Ask HN: The government of my country blocked VPN access. What should I use?

1308 points rickybule | 1 comments | 28 Aug 25 16:43 UTC | HN request time: 0.239s | source

Indonesia is currently in chaos. Earlier today, the government blocked access to Twitter & Discord knowing news spread mainly through those channels. Usually we can use Cloudflare's WARP to avoid it, but just today they blocked the access as well. What alternative should we use?

Show context

_verandaguy ◴[28 Aug 25 18:48 UTC] No.45055604[source]▶

>>45054260 (OP) #

Hello! I've got experience working on censorship circumvention for a major VPN provider (in the early 2020s).

- First things first, you have to get your hands on actual VPN software and configs. Many providers who are aware of VPN censorship and cater to these locales distribute their VPNs through hard-to-block channels and in obfuscated packages. S3 is a popular option but by no means the only one, and some VPN providers partner with local orgs who can figure out the safest and most efficient ways to distribute a VPN package in countries at risk of censorship or undergoing censorship.

- Once you've got the software, you should try to use it with an obfuscation layer.

Obfs4proxy is a popular tool here, and relies on a pre-shared key to make traffic look like nothing special. IIRC it also hides the VPN handshake. This isn't a perfectly secure model, but it's good enough to defeat most DPI setups.

Another option is Shapeshifter, from Operator (https://github.com/OperatorFoundation). Or, in general, anything that uses pluggable transports. While it's a niche technology, it's quite useful in your case.

In both cases, the VPN provider must provide support for these protocols.

- The toughest step long term is not getting caught using a VPN. By its nature, long-term statistical analysis will often reveal a VPN connection regardless of obfuscation and masking (and this approach can be cheaper to support than DPI by a state actor). I don't know the situation on the ground in Indonesia, so I won't speculate about what the best way to avoid this would be, long-term.

I will endorse Mullvad as a trustworthy and technically competent VPN provider in this niche (n.b., I do not work for them, nor have I worked for them; they were a competitor to my employer and we always respected their approach to the space).

replies(13): >>45055852 #>>45055945 #>>45056233 #>>45056299 #>>45056618 #>>45056673 #>>45057320 #>>45057400 #>>45057422 #>>45058880 #>>45061563 #>>45073976 #>>45074923 #

btown ◴[28 Aug 25 19:43 UTC] No.45056233[source]▶

>>45055604 #

This makes me wonder: are there "cloud drive virtual sneakernet" systems that will communicate e.g. by a client uploading URL request(s) as documents via OneDrive/SharePoint/Google Drive/Baidu etc., a server reacting to this via webhook and uploading (say) a PDF version of the rendered site, then allowing the client to download that PDF? You effectively use the CDN of that service as a (very slow) proxy.

Of course, https://xkcd.com/538/ applies in full force, and I don't have any background in the space to make this a recommendation!

replies(2): >>45056402 #>>45057410 #

1. jack_pp ◴[28 Aug 25 20:00 UTC] No.45056402[source]▶

>>45056233 #

It doesn't apply imo as OP is probably not a high value target of the govt, he just wants to bypass his govt restrictions and I doubt the situation is so bad that the govt will send people physically to deal with people circumventing the block.

Your solution could technically work over any kind of open connection / data transfer protocol that isn't blocked by the provider but it would be an absolute pain to browse the web that way and there are probably better solutions out there.

↑