
1308 points rickybule | 18 comments

Indonesia is currently in chaos. Earlier today, the government blocked access to Twitter & Discord knowing news spread mainly through those channels. Usually we can use Cloudflare's WARP to avoid it, but just today they blocked the access as well. What alternative should we use?
_verandaguy ◴[] No.45055604[source]
Hello! I've got experience working on censorship circumvention for a major VPN provider (in the early 2020s).

- First things first, you have to get your hands on actual VPN software and configs. Many providers who are aware of VPN censorship and cater to these locales distribute their VPNs through hard-to-block channels and in obfuscated packages. S3 is a popular option but by no means the only one, and some VPN providers partner with local orgs who can figure out the safest and most efficient ways to distribute a VPN package in countries at risk of censorship or undergoing censorship.

- Once you've got the software, you should try to use it with an obfuscation layer.

Obfs4proxy is a popular tool here, and relies on a pre-shared key to make traffic look like nothing special. IIRC it also hides the VPN handshake. This isn't a perfectly secure model, but it's good enough to defeat most DPI setups.

Another option is Shapeshifter, from Operator (https://github.com/OperatorFoundation). Or, in general, anything that uses pluggable transports. While it's a niche technology, it's quite useful in your case.

In both cases, the VPN provider must provide support for these protocols.

- The toughest step long term is not getting caught using a VPN. By its nature, long-term statistical analysis will often reveal a VPN connection regardless of obfuscation and masking (and this approach can be cheaper to support than DPI by a state actor). I don't know the situation on the ground in Indonesia, so I won't speculate about what the best way to avoid this would be, long-term.

I will endorse Mullvad as a trustworthy and technically competent VPN provider in this niche (n.b., I do not work for them, nor have I worked for them; they were a competitor to my employer and we always respected their approach to the space).

replies(13): >>45055852 #>>45055945 #>>45056233 #>>45056299 #>>45056618 #>>45056673 #>>45057320 #>>45057400 #>>45057422 #>>45058880 #>>45061563 #>>45073976 #>>45074923 #
1. ivanstepanovftw ◴[] No.45057422[source]
This is not 'nothing special' with Obfs4proxy. DPI sees it as a random byte stream, thus your government can decide to block unknown protocols. Instead, you should trick DPI into thinking it sees HTTPS. Unless your government decides to block HTTPS.
replies(7): >>45057848 #>>45058119 #>>45058400 #>>45058475 #>>45058593 #>>45060641 #>>45061103 #
2. rafram ◴[] No.45057848[source]
> your government can decide to block unknown protocols

Has any government ever done that? Seems like it would just break everything (because the world is full of devices that use custom protocols!) at great computational expense.

replies(2): >>45059427 #>>45068837 #
3. commandersaki ◴[] No.45058119[source]
The only VPN technology I see that blends as HTTPS is MASQUE IP Proxying, and the only implementation I know that does this is iCloud Private Relay. It is also trivial to block because blocking 443/udp doesn't really affect accessing the Internet.
replies(2): >>45058178 #>>45061136 #
4. artdigital ◴[] No.45058178[source]
Cloudflare WARP (1.1.1.1 tunnel or Zero Trust) runs by default on MASQUE
replies(1): >>45060043 #
5. conradev ◴[] No.45058400[source]
WebRTC is another great option: https://snowflake.torproject.org

It's used for a lot of legitimate traffic as well, so a bit harder to block.

6. tiberious726 ◴[] No.45058475[source]
Exactly this. Hell, for OP's use case of accessing things like twitter, a good old fashioned https proxy would be entirely fine, and likely not even illegal.
replies(1): >>45061583 #
7. userbinator ◴[] No.45058593[source]
Unless your government decides to block HTTPS.

In which case you use stenography, but I believe even the Great Firewall of China doesn't block HTTPS completely.

replies(2): >>45060534 #>>45060666 #
8. thenthenthen ◴[] No.45059427[source]
China blocked https last week: https://www.tomshardware.com/tech-industry/cyber-security/ch...

Discussion: https://news.ycombinator.com/item?id=44958621

replies(1): >>45060001 #
9. rafram ◴[] No.45060001{3}[source]
They blanket blocked connections to port 443 for an hour. There was no protocol sniffing.
10. commandersaki ◴[] No.45060043{3}[source]
Ah, that's true, they originally started off with a Rust implementation of WireGuard but have since moved to MASQUE.
11. widforss ◴[] No.45060534[source]
https://en.m.wikipedia.org/wiki/Kazakhstan_man-in-the-middle...
12. verandaguy ◴[] No.45060641[source]
Hi, posting from my main account (I'm also the poster of the GP comment).

"Nothing special" in this case was meant to describe the fact that it's random data with no identifiable patterns inherent to the data; you're absolutely right that that's what obfs4 does. I understand the confusion though, this phrasing could be better.

> your government can decide to block unknown protocols

This does happen, though when I worked in the industry it wasn't common. Blocking of specific protocols was much more of an obstacle.

> you should trick DPI into thinking it sees HTTPS. Unless your government decides to block HTTPS

HTTPS blocking (typically based on either the presence of a specific SNI field value, or based on the use of the ESNI/ECH TLS extension) was prolific. I won't comment on whether this was effective or not in impeding efforts to get people in these places connected.

I will say though, Operator's Replicant does something similar to what you're describing in that it can mimic unrelated protocols. It's a clever approach, unfortunately it was a bit immature when I was working in that area so the team didn't adopt it while I was around.
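
Two claims in this sub-thread are easy to check mechanically: that an obfs4-style stream gives a DPI box nothing but "random bytes" to look at (comment 1), and that HTTPS blocking keys on the SNI value or the presence of the ECH extension in the ClientHello (the reply above). The following is an added example, not code from any commenter or from the tools they mention. It implements the defender-side view: a minimal first-packet classifier that parses a TLS ClientHello to surface the SNI host and any ECH extension, and otherwise falls back to a byte-entropy measure. All sample flows are constructed inline (the ClientHello has a zeroed random field, the "opaque" stream is hash output), the 6.5 bits/byte threshold is an assumed illustrative value, and the function names are mine.

```python
import hashlib
import math
import struct

# ---- constructed samples (not captured traffic; assumptions for illustration) ----

def build_client_hello(server_name: str, ech: bool = False) -> bytes:
    """Assemble a minimal, structurally valid TLS ClientHello record carrying an SNI
    extension and, optionally, a placeholder encrypted_client_hello extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name(0)
    sni_ext = (struct.pack("!HH", 0, len(sni_entry) + 2)
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    exts = sni_ext
    if ech:
        # 0xfe0d is the draft codepoint for encrypted_client_hello; payload is a dummy here
        exts += struct.pack("!HH", 0xFE0D, 4) + b"\x00\x00\x00\x00"
    body = (
        b"\x03\x03"                # legacy_version TLS 1.2 (TLS 1.3 keeps this value)
        + bytes(32)                # random: zeroed in this constructed sample
        + b"\x00"                  # legacy_session_id: empty
        + b"\x00\x02\x13\x01"      # cipher_suites: TLS_AES_128_GCM_SHA256 only
        + b"\x01\x00"              # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake(22)

TLS_SAMPLE = build_client_hello("example.com")
ECH_SAMPLE = build_client_hello("public.example", ech=True)
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
# 256 bytes of hash output stand in for an obfs4-style uniformly random stream
OPAQUE_SAMPLE = b"".join(hashlib.sha256(b"constructed-sample-%d" % i).digest() for i in range(8))

def parse_client_hello(data: bytes):
    """Walk a TLS ClientHello record and return {"sni": str|None, "ech": bool},
    or None when the bytes do not parse as one."""
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 34                                                # version(2) + random(32)
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                    # legacy_session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                    # compression_methods
    result = {"sni": None, "ech": False}
    if len(body) < pos + 2:
        return result                                       # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0 and len(edata) >= 5 and edata[2] == 0:   # server_name, host_name entry
            name_len = struct.unpack("!H", edata[3:5])[0]
            result["sni"] = edata[5:5 + name_len].decode("ascii", errors="replace")
        elif etype == 0xFE0D:
            result["ech"] = True
    return result

def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the given sample (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_first_bytes(data: bytes, sample: int = 256, threshold: float = 6.5) -> dict:
    """Label the start of a flow the way a naive DPI rule would: a parseable ClientHello
    (with SNI/ECH surfaced so a policy can key on them), readable plaintext, structured
    binary, or an opaque high-entropy stream."""
    hello = parse_client_hello(data)
    if hello is not None:
        return {"label": "tls-clienthello", **hello}
    head = data[:sample]
    entropy = round(shannon_entropy(head), 2)
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return {"label": "plaintext", "entropy": entropy}
    # Near 8 bits/byte there is no header structure to key on; that absence is itself the
    # signal comment 1 describes. The threshold is an assumed value, and real DPI combines
    # entropy with packet lengths and timing rather than using it alone.
    label = "high-entropy-opaque" if entropy >= threshold else "structured-binary"
    return {"label": label, "entropy": entropy}

if __name__ == "__main__":
    for name, flow in [("tls", TLS_SAMPLE), ("ech", ECH_SAMPLE),
                       ("http", HTTP_SAMPLE), ("opaque", OPAQUE_SAMPLE)]:
        print(name, classify_first_bytes(flow))
```

The parser deliberately stops at the ClientHello: that is the only cleartext place the server name appears, which is why SNI filtering and ECH-presence filtering both operate on the very first packet of a connection. The entropy branch shows the other half of the thread's point: a stream with no recognisable structure is not invisible, it is a category of its own, and a policy of "drop what we cannot classify" catches it without any protocol-specific signature.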

13. verandaguy ◴[] No.45060666[source]
Nit: you likely mean steganography, stenography is what court reporters do :)

I encourage you and anyone else here to read into the GFW if you're interested. It's more like the Great Firewalls -- there's regional fragmentation with different vendors, operators, implementations and rules between different parts of the country.

Predictably this means there's no one-size-fits-all solution to circumventing censorship on the Chinese internet, and research into this area's difficult since China has both the technical means to identify violations very efficiently as well as the bureaucratic infrastructure to carry out enforcement actions against a considerable portion of those people who violate the GFW rules (with enforcement action being anything from a "cooldown period" on your internet connection where you can't make any connections for some amount of time between minutes and days, fines, or imprisonment depending on the type of content you were trying to access).

So, the ethics of digging into this get very muddy, very fast.

14. mrs6969 ◴[] No.45061103[source]
How can you do that exactly?
15. drdaeman ◴[] No.45061136[source]
Not the only one; AFAIK Shadowsocks with xray-core can pretend to be a 443/tcp HTTPS server.
replies(1): >>45069354 #
16. sim7c00 ◴[] No.45061583[source]
What I was thinking. DPI might pick up on proxy headers. Alternatively, idk how far one would get just slapping WireGuard or OpenVPN on a VPS somewhere on port 443. That used to work fairly well, but I suppose my experience there is like 10+ years out of date by now.

I know a US based tech firm I worked for around 2020 had a simple HTTPS proxy for Chinese clients to download content updates. Worked really well. It was hosted on some cloud provider and accessible via DNS name, so it's not like it wasn't easy to block it. They just didn't bother, or it was lost in a sea of other similar activities.

That all being said, regarding oppressive regimes and political turmoil situations: if your health or freedom is at risk, don't rely on internet people's 'guesswork' (hard to tell where ppl get their info from, and what it's based on, etc.). Be careful. If you are not confident, don't go forward with it. Try to get advice from local experts instead, who are familiar with the specific context you are dealing with.

17. ivanstepanovftw ◴[] No.45068837[source]
Russia tested this in production by blocking Shadowsocks https://habr.com/ru/news/770840/
18. commandersaki ◴[] No.45069354{3}[source]
Thanks for this, really couldn't find any English explanation of xray-core though.