VPN advice needed (May 2014)

[akclau]

Free trial at senvpn.com.  Try before you buy is better than reading those long reviews.

[Manuel]

All these 'big-name' companies that spend a lot on marketing are rubbish: expensive, slow and unreliable. The more publicity the more likely the service is to be blocked. Recently I bought an SSH connection to a server in Singapore through some dude on Taobao, works like a charm. Now I can watch Youtube videos without interruption. It costs about the equivalent of €1/month, and there is no subscription or contract nonsense. Customer support is actually very good too, if you have any problems you can contact the seller and he fixes the problem himself directly at once, no need to send boring support request emails or chat on a crappy web-based instant-messaging app that puts you on a queue for 5 minutes before you can get through, and that doesn't even allow you to send screenshots so you can explain to them what your set-up looks like.

 

I chose SSH as it's very convenient to use with a proxy switcher in Firefox, but other connection types are also available. Definitely worth checking, just search for "proxy" on Taobao.

[Razumihin]

Manuel, that sounds really good. However, I'm currently not in China yet I'd like to have my PC ready before going there. Also, never bought anything from Taobao and I have no idea how to do it.

Still, that SSH tunneling sounds good. Has anyone else done it and are there any guides how to do it (never done anything like that either, but I'm willing to try)?

I still haven't bought VPN, but I guess I need to do it soon. Is it possible to use some VPN's to make your connection to go through specific country, for example USA in order to use American web services etc.

[imron]

Has anyone else done it and are there any guides how to do it

See the link in my previous post.  I was about to say I've been using it for years without any problems, however I've just realised I can now say a decade.

[ChTTay]

Is there an issue with privacy using a service run by "some guy on taobao"?

I mean, with most companies big or small, they at least have privacy policies spelled out on their sites. Also, if they log any data, they usually end up being called out for doing it on various sites and lose customers.

[Manuel]

I am not sure all big companies have strong privacy policies. If you are very concerned about privacy you will need to dig a lot deeper than just subscribing to a VPN.

 

There are simple things you can do though, e.g. if you want to email sensitive documents or media you could encrypt it yourself using TrueCrypt and attache the encrypted files, then tell the receiving party the password by other means e.g. telephone, fax, an email sent from another account, etc. It is also possible to send encrypted text over a heavily-monitored chat program such as Tencent QQ and be completely safe. Of course it's not as convenient as sending human-readable text directly but that's one of the drawbacks of encryption. Using encryption they'll know you are sending "something", but they wont' know what it is, which should be good enough.

 

When you were back in your home country, how did you access the Internet? Did you worry about privacy? If you use a VPN the situation will be similar (as long as your service provider does not work for the government): you'll have the same non-existent privacy but at least you'll be able to access useful web content that's otherwise blocked in China.

[imron]

If they wanted, they'll be able to see all your unencrypted (e.g. non httpS://) traffic because it's going through their servers and they'll also be able to see domains that you access.  This is no better or worse than any other ISP you use.

 

It's unlikely they are going to care about you though.  That being said, if it's an issue, Digital Ocean mentioned above has a datacenter in Singapore, and the cost is still relatively cheap ($5 a month), though technically, it's also possible for the DO guys to access that stuff anyway if they wanted.

[Manuel]

Today I wasted a substantial amount of time trying to get my SSH connection to work with Internet Explorer, which is achieved by redirecting all connections to a local SOCKS proxy which in turn connects to the SSH server. The SSH server, which is located outside China, is then able to access Youtube etc. But Internet Explorer does not support SOCKS at all, even though it gives the user the option to specify a SOCKS proxy, for decorative purposes I guess?. Apparently earlier versions of IE did support SOCKS, it seems big companies are very good at breaking stuff that ain't broke. Once again, Microsoft had to go and vista it...

 

 

PS: I just thougth I'd post this here to save everyone else going too deep down the rabbit hole LOL.

