Indonesia is currently in chaos. Earlier today, the government blocked access to Twitter & Discord knowing news spread mainly through those channels. Usually we can use Cloudflare's WARP to avoid it, but just today they blocked the access as well. What alternative should we use?
Hello! I've got experience working on censorship circumvention for a major VPN provider (in the early 2020s).
- First things first, you have to get your hands on actual VPN software and configs. Many providers who are aware of VPN censorship and cater to these locales distribute their VPNs through hard-to-block channels and in obfuscated packages. S3 is a popular option but by no means the only one, and some VPN providers partner with local orgs who can figure out the safest and most efficient ways to distribute a VPN package in countries at risk of censorship or undergoing censorship.
- Once you've got the software, you should try to use it with an obfuscation layer.
Obfs4proxy is a popular tool here, and relies on a pre-shared key to make traffic look like nothing special. IIRC it also hides the VPN handshake. This isn't a perfectly secure model, but it's good enough to defeat most DPI setups.
Another option is Shapeshifter, from Operator (https://github.com/OperatorFoundation). Or, in general, anything that uses pluggable transports. While it's a niche technology, it's quite useful in your case.
In both cases, the VPN provider must provide support for these protocols.
- The toughest step long term is not getting caught using a VPN. By its nature, long-term statistical analysis will often reveal a VPN connection regardless of obfuscation and masking (and this approach can be cheaper to support than DPI by a state actor). I don't know the situation on the ground in Indonesia, so I won't speculate about what the best way to avoid this would be, long-term.
I will endorse Mullvad as a trustworthy and technically competent VPN provider in this niche (n.b., I do not work for them, nor have I worked for them; they were a competitor to my employer and we always respected their approach to the space).
Thank you very much for a detailed answer. Might I rudely ask -- as you're knowledgeable in this space, what do you think of Mullvad's DAITA, which specifically aims to defeat traffic analysis by moving to a more pulsed constant bandwidth model?
DAITA was introduced after my time in the industry, but this isn't a new idea (though as far as I know, it's the first time this kind of thing's been commercialized).
It's clever. It tries to defeat attacks against one of the tougher parts of VPN connections to reliably obfuscate, and the effort's commendable, but I'll stop short of saying it's a good solution for one big reason: with VPNs and censorship circumvention, the data often speaks for itself.
A VPN provider working in this space will often have aggregate (and obviously anonymized, if they're working in good faith) stats about success rates and failure classes encountered from clients connecting to their nodes. Where I worked, we didn't publish this information. I'm not sure where Mullvad stands on this right now.
In any case -- some VPN providers deploying new technology like this will partner with the research community (because there's a small, but passionate formal research community in this space!) and publish papers, studies, and other digests of their findings. Keep an eye out for this sort of stuff. UMD's Breakerspace in the US in particular had some extremely clever people working on this stuff when I was involved in the industry.
I’m curious about what makes it difficult to block a vpn provider long term. You said getting the software is difficult, but can a country not block known vpn ingress points?
A country can and absolutely will block known VPN ingress points. There are two tricks that we can use to circumvent this:
- Host on a piece of infrastructure that's so big that you can't effectively block it without causing a major internet outage (think: S3, Cloudflare R2, etc). Bonus points if you can leverage something like ECH (ex-ESNI) to make it harder to identify a single bucket or subdomain.
- Keep spawning new domains and subdomains to distribute your binaries.
There are complications with both approaches. Some countries block ECH outright. Some have no problem shutting the internet down wholesale for a little bit. The domain-hopping approach presents challenges w/r/t establishing trust (though not insurmountable ones, much of the time).
These are thing that have to be judged and balanced on a case-by-case basis, and having partners on the ground in these places really helps reduce risk to users trying to connect from these places, but then you have to be very careful talking to then since they could themselves get in trouble for trying to organize a VPN distribution network with you. It's layers on layers, and at some point it helps to just have someone on the team with a background in working with people in vulnerable sectors and someone else from a global affairs and policy background to try and keep things as safe as they can be for people living under these regimes.
You've come to a wrong place to ask. Most people here (judging by recommendations of own VPN instances, Tor, Tailscale/other Wireguard-based VPNs, and Mullvad) don't have any experience with censorship circumvention.
Just look for any VPNs that are advertised specifically for China, Russia, or Iran. These are the cutting edge tech, they may not be so privacy-friendly as Mullvad, but they will certainly work.
