> Second, even if I installed a VPN on my main machine, what about my phone? My laptop? My desktop? Every device would need the VPN running, and I’d have to remember to connect it before browsing. It’s messy.
This is what routers are for. My router (a cheap fanless box with several network ports running linux) is the only thing on my network that knows there's a VPN. I can selectively route whatever I want through it, including having a separate SSID/VLAN from which everything is routed through the VPN. It's wireguard based so there's no "installing a VPN", just an interface/network configured in systemd-networkd (once, on the router).
Edit: Routing by domain name could be tricky, though. I haven't had a need for that, and a proxy with local DNS override (as in the article) might needed if it came to that. I'd still do it on the router, though.
This is it. For years, I had a stable IPSec connection from Germany to the US, where packets would be routed selectively for the convenience of web browsing without geo-blocks. It was a bit excessive for what it did, but the technical challenge of trying it was worth it. [1]
You can do it like this, or (easier IMO if your router doesn't support it) you can just setup a raspberry pi as a VPN router then set you dhcp server on your router to hand out the RPIs address. You can then switch on to the normal connection at any point you need by just changing your default gateway back to .1
2GB Pi5 maxes out the 1Gb port.
> This is what routers are for.
Useless in modern days though. IP addresses with anything backed by any cloud/CDN can vanish whenever they want, you'll always need to keep track of the upstream DNS responses.
That's extra fun if you do site-to-site-VPNs with a major customer. Won't name names, but they do have a habit of going through IP renumbering sprees every year or two and it's a true pain to keep the routing table, Zerotrust provider config and firewall rulesets in sync.
You can just use FoxyProxy instead of a separate browser instance. This firefox addon will use a proxy based on URL patterns.
You don't even need an extension - FF can do it natively via proxy file
You can do this in the configuration for Firefox containers too.
> a cheap fanless box with several network ports running linux
Do you remember the name of the product?
Not the poster you're responding to, but...
I'm running OPNSense on a GMKtec G9 (a N150-based NUC with dual 2.5Gbps NICs), and a cheap managed switch. All-in, you can get it today for well under $300. Even that is rather overpowered for running my house.
The toughest component to pin down was a mesh wifi system that supports tagging VLAN segments. That's almost exclusively enterprise territory, so it's hard to find something affordable.
I like protectli boxes. x86, low power, coreboot options, lots of network interfaces. The apus everyone recommends (myself included) are no longer available :(
Two devices I use - both running Debian, and both being open-source hardware to some degree or other:
PC Engines APU2, AMD x86_64, 4-core, 4GiB, 3x Gigabit Ethernet, 3 x mini PCIe, SIM slot, USB 3, Serial, SATA ports. Mine has dual band WiFi in one mPCIe, SSD in another.
Turris Mox, Marvel aarch64. This can expand via plug and go via a range of extension modules. I've got one with 25 Gigabit (3 x 8-port modules) Ethernet, 1 x SFP, 5 x USB3, Wifi, Serial.
Just a heads up that PC Engines is winding down. The chip they use in the APU2 is EOL, and they've decided to shut down altogether.
> Far from it, there are separate registration and recycling schemes for each of the 28+ EU member jurisdictions (and even a few of their provinces). What part of COMMON MARKET was so hard to understand for EU lawmakers ?
Since there is no single registration available, and separate registration would involve mindboggling complexity, bureaucracy and costs, we do not sell to EU end users until the EU gets their act together. Please order from EU based distributors, or as a business customer.
> Business customers are expected to meet their obligations by registering in the EU countries they sell in.
> Wildly ironic that an EU company doesn't ship to the EU.
Switzerland is not part of the EU in this timeline... But their rant sounds very much like an excuse, the WEEE is in effect at least since 2021:
"All EU Member States are required to adopt the Waste Electrical and Electronic Equipment (WEEE) Directive 2012/19/EU, which sets rules for the collection, treatment, and recycling of electronic waste. However, some countries were granted an extension until August 2021 to meet the collection targets due to infrastructure limitations, including Bulgaria, Czechia, Latvia, Lithuania, Hungary, Malta, Poland, Romania, Slovenia, and Slovakia" - courtesy Google AI overview
Being based in Switzerland, which is not a member state, PC Engines is not an EU company.
And in the end, 90% of people will throw it in the trash with everything else. I'm actually in the other 10%, but I live in the middle of a big city where I have electronic waste container like 300m away.
Btw, that's an awful website. I like simple minimalistic websites, but some people confuse "simple" with "give literally 0 fucks about the reader" and then I have 50-word long lines to read on my 32" monitor. Just put something like {max-width: 1200px; margin: 0 auto;} on the body at least.
You’re lucky. For people without cars anything other than curbside recycling is usually a nightmare. Ironically.
Yeah, that was my point, it's easy for me, but that's not the case for most people in the country. And I guess that most people living near me don't think about putting electronics in the dedicated container anyway, even if that container is near them.
> And in the end, 90% of people will throw it in the trash with everything else.
And if they don't, the "recycling" company will do it.
Reuse is dead.
[deleted]
Well maybe if they cared a bit more about customers they wouldn't be needing to wind down
Qotom is a good chinesium brand for small cheap fanless multi-NIC PCs: https://qotom.net
+1, have had 10/10 experience with my Qotom - in fact I had to look up the brand to be sure that was what I had. Forgettability (due to reliability) is exactly what you want in router hardware.
my solution to this is to have centralised VPN splitter (x-ray/singbox) sitting on RPi, with tailscale attached to it. This makes it available from anywhere if the device is on TS network. With added benefit of rule based geo splitting to various zones.
I was hoping, from the title ("Geo-Unblocked") that this would be about arranging an IP address block that wasn't associated with the UK, rather than just selectively running some traffic through a VPN.
If you're your own ISP you can be wherever you want to be
Sometimes. You can publish whatever geolocation data file you want, but others aren't required to respect that file. It's known that geolocation providers run pings and traceroutes from different locations as well as looking at BGP data.
I guess maybe we should start some kind of initiative to detect these geolocation providers so we can blacklist them. Maybe it can be some kind of database that is used to null-route all traffic coming from their network /s
Would be an interesting idea in 2004, but now they have access to all the same evasion techniques as everyone else.
I don't think that would work though. If you changed your WAN address it wouldn't be dissimilar from changing your IP to a different schema on a machine in a given network, no? It just wouldn't work at all.
"Is this overkill for viewing the occasional Imgur image? Probably."
From the last couple of weeks of researching some stuff, it makes perfect sense - I keep stumbling across blogs and documentation that uses Imgur, and it's really quite annoying that I can't see the screenshot or image that is being referenced. It hasn't /quite/ hit the point to put something in place, but this is super helpful for the final straw - when it comes!
It's been eye-opening how far-reaching Imgur really is - for example, some of the images on the Core Devices (the new Pebble folks) website are actually on Imgur.
This simple block is relatively trivial to bypass - but if they disappear tomorrow, a lot of things break.
> but if they disappear tomorrow, a lot of things break.
Tale as old as time, long-running forums are graveyards of dead Photobucket, Tinypic and Imageshack embeds. Imgur has lasted longer than most but the cycle will probably repeat eventually, especially since they were acquired by faceless corpos a few years ago.
I've said before that the age of an internet user can be estimated by how many free image hosting services they have seen come and go, like rings on a tree trunk.
> Imgur has lasted longer than most
They did a big data purge years ago, and were already enshittified almost a decade before that.
Only "removing old, unused, and inactive content that is not tied to a user account" right?
A service shutting down, or being replaced is very different to one being blocked at a country level because of waves hands things
> waves hands things
government censorship
called it for what it is
The Online Safety Act is clear-cut censorship but that's not why Imgur left the UK. They were facing fines for violating the UKs data protection laws, specifically a set of rules that were introduced years before the OSA was even passed. Their parent company hasn't pulled any of their other services from the UK either, which you'd expect them to do if their goal was to protest or avoid the OSA.
"There are laws in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws." ... "When you sign up you can be targeted for advertising, you can be profiled, your data contributes to an algorithm which feeds content," said the Information Commissioner.
