Fransys

Tech blog — Architecture, Cloud & DevOps

Internet censorship: technical solutions to stay connected

Published on March 9, 2026 · 12 min read
François GUERLEZ

Gabon, February 2026

On February 17, 2026, Gabon's High Authority for Communication (HAC) ordered the suspension of Facebook, TikTok, YouTube, WhatsApp and Instagram across the entire territory. Official reason: fighting "hateful and defamatory" content. Real context: massive teacher strikes, growing opposition to the ruling power, and a presidential election scheduled for April 12, 2026.

Result: VPN demand exploded by 25,000% within 24 hours according to NetBlocks — that's 180,000 VPN app downloads in the first week, up from 45,000 before the suspension. Proton VPN recorded +60,000% in Gabonese sign-ups. The HAC announced plans to block VPNs too — distinguishing three categories: professional VPNs (tolerated), pre-existing VPNs (monitored), and consumer VPNs downloaded after the suspension (targeted). But as of March 9, 2026, three weeks later, no VPN blocking is in effect.

On the negotiation front, TikTok sent a delegation to Libreville in early March and proposed the TikTok Safety Enforcement Tool (TSET) — a priority reporting channel allowing the HAC to request rapid takedowns of illegal content. Meta reached out the day after the suspension, but discussions are progressing more slowly with no clear timeline. Two legal challenges have been filed: former Prime Minister Bilie-By-Nze filed an emergency injunction at the Libreville court, and four citizens petitioned the Constitutional Court citing Article 14 (freedom of expression). The Court has not yet ruled.

Gabon is not an isolated case. The DRC is considering similar measures. Russia, China, Iran are already blocking. And even in Europe, discussions about platform "regulation" are intensifying. Understanding how internet censorship works and how to bypass it is a basic technical skill in 2026.

How a state blocks the internet

Before talking solutions, we need to understand the mechanisms. A government has several levers, from simplest to most sophisticated.

Level 1: DNS blocking

This is the most common and simplest method to implement. The government orders ISPs to modify their DNS servers so that queries for facebook.com return an NXDOMAIN error (non-existent domain) instead of the real IP address.

This is exactly what Gabon did. Analysis by OONI (Open Observatory of Network Interference) confirms the blocking is implemented via DNS tampering: Gabonese ISPs return NXDOMAIN responses for targeted platform domains. As of March 9, 2026, three weeks after the suspension, no IP blocking or DPI has been observed — VPNs remain fully functional. Proton VPN confirms their servers are accessible without even enabling the Stealth protocol.

It's trivial to bypass. The government knows it. But it's enough to block 90% of the population who don't know what DNS is.

Level 2: IP blocking

More aggressive: the ISP directly blocks the IP addresses of the targeted platform's servers. Your browser may correctly resolve facebook.com to 157.240.1.35, but the packets never arrive.

More effective, but harder to maintain. Major platforms have thousands of IPs and add new ones regularly.

Level 3: Deep Packet Inspection (DPI)

Deep Packet Inspection analyzes the content of network packets in real time. Even if you bypass DNS and IP blocks, DPI can identify traffic types (VPN, Tor, etc.) and block them.

This is what China does with the Great Firewall. It's expensive, technically complex, and slows down the entire network. Few African countries can afford to deploy it at scale.

Level 4: total shutdown

The kill switch. Cut the fiber, turn off the antennas. This is what Myanmar did in 2021. No technical solution bypasses a physical shutdown.

Solution 1: change your DNS

Difficulty: trivial — 2 minutes, no installation

If the blocking is DNS-based (Gabon's case), you just need to stop using your ISP's DNS. Replace it with a public resolver:

| Provider | IPv4 | IPv6 |
|---|---|---|
| Cloudflare | 1.1.1.1 / 1.0.0.1 | 2606:4700:4700::1111 |
| Google | 8.8.8.8 / 8.8.4.4 | 2001:4860:4860::8888 |
| Quad9 | 9.9.9.9 / 149.112.112.112 | 2620:fe::fe |

On Android

Settings → Network → Private DNS → one.one.one.one (Cloudflare) or dns.google (Google).

This is DNS-over-TLS. Your ISP can't even see your DNS queries.

On iPhone

Settings → Wi-Fi → your network → Configure DNS → Manual → add 1.1.1.1 and 1.0.0.1.

For cellular, install Cloudflare's 1.1.1.1 app which applies encrypted DNS system-wide.

On desktop (Linux/Mac/Windows)

# Linux - temporary change
echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf

# Linux - permanent with systemd-resolved
sudo mkdir -p /etc/systemd/resolved.conf.d
cat << EOF | sudo tee /etc/systemd/resolved.conf.d/dns.conf
[Resolve]
DNS=1.1.1.1 1.0.0.1
DNSOverTLS=yes
EOF
sudo systemctl restart systemd-resolved

On Windows: Settings → Network → Adapter properties → DNS → 1.1.1.1.

Limitations

This only works against DNS blocking. If the government moves to IP blocking or DPI, changing DNS won't help. And some ISPs intercept DNS queries even to third-party servers (DNS hijacking). In that case, you need encrypted DNS (DoH or DoT).

Solution 2: DNS-over-HTTPS (DoH)

Difficulty: easy — 5 minutes

DNS-over-HTTPS encapsulates DNS queries in regular HTTPS traffic. To the ISP, it looks like a normal web connection to cloudflare-dns.com. Impossible to distinguish or intercept without blocking HTTPS entirely (which would break the entire internet).

In the browser

Firefox and Chrome support DoH natively:

  • Firefox: Settings → Privacy → DNS-over-HTTPS → Max Protection → Cloudflare
  • Chrome: Settings → Security → Use secure DNS → Cloudflare (1.1.1.1)

This only protects the browser, not other apps.

System-wide with dnscrypt-proxy

To cover the entire system:

# Debian/Ubuntu
sudo apt install dnscrypt-proxy

# Config file is in /etc/dnscrypt-proxy/dnscrypt-proxy.toml
# Default servers already use DoH
sudo systemctl enable --now dnscrypt-proxy

Then point your system DNS to 127.0.0.1 (the local proxy).

Limitations

Against DNS blocking and DNS hijacking, it's effective. But if platform IPs are blocked directly, it won't help — you resolve the name correctly, but packets still don't arrive.
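To tell which of these cases you are facing, compare the answer for the same name from three resolvers and then test whether the resolved address is reachable. The sketch below is an added example, not code from the original post: the function names are illustrative, it only models the NXDOMAIN-style tampering described above, and the sample responses (including the 192.0.2.1 documentation address) are constructed so that it runs offline.

```python
import struct

NOERROR, NXDOMAIN = 0, 3  # DNS RCODE values (RFC 1035)

def build_query(name, qid=0x1234):
    """Encode a minimal A-record query in DNS wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg):
    """Return (rcode, answer_count) of a DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    return flags & 0x000F, ancount

def resolved(msg):
    """True when the response is NOERROR and carries at least one answer."""
    rcode, ancount = parse_header(msg)
    return rcode == NOERROR and ancount > 0

def classify(isp, public53, encrypted, tcp_ok):
    """isp / public53 / encrypted: raw answers for the same name from the ISP
    resolver, a public resolver over plain port 53, and a DoH/DoT resolver.
    tcp_ok: whether a TCP connection to the resolved address succeeded."""
    if not resolved(encrypted):
        return "inconclusive"   # name may not exist, or the resolver is unreachable
    if not tcp_ok:
        return "ip-blocking"    # name resolves, packets never arrive (or DPI)
    if resolved(isp):
        return "not-blocked"
    if resolved(public53):
        return "dns-blocking"   # changing the resolver is enough
    return "dns-hijacking"      # port-53 queries intercepted: use DoH/DoT

def constructed_reply(query, rcode, addr=None):
    """Constructed sample data: build a response to `query` for offline use."""
    head = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    # Answer RR: pointer to the question name, type A, class IN, TTL 60, 4-byte address
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(addr)) if addr else b""
    return head + query[12:] + rr
```

In live use the three byte strings would come from a UDP query to the ISP resolver, a UDP query to a public resolver on port 53, and a DoH or DoT lookup.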

Solution 3: commercial VPN

Difficulty: easy — 5 minutes, one app to install

A VPN encrypts all your traffic and routes it through another country. Your ISP only sees an encrypted connection to the VPN server. It doesn't know if you're accessing Facebook, Google or your bank.

Which one to choose

Not all VPNs are equal. Important criteria when it comes to censorship:

  • Anti-censorship protocols: WireGuard is good, but identifiable by DPI. Look for a VPN with obfuscated protocols (Stealth, Shadowsocks)
  • No logs: verified by independent audit, not just stated on their website
  • Jurisdiction: outside the 14 Eyes preferably

| VPN | Anti-DPI protocol | No-log audit | Jurisdiction |
|---|---|---|---|
| Proton VPN | Stealth | Yes (Securitum) | Switzerland |
| Mullvad | Shadowsocks, bridges | Yes (Assured AB) | Sweden |
| IVPN | V2Ray, obfs4 | Yes (Cure53) | Gibraltar |

Proton VPN has a free plan (limited but functional). For Gabon specifically, Proton confirmed their servers remain accessible without even enabling the Stealth protocol.

On mobile

  1. Download the app (Proton VPN, Mullvad, etc.) from the Play Store or App Store
  2. Create an account
  3. Connect to a server in an uncensored country
  4. That's it

Limitations

  • Cost: good VPNs are paid (~5-10 EUR/month), free ones are limited or dubious
  • Blockable: commercial VPN server IPs are known and listed. A motivated government can block them
  • Trust: you're shifting trust from the ISP to the VPN provider. If they're compromised or cooperate with a government, you're exposed
  • Speed: encryption and rerouting add latency

Solution 4: Tor

Difficulty: easy to install, slow to use

Tor routes your traffic through three successive relays, each knowing only part of the path. Nobody — not your ISP, not the relays, not the destination site — can reconstruct the complete chain.

Installation

# Tor Browser (the simplest)
# Download from torproject.org

# Or via command line on Debian
sudo apt install tor torbrowser-launcher
torbrowser-launcher

On Android: install Tor Browser from the Play Store or F-Droid.

Bridges: when Tor is blocked

If the government blocks known Tor relays, there are bridges — relays not listed publicly. obfs4 bridges camouflage Tor traffic to look like random noise.

In Tor Browser: Settings → Connection → Bridges → Use a built-in bridge → obfs4.

Limitations

  • Slow: three layers of encryption come at a cost. Not usable for streaming or video calls
  • Not for everything: Tor protects the browser, not WhatsApp or other apps
  • Sites blocking Tor: many services detect and block Tor exit IPs

Solution 5: SSH tunnel (SOCKS proxy)

Difficulty: intermediate — requires a server abroad

If you have access to a server (VPS, machine at a friend's place) in a free country, you can create an SSH tunnel that acts as a proxy:

ssh -D 1080 -N -f user@my-server.com

This creates a local SOCKS5 proxy on port 1080. Configure your browser to use localhost:1080 as a SOCKS proxy.

All browser traffic then goes through your server, encrypted in SSH. To the ISP, it looks like a regular SSH connection.

Limitations

  • Only covers apps configured to use the proxy (mainly the browser)
  • SSH is identifiable by DPI (port 22, characteristic handshake)
  • Requires a server, so cost and skills

Solution 6: VLESS+Reality (Xray)

Difficulty: intermediate — requires a server abroad

This is the most effective solution against advanced DPI in 2026. Xray with the VLESS+Reality protocol doesn't just encrypt traffic — it makes it look like a legitimate HTTPS connection to a real website (e.g. www.microsoft.com).

Unlike a classic VPN that creates an identifiable tunnel, VLESS+Reality performs a real TLS 1.3 handshake with the target site. To an observer (ISP, national firewall), the traffic is indistinguishable from a normal visit to microsoft.com. China's Great Firewall and Russia's TSPU cannot block it without blocking access to microsoft.com — which they won't do.

Why it's superior to other anti-DPI solutions

| Anti-DPI solution | Principle | Resists advanced DPI |
|---|---|---|
| Obfuscated VPN (Stealth) | Masks VPN traffic | Partially |
| Tor + obfs4 bridges | Random noise | Detectable by statistical analysis |
| Shadowsocks | Encryption without signature | Detectable in China since 2022 |
| VLESS+Reality | Mimics real HTTPS | Proven in Russia and China |

How it works

  1. You install Xray on your VPS abroad
  2. Xray listens on port 443 and impersonates www.microsoft.com
  3. On your device, a client (v2rayN on Windows, Xray on Linux) connects to the VPS
  4. DPI sees a normal HTTPS connection to microsoft.com — it lets it through
  5. In reality, your traffic is tunneled through this connection

Clients

| Platform | Recommended client |
|---|---|
| Windows | v2rayN (GUI) |
| Linux | Xray-core (CLI) |
| Android | v2rayNG |
| iOS | Streisand |

Limitations

  • Requires a VPS and technical skills for installation
  • Doesn't create a mesh network like Tailscale — it's a proxy, not a VPN
  • Configuration is more complex than a classic VPN
  • If the government blocks your VPS IP specifically, you need to change it

Which solution for which blocking method?

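| Censorship method | DNS | DoH | VPN | Tor | SSH tunnel | VLESS+Reality |
|---|---|---|---|---|---|---|
| DNS blocking | Yes | Yes | Yes | Yes | Yes | Yes |
| DNS hijacking | No | Yes | Yes | Yes | Yes | Yes |
| IP blocking | No | No | Yes | Yes | Yes | Yes |
| Basic DPI | No | No | ~ | Yes | ~ | Yes |
| Advanced DPI (China) | No | No | ~* | ~* | No | Yes |
| Total shutdown | No | No | No | No | No | No |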

*With obfuscated protocols (Stealth, obfs4 bridges) — variable effectiveness

The Gabonese case: what to do concretely

The blocking in Gabon is DNS tampering — confirmed by OONI measurements. In practice, changing DNS is enough to unblock everything. No need for a VPN or Tor. It's the easiest censorship to bypass.

  1. Immediate: change your Android phone's private DNS to one.one.one.one. It takes 30 seconds and unblocks everything
  2. If that's not enough (DNS hijacking by ISP): install Proton VPN (free) or Cloudflare WARP (free). One app, one button
  3. If VPNs are blocked: enable the Stealth protocol in Proton VPN, or use Tor with obfs4 bridges

As of March 9, 2026, we're still at step 1. Three weeks after the suspension, the blocking remains plain DNS tampering. The HAC announced plans to block VPNs, but the technical reality is more complicated. The estimated cost of VPN blocking via DPI ranges from $3 to $10 million (1.86 to 6.2 billion CFA francs) for deployment, plus $1-3 million per year in operating costs — and it would break the digital economy, since businesses, banks and NGOs all use VPNs.

Meanwhile, negotiations with platforms are progressing. TikTok is proposing a priority reporting tool (TSET) and Meta is in discussions. A new digital regulatory framework adopted by the Council of Ministers expands the HAC's mandate. But on the legal front, two challenges contest the very legality of the suspension — the Constitutional Court could redefine the HAC's powers over digital media. The outcome of this legal and diplomatic standoff will also depend on the political calendar: the April 12 presidential election is approaching.

What's next?

These solutions are immediate responses. They all depend on a third party: Cloudflare for DNS, Proton for VPN, the Tor network for bridges.

In the second part, we'll see how to take back full control: set up your own VPN server with Headscale and a VLESS+Reality proxy (Xray) on a Swiss VPS, depending on no one. Both coexist on port 443 through nginx SNI routing — Headscale for daily VPN use, Xray for bypassing DPI when traveling to a country that blocks VPNs.


The techniques presented here aim to preserve access to information, a fundamental right recognized by Article 19 of the Universal Declaration of Human Rights. Use them responsibly and with knowledge of local laws.