Hmm. People who recommend widely used approaches, and well-known, well-established providers, "don't have any experience with cenorship circumvention".
So the solution is no-name providers using random ad-hoc hackery, chosen according to a criterion more or less custom designed to lead you into watering hole attacks.
Right.
> Just look for any VPNs that are advertised specifically for China, Russia, or Iran.
If I was working for a secret service for these countries, I would set up many "VPNs that are advertised specifically for x" as honeypots to gather data about any dissidents.
It doesn't matter, he should look into the open source protocols that these services use. He doesn't have to use them.
VLESS / v2ray works in Russia, as far as I know.
Yeah, I'm using v2less on rented VPS, it's been workin for almost 2 years already (Russia)
Mr. Kafka, suspicion is healthy. However, abstraction provides no way forward when faced with practicalities instead of theory. Creates a Kafka-esque situation - anything suitable is by definition unsuitable. Better to focus on practical technical advice.
Furthermore, you can always run another VPN on top of that if you don’t trust the outer one with the actual plaintext traffic.
VPNs that are advertised are for-profit products, which means:
1. They are in most cases run by national spy agencies.
2. They will at least appear to work, i.e., they will provide you with access to websites that are blocked by the country you are in. Depending on which country's spies run the system, they may actually work in the sense of hiding your traffic from that country's spies, or they may mark you as a specific target and save all your traffic for later analysis.
My inclination is to prefer free (open-source) software that isn't controlled by a company which can use that control against its users.
Well, you have to host your free open-source VPN software somewhere. And then, (N. B.: technical and usability stuff aside, I'm talking only about privacy bits here) everything boils down to two equally nightmarish options.
First, you use well-known cloud or dedicated hoster. All your traffic is now tied to the single IP address of that hoster. It may be linked to you by visiting two different sites from the same IP address. Furthermore, this hoster is legally required to do anything with your VPN machine on demand of corresponding state actors (this is not a speculative scenario; i. e. Linode literally silently MitMed one of their customers on German request). Going ever further, residential and company IPs have quite different rules when it comes to law enforcement. Seeding Linux ISOs from your residential IP will be overlooked almost everywhere (sorry, Germany again), but seeding Linux ISOs from AWS can easily be a criminal offense.
Second, you use some shady abuse-proof hosting company, which keeps no logs (or at least says that) and accepts payments in XMR. Now you're logging in to your bank account from an IP address that is used to seedbox pirate content or something even more illegal, and you still don't know if anyone meddles with your VPN instance looking for crypto wallet keys in your traffic.
VPN services have a lot of "good" customers for a small amount of IP addresses, so even if they have some "bad" actors, their IPs as a whole remain "good enough". And, as the number of customers is big, each IP cannot be reliably tied to a specific customer without access logs.
Do you have any evidence for either of these claims?
It is absolutely self-evident that VPNs are considered high-value targets and that all spy agencies invest a chunk of resources to go after high-value targets.
I would invite you to read again the two claims made, and consider whether your statement actually addresses the veracity of either.
To be a little trite: we all agree that chickens like grain, but it does not follow that a majority of grain producers are secretly controlled by a cabal of poultry.
For 99% of use cases - piracy and porn, does that matter?
This thread's not about that 99% use case.
You can always do v2ray -> Mullvad in a docker container routed with gluetun for censorship avoidance and privacy
what's wrong with those solutions?
I have a little, maybe enough to be dangerous. SSH won’t be sufficient to avoid all traffic analysis. Everyone can see how much traffic and the pattern of that traffic, which can leak info about the sort of things you’re doing.
If you’re worried about ending up on a list, using things that look like VPNs while the VPNs are locked down is likely to do so.
Also… your neighbors in Myanmar didn’t do a lockdown during the genocide and things got pretty fucking dire as a result. People have taken different lessons from this. I’m not sure what the right answer is, and which is the greater evil. Deplatforming and arresting people for inciting riots and hate speech is probably the best you can do to maintain life and liberty for the most people.
OP: look into VLESS (and similar). And read up on ntc.party (through Google translate). There are certain VPN providers that offer the protocol.
I think REALITY is the newer protocol. I remember VLESS being somewhat more detectable
nah, vless is the protocol, reality is a newer obfuscation method that works over vless
Mullvad worked OK in China for me recently. Sometimes I'd have to try a few different endpoints before it worked. Something built specifically to work in those places would probably be better, but it wasn't too much trouble. Not necessarily a recommendation, just sharing one data point.
