1309 points rickybule | 2 comments

Indonesia is currently in chaos. Earlier today, the government blocked access to Twitter & Discord knowing news spread mainly through those channels. Usually we can use Cloudflare's WARP to avoid it, but just today they blocked the access as well. What alternative should we use?
joshryandavis ◴[] No.45056956[source]
I lived in China for a while and there were several waves of VPN blocks. Also very few VPN services even try to actively support VPN-blocking nations anymore. Any commercial offering will be blocked eventually.

What I settled on for decent reliability and speeds was a free-tier EC2 hosted in an international region. I then set up a SOCKS5 server and connected my devices to it. You mentioned Cloudflare so whatever their VM service is might also work.

It's very low profile as it's just your traffic and the state can't easily differentiate your host from the millions of others in that cloud region.

LPT for surviving the unfree internet: GitHub won't be blocked and you'll find all the resources and downloads you need for this method and others posted by Chinese engineers.

Edit: If you're worried about being too identifiable because of your static IP, well it's just a computer, you can use a VPN on there too if you want to!

wulfstan ◴[] No.45057189[source]
When I worked in China (not for long periods but frequently enough that the Great Firewall became an irritant) I hosted an OpenVPN server on port 443 and/or port 22 of a server I owned. That worked sufficiently well most of the time.
ykl ◴[] No.45057360[source]
This doesn't work anymore; the GFW no longer detects VPN connections by port but instead by performing deep packet inspection to characterize the type of traffic going over every connection. Using this technique in combination with some advanced ML systems, they're able to detect any encrypted VPN connection and cut it off; it's basically not possible to run any kind of outbound VPN connection (even to private servers) from inside of China anymore, and it's usually not even possible to _tunnel_ a VPN connection through some other protocol because the GFW now detects that too.

Stepping back and looking at it from a purely technical perspective, it's actually insanely impressive.

Here's a USENIX paper from a few years ago on how it is done: https://gfw.report/publications/usenixsecurity23/en/

rglynn ◴[] No.45058367[source]
So there's a disconnect between what you're saying and what others and myself have experienced in China even recently. You appear to be saying that it's not possible to use a VPN to bypass the GFW, but I apologise if I have misunderstood.

The comments have multiple examples of people successfully bypassing the firewall. I personally just used Mullvad with WireGuard + obfuscation (possibly also DAITA) and it just worked. No issues whatsoever.

1. ikurei ◴[] No.45061163[source]
This changes, not only over time, but also from region to region.

A close friend of mine travels to China often, and they use Mullvad because of my recommendation. Last year it worked great for them, but earlier this year they went back to China, and it really didn't work.

What I found most interesting is that they had different results in different places. Apparently, in the business areas of Shanghai and Beijing, where they had meetings and events, they could get WhatsApp and Slack messages; when they went back to the hotel, in a residential area where there were almost no offices or tourists, it didn't. In Chongqing even less stuff worked.

I was very skeptical of this when they told me, but they could replicate this consistently over a couple of weeks. It wasn't related to hotel Wi-Fi (that's a different can of worms), this was on mobile data.

Everything worked when they switched to using https://letsvpn.world, at the recommendation of some Chinese colleagues of theirs.

This was with a basic Mullvad install on iOS and Mac, they're not technical enough to harden their VPN connection further; maybe they could've easily obfuscated it more and it would've worked.

2. hnfong ◴[] No.45063006[source]
The GFW being more lenient for tourists (esp. their foreign mobile plan) checks out with the stories I hear too. I'm guessing the less touristy places don't have "support" for these "exceptions" so they get a degraded experience there.