daofeishi
Posted January 23, 2014 at 02:03 PM

I have been running my own OpenVPN instance on a virtual server in the US for 3 years now. It has worked impeccably in the past, but the last few months it seems like the Chinese ISPs have found ways of detecting OpenVPN connections and preventing them from working correctly.

Last October I started having intermittent problems with connecting to port 1192 on my server. That is, I never had a problem with the initial connection, but the TLS-handshake that establishes the encrypted connection would sometimes not go through. Nothing abnormal was happening in my own logs or the server logs, so I suspected that the firewall was specifically monitoring data to that port. I switched to port 443 and things seemed to work fine for a while. However, it only took a couple of weeks before I started having to play whack-a-mole with the firewall. Connections would often fail on reconnect, and I would have to change ports again to reconnect. Every reconnect would force me to NAT a new port to my VPN instance in order to reconnect.

Now that has become unviable. It seems like the ISP has started to use some sort of deep packet inspection on all packets to identify which ones contain OpenVPN data. Specifically, it seems to be able to identify the TLS handshake, because that is the stage at which my connection attempts fail. Some googling seems to verify that that is what is going on - apparently some details of the implementation of OpenVPN make the handshake packets identifiable, and therefore droppable, by the firewall.

Do any of you run your own VPN instances? Have you run into similar problems? Have you found a reliable way around them? Are commercial VPN providers having the same problems?
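What makes the handshake recognisable on any port, as an added example that is not part of the original posts: OpenVPN's first packet carries a cleartext opcode byte, and in TCP mode a 2-byte length prefix, which a traffic monitor can match without decrypting anything. The opcode values are from the OpenVPN wire protocol; the function names and sample payloads are constructed for illustration.

```python
import struct

# Opcodes from the OpenVPN wire protocol: the first byte of every packet is
# (opcode << 3) | key_id, and it is sent in the clear.
HARD_RESETS = {
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
}
# opcode byte + 8-byte session id + 1-byte ack count + 4-byte packet id
MIN_CONTROL_LEN = 14


def classify_openvpn(payload: bytes, transport: str = "udp"):
    """Return the opcode name if payload starts an OpenVPN session, else None."""
    if transport == "tcp":
        # Over TCP every OpenVPN packet has a 2-byte big-endian length prefix.
        if len(payload) < 2:
            return None
        (length,) = struct.unpack("!H", payload[:2])
        if length > len(payload) - 2:
            return None
        payload = payload[2:2 + length]
    if len(payload) < MIN_CONTROL_LEN:
        return None
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    # A fresh session always starts with key_id 0.
    if key_id != 0:
        return None
    return HARD_RESETS.get(opcode)


# Constructed sample payloads (not captured traffic).
SESSION_ID = bytes.fromhex("a1b2c3d4e5f60718")
CLIENT_RESET = bytes([7 << 3]) + SESSION_ID + b"\x00" + b"\x00\x00\x00\x00"
SAMPLES = [
    ("udp", CLIENT_RESET),
    ("tcp", struct.pack("!H", len(CLIENT_RESET)) + CLIENT_RESET),
    # First bytes of a TLS 1.x ClientHello record, as seen on a normal HTTPS flow.
    ("tcp", bytes.fromhex("16030100c8010000c40303") + bytes(194)),
]


def scan(samples):
    return [classify_openvpn(data, transport) for transport, data in samples]


if __name__ == "__main__":
    for (transport, _), verdict in zip(SAMPLES, scan(SAMPLES)):
        print(transport, verdict or "no OpenVPN hard reset")
```

The check never looks at a port number, which is consistent with port changes alone not helping, while a genuine TLS ClientHello on the same port does not match.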
gato
Posted January 24, 2014 at 06:57 AM

I use one of the commercial VPN providers and have noticed that there has been more dropping of connections in the last two months or so.

Since you are running your own VPN service, have you tried the solutions discussed on the page below?

https://www.bestvpn.com/blog/5919/how-to-hide-openvpn-traffic-an-introduction/
How to hide OpenVPN traffic – an introduction

More here. Wanna give it a try? Let us know if it addresses the problem.

https://forums.openvpn.net/topic12605.html
Patch: Fix for Iran and China users

http://www.ab9il.net/crypto/openvpn-cloaking.html
OpenVPN Cloaking with Stunnel or Obfsproxy: An Effective Defense Against Deep Packet Inspection
icebear
Posted January 25, 2014 at 02:18 AM

I use Astrill and it generally runs very smoothly, although there will occasionally be an outage for a day or two. Astrill so far is pretty forthcoming in that only one time they've directly identified a change in Chinese filtering practices as the culprit.

Typically I can stream 720p YouTube videos with minimal preloading.
tysond
Posted January 25, 2014 at 09:14 AM

Thanks icebear - I am considering switching solution as Witopia is up and down a lot.

Astrill is the one I was considering. Wondering whether I can configure it at a router level or something to handle key websites but leave natural access to China streaming services....
icebear
Posted January 25, 2014 at 02:38 PM

> Astrill is the one I was considering. Wondering whether I can configure it at a router level or something to handle key websites but leave natural access to China streaming services....

I believe they have a router option (an add-on to the basic service), although I'm not sure about all the details as I just use basic.

Within the app there are a few options to allow you to specify what to filter and what to keep "natural". That includes:
- Browsers
- Websites, including a blanket *.cn if you want (you need to enter these yourself, but that is an easy one...)

At least on Windows, by enabling or disabling IE as a VPN'ed browser you also alter other programs which I assume use IE services. E.g. if I have it enabled on IE then I'm able to access Steam via that app, otherwise it doesn't connect. Just the opposite for an app I use for economic data. It's pretty easy to toggle on/off and for the filters above on the fly.

As I said, there have been a few brief periods where it went out completely, but these have been rare. Overall I'm very happy with the basic service.
daofeishi (Author)
Posted January 25, 2014 at 04:58 PM

> Since you are running your own VPN service, have you tried the solutions discussed on the page below?

No, except for changing the standard port, which doesn't work. Obfsproxy and stunnel require using OpenVPN in TCP mode, which I am afraid might lead to a substantial slow-down.

It seems like many of the problems are OpenVPN-specific. I guess I have to look into alternative solutions. If I get some time later this week, I'll try to see if the patch works.
gato
Posted February 27, 2014 at 01:55 AM

Has anyone else been experiencing problems with VPN in China lately? I've been using the same provider (one that's been mentioned by several people on this forum) for the last two years. Lately the speed has slowed and I've had more disconnects during sessions. And this morning I haven't been able to connect at all, at least through the L2TP protocol (which generally has been more reliable).
icebear
Posted February 28, 2014 at 07:11 AM

Mine has been unstable the last few days also, with the official website acknowledging a problem (but no timeframe for solution). Corporate VPN at work humming along just fine.
gato
Posted February 28, 2014 at 07:21 AM

It turns out that it was the VPN provider's problem. They are back up now: http://www.shanghaiexpat.com/phpbbforum/is-astrill-vee-pee-ann-down-t171037.html
tytzer
Posted April 11, 2014 at 04:21 PM

I use a free proxy called GoAgent. It works wonderfully since it's a HK app.
Suzee
Posted April 12, 2014 at 03:10 AM

Like a couple of posters mentioned, I also use Astrill at home and in my business. There are sometimes troubles but I have noticed both places I run it are different so I guess it also depends on who your internet provider is. At home we are on a LAN system that is provided by my husband's work (a school) and in my business I pay directly through China Mobile. The business one seems to have fewer hassles so I guess it is the school system that has the troubles for us. But Astrill has been great for us for a few years.
Tianjin42
Posted January 26, 2015 at 02:35 AM

Through my work we keep in touch with large numbers of foreign nationals in China.

Many of you will be already aware but just to confirm here, the feedback we have received is suggesting the recent crackdown with VPNs has been the most severe that we have seen. We received mails and messages from across the country; it seems a lot of previously useful VPN services are now blocked/experiencing issues. This includes a number of academic VPN systems used to access university intranets. Incidentally the VPN that I use doesn't seem to have been affected.

There have been a few news reports about this (e.g. http://www.globaltimes.cn/content/903542.shtml).

How are you getting on with this? Anyone experiencing disruption?
imron
Posted January 26, 2015 at 02:58 AM

Merged. I know the crackdown is more recent but there are already so many threads discussing VPNs and Internet access that I figure best not to add another one.
Tianjin42
Posted January 26, 2015 at 03:26 AM

No problem - hadn't seen this one.
abcdefg
Posted January 26, 2015 at 03:28 AM

> Many of you will be already aware but just to confirm here, the feedback we have received is suggesting the recent crackdown with VPNs has been the most severe that we have seen.

Huge problem with my VPN since returning to China a week or two ago. What worked OK in November no longer does. It's incredibly frustrating, has interfered with some on-line course work I'm doing and has adversely affected my quality of life.
imron
Posted January 26, 2015 at 04:24 AM

Check out the discussions in this thread, especially the later comments about setting up an SSH tunnel. There's another post of mine here that discusses the setup in more detail, and that first link contains basic info and advice on how to set up an account with a host that provides SSH access.