I remember always needing obfuscation enabled in Mullvad, but it would work in the end (as you said, after trying a few endpoints).
[dead]
Personally, I like Amnezia VPN, it has some ways to work around blocks: https://amnezia.org/en You can very easily self-host it, their installer automatically works on major cloud platforms.
Though if Indonesia has blocked VPNs only now, possibly they only block major providers and don't try to detect the VPN protocol itself, which would make self-hosting any VPN possible.
- Tor. Pros: Reasonably user friendly and easy to get online, strong anonymity, free. Cons: a common target for censorship, not very fast, exit nodes are basically universally distrusted by websites.
- Tailscale with Mullvad exit nodes. Pros: little setup but not more than installing and configuring a program, faster than Got, very versatile. Cons: deep packet inspection can probably identify your traffic is using Mullvad, costs some money.
- Your own VPSs with Wireguard/Tailscale. Pros: max control, you control how fast you want it, you can share with people you care about (and are willing to support). Cons: the admin effort isn't huge but requires some skill, cost is flexible but probably 20-30$ per month minimum in hosting.
> - Tailscale with Mullvad exit nodes
Tailscale is completely unnecessary here, unless OP can't connect to Mullvad.net in the first place to sign up. But if the Indonesian government blocks Mullvad nodes, they'll be out of luck either way.
> - Your own VPSs with Wireguard/Tailscale
Keep in mind that from the POV of any websites you visit, you will be easily identifiable due to your static IP.
My suggestion would be to rent a VPS outside Indonesia, set up Mullvad or Tor on the VPS and route all traffic through that VPS (and thereby through Mullvad/Tor). The fastest way to set up the latter across devices is probably to use the VPS as Tailscale exit node.
And using another VPN like NordVPN or ProtonVPN is probably in the same category as Mullvad, but worth being cautious. If it's free, you are the product. If you pay, you're still sending your traffic to a publicly (usually) known server of a VPN. That metadata alone in some jurisdictions can still put you in danger.
Stay safe
> 20-30$ per month minimum in hosting
Typo? Wireguard-capable VPSes are available for $20-$30 per year. (https://vpspricetracker.com/ is a good site for finding them.)
I mean multiple VPSs for redundancy. Contabo is maybe the cheapest I've seen and it's like 3$ mtl for the smallest?
This is good overview, I just wanted to add that a VPS IP is not a residential IP. You will encounter roadblocks when you try to access services if you appear to be coming from a VPS. Not that I had a better solution, just to clarify what you can expect.
Tor also has anti-censorship mechanisms (snowflakes, ...). Depending on how aggressive the blocking is, Tor might be the most effective solution.
IMO most people should have a VPS even if you don't need it for tunneling. Living without having a place to just leave services/files is very hard and often "free" services will hold your data hostage to manipulate your behavior which is annoying on a good day.
Thank you so much for this. It is very helpful.
Minimums for a VPS should be closer to $5-10 a month, no?
Yeah they can be cheap, but I would definitely recommend having at least 3 for redundancy. If one get shut down or it's IP blacklisted you still hopefully have a backup line to create a replacement.
No, unless you pay month to month. If you wait till BF you can find some really good deals on sites like lowendspirit
> cost is flexible but probably 20-30$ per month minimum in hosting.
$4/month VPS from DigitalOcean is more than enough to handle a few users as per my experience. I have a Wireguard setup like this for more than a year. Didn't notice any issues.
or simply RDP into a windows VPS.
Australia and UK might soon go down this path.
Something quite depressing is if we (HN crowd) find workarounds, most regular folks won't have the budget/expertise to do so, so citizen journalism will have been successfully muted by government / big media.
I would have laughed in your face if you wrote this comment merely 6 months ago. Now I'm just depressed. (UK)
Don't worry, you shouldn't underestimate the capability of society.
I grew up in a pretty deprived area of the UK, and we all knew "a guy" who could get you access to free cable, or shim your electric line to bypass the meter, or get you pirated CD's and VHS' and whatever.
