
1309 points | rickybule | 8 comments

Indonesia is currently in chaos. Earlier today, the government blocked access to Twitter & Discord knowing news spread mainly through those channels. Usually we can use Cloudflare's WARP to avoid it, but just today they blocked the access as well. What alternative should we use?
Humorist2290 ◴[] No.45054496[source]
- Tor. Pros: Reasonably user friendly and easy to get online, strong anonymity, free. Cons: a common target for censorship, not very fast, exit nodes are basically universally distrusted by websites.

- Tailscale with Mullvad exit nodes. Pros: little setup but not more than installing and configuring a program, faster than Tor, very versatile. Cons: deep packet inspection can probably identify your traffic is using Mullvad, costs some money.

- Your own VPSs with Wireguard/Tailscale. Pros: max control, you control how fast you want it, you can share with people you care about (and are willing to support). Cons: the admin effort isn't huge but requires some skill, cost is flexible but probably 20-30$ per month minimum in hosting.

replies(12): >>45054512 #>>45054517 #>>45054567 #>>45054628 #>>45054699 #>>45054720 #>>45055029 #>>45055389 #>>45055401 #>>45055431 #>>45056362 #>>45059374 #
1. akho ◴[] No.45056362[source]
Wireguard is not censorship-resistant, and most VPN-averse countries block cross-border Wireguard. Why reply to a practical question in an area in which you have no experience?
replies(2): >>45056505 #>>45056516 #
2. more_corn ◴[] No.45056505[source]
Because Indonesia is new to the game and might still be catching up. They’re probably playing whack-a-mole with the most common public VPN providers and might not be doing deep packet inspection yet. I worked with someone getting traffic out of Hong Kong a year ago and there was a lot of trial and error figuring out what was blocked and what was not. Wireguard was one that worked.
replies(1): >>45056729 #
3. LeoPanthera ◴[] No.45056516[source]
Is it possible to identify wireguard traffic that isn't on a common port?
replies(1): >>45056586 #
4. akho ◴[] No.45056586[source]
Yes. Fixed packet headers, predictable packet sizes. I don't know what "a common port" means in relation to wg.
replies(2): >>45057307 #>>45057416 #
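
Added example, not part of any comment in this thread: a sketch of why "fixed packet headers, predictable packet sizes" makes WireGuard recognisable on any UDP port. The message sizes and header layout are assumptions taken from the public WireGuard protocol description, and the sample packets and the names `classify`, `flow_matches` and `fake_message` are constructed for illustration.

```python
# Added illustration; sizes and layout come from the public WireGuard
# protocol description, not from the thread. Sample packets are constructed.
import struct

FIXED_SIZES = {1: ("handshake_initiation", 148),
               2: ("handshake_response", 92),
               3: ("cookie_reply", 64)}

def classify(payload: bytes):
    """Name the WireGuard message a UDP payload matches, or return None.

    The destination port is never consulted: only the 4-byte header
    (type byte + three zero bytes) and the payload length are checked.
    """
    if len(payload) < 32 or payload[1:4] != b"\x00\x00\x00":
        return None
    msg_type = payload[0]
    if msg_type in FIXED_SIZES:
        name, size = FIXED_SIZES[msg_type]
        return name if len(payload) == size else None
    # Type 4: 16-byte header + ciphertext padded to 16 bytes + 16-byte tag.
    if msg_type == 4 and (len(payload) - 32) % 16 == 0:
        return "keepalive" if len(payload) == 32 else "transport_data"
    return None

def flow_matches(payloads):
    """True if a flow opens with a handshake and every packet fits the format."""
    kinds = [classify(p) for p in payloads]
    return bool(kinds) and kinds[0] == "handshake_initiation" and None not in kinds

def fake_message(msg_type: int, total_len: int) -> bytes:
    """Constructed stand-in: correct header and length, filler body."""
    return struct.pack("<I", msg_type) + b"\xaa" * (total_len - 4)

# Constructed flows as (udp_port, payloads); the port plays no part in the result.
SAMPLE_FLOWS = {
    "wg on 51820": (51820, [fake_message(1, 148), fake_message(2, 92),
                            fake_message(4, 32), fake_message(4, 1312)]),
    "wg on 443": (443, [fake_message(1, 148), fake_message(2, 92),
                        fake_message(4, 96)]),
    "dns-like": (53, [b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 30]),
}

if __name__ == "__main__":
    for label, (port, payloads) in SAMPLE_FLOWS.items():
        print(f"{label:12} port={port:<5} wireguard-shaped={flow_matches(payloads)}")
```
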
5. akho ◴[] No.45056729[source]
They recommend Tailscale in particular. Tailscale control plane and DERPs (which are functionally required on mobile) will be among the first to go.

Outline (shadowsocks-based) and amnezia (obfuscated wg and xray) both offer few-click install on your own VPS, which is easier than setting up headscale or static wg infrastructure, and will last you longer.

Also, you did not answer my "why" question. I'm not sure what question you were answering.

6. kube-system ◴[] No.45057307{3}[source]
They mean UDP port 51820
replies(1): >>45057391 #
7. akho ◴[] No.45057391{4}[source]
Yeah. Tailscale uses 41641, and you can generally use whatever. I don't think there's any consensus, or majority.
8. ItsHarper ◴[] No.45057416{3}[source]
51820 is the one they use in the docs, that's probably the most common one.