this post was submitted on 16 Mar 2026
35 points (97.3% liked)


Hi, I'm looking for a VPN that:

  • is easily deployable via a docker-compose
  • has an Android App and it doesn't drain the battery too much
  • hides as regular HTTPS traffic so it's not blockable by Firewalls. (I don't need strong censorship resistance; it just has to work in offices and hotel WiFis.)
  • Bonus: A server like caddy can also accept HTTPS traffic for some regular websites next to the VPN server.

https://github.com/TrustTunnel/TrustTunnel sounds interesting, but the PR for docker compose was closed.

Do you know something else?

[–] black0ut@pawb.social 1 points 1 hour ago

If you want a decently hidden VPN, I recommend setting up an OpenVPN instance, with a TCP tunnel, encapsulated within Stunnel. It manages to stay hidden even with DPI.

The setup is a bit convoluted, especially if you want everything to use certificates for maximum security. It's also not the fastest VPN, and TCP isn't the most efficient for a VPN. But it's decent enough for a normal user.

You can set it up on both Linux and Windows, even having both ends of the tunnel on Windows, but it's easier and better to set it up on Linux.

[–] Drusenija@aussie.zone 1 points 2 hours ago

My go to choice for this is ocserv to run a Cisco AnyConnect server, and sniproxy to sit on port 443 and handle traffic routing. You configure sniproxy to go to a different server by hostname, and configure ocserv as the fallback option to access the VPN. Any host I expose via sniproxy provides its own HTTPS certificate via my Traefik server.

[–] ikidd@lemmy.world 7 points 13 hours ago

You can obfuscate Wireguard with a SOCKS proxy.

[–] cmnybo@discuss.tchncs.de 9 points 16 hours ago

You can use stunnel to make your VPN look like HTTPS.

[–] black_flag@lemmy.dbzer0.com 4 points 15 hours ago (1 children)
[–] BiggestPiggest@lemmy.world 1 points 3 hours ago

Yeah. This.

[–] meme_historian@lemmy.dbzer0.com 9 points 20 hours ago (1 children)

Wireguard on a VPS and run it through port 443. That should get you through most things that don't do TLS inspection

[–] iopq@lemmy.world 4 points 18 hours ago

So, not resistant to blocking

[–] irmadlad@lemmy.world 5 points 20 hours ago (1 children)

resistant to blocking?

That's going to be the sticky wicket right there. It is rather trivial for server admins to know what IPs go with VPNs and not. Wireguard is about the best thing on the planet right now, imho, but it will also get blocked. Occasionally, I will happen on a site that outright blocks me. If I can't bend the site to my will, I just move on. The information on the blocked site will 9 times out of 10 be found duplicated somewhere else.

One 'trick' I've found works fairly well is Opera. So, when I go to pay my bills online, my VPN coupled with the way I have Firefox configured, will trigger a block. I can fire up Opera, engage its built-in VPN, still keep my local VPN connected, and have no problem accessing my bills. It's not an elegant solution, and some users have preclusions to Opera. However, that generally works for me.

[–] iopq@lemmy.world 4 points 18 hours ago (1 children)

Wireguard is not resistant to blocking, it is plain as day if you're using wireguard and China had blocked it for years

[–] irmadlad@lemmy.world 3 points 18 hours ago (1 children)

I sort of said as much. It really doesn't matter, imho, what you use. As soon as that service becomes abused globally, everyone blocks it, including Tor. Any server using DPI or TLS will spot it a mile away. Now, if you have a foolproof way, then I am very much ready to be educated.

[–] iopq@lemmy.world 0 points 4 hours ago

It does matter.

When I connect to my VPN, the network sees that the server name is yahoo.com

It actually connects to my server which sends the request to yahoo.com and then replies with the cert. So the network sees that yahoo.com sent the cert back to my client from that IP address

Then there is a bunch of encrypted communication with timings and sizes that look like I'm downloading stuff over http.

I'd like to hear a credible model of blocking this

[–] spaghettiwestern@sh.itjust.works 3 points 19 hours ago (2 children)

I've run Wireguard on 443 (on my router) for exactly that purpose and never had a problem, even when my standard WG port was blocked by some businesses. I've since had to move to port 587 due to router conflicts and it's worked fine so far too.

The battery drain on Android is negligible (at least for my uses) and WG is activated by Tasker whenever my home wifi is out of range. From what I can see WG is configurable via Docker compose.