There will always be "that guy down the pub" selling raspberry pi's with some deranged outdated firmware that runs a proxy for everything in the house or whatever. To be honest with you, I might end up being that guy for a bunch of people once I'm laid off from tech like the rest. :)
Normally I would agree with you, but the ability to pull this kind of thing off hinges on there being enough shadows that the Eye doesn't look at for prolonged periods of time. And the overall trajectory of technological advance lately is such that those shadows are rapidly shrinking. First it was the street cameras (and UK is already one of the most enthusiastic adopters in the world). And now comes AI which can automatically sift through all the mined data, performing sentiment analysis etc. I feel that the time will come pretty soon when "a guy" will need to be so adept at concealing the tracks in order to avoid detection that most people wouldn't have access to one.
Don't worry, you shouldn't underestimate the capability of society.
You should be worried. Don't underestimate the capabilities of the government bureaucrats. That "guys down the pub" will quickly disappear once they start getting jail time for their activities.
I think you really overestimate the capability of the UK to enforce laws. Yes, they can write them and yes they can fine large corporations, that's basically it.
They cannot enforce laws against such "petty" crimes, the reason society mostly functions in the UK is because most people don't try to break the law.
Pretty sure the local punters would kick the cops out if they came for one of their own, especially if he got them their porn back.
Yes, it's also dystopian to pin one's future on such hopes. People need to stick it to the government and demand their freedoms. Far too many things are being forced on us in the West that go against fundamental values that have been established for centuries.
Somehow, things that could be unifying protests where the working class of every political stripe are able to overlook their differences and push back against government never seem to happen. It is always polarized so that it's only ever one side at a time, and the other side is against them. How does that work?
That absolutely sounds like a world I should be worried about, where our only choices are dodgy ones
I am just waiting for red states in the US to try this too since their current laws requiring ID verification for porn sites aren’t effective.
> red states
Well you'd be surprised to find out that this stupid policy (and many more) have been brought forward by Labour (Left).
At this point, anyone who has been watching politics for a few decades understands that the left/right dichotomy is primarily one designed to keep the majority of people within a certain set of bounds. We see it revealed when politicians and ideologies that should be in opposition to one another still cooperate on the same strategies, like this one.
The goal right now is to make online anonymity impossible. Adult content is the wedge issue being used to make defending it unpalatable for any elected official, but nobody actually has it as a goal to prevent teenagers from looking at porn - if they did, they would be using more direct and efficient strategies. No, it's very clear that anonymous online commentary is hurting politicians and they are striking back against it.
It has been my impression that in UK, both parties are strongly authoritarian, with the sole difference being what kinds of speech and expression, precisely, they want to police.
Both the major Australian parties (Liberal and Labor) seem as spineless as each other.
They're being pushed by News Corp and Nine Entertainment [0] to crush competition (social media apps). With the soon-to-be-introduced 'internet licence' (euphemism: 'age verification'), and it's working. If they ban VPN's, it will make social media apps even more burdensome to access and use.
[0] Conglomerates News Corp and Nine Entertainment together own 90% of Australian print media, and are hugely influential in radio, digital and paid and free-to-air TV. They have a lot to gain by removing access to social media apps, where many (especially young) people get their information now days.
90% of “citizen journalism” is nothing of the sort. Just like “citizen science” researching vaccines.
> 90% of “citizen journalism” is (trash)
You're right. But compared to what?
I guess 99% of mainstream "journalism" is irrelevant and/or inaccurate, hence citizen journalism is a 10x improvement in accuracy and relevancy! Not 10% better, 900% better! This makes a huge difference to our society as a whole and in our daily lives!
But this misses the most important point which is that the user should have the right to choose for themselves what they say and read. Making citizen journalism unduly burdensome deprives everyone of that choice.
Preach comrade!
Those citizen journalists with their primary sources, disgusting.
Thats nothing but propaganda.
Remember it doesnt matter what the video shows, it only matters who showed it to you.
>Remember it doesnt matter what the video shows, it only matters who showed it to you
In an age of mass media (where there's a video for anything) or now one step further synthetic media knowing who makes something is much more important than the content, given that what's being shown can be created on demand. Propaganda in the modern world is taking something that actually happened, and then framing it as an authentic piece of information found "on the street", twisting its context.
"what's in the video" is now largely pointless, and anyone who isn't gullible will obviously always focus on where the promoter of any material wants to direct the audiences attention to, or what they want to deflect from.
I'm currently traveling in Uzbekistan and am surprised that wireguard as a protocol is just blocked. I use wireguard with my own server, because usually governments just block well known VPN providers and a small individual server is fine.
