Hacker News new | ask | show | jobs
by votkon 711 days ago
those protocols that can be configured from iOS are already blocked in Russia. You'll need an obfuscated Wireguard or other stealth protocols to make it work there. You can't configure them from the settings, but you can download the app and just add the configs there. That's what Le VPN does with Le VPN Give - they just give away the coupons to generate a VPN config, which you then just copy into the open source VPN app, which is still available in App Store.
1 comments
lwtve 710 days ago
I've not tested protocols that are available on iOS "out of the box" (guessing L2TP, IPSec?), but here's my two cents:

1. It differs from ISP to ISP. Right now I'm using a major ISP and I have no problems connecting to a Hetzner IP via:

- plain WG

- OpenVPN

- Shadowsocks

My mobile operator blocks OpenVPN, other methods work.

2. Time could also play a role - there seem to be "tests" about how the government could block some protocols without affecting business etc. - these happen bi-monthly and last ~2-5 days. My friend uses a different major ISP and he reported broken Shadowsocks this week, though it started working again.

3. The endpoint also matters (obvious in hindsight). "Internal" endpoint seem to "break" very rarely, if at all. Obvious, if you consider that a lot of people need to remote into their corp nets.

link
votkon 710 days ago
The main difference there is right now is that mobile operators have much better hardware because it's newer. That makes it easier for them to implement government-requested blocks including using DPI. The landscape is changing right now, that's true as each provider got it's own issues and tech abilities.

They can block services by IPs, but that the game they failed miserably while trying to block telegram. Also most modern VPNs(well at least Le VPN does it) rotate their IPs to avoid blocks. It's a lot of work, but that's a lot of work for those who try to block them too..

They can also block ports, but that's easy to change.

I saw them blocking the domain names, to kill the API communication of VPN apps, but that's a pathetic move too - you just buy another domain, push the update and that's it.

I'd recommend using Wireguard with Amnezia modification. It obfuscate the WG handshake as well as transport channel.

link