a VPN that is easily self-hostable and resistant to blocking?
from pr3d@eviltoast.org to selfhosted@lemmy.world on 16 Mar 14:57
https://eviltoast.org/post/25539021
from pr3d@eviltoast.org to selfhosted@lemmy.world on 16 Mar 14:57
https://eviltoast.org/post/25539021
Hi, i’m looking for a VPN that:
- is easily deployable via a docker-compose
- has an Android App and it doesn’t drain the battery too much
- hides as regular HTTPS traffic so it’s not blockable by Firewalls. (I don’t need strong censorship resistance; it just has to work in offices and hotel WiFis.)
- Bonus: A server like caddy can also accept HTTPS traffic for some regular websites next to the VPN server.
github.com/TrustTunnel/TrustTunnel sounds interesting, but the PR for docker compose was closed.
Do you know something else?
#selfhosted
threaded - newest
That’s going to be the sticky wicket right there. It is rather trivial for server admins to know what IPs go with VPNs and not. Wireguard is about the best thing on the planet right now, imho, but it will also get blocked. Occasionally, I will happen on a site that outright blocks me. If I can’t bend the site to my will, I just move on. The information on the blocked site will 9 times out of 10 be found duplicated somewhere else.
One ‘trick’ I’ve found works fairly well is Opera. So, when I go to pay my bills online, my VPN coupled with the way I have Firefox configured, will trigger a block. I can fire up Opera, engage it’s built in VPN, still keep my local VPN connected, and have no problem accessing my bills. It’s not an elegant solution, and some users have preclusions to Opera. However, that generally works for me.
Wireguard is not resistant to blocking, it is plain as day if you’re using wireguard and china had blocked it for years
I sort of said as much. It really doesn’t matter, imho, what you use. As soon as that service becomes abused globally, everyone blocks it, including Tor. Any server using DPI or TLS will spot it a mile away. Now, if you have a fool proof way, than I am very much ready to be educated.
Wireguard on a VPS and run it through port 443. That should get you through most things that don’t do TLS inspection
So, not resistant to blocking
I’ve run Wireguard on 443 (on my router) for exactly that purpose and never had a problem, even when my standard WG port was blocked by some businesses. I’ve since had to move to port 587 due to router conflicts and it’s worked fine so far too.
The battery drain on Android is negligible (at least for my uses) and WG is activated by Tasker whenever my home wifi is out of range. From what I can see WG is configurable via Docker compose.
Have you tried [github.com/zaneschepke/wgtunnel](WG Tunnel)
I use this WG client and it has options for auto-tunneling
Thanks for the link. Will take a look.
I quite like the option! I do love tasker, but if i only need auto tunneling this does it quite well!
Doesn’t work in China, can be easily blocked by censors
Who said anything about China?
OP: “I don’t need strong censorship resistance; it just has to work in offices and hotel WiFis.”
Most Chinese exits through port snooping. And you really need to be on a Chinese corp network to know - if you take your western mobile there they do very little blocking.
I’ve been fairly successful with most China corp networks letting me out and in to self-hosted WG server on port 123.
Use xray. I suggest the REALITY + XHTTP setup where you look like another h2 server
You can docker compose your panel for managing your server, get a free subdomain from afraid.org and set up tls on it
I use the v2rayng mobile app since I don’t switch servers much, I only have two
the repos i’ve found do not look very trustworthy. github.com/2dust/v2rayNG github.com/XTLS/Xray-core well its chinese
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
5 acronyms in this thread; the most compressed thread commented on today has 16 acronyms.
[Thread #171 for this comm, first seen 16th Mar 2026, 17:30] [FAQ] [Full list] [Contact] [Source code]
It’s not quite a VPN, but it is very resistant against blocking:
programming.dev/comment/22662028
ok, not what i’ve been looking for, but they provide a docker-compose.yaml. Looks simple
You can use stunnel to make your VPN look like HTTPS.
For your exact use case (hiding as HTTPS, Docker, works behind restrictive firewalls), I would strongly recommend looking at:
WireGuard + wstunnel — WireGuard itself is great but easily blocked. Wrapping it in wstunnel makes it look like regular WebSocket/HTTPS traffic. Docker-compose setup is straightforward.
Cloak + OpenVPN/Shadowsocks — Cloak is specifically designed to make VPN traffic look like normal HTTPS to a CDN. Very effective against DPI.
Headscale (self-hosted Tailscale control server) — not inherently resistant to blocking, but combined with a DERP relay behind Caddy, it works well on most networks. The Tailscale Android app is excellent on battery life.
For the Caddy coexistence requirement specifically, wstunnel is probably your best bet since it literally runs as a WebSocket endpoint that Caddy can reverse proxy alongside your regular sites.
I have been running a similar setup (WireGuard over wstunnel behind Caddy) on a small VPS and it has worked through hotel and airport WiFi without issues.
Amnezia?