So even before the OSA, the idea was: social media sites using algorithmic feeds must prevent children's access, and just asking "are you over 13" isn't enough. That's a demand for age verification, in practice.
makes me thankful for imgur deleting anonymous uploads a year or 2 ago
that made multiple forums I've been on rush to download everything to their servers
Overkill right now, probably, but the Government seems hell-bent on locking down access to more and more things that we see as completely normal, so I'd say that it's forward planning.
it will certainly not stop at Imgur
also, if foreign servers notice no real loss of traffic because people just circumvent draconian censorship measures from authoritarian regimes, then they can more safely ignore them without real repercussions
the EU seems to be following soon, so it's important that people have readily available tools so the power dynamics change and it doesn't become economically unfeasible to refuse censorship pressures
I've found it a bit harder than I thought to bypass but veepn free with the location set to Singapore kind of works, if slowly.
Imgur is one of the more annoying UK geoblocks because they persist it with cookies, so if you want to view something you can’t just switch to VPN for a second without also changing browser sessions.
Reddit is worse… you can’t even view someone’s profile if they’ve ever submitted a post labeled NSFW.
Why would they do that? (Not a rhetorical question, just curious). It would suffice to block UK IPs for compliance, if visitors use a VPN to circumvent that Imgur would get more traffic and more ad revenue. No reason to put extra work into blocking those users.
vindictiveness
In other words, we're entering a dark age for the internet.
Maybe, maybe not. It'll be signficiantly harder for the EU to target decentralised services with no organisation behind them. It'll be far easier for them to put every major tech site which accepts VPN traffic into the box of organisations they can still fine. I'm not entirely sure the wider population will really care all that much once the dust settles. The internet works in China, and people are happy with it, and while we can agree that is probably what you'd call th dark age, you'll need significantly public opposition to do anything about it. I think we'll sadly see most major tech sites adopt whatever age verification tool the EU builds. They did with all the various form of payment system though this was obviously helped along with the API provided by companies like visa.
Honestly you could probably even use the 0 cost back charge that visa has, which is used by some finance services to verify that you are who you say you are through the visa connection to your national digital identity.
> I think we'll sadly see most major tech sites adopt whatever age verification tool the EU builds.
No, we won't. Tech doesn't care about users. We saw this when Valve delisted thousands of games in Germany instead of implementing the (completely anonymous) age verification process we've had built into our ID cards for years.
Authoritarian regimes interpret the Internet as damage and geoblock it.
This can be done on UniFi using policy based routing too trivially if anyone wants to repeat this.
Instructions using the unifi mobile app as it’s what I have to hand:
1) download wireguard conf file from vpn provider. On mobile app settings -> vpn client -> add new -> wireguard. Upload the file and save it
2) settings -> policy engine -> policy based routes. New. Select what to route -> specific traffic. Source = all devices. destination = domain name. Here add any domains you like. Interface = add the vpn you added in step 1
The only downside is this doesn’t work if you have IPv6 enabled as UniFi Network still allows those to bypass the VPN.
I ended up making a long list of firewall rules to block specific sites IPv6 ranges, which worked until I hit cloudflare backed sites.
Wow, this is unbelievable. I thought UniFi was a premier networking product. Certainly its price would suggest so. Not supporting IPv6 in 2025 is unacceptable.
To be clear, the rest of the OS supports IPv6, just the WireGuard VPN doesn’t. Disappointing all the same.
[deleted]
I've done similar. But I just used PBR (policy based routing) on my OpenWRT router. Took about 15 minutes to set it up. You can pick which domains go through VPN. Works great.
[deleted]
I feel like I'd rather solve this with a proxy PAC file. I recently started using this on airplane Wi-Fi where they'd block VPNs, but strangely not SSH. Dynamic forwarding with a good PAC to "direct" connect the onboard entertainment and flight tracking hosts/URLs works great!
> Second, even if I installed a VPN on my main machine, what about my phone? My laptop? My desktop?
Also, Imgur blocks many VPN IPs. I use Mullvad and I have not yet found a single Mullvad IP that can access Imgur.
I’m also on Mullvad, keep trying. It took me like 20 servers but I did find one.
Would you mind sharing which server please?
Did this with policy based routing in my opnsense (pfsense) router a couple of weeks ago. egress via a specific tailscale exit node for a list of domains including Imgur.
Also browsing Minecraft mods/shaders was my motivation ha.
> even if I installed a VPN on my main machine, what about my phone? My laptop? My desktop? Every device would need the VPN running, and I’d have to remember to connect it before browsing. It’s messy.
Is there a way to install a VPN such that requests to/from certain domains (e.g. imgur.com) are routed via the VPN and the rest of your traffic is via non-VPN?
This would solve the problem of constantly having to dis/re connect VPN, and do it in an automatic fashion (i.e. without the manual steps of first recognising there's an unavailable asset on the page, opening VPN app, switching it on etc).
Such a configuration would also be very useful in other situations, e.g:
- using social media in countries that require age-verification
- using apps that geoblock (e.g. spotify blocks my subscription every few days because it detects a change in country, but what it's really detecting is simply whether or not my VPN happens to be on/off)
- accessing sites which are blocked (e.g. Thailand blocks common UK news sites which have said unflattering things about Thai royalty).
That'd be "split tunnel/VPN" by domain name, and usually it's limited to HTTP/S requests (because the hostname comes with the petition header), but some vendors (like ZScaler) do tricks to apply it to different protocols.
For example, the equivalent in Tailscale would be an "App Connector":
This is all new to me, but seems odd (startup idea?) why there isn't a SaaS letting me accomplish this on iPhone in a few minutes. (a few youtube searches for 'how to split VPN' are hopelessly theoretical as opposed to practical)
E.g. I'd definitely pay $10/month for an app that lets me input domains and which country to re-route traffic through.
E.g. a handful of social media apps via US (my country has age verification), a handful of news sites via UK (some countries I travel to block them entirely), spotify via a single country (I don't care which one, so long as it's constant).
I currently use ProtonVPN iPhone and macOS apps but AFAIK it routes all traffic through a single country which requires opening the app and manually changing it each time you want traffic routed via a different country.
Extremely keen to hear any solutions people have used on their own devices.
This also seems like an easy way for VPN providers to differentiate themselves with their apps. The fact that it hasn’t happened makes me think that it’s impossible with unrooted iOS
It's tricky to do for large public websites, because routing happens at the IP level while users want to input a domain name.
That domain could constantly resolve to different IPs, requiring updates to the routing rules, and those IPs could be shared with many other domain names that the user didn't list (for example Cloudflare IPs). So the mapping isn't clean and you're likely to miss some IPs some of the time or incorrectly intercept some traffic that the user didn't want to route through the VPN.
A proxy would not have this problem, it gets to inspect the request and hostname and then decide how to reach that host.
VPN app can still solve it by locally resolving configured domain into special local IP, which get VPNed into real IP on their side. You'll need to encode original DNS name into protocol somehow, so that remote side knows which real IP to access, but it is certainly doable.
[deleted]
That’s what they did effectively
they block VPNs too, if yours is working it's just a matter of time until they get to it. Avoid using imgur entirely. What I find insidious is that unlike reddit and some other sites, they won't tell you it's blocked, they'll give you this:
{"data":{"error":"Imgur is temporarily over capacity. Please try again later."},"success":false,"status":403}
Even if they give you this error if you load and image directly, it will often still work if hotlinked in a web page.
That’s what I get if I go to their page, but when curling the image directly it works fine
> First, I just upgraded to 2.5 Gbps internet and I don’t want to route all my traffic through a VPN and take the speed hit. I have this bandwidth for a reason
You don't have to. You create a container which runs openvpn to connect to your vpn provider, and also hosts an ssh daemon. The ssh daemon receives incoming SOCKS5 connections from a firefox portable browser, which has been configured to use the proxy (your Docker openvpn-container) for browsing and DNS resolution, and pipes it through the VPN tunnel.
So you have that one browser just to surf imgur. if that's your thing. And you could also use Firefox on Android (maybe also iOS) with those proxy settings (a secondary Firefox browser, like the beta version).
So you get very high control about what you are using the VPN for, you don't just pipe your entire OS's network traffic through the VPN.
Wow thanks for this, was using the above linked addon myself until I read your comment.
This would have the exact problem mentioned immediately after the paragraph you quoted. Every computer, phone, etc. would need specific setup. The author is clear about their goal:
> I wanted something cleaner: a solution that works for every device on my network, automatically, without any client-side configuration.
