
Is the Great Firewall getting taller?


sthubbar


Is it just me or does the Great Firewall seem to be getting harder and harder to manage?

5 years ago it was pretty straightforward to use a service like Witopia to go directly through and continue with whatever was required.

Gradually, I have noticed the following maddening trends.

- DNS redirects increasing, even for things like trying to download 7-zip from Download.com. Filehippo.com not accessible, American express account page not accessible

- VPN performance impact until practically shutdown. Even if I'm able to start a VPN, as soon as I try using the VPN, the round-trip times rapidly increase from about 250ms to 1500ms, then 3000+ms, and packet loss quickly jumps to 20+% until packet loss is 90%. As soon as the VPN is shut down, things go back to normal.

I have experience with Witopia, StrongVPN, and freegate and they all have these issues. I also experience this from my home and office in Beijing and home and office in Shenyang.

Is it just me or is this getting harder and harder to deal with?


Looks like his website (in the signature) is hosted with bluehost, who already provide SSH shell access.

All he'll need to do is download putty (on windows) or fire up terminal (OSX/Linux), and he should be able to verify if it works in a couple of minutes.


gato and imron,

Thanks for the great idea. I did set up an SSH account with Bluehost.com then configured the setup as follows:

1) Putty port forward 443 to VPN provider server:443

2) OpenVPN local config set to remote localhost 443

3) It works.

Unfortunately, the behavior is almost the same, as soon as traffic goes through this tunnel, round trip time and packet loss both increase dramatically.

I doubt the encrypted traffic is getting decrypted, especially with AES 256 bit encapsulated inside SSH, I doubt there is enough computing power worldwide to real-time decrypt that.

I assume they just throttle any traffic they can't read.

Do you have a different way to set it up, or other ideas?

Edit:

I added some more to the setup and it seems to be working better.

4) Add a "Dynamic" port forward to set up a SOCKS server listening on port 12345

5) Configure web browser to use SOCKS on localhost:12345

This setup allows all traffic, not just SOCKS aware traffic to flow through the SSH tunnel, and also helps reduce/eliminate DNS poisoning that happens with only a SOCKS proxy. Routing the web traffic directly through the SOCKS proxy instead of through the VPN seems to reduce the throttling.

Thanks again for the suggestion.


I usually use either VPN or SSH Tunneling, not both at the same time. Can you try that?

Do try the Bitvise Tunnelier software for tunneling, as it makes it easier to set up port forwarding.

With the packet loss, is it just slow, or unusable?


A year ago in Hangzhou I was using Witopia VPN and it always worked great. I'm surprised you're having so many problems. Is it dependent on your location in China? I plan to return to Hangzhou in 2012 and sure hope it still does the trick. Is anyone having problems with Witopia in Hangzhou / Shanghai?


imron,

Thanks for the detailed walk through.

I add OpenVPN to the mix because I still like the warm and fuzzy feeling I get from being able to ping servers around the world. :)

There are also programs that don't support a Socks proxy.

The increase in RTT is not because of what you describe. Yes, I agree without the tunneling the RTT might be 200 - 250 ms and then starting the tunneling it might be 300 - 350 ms. What I am talking about is shooting up to 1500 - 4500 ms RTT.

Your Firefox plugin is nice, though what about websites that work best with IE? I would still be subject to DNS poisoning without the use of the additional OpenVPN tunnel.

Like gato said, it almost takes being a network engineer to manage all this. :) Another brick in the wall.


I would still be subject to DNS poisoning without the use of the additional OpenVPN tunnel.
In IE maybe, but not in Firefox if you set the DNS requests to go through the proxy too like I mentioned in the last step above.

For other programs, I'm sure there is software out there that will allow you to route DNS requests via a port on your local machine. I'm guessing the current GFW is playing funny buggers when it sees VPN connections, so if you can avoid that altogether you'll be better off.

what about websites that work best with IE?

Do these still exist outside of China? Most web developers I know hate IE with a passion, and avoid it like the plague.

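The five steps sthubbar lists above, together with imron's point about sending DNS lookups through the proxy, as one added example that is not code from the thread: the same PuTTY + OpenVPN + SOCKS setup expressed for OpenSSH on OSX/Linux, with placeholder host names, a generated Firefox prefs file, and a curl check that the name lookup really happens on the far side of the tunnel.

```shell
#!/bin/sh
# Added example, not code from the thread: the PuTTY + OpenVPN + SOCKS setup
# sthubbar describes, written for OpenSSH. Every host name is a placeholder.
set -eu

# Steps 1 and 4: one ssh session carrying a local forward (127.0.0.1:443 ->
# VPN server:443, which OpenVPN then dials) and a dynamic forward (-D) that
# exposes a SOCKS5 listener on 127.0.0.1:12345 for the browser.
build_ssh_cmd() {
  user=$1 host=$2 vpn_host=$3 vpn_port=$4 socks_port=$5
  # -N: forwards only, no remote shell. ExitOnForwardFailure makes ssh quit
  # if a listener cannot be opened instead of leaving apps to go direct.
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s -D 127.0.0.1:%s %s@%s' \
    "$vpn_port" "$vpn_host" "$vpn_port" "$socks_port" "$user" "$host"
}

# Step 2: the OpenVPN client 'remote' directive aimed at the forwarded port.
build_openvpn_remote() {
  printf 'remote 127.0.0.1 %s tcp-client' "$1"
}

# Step 5 plus imron's DNS point: Firefox prefs that send both page requests
# and name lookups through the SOCKS proxy (socks_remote_dns), so the local
# resolver, the part that gets poisoned, is never consulted for proxied sites.
firefox_user_js() {
  cat <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", $1);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Live check once the tunnel is up: --socks5-hostname hands the host name to
# the proxy (remote DNS); plain --socks5 would resolve it locally first.
check_remote_dns() {
  curl -sS --max-time 15 --socks5-hostname "127.0.0.1:$1" \
    -o /dev/null -w '%{http_code}' "$2"
}

# Usage: sh tunnel.sh <ssh_user> <ssh_host> <vpn_host>
if [ "$#" -eq 3 ]; then
  build_ssh_cmd "$1" "$2" "$3" 443 12345; echo
  build_openvpn_remote 443; echo
  firefox_user_js 12345
fi
```

PuTTY's Tunnels page maps one-to-one onto these flags: a "Local" forward is -L and a "Dynamic" forward is -D.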

Witopia at least lets you choose from servers around the world - not sure if they have an Australian one, but it's worth checking. I've got mine set up so I can choose between Hong Kong (where I am) and the US and UK.

Actually, I can check - last time I installed they had one, in Sydney. However, if the admin folk at the sites you want to use notice that particular IP address is a proxy they may block it - I had to go through a couple of US options before I found one that would work with Hulu.


Despite the initial enthusiasm, the SSH solution does not seem to work as well as hoped.

The performance of an SSH tunnel does seem to be better, with fewer dropped packets and better RTT.

Unfortunately with computers there are often these corner cases that defy explanation.

When trying to register for the American Express 1 million points give away on Facebook at:

https://apps.facebook.com/amexmillionpoints/contests/129287/entries/new

When trying through the SSH tunnel + StrongVPN solution the page just won't render.

It is only when I go straight through StrongVPN that the page will render. And the packet loss and increased RTT are also still present. :(

Weird.


First, gato thanks for suggesting the SSH tunnel and imron for the detailed walk through. The SSH tunnel does work wonderfully, especially with Firefox and proxying the DNS.

To answer gato's question about why I was using SSH and OpenVPN at the same time...

At work there is a corporate proxy. I like to be able to ping remote hosts and do things like nmap, telnet to specific ports and other stuff that just doesn't work so well through proxies. Also, company intranet pages are difficult to reach if there is any remote proxy enabled or if DNS does not get resolved locally.

To allow me to seamlessly do "work" as well as have full internet access, I have Firefox configured to use the company proxy server and IE to either use no proxy server, therefore going directly through OpenVPN, or with the new solution, to use the SSH VPN. I then use IE tab to seamlessly access all resources and also still be able to ping/nmap.

From home, there is less of a need for the OpenVPN on top of SSH because there is no secondary proxy controlling general internet access.

You asked. :blink:


How fine-grained is the access control you have with OpenVPN (I've never used it so I'm not sure of its features)? For instance, can you tell it which programs use the VPN and which ones exist outside it? If so, just fire up putty outside the VPN, then using the multiproxy plugin for firefox, set up one proxy to use the corporate network, one to use the plain SSH tunnel with putty, and one to just use the default network.

Then, at the flick of a switch you can go from the corporate proxy to your plain SSH proxy with remote DNS lookups and back, and then use OpenVPN for all your pinging, nmapping and telnetting needs.

Alternatively, get yourself a VPS, then you'll not only have SSH access, but you'll also be able to install whatever software you like on it (like nmap), and/or open up whatever ports you like for random telnetting.

I like to be able to ping remote hosts and do things like nmap, telnet to specific ports and other stuff...

Out of curiosity, is there a specific reason for this?


imron,

Another reason to keep using OpenVPN is that I can't seem to get Outlook to access my IMAP email accounts except through an OpenVPN connection. I tried doing port tunneling through the SSH connection and it just wouldn't connect.
