I have done nothing specific to secure it, and 2. it has been shown that there are adversary actors scanning for vulnerable ports on the network.

I can either take your apparent stance that "this means nothing to me", or I can consider the situation equivalent to "this server is already compromised, I just don't know it yet".

In the current conversation, the combination of: 1. no reasonable reason to believe ExampleVPN keeps your data private and 2. high incentives for adversaries to create fronts plus proof they've done so in the past, means that for people such as myself and GP, the situation is equivalent to "ExampleVPN is a front" until we have a reason to believe otherwise.

Edit: Telegram's not-really-end-to-end-E2EE would be another such example.

No. You don't need to compromise every single VPN, just enough that the investment makes sense.

It sounds like you're in the habit of deciding what to believe based on evidence. This will serve you well. But it also sounds like you're in the habit of getting that evidence from people who stand to gain from changing your mind—people like subordinates, entrepreneurs, marketers, politicians, and influencers. In time, you will find that this will serve you less well, because selective choices of evidence can make a fairly convincing case for most things that aren't true.

Probably if you investigate the question you will come to the same conclusion I did; I don't have any special access to non-public evidence. Maybe you won't, which is fine with me. I don't have anything to sell you, so your opinion doesn't really affect me.