1309 points rickybule | 47 comments

Indonesia is currently in chaos. Earlier today, the government blocked access to Twitter & Discord knowing news spread mainly through those channels. Usually we can use Cloudflare's WARP to avoid it, but just today they blocked the access as well. What alternative should we use?
_verandaguy ◴[] No.45055604[source]
Hello! I've got experience working on censorship circumvention for a major VPN provider (in the early 2020s).

- First things first, you have to get your hands on actual VPN software and configs. Many providers who are aware of VPN censorship and cater to these locales distribute their VPNs through hard-to-block channels and in obfuscated packages. S3 is a popular option but by no means the only one, and some VPN providers partner with local orgs who can figure out the safest and most efficient ways to distribute a VPN package in countries at risk of censorship or undergoing censorship.

- Once you've got the software, you should try to use it with an obfuscation layer.

Obfs4proxy is a popular tool here, and relies on a pre-shared key to make traffic look like nothing special. IIRC it also hides the VPN handshake. This isn't a perfectly secure model, but it's good enough to defeat most DPI setups.

Another option is Shapeshifter, from Operator (https://github.com/OperatorFoundation). Or, in general, anything that uses pluggable transports. While it's a niche technology, it's quite useful in your case.

In both cases, the VPN provider must provide support for these protocols.

- The toughest step long term is not getting caught using a VPN. By its nature, long-term statistical analysis will often reveal a VPN connection regardless of obfuscation and masking (and this approach can be cheaper to support than DPI by a state actor). I don't know the situation on the ground in Indonesia, so I won't speculate about what the best way to avoid this would be, long-term.

I will endorse Mullvad as a trustworthy and technically competent VPN provider in this niche (n.b., I do not work for them, nor have I worked for them; they were a competitor to my employer and we always respected their approach to the space).

replies(13): >>45055852 #>>45055945 #>>45056233 #>>45056299 #>>45056618 #>>45056673 #>>45057320 #>>45057400 #>>45057422 #>>45058880 #>>45061563 #>>45073976 #>>45074923 #
1. teeray ◴[] No.45056673[source]
> First things first, you have to get your hands on actual VPN software and configs.

It would be nice if one of the big shortwave operators could datacast these packages to the world as a public service.

replies(5): >>45056874 #>>45057270 #>>45057776 #>>45058196 #>>45059764 #
2. downrightmike ◴[] No.45056874[source]
https://github.com/StreisandEffect/streisand
replies(1): >>45057937 #
3. mfiro ◴[] No.45057270[source]
The problem is the countries, which censor Internet and block VPNs, also jam shortwave radio signals.
replies(3): >>45057864 #>>45058217 #>>45059212 #
4. SahAssar ◴[] No.45057864[source]
Could I ask for a source on that and how common it is?

Seems like it was used way back in the cold war (and even then not blocked/jammed) and I'd guess that current authoritarian regimes would perhaps not bother considering how few could use it.

replies(4): >>45058143 #>>45058348 #>>45058405 #>>45089926 #
5. NamTaf ◴[] No.45057937[source]
Streisand is extremely out of date and wouldn’t last long in China, but I don’t know how sophisticated Indonesia’s firewall is
replies(1): >>45060068 #
6. asimovfan ◴[] No.45058143{3}[source]
If it became a widespread practice, wouldn't even the countries that don't yet do it probably start doing it?
7. ianburrell ◴[] No.45058196[source]
There isn't enough bandwidth in HF to transmit data. Digital HF audio is 20 kHz wide so maybe 50kbps. The entire HF band is only 3-30 MHz.
replies(4): >>45058527 #>>45058633 #>>45059168 #>>45067499 #
8. DrAwdeOccarim ◴[] No.45058217[source]
I’m not sure that’s super feasible any longer with the advent of cheap SDRs. Over-the-horizon HF broadcast can be heard with a simple speaker wire antenna inside your house. If anyone is interested in trying to deploy such an idea, I’d love to participate as an avid ham.
9. bragr ◴[] No.45058348{3}[source]
Source: trust me bro, but you can find HF jamming pretty easily on Internet connected SDRs, especially near "sensitive" countries.
10. Marsymars ◴[] No.45058405{3}[source]
The USSR had an extensive shortwave radio jamming program!
replies(2): >>45061280 #>>45061693 #
11. transcriptase ◴[] No.45058527[source]
Wait until you find out what people used to do with phone lines!
replies(1): >>45058720 #
12. zack6849 ◴[] No.45058633[source]
Sure there is, you can send files over HF. It may not be FAST, but once you get it into the country, you can just copy the file with a faster method (e.g. USB drive). WINLINK supports attachments, so you could absolutely send these files over HF.
replies(2): >>45058717 #>>45061347 #
13. smallnamespace ◴[] No.45058717{3}[source]
If you're going to be using USB drives anyway, then using them to move files into the country would be faster.
replies(1): >>45058956 #
14. ◴[] No.45058720{3}[source]
15. nine_k ◴[] No.45058956{4}[source]
More dangerous though. You'd need something like truecrypt, too.
replies(2): >>45059840 #>>45060220 #
16. tzs ◴[] No.45059168[source]
50 kb/s x 1000 bits/kb x 3600 s/hr x 24 hr/day x 1 byte/8 bits x 1 MB / 1000000 bytes = 540 MB/day. That's enough to download VPN software and a Linux distribution to run it on in a day.

If you've already got a Linux system, the Debian openvpn package is under 1 MB and at 50 kb/s would take under 3 minutes to download. I don't know if openvpn in particular is suitable for people who are trying to evade their government, but would whatever features it is missing add substantially more size?

replies(5): >>45059217 #>>45059946 #>>45060048 #>>45060418 #>>45089948 #
17. godelski ◴[] No.45059212[source]
It's possible but also difficult to jam radio. That's part of why programs like Radio Free Asia[0,1] exist. Even if you can't broadcast from inside a territory you can broadcast from outside. It can be jammed but it is a tough cat and mouse game and jamming isn't precise. So when you jam there are casualties. Not to mention that jamming can be quite expensive.

I'm not saying that makes the problem easy, but I'll say that jamming isn't a very strong defense.

Though the bigger issue here is probably bandwidth. It's hard to be both long range and data dense. There are probably easier ways to distribute this. Hell, both Koreas are known to transport different things via balloons.

[0] https://en.wikipedia.org/wiki/Radio_Free_Asia

[1] It is also why projects like Tor and Signal get funding from RFA. Maybe the US doesn't want encrypted services here, but if anything, it's for the same reason they do want encrypted services in other countries.

18. jdkdbrnrnrb ◴[] No.45059217{3}[source]
You never used dialup did you?
replies(3): >>45059337 #>>45060165 #>>45068395 #
19. kingforaday ◴[] No.45059337{4}[source]
zmodem to the rescue!
20. hattmall ◴[] No.45059764[source]
But then couldn't the authorities just intercept it too and then block those ips?
21. youainti ◴[] No.45059840{5}[source]
btw, veracrypt is the name of the follow-up project. truecrypt shut down over a decade ago rather abruptly, so anything labeled truecrypt today is suspect as either out of date or potential malware.
replies(1): >>45064077 #
22. ◴[] No.45059946{3}[source]
23. mrdomino- ◴[] No.45060048{3}[source]
Yeah, you could use forward error correction too, so any n bits would be enough to reconstruct the input.

Of course then you get into needing software to decode the more advanced encodings; maybe start with a voice transmission explaining in plain language how to decode the first layer, which gives you a program that can decode the second layer, or something.

Starting to sound like an interesting project.

24. fsckboy ◴[] No.45060068{3}[source]
i have a few chinese friends and they say it's always easy to get a working vpn. that might not be true in a Tiananmen type crisis, i dunno, but month in month out year upon year they surf western sites, exchange winnie the pooh pictures, etc. i suppose the people i know could be relatively upper class, i have no idea what type difference that could make. i had a chinese gf in LA who would send... my >cough< pictures... to her mother in china because she enjoyed them
replies(1): >>45082422 #
25. anonzzzies ◴[] No.45060165{4}[source]
300 baud. Was enough to download grainy porn pics. With a proper download tool that continues after hangups etc. you can just leave it on for a week, and I have when downloading software at the end of the 70s. No problem. Also via the airwaves: we had software via the radio every Sunday. Works fine. Modern software is shitty large: it would be nice if a VPN provider would just release the driver and a CLI which should not weigh over a mega (far less, but outside Mr. Whitney I am not sure if that type of software dev still exists) for this type of transfer.
26. estimator7292 ◴[] No.45060220{5}[source]
Nah, just drop a few thousand 1GB flash drives from a plane. Load them with a tor browser, a wireguard client, and instructions on finding a remote exit. Only one copy needs to survive and it can spread very quickly and irreversibly by foot.
replies(2): >>45060566 #>>45061435 #
27. jchook ◴[] No.45060418{3}[source]
Wireguard ships with the Linux kernel so you only need to receive ~60 bytes of configuration information.
replies(2): >>45060584 #>>45064972 #
28. ZaoLahma ◴[] No.45060566{6}[source]
Yeah, this is a great approach if you're already at war with a country.

If you're not and they're still allowing your planes to fly through their airspace then this is a great way to ensure that they lock your (and your friends') planes out.

replies(1): >>45079668 #
29. teiferer ◴[] No.45060584{4}[source]
The user-facing software is not included in the kernel, but you need that to configure wireguard.
replies(1): >>45061314 #
30. spwa4 ◴[] No.45061280{4}[source]
... to block BBC and Voice of America, RFE and RL.

But they recently switched to a much cheaper and more effective jamming program: Trump [1].

[1] https://apnews.com/article/voa-radio-trump-media-cuts-5f87df...

31. jchook ◴[] No.45061314{5}[source]
Is that true? I thought wg-quick etc were just convenience functions and that it's relatively trivial to use iproute2 to configure a VPN link
replies(1): >>45077183 #
32. GoblinSlayer ◴[] No.45061347{3}[source]
Or just google drive.
replies(1): >>45077186 #
33. GJim ◴[] No.45061435{6}[source]
Plugging in a strange USB drive?

What could go wrong.

replies(1): >>45062729 #
34. BoxOfRain ◴[] No.45061693{4}[source]
The UK used to get around this with very powerful medium-wave signals, the site at Orfordness could put out the BBC World Service at 2 MW towards the USSR and the Eastern Bloc. This site was built on the remains of a 1960s UK/US over-the-horizon radar installation that never worked properly.

These broadcasts were shut down in the early '10s but ironically one of the masts is still in use by Radio Caroline, the former pirate who broke the BBC's radio monopoly by putting their station just outside of UK territorial waters. Their 4 kW goes pretty far given the site's previous role, heard them as far away as the Lake District.

35. ForOldHack ◴[] No.45062729{7}[source]
Would you like a short list, a long list or ...
36. cheeseomlit ◴[] No.45064077{6}[source]
Wasn't the conspiracy theory that truecrypt got shut down because it was 'too effective', and the successor projects presumably have intentional backdoors or something?
replies(1): >>45076942 #
37. immibis ◴[] No.45064972{4}[source]
Wireguard is also easily censored and is already censored in the places that censor VPNs.
38. pythonguython ◴[] No.45067499[source]
I’m not familiar with any HF comms channels other than military or broadcasting that get 20 kHz of bandwidth. Most HF modes get 3 kHz. You might be able to get 5 kbps at 3 kHz BW with some modern modes that can adapt to the frequency selective non stationary channel.
39. tzs ◴[] No.45068395{4}[source]
9600 bps dialup using the protocols commonly used back then such as ZMODEM could do file transfers at 3 MB/hour. That would be fine for grabbing VPN software.
40. rOOb85 ◴[] No.45076942{7}[source]
Truecrypt was likely developed by only 1 man, Paul Le Roux, who likely shut it down because he was on the run for being an international drug/human smuggler/cartel member. It’s kind of a crazy story.

But either way both truecrypt and veracrypt were independently audited and no major flaws were found. Not sure when the last veracrypt audit was done.

41. immibis ◴[] No.45077183{6}[source]
You don't need wg-quick. You do need the "wg" command.
42. immibis ◴[] No.45077186{4}[source]
Banned in places that ban VPNs.
43. chipsrafferty ◴[] No.45079668{7}[source]
Drop them from commercial planes via the toilet?
replies(1): >>45081003 #
44. daflip ◴[] No.45081003{8}[source]
When you flush the toilet in an airplane the contents are normally vacuumed into a holding tank which gets emptied after the plane lands.
45. akk0 ◴[] No.45082422{4}[source]
The way you phrased this makes it sound like your ex was sending your dick pics to her mom, which I'm not sure is the intended reading (but more power to them...?)
46. lormayna ◴[] No.45089926{3}[source]
If you are in Europe you can easily listen to Dengle Welat (1) or other Kurdish radios jammed by the Turkish government with the anthem or other patriotic songs. Or the Buzzer, the Russian military UVB-76 transmission (2), jammed frequently by Ukrainian ham radio operators.

(1) It's usually around 11500 kHz

(2) 4625 kHz

47. lormayna ◴[] No.45089948{3}[source]
HF is really noisy. You need a lot of error correction to ensure that the package is consistent and without any error. This will drastically decrease the real bit rate.
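
Added example, not part of any comment in this thread: the forward-error-correction idea from comment 23 (enough received pieces, whichever ones, rebuild the input) and the bit-rate cost raised in comment 47, written as a Reed-Solomon-style erasure code over GF(257). The function names and sample payload are constructed here, and it assumes each packet carries a checksum so that damaged packets are discarded instead of being decoded.

```python
import random

P = 257  # smallest prime above 255, so every byte value is a field element
SAMPLE = b"constructed sample payload"  # stands in for a chunk of the broadcast file

def interpolate(points, x):
    """Evaluate at x the unique degree < len(points) polynomial through points, mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def encode(block, n):
    """k = len(block) data bytes -> n packets (index, value); the first k are the data."""
    k = len(block)
    if not 0 < k <= n < P:
        raise ValueError("need 0 < k <= n < 257")
    points = list(enumerate(block))
    return points + [(x, interpolate(points, x)) for x in range(k, n)]

def decode(received, k):
    """Rebuild the k data bytes from any k packets with distinct indices."""
    uniq = dict(received)  # a rebroadcast packet counts once
    if len(uniq) < k:
        raise ValueError(f"have {len(uniq)} usable packets, need {k}")
    points = list(uniq.items())[:k]
    return bytes(interpolate(points, x) for x in range(k))

if __name__ == "__main__":
    k = len(SAMPLE)
    packets = encode(SAMPLE, 2 * k)              # code rate k/n = 1/2
    heard = random.Random(1).sample(packets, k)  # constructed loss: half never arrive
    print(decode(heard, k) == SAMPLE)
```

Sending n = 2k packets halves the useful bit rate, which is the trade-off comment 47 describes: the noisier the channel, the larger n has to be relative to k.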