←back to thread

Ask HN: The government of my country blocked VPN access. What should I use?

1308 points rickybule | 2 comments | 28 Aug 25 16:43 UTC | HN request time: 0s | source

Indonesia is currently in chaos. Earlier today, the government blocked access to Twitter & Discord knowing news spread mainly through those channels. Usually we can use Cloudflare's WARP to avoid it, but just today they blocked the access as well. What alternative should we use?
Show context
joshryandavis ◴[28 Aug 25 20:57 UTC] No.45056956[source]
I lived in China for a while and there were several waves of VPN blocks. Also very few VPN services even try to actively support VPN-blocking nations anymore. Any commercial offering will be blocked eventually.

What I settled on for decent reliability and speeds was a free-tier EC2 hosted in an international region. I then setup a SOCKS5 server and connected my devices to it. You mentioned Cloudflare so whatever their VM service is might also work.

It's very low profile as it's just your traffic and the state can't easily differentiate your host from the millions of others in that cloud region.

LPT for surviving the unfree internet: GitHub won't be blocked and you'll find all the resources and downloads you need for this method and others posted by Chinese engineers.

Edit: If you're worried about being too identifiable because of your static IP, well it's just a computer, you can use a VPN on there too if you want to!

replies(6): >>45057189 #>>45057355 #>>45057549 #>>45058594 #>>45059564 #>>45063710 #
wulfstan ◴[28 Aug 25 21:22 UTC] No.45057189[source]
When I worked in China (not for long periods but frequently enough that the Great Firewall became an irritant) I hosted an OpenVPN server on port 443 and/or port 22 of a server I owned. That worked sufficiently well most of the time.
replies(2): >>45057360 #>>45057444 #
ykl ◴[28 Aug 25 21:40 UTC] No.45057360[source]
This doesn't work anymore; the GFW no longer detects VPN connections by port but instead by performing deep packet inspection to characterize the type of traffic going over every connection. Using this technique in combination with some advanced ML systems, they're able to detect any encrypted VPN connection and cut it off; it's basically not possible to run any kind of outbound VPN connection (even to private servers) from inside of China anymore, and it's usually not even possible to _tunnel_ a VPN connection through some other protocol because the GFW now detects that too.

Stepping back and looking at it from a purely technical perspective, it's actually insanely impressive.

Here's a USENIX paper from a few years ago on how it is done: https://gfw.report/publications/usenixsecurity23/en/

replies(8): >>45057486 #>>45057492 #>>45057500 #>>45057557 #>>45057581 #>>45058367 #>>45060232 #>>45077140 #
eqvinox ◴[28 Aug 25 22:04 UTC] No.45057581[source]
This is what IPsec TFS is for [https://datatracker.ietf.org/doc/rfc9347/]

> the focus in this document is to enhance IP Traffic Flow Security (IP-TFS) by adding Traffic Flow Confidentiality (TFC) to encrypted IP-encapsulated traffic. TFC is provided by obscuring the size and frequency of IP traffic using a fixed-size, constant-send-rate IPsec tunnel

(If they block a constant rate stream, that'll hit a whole ton of audio/video streaming setups)

replies(2): >>45058333 #>>45058458 #
1. kimixa ◴[28 Aug 25 23:49 UTC] No.45058333{3}[source]
So they'll just block any constant rate stream that isn't containing AV data or a whilelisted streaming service.
replies(1): >>45061252 #
2. drdaeman ◴[29 Aug 25 07:33 UTC] No.45061252[source]
I don’t think that’s possible. AV data is behind the TLS layer, all the DPI can see is a CBR stream that matches HTTPS signature. Unless it can do a MitM (Kyrgyzstan-style) they can’t really tell anything about the payload content save from what the TLS handshake may expose. Past it, observability stops at packet sizes and timings.

As I understand it, modern DPIs try to fingerprint TLS traffic through feeding data that passed some pattern matching to ML models that try to predict how likely it’s between a genuine commonplace browser and a “normal” webserver (or a video streaming server or game server - whatever they trained it on). And in turn modern obfuscation software tries to match the behavior and be seen exactly as it’s your Chrome user watching some cat videos or something equally innocuous.