
1308 points rickybule | 10 comments

Indonesia is currently in chaos. Earlier today, the government blocked access to Twitter & Discord knowing news spread mainly through those channels. Usually we can use Cloudflare's WARP to avoid it, but just today they blocked the access as well. What alternative should we use?
1. Arubis ◴[] No.45055488[source]
If you can still get SSH access and can establish an account with a VPS provider with endpoints outside your country of origin, https://github.com/StreisandEffect/streisand is a little long in the tooth but may still be viable.
replies(2): >>45055528 #>>45055636 #
2. bsimpson ◴[] No.45055528[source]
15 years ago, I was using EC2 at work, and realized it was surprisingly easy to SSH into it in a way where all my traffic went through EC2. I could watch local Netflix when traveling. It was a de facto VPN.

Details are not at the top of my mind these years later, but you can probably rig something up yourself that looks like regular web dev shit and not a known commercial VPN. I think there was a preference in Firefox or something.

replies(2): >>45055666 #>>45055957 #
3. kccqzy ◴[] No.45055636[source]
Tunneling via SSH (ssh -D) is super easy to detect. The government doesn't need any sophisticated analysis to tell SSH connections for tunneling from SSH connections where a human is typing into a terminal.

Countries like China have blocked SSH-based tunneling for years.

It can also block sessions based on packet sizes: a typical web browsing session involves a short HTTP request and a long HTTP response, during which the receiving end sends TCP ACKs; but if the traffic mimics the above except these "ACKs" are a few dozen bytes larger than a real ACK, it knows you are tunneling over a different protocol. This is how it detects the vast majority of VPNs.

replies(3): >>45055897 #>>45059399 #>>45063772 #
4. hinkley ◴[] No.45055666[source]
I watched a season of Doctor Who that way back when the BBC were being precious about it. But Digital Ocean, so $5.
5. mnw21cam ◴[] No.45055897[source]
One alternative would be to set up a VPS, run VNC on it, run your browser on that to access the various web sites, and connect over an SSH tunnel to the VNC instance. Then it actually is an interactive ssh session.
replies(1): >>45056825 #
6. mikestorrent ◴[] No.45055957[source]
The issue these days is that all of the EC2 IP ranges are well known, and are usually not very high-reputation IPs, so a lot of services will block them, or at least aggressively require CAPTCHAs to prevent botting.

Source: used to work for a shady SEO company that searched Google 6,000,000 times a day on a huge farm of IPs from every provider we could find

7. galaxy_gas ◴[] No.45056825{3}[source]
Anything more than small text bandwidth use is also detected. Not about interactivity instead this case
8. beeflet ◴[] No.45059399[source]
You could just run links or some text-based browser on the other side.

Perhaps you could also write a script that would mimic typing over the link.

9. Havoc ◴[] No.45063772[source]
>Tunneling via SSH (ssh -D) is super easy to detect.

Mind elaborating on a high level how they'd distinguish? Just volume of it?

replies(1): >>45066481 #
10. kccqzy ◴[] No.45066481{3}[source]
More like ML classification based on packet sizes and time deltas.
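
The packet-size and timing signals kccqzy describes in this thread, as an added example that is not part of any comment: a simple threshold heuristic stands in for the ML classifier mentioned. The flow records, thresholds, and function names are constructed for illustration.

```python
from statistics import median

# Constructed flow records, not captured traffic:
# (seconds since flow start, direction, encrypted payload bytes).
# "up" is client to server, "down" is server to client.
INTERACTIVE = [  # keystrokes and their echoes
    (0.00, "up", 36), (0.02, "down", 36), (0.31, "up", 36), (0.33, "down", 36),
    (0.58, "up", 36), (0.60, "down", 52), (1.40, "up", 36), (1.43, "down", 120),
    (2.10, "up", 36), (2.12, "down", 36),
]
# One short request, then near-full-size segments with small upstream records
# interleaved: inner TCP ACKs that the tunnel wraps in its own framing.
TUNNELLED = [(0.000, "up", 420)] + [
    (0.050 + i * 0.002, "up", 68) if i % 3 == 0 else (0.050 + i * 0.002, "down", 1400)
    for i in range(30)
]

# Illustrative thresholds (assumptions); a real classifier would learn them.
MAX_BURST_GAP_S, MIN_DOWN_UP_RATIO, MIN_WRAPPED_ACK_SHARE = 0.1, 10.0, 0.5


def features(flow):
    """Reduce a flow to size and timing features of its payload-bearing packets."""
    up_times = [t for t, d, _ in flow if d == "up"]
    up_gaps = [b - a for a, b in zip(up_times, up_times[1:])]
    up_bytes = sum(n for _, d, n in flow if d == "up")
    down_bytes = sum(n for _, d, n in flow if d == "down")
    # A bare TCP ACK carries no payload. A small upstream record that directly
    # follows a large downstream one is the "ACK a few dozen bytes too big".
    wrapped = sum(
        1 for prev, cur in zip(flow, flow[1:])
        if prev[1] == "down" and prev[2] >= 1000 and cur[1] == "up" and 0 < cur[2] <= 100
    )
    return {
        "median_up_gap_s": median(up_gaps) if up_gaps else float("inf"),
        "down_up_ratio": down_bytes / max(up_bytes, 1),
        "wrapped_ack_share": wrapped / max(len(up_times), 1),
    }


def classify(flow):
    """Label a flow 'tunnel-like' when at least two of three signals fire."""
    f = features(flow)
    signals = [
        f["median_up_gap_s"] < MAX_BURST_GAP_S,
        f["down_up_ratio"] > MIN_DOWN_UP_RATIO,
        f["wrapped_ack_share"] > MIN_WRAPPED_ACK_SHARE,
    ]
    return "tunnel-like" if sum(signals) >= 2 else "interactive"
```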