
Ask HN: Is there any way besides a private VPN to make the Internet less hostile? - rootsudo
One issue I always encounter when I'm out of the USA is how hostile the Internet is.

Captchas upon endless Captchas designed to create friction, geoblocking, inability to log onto financial services because of very basic conditional access rules that don't take into account 2FA whitelisting.

Of course the customer service is non-existent, automated, or simply does not comprehend what I'm talking about and defaults to my "computer" is broken.

Running a VPN on an Azure/AWS/Digital Ocean instance is not viable because the whole IP range is blocked by automated services like Cloudflare, even if it's static.

This also applies to public VPN vendors like PrivateInternetAccess. You also run the risk of being commingled w/ other "malicious" users and general account bans by IP address from basic metadata analysis (Time/Date + IP address + Account accessed = disable access, basically) and then have to beg to be enabled, further confirm your identity and minimize plausible deniability for "risk management."

Besides running a VPN from a residential node, is there something I'm missing?
======
nunez
It's hostile because malicious actors ensure that we can't have nice things.

CAPTCHAs and reCAPTCHAs may seem nefarious and hostile...until you realize
that there are bots on AWS/Azure/${insert_cloud_here} that do nothing but try
and brute-force logging into stuff or pay for things on people's behalf
because they use passwords that were leaked ages ago and so many people use
their FB login credentials for their bank and government stuff.

You could add backoffs, retry limits, user agent verification and all sorts of
server-side tricks to slow hostile actors down, but services like Lambda make
these extremely trivial to bypass now. You could invest in machine learning to
detect hostile patterns and defend against them, but that's a really expensive
game of whack-a-mole at best and useless at worst, and blocking out IP ranges
is really, really easy in comparison.

You could do something like what India does where every service that involves
PII must be authenticated with SMS two-factor against a phone number
registered in India, but at US scale that would be hard to manage.

~~~
jiehong
If India can pull it off, “US scale” is achievable.

That is, if you only meant in terms of population size.

------
sigmaprimus
I can't think of much you could do other than maybe something through Tor, but
that comes with its own set of issues.

Your idea of running through a residential node is probably the best solution;
I would suggest getting a couple of cheap routers that are compatible with
DD-WRT, then leave one at home or with a friend and travel with the other. That
way you can connect your devices through wifi with no extra setup. I have a
router that I set up with HMA VPN about 5 years ago and it seems to get past
most geoblocking schemes, but I think that may be because the IP pool they put
me in has not gotten burned yet or I'm in a pool specifically assigned to
legacy rather than new customers.

------
NathanTinker
You could try to host an ssh/shadowsocks/v2ray tunneling server on your own
OpenWrt home router. However, you need a static public IP address for your home
router. And you can control all or specific traffic abroad through this
tunnel.

> Running a VPN on an Azure/AWS/Digital Ocean instance is not viable because
> the whole IP range is blocked by automated services like Cloudflare, even if
> it's static.

I am not sure about that. I have hosted my tunneling server on a VPS instance
for 5 years, and my IP packets have never been blocked by any website or CDN
even once. However, I don't use internet banking, so no idea about that.

~~~
contravariant
You don't need a static IP per se if you use something like duckdns to keep
track of where your router is at.

~~~
NathanTinker
Yes, that's right. A static IP is not necessary; any kind of DDNS can serve as
a workaround.

A public IP is not necessary either. A third-party service like ngrok could
reverse a tunnel.

However, a public static IP is my first choice. Easier, safer and more stable.

------
blackflame7000
Perhaps a SOCKS proxy would be more appropriate depending on your usage. You
can also use SSH forwarding to tunnel services over ssh.
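
The residential SSH/SOCKS setup discussed in this thread (a forwarding-only account on a home router reached through a DDNS name, and the client-side `ssh -D` tunnel) as an added example; it is not code from any commenter, and the user name `hop`, the host `myhome.duckdns.org` and the key path are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread. Client-side SOCKS tunnel to a home
# router plus the least-privilege server-side settings for the tunnel account.
# Hypothetical values: user "hop", DDNS host "myhome.duckdns.org", key file.
set -eu

HOME_HOST="${HOME_HOST:-myhome.duckdns.org}"   # DDNS name, assumed
TUNNEL_USER="${TUNNEL_USER:-hop}"               # forwarding-only account
SOCKS_PORT="${SOCKS_PORT:-1080}"                # local SOCKS listener

# Client command: SOCKS listener bound to loopback only, key auth only,
# keepalives so a dead link is noticed, -N so no remote shell is requested.
tunnel_cmd() {
  printf 'ssh -N -D 127.0.0.1:%s -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -o PasswordAuthentication=no -o IdentitiesOnly=yes -i ~/.ssh/hop_ed25519 %s@%s\n' \
    "$SOCKS_PORT" "$TUNNEL_USER" "$HOME_HOST"
}

# sshd_config Match block for the router: no TTY, no agent/X11/tun, and only
# client-initiated (local/dynamic) forwards, which is all -D needs.
sshd_tunnel_block() {
  cat <<EOF
Match User $TUNNEL_USER
    PasswordAuthentication no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    AllowTcpForwarding local
EOF
}

# authorized_keys line for the tunnel user: "restrict" switches every
# capability off, then only port forwarding is switched back on (OpenSSH 7.2+).
authorized_key_line() {
  printf 'restrict,port-forwarding %s\n' "$1"
}

# Route one application through the tunnel. socks5h:// makes the home side
# resolve DNS; plain socks5:// would leak the lookup to the travel network.
proxied_curl_cmd() {
  printf 'curl --proxy socks5h://127.0.0.1:%s %s\n' "$SOCKS_PORT" "$1"
}
```

Run `tunnel_cmd` to see the exact client command, and paste the output of `sshd_tunnel_block` and `authorized_key_line` into the router's `sshd_config` and the tunnel user's `authorized_keys` respectively.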

~~~
rootsudo
I'll try this instead of running an OpenVPN server. :)

------
chatmasta
> Running a VPN on an Azure/AWS/Digital Ocean instance is not viable because
> the whole IP range is blocked by automated services like Cloudflare, even if
> it's static.

This is not my experience, on AWS and also Lightsail. But it may be because
I've been using the IP for so long it's become associated with my accounts. Of
course for some services (Netflix) it's a non-starter; but I don't have a
problem with reCAPTCHA.

------
greys
There are many cool services. Not so long ago I found info about Double VPN
here: [https://veepn.com/vpn-features/double-vpn/](https://veepn.com/vpn-features/double-vpn/).
It is covered with two servers instead of one and provides the highest level of
internet security. I've already tested it and it works great.

~~~
ThePowerOfFuet
Mullvad offers double-hop VPN as well.

> provide the highest level of internet security

o.O

------
denkmoon
I know this isn't super helpful to your direct problem, but consider not using
hostile services. Are there viable alternatives to the services you need?

------
Coritenst
Blockers that are under your control, like Pi-hole and, more obliquely, NextDNS.

These are instant and adjustable filters, down to the level of rewriting paths.

