Bypassing the Great Firewall of China


Xentrk

Part of the Furniture
Sweet, I have a long layover in Guangzhou Airport in China. I can personally verify that TorGuard's VPN service is able to penetrate the Great Firewall of China using the Stealth Mode option. How can I tell? I was able to access Facebook and other news sites.
 

Xentrk

Part of the Furniture
The other test I did was to try to go to snbforums.com when not using the VPN. It is blocked!



No wonder we do not get very many people from China on the forums. :)
 

RMerlin

Asuswrt-Merlin dev
Cloudflare will block various tunnel providers' IP ranges indeed, as these are often used by attackers hiding themselves, in addition to possibly some countries' IP ranges.

If you intend to be in China for an extended period of time, personally I would suggest getting a VPS, and setting up your own OpenVPN server there. I think the tls-crypt support added in OpenVPN 2.4.x can obfuscate the protocol sufficiently to bypass the GWoC, otherwise I guess you could always patch your OpenVPN builds with that stealth hack.
 

kvic

Part of the Furniture
personally I would suggest getting a VPS, and setting up your own OpenVPN server there. I think the tls-crypt support added in OpenVPN 2.4.x can obfuscate the protocol sufficiently to bypass the GWoC, otherwise I guess you could always patch your OpenVPN builds with that stealth hack.

The de facto standard is Shadowsocks. OpenVPN is a niche if still being used.
 

sfx2000

Part of the Furniture
The de facto standard is Shadowsocks. OpenVPN is a niche if still being used.

For now - and that might change... because the GFW adapts.

The GFW is a bit of a pain to work with - I have to admire what and how they're doing it - much of it is automated these days, and there's still some curation by humans in the loop. That being said - it's very fast at catching on - so there's a fair amount of AI, and it can do it in near real-time - even to the point of interrupting chats and VOIP messages (long story there). Rumor there is Tencent and Baidu are powering that effort. Combine that with Huawei and ZTE infra, and you know the hooks are in at layer 3 and below... they're doing a fair amount of Deep Packet Inspection, and they're doing it in real time.

Oddly enough - as a foreigner going in to places like Xian, Chengdu, Shanghai, Beijing, and of course the Shenzhen area - the GFW is remarkably open, until it isn't - depends on where one is headed, and the site's location.
 

sfx2000

Part of the Furniture
If you intend to be in China for an extended period of time, personally I would suggest getting a VPS, and setting up your own OpenVPN server there. I think the tls-crypt support added in OpenVPN 2.4.x can obfuscate the protocol sufficiently to bypass the GWoC, otherwise I guess you could always patch your OpenVPN builds with that stealth hack.

See above - GFW is adaptive, it's fast and near real-time these days...

If one gets thru, don't bet for a single moment that streams are being inspected...
 

kvic

Part of the Furniture
that might change... because the GFW adapts.

There is already one method to detect Shadowsocks. However, it's still prohibitively expensive to do so at real-time. That might change...just like everything else on Earth.
 

kvic

Part of the Furniture
Oddly enough - as a foreigner going in to places like Xian, Chengdu, Shanghai, Beijing, and of course the Shenzhen area - the GFW is remarkably open, until it isn't - depends on where one is headed, and the site's location.

If you're using data roaming, GFW isn't going to hurt you at all. If you switch to a local SIM (much cheaper data rate), you're just like a local from GFW perspective.

When Trump was visiting China, people were surprised he could still tweet.. (of 'cos that's supposed to be a joke)
 

sfx2000

Part of the Furniture
There is already one method to detect Shadowsocks. However, it's still prohibitively expensive to do so at real-time. That might change...just like everything else on Earth.

And you're going against a motivated national infrastructure that is bigger than the US?

That's the GFW - Good luck!
 

sfx2000

Part of the Furniture
If you're using data roaming, GFW isn't going to hurt you at all. If you switch to a local SIM (much cheaper data rate), you're just like a local from GFW perspective.

On 4G - CN Mobile/Unicom/Telecom - even roaming, the GFW can trigger, but generally not - the big issue there is if one is having comms with folks that don't.

When Trump was visiting China, people were surprised he could still tweet.. (of 'cos that's supposed to be a joke)

Well - might be in CN's best interest to let Trump be Trump and that resolves that thing in an international context.
 

kvic

Part of the Furniture
On 4G - CN Mobile/Unