DIY VPN?

[mungouk]

OK I know this has come up before, but in terms of the GFW and tech stuff generally, things change pretty quickly.

 

I've been wondering for a while if it's worth setting up my own private VPN server in my mum's house back in the UK.  The cat-and-mouse thing with my normal provider has become a pain in the neck recently (especially when all you want to do is benign stuff like read wikipedia and watch youtube).

 

I presume there are fairly simple ways of doing this with something like a Raspberry Pi?  Maybe even some off-the-shelf boot images?

 

Does anyone have recommendations?  I will be home over the Christmas holiday so this would be a good opportunity to get something set up.

 

 

[889]

I believe it's not just a question of having a server that's not on a black list but also disguising the traffic itself in such a way that it's not marked out as headed to a VPN. China's put some effort into technical ways of identifying VPN traffic: blocking certain servers is just one tool.

[mungouk]

Hmm... 

I suspect they're not simply blocking IP addresses since I've been able to ping ones I've tested.

Presumably modern VPN protocols hide their port numbers, or at last masquerade as port 80 to look like normal website requests.

So they're doing deep packet inspection with their supercomputers or what?

 

Paging @imron ?

 

 

 

[889]

Obviously they're not telling how they do the blocking.

 

And obviously too the people that make a business of figuring out how to get around the blocking aren't talking, either.

[mungouk]

Well, fair point. 

There must be white-hat hackers out there who have some idea, though.

 

And yes, I suppose it's also obvious that they could just switch EVERYTHING off if they wanted to, given that these things come and go. 

 

[jannesan]

I am planning to try this the next time I am in China. I was thinking to try different setups, using both OpenVPN and wireguard.

I have the OpenVPN up on AWS right now, would be interested to see it works for you.

Probably it's better to self-host and use wireguard instead of OpenVPN as it is less used by VPN providers, but that's just a theory.

 

@mungouk Pm me if you're up for trying it out.

[vellocet]

I remember several rounds of blocking ago, people with their own VPNs reported they got blocked, despite being the only person using the server.  So they're doing deep packet inspection and can spot packets that aren't disguised.  That's one reason you go with a commercial provider, they have to stay one step ahead.  

[imron]

4 hours ago, mungouk said:

So they're doing deep packet inspection with their supercomputers or what?

Yup.  I remember reading something somewhere a while back that they do DPI with machine learning and a bunch of other things too.

 

I haven't visited mainland China for a number of years so don't know how well a roll your own solution works.  Previously I just used an SOCKS5 proxy over SSH (on a custom port) and modified the config options in firefox to send DNS requests via the proxy also.  Don't know how well that still works these days, but it's trivial to try if you have ssh access to a box outside of China.

[DavyJonesLocker]

12 hours ago, mungouk said:

(especially when all you want to do is benign stuff like read wikipedia and watch youtube).

 

You would wonder what they are afraid of especially with websites  like wikipedia, dumb ones like  YouTube(it's so politically correct anyway)

Foreigners in China are not going to be persuaded by propaganda, and the amount of Chinese that will actually have the reading ability and inclination to start browsing overseas websites (predominately in English) is a tiny percentage of the population. In fact every Chinese person I know who has a great command of English never bothers checking overseas websites.

 

Access to illegal online material such as drug's, promoting criminal activity, pornographic 

 

[mungouk]

7 hours ago, DavyJonesLocker said:

dumb ones like  YouTube

 

Well, for me it's a good source of UK comedy shows (when I can't get iPlayer to work), nature documentaries, video podcasts, occasional lectures and of course lots of Chinese learning videos.

 

 

[jannesan]

Anyone else who lives in China and could help me test out two VPN setups I have running right now?

One uses OpenVPN and requires you to download either Tunnelblick[0] (MacOS) or OpenVPN Connect client[1] (Windows),

the either one uses Wireguard and you need the Wireguard client[2] for that one.

 

The OpenVPN client and Wireguard are also available on mobile platforms.

 

[0] https://tunnelblick.net/downloads.html

[1] https://openvpn.net/client-connect-vpn-for-windows/

[2] https://www.wireguard.com/install/

[feihong]

On 12/5/2019 at 2:52 PM, imron said:

I haven't visited mainland China for a number of years so don't know how well a roll your own solution works.  Previously I just used an SOCKS5 proxy over SSH (on a custom port) and modified the config options in firefox to send DNS requests via the proxy also.  Don't know how well that still works these days, but it's trivial to try if you have ssh access to a box outside of China.

This approach worked great for a good while but has been totally ineffective for the past few years. I haven’t tried it lately, but not much reason to suspect they would suddenly start allowing this again.