Ask HN: The government of my country blocked VPN access. What should I use?

1309 points rickybule | 1 comments | 28 Aug 25 16:43 UTC | HN request time: 0.2s | source

Indonesia is currently in chaos. Earlier today, the government blocked access to Twitter & Discord knowing news spread mainly through those channels. Usually we can use Cloudflare's WARP to avoid it, but just today they blocked the access as well. What alternative should we use?

Show context

bdd8f1df777b ◴[29 Aug 25 09:00 UTC] No.45061811[source]▶

>>45054260 (OP) #

If you need to bypass censorship, you'll need a tool specifically designed for anti-censorship, rather than any one repurposed for that.

Since China has the most advanced network censorship, the Chinese have also invented the most advanced anti-censorship tools.

The first generation is shadowsocks. It basically encrypts the traffic from the beginning without any handshakes, so DPI cannot find out its nature. This is very simple and fast and should suffice in most places.

The second generation is the Trojan protocol. The lack of a handshake in shadowsocks is also a distinguishing feature that may alert the censor and the censor can decide to block shadowsocks traffic based on suspicions alone. Trojan instead tries to blend in the vast amount of HTTPS traffic over the Internet by pretending to be a normal Web server protected by HTTPS.

After Trojan, a plethora of protocol based on TLS camouflaging have been invented.

1. Add padding to avoid the TLS-in-TLS traffic characteristics in the original Trojan protocol. Protocols: XTLS-VLESS-VISION.

2. Use QUIC instead of TCP+TLS for better performance (very visible if your latency to your tunnel server is high). Protocols: Hysteria2 and TUIC.

3. Multiplex multiple proxy sessions in one TCP connection. Protocols: h2mux, smux, yamux.

4. Steal other websites' certificates. Protocols: ShadowTLS, ShadowQUIC, XTLS-REALITY.

Oh, and there is masking UDP traffic as ICMP traffic or TCP traffic to bypass ISP's QoS if you are proxying traffic through QUIC. Example: phantun.

replies(7): >>45061881 #>>45062023 #>>45062220 #>>45062335 #>>45062348 #>>45063468 #>>45063689 #

arethuza ◴[29 Aug 25 13:14 UTC] No.45063689[source]▶

>>45061811 #

Apologies for the rampant paranoia but that all sounds great - but how do I know that advice like this can be trusted, after all you could be an agent of a state security service directing people towards services they want people to use.

NB Just to be clear, I'm not doubting you, but if I was in a situation where my life or liberty was at threat I would be very worried about whose advice to take.

replies(3): >>45064026 #>>45064179 #>>45065733 #

1. bdd8f1df777b ◴[29 Aug 25 13:54 UTC] No.45064179[source]▶

>>45063689 #

If you have the technical knowledge, you can just read the protocols, find out if they make sense, and then implement them yourself. Most of them are quite straight forward so it's not possible to hide a backdoor like Dual_EC_DRBG in the protocol.

If you are not so technical then you have to decide who to trust. For example, you may trust that open source software has been vetted enough and build one from source. Or trust that the built artefacts downloaded from github is good enough. Or trust that the software downloaded from a website not marked as fraud by Google Chrome is good enough. Etc.

In any case, the more technical knowledge you have, the more confidence you can have by doing due diligence yourself.

↑