It's the first time I've encountered where the entire protocol is just blocked. Worth checking what is blocked and how before deciding which VPN provider to use.
We've had success using wireguard over wstunnel in places where wireguard is blocked.
WireGuard by itself has a pretty noticeable network pattern and I don't think they make obfuscating it a goal.
There are some solutions that mimic the traffic and, say, route it through 443/TCP.
A year ago I was traveling through Uzbekistan while also partly working remotely. IKEv2 VPN was blocked but thankfully I was able to switch to SSL VPN which worked fine. I didn't expect that, everything else (people, culture) in the country seemed quite open.
Wow, kinda crazy to think about a government blocking a protocol that just simply lets two computers talk securely over a tunnel.
Well, think about it - almost every other interaction you can have with an individual in another country is mediated by government. Physical interaction? You need to get through a border and customs. Phone call? Going through their exchanges, could be blocked, easy to spy on with wiretaps. Letter mail? Many cases historically of all letters being opened before being forwarded along.
We lived through the golden age of the Internet where anyone was allowed to open a raw socket connection to anyone else, anywhere. That age is fading, now, and time may come where even sending an email to someone in Russia or China will be fraught with difficulty. Certainly encryption will be blocked.
We're going to need steganographic tech that uses AI-hallucinated content as a carrier, or something.
That is how you know they haven't got a clue on what they're doing.
> surprised that wireguard as a protocol is just blocked.
Honestly this is the route I'm sure the UK will decide upon in the not too distant future.
The job of us hackers is going to become even more important...
XRay protocol based VPN worked for me in Uzbekistan when I were travelling there.
Wireguard is indeed blocked.
Same in Egypt.
Same in Russia
how can they detect it is wireguard, I thought the traffic is encrypted?
how does it differ from regular TLS 1.3 traffic?
It's UDP, not TCP (like TLS) and has a distinguishable handshake. Wireguard is not designed as a censorship prevention tool, it's purely a networking solution.
The tunnel itself is encrypted, but the tunnel creation and existence is not obfuscated.
If you can still get SSH access and can establish an account with a VPS provider with endpoints outside your country of origin, https://github.com/StreisandEffect/streisand is a little long in the tooth but may still be viable.
Tunneling via SSH (ssh -D) is super easy to detect. The government doesn't need any sophisticated analysis to tell SSH connections for tunneling from SSH connections where a human is typing into a terminal.
Countries like China have blocked SSH-based tunneling for years.
It can also block sessions based on packet sizes: a typical web browsing session involves a short HTTP request and a long HTTP response, during which the receiving end sends TCP ACKs; but if the traffic traffic mimics the above except these "ACKs" are a few dozen bytes larger than a real ACK, it knows you are tunneling over a different protocol. This is how it detects the vast majority of VPNs.
One alternative would be to set up a VPS, run VNC on it, run your browser on that to access the various web sites, and connect over an SSH tunnel to the VNC instance. Then it actually is an interactive ssh session.
15 years ago, I was using EC2 at work, and realized it was surprisingly easy to SSH into it in a way where all my traffic went through EC2. I could watch local Netflix when traveling. It was a de facto VPN.
Details are not at the top of my mind these years later, but you can probably rig something up yourself that looks like regular web dev shit and not a known commercial VPN. I think there was a preference in Firefox or something.
The issue these days is that all of the EC2 IP ranges are well known, and are usually not very high-reputation IPs, so a lot of services will block them, or at least aggressively require CAPTCHAs to prevent botting.
Source: used to work for a shady SEO company that searched Google 6,000,000 times a day on a huge farm of IPs from every provider we could find
I watched a season of Doctor Who that way back when the BBC were being precious about it. But Digital Ocean, so $5.
The most effective solution is to use X-ray/V2ray with VLESS, or VMESS, or Trojan as a protocol.
Another obfuscated solution is Amnezia
If you are not ready to set up your own VPN server and need any kind of connection right now, try Psiphon, but it's a proprietary centralized service and it's not the best solution.
What is going on if you don’t mind my asking? Our local news does not mention anything. Nor does ddging help? Any sources?
Mastodon is not easy for regimes to completely block, and most instances won't block you for using Tor. Mastodon saw a huge migration from Brazil when X was blocked there.
It would be easy to block on protocol level. Countries that block VPNs usually progress to that level pretty fast once they discover that simple IP blocks don't work.