[Manuel]

The system proxy settings don't work in Chrome either but you can launch Chrome like this, which works:

chrome.exe --proxy-server="socks5://127.0.0.1:8580

[imron]

The problem is likely that web requests are done via proxy, but DNS requests are done through normal channels and china also does DNS blocking.

In Firefox there is a configuration setting to do DNS requests through the proxy also which had to be enabled for things to work correctly.

[Manuel]

I think that's correct, Imron. Based on my previous testing, when DNS requests don't go through the proxy I am unable to access blocked sites. In Firefox, if I disable the relevant option, Firefox will try to connect to the blocked site for a while until it times out, typically several seconds. But IE directly displays an error page as soon as I click the Go button, which means it's not even trying. I once used an SSH-to-HTTP utility which did the trick though it seemed like one step too many so I ditched it (plus FF is my browser of choice).

 

Do you know if there's a way to get all connections to go through the proxy?

 

Since you mentoined SSH I have a new religion, it's just so much easier to set up than any VPN I've used and a lot cheaper if you purchase the subscription from Taobao. I've recommended it to several friends here and they all seem very happy, although they were a bit baffled by the setup process, so I made a simple front end for plink.exe (part of PuTTY) to present only the important settings in a user-friendly interface. When you buy your subscription from Taobao, the seller will give you the data you need to enter into the first four input boxes, the last box can be any valid port number and is set to 8580 by default which is the same port used by FreeGate. If anyone's interested...

 

[imron]

Do you know if there's a way to get all connections to go through the proxy?

 

Do you mean all connections on the machine including non HTTP traffic and traffic from programs that are not browsers?  I don't think you can do that easily on Windows, which is one of the big advantages of a VPN instead of SSH.

 

Personally I've never had a need for it so I've never looked in to it too deeply.  I've always just used Firefox configured to route DNS requests through the proxy.

[Manuel]

Yes, I mean all connections. On my Android device I have an app called SSHTunnel that provides an option to set the "global proxy". I'd like to have something like a big button to temporarily tunnel everything. For example, the Google Chrome web installer (which is the official installation method) fails to download the installation files, so I am forced to manually look for an "offline" installer. Dropbox doesn't work either but luckily it supports SOCKS.

[Triling]

How do these SSH things work?

 

I have PureVPN and ExpressVPN but they are all slow as <Admin Edit: please mind your language>

[Manuel]

It's actually quite easy and very reliable once you get it working, here's how.

 

1) Download MyEnTunnel

 

2) Buy an SSH proxy subscription from Taobao. Some are faster than others, for example I find servers based near China, e.g. Singapore or Hong Kong, are faster than those based in, say, the US. The seller knows this and will charge a little more but it's worth the extra money in my opinion.

 

3) The seller will then give you four pieces of information, which you need to enter into MyEnTunnel, as shown below. The SOCKS port number, shown in green, can be any number in the range 1-65535 and it can be chosen at random as long as you use the exact same number in your web browser proxy settings (see step 5).

 

 

4) In MyEnTunnel, click "Connect" and the go to then "Status" tab. When the log says "Connection is stable" it means you've successfully connected to the SSH server.

 

 

5) Now all you have to do is configure your web browser to use the proxy. Here's how you do it in Firefox v32.0 which I am currently using. Go Tools menu > Options > Advanced > Network > Settings... and then configure as shown below. Here you can see, shown in green, the SOCKS port number matches the number we chose at step 3 above.

 

 

Now you should be able to connect to Youtube etc

 

Note 1: The above procedure may be slightly different for other web browsers e.g. in Chrome you need to use command-line options in order to get it to use the proxy.

Note 2: There are add-ons, also called extensions, for Firefox such as FoxyProxy or SwitchProxyTool which offer the ability to set up multiple proxy settings and choose the one you want, or turn them on/off with a single click or using using a drop down menu. This is extremely convenient because you don't always want to use the proxy, for example if you are connecting to a Chinese website. I use FoxyProxy Standard and it works extremely well. You can set up rules so that the proxy is bypassed for some connections (e.g. baidu.com, taobao.com) and not others (e.g. youtube.com, facebook.com). My suggestion is: follow the above instructions first and get the proxy working without any add-ons. Once you are up and running, start looking into FoxyProxy.