This is a great idea except for me (and for the author I suspect) I regularly come across attachment of Imgur hosted images on sites (like a post on a DIY forum but not all of them) so it wouldn't solve my issue unless I were to use your browser in the container all the time (I suspect the author also doesn't just 'surf imgur' but randomly comes across images hosted on imgur linked to from other locations).
In that case FoxyProxy's proxy by URL pattern would be what you'd want to use.
That doesn't seem very practical. The issue is that imgur links are everywhere and you wouldn't want to switch browsers whenever you encounter one. Not to mention it requires per device setup. Author's solution is much better than what you describe.
> So you have that one browser just to surf imgur.
Doesn't solve the real problem, being fails of imgur embedded it many others you surf.
Nope, security/privacy is always a trade off. It's much much safer just to route all your traffic through a VPN. I get ~200-500 Mbps with Mullvad, that seems good enough. Sucks if you upgraded to 2.5 Gbps before checking, but oh well
[deleted]
Next-gen VPN: content-aware routing. Just as NAT keeps track of who is talking to what, VPNs will one day actively detect that traffic is hitting blocks and re-route that through exits not subject to blocks. Bypassing local restrictions on an ad-hoc basis will become seemless.
a-ha, if you happen to have a Unifi router then a simpler setup would be to do policy based routing by hostnames through a vpn client maintained in the router config
Nice work.
I've thought about doing something similar as well! It drives me nuts this ban, everywhere I look I see these blocked images. I thought about making a chrome extension that proxies.
That's a lot of steps for something that would be a simple route rule or mangle + mark routing on mikrotik.
The route rule would route out a VPN instead of the main route.
If the domain name resolves to many IPs you can keep an address list up to date using a simple script.
With proper configuration Mikrotik can do preety much everything network related. Awesome product and os.
> That's a lot of steps for something that would be a simple route rule or mangle + mark routing on mikrotik.
I'm sorry but suggesting buying and setting up hardware as an easier and more accessible alternative to a purely software-based solution that will take at most a couple of hours to install is simply ridiculous.
Could this be built into open source routers? If you wanted to get fancy you could even select the best VPN for the particular service.
OpenWRT supports PBR which makes this a breeze.
You can run the shadowsocks client on some routers and pass selected traffic via your external shadowsocks server.
I haven't needed to do this since I move to the US, but IIRC the rules were based on IP subnets.
The approach in TFA is more sophisticated and fine-grained.
gl.inet routers running OpenWRT do this easily in the newer firmware versions the last few months.
> The key detail is network_mode: "service:gluetun"
Such a clear giveaway that this was written by an AI
Oh, I guarantee you that this has not been touched by any AI. I used to use emdashes all the time, then people thought those were AI telltale signs, so I stopped. I loved making lists. Same thing.
Now I’m not allowed to say “key detail”??
Just write correctly in your preferred style, and ignore the anti‑AI hate. You’re allowed to say whatever you want, and you’re allowed to use AI as a tool while writing — there’s nothing wrong with it.
Angry AI-phobic keyboard warriors on the internet don't decide what's right or wrong, or what you're allowed to do.
(Is this very comment AI-generated? Make your guess. Good luck!)
I'm autistic and get mistaken for AI all the time. At first I was annoyed but now I feel like it is adorable.
[dead]
Yeah that's annoying. Maybe you could add a disclaimer on your blog saying you do not use AI to write and then just write however you like the most? I think it would help both yourself and those who want to avoid AI content.
The 'no AI used' disclaimer is a nice idea, however, how long is that going to last?
We could all have disclaimers or identifiable 'stickers' such as what we had in the olden days of IE6, to send people over to Firefox/Chrome/whatever.
However, next time the tech bros scrape the web, their AI beasts could learn the trick, to decorate their piffling output with similar disclaimers.
In the olden days, 'the camera never lied', however, nowadays, 'the camera always lies'. Even if it is not AI, you know it has been staged and Photoshopped to within an inch of its pixels.
So, what to do?
One way would be to have 'guilds'. Maybe tie it into academic institutions, where teaching staff are at the sharp end of AI use and exacting penalties for AI abuse. Imagine if there was a 'guild of human writers' and being in it meant better SEO with the consequence of abusing AI meaning getting kicked out of the guild.
Ultimately though, without any 'guild system', it all comes down to quality content.
Possibly a great way to circumvent stuff like Netflix/Spotify/whoever's "same household" requirements? A RasPi or cheapo Mini pc configured with this and PiHole that I can set up in my "remote family's house to funnel their Netflix/Spotify traffic through my internet connection/IP address?
If your VPN provider offers a socks5 instance you can do this entire thing with a socat oneliner + the dns hijack of course.
For some reason T-Mobile in the Bay Area can get randomly geoIPed to the UK so imgur just randomly breaks on my phone. Marvelous
[deleted][deleted]
This is quite easy with OpenWRT.
Install the Wireguard packages, create a connection to your VPN of choice in a nearby country (I chose Sweden). Then I used the "vpn-policy-routing" package to route Imgur IPs (199.232.196.193 199.232.192.193) through the VPN.
Works for websites that keep nagging you for age verification too.
But seriously, it's been more emotional than I'd expected to get my cat memes back.
Yeah, doing it with OpenWRT and PBR is definately much simpler than this approach. However by using hard-coded IP addresses you are at risk of breakage if they change in the future.
Also fastly-hosted services are a bit awkard to configure IP ranges to cover whole blocks as they seem to not use normal CIDR-blocks for different customers.
But you use PBR's ntfset functionality to have your dns server automatically update a set whenever an DNS entry is resolved, then set the policy rules based on the set.
Didn't even know it was possible. But thanks to this comment - got the same setup via my Unifi router too. Thanks!
Interesting. I have nextdns.io and VPN proxy and a unifi router. Is this possible for me?
it could be easily done by policy based routing on your machine or your router.
So you are just a simple GB citizen and some external site blocked access by country affiliation?! Is there any practical reason for blocking access to that site by geotargeting?
The UK’s “online safety act” means a number of medium sized sites have decided it’s not worth doing business in the UK.
This is not why imgur have left though, they didn't want to comply with Data Protection laws.
The "online safety act" introduced mandatory age verification starting in July 2025.
The government announced "plans to fine Imgur after probing its approach to age checks and use of children's personal data" in September 2025 [1]
Are you telling me those were unrelated? How are you going to fine a website over age checks without the law that requires age checks?
Seeing as the investigation was by the ICO instead of OFCOM, yes, very much so. Do you have any evidence to the contrary?
That makes no difference. "Data protection" or not, it was pressure for age verification.
Can you please provide a source for your claim?
No, it doesn't need a source. It's not mysterious. To meet the demand, age verification would be necessary. What's your claim?
I guess you could be saying that the regulators were carrying out legal duties like blind automatons, without giving a thought to the way their requirements would have to be met.
Yes. The ICO investigation that resulted in Imgur blocking the UK pre-dates the Online Safety Act coming into force.
As others have mentioned, Ofcom is responsible for enforcement of the OSA - but the investigation against Imgur was carried out by the ICO.
[deleted]
The governments of the countries that dabbling into the "think of the children" laws should build their own "safe" internets for their citizens, walling them in, requiring them to "verify their age" before letting them out of their cages into the Internet.
What's annoying about this block is that Imgur detects Telegram's server for image previews as coming from the UK but they are in the Netherlands so when someone sends an imgur link through Telegram with the little preview attached you now only get the "not available" image as prevew...
I've not managed to succesfully use a VPN to get around the geoblock. It seems that most of VPN exit nodes are also blocked (but in a different way)
I wonder how did you overcome https. As I understand the request that goes to rerouted Imgur proxy will have different cert.
AIUI, nginx doesn't terminate the SSL/TLS connection - it is just passed through as is. `ssl_preread on` extracts the server name from the Server Name Indication (SNI) send as part of the TLS handshake, which is unencrypted.
I just set up a similar system (Debian LXC permanently connected to a VPN, nginx proxying imgur.com and all its subdomains with the rest being dropped), and it works quite well. Setting DNS records for imgur.com and {api,i,s}.imgur.com seems to be sufficient to get the site and inline images working (not 100% if all are needed - I haven't fully tested it yet).
