←back to thread

Ask HN: The government of my country blocked VPN access. What should I use?

1309 points rickybule | 1 comments | 28 Aug 25 16:43 UTC | HN request time: 0.001s | source

Indonesia is currently in chaos. Earlier today, the government blocked access to Twitter & Discord knowing news spread mainly through those channels. Usually we can use Cloudflare's WARP to avoid it, but just today they blocked the access as well. What alternative should we use?
Show context
_verandaguy ◴[28 Aug 25 18:48 UTC] No.45055604[source]
Hello! I've got experience working on censorship circumvention for a major VPN provider (in the early 2020s).

- First things first, you have to get your hands on actual VPN software and configs. Many providers who are aware of VPN censorship and cater to these locales distribute their VPNs through hard-to-block channels and in obfuscated packages. S3 is a popular option but by no means the only one, and some VPN providers partner with local orgs who can figure out the safest and most efficient ways to distribute a VPN package in countries at risk of censorship or undergoing censorship.

- Once you've got the software, you should try to use it with an obfuscation layer.

Obfs4proxy is a popular tool here, and relies on a pre-shared key to make traffic look like nothing special. IIRC it also hides the VPN handshake. This isn't a perfectly secure model, but it's good enough to defeat most DPI setups.

Another option is Shapeshifter, from Operator (https://github.com/OperatorFoundation). Or, in general, anything that uses pluggable transports. While it's a niche technology, it's quite useful in your case.

In both cases, the VPN provider must provide support for these protocols.

- The toughest step long term is not getting caught using a VPN. By its nature, long-term statistical analysis will often reveal a VPN connection regardless of obfuscation and masking (and this approach can be cheaper to support than DPI by a state actor). I don't know the situation on the ground in Indonesia, so I won't speculate about what the best way to avoid this would be, long-term.

I will endorse Mullvad as a trustworthy and technically competent VPN provider in this niche (n.b., I do not work for them, nor have I worked for them; they were a competitor to my employer and we always respected their approach to the space).

replies(13): >>45055852 #>>45055945 #>>45056233 #>>45056299 #>>45056618 #>>45056673 #>>45057320 #>>45057400 #>>45057422 #>>45058880 #>>45061563 #>>45073976 #>>45074923 #
hsbauauvhabzb ◴[28 Aug 25 19:20 UTC] No.45055945[source]
I’m curious about what makes it difficult to block a vpn provider long term. You said getting the software is difficult, but can a country not block known vpn ingress points?
replies(1): >>45056139 #
_verandaguy ◴[28 Aug 25 19:34 UTC] No.45056139[source]
A country can and absolutely will block known VPN ingress points. There are two tricks that we can use to circumvent this:

- Host on a piece of infrastructure that's so big that you can't effectively block it without causing a major internet outage (think: S3, Cloudflare R2, etc). Bonus points if you can leverage something like ECH (ex-ESNI) to make it harder to identify a single bucket or subdomain.

- Keep spawning new domains and subdomains to distribute your binaries.

There are complications with both approaches. Some countries block ECH outright. Some have no problem shutting the internet down wholesale for a little bit. The domain-hopping approach presents challenges w/r/t establishing trust (though not insurmountable ones, much of the time).

These are thing that have to be judged and balanced on a case-by-case basis, and having partners on the ground in these places really helps reduce risk to users trying to connect from these places, but then you have to be very careful talking to then since they could themselves get in trouble for trying to organize a VPN distribution network with you. It's layers on layers, and at some point it helps to just have someone on the team with a background in working with people in vulnerable sectors and someone else from a global affairs and policy background to try and keep things as safe as they can be for people living under these regimes.

replies(3): >>45056238 #>>45056532 #>>45060645 #
shawa_a_a ◴[28 Aug 25 19:44 UTC] No.45056238[source]
I've heard of domain fronting, where you host something on a subdomain of a large provider like Azure or Amazon. Is this what you're talking about when you say

> - Host on a piece of infrastructure that's so big that you can't effectively block it without causing a major internet outage (think: S3, Cloudflare R2, etc).

How can one bounce VPN traffic through S3? Or are you just talking about hosting client software, ingress IP address lists, etc?

replies(2): >>45056304 #>>45057668 #
_verandaguy ◴[28 Aug 25 19:51 UTC] No.45056304[source]
That's generally for distribution, but yeah, it's a form of domain fronting.

There are some more niche techniques that are _really_ cool but haven't gained widespread adoption, too, like refractive routing. The logistics of getting that working are particularly challenging since you need a willing partner who'll undermine some of their trustworthiness with some actors to support (what is, normally, to them) your project.

replies(1): >>45058328 #
1. jart ◴[28 Aug 25 23:49 UTC] No.45058328{3}[source]
If I understand correctly, refractive routing basically just gets big trustworthy cloud providers to host the VPNs so that third world governments can't block them without blocking the cloud too. It's an unfortunate solution since tech platforms are international entities that should be neutral. When America asks them to take sides and prevent other countries from implementing their desired policies, America is spending the political capital and trust that tech companies worked hard to earn. It's also really foolish of those countries to just block things outright. They could probably achieve their policy goals simply by slowing down access to VPN endpoints.