[Triling]

What is the advantage of setting up VPN vs. SSH?

It seems like all the recommendations are VPN so I'm just wondering why nobody recommended SSH if it's superior.

[imron]

I'm just wondering why nobody recommended SSH if it's superior.

I've been recommending it for years in almost every forum thread where it comes up.  It's more involved to set up compared to a VPN and doesn't give as much flexibility (you have to manually configure each program individually to use your SSH tunnel rather than a VPN which automatically deals with all internet traffic on your computer), but it's been a consistently reliable way to beat the firewall for at least the decade or so I've been using it.

[Manuel]

Commercial VPN services stand out like a sore thumb because they invest very heavily in marketing, therefore censors quickly become aware of their existence and eventually impose restrictions. That's why a lot of "big name" commercial VPN service providers such as Astrill, which used to work great a year or so ago, become unreliable after they get big. They have to keep finding smarter ways to bypass the Great Firewall.

 

By contrast, the little guy on Taobao has a modest user base and virtually zero visibility because most of his customers are earned by chance or by friend recommendations. He's probably does not even want to get big as he might get into trouble, being a Chinese citizen. His servers are very unlikely to be even investigated and effortlessly slip under the radar.

 

The reason why all the recommendations are for VPNs is because VPN providers go great lengths to gain visibility, therefore when you do your search on Google that's the first thing that comes up and that's what the average Joe will end up buying. Heck even I bought it.

 

Here is my summary of cons & pros of using an SSH connection:

 

Pros:

• Biggest advantage for me is this: most VPNs will tunnel all traffic, which makes browsing Chinese websites slow or impossible (some are not accessible from abroad). With an SSH connection and something like FoxyProxy you get to choose which websites get tunnelled and which don't; you can do this manually or set up very sophisticated rules to make it all automatic.
• You don't need to install anything or mess with your computer's network settings. MyEnTunnel, which I recommended above, is portable and will run off a USB pen drive.
• Up to 10 times cheaper than most VPNs.
• More reliable than most commercial VPNs based on my experience.
• As fast or faster than most commercial VPNs, again based on my experience. On occasion I can watch HD youtube videos without interruption.
• You can conveniently purchase the service on Taobao, no contract nonsense, so you can switch to another provider at any time at practically no loss.
• Unless the provider imposes restrictions, you can connect multiple clients simultaneously at no additional cost, which most commercial VPNs usually charge extra for. Right now I have two PCs and my Android device going through the proxy simultaneously without issue.
• Customer support is really good because the seller tends to be the server administrator himself, so any tech problems get fixed fast.

Cons:

• A bit trickier to set up, (just follow the mini tutorial posted earlier) but you only need to do that once, and after that it works great.
• You've got to set it up for each app individually (although I suspect there's a way to set it up for all apps globally, it's just that I've not had time to look into it, but it is possible on my Android device).

[gato]

A big downside for SSH tunneling is that you can't use it on the iOS, and if usable on Android, then at least hard to set up.

Given that most people go online through smartphones and tablet nowadays, VPN has a big advantage there.

[Manuel]

I beg to differ. It was easier to set up on my Android phone than on my PC. Just install SSHTunnel v2.0.3 BETA, run it, fill in the connection values/credentials given to you by the service provider, tap the Enable SSH Tunnel checkbox and you are away. Furthermore, there is a "Global Proxy" options which, when enabled, will tunnel all traffic through the proxy so you won't have to configure each app individually. The second time all you just need one tap to open the app and another one to connect. Surely there's an app for iPhone out there?

 

By the way, I don't think VPNs are intrinsically easier to set up, it's just that service providers make it easy for you by supplying an app sugar-coated in marketing hype