Presumably TLS still only happens at the browser and at the Imgur origin server. Everything in between just routes the request without being able to read any of the encrypted stuff. This is no different than using your browser while your computer is connected to the web via a VPN, except that in this case only a small subset of requests go through the VPN.
Why not call it split tunneling, which is what it is.
because saying "i used a split tunnel to access geo-blocked resources" doesn't get you those sweet sweet internet points on hacker news, ofc
This is such a deep rabbit hole! Other alternatives include CDN and residential proxies, no VPN required
Another thing that you can do when you have the IP address range is just run a traditional split-tunnel. A simple way to do that is to run Wireguard on a cheap VPS, then have only traffic to those fixed IPs go to that tunnel. The nice thing about this is that tiny WiFi routers (e.g. hAP AX S) these days support Wireguard at pretty decent speeds. Then anyone on your network gets this, and if you want it while you roam you can just run the Wireguard VPN on your phone as well with the same rules.
So imgur is still alive?
From Italy (no VPN) I've been getting «{"data":{"error":"Imgur is temporarily over capacity. Please try again later."},"success":false,"status":403}» for any imgur url for maybe an year
It works great till you leave your house.
Unless you vpn back to your house, but then again, now you are using double vpn!
There is currently no alternative to geo-blocking the UK if you don't want to get threatening legal letters from Ofcom that order you to break the laws of your country.
This is the correct way to make exceptions for hostnames, not policy based routing on a router that merely translates hostnames to IPs, IPs which could be shared by 1000s of services and thus a much wider whitelist than you wanted. Nice
[deleted]
in summary: wasn't using a vpn, is now using a vpn ¯\_(ツ)_/¯
Imgur doesn't even let me sign into my almost 10 year old account from many countries while traveling. Never seen this kind of wack shit anywhere else. The fuck's their problem?
Imagine having to install a vpn to browse the internet in a first world country.
The country didnt block it. This aint comparable to China if that is what you mean.
[flagged]
that's a bit histrionic, isn't it?
[deleted]
Imagine deciding to pull out of a country because you refuse to comply with protecting the personal data of actual children.
> Imagine deciding to pull out of a country because you refuse to comply with protecting the personal data of actual children.
Haha. You mean like Meta, Google, Apple and Microsoft ?
If EU really cared about children, those companies would not be doing business in the EU.
[dead]
[dead]
[dead]
> ⌘+F, "vote", Not found
Seems the author forgot one step.
The law was drafted by the government of one party, enacted by the government of the other party.
That isn't quite true, because the law was enacted on October 26, 2023, which was still the same party that drafted it.
Of course, it is true that it is being supported by the current government, however the only way a future government could have avoided the law coming into force would be to repeal it with a new act of parliament (because it was already enacted).
[deleted]
And backed by popular support.
It’s another good example of internet sentiment being far different to popular sentiment.
Polling shows around 70% supported it, though far fewer thought it would be effective. Pretty much matches my views on it.
Polls don't handle nuance, though. Most people would support "children not watching hardcore porn", but most wouldn't support "not allowed to access imgur anymore". The polls don't ask those kinds of question, though, they ask "do you support the OSA", to which the only reasonable answer is "yes and no".
This little "solution" might be fine for .. imgur .. but it shows your nation is well into the authoritarian descent. And there's no where left in the western world to move to either ... It's not a slippery slope, it's a landslide.
We legally have to keep porn on the top shelf in opaque packaging too in any shop where under 18s are allowed.
I mean, it's basically a police state.
Great work! Perhaps not the appropriate OSI layer, but would be cool if this could pull the imgur blob from the wayback machine if unavailable on imgur proper. You'd still need this networking setup, as archive.org is blocked as well in the UK per ground truth from others on HN.
I'm in the UK and we use 'mobile broadband' for our domestic Internet connection. So a mains powered router box that connects to the local G4 (or G5) mobile data network and provides wifi and a few cat 5 sockets. We don't need to subscribe to a phone line (e.g. last mile supplied by Openreach/BT or fibre from Virgin or whoever). I pay a single flat fee monthly by credit card. It is reasonably fast and meets our modest needs. There is no hard data cap. We average 150 Gb per quarter or so.
archive.org is blocked (along with other nsfw type sites), but as the last post in your link to an earlier discussion says, I could get it unblocked by filling in a declaration that I'm over 18. Paying by credit card isn't enough to unblock automatically for this particular package.
I've chosen not to unblock for no particular reason. The block sort of makes sense to me because archive.org records a lot of Web sites, some of which may have what is regarded as adult content, and it is unreasonable to expect archive.org to label individual records of sites according to the criteria the UK uses (each country probably has its own set of criteria e.g. gambling Web sites of certain kinds in the US).
archive.org is easily accessible in the UK from most wifi connections in cafes, libraries and, hilariously, colleges (where people under 18 gather in large numbers), and also from domestic adsl or fibre Internet connections.
> archive.org is blocked (along with other nsfw type sites), but as the last post in your link to an earlier discussion says, I could get it unblocked by filling in a declaration that I'm over 18. Paying by credit card isn't enough to unblock automatically for this particular package
That's something to do with your provider. Maybe you need a non-crappy provider.
You do not need to provide any kind of declaration that you're over 18 to access archive.org in the UK.
See comment from another UK resident further down.
I suspect it depends on the contract you have, and quite possibly when the contract started.
It appears to be something to do with using PAYG SIMs for mobile broadband. Back when I lived ten minutes from one of the largest cities in the country I used 4G, but didn't run into this or their CGNAT crap because I tunneled out to a sane ISP.
Given that you can buy a SIM that'll give you a couple of hundred GB of data for under a tenner, it seems reasonable that they'd block stuff you didn't want young children getting access to (easily).
The op in the thread is wrong, it's not blocked.
Source: am British, on phone.
> as archive.org is blocked as well in the UK per ground truth from others on HN
I am in the UK.
archive.org is not blocked — not the Library or the Wayback Machine.
ETA: I just checked re: the comment toomuchtodo linked to, and it actually is blocked by default on my mobile phone as adult content, because I've never bothered to disable the adult content lock on that device. I get redirected to a page operated by my mobile network where I can undo the lock by giving them info; I might do that one day, might not.
For non-UK users: UK mobile phone providers all block adult content by default at the account level as a simple parental control measure, and have done for some time, largely because PAYG data is really rather cheap here.
Interesting but not particularly bothersome. Apparently this decision is about eleven years old.
It seems to differ by provider. When I was with Three it was an irritating process of having to either call up or visit a shop in person and say "I want to look at the naughty pages, please". Another provider (I can't remember which) had a method where you had to supply a credit card number.
I'm with "1p Mobile" now who are a virtual network on EE, and their adult content block is just a toggle in your online account, with no faffing around required - you can just hit the toggle. I presume the idea is that you don't give little Timmy the password to his own account portal, but I don't know what's to stop him getting his own SIM by himself.
With Three, I found the adult content block caused other problems with SSH connections dropping, various random stuff getting blocked and so on, which all went away as soon as I had it disabled, so it's worth doing even for non porn fans.
> I presume the idea is that you don't give little Timmy the password to his own account portal, but I don't know what's to stop him getting his own SIM by himself.
Well — perhaps the toggle is only available if the account has been topped up with a credit card?
One thing that distinguishes you getting a SIM and Little Timmy getting a SIM is that you're over the age of majority and can enter into credit contracts, whereas Little Timmy can only get a debit card.
This fact is actually central to one of Ofcom's recommended age verification techniques, though the adult block on mobile phone networks is much older than these recent measures.
> Second, even if I installed a VPN on my main machine, what about my phone? My laptop? My desktop? Every device would need the VPN running, and I’d have to remember to connect it before browsing. It’s messy.
This is what routers are for. My router (a cheap fanless box with several network ports running linux) is the only thing on my network that knows there's a VPN. I can selectively route whatever I want through it, including having a separate SSID/VLAN from which everything is routed through the VPN. It's wireguard based so there's no "installing a VPN", just an interface/network configured in systemd-networkd (once, on the router).
Edit: Routing by domain name could be tricky, though. I haven't had a need for that, and a proxy with local DNS override (as in the article) might needed if it came to that. I'd still do it on the router, though.
