Ask HN: The government of my country blocked VPN access. What should I use?

Hello! I've got experience working on censorship circumvention for a major VPN provider (in the early 2020s).

- First things first, you have to get your hands on actual VPN software and configs. Many providers who are aware of VPN censorship and cater to these locales distribute their VPNs through hard-to-block channels and in obfuscated packages. S3 is a popular option but by no means the only one, and some VPN providers partner with local orgs who can figure out the safest and most efficient ways to distribute a VPN package in countries at risk of censorship or undergoing censorship.

- Once you've got the software, you should try to use it with an obfuscation layer.

Obfs4proxy is a popular tool here, and relies on a pre-shared key to make traffic look like nothing special. IIRC it also hides the VPN handshake. This isn't a perfectly secure model, but it's good enough to defeat most DPI setups.

Another option is Shapeshifter, from Operator (https://github.com/OperatorFoundation). Or, in general, anything that uses pluggable transports. While it's a niche technology, it's quite useful in your case.

In both cases, the VPN provider must provide support for these protocols.

- The toughest step long term is not getting caught using a VPN. By its nature, long-term statistical analysis will often reveal a VPN connection regardless of obfuscation and masking (and this approach can be cheaper to support than DPI by a state actor). I don't know the situation on the ground in Indonesia, so I won't speculate about what the best way to avoid this would be, long-term.

I will endorse Mullvad as a trustworthy and technically competent VPN provider in this niche (n.b., I do not work for them, nor have I worked for them; they were a competitor to my employer and we always respected their approach to the space).

Obfs4proxy and Shapeshifter are an absolute PITA to install.

Get your own VPS server (VPS in EU/US with 2GB of ram, 40GB of disk space and TBs/month of traffic go for $10 a year, it's that cheap). Never get anything in the UK and even USA is weird. I'd stick with EU.

Install your software (wireguard + obsfuscation or even tailscale with your own DERP server)

Another simpler alternative is just `ssh -D port` and use it as a SOCKS server. It's usually not blocked but very obvious.

In my experience, in China as of 2016, "ssh -D" vasn't reliable at all, I wrote more details at https://blog.zorinaq.com/my-experience-with-the-great-firewa... (see "idea 1")

I just spent 3 months in China this summer. The GFW has become much more sophisticated than I remember. I found only one method that reliably worked. That was to use Holafly (an international eSIM provider) and use its built-in VPN. China largely doesn’t care if foreigners get around the GFW, I guess.

Another method that usually worked was ProtonVPN with protocol set to Wireguard. Not sure why this worked, it’s definitely a lot more detectable than other methods I tried. But as long as I rotated which US server I used every few days, this worked fine.

No luck with shadowsocks, ProtonVPN “stealth” mode, Outline+Digital Ocean, or even Jump / Remote Desktop. Jump worked the longest at several hours before it became unbearably slow, I’m still not sure if I was actually throttled or my home computer started misbehaving.

I didn’t get around to setting up a pure TLS proxy, or proxying traffic through a domain that serves “legitimate” traffic, so no idea if that still works.