[–] hellmo_luciferrari@lemmy.zip 2 points 18 hours ago (1 children)

Have you tried [WG Tunnel](https://github.com/zaneschepke/wgtunnel)?

I use this WG client and it has options for auto-tunneling

[–] spaghettiwestern@sh.itjust.works 2 points 16 hours ago (1 children)

Thanks for the link. Will take a look.

[–] hellmo_luciferrari@lemmy.zip 1 points 15 hours ago

I quite like the option! I do love tasker, but if I only need auto tunneling this does it quite well!

[–] iopq@lemmy.world -2 points 18 hours ago (3 children)

Doesn't work in China, can be easily blocked by censors

[–] eleitl@lemmy.zip 1 points 1 hour ago

Russia has harsher blocks than China, meanwhile.

[–] spaghettiwestern@sh.itjust.works 5 points 16 hours ago* (last edited 16 hours ago) (1 children)

Who said anything about China?

OP: "I don’t need strong censorship resistance; it just has to work in offices and hotel WiFis."

[–] moonpiedumplings@programming.dev -1 points 8 hours ago (1 children)

Many of the prominent https VPN protocols are for evading the great firewall of China. OP had that as a requirement, so it is not an unreasonable assumption.

If you are evading less locked down firewalls, then you don't need as stealthy VPNs.

[–] spaghettiwestern@sh.itjust.works 4 points 8 hours ago* (last edited 8 hours ago) (1 children)

> Many of the prominent https VPN protocols are for evading the great firewall of China. OP had that as a requirement

OP said exactly the opposite. Where the fuck do you get this stuff?

[–] moonpiedumplings@programming.dev -2 points 7 hours ago* (last edited 7 hours ago)

> hides as regular HTTPS traffic so it’s not blockable by Firewalls

From OP's post, of course. If OP does not need to evade firewalls that are that aggressive, then they should have settled for a less stealthy VPN solution, as many of these HTTPS proxy solutions have performance and usability (can often only proxy TCP traffic) tradeoffs.

Perhaps they have already tried the wireguard on port 443 solution, and it didn't work for them. My high school would auto detect and block wireguard to any port. Perhaps they are in a similar situation.

[–] sunbeam60@feddit.uk 2 points 15 hours ago (1 children)

Most Chinese exits through port snooping. And you really need to be on a Chinese corp network to know - if you take your western mobile there they do very little blocking.

I’ve been fairly successful with most China corp networks letting me out and in to self-hosted WG server on port 123.

[–] iopq@lemmy.world 1 points 5 hours ago

Because if you're roaming it creates a VPN, basically through the Chinese network

But if you want a lot of data, like for YouTube, you're not going to want to pay roaming rates

[–] iopq@lemmy.world 2 points 18 hours ago* (last edited 18 hours ago) (1 children)

Use xray. I suggest the REALITY + XHTTP setup where you look like another h2 server

You can docker compose your panel for managing your server, get a free subdomain from afraid.org and set up tls on it

I use the v2rayng mobile app since I don't switch servers much, I only have two

[–] pr3d@eviltoast.org 0 points 16 hours ago (2 children)
[–] iopq@lemmy.world 2 points 4 hours ago

Xray-core is the one you want, very hard to block

[–] moonpiedumplings@programming.dev 3 points 8 hours ago* (last edited 8 hours ago)

Yes because they are all designed to evade the great firewall of China, which automatically catches almost all other VPNs and proxies.

Github is blocked in China. The fact that these repos are on Github and Chinese is proof of their effectiveness.

[–] moonpiedumplings@programming.dev 1 points 17 hours ago (1 children)

It's not quite a VPN, but it is very resistant against blocking:

https://programming.dev/comment/22662028

[–] pr3d@eviltoast.org 1 points 16 hours ago

ok, not what I've been looking for, but they provide a docker-compose.yaml. Looks simple

[–] Decronym@lemmy.decronym.xyz 1 points 18 hours ago* (last edited 1 hour ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

| Fewer Letters | More Letters |
|---|---|
| HTTP | Hypertext Transfer Protocol, the Web |
| HTTPS | HTTP over SSL |
| IP | Internet Protocol |
| SSL | Secure Sockets Layer, for transparent encryption |
| TCP | Transmission Control Protocol, most often over IP |
| TLS | Transport Layer Security, supersedes SSL |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |

[Thread #171 for this comm, first seen 16th Mar 2026, 17:30]