
Looking for a Networking-Friendly Host for a Connectivity Project (Censorship Circumvention)

ebido Member

Hi everyone,

I’ve been working on a project to help users in highly restricted regions regain access to the global internet. As many of you know, maintaining a stable connection in these areas is becoming increasingly difficult.

The Background:
I’ve already conducted several tests using providers in locations like Turkey. While they work to some extent, the overall quality, latency, and throughput are unfortunately not meeting the requirements for a reliable service. I’m now looking for a better-performing alternative.

The Technical Challenge:
My current solution involves a specific tunneling method that requires loose Source Address Validation (SAV) / loose uRPF. I need the ability to send packets with custom headers (where the source IP might not match the interface IP) to maintain the connection state across restrictive middleboxes.

I know how this sounds: I’m fully aware that "Disabled SAV" is often associated with DDoS activity. However, this is strictly a connectivity/freedom project. To put your mind at ease:
1. I am happy to undergo full KYC.
2. I am perfectly fine with a strict bandwidth or PPS (Packets Per Second) limit. I don't need "Gbit" spoofing capacity; I just need the routing logic to work for my users.
3. This is about bypassing censorship, not attacking others.

What I need:
* A VPS provider that is "networking-friendly" and allows this kind of header flexibility.
* Decent peering (preferably better than what we typically see in the TR region).
* A transparent relationship with the host—I’d rather tell you what I’m doing than have my account flagged later.

If you are a provider who supports these kinds of projects, or if you know a host that is open to network-level experimentation for a good cause, please reach out or comment below.

Thanks in advance!

Thanked by 1384_cz

Comments

  • NushairAlvi 🚩 Host Rep Tag Suspended

    First comment...

  • rpqu Member

    So, Iran ?

  • ebido Member

    @rpqu said:
    So, Iran ?

    Haha, you caught me! To be fair, things have been looking a bit better lately and access is starting to open up a little. But as they say, it’s always better to be prepared for the future... assuming there’s any future left to plan for! :))

    Thanked by 1forest
  • forest Member

    Out of curiosity, what is the connectivity of Snowflake like over there? Has it been getting better? Worse?

    Thanked by 2yoursunny tentor
  • @Murv what we thinkin?

    Thanked by 3whynotlearn oloke Murv
  • Murv Member, Megathread Squad

    @sillycat said:
    @Murv what we thinkin?

    Uh... I think IP spoofage is goon and I use it to good everyday. (Shout out to @Alyx (ᵔ ᵕ ᵔ˶) ♡)
    Also apparently there's some new working SNI spoofage method now that they've eased the shutdown a bit.
    I was also thinking about the new Nekopara game Nekopara Sekai Connect that's out now. I like catgirls.

    Thanked by 3forest oloke navidmafi
  • RickBakkr Member, Patron Provider, LIR

    I wonder how this mechanism works exactly .. there are many use cases where the source IP won't match the 'primary' IP, but it will still be an IP that is routed (partially) to that server.

    If you don't feel like sharing in public, please feel free to write in DM to evaluate if this is something we can accommodate without allowing plain spoofing :-)
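
The distinction raised in the comment above, between a source address that is routed to the server and plain spoofing, shown as a provider-side source address validation check. This is an added example, not part of the thread or any provider's configuration; the port names and prefixes are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges, not real assignments).
# Prefixes the provider routes to each customer port: primary IP first, then extras.
ROUTED_TO_PORT = {
    "vm-port-1": ["192.0.2.10/32", "198.51.100.0/29"],
    "vm-port-2": ["192.0.2.11/32"],
}
# Every prefix the router has a route for, via any interface.
FIB = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]


def _in_any(src, prefixes):
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def primary_only(port, src):
    """Accept only the port's primary address."""
    return _in_any(src, ROUTED_TO_PORT[port][:1])


def strict_sav(port, src):
    """Strict uRPF-style check: the route back to src must point at this port."""
    return _in_any(src, ROUTED_TO_PORT[port])


def loose_sav(port, src):
    """Loose uRPF-style check: src only needs some route, on any interface."""
    return _in_any(src, FIB)


def evaluate(port, src):
    return {
        "primary_only": primary_only(port, src),
        "strict": strict_sav(port, src),
        "loose": loose_sav(port, src),
    }


if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.3", "203.0.113.7", "10.0.0.1"):
        print(src, evaluate("vm-port-1", src))
```

A secondary address routed to the port passes the strict check, while an address belonging to another network passes only the loose check, which is why loose mode does not stop a customer from sourcing traffic as someone else.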

  • Murv Member, Megathread Squad

    @RickBakkr said: I wonder how this mechanism works exactly

    The gov't here whitelists certain IPs even during the shutdowns, people spoofage such IP from both inside and outside to send UDP/ICMP packets.

    Thanked by 4forest oloke ebido zGato
  • forest Member

    @Murv said:

    @RickBakkr said: I wonder how this mechanism works exactly

    The gov't here whitelists certain IPs even during the shutdowns, people spoofage such IP from both inside and outside to send UDP/ICMP packets.

    Is there ever a situation where ICMP would work and UDP wouldn't? Because UDP can always carry a bigger payload than trying to smuggle it in ICMP.

  • Murv Member, Megathread Squad

    @forest said: Is there ever a situation where ICMP would work and UDP wouldn't?

    Yes, plain WireGuard traffic to outside is blocked but WireGuard-over-ICMP works fine.
    Though it doesn't really matter in a spoof setup, I'm using plain UDP WireGuard with some nftables rules to spoof the source address.

    Thanked by 1navidmafi
  • ebido Member

    @forest said:
    Out of curiosity, what is the connectivity of Snowflake like over there? Has it been getting better? Worse?

    To be honest, Snowflake is a bit of a cat-and-mouse game here. It’s been "breathing" lately, but it's inconsistent. When the DPI kicks in hard, it gets throttled to the point of being unusable, then a new workaround brings it back for a while. We can't really rely on it as a primary backbone anymore, which is why I’m looking for more... structural solutions.


    @Murv said:
    Uh... I think IP spoofage is goon and I use it to good everyday. Also apparently there's some new working SNI spoofage method now that they've eased the shutdown a bit. I was also thinking about the new Nekopara game Nekopara Sekai Connect that's out now. I like catgirls.

    Haha, glad to see someone who appreciates the 'art' of header manipulation! ;) The SNI tricks are definitely keeping the lights on for now, but as the filters get smarter, we need to go deeper into the stack. Also, respect for the Nekopara shout-out—priorities, right? Catgirls might be the only thing the firewalls haven't figured out how to block yet!


    @RickBakkr said:
    I wonder how this mechanism works exactly .. If you don't feel like sharing in public, please feel free to write in DM to evaluate if this is something we can accommodate without allowing plain spoofing :-)

    @RickBakkr Precisely! It's about custom routing logic for state maintenance, not volumetric "plain spoofing." I've just sent you a DM with the technical breakdown of what I'm trying to achieve. Looking forward to your thoughts!