Wouldn't it be easy to block the individual servers, e.g. https://mastodon.social?
There are many instances of Mastodon, and due to its federated nature, you can use any of them to access it, and even host your own.
What's stopping them from just blocking them all and continuing to block new ones?
Nothing is stopping them, but like most things in blocking free speech, it’s a game of cat and mouse.
Sure, but if you have an account on a different server, you can still see things posted on mastodon.social if you have followed someone there.
Give Obscura a try, we get around internet restrictions by using QUIC as transport, which looks like HTTP/3 and doesn't suffer from TCP-over-TCP meltdown: https://obscura.net/
Technical details: https://obscura.net/blog/bootstrapping-trust/
Let us know what you think!
Disclaimer: I'm the creator of Obscura.
> suffer from TCP-over-TCP meltdown
"Meltdown"... When my network goes into failover mode, I run TCP over TCP-OpenVPN over Wireguard (over LTE).
With a Raspberry Pi 1st Gen (single core 700 MHz, 512MB RAM) as the OpenVPN server, I get 9-10 mbit/s, which should be more than enough for using Twitter and Discord.
No suffering would exist in this scenario.
If they're blocking other protocols then likely they're blocking quic also.
Very possible, though many of our users are saying that in network environments where WireGuard is blocked they were able to use Obscura.
Hey, I went to take a look at Obscura and I like the ideas but I can't find the source code.
You are making some bold claims but without the source I can't verify those claims.
Any plans to open-source it?
Nations severing peoples connections to the world is awful. I'm so sorry for the chaos in general, and the state doing awful things both.
Go on https://lowendbox.com and get a cheap cheap cheap VPS. Use ssh SOCKS proxy in your browser to send web traffic through it.
Very unfancy, a 30+ year old solution, but uses such primitive internet basics that it will almost certainly never fail. Builtin to everything but Windows (which afaik doesn't have an ssh client built-in).
Tailscale is also super fantastic.
Windows has had both ssh client/server for years
WireGuard should still work. Tons of different providers. I trust Mullvad but ProtonVPN has a free tier. If they start blocking WireGuard, check out v2ray and xray-core. If those get blocked... that means somehow they're restricting all HTTPS traffic going out of the country
Folks who are looking to bypass censorship, and those who live in countries where their internet connection is not currently censored who would like to help, can look to https://snowflake.torproject.org/
AmneziaWG client worked just fine with normal Wireguard servers in Egypt where official Wireguard clients doesn't, WGTunnel app on android support both protocols.
https://github.com/amnezia-vpn/amneziawg-go https://github.com/wgtunnel/wgtunnel
In case known VPN providers are blocked you can pick a small VPS from a hoster like Hetzner and setup your own VPN.
AmneziaVPN has censorship circumvention options and makes it easy to set up a self hosted instance of that's what you prefer, or use their hosted service.
You could use something like https://github.com/database64128/swgp-go to obfuscate WireGuard traffic.
Using full-blown VPNs under such environments has the disadvantage of affecting your use of domestic web services. You might want to try something like https://github.com/database64128/shadowsocks-go, which allows you to route traffic based on domain and IP geolocation rules.
I'd recommend using Outline - it's a one click setup that lets you provision your own VPN on a cloud provider (or your own hardware).
Since you get to pick where the hardware is located and it is just you (or you and a small group of friends & family) using the VPN, blocking is more difficult.
If you don't want the hassle of using your own hardware you can rent a Digital Ocean droplet for <$5 per month.
In this scenario, Chinese have very rich experience. you need to use the advance proxy tool like clash ,v2ray, shadowsocks etc.
shadowsocks was the winner of the state of the art I had to do at work. It address the "long-term statistical analysis will often reveal a VPN connection regardless of obfuscation and masking (and this approach can be cheaper to support than DPI by a stat)" comment.
AmneziaWG is a decent option for censorship resistance, and it can be installed as a container on your own server.
AmneziaWG clients works just fine with normal Wireguard servers by the way.
Usually when countries block websites they don't block major cloud providers, like AWS and Google Cloud. Because most websites are hosted on them. So you can get a cheap VPS from AWS or GCP (always free VM is available) and host OpenVPN on it.
Just curious: Anyone know if things like Starlink are viable?
[deleted]
I'd recommend Obscura because it uses Wireguard over QUIC and it pretty good at avoiding these blocks. It's also open source.
