Jump to content
Chinese-Forums
  • Sign Up

Internet Blocks, the Great Firewall and VPNs


roddy

How are you getting round Internet blocks in China?  

69 members have voted

  1. 1. How are you getting round Internet blocks in China?

    • I just give up and read the China Daily
      20
    • Free web proxy like Anonymouse
      21
    • Paid web proxy like Proxify
      3
    • A browser plug in like Gladder
      12
    • I installed a bit of software, like Tor
      21
    • Something else which I will detail below . . .
      4
    • Port forwarding over SSH to a remote proxy, like Imron
      10
    • VPN, like Witopia
      57


Recommended Posts

2 hours ago, roddy said:

Man, I really should get me some of that juicy VPN affiliate income...

 

Hmmm. I've been using ibVPN and flogging affliate links for coming up to 9 years now, which has "earned" me USD 22.40.  Or it would if it got above the USD 50 threshold which would mean they actually paid me anything.  #TheoryVsPractice 

Link to comment
Share on other sites

  • 2 weeks later...

Damn. The Great Firewall guys are getting cleverer.

 

On Monday, they noticed I was sending encrypted traffic over port 1701 pptp and blocked my European computers for 4 days.

 

So, my next plan is to use port 443 and set the router to dial-on-demand so that the traffic looks like HTTPS. However, does anyone know if they use deep packet inspection traffic profiling to recognise the difference between OpenVPN and HTTPS on the same port?

 

I've found that sslh allows me to share OpenVPN and HTTPS on the same port, but I haven't seen a solution yet for how to run SSTP and HTTPS on the same port. SSTP would have a packet profile more like HTTPS so would make it more difficult to detect. Does anyone have a solution for sharing SSTP and HTTPS on port 443?

Link to comment
Share on other sites

8 hours ago, banjo67xxx said:

does anyone know if they use deep packet inspection traffic profiling

Yes they do, and have done for years.  I don't know how it will affect openvpn vs https on the same port though, so the only way is to try it and see.

 

Honestly though, for the amount of time and hassle it takes to sort out something like this by yourself (and continually keep it up to date), you're probably better off just paying for a VPN that'll work in China (assuming you value your time).   They likely have full time engineers working on problems like this and fixing/working around issues as they come up.

Link to comment
Share on other sites

Interesting that you say they've been traffic profiling for years. They can't be very good at it, as I've been using port 1701 with a permanently active link and weak encryption for about 8yrs, and they only noticed it on Monday. 

 

Anyway I have found a solution using Pound as an SSL load balancer instead of sslh. It can direct traffic based on SSL certificate. So the profile will be indistinguishable from HTTPS. Only I know the certificate so I can still reroute SSTP. 

 

It's no big deal for me to adapt my private network, as it's another Linux technology I can add to my CV. 

Link to comment
Share on other sites

3 hours ago, banjo67xxx said:

They can't be very good at it,

I think it's rather that they're pretty lenient about it if only a handful of people (and mostly foreigners at that) are doing it, and then they slowly tighten the screws.

 

3 hours ago, banjo67xxx said:

as it's another Linux technology I can add to my CV. 

Fair enough, as long as it's adding value in a field related to your career, then file it under gaining skills and qualifications.  At some point you might find the balance tips.  I was happy using ssh tunnelling for years when all it involved was ssh'ing in to a box outside the firewall.  It's since reached a point where I think it's far better time/cost tradeoff just to pay for a VPN - but then I'm not living in China any more so my priorities are slightly different in that I want something that will work as soon as I arrive and that I don't have to spend any time getting it working.

 

I was using http tunnelling over ssh since 2004 and it always worked perfectly.  Then on a visit towards the end of 2014 I noticed that the ssh tunnel would drop out more regularly than it used to - especially if downloading larger files.  It still wasn't a major issue.  On my most recent trip to China in 2016 the disconnections were far more frequent and I ended up just using a VPN.  I don't know what it's like now tunnelling web traffic over ssh but I don't expect they've gotten more lenient about it.

 

Back to the topic of Deep Packet Inspection, here's a paper describing some of the details of what they use DPI for, and here's an article I came across while searching for that paper that describes ways to circumvent DPI that might help you set something up.

 

 

  • Like 2
  • Helpful 1
Link to comment
Share on other sites

  • 4 weeks later...

My first experiences here of using VPNs from inside PRC... can anyone point me to an up to date description of how the blocking works?  For example does your connection get shut down for a period of time if you access anything banned?  (I think I may have read this somewhere.)

 

So far on this trip I've been successfully using ibVPN on my ageing Android phone, since I've been using that provider for years and they've generally been pretty good.  

 

Just before I left home I also subscribed to ExpressVPN "just in case" since everyone here seems to have good things to say.  I tried it at home and it crashed my Macbook and I had to reset the router to get online again, so I gave up on it until I arrived here in Hangzhou.

 

I've spent ages yesterday and today trying to get my laptop online.  Over the last 10 days in Shanghai, Suzhou and Nanjing hotels I had always been able to connect to some server or other using ibVPN, but here in Hangzhou I'd had nothing. 

 

(My phone is still working great though — in fact it's still connected to the same VPN server this morning as I was using yesterday, while I was out and about. FWIW I have a pre-paid/PAYG Singaporean SIM card — Singtel — for which I bought a 1GB roaming package before leaving home.)

 

Out of desperation this morning I just connected my macbook to the wired ethernet connection in the hotel room, rebooted, tried ExpressVPN and it connected to the first server it tried immediately.