This is it. For years, I had a stable IPSec connection from Germany to the US, where packets would be routed selectively for the convenience of web browsing without geo-blocks. It was a bit excessive for what it did, but the technical challenge of trying it was worth it. [1]
[1]: https://du.nkel.dev/blog/2021-11-19_pfsense_opnsense_ipsec_c...
IPsec to be precise, not IPSec.
You can do it like this, or (easier IMO if your router doesn't support it) you can just setup a raspberry pi as a VPN router then set you dhcp server on your router to hand out the RPIs address. You can then switch on to the normal connection at any point you need by just changing your default gateway back to .1
2GB Pi5 maxes out the 1Gb port.
> This is what routers are for.
Useless in modern days though. IP addresses with anything backed by any cloud/CDN can vanish whenever they want, you'll always need to keep track of the upstream DNS responses.
That's extra fun if you do site-to-site-VPNs with a major customer. Won't name names, but they do have a habit of going through IP renumbering sprees every year or two and it's a true pain to keep the routing table, Zerotrust provider config and firewall rulesets in sync.
You can just use FoxyProxy instead of a separate browser instance. This firefox addon will use a proxy based on URL patterns.
You don't even need an extension - FF can do it natively via proxy file
You can do this in the configuration for Firefox containers too.
> a cheap fanless box with several network ports running linux
Do you remember the name of the product?
Not the poster you're responding to, but...
I'm running OPNSense on a GMKtec G9 (a N150-based NUC with dual 2.5Gbps NICs), and a cheap managed switch. All-in, you can get it today for well under $300. Even that is rather overpowered for running my house.
The toughest component to pin down was a mesh wifi system that supports tagging VLAN segments. That's almost exclusively enterprise territory, so it's hard to find something affordable.
I like protectli boxes. x86, low power, coreboot options, lots of network interfaces. The apus everyone recommends (myself included) are no longer available :(
Two devices I use - both running Debian, and both being open-source hardware to some degree or other:
PC Engines APU2, AMD x86_64, 4-core, 4GiB, 3x Gigabit Ethernet, 3 x mini PCIe, SIM slot, USB 3, Serial, SATA ports. Mine has dual band WiFi in one mPCIe, SSD in another.
Turris Mox, Marvel aarch64. This can expand via plug and go via a range of extension modules. I've got one with 25 Gigabit (3 x 8-port modules) Ethernet, 1 x SFP, 5 x USB3, Wifi, Serial.
Just a heads up that PC Engines is winding down. The chip they use in the APU2 is EOL, and they've decided to shut down altogether.
https://pcengines.ch/eol.htm
Wildly ironic that an EU company doesn't ship to the EU.
Regulatory compliance shouldn't be hard. The idea is to quell negative externalities, not to shut off innovation itself.
> Because of unbelievably bureaucratic recycling regulations, PC Engines will NOT sell directly to end users within the EU.
https://pcengines.ch/order.htm
> EU - a single market ?
> Far from it, there are separate registration and recycling schemes for each of the 28+ EU member jurisdictions (and even a few of their provinces). What part of COMMON MARKET was so hard to understand for EU lawmakers ? Since there is no single registration available, and separate registration would involve mindboggling complexity, bureaucracy and costs, we do not sell to EU end users until the EU gets their act together. Please order from EU based distributors, or as a business customer.
> Business customers are expected to meet their obligations by registering in the EU countries they sell in.
https://pcengines.ch/recycle.htm
> Wildly ironic that an EU company doesn't ship to the EU.
Switzerland is not part of the EU in this timeline... But their rant sounds very much like an excuse, the WEEE is in effect at least since 2021:
"All EU Member States are required to adopt the Waste Electrical and Electronic Equipment (WEEE) Directive 2012/19/EU, which sets rules for the collection, treatment, and recycling of electronic waste. However, some countries were granted an extension until August 2021 to meet the collection targets due to infrastructure limitations, including Bulgaria, Czechia, Latvia, Lithuania, Hungary, Malta, Poland, Romania, Slovenia, and Slovakia" - courtesy Google AI overview
Being based in Switzerland, which is not a member state, PC Engines is not an EU company.
And in the end, 90% of people will throw it in the trash with everything else. I'm actually in the other 10%, but I live in the middle of a big city where I have electronic waste container like 300m away.
Btw, that's an awful website. I like simple minimalistic websites, but some people confuse "simple" with "give literally 0 fucks about the reader" and then I have 50-word long lines to read on my 32" monitor. Just put something like {max-width: 1200px; margin: 0 auto;} on the body at least.
You’re lucky. For people without cars anything other than curbside recycling is usually a nightmare. Ironically.
Yeah, that was my point, it's easy for me, but that's not the case for most people in the country. And I guess that most people living near me don't think about putting electronics in the dedicated container anyway, even if that container is near them.
> And in the end, 90% of people will throw it in the trash with everything else.
And if they don't, the "recycling" company will do it.
Reuse is dead.
Well maybe if they cared a bit more about customers they wouldn't be needing to wind down
Qotom is a good chinesium brand for small cheap fanless multi-NIC PCs: https://qotom.net
+1, have had 10/10 experience with my Qotom - in fact I had to look up the brand to be sure that was what I had. Forgettability (due to reliability) is exactly what you want in router hardware.
my solution to this is to have centralised VPN splitter (x-ray/singbox) sitting on RPi, with tailscale attached to it. This makes it available from anywhere if the device is on TS network. With added benefit of rule based geo splitting to various zones.
I was hoping, from the title ("Geo-Unblocked") that this would be about arranging an IP address block that wasn't associated with the UK, rather than just selectively running some traffic through a VPN.
If you're your own ISP you can be wherever you want to be
https://blog.lyc8503.net/en/post/asn-5-worldwide-servers/
Sometimes. You can publish whatever geolocation data file you want, but others aren't required to respect that file. It's known that geolocation providers run pings and traceroutes from different locations as well as looking at BGP data.
I guess maybe we should start some kind of initiative to detect these geolocation providers so we can blacklist them. Maybe it can be some kind of database that is used to null-route all traffic coming from their network /s
Would be an interesting idea in 2004, but now they have access to all the same evasion techniques as everyone else.
I don't think that would work though. If you changed your WAN address it wouldn't be dissimilar from changing your IP to a different schema on a machine in a given network, no? It just wouldn't work at all.
"Is this overkill for viewing the occasional Imgur image? Probably."
From the last couple of weeks of researching some stuff, it makes perfect sense - I keep stumbling across blogs and documentation that uses Imgur, and it's really quite annoying that I can't see the screenshot or image that is being referenced. It hasn't /quite/ hit the point to put something in place, but this is super helpful for the final straw - when it comes!
It's been eye-opening how far-reaching Imgur really is - for example, some of the images on the Core Devices (the new Pebble folks) website are actually on Imgur.
This simple block is relatively trivial to bypass - but if they disappear tomorrow, a lot of things break.
> but if they disappear tomorrow, a lot of things break.
Tale as old as time, long-running forums are graveyards of dead Photobucket, Tinypic and Imageshack embeds. Imgur has lasted longer than most but the cycle will probably repeat eventually, especially since they were acquired by faceless corpos a few years ago.
I've said before that the age of an internet user can be estimated by how many free image hosting services they have seen come and go, like rings on a tree trunk.
> Imgur has lasted longer than most
They did a big data purge years ago, and were already enshittified almost a decade before that.
Only "removing old, unused, and inactive content that is not tied to a user account" right?
A service shutting down, or being replaced is very different to one being blocked at a country level because of waves hands things
> waves hands things
government censorship
called it for what it is
The Online Safety Act is clear-cut censorship but that's not why Imgur left the UK. They were facing fines for violating the UKs data protection laws, specifically a set of rules that were introduced years before the OSA was even passed. Their parent company hasn't pulled any of their other services from the UK either, which you'd expect them to do if their goal was to protest or avoid the OSA.
... in regard of age checks, yes?
https://www.bbc.com/news/articles/c4gzxv5gy3qo
If you follow the links to earlier articles you get to this one about fining TikTok: https://www.bbc.com/news/uk-65175902
"There are laws in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws." ... "When you sign up you can be targeted for advertising, you can be profiled, your data contributes to an algorithm which feeds content," said the Information Commissioner.
