Chinese-forums.com
roddy

Internet Blocks, the Great Firewall and VPNs

Poll: How are you getting round Internet blocks in China?

60 members have voted

    • I just give up and read the China Daily: 20
    • Free web proxy like Anonymouse: 20
    • Paid web proxy like Proxify: 2
    • A browser plug in like Gladder: 12
    • I installed a bit of software, like Tor: 21
    • Something else which I will detail below . . .: 3
    • Port forwarding over SSH to a remote proxy, like Imron: 10
    • VPN, like Witopia: 53



roddy

Man, I really should get me some of that juicy VPN affiliate income...


mungouk
2 hours ago, roddy said:

Man, I really should get me some of that juicy VPN affiliate income...

 

Hmmm. I've been using ibVPN and flogging affiliate links for coming up to 9 years now, which has "earned" me USD 22.40.  Or it would if it got above the USD 50 threshold which would mean they actually paid me anything.  #TheoryVsPractice 

banjo67xxx

Damn. The Great Firewall guys are getting cleverer.

 

On Monday, they noticed I was sending encrypted traffic over port 1701 pptp and blocked my European computers for 4 days.

 

So, my next plan is to use port 443 and set the router to dial-on-demand so that the traffic looks like HTTPS. However, does anyone know if they use deep packet inspection traffic profiling to recognise the difference between OpenVPN and HTTPS on the same port?

 

I've found that sslh allows me to share OpenVPN and HTTPS on the same port, but I haven't seen a solution yet for how to run SSTP and HTTPS on the same port. SSTP would have a packet profile more like HTTPS so would make it more difficult to detect. Does anyone have a solution for sharing SSTP and HTTPS on port 443?

imron
8 hours ago, banjo67xxx said:

does anyone know if they use deep packet inspection traffic profiling

Yes they do, and have done for years.  I don't know how it will affect openvpn vs https on the same port though, so the only way is to try it and see.

 

Honestly though, for the amount of time and hassle it takes to sort out something like this by yourself (and continually keep it up to date), you're probably better off just paying for a VPN that'll work in China (assuming you value your time).   They likely have full time engineers working on problems like this and fixing/working around issues as they come up.

banjo67xxx

Interesting that you say they've been traffic profiling for years. They can't be very good at it, as I've been using port 1701 with a permanently active link and weak encryption for about 8yrs, and they only noticed it on Monday. 

 

Anyway I have found a solution using Pound as an SSL load balancer instead of sslh. It can direct traffic based on SSL certificate. So the profile will be indistinguishable from HTTPS. Only I know the certificate so I can still reroute SSTP. 

 

It's no big deal for me to adapt my private network, as it's another Linux technology I can add to my CV. 

imron
3 hours ago, banjo67xxx said:

They can't be very good at it,

I think it's rather that they're pretty lenient about it if only a handful of people (and mostly foreigners at that) are doing it, and then they slowly tighten the screws.

 

3 hours ago, banjo67xxx said:

as it's another Linux technology I can add to my CV. 

Fair enough, as long as it's adding value in a field related to your career, then file it under gaining skills and qualifications.  At some point you might find the balance tips.  I was happy using ssh tunnelling for years when all it involved was ssh'ing in to a box outside the firewall.  It's since reached a point where I think it's far better time/cost tradeoff just to pay for a VPN - but then I'm not living in China any more so my priorities are slightly different in that I want something that will work as soon as I arrive and that I don't have to spend any time getting it working.

 

I was using http tunnelling over ssh since 2004 and it always worked perfectly.  Then on a visit towards the end of 2014 I noticed that the ssh tunnel would drop out more regularly than it used to - especially if downloading larger files.  It still wasn't a major issue.  On my most recent trip to China in 2016 the disconnections were far more frequent and I ended up just using a VPN.  I don't know what it's like now tunnelling web traffic over ssh but I don't expect they've gotten more lenient about it.

 

Back to the topic of Deep Packet Inspection, here's a paper describing some of the details of what they use DPI for, and here's an article I came across while searching for that paper that describes ways to circumvent DPI that might help you set something up.

 

 

mungouk

My first experiences here of using VPNs from inside PRC... can anyone point me to an up to date description of how the blocking works?  For example does your connection get shut down for a period of time if you access anything banned?  (I think I may have read this somewhere.)

 

So far on this trip I've been successfully using ibVPN on my ageing Android phone, since I've been using that provider for years and they've generally been pretty good.  

 

Just before I left home I also subscribed to ExpressVPN "just in case" since everyone here seems to have good things to say.  I tried it at home and it crashed my Macbook and I had to reset the router to get online again, so I gave up on it until I arrived here in Hangzhou.