 

Which makes me wonder... has my WiFi MAC address been added to a blacklist somewhere?  (Since my wired ethernet adapter has a different MAC address.)  If so, how long does this last?

 

Thanks!

 

 

Link to comment
Share on other sites

There are several methods used. Fake DNS replies. Fake DNS injection to replies from foreign DNS servers. IP address blocking of banned sites. Keyword inspection of unencrypted traffic. Recently they've started blocking IP addresses that receive known VPN protocols. 

 

Your MAC address is irrelevant as that is never transmitted beyond the hotel network. I have noticed many hotels, bars, cafes even in Europe block VPN. No idea why bars would but I can understand hotels don't want you to make cheap VOIP phone calls. 

 

PS: I believe Express VPN has the option to use obfsproxy to make your VPN traffic look like Web browsing. 

  • Helpful 1
Link to comment
Share on other sites

2 hours ago, banjo67xxx said:

Your MAC address is irrelevant as that is never transmitted beyond the hotel network.

 

Unless Hotel itself was doing the blacklisting?

What would be the explanation for ethernet working immediately after 100% no-go with WiFi, any ideas?  Just luck?  Not monitoring the wired connections in the same way?

 

2 hours ago, banjo67xxx said:

I believe Express VPN has the option to use obfsproxy to make your VPN traffic look like Web browsing

 

I don't know about that, I've only been using it for a day.  Looking at the diagnostics earlier I noticed it was cycling through OpenVPN, PPTP, L2TP etc to try to establish a connection.  Right now I'm on TLS/port 443 so presumably that looks just like an HTTPS connection...

 

 

Link to comment
Share on other sites

  • 2 weeks later...

It's most likely due to the hotel's network setup, and probably something as simple as blocking all ports except WWW and a few common services. What usually works in such cases is using port 443 for VPN like you noted. Most VPN providers support this. The Ethernet connection probably goes via a different subnet/router/firewall.

 

Hotels/bars in Europe will sometimes block VPN ports because they sell your browsing data, and VPN interferes with this.

  • Like 1
Link to comment
Share on other sites

  • 2 weeks later...

Hi guys!

I'm looking into VPNs to avail so that I already have one set-up before I enter the country by the last week. I'm currently looking into either NordVPN, Hotspot Shield (premium), or AstrillVPN. Most probably NordVPN, though. Do you guys have any experience with these ones? If not, do you have any other recommendations to get past the firewall? I know that some VPNs are having issues nowadays especially with the stricter imposed measures.

 

PS. Not a techy person, but I really just need the VPN for facebook from time to time to contact people back home. Having said that, I probably don't need an "insane" VPN. Anything simple and will function from time to time will do.

 

Any help/assistance would be appreciated. Thank you!

Link to comment
Share on other sites

ExpressVPN and ibVPN both worked for me at various times last month – see above. Used them both on my phone and on my laptop. 

 

ibVPN has many many more servers in countries worldwide you can connect to (which makes it appear that you’re in that country). Also has more servers in Asia which are likely to give you better speed. 

  • Helpful 1
Link to comment
Share on other sites

@mungouk have you noticed that Asian servers are actually quicker?

 

From looking at traceroute I see that getting between Beijing and Europe only takes 40-50ms, but going through the deep packet inspection of the Great Firewall takes about 180-200ms. So I wouldn't have thought the location of the proxy would make a significant difference. 

Link to comment
Share on other sites

1 hour ago, banjo67xxx said:

have you noticed that Asian servers are actually quicker?

 

For me it varied from time to time, but the best results I was getting 4 weeks ago were with servers in HK and Singapore.

 

As they say: your mileage may vary. 

 

 

Link to comment
Share on other sites

  • 1 year later...

I'm going to be in China for a month, and I've purchased and installed ExpressVPN on my laptop and mobile.

 

If it's a hardship for me to go more than a day without connecting to US websites that are probably blocked in China, then should I get a backup VPN also?

 

In other words, if ExpressVPN goes out, or I cannot connect to it, then does that tend to be a passing thing or a persistent thing?

 

 

Link to comment
Share on other sites

20 minutes ago, Moshen said:

if ExpressVPN goes out, or I cannot connect to it, then does that tend to be a passing thing or a persistent thing?

You just try again a while later (not sure how long the while should be, I tried again the next day and then it worked, but perhaps half an hour can also do it), until it does work. If you need to be able to connect to the blocked parts of the internet at all times, it's wise to buy two or even three VPNs.

Link to comment
Share on other sites

3 hours ago, Moshen said:

 

In other words, if ExpressVPN goes out, or I cannot connect to it, then does that tend to be a passing thing or a persistent thing?

 

 

 

When my expressvpn goes out I ask my wechat buddies and everytime , everyone has the same problem, irrespective of VPN (usually) , so it looks like it's pretty uniform from my experience anyway.  

I think if you're  coming here any time soon you can expect VPNs to have a lot of problems with the 70th anniversary if the PRC. i noticed today even where I live the army / armed police or whatever they are, were checking underpasses, and coming back into Beijing this afternoon the queue at the checkpoint was enormous (despite it being a quiet day here). I got somewhat interrogated and told off for not carrying my passport, ( but after showing my driver license they sent me on my way)

 

Point is: security will be tight

Link to comment
Share on other sites

Join the conversation

You can post now and select your username and password later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Click here to reply. Select text to quote.

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...