So even before the OSA, the idea was: social media sites using algorithmic feeds must prevent children's access, and just asking "are you over 13" isn't enough. That's a demand for age verification, in practice.
makes me thankful for imgur deleting anonymous uploads a year or 2 ago
that made multiple forums I've been on rush to download everything to their servers
Overkill right now, probably, but the Government seems hell-bent on locking down access to more and more things that we see as completely normal, so I'd say that it's forward planning.
it will certainly not stop at Imgur
also, if foreign servers notice no real loss of traffic because people just circumvent draconian censorship measures from authoritarian regimes, then they can more safely ignore them without real repercussions
the EU seems to be following soon, so it's important that people have readily available tools so the power dynamics change and it doesn't become economically unfeasible to refuse censorship pressures
I've found it a bit harder than I thought to bypass but veepn free with the location set to Singapore kind of works, if slowly.
Imgur is one of the more annoying UK geoblocks because they persist it with cookies, so if you want to view something you can’t just switch to VPN for a second without also changing browser sessions.
Reddit is worse… you can’t even view someone’s profile if they’ve ever submitted a post labeled NSFW.
Why would they do that? (Not a rhetorical question, just curious). It would suffice to block UK IPs for compliance, if visitors use a VPN to circumvent that Imgur would get more traffic and more ad revenue. No reason to put extra work into blocking those users.
vindictiveness
In other words, we're entering a dark age for the internet.
Maybe, maybe not. It'll be signficiantly harder for the EU to target decentralised services with no organisation behind them. It'll be far easier for them to put every major tech site which accepts VPN traffic into the box of organisations they can still fine. I'm not entirely sure the wider population will really care all that much once the dust settles. The internet works in China, and people are happy with it, and while we can agree that is probably what you'd call th dark age, you'll need significantly public opposition to do anything about it. I think we'll sadly see most major tech sites adopt whatever age verification tool the EU builds. They did with all the various form of payment system though this was obviously helped along with the API provided by companies like visa.
Honestly you could probably even use the 0 cost back charge that visa has, which is used by some finance services to verify that you are who you say you are through the visa connection to your national digital identity.
> I think we'll sadly see most major tech sites adopt whatever age verification tool the EU builds.
No, we won't. Tech doesn't care about users. We saw this when Valve delisted thousands of games in Germany instead of implementing the (completely anonymous) age verification process we've had built into our ID cards for years.
Authoritarian regimes interpret the Internet as damage and geoblock it.
This can be done on UniFi using policy based routing too trivially if anyone wants to repeat this.
Instructions using the unifi mobile app as it’s what I have to hand:
1) download wireguard conf file from vpn provider. On mobile app settings -> vpn client -> add new -> wireguard. Upload the file and save it
2) settings -> policy engine -> policy based routes. New. Select what to route -> specific traffic. Source = all devices. destination = domain name. Here add any domains you like. Interface = add the vpn you added in step 1
The only downside is this doesn’t work if you have IPv6 enabled as UniFi Network still allows those to bypass the VPN.
I ended up making a long list of firewall rules to block specific sites IPv6 ranges, which worked until I hit cloudflare backed sites.
I’m really hoping UniFi start supporting IPv6 WireGuard soon.
Wow, this is unbelievable. I thought UniFi was a premier networking product. Certainly its price would suggest so. Not supporting IPv6 in 2025 is unacceptable.
To be clear, the rest of the OS supports IPv6, just the WireGuard VPN doesn’t. Disappointing all the same.
I've done similar. But I just used PBR (policy based routing) on my OpenWRT router. Took about 15 minutes to set it up. You can pick which domains go through VPN. Works great.
I feel like I'd rather solve this with a proxy PAC file. I recently started using this on airplane Wi-Fi where they'd block VPNs, but strangely not SSH. Dynamic forwarding with a good PAC to "direct" connect the onboard entertainment and flight tracking hosts/URLs works great!
> Second, even if I installed a VPN on my main machine, what about my phone? My laptop? My desktop?
Also, Imgur blocks many VPN IPs. I use Mullvad and I have not yet found a single Mullvad IP that can access Imgur.
I’m also on Mullvad, keep trying. It took me like 20 servers but I did find one.
Would you mind sharing which server please?
Did this with policy based routing in my opnsense (pfsense) router a couple of weeks ago. egress via a specific tailscale exit node for a list of domains including Imgur.
Also browsing Minecraft mods/shaders was my motivation ha.
> even if I installed a VPN on my main machine, what about my phone? My laptop? My desktop? Every device would need the VPN running, and I’d have to remember to connect it before browsing. It’s messy.
Is there a way to install a VPN such that requests to/from certain domains (e.g. imgur.com) are routed via the VPN and the rest of your traffic is via non-VPN?
This would solve the problem of constantly having to dis/re connect VPN, and do it in an automatic fashion (i.e. without the manual steps of first recognising there's an unavailable asset on the page, opening VPN app, switching it on etc).
Such a configuration would also be very useful in other situations, e.g:
- using social media in countries that require age-verification
- using apps that geoblock (e.g. spotify blocks my subscription every few days because it detects a change in country, but what it's really detecting is simply whether or not my VPN happens to be on/off)
- accessing sites which are blocked (e.g. Thailand blocks common UK news sites which have said unflattering things about Thai royalty).
That'd be "split tunnel/VPN" by domain name, and usually it's limited to HTTP/S requests (because the hostname comes with the petition header), but some vendors (like ZScaler) do tricks to apply it to different protocols.
For example, the equivalent in Tailscale would be an "App Connector":
https://tailscale.com/kb/1342/app-connectors-setup#add-a-cus...
This is all new to me, but seems odd (startup idea?) why there isn't a SaaS letting me accomplish this on iPhone in a few minutes. (a few youtube searches for 'how to split VPN' are hopelessly theoretical as opposed to practical)
E.g. I'd definitely pay $10/month for an app that lets me input domains and which country to re-route traffic through.
E.g. a handful of social media apps via US (my country has age verification), a handful of news sites via UK (some countries I travel to block them entirely), spotify via a single country (I don't care which one, so long as it's constant).
I currently use ProtonVPN iPhone and macOS apps but AFAIK it routes all traffic through a single country which requires opening the app and manually changing it each time you want traffic routed via a different country.
Extremely keen to hear any solutions people have used on their own devices.
This also seems like an easy way for VPN providers to differentiate themselves with their apps. The fact that it hasn’t happened makes me think that it’s impossible with unrooted iOS
It's tricky to do for large public websites, because routing happens at the IP level while users want to input a domain name.
That domain could constantly resolve to different IPs, requiring updates to the routing rules, and those IPs could be shared with many other domain names that the user didn't list (for example Cloudflare IPs). So the mapping isn't clean and you're likely to miss some IPs some of the time or incorrectly intercept some traffic that the user didn't want to route through the VPN.
A proxy would not have this problem, it gets to inspect the request and hostname and then decide how to reach that host.
VPN app can still solve it by locally resolving configured domain into special local IP, which get VPNed into real IP on their side. You'll need to encode original DNS name into protocol somehow, so that remote side knows which real IP to access, but it is certainly doable.
That’s what they did effectively
they block VPNs too, if yours is working it's just a matter of time until they get to it. Avoid using imgur entirely. What I find insidious is that unlike reddit and some other sites, they won't tell you it's blocked, they'll give you this:
{"data":{"error":"Imgur is temporarily over capacity. Please try again later."},"success":false,"status":403}
Even if they give you this error if you load and image directly, it will often still work if hotlinked in a web page.
That’s what I get if I go to their page, but when curling the image directly it works fine
> First, I just upgraded to 2.5 Gbps internet and I don’t want to route all my traffic through a VPN and take the speed hit. I have this bandwidth for a reason
You don't have to. You create a container which runs openvpn to connect to your vpn provider, and also hosts an ssh daemon. The ssh daemon receives incoming SOCKS5 connections from a firefox portable browser, which has been configured to use the proxy (your Docker openvpn-container) for browsing and DNS resolution, and pipes it through the VPN tunnel.
So you have that one browser just to surf imgur. if that's your thing. And you could also use Firefox on Android (maybe also iOS) with those proxy settings (a secondary Firefox browser, like the beta version).
So you get very high control about what you are using the VPN for, you don't just pipe your entire OS's network traffic through the VPN.
https://addons.mozilla.org/en-US/firefox/addon/container-pro...
