
1309 points rickybule | 3 comments

Indonesia is currently in chaos. Earlier today, the government blocked access to Twitter & Discord knowing news spread mainly through those channels. Usually we can use Cloudflare's WARP to avoid it, but just today they blocked the access as well. What alternative should we use?
joshryandavis No.45056956
I lived in China for a while and there were several waves of VPN blocks. Also very few VPN services even try to actively support VPN-blocking nations anymore. Any commercial offering will be blocked eventually.

What I settled on for decent reliability and speeds was a free-tier EC2 hosted in an international region. I then set up a SOCKS5 server and connected my devices to it. You mentioned Cloudflare so whatever their VM service is might also work.

It's very low profile as it's just your traffic and the state can't easily differentiate your host from the millions of others in that cloud region.

LPT for surviving the unfree internet: GitHub won't be blocked and you'll find all the resources and downloads you need for this method and others posted by Chinese engineers.

Edit: If you're worried about being too identifiable because of your static IP, well it's just a computer, you can use a VPN on there too if you want to!

wulfstan No.45057189
When I worked in China (not for long periods but frequently enough that the Great Firewall became an irritant) I hosted an OpenVPN server on port 443 and/or port 22 of a server I owned. That worked sufficiently well most of the time.
1. 77pt77 No.45057444
Which is ridiculous because OpenVPN is trivial to identify, even when over TCP since it's different from "regular" HTTPS/SSL traffic.

Why they chose this I have no idea.

You can even port share.

443 -> Web server for HTTPS traffic
443 -> OpenVPN for OpenVPN traffic

Still trivial to identify and not uncommon for even public WiFi to do so.

Since I changed to tailscale+headscale with my own derp server all these issues have disappeared (for now).

2. moduspol No.45059416
It’s basically the same as the UDP mode, except wrapped into TCP. Presumably because that’s simpler than redesigning it from the ground up for TCP.

So the handshake and such will not look like a normal TLS handshake.

3. ranger_danger No.45077161
SoftEther works over "regular" TLS at least, you can even reverse-proxy it.
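
Added example, not part of any comment above: a first-bytes classifier illustrating the point made in the thread that OpenVPN wrapped in TCP does not begin like a TLS handshake, which is also the kind of check that lets one listener on port 443 hand HTTPS and OpenVPN connections to different backends. The function name, the sample byte strings and the opcode-plus-length heuristic are assumptions made for illustration; real traffic classifiers check more than this.

```python
import struct

# Opcodes an OpenVPN client can send as its very first packet.
# On the wire the opcode is the high 5 bits of one byte, the key id the low 3.
OPENVPN_CLIENT_RESETS = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}

def classify_first_bytes(data: bytes) -> str:
    """Label the first client bytes seen on a new TCP connection."""
    if len(data) < 6:
        return "unknown (too short)"

    # TLS: record header = type(1) version(2) length(2), then handshake type(1).
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if (ctype == 0x16 and major == 0x03 and minor <= 0x04
            and 0 < rec_len <= 16384 + 256 and data[5] == 0x01):
        return "tls-client-hello"

    # OpenVPN over TCP: 16-bit packet length, then the opcode/key-id byte.
    (pkt_len,) = struct.unpack("!H", data[:2])
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    # Heuristic: a hard reset carries at least opcode(1) + session id(8)
    # + ack count(1) + packet id(4) = 14 bytes, and starts with key id 0.
    if opcode in OPENVPN_CLIENT_RESETS and key_id == 0 and pkt_len >= 14:
        return "openvpn-tcp (" + OPENVPN_CLIENT_RESETS[opcode] + ")"

    return "unknown"

# Constructed sample inputs (not captured traffic).
SAMPLE_TLS = bytes.fromhex("16030100c8010000c40303") + bytes(32)
SAMPLE_OPENVPN = (struct.pack("!H", 14) + bytes([7 << 3])   # length, opcode 7 / key 0
                  + bytes(range(8)) + b"\x00" + bytes(4))   # session id, acks, packet id
SAMPLE_HTTP = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    for name, blob in [("tls", SAMPLE_TLS), ("openvpn", SAMPLE_OPENVPN),
                       ("http", SAMPLE_HTTP)]:
        print(name, "->", classify_first_bytes(blob))
```

The plaintext HTTP sample is a useful edge case: its third byte happens to decode to opcode 10, and only the key-id check keeps it from being mislabelled.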