Your first option until you get settled is to use an SSH reverse proxy:
ssh -R 9999 user@my.server
This gets you a temporarily usable system and if you can tunnel this way successfully installing some WireGuard or OpenVPN stuff will likely work.
It’s -D, -R is for forwarding specific ports.
Use the Tor browser window in Brave. It's nowhere near as anonymous as the Tor browser, but the built in ad blocking makes browsing via Tor usable. And that's what you and your compatriots are interested in.
Prepare to fill in Cloudflare captchas all day, but that's what it takes to have a bit of privacy nowadays.
On a related note, does anyone have insight into *why* the Indonesian government is doing this?
If it helps, here's some recent coverage:
https://www.theguardian.com/world/2025/aug/26/indonesia-prot...
there is a major protest currently happening due to the legislative body representative just giving themselves a monthly domicile stipend of ~$3300 on top of their salaries (yes, multiple), while the average people earned ~$330 monthly. the information about the protest are not broadcasted on local TVs, so the only spread of information is through social media. i guess since a lot of people went around it using VPN, the gov decided to block it too.
The official word is to counter gambling. Lately the government is not really popular after some decisions that could be interpreted as authoritative, and as citizens have spoken out about it online, causing more voices to join and protests erupting..
So well, my guess is they're trying to control it.
Depending on the circumstances, maybe ditch the landline local ISP for a satellite connection with a foreign ISP?
Set up a VM on AWS/azure/gcp/... in the desired cell, install a VPN server and done. Once you have automation in place it takes ~2 minutes to start, you can run it on demand so you can pay per minute.
I'm reading posts that indicate (at least some of) the blocking is at the DNS level.
https://old-reddit-com.translate.goog/r/WkwkwkLand/comments/...
Cloudflare says some issue affecting Jakarta has been resolved. They aren't saying what the issue was.
What I'm worried most are that most people are not even aware of what is DNS and how to change it.
I can't imagine those who are caught in the chaos with only their phone and unable to access information that could help them to be safe.
Generally speaking, the general population that wants to use blocked services will develop enough technical know-how to circumvent it. The biggest risk is that there are bad actors giving malicious advice and to such learners, looking to defraud or otherwise exploit them.
In this case the blockage will probably just be up for a few days, until the protests calmed down.
Other than that: tor
All the various proxy solutions offered are good (although the simplest ones - like squid - haven't been mentioned yet). You can also use a remote desktop or even just ssh -Y me@remote-server "firefox"
I was wondering something like this but in a different capacity.
What with certain countries (they know who they are) and their hatred for encryption, it got me wondering how people would communicate securely if - for example - Signal/WhatsApp/etc. pulled out and the country wound up disconnecting the submarine cables to "keep $MORAL_PANIC_OF_THE_DAY safe."
How would people communicate securely and privately in a domestic situation like that?
In person or not at all.
At that point you've essentially lost.
You either hope another country sees value in spreading you some democracy, or you rise up and hope others join you.
Or not and you accept the protection the state is graciously providing to you.
SneakerNet or bust, eh? That sucks.
Encrypted hand written notes tied to pigeons
Make your own VPN using a VPS and something like openvpn.
Not every website will allow it, but it should get you access to more than you have now.
Grab a VPS and use SOCKS5 tunneling via SSH.
SSH is often targeted by deep packet inspection and protocol binding filters.
i.e. One is better off tunneling over https://www.praise-the-glorious-leader.google.com.facebook.c...
include SSH traffic protocol auto-swapping on your server (i.e. no way to tell the apparent web page differs between clients), as some corporate networks are infamously invasive. People can do this all day long, and they do... =3
lolwut
At least it isn't goatse...
It is not a real URI... lol
The point was to include something clowns can't filter without incurring collateral costs, and wrapping the ssh protocol in standard web traffic. =3
tangent: what is the significance of the "=3" you sign your messages with?
Don't worry about it... =3
A proxy service like shadow socks works. There are thousands of providers for $X/month for a decent amount of traffic
Aren't there local (online or print) newspapers to get news from, as an alternative to Discord? Hope I'm not asking a dumb question
In countries where it comes to government blocking/censoring internet traffic, traditional media is cleared of all dissent and fully controlled long before. Last stages of that are happening in my country, Serbia, currently.