You can default route domains through a VPN using a Firefox tab container, you don’t need a separate browser instance running!
You can use the official add-on for that https://addons.mozilla.org/en-US/firefox/addon/multi-account... On the surface the proxy option looks like it is only their own VPN service, but you can set up your own too.
Wow thanks for this, was using the above linked addon myself until I read your comment.
This would have the exact problem mentioned immediately after the paragraph you quoted. Every computer, phone, etc. would need specific setup. The author is clear about their goal:
> I wanted something cleaner: a solution that works for every device on my network, automatically, without any client-side configuration.
This is a great idea except for me (and for the author I suspect) I regularly come across attachment of Imgur hosted images on sites (like a post on a DIY forum but not all of them) so it wouldn't solve my issue unless I were to use your browser in the container all the time (I suspect the author also doesn't just 'surf imgur' but randomly comes across images hosted on imgur linked to from other locations).
In that case FoxyProxy's proxy by URL pattern would be what you'd want to use.
That doesn't seem very practical. The issue is that imgur links are everywhere and you wouldn't want to switch browsers whenever you encounter one. Not to mention it requires per device setup. Author's solution is much better than what you describe.
> So you have that one browser just to surf imgur.
Doesn't solve the real problem, being fails of imgur embedded it many others you surf.
Nope, security/privacy is always a trade off. It's much much safer just to route all your traffic through a VPN. I get ~200-500 Mbps with Mullvad, that seems good enough. Sucks if you upgraded to 2.5 Gbps before checking, but oh well
Next-gen VPN: content-aware routing. Just as NAT keeps track of who is talking to what, VPNs will one day actively detect that traffic is hitting blocks and re-route that through exits not subject to blocks. Bypassing local restrictions on an ad-hoc basis will become seemless.
a-ha, if you happen to have a Unifi router then a simpler setup would be to do policy based routing by hostnames through a vpn client maintained in the router config
Nice work.
I've thought about doing something similar as well! It drives me nuts this ban, everywhere I look I see these blocked images. I thought about making a chrome extension that proxies.
That's a lot of steps for something that would be a simple route rule or mangle + mark routing on mikrotik.
The route rule would route out a VPN instead of the main route.
If the domain name resolves to many IPs you can keep an address list up to date using a simple script.
With proper configuration Mikrotik can do preety much everything network related. Awesome product and os.
> That's a lot of steps for something that would be a simple route rule or mangle + mark routing on mikrotik.
I'm sorry but suggesting buying and setting up hardware as an easier and more accessible alternative to a purely software-based solution that will take at most a couple of hours to install is simply ridiculous.
Could this be built into open source routers? If you wanted to get fancy you could even select the best VPN for the particular service.
OpenWRT supports PBR which makes this a breeze.
You can run the shadowsocks client on some routers and pass selected traffic via your external shadowsocks server.
I haven't needed to do this since I move to the US, but IIRC the rules were based on IP subnets.
The approach in TFA is more sophisticated and fine-grained.
gl.inet routers running OpenWRT do this easily in the newer firmware versions the last few months.
> The key detail is network_mode: "service:gluetun"
Such a clear giveaway that this was written by an AI
Oh, I guarantee you that this has not been touched by any AI. I used to use emdashes all the time, then people thought those were AI telltale signs, so I stopped. I loved making lists. Same thing.
Now I’m not allowed to say “key detail”??
Just write correctly in your preferred style, and ignore the anti‑AI hate. You’re allowed to say whatever you want, and you’re allowed to use AI as a tool while writing — there’s nothing wrong with it.
Angry AI-phobic keyboard warriors on the internet don't decide what's right or wrong, or what you're allowed to do.
(Is this very comment AI-generated? Make your guess. Good luck!)
I'm autistic and get mistaken for AI all the time. At first I was annoyed but now I feel like it is adorable.
[dead]
Yeah that's annoying. Maybe you could add a disclaimer on your blog saying you do not use AI to write and then just write however you like the most? I think it would help both yourself and those who want to avoid AI content.
The 'no AI used' disclaimer is a nice idea, however, how long is that going to last?
We could all have disclaimers or identifiable 'stickers' such as what we had in the olden days of IE6, to send people over to Firefox/Chrome/whatever.
However, next time the tech bros scrape the web, their AI beasts could learn the trick, to decorate their piffling output with similar disclaimers.
In the olden days, 'the camera never lied', however, nowadays, 'the camera always lies'. Even if it is not AI, you know it has been staged and Photoshopped to within an inch of its pixels.
So, what to do?
One way would be to have 'guilds'. Maybe tie it into academic institutions, where teaching staff are at the sharp end of AI use and exacting penalties for AI abuse. Imagine if there was a 'guild of human writers' and being in it meant better SEO with the consequence of abusing AI meaning getting kicked out of the guild.
Ultimately though, without any 'guild system', it all comes down to quality content.
Possibly a great way to circumvent stuff like Netflix/Spotify/whoever's "same household" requirements? A RasPi or cheapo Mini pc configured with this and PiHole that I can set up in my "remote family's house to funnel their Netflix/Spotify traffic through my internet connection/IP address?
If your VPN provider offers a socks5 instance you can do this entire thing with a socat oneliner + the dns hijack of course.
For some reason T-Mobile in the Bay Area can get randomly geoIPed to the UK so imgur just randomly breaks on my phone. Marvelous
This is quite easy with OpenWRT.
Install the Wireguard packages, create a connection to your VPN of choice in a nearby country (I chose Sweden). Then I used the "vpn-policy-routing" package to route Imgur IPs (199.232.196.193 199.232.192.193) through the VPN.
Works for websites that keep nagging you for age verification too.
But seriously, it's been more emotional than I'd expected to get my cat memes back.
Yeah, doing it with OpenWRT and PBR is definately much simpler than this approach. However by using hard-coded IP addresses you are at risk of breakage if they change in the future.
Also fastly-hosted services are a bit awkard to configure IP ranges to cover whole blocks as they seem to not use normal CIDR-blocks for different customers.
But you use PBR's ntfset functionality to have your dns server automatically update a set whenever an DNS entry is resolved, then set the policy rules based on the set.
Didn't even know it was possible. But thanks to this comment - got the same setup via my Unifi router too. Thanks!
Interesting. I have nextdns.io and VPN proxy and a unifi router. Is this possible for me?
it could be easily done by policy based routing on your machine or your router.
So you are just a simple GB citizen and some external site blocked access by country affiliation?! Is there any practical reason for blocking access to that site by geotargeting?
The UK’s “online safety act” means a number of medium sized sites have decided it’s not worth doing business in the UK.
This is not why imgur have left though, they didn't want to comply with Data Protection laws.
The "online safety act" introduced mandatory age verification starting in July 2025.
The government announced "plans to fine Imgur after probing its approach to age checks and use of children's personal data" in September 2025 [1]
Are you telling me those were unrelated? How are you going to fine a website over age checks without the law that requires age checks?
[1] https://www.bbc.co.uk/news/articles/c4gzxv5gy3qo
Seeing as the investigation was by the ICO instead of OFCOM, yes, very much so. Do you have any evidence to the contrary?
That makes no difference. "Data protection" or not, it was pressure for age verification.
Can you please provide a source for your claim?
No, it doesn't need a source. It's not mysterious. To meet the demand, age verification would be necessary. What's your claim?
I guess you could be saying that the regulators were carrying out legal duties like blind automatons, without giving a thought to the way their requirements would have to be met.
Yes. The ICO investigation that resulted in Imgur blocking the UK pre-dates the Online Safety Act coming into force.
As others have mentioned, Ofcom is responsible for enforcement of the OSA - but the investigation against Imgur was carried out by the ICO.
The governments of the countries that dabbling into the "think of the children" laws should build their own "safe" internets for their citizens, walling them in, requiring them to "verify their age" before letting them out of their cages into the Internet.
What's annoying about this block is that Imgur detects Telegram's server for image previews as coming from the UK but they are in the Netherlands so when someone sends an imgur link through Telegram with the little preview attached you now only get the "not available" image as prevew...
I've not managed to succesfully use a VPN to get around the geoblock. It seems that most of VPN exit nodes are also blocked (but in a different way)
I wonder how did you overcome https. As I understand the request that goes to rerouted Imgur proxy will have different cert.