 

I've spent ages yesterday and today trying to get my laptop online.  Over the last 10 days in Shanghai, Suzhou and Nanjing hotels I had always been able to connect to some server or other using ibVPN, but here in Hangzhou I'd had nothing. 

 

(My phone is still working great though — in fact it's still connected to the same VPN server this morning as I was using yesterday, while I was out and about. FWIW I have a pre-paid/PAYG Singaporean SIM card — Singtel — for which I bought a 1GB roaming package before leaving home.)

 

Out of desperation this morning I just connected my macbook to the wired ethernet connection in the hotel room, rebooted, tried ExpressVPN and it connected to the first server it tried immediately.

 

Which makes me wonder... has my WiFi MAC address been added to a blacklist somewhere?  (Since my wired ethernet adapter has a different MAC address.)  If so, how long does this last?

 

Thanks!

 

 

imron
1 hour ago, mungouk said:

can anyone point me to an up to date description of how the blocking works? 

That's probably a state secret :mrgreen:

banjo67xxx

There are several methods used. Fake DNS replies. Fake DNS injection to replies from foreign DNS servers. IP address blocking of banned sites. Keyword inspection of unencrypted traffic. Recently they've started blocking IP addresses that receive known VPN protocols. 

 

Your MAC address is irrelevant as that is never transmitted beyond the hotel network. I have noticed many hotels, bars, cafes even in Europe block VPN. No idea why bars would but I can understand hotels don't want you to make cheap VOIP phone calls. 

 

PS: I believe Express VPN has the option to use obfsproxy to make your VPN traffic look like Web browsing. 

mungouk
2 hours ago, banjo67xxx said:

Your MAC address is irrelevant as that is never transmitted beyond the hotel network.

 

Unless the hotel itself was doing the blacklisting?

What would be the explanation for ethernet working immediately after 100% no-go with WiFi, any ideas?  Just luck?  Not monitoring the wired connections in the same way?

 

2 hours ago, banjo67xxx said:

I believe Express VPN has the option to use obfsproxy to make your VPN traffic look like Web browsing

 

I don't know about that, I've only been using it for a day.  Looking at the diagnostics earlier I noticed it was cycling through OpenVPN, PPTP, L2TP etc to try to establish a connection.  Right now I'm on TLS/port 443 so presumably that looks just like an HTTPS connection...

 

 

renzhe

It's most likely due to the hotel's network setup, and probably something as simple as blocking all ports except WWW and a few common services. What usually works in such cases is using port 443 for VPN like you noted. Most VPN providers support this. The Ethernet connection probably goes via a different subnet/router/firewall.

 

Hotels/bars in Europe will sometimes block VPN ports because they sell your browsing data, and VPN interferes with this.

MSG9

Hi guys!

I'm looking into VPNs to avail so that I already have one set-up before I enter the country by the last week. I'm currently looking into either NordVPN, Hotspot Shield (premium), or AstrillVPN. Most probably NordVPN, though. Do you guys have any experience with these ones? If not, do you have any other recommendations to get past the firewall? I know that some VPNs are having issues nowadays especially with the stricter imposed measures.

 

PS. Not a techy person, but I really just need the VPN for facebook from time to time to contact people back home. Having said that, I probably don't need an "insane" VPN. Anything simple and will function from time to time will do.

 

Any help/assistance would be appreciated. Thank you!

mungouk

ExpressVPN and ibVPN both worked for me at various times last month – see above. Used them both on my phone and on my laptop. 

 

ibVPN has many many more servers in countries worldwide you can connect to (which makes it appear that you’re in that country). Also has more servers in Asia which are likely to give you better speed. 

mungouk

Given how unpredictable it can be, I figured having 2 different setups was a useful strategy. Turned out that it was, in my case. If you’re paying monthly it’s not such a big outlay. 

MSG9

That's actually a great idea - one that I feel like I've never heard of before, even from people I know who stayed in China for quite lengthy periods. Will be helpful especially in emergency situations. Thank you! @mungouk

banjo67xxx

@mungouk have you noticed that Asian servers are actually quicker?

 

From looking at traceroute I see that getting between Beijing and Europe only takes 40-50ms, but going through the deep packet inspection of the Great Firewall takes about 180-200ms. So I wouldn't have thought the location of the proxy would make a significant difference. 

mungouk
1 hour ago, banjo67xxx said:

have you noticed that Asian servers are actually quicker?

 

For me it varied from time to time, but the best results I was getting 4 weeks ago were with servers in HK and Singapore.

 

As they say: your mileage may vary. 

 

 