Right, that makes sense. Did some looking up and nonfree press seems to be indeed the case for Indonesia: https://rsf.org/en/country/indonesia
It's a mixed bag apparently, free press is technically legal since 1998 but selective prosecution and harassment of those actually uncovering issues (mainly becomes clear in the last section, "Safety")
Tried looking up Serbia next on that website but got a cloudflare block. I'm a robot now...
It's not a dumb question at all. Level on hn really got down lately if you're getting downvoted.
Think about it Aachen. If the government has enough power to censor internet traffic, that what was the first thing it censored? Which media is traditionally known for being censored or just speaking propaganda? That's the classical newspapers. It's not uncommon in authoritarian countries for editors to need state to sign off on the day's paper. And if not that, articles are signed and publishers are known. They will auto-censor to avoid problems. Just like creators on YouTube don't comment on this one country's treatment of civilians to avoid problems.
OP, you can rent a VPS from a reputable and cheap provider within the NA region - OVH, Vultr, Linode etc. are decent. Also check out lowendtalk.com
Then, setup Tailscale on the server. You can VPN into it and essentially browse the internet as someone from NA.
HTTPS to you own proxy on a foreign VPS.
Remote desktop (RDP/AnyDesk/etc) into a VM hosted somewhere else?
Emigration.
Residential VPNs, but try to find ones that are ran ethically.
SOCKS proxy over SSH?
Android doesn't come with system wide socks proxy support, and i couldn't find an open source app for it either. Is anyone aware of one?
Nonetheless this is a surprisingly simple and bullet proof solution: SSH, that's not vpn boss, i need it for work.
Outline is an open source shadowsocks client, and you provision your own server to act as the proxy. You can use it against any Shadowsocks server you want, and the protocol makes it look like regular https traffic.
https://github.com/Jigsaw-Code/outline-apps
Android & iOS & Linux & Mac & Windows
their server installer will help set up a proxy for users that aren't familiar with shadowsocks, too
For web browsing, Firefox lets you configure socks on android.
Psiphon works
[deleted]
Tor should be pretty good even for environments where they crack down on VPNs, although it can be a bit slow, at least it works.
Then you will be blocked by Twitter and Discord, which is the same thing.
Yeah, sucks, but really should find better places for people to gather regardless, if you're in that sort of environment.
How is this practical advice in a thread where someone mentions that the clampdown happened without notice?
The "shoulda done..." advice isn't useful in the slightest, and I'd argue is malicious with how often it's done simply to satiate a poster's ego.
People in Turkey use https://github.com/ValdikSS/GoodbyeDPI together with DNS over HTTPS (DoH).
Use an Actual Private Network? Radio links that you control. Peer with someone who owns a Starlink terminal. Rent instances in GCP's Jakarta datacenter.
Mullvad
Mullvad doesn't really have any modern censorship circumvention options.
Genuine question is Shadowsocks outdated? Because it supports it
I can relate to this because my country has an election soon and I'm sure we wont have internet for 3 - 5 days then.
ssh -D 48323 -p 61423 my-vps.big-company.com
Just please be safe and necessarily paranoid
One way they tend to "solve" workarounds is making examples of people
There's a new VPN that you might try, built by Boycat.
Don't know if it will help in this situation as it's designed to be a VPN not controlled by Israel, but it might be worth a try.
localtunnel.me, some node in the cloud, tunnel…
Get a cheap VPS anywhere, and use DSVPN https://github.com/jedisct1/dsvpn
Uses TCP and works pretty much anywhere.
SSH SOCKS proxy if you have an SSH host somewhere that is not Indonesia.
SSH tunneling on port 80 could work since it's rarely blocked, rent a cheap vps.
megavpn, should be around a dollar a month for 5 devices.
Maybe you could buy VPS in another country and set up VPN server yourself?
There are many options, but avoiding the legal consequences may be a grey area:
https://www.stunnel.org/index.html
https://github.com/yarrick/iodine
https://infocondb.org/con/black-hat/black-hat-usa-2010/psudp...
..and many many more, as networks see reduced throughput as an error to naturally route around. =3
[dead]
[dead]
[dead]
[dead]
Blocking Twitter is a good start, now Facebook, Instagram, Whatsup and TikTok.
This is a good start but more should be blocked. Then force ISP to block ads.
Not just for Indonesia but all countries. But we still have a lot more to do to fix the web.
I can't stand most of these things you want blocked but this is bonkers.
The issue with that is where do they draw the line. Next thing you know each country becomes North Korea.