AIUI, nginx doesn't terminate the SSL/TLS connection - it is just passed through as is. `ssl_preread on` extracts the server name from the Server Name Indication (SNI) send as part of the TLS handshake, which is unencrypted.
I just set up a similar system (Debian LXC permanently connected to a VPN, nginx proxying imgur.com and all its subdomains with the rest being dropped), and it works quite well. Setting DNS records for imgur.com and {api,i,s}.imgur.com seems to be sufficient to get the site and inline images working (not 100% if all are needed - I haven't fully tested it yet).
Presumably TLS still only happens at the browser and at the Imgur origin server. Everything in between just routes the request without being able to read any of the encrypted stuff. This is no different than using your browser while your computer is connected to the web via a VPN, except that in this case only a small subset of requests go through the VPN.
Why not call it split tunneling, which is what it is.
because saying "i used a split tunnel to access geo-blocked resources" doesn't get you those sweet sweet internet points on hacker news, ofc
This is such a deep rabbit hole! Other alternatives include CDN and residential proxies, no VPN required
Another thing that you can do when you have the IP address range is just run a traditional split-tunnel. A simple way to do that is to run Wireguard on a cheap VPS, then have only traffic to those fixed IPs go to that tunnel. The nice thing about this is that tiny WiFi routers (e.g. hAP AX S) these days support Wireguard at pretty decent speeds. Then anyone on your network gets this, and if you want it while you roam you can just run the Wireguard VPN on your phone as well with the same rules.
So imgur is still alive?
From Italy (no VPN) I've been getting «{"data":{"error":"Imgur is temporarily over capacity. Please try again later."},"success":false,"status":403}» for any imgur url for maybe an year
It works great till you leave your house.
Unless you vpn back to your house, but then again, now you are using double vpn!
There is currently no alternative to geo-blocking the UK if you don't want to get threatening legal letters from Ofcom that order you to break the laws of your country.
This is the correct way to make exceptions for hostnames, not policy based routing on a router that merely translates hostnames to IPs, IPs which could be shared by 1000s of services and thus a much wider whitelist than you wanted. Nice
in summary: wasn't using a vpn, is now using a vpn ¯\_(ツ)_/¯
Imgur doesn't even let me sign into my almost 10 year old account from many countries while traveling. Never seen this kind of wack shit anywhere else. The fuck's their problem?
Imagine having to install a vpn to browse the internet in a first world country.
The country didnt block it. This aint comparable to China if that is what you mean.
[flagged]
that's a bit histrionic, isn't it?
Imagine deciding to pull out of a country because you refuse to comply with protecting the personal data of actual children.
> Imagine deciding to pull out of a country because you refuse to comply with protecting the personal data of actual children.
Haha. You mean like Meta, Google, Apple and Microsoft ? If EU really cared about children, those companies would not be doing business in the EU.
[dead]
[dead]
[dead]
> ⌘+F, "vote", Not found
Seems the author forgot one step.
The law was drafted by the government of one party, enacted by the government of the other party.
That isn't quite true, because the law was enacted on October 26, 2023, which was still the same party that drafted it.
Of course, it is true that it is being supported by the current government, however the only way a future government could have avoided the law coming into force would be to repeal it with a new act of parliament (because it was already enacted).
And backed by popular support.
It’s another good example of internet sentiment being far different to popular sentiment.
Polling shows around 70% supported it, though far fewer thought it would be effective. Pretty much matches my views on it.
Polls don't handle nuance, though. Most people would support "children not watching hardcore porn", but most wouldn't support "not allowed to access imgur anymore". The polls don't ask those kinds of question, though, they ask "do you support the OSA", to which the only reasonable answer is "yes and no".
This little "solution" might be fine for .. imgur .. but it shows your nation is well into the authoritarian descent. And there's no where left in the western world to move to either ... It's not a slippery slope, it's a landslide.
We legally have to keep porn on the top shelf in opaque packaging too in any shop where under 18s are allowed.
I mean, it's basically a police state.
Great work! Perhaps not the appropriate OSI layer, but would be cool if this could pull the imgur blob from the wayback machine if unavailable on imgur proper. You'd still need this networking setup, as archive.org is blocked as well in the UK per ground truth from others on HN.
> archive.org is blocked as well in the UK
it isn't
https://news.ycombinator.com/item?id=45430848 is the thread where I learned of this. I'll have to do more research, thanks.
https://www.privateinternetaccess.com/blog/internet-archive-...
I'm in the UK and we use 'mobile broadband' for our domestic Internet connection. So a mains powered router box that connects to the local G4 (or G5) mobile data network and provides wifi and a few cat 5 sockets. We don't need to subscribe to a phone line (e.g. last mile supplied by Openreach/BT or fibre from Virgin or whoever). I pay a single flat fee monthly by credit card. It is reasonably fast and meets our modest needs. There is no hard data cap. We average 150 Gb per quarter or so.
archive.org is blocked (along with other nsfw type sites), but as the last post in your link to an earlier discussion says, I could get it unblocked by filling in a declaration that I'm over 18. Paying by credit card isn't enough to unblock automatically for this particular package.
I've chosen not to unblock for no particular reason. The block sort of makes sense to me because archive.org records a lot of Web sites, some of which may have what is regarded as adult content, and it is unreasonable to expect archive.org to label individual records of sites according to the criteria the UK uses (each country probably has its own set of criteria e.g. gambling Web sites of certain kinds in the US).
archive.org is easily accessible in the UK from most wifi connections in cafes, libraries and, hilariously, colleges (where people under 18 gather in large numbers), and also from domestic adsl or fibre Internet connections.
> archive.org is blocked (along with other nsfw type sites), but as the last post in your link to an earlier discussion says, I could get it unblocked by filling in a declaration that I'm over 18. Paying by credit card isn't enough to unblock automatically for this particular package
That's something to do with your provider. Maybe you need a non-crappy provider.
You do not need to provide any kind of declaration that you're over 18 to access archive.org in the UK.
See comment from another UK resident further down. I suspect it depends on the contract you have, and quite possibly when the contract started.
It appears to be something to do with using PAYG SIMs for mobile broadband. Back when I lived ten minutes from one of the largest cities in the country I used 4G, but didn't run into this or their CGNAT crap because I tunneled out to a sane ISP.
Given that you can buy a SIM that'll give you a couple of hundred GB of data for under a tenner, it seems reasonable that they'd block stuff you didn't want young children getting access to (easily).
The op in the thread is wrong, it's not blocked.
Source: am British, on phone.
> as archive.org is blocked as well in the UK per ground truth from others on HN
I am in the UK.
archive.org is not blocked — not the Library or the Wayback Machine.
ETA: I just checked re: the comment toomuchtodo linked to, and it actually is blocked by default on my mobile phone as adult content, because I've never bothered to disable the adult content lock on that device. I get redirected to a page operated by my mobile network where I can undo the lock by giving them info; I might do that one day, might not.
For non-UK users: UK mobile phone providers all block adult content by default at the account level as a simple parental control measure, and have done for some time, largely because PAYG data is really rather cheap here.
Interesting but not particularly bothersome. Apparently this decision is about eleven years old.
It seems to differ by provider. When I was with Three it was an irritating process of having to either call up or visit a shop in person and say "I want to look at the naughty pages, please". Another provider (I can't remember which) had a method where you had to supply a credit card number.
I'm with "1p Mobile" now who are a virtual network on EE, and their adult content block is just a toggle in your online account, with no faffing around required - you can just hit the toggle. I presume the idea is that you don't give little Timmy the password to his own account portal, but I don't know what's to stop him getting his own SIM by himself.
With Three, I found the adult content block caused other problems with SSH connections dropping, various random stuff getting blocked and so on, which all went away as soon as I had it disabled, so it's worth doing even for non porn fans.
> I presume the idea is that you don't give little Timmy the password to his own account portal, but I don't know what's to stop him getting his own SIM by himself.
Well — perhaps the toggle is only available if the account has been topped up with a credit card?
One thing that distinguishes you getting a SIM and Little Timmy getting a SIM is that you're over the age of majority and can enter into credit contracts, whereas Little Timmy can only get a debit card.
This fact is actually central to one of Ofcom's recommended age verification techniques, though the adult block on mobile phone networks is much older than these recent measures.