> Second, even if I installed a VPN on my main machine, what about my phone? My laptop? My desktop? Every device would need the VPN running, and I’d have to remember to connect it before browsing. It’s messy.
This is what routers are for. My router (a cheap fanless box with several network ports running linux) is the only thing on my network that knows there's a VPN. I can selectively route whatever I want through it, including having a separate SSID/VLAN from which everything is routed through the VPN. It's wireguard based so there's no "installing a VPN", just an interface/network configured in systemd-networkd (once, on the router).
Edit: Routing by domain name could be tricky, though. I haven't had a need for that, and a proxy with local DNS override (as in the article) might be needed if it came to that. I'd still do it on the router, though.
This is it. For years, I had a stable IPSec connection from Germany to the US, where packets would be routed selectively for the convenience of web browsing without geo-blocks. It was a bit excessive for what it did, but the technical challenge of trying it was worth it. [1]
Useless in modern days though. IP addresses with anything backed by any cloud/CDN can vanish whenever they want, you'll always need to keep track of the upstream DNS responses.
That's extra fun if you do site-to-site-VPNs with a major customer. Won't name names, but they do have a habit of going through IP renumbering sprees every year or two and it's a true pain to keep the routing table, Zerotrust provider config and firewall rulesets in sync.
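Added example, not code from any commenter: one way to keep a route or firewall set in step with changing DNS answers, as the two comments above describe. The function names, the 60-second grace period and the documentation-range addresses in the comments are assumptions made for the illustration.

```python
import ipaddress


def usable(addr):
    """Reject answers that must never become a route or firewall entry."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return not (ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified)


def reconcile(installed, answers, now, grace=60):
    """Compute the changes needed after a fresh DNS response.

    installed: {ip: expiry_epoch} entries currently in the route/firewall set.
    answers:   [(ip, ttl_seconds)] from the latest upstream DNS response.
    Returns (to_add, to_remove, new_state, rejected).
    """
    # Keep old addresses until TTL plus grace has passed: clients may still
    # hold them in their own DNS caches.
    new_state = {ip: exp for ip, exp in installed.items() if exp + grace > now}
    rejected = []
    for addr, ttl in answers:
        try:
            ok = usable(addr)
        except ValueError:
            ok = False
        if not ok:
            # A DNS answer is untrusted input driving a firewall change,
            # so anything odd is reported instead of installed.
            rejected.append(addr)
            continue
        ip = str(ipaddress.ip_address(addr))  # canonical text form
        new_state[ip] = max(new_state.get(ip, 0), now + ttl)
    to_add = sorted(set(new_state) - set(installed))
    to_remove = sorted(set(installed) - set(new_state))
    return to_add, to_remove, new_state, rejected


# Constructed sample: one stale entry, one refreshed, one new, two bad answers.
SAMPLE_INSTALLED = {"192.0.2.10": 1000, "192.0.2.11": 1300}
SAMPLE_ANSWERS = [("192.0.2.11", 300), ("198.51.100.7", 300),
                  ("127.0.0.1", 300), ("not-an-ip", 60)]
```

The `rejected` list is worth logging: a loopback or malformed answer for a name that feeds a ruleset is a sign of a broken or tampered resolver path.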
I like protectli boxes. x86, low power, coreboot options, lots of network interfaces. The apus everyone recommends (myself included) are no longer available :(
Two devices I use - both running Debian, and both being open-source hardware to some degree or other:
PC Engines APU2, AMD x86_64, 4-core, 4GiB, 3x Gigabit Ethernet, 3 x mini PCIe, SIM slot, USB 3, Serial, SATA ports. Mine has dual band WiFi in one mPCIe, SSD in another.
Turris Mox, Marvell aarch64. This can expand via plug and go via a range of extension modules. I've got one with 25 Gigabit (3 x 8-port modules) Ethernet, 1 x SFP, 5 x USB3, Wifi, Serial.
I'm running OPNSense on a GMKtec G9 (a N150-based NUC with dual 2.5Gbps NICs), and a cheap managed switch. All-in, you can get it today for well under $300. Even that is rather overpowered for running my house.
The toughest component to pin down was a mesh wifi system that supports tagging VLAN segments. That's almost exclusively enterprise territory, so it's hard to find something affordable.
Also not the OP, but I use a NanoPi M5 for my home router. I've got OpenWRT (technically FriendlyWRT, but it's the same) running on it with Docker for running NGINX and Pi-hole.
You can do it like this, or (easier IMO if your router doesn't support it) you can just set up a Raspberry Pi as a VPN router, then set your DHCP server on your router to hand out the RPi's address. You can then switch to the normal connection at any point you need by just changing your default gateway back to .1
My solution to this is to have a centralised VPN splitter (x-ray/singbox) sitting on an RPi, with Tailscale attached to it. This makes it available from anywhere if the device is on the TS network. With the added benefit of rule-based geo splitting to various zones.
I was hoping, from the title ("Geo-Unblocked") that this would be about arranging an IP address block that wasn't associated with the UK, rather than just selectively running some traffic through a VPN.
Sometimes. You can publish whatever geolocation data file you want, but others aren't required to respect that file. It's known that geolocation providers run pings and traceroutes from different locations as well as looking at BGP data.
I don't think that would work though. If you changed your WAN address it wouldn't be dissimilar from changing your IP to a different schema on a machine in a given network, no? It just wouldn't work at all.
"Is this overkill for viewing the occasional Imgur image? Probably."
From the last couple of weeks of researching some stuff, it makes perfect sense - I keep stumbling across blogs and documentation that uses Imgur, and it's really quite annoying that I can't see the screenshot or image that is being referenced. It hasn't /quite/ hit the point to put something in place, but this is super helpful for the final straw - when it comes!
It's been eye-opening how far-reaching Imgur really is - for example, some of the images on the Core Devices (the new Pebble folks) website are actually on Imgur.
This simple block is relatively trivial to bypass - but if they disappear tomorrow, a lot of things break.
> but if they disappear tomorrow, a lot of things break.
Tale as old as time, long-running forums are graveyards of dead Photobucket, Tinypic and Imageshack embeds. Imgur has lasted longer than most but the cycle will probably repeat eventually, especially since they were acquired by faceless corpos a few years ago.
Overkill right now, probably, but the Government seems hell-bent on locking down access to more and more things that we see as completely normal, so I'd say that it's forward planning.
When that happens, most VPN providers will face similar destiny.
Which means that we'll all have to run our own VPNs, possibly masquerading as HTTPS traffic, if that remains viable against government interference (eg. they might ask to re-encrypt all traffic by ISP-level certs, and block any traffic unreadable by them).
also, if foreign servers notice no real loss of traffic because people just circumvent draconian censorship measures from authoritarian regimes, then they can more safely ignore them without real repercussions
the EU seems to be following soon, so it's important that people have readily available tools so the power dynamics change and it doesn't become economically unfeasible to refuse censorship pressures
Imgur is one of the more annoying UK geoblocks because they persist it with cookies, so if you want to view something you can’t just switch to VPN for a second without also changing browser sessions.
Reddit is worse… you can’t even view someone’s profile if they’ve ever submitted a post labeled NSFW.
Why would they do that? (Not a rhetorical question, just curious). It would suffice to block UK IPs for compliance, if visitors use a VPN to circumvent that Imgur would get more traffic and more ad revenue. No reason to put extra work into blocking those users.
Gives them proof they did their best to "protect minors" even if they circumvented the GeoIP rule: someone trying and realising it still does not work might get X percentage to not bother further thinking there was something smarter at play and not just GeoIP (which there is).
Could be for performance? Basically cache the group lookup result into a signed cookie that can be checked at the edge rather than needing to do a geoip lookup for every request.
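Added example, not Imgur's code and not from any commenter: a sketch of the mechanism the comment above speculates about, where the result of one GeoIP lookup is cached in an HMAC-signed cookie that an edge node can verify without repeating the lookup. The key, field names and cookie layout are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment would load this from a secret store.
EDGE_KEY = b"constructed-demo-key-not-a-real-secret"


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_geo_cookie(region, ttl, now=None):
    """Run once after the slow GeoIP lookup; stores its result client-side."""
    now = time.time() if now is None else now
    payload = json.dumps({"region": region, "exp": int(now) + ttl},
                         separators=(",", ":")).encode()
    tag = hmac.new(EDGE_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)


def check_geo_cookie(cookie, now=None):
    """Edge-side check: the cached region, or None to force a fresh lookup."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except ValueError:  # wrong field count or invalid base64
        return None
    expected = hmac.new(EDGE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)  # only parsed after the MAC has verified
    if claims["exp"] <= now:
        return None
    return claims["region"]
```

Because the decision lives in the cookie until `exp`, it follows the browser session rather than the current source address, which matches the sticky behaviour described earlier in the thread.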
Maybe, maybe not. It'll be significantly harder for the EU to target decentralised services with no organisation behind them. It'll be far easier for them to put every major tech site which accepts VPN traffic into the box of organisations they can still fine. I'm not entirely sure the wider population will really care all that much once the dust settles. The internet works in China, and people are happy with it, and while we can agree that is probably what you'd call the dark age, you'll need significant public opposition to do anything about it. I think we'll sadly see most major tech sites adopt whatever age verification tool the EU builds. They did with all the various forms of payment system, though this was obviously helped along by the API provided by companies like Visa.
Honestly you could probably even use the 0 cost back charge that visa has, which is used by some finance services to verify that you are who you say you are through the visa connection to your national digital identity.
This can be done on UniFi using policy based routing too trivially if anyone wants to repeat this.
Instructions using the unifi mobile app as it’s what I have to hand:
1) download wireguard conf file from vpn provider. On mobile app settings -> vpn client -> add new -> wireguard. Upload the file and save it
2) settings -> policy engine -> policy based routes. New. Select what to route -> specific traffic. Source = all devices. destination = domain name. Here add any domains you like. Interface = add the vpn you added in step 1
Wow, this is unbelievable. I thought UniFi was a premier networking product. Certainly its price would suggest so. Not supporting IPv6 in 2025 is unacceptable.
I've done similar. But I just used PBR (policy based routing) on my OpenWRT router. Took about 15 minutes to set it up. You can pick which domains go through VPN. Works great.
I feel like I'd rather solve this with a proxy PAC file. I recently started using this on airplane Wi-Fi where they'd block VPNs, but strangely not SSH. Dynamic forwarding with a good PAC to "direct" connect the onboard entertainment and flight tracking hosts/URLs works great!
they block VPNs too, if yours is working it's just a matter of time until they get to it. Avoid using imgur entirely. What I find insidious is that unlike reddit and some other sites, they won't tell you it's blocked, they'll give you this:
{"data":{"error":"Imgur is temporarily over capacity. Please try again later."},"success":false,"status":403}
[1]: https://du.nkel.dev/blog/2021-11-19_pfsense_opnsense_ipsec_c...
Do you remember the name of the product?
https://www.friendlyelec.com/index.php?route=product/product...
2GB Pi5 maxes out the 1Gb port.
https://blog.lyc8503.net/en/post/asn-5-worldwide-servers/
that made multiple forums I've been on rush to download everything to their servers
Internet as we know it is fading away.
I ended up making a long list of firewall rules to block specific sites' IPv6 ranges, which worked until I hit Cloudflare-backed sites.
I’m really hoping UniFi start supporting IPv6 WireGuard soon.