not working

Imgur Geo-Blocked the UK, So I Geo-Unblocked My Entire Network :: The Tymscar Blog

by

Imgur decided to block UK users. sincerely? I don’t really care that much. I haven’t actively browsed the site for years. But it happened everywhere. Maybe fifteen years ago when Reddit embedded everything on Imgur, it was really useful. Then Reddit created its own image hosting, Discord did the same, and Imgur slowly faded into the background.

Except that it never completely disappeared. And since the block, I keep stumbling upon Imgur links that just show “unavailable”. This is a little infuriating.

Imgur appears to be unavailable in the UK

Minecraft shader problem#

Here is a concrete example. I was playing Minecraft with some coworkers and wanted to try out different shaders. Most shader pages embed preview images hosted on Imgur. So I clicked on shader after shader and each preview was gone. I couldn’t see what any of them looked like without images.

This kind of thing happens all the time now. Old forum posts, Reddit threads, documentation pages, random project READMEs. Imgur links are still scattered across the internet, and in the UK, they are all broken.

Why didn’t I install a VPN#

The obvious solution is to use a VPN. Change your location, problem solved. But I have some issues with that approach.

First of all, I just upgraded to 2.5 Gbps internet and I don’t want to route all my traffic through the VPN and impact the speed. I have this bandwidth for a reason.

Second, even if I set up a VPN on my main machine, what will happen to my phone? my laptop? my desktop? Each device would need to be running a VPN, and I would have to remember to connect to it before I could browse. It’s dirty.

I wanted something clean: a solution that worked for every device on my network automatically, with no client-side configuration.

Network-level approach#

I already run a homelab with Traefik as my reverse proxy, everything configured declaratively with Pi-Hole and NixOS for DNS. If you read my previous post on Docker containers with secrets, you’ll recognize the pattern.

The idea was simple: block all requests i.imgur.com At the DNS level, route them through a VPN-connected container, and serve the images back. Every device on my network automatically uses Pi-hole for DNS via DHCP, so it will be completely transparent.

Here is the flow:

  1. device request i.imgur.com
  2. Pi-hole returns the IP of my Trafic instance instead
  3. Traffic looks at SNI hostnames and routes to glutun
  4. Glutun tunnels requests through a VPN
  5. Nginx (connected to Glutton’s network) is a proxy for the real Imgur.
  6. The image returns to the device through the tunnel

Why Nginx when I already have the traffic?#

Good question. Glutun is not a reverse proxy. It is a container that provides VPN connectivity to other containers connected to its network namespace. So I really needed something inside Gluetun’s network to handle the proxy. Nginx was the simplest option.

Nginx configuration is minimal. It just does TCP passthrough with SNI:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

stream {
    resolver 127.0.0.1 valid=30s;
    resolver_timeout 5s;

    server {
        listen 443;
        ssl_preread on;
        proxy_pass i.imgur.com:443;
        proxy_connect_timeout 10s;
        proxy_timeout 60s;
    }
}

It listens on port 443, reads the SNI header to confirm the destination, and forwards the connection to the real i.imgur.comThe TLS handshake is end-to-end; Nginx never sees decrypted traffic,

docker setup#

The compose file runs two containers. Gluetun handles the VPN connection, and nginx connects to Gluetun’s network:

version: '3.8'

services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=${VPN_SERVICE_PROVIDER}
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
      - SERVER_COUNTRIES=${SERVER_COUNTRIES}
      - FIREWALL=on
      - FIREWALL_INPUT_PORTS=443
      - FIREWALL_OUTBOUND_SUBNETS=10.0.0.0/8
      - DOT=on
      - DOT_PROVIDERS=cloudflare
      - HEALTH_VPN_DURATION_INITIAL=30s
    volumes:
      - ./gluetun:/gluetun
    restart: unless-stopped
    networks:
      - proxy
    healthcheck:
      test: ["CMD", "/gluetun-entrypoint", "healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s

  imgur-proxy:
    image: nginx:alpine
    container_name: imgur-proxy
    depends_on:
      gluetun:
        condition: service_healthy
    network_mode: "service:gluetun"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    restart: unless-stopped

networks:
  proxy:
    external: true

main details are network_mode: "service:gluetun"It shares Glutun’s network stack with Nginx, so all its traffic automatically goes through the VPN tunnel,

I won’t reveal which VPN provider I use. This is one of the major ones with WireGuard support, but honestly I’m not thrilled with it. Use whatever you have.

Traffic Routing#

The last part is asking traffic to route i.imgur.com Traffic to Glutton container. It uses TCP routing with TLS passthrough:

tcp:
  routers:
    imgur-router:
      rule: "HostSNI(`i.imgur.com`)"
      entryPoints:
        - https
      service: imgur-service
      tls:
        passthrough: true
  services:
    imgur-service:
      loadBalancer:
        servers:
          - address: "gluetun:443"

passthrough: true Is important. This means that the traffic does not terminate TLS; It just inspects the SNI header and forwards the connection.

NixOS integration#

Following the same pattern as my Docker with secrets post, I created a systemd service that runs the compose stack with Agenix-managed secrets:

{ pkgs, config, ... }:
let
  docker-env = config.age.secrets.docker-imgur-proxy.path;
in
{
  systemd.services.imgur-proxy = {
    description = "Imgur Proxy with VPN";
    after = [
      "network.target"
      "docker.service"
      "docker-create-proxy-network.service"
    ];
    wants = [
      "docker.service"
      "docker-create-proxy-network.service"
    ];
    serviceConfig = {
      ExecStart = "${pkgs.docker}/bin/docker compose --env-file ${docker-env} -f docker-compose.yml up --force-recreate";
      ExecStop = "${pkgs.docker}/bin/docker compose -f docker-compose.yml down";
      WorkingDirectory = "/home/tymscar/dotfiles/apps/nixos/docker/imgur-proxy";
      Restart = "always";
    };
    wantedBy = [ "multi-user.target" ];
  };
}

The VPN credentials are stored encrypted with Agenix, so my entire dotfiles repo remains public, keeping secrets safe.

Result#

Now when any device on my network requests an Imgur image, it works. My phone, my laptop, guest devices, everything. No VPN app to install, no browser extensions, no manual configuration. Pi-Hole intercepts the DNS, routes the traffic connection, and Glutun tunnels it through a non-UK exit point.

Imgur is working after improvements

The latency increase for loading images is negligible, and it only impacts Imgur traffic. Everything else is still running at full speed.

Is it too much to look at an Imgur image occasionally? Perhaps. But it’s a clean solution that requires minimal ongoing maintenance, and it scratches the homelab itch. Plus I can finally see what those Minecraft shaders look like.



<a href

Leave a Comment