- First things first, you have to get your hands on actual VPN software and configs. Many providers who are aware of VPN censorship and cater to these locales distribute their VPNs through hard-to-block channels and in obfuscated packages. S3 is a popular option but by no means the only one, and some VPN providers partner with local orgs who can figure out the safest and most efficient ways to distribute a VPN package in countries at risk of censorship or undergoing censorship.
- Once you've got the software, you should try to use it with an obfuscation layer.
Obfs4proxy is a popular tool here, and relies on a pre-shared key to make traffic look like nothing special. IIRC it also hides the VPN handshake. This isn't a perfectly secure model, but it's good enough to defeat most DPI setups.
Another option is Shapeshifter, from Operator (https://github.com/OperatorFoundation). Or, in general, anything that uses pluggable transports. While it's a niche technology, it's quite useful in your case.
In both cases, the VPN provider must provide support for these protocols.
- The toughest step long term is not getting caught using a VPN. By its nature, long-term statistical analysis will often reveal a VPN connection regardless of obfuscation and masking (and this approach can be cheaper to support than DPI by a state actor). I don't know the situation on the ground in Indonesia, so I won't speculate about what the best way to avoid this would be, long-term.
I will endorse Mullvad as a trustworthy and technically competent VPN provider in this niche (n.b., I do not work for them, nor have I worked for them; they were a competitor to my employer and we always respected their approach to the space).
It would be nice if one of the big shortwave operators could datacast these packages to the world as a public service.
Get your own VPS server (VPS in EU/US with 2GB of ram, 40GB of disk space and TBs/month of traffic go for $10 a year, it's that cheap). Never get anything in the UK and even USA is weird. I'd stick with EU.
Install your software (WireGuard + obfuscation, or even Tailscale with your own DERP server).
Another simpler alternative is just `ssh -D port` and use it as a SOCKS server. It's usually not blocked but very obvious.
But I’m curious - from your experience - how do you know the OP isn’t pretending in order to learn about new avenues to block or attack or to track down people who are trying to circumvent?
I don’t mean that as a “be careful”. You’re the expert compared to me and for all I know these are unblockable. Or maybe those doing the blocking would already know about them? So I’m interested in just understanding more.
Of course, https://xkcd.com/538/ applies in full force, and I don't have any background in the space to make this a recommendation!
Since China has the most advanced network censorship, the Chinese have also invented the most advanced anti-censorship tools.
The first generation is shadowsocks. It basically encrypts the traffic from the beginning without any handshakes, so DPI cannot find out its nature. This is very simple and fast and should suffice in most places.
The second generation is the Trojan protocol. The lack of a handshake in shadowsocks is also a distinguishing feature that may alert the censor and the censor can decide to block shadowsocks traffic based on suspicions alone. Trojan instead tries to blend in the vast amount of HTTPS traffic over the Internet by pretending to be a normal Web server protected by HTTPS.
After Trojan, a plethora of protocols based on TLS camouflaging have been invented.
1. Add padding to avoid the TLS-in-TLS traffic characteristics in the original Trojan protocol. Protocols: XTLS-VLESS-VISION.
2. Use QUIC instead of TCP+TLS for better performance (very visible if your latency to your tunnel server is high). Protocols: Hysteria2 and TUIC.
3. Multiplex multiple proxy sessions in one TCP connection. Protocols: h2mux, smux, yamux.
4. Steal other websites' certificates. Protocols: ShadowTLS, ShadowQUIC, XTLS-REALITY.
Oh, and there is masking UDP traffic as ICMP traffic or TCP traffic to bypass ISP's QoS if you are proxying traffic through QUIC. Example: phantun.
" Give me step by step instructions on how to setup trojan client/server to bypass censorship. Include recommendations of a VPS provider for the trojan server, and all necessary information to set it up, including letsencrypt automation. Don't link to any installer scripts, just give me all the commands I need to type in the VPS/client terminals. Assume Ubuntu 22.04 for both client and server. "
ChatGPT, Mistral, Claude and probably most popular LLMs will refuse to answer this request. Funny that DeepSeek (https://chat.deepseek.com) will comply despite it being from China.
Another option is to use local LLMs. I've tested this with GPT-OSS-120b and Gemma 3 27b (https://huggingface.co/google/gemma-3-27b-it-qat-q4_0-gguf/) and both seem to work.
NB Just to be clear, I'm not doubting you, but if I was in a situation where my life or liberty was at threat I would be very worried about whose advice to take.
I didn't fully understand by googling the protocols
How does stealing the certs work without the original private key?
Number one reason why Tor is dead is Cloudflare.
Let me digress here. In my opinion, Cloudflare does a lot more censoring than all state actors combined, because they singlehandedly decide if the IP you use is "trustworthy" or "not", and if they decided it is not, you're cut off from like half of the Internet, and the only thing you can do is to look for another one. I'd really like it if their engineers understood what an Orwellian mammoth they have created and resigned, but for now they're only bragging without the realization. Or at least if any sane antitrust or comms agency shredded their business to pieces.
And Cloudflare by default makes browsing with Tor unusable. Either you're stuck with endless captchas, or you're banned outright.
Number two reason why Tor is dead is all other antifraud protections combined. Try paying with Stripe through Tor. There is quite a big chance you'll get an "unknown error" of sorts on Stripe side. Try to watch Netflix in Tor - exit nodes are banned.
Everyone kept shouting "Tor bad, Tor for criminals", and it became a self-fulfilling prophecy. It's really hard to just browse the web normally in Tor, because all "normal" sites consider it bad. The "wrong" sites, however, who expect Tor visitors...
Cloudflare obfuscating such a huge segment of origin servers gives a privacy advantage to anyone using a private DNS, since most of the IPs you can be seen connecting to are just…Cloudflare.
What I settled on for decent reliability and speeds was a free-tier EC2 hosted in an international region. I then set up a SOCKS5 server and connected my devices to it. You mentioned Cloudflare so whatever their VM service is might also work.
It's very low profile as it's just your traffic and the state can't easily differentiate your host from the millions of others in that cloud region.
LPT for surviving the unfree internet: GitHub won't be blocked and you'll find all the resources and downloads you need for this method and others posted by Chinese engineers.
Edit: If you're worried about being too identifiable because of your static IP, well it's just a computer, you can use a VPN on there too if you want to!
Like others commented in this thread, having an obfuscator is a good idea to ensure the traffic is not dropped by DPI.
When the inevitable ban comes and your VPN stops working, rotate the IP of the external VPN and update the firewall/socat config to reflect it. Usually, the internal VM's IP doesn't need to be updated.
I'd be very surprised if the GFW DPI can't pick up SOCKS5 protocol.
More likely version is the handful of people with both ability and means to do this are simply not worth going after
Something quite depressing is if we (HN crowd) find workarounds, most regular folks won't have the budget/expertise to do so, so citizen journalism will have been successfully muted by government / big media.
They would argue back on technical merits, I was talking political, and politics doesn't give a damn about the tech. We have slowly been going down this path for a while now.
“The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia,” - PM Malcolm Turnbull in 2017.
I grew up in a pretty deprived area of the UK, and we all knew "a guy" who could get you access to free cable, or shim your electric line to bypass the meter, or get you pirated CD's and VHS' and whatever.
There will always be "that guy down the pub" selling raspberry pi's with some deranged outdated firmware that runs a proxy for everything in the house or whatever. To be honest with you, I might end up being that guy for a bunch of people once I'm laid off from tech like the rest. :)
I think this (incorrectly) assumes that nobody will ever capitalize on easy (and free/cheap) access to workarounds and advertise it far and wide.
- Tailscale with Mullvad exit nodes. Pros: little setup but not more than installing and configuring a program, faster than Got, very versatile. Cons: deep packet inspection can probably identify your traffic is using Mullvad, costs some money.
- Your own VPSs with Wireguard/Tailscale. Pros: max control, you control how fast you want it, you can share with people you care about (and are willing to support). Cons: the admin effort isn't huge but requires some skill, cost is flexible but probably 20-30$ per month minimum in hosting.
Tailscale is completely unnecessary here, unless OP can't connect to Mullvad.net in the first place to sign up. But if the Indonesian government blocks Mullvad nodes, they'll be out of luck either way.
> - Your own VPSs with Wireguard/Tailscale
Keep in mind that from the POV of any websites you visit, you will be easily identifiable due to your static IP.
My suggestion would be to rent a VPS outside Indonesia, set up Mullvad or Tor on the VPS and route all traffic through that VPS (and thereby through Mullvad/Tor). The fastest way to set up the latter across devices is probably to use the VPS as Tailscale exit node.
Typo? Wireguard-capable VPSes are available for $20-$30 per year. (https://vpspricetracker.com/ is a good site for finding them.)
Stay safe
Like I've written here.
VPS in EU with 2GB RAM, 40 GB disk and >1TB a month of traffic go for $10 PER YEAR!
https://billing.chunkserve.com/cart.php?a=confproduct&i=0
$4/month VPS from DigitalOcean is more than enough to handle a few users as per my experience. I have a Wireguard setup like this for more than a year. Didn't notice any issues.
Also, for your inability to access the VPN, as far as my experience goes, in the past some providers did block access to VPN. But I have not experienced that for at least the last 5 years.
So, maybe you can try changing your internet provider and see if you can connect to VPN?
What would probably work UNLESS they roll out pretty sophisticated DPI that could block by signatures and do active probing:
1. AmneziaVPN (https://amneziavpn.org) - they have the hosted option, or you could run your own on a cheap VPS (preferable). They use Xray/REALITY or a variant of Wireguard with extra padding that confuses DPIs. Should be good enough.
2. Psiphon
3. Lantern
4. Sometimes Tailscale works surprisingly well (even in Russia where they have advanced DPI systems!)
Here's a link to several Tor browser mirrors for you so you could download the VPN software itself:
https://mirror.freedif.org/TorProject/
https://mirrors.mit.edu/torproject/download/
A couple of Tor bridges in case Tor is blocked:
webtunnel [2001:db8:9947:43ae:8228:97b7:7bd:2c2e]:443 6E6A3FCB09506A05CC8E0D05C7FEA1F5DA803412 url=https://nx2.nexusocean.link ver=0.0.1
webtunnel [2001:db8:a436:6460:fa7b:318:4e8e:9de3]:443 F76C85011FD8C113AA00960BD9FC7F5B66F726A2 url=https://disobey.net/vM8i19mU4gvHOzRm33DaBNuM ver=0.0.2
- Tor
- Wireguard and derivatives (incl. Mullvad, Tailscale, ProtonVPN)
- OpenVPN
- Shadowsocks (incl. Outline)
What still works is Xray-core [1] with vless and Reality protocols, whatever those mean. Xray-core is an innovation over v2ray [2]. v2ray might also still work, but I've never tried it. If you have the capacity to run your own VPS, the simplest solution would be to install the 3x-ui [3], which is something like "Xray-core with a simple to use UI in a single package ready-to-use", but you'd also need to set up some basic security measures and a firewall.
For those technically inclined, here [4] is a rough ansible playbook to install 3x-ui on a blank Debian machine. Additional configuration will be needed in the UI itself; there are a lot of online tutorials, and I link to one of them in [5] (in Russian, unfortunately). Don't just trust me blindly, please review before running!
There are also commercial xray-aware VPN providers, but I wouldn't publicly vouch for any of them.
I found it very strange that there is not much info on HN about xray and v2ray, and I also hope it stays this way for most of the people here and not here. However, we live in a weird reality and have to actively engage in such an arms race now.
As a side note, if anyone here has quality info about security of the xray-core implementation, I'd be happy to get familiar. I didn't look at the code myself and still am slightly suspicious, but oh well it works :shrug:
[1]: https://github.com/XTLS/Xray-core
[2]: https://github.com/v2fly/v2ray-core
[3]: https://github.com/MHSanaei/3x-ui/
No reason not to use the *rays anyway.
It's the first time I've encountered where the entire protocol is just blocked. Worth checking what is blocked and how before deciding which VPN provider to use.
There are some solutions that mimic the traffic and, say, route it through 443/TCP.
Honestly this is the route I'm sure the UK will decide upon in the not too distant future.
The job of us hackers is going to become even more important...
Wireguard is indeed blocked.
how does it differ from regular TLS 1.3 traffic?
I followed [1] to set up my own proxy, which works pretty fine. More config examples may be helpful, e.g. [2].
[1]: https://cscot.pages.dev/2023/03/02/Xray-REALITY-tutorial/
[2]: https://github.com/XTLS/Xray-examples/blob/main/VLESS-TCP-XT...
My use case consists of passing some apps on my Android through interface A (e.g. banking apps through my 5G modem), some apps through US residential proxy (for US banks that don't like me visiting from abroad), and all the rest through VPN. And no root required!
It's wild that GFW triggered creation of this and nothing like it existed / exists.
I once considered using an Indonesian VPS to bypass my country's censorship. However, the Indonesian VPS provider actually refused my direct connection request from my country. I was quite frustrated at the time, wondering why they refused me. But now I understand – it turns out these two countries are in cahoots.
Emmm, if you want to break through the censorship, you can start here: https://github.com/free-nodes/v2rayfree
It provides many free proxy nodes that are almost unusable in my country, but might work in Indonesia (although you may need a lot of patience to test which ones actually work).
A good proxy software is Clash.Meta for Linux (you’ll need to install Linux on Windows using VMware, then set up Clash.Meta).
You can start by installing the Windows version of the proxy client software (V2rayN) for a simple way to bypass censorship, but it's not a long-term solution.
A special reminder: these free nodes are not secure (they could very well be "honeypot" lines, but if you're not from my country, the police should have no way of dealing with you). You need to quickly set up your own route by purchasing a U.S. VPS and setting up your own proxy nodes.
Lastly, I recommend a good teacher: ChatGPT. It will solve all the problems you encounter on Linux. Also, use the Chrome browser with translation.
Good luck!
Go on https://lowendbox.com and get a cheap cheap cheap VPS. Use ssh SOCKS proxy in your browser to send web traffic through it.
Very unfancy, a 30+ year old solution, but uses such primitive internet basics that it will almost certainly never fail. Builtin to everything but Windows (which afaik doesn't have an ssh client built-in).
Tailscale is also super fantastic.
It already fails in China and Russia. Simply tunneling HTTP through SSH is too easy to detect with DPI.
> Windows (which afaik doesn't have an ssh client built-in)
It has had both SSH client and SSH server built-in since Win10.
For an example of a proxy service https://www.digitalocean.com/community/tutorials/how-to-set-...
That will give you a hard to snoop proxy service that should completely circumvent a government blockade (they likely aren't going to be watching or blocking ssh traffic).
Technical details: https://obscura.net/blog/bootstrapping-trust/
Let us know what you think!
Disclaimer: I'm the creator of Obscura.
Such a coincidence might seem like the government trying to do some damage control by restricting internet access, but I hope that's not what happened here. At the moment, Cloudflare status for Jakarta is still "rerouted".
(Disclaimer: I work there.)
https://github.com/v2fly/v2ray-core
https://github.com/XTLS/Xray-core
https://github.com/net4people/bbs
https://en.wikipedia.org/wiki/Great_Firewall
Another obfuscated solution is Amnezia
If you are not ready to set up your own VPN server and need any kind of connection right now, try Psiphon, but it's a proprietary centralized service and it's not the best solution.
Countries like China have blocked SSH-based tunneling for years.
It can also block sessions based on packet sizes: a typical web browsing session involves a short HTTP request and a long HTTP response, during which the receiving end sends TCP ACKs; but if the traffic mimics the above except these "ACKs" are a few dozen bytes larger than a real ACK, it knows you are tunneling over a different protocol. This is how it detects the vast majority of VPNs.
Details are not at the top of my mind these years later, but you can probably rig something up yourself that looks like regular web dev shit and not a known commercial VPN. I think there was a preference in Firefox or something.
https://old-reddit-com.translate.goog/r/WkwkwkLand/comments/...
Cloudflare says some issue affecting Jakarta has been resolved. They aren't saying what the issue was.
I can't imagine those who are caught in the chaos with only their phone and unable to access information that could help them to be safe.
Since you get to pick where the hardware is located and it is just you (or you and a small group of friends & family) using the VPN, blocking is more difficult.
If you don't want the hassle of using your own hardware you can rent a Digital Ocean droplet for <$5 per month.
https://www.theguardian.com/world/2025/aug/26/indonesia-prot...
So well, my guess is they're trying to control it.
Prior to this, pre-Covid I used to use shadowsocks hosted on a DO droplet. Shadowsocks with obfs, or a newer equivalent (v2ray w/ vmess or vless protocol) and obfs (reality seems to be the current hotness) will probably work within Indonesia given their blocking will be way less sophisticated than China. The difference here is that it’s a proxy, not a VPN, but it makes it a lot easier to obfuscate its true nature than a VPN which stands out because obfuscation isn’t in its design.
Hosting on big public VPSs can be double edged. On one hand, blocking DO or AWS is huge collateral. On the other, it’s an obvious VPN endpoint and can help identify the type of traffic as something to block.
If you have access to reddit, r/dumbclub (believe it or not) has some relatively current info but it’s pretty poor signal to noise. Scratch around there for some leads though.
Note that this stuff is all brittle as hell to set up and I usually have a nightmarish time duct-taping it all together. That’s why I’m overjoyed my WireGuard tunnel has worked whenever I’ve visited for a year now.
One other left-field option, depending on your cost appetite, is a roaming SIM. Roaming by design tunnels all data back to your own ISP before routing out so even in China roaming SIMs aren’t blocked. It’s a very handy backup if you need a clear link to ssh into a box to set up the above, for example.
I've used this on multiple trips to China over the past decade (including a trip last year). You can find carriers that will charge very low (or even no) roaming rates.
Chinese forums / blogs have a lot of information about this stuff. I usually ask ChatGPT to translate "Research topic re: some form of circumvention and give me forum posts and blog posts about it" to Chinese, then paste that into DeepSeek with search enabled and just let Chrome translate the responses. Does a really good job. At least better than what I can manage with Baidu.
https://github.com/amnezia-vpn/amneziawg-go
https://github.com/wgtunnel/wgtunnel
It’s a nice technical question on how to run a VPN but the ultimate goal is not the best technical solution but the ability to avoid detection by the state. And that’s not a technical problem but an opsec one
If someone is participating in online discussions (Discord and Twitter) to spread local news, then it’s hard to know who is who, and who to trust, and that’s kind of why the Arab Spring did not spring: “hey, wear a red carnation and meet me by the corner” can become a death sentence.
The answer to opsec is avoid all digital comms, but at this point you are seriously into “regime change”, or just as Eastern Europe did, keep your heads down for forty years and hope those who leave you economically behind will half bankrupt themselves bringing you back.
I think in the end, a thriving middle class with a sufficient amount of land reform, wealth taxes which can over a generation push for liberalisation sounds a good idea.
Our job in the very lucky liberal West is to keep what our forefathers won, and then push it further to show why our values are worth the sacrifice in copying
Would it be possible for you to 'keep what our forefathers won', and then just stay at home?
It was the liberal West who helped China build the Great Firewall – Cisco, Sun Microsystems, Nortel, Siemens and others.
As long as a lucrative commercial opportunity was there, they seized upon it shoving the liberal values up the orifice where the sun does not shine.
https://www.theguardian.com/world/2025/aug/26/indonesia-prot...
Sorry I don't have a better freely accessible source, maybe someone with more knowledge can fill it in.
Yes, it's hard work. Yes, it will take a long time. Yes, you personally may not get very far with your efforts.
But if Indonesians don't take responsibility for and work to improve Indonesia then the rest of it doesn't matter.
To use them, one needs to first rent a (virtual) server somewhere from a foreign cloud provider as long as the payment does not pose a problem. The first step sometimes proves difficult for people in China, but hopefully Indonesia is not at that stage yet. What follows is relatively easy as there are many tutorials for the deployment like: https://guide.v2fly.org/en_US/
I found this article [0] summarizing the history of censorship and anti-censorship measures in China, and I think it might be of help to you if the national censorship ever gets worse. As is shown in the article, access blocking in China can be categorized into several kinds: (sorted by severity)
1. DNS poisoning by intercepting DNS traffic. This can be easily mitigated by using a DOT/DOH DNS resolver.
2. Keyword-based HTTP traffic resetting. You are safe as long as you use HTTPS.
3. IP blocking/unencrypted SNI header checking. This will require the use of a VPN/proxy.
4. VPN blocking by recognizing traffic signatures. (VPNs with identifiable signatures include OpenVPN and WireGuard (and Tor and SSH forwards if you count those as VPNs), or basically any VPN that was designed without obfuscation in mind.) This really levels up the blocking: if the government doesn't block VPN access, then maybe any VPN provider will do; but if they do, you will have a harder time finding providers and configuring things.
5. Many other ways to detect and block obfuscated proxy traffic. It is the worst (that I'm aware of), but it will also cost the government a lot to pull off, so you probably don't need to worry about this. But if you do, maybe check out V2Ray, XRay, Trojan, Hysteria, NaiveProxy and many other obfuscated proxies.
But anyways, bypassing techniques always coevolve with the blocking measures. And many suggestions here by non-Indonesians (including mine!) might not be of help. My personal suggestion is to find a local tech community and see what techniques they are using, which could suit you better.
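Item 1 in the list above (DNS poisoning mitigated by a DoT/DoH resolver), as an added example that is not part of the original comment: it builds the RFC 8484 DNS-over-HTTPS GET request that replaces a plaintext UDP query, and parses the wire-format answer. The resolver URL `https://doh.example/dns-query` and the sample response are constructed placeholders, and no network access is made.

```python
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Encode a single-question DNS query in RFC 1035 wire format."""
    # ID 0 is what RFC 8484 recommends (keeps GET URLs cacheable); 0x0100 = RD.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """Build the RFC 8484 GET URL: base64url of the message, padding removed."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={param}"


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, after, hops = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if after is None:
                after = offset + 2          # parsing resumes after the pointer
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 16:                   # a forged reply can loop pointers
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (after if after is not None else offset)


def parse_a_records(msg: bytes):
    """Return (rcode, [IPv4 addresses]) from a DNS response message."""
    if len(msg) < 12:
        raise ValueError("short message")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qd):                     # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return flags & 0x000F, addrs


def sample_response(query: bytes, ip=(192, 0, 2, 10)) -> bytes:
    """Constructed reply to `query`: one A record, name compressed to offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes(ip)
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("www.example.com")
    # On the wire this is sent with "Accept: application/dns-message" over TLS,
    # so an on-path device sees only an HTTPS connection to the resolver.
    print(doh_get_url("https://doh.example/dns-query", q))
    print(parse_a_records(sample_response(q)))
```

The query name travels inside the TLS session, but the resolver's own IP address and SNI remain visible, which is why this addresses only item 1 and not item 3.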
Is there any good DoT/DoH DNS resolver that works well in China? I know I can build one myself, but forwarding all DNS requests to my home server in NA slows down all connections...
https://www.reddit.com/r/Tailscale/comments/16zfag4/travelin...
Some good ideas, though. There seem to be OSS alternatives for TailScale control servers which would make it harder to block - I'd go that route. The top recommendation boils down to, "Set up several different methods, and one will always work".
Though if Indonesia has blocked VPNs only now, possibly they only block major providers and don't try to detect the VPN protocol itself, which would make self-hosting any VPN possible.
If those don't work you can try something like wssocks (https://github.com/genshen/wssocks) or wstunnel (https://github.com/erebe/wstunnel). It tunnels connections through WebSockets, so you can make the connection look like a regular HTTPS connection. Another option would just be a regular-old HTTPS proxy (Nginx, Apache2, etc). Set up an HTTPS proxy somewhere on the internet, connect through it, but configure it to return a regular web page if someone tries to make a non-proxy connection through it. Another tool that may help setting up is chisel (https://github.com/jpillora/chisel). Those HTTPS ones may work if, when authorities connect to the host, it returns pages that look like some kind of private video server. (Maybe run an actual video server, in addition to the proxy...) Also, try to enforce TLS 1.3 for the HTTPS server.
And another option, if all else fails, is to run a straight-up SOCKS proxy over the internet, on a weird port. It might be so obvious they aren't looking for it.
To mask your DNS requests with the SOCKS proxy, use something like Tor-DNS (https://github.com/bfix/Tor-DNS), or set up a VPN through the SOCKS proxy and use DNS through that route. Another option is DNS-over-HTTPS.
What with certain countries (they know who they are) and their hatred for encryption, it got me wondering how people would communicate securely if - for example - Signal/WhatsApp/etc. pulled out and the country wound up disconnecting the submarine cables to "keep $MORAL_PANIC_OF_THE_DAY safe."
How would people communicate securely and privately in a domestic situation like that?
At that point you've essentially lost.
You either hope another country sees value in spreading you some democracy, or you rise up and hope others join you.
Or not and you accept the protection the state is graciously providing to you.
Think about it, Aachen. If the government has enough power to censor internet traffic, then what was the first thing it censored? Which media is traditionally known for being censored or just speaking propaganda? That's the classical newspapers. It's not uncommon in authoritarian countries for editors to need the state to sign off on the day's paper. And if not that, articles are signed and publishers are known. They will auto-censor to avoid problems. Just like creators on YouTube don't comment on this one country's treatment of civilians to avoid problems.
I can only talk about Russia where I'm from — we have quite a lot of success with DPI bypass tools like GoodbyeDPI. If that fails, use VPN protocols specifically designed for censorship circumvention, like VLESS. Better yet, get yourself a VDS in another country and self-host your VPN there.
We tried things like Proton VPN and Windscribe VPN, as well as enabling MT proxy on Telegram, but soon govts find it easier to just mass ban internet access.
Use Netblocks.org to analyse the level of internet blockage and try to react accordingly.
Don't know if it will help in this situation as it's designed to be a VPN not controlled by Israel, but it might be worth a try.
SSH over socks is another option or you can run your own proxy server, nobody will ever know... This makes me wonder if you cannot just run OpenVPN on a different port like 443 since it's also TLS based.
You can see it here: https://github.com/paddlesteamer/gcrproxy. I don't know whether it works or not (maybe something has changed; it is very old code), but the idea beneath it remains. And I think it is also applicable to other cloud services, too. Cheaper (even free to some point) than having your own VPS.
Using full-blown VPNs under such environments has the disadvantage of affecting your use of domestic web services. You might want to try something like https://github.com/database64128/shadowsocks-go, which allows you to route traffic based on domain and IP geolocation rules.
i.e. One is better off tunneling over https://www.praise-the-glorious-leader.google.com.facebook.c...
include SSH traffic protocol auto-swapping on your server (i.e. no way to tell the apparent web page differs between clients), as some corporate networks are infamously invasive. People can do this all day long, and they do... =3
Uses TCP and works pretty much anywhere.
That’s basically undetectable. Long lived ssh connection? Totally normal. Lots of throughput? Also normal. Bursts throughput? Same.
Not sure how to do this on mobile.
Tailscale might be an option too (they have a free account for individuals and an exit node out of country nearly bypasses your problem). It uses wireguard which might not be blocked and which comes with some plausible deniability. It’s a secure network overlay not a VPN. It just connects my machines, honest officer.
OpenVPN or WireGuard are my tools of choice. Professionally, I also use OpenVPN's EasyRSA PKI framework for certificates, but you can just generate your keys using any tutorial out there. "OpenVPN Cookbook" ebook from Packt is my go to source. For performance reasons, WireGuard is better.
Very helpful community.
If you’ve ever worked in the DPI space and actively participated in the development or installation of state surveillance and censorship products…
Shame.
Shame.
Shame.
Of course, that would still impact international remote workers, but it's probably niche enough for the government to offload it as their problem.
1. (Easy, fast, but someday it will be blocked, because it is relatively easy to block.) Just buy a VPN. Mullvad and "Private Internet Access" are among the best.
2. (Requires experience, not fast, but the most reliable and flexible.) Get a VPS (server) somewhere and install your own VPN. VLESS is the best at this moment.
It seems to me that using WireGuard (UDP) in conjunction with something like Raptor Forward Error Correction would be somewhat difficult to block. A client could send to and receive from a wide array of endpoints without ever establishing a session and communicate privately and reliably, is that correct?
If so you can run BrowserBox in a GitHub action runner exposed via IP or ngrok tunnel. That will give you a browser in a free region. Easy set up via workflow.
You’ll need a ngrok API key and a BrowserBox key. Hit us up: sales@dosaygo.com for a short term key at a discount if it works for you.
We will offer keys for free to any journalists in censored regions.
Hope it helps!
That said, you are much less anonymous with that. But you could opt for your server using an additional VPN service to mitigate that.
ssh -D 9999 user@my.server
Then configure your browser to use local port 9999 for your SOCKS5 proxy. This gets you a temporarily usable system, and if you can tunnel this way successfully, installing some WireGuard or OpenVPN stuff will likely work.
EDIT: Thanks it's -D not -R
Why is Indonesia in chaos?
I was wondering that too, looks like https://en.wikipedia.org/wiki/2025_Indonesian_protests.
Prepare to fill in Cloudflare captchas all day, but that's what it takes to have a bit of privacy nowadays.
https://www.stunnel.org/index.html
https://github.com/yarrick/iodine
https://infocondb.org/con/black-hat/black-hat-usa-2010/psudp...
..and many many more, as networks see reduced throughput as an error to naturally route around. =3
You can also connect to some random corporate wifi and it's very likely that this will work (not necessary in "direct" mode).
Other than that: tor
Nonetheless, this is a surprisingly simple and bulletproof solution: SSH, that's not VPN, boss, I need it for work.
AWS ap-southeast-3 should still be up, and isn't in a different partition like CN, govcloud, iso etc. So a VM there and a vpc peer in the US should get you around a lot of stuff.
Also Telegram using MTProto proxies (that you have to host, do not use those free ones out there), if those don't qualify as VPNs.
I don't know if Indonesia is becoming exactly like China, so a complete crackdown, as people are discussing things as if it's for China, but I feel like there are definitely some easier things than hosting your own server or using Shadowsocks.
Check if Proton VPN/Mullvad VPN are working once please, they are definitely plug n play and Proton even offers a free tier.
Just checked with NordVPN connected to their server Indonesia #54 (Borneo) and I was able to access twitter.com (via Chrome) and Discord (via app).
I’m on iPhone.
You could also buy a VPS and use SSH tunneling to access a tor daemon running on a VPS. Host some sort of web service on the VPS so it looks inconspicuous
Be very careful with random free VPNs being shared around on WhatsApp right now, many could be honeypots.
Like others have said, the most reliable long-term fix is rolling your own. I've had a cheap VPS in Singapore for years for moments just like this. The latency is low and it's been rock solid. I'm using v2ray with a simple setup, and it's been working fine because it just looks like normal web traffic to my ISP (Indihome). The guides posted in the top comment are excellent starting points.
For my less technical friends, I've been helping them set up ProtonVPN. Their 'Stealth' protocol seems to be holding up for now, but who knows for how long. The hardest part is getting this info to people who aren't tech-savvy.
Stay safe out there, everyone. Jaga diri.
They just "blocked" Reddit today, I selected another DoH provider from the menu in my browser settings, and continued.
Not every website will allow it, but it should get you access to more than you have now.
One way they tend to "solve" workarounds is making examples of people
Here's a list of public instances hosted by volunteers: https://www.vpngate.net/en/
For anyone reading this who still lives in a somewhat free country and has resources to spare, please consider hosting a public instance or mirroring the VPN Gate site.
Esimdb is a good place to start.
It worked well for me in UAE when other solutions didn’t
let's say Github codespaces. Launch a new codespace, setup vpn or just squid. Use it.
It will not stop working unless your gov. decides to block said service (GitHub) too.
Then, setup Tailscale on the server. You can VPN into it and essentially browse the internet as someone from NA.
Obviously I have 0 real experience with this.
If so, then you have a VPN.
Indistinguishable from any other server on the internet.
There are 2 paths you can take here:
1. Roll your own VPN server on a VPS at a less common cloud provider and use it. If you're tech savvy and know what you're doing, you can get this going in <1hr. Be mindful of the downsides of being the sole user of your custom VPN server you pay for: cloud providers log all TCP flows and traffic correlation is trivial. You do something "bad", your gov subpoenas the provider who hands over your personal info. If you used fake info, your TCP flows are still there, which means your ISP's IP is logged, and deanonymizing you after that is a piece of cake (no court order needed in many countries).
2. Get a paid commercial VPN service that values your privacy, has a diverse network of endpoints and protocols. Do not use any random free VPN apps from the Play/App stores, as they're either Chinese honeypots (https://www.bitdefender.com/en-us/blog/hotforsecurity/china-...) or total scams (https://www.tomsguide.com/computing/vpns/this-shady-vpn-has-...).
Do not go with a VPN service that is "mainstream" (advertised by a Youtuber) or one that has an affiliate program. Doing/having both of these things essentially requires a provider to resort to dishonest billing practices where your subscription renews at 2-5x of the original price. This is because VPNs that advertise or run affiliate programs don't make a profit on the initial purchase for that amazing deal that's 27 months with 4 months free or whatever the random numbers are, they pay all of this to an affiliate, sometimes more. Since commercial VPNs are not charities, they need ROI and that comes only when someone rebills. Since many people cancel their subscriptions immediately after purchase (to avoid the thing that follows), the rebill price is usually significantly more than the initial "amazing deal". This is why both Nord and Express have multiple class action lawsuits for dishonest billing practices - they have to do it, to get their bag (back). It's a race to the bottom of who can offer the most $ to affiliates, and shaft their customers as the inevitable result.
Billing quirks aside, a VPN you choose should offer multiple VPN protocols, and obfuscation techniques. There is no 1 magic protocol that just works everywhere, as every country does censorship differently, using different tools.
- Some do basic DNS filtering, in which case you don't need a VPN at all, just use an encrypted DNS protocol like DoH, from any provider (Cloudflare, Google, Control D [I also run this company], NextDNS, AdGuard DNS).
- Then there is SNI filtering, where changing your DNS provider won't have any effect and you will have to use a VPN or a secure proxy (HTTPS forward proxy, or something fancier like shadowsocks or v2ray).
- Finally there is full protocol aware DPI that can be implemented with various degrees of aggressiveness that will perform all kinds of unholy traffic inspection on all TCP and UDP flows, for some or all IP subnets.
For this last type, having a variety of protocols and endpoints you can connect to is what's gonna define your chance of success to bypass restrictions. Beyond variety of protocols, some VPN providers (like Windscribe, and Mullvad) will mess with packets in order to bypass DPI engines, which works with variable degree of success and is very region/ISP specific. You can learn about some of these concepts in this very handy project: https://github.com/ValdikSS/GoodbyeDPI (we borrow some concepts from here, and have a few of our own).
Soooo... what are good VPNs that don't do shady stuff, keep your privacy in mind, have a reasonably sized server footprint and have features that go beyond basic traffic proxying? There is IVPN, Mullvad, and maybe even Windscribe. All are audited, have open source clients and in case of Windscribe, also court proven to keep no logs (ask me about that 1 time I got criminally charged in Greece for actions of a Windscribe user).
If you have any questions, I'd be happy to answer them.
quick resort: you can use Quad9 or NextDNS if they are just using the classic DPI blocking thing. if these just don't work, then there is Psiphon. it's an anti surveillance kit iirc. other comments might include more options. i just want to list the ones that i've tried and used.
Just look for any VPNs that are advertised specifically for China, Russia, or Iran. These are the cutting edge tech, they may not be so privacy-friendly as Mullvad, but they will certainly work.
So the solution is no-name providers using random ad-hoc hackery, chosen according to a criterion more or less custom designed to lead you into watering hole attacks.
Right.
If I was working for a secret service for these countries, I would set up many "VPNs that are advertised specifically for x" as honeypots to gather data about any dissidents.
If you’re worried about ending up on a list, using things that look like VPNs while the VPNs are locked down is likely to do so.
Also… your neighbors in Myanmar didn’t do a lockdown during the genocide and things got pretty fucking dire as a result. People have taken different lessons from this. I’m not sure what the right answer is, and which is the greater evil. Deplatforming and arresting people for inciting riots and hate speech is probably the best you can do to maintain life and liberty for the most people.
1. They are in most cases run by national spy agencies.
2. They will at least appear to work, i.e., they will provide you with access to websites that are blocked by the country you are in. Depending on which country's spies run the system, they may actually work in the sense of hiding your traffic from that country's spies, or they may mark you as a specific target and save all your traffic for later analysis.
My inclination is to prefer free (open-source) software that isn't controlled by a company which can use that control against its users.
This is a good start but more should be blocked. Then force ISP to block ads.
Not just for Indonesia but all countries. But we still have a lot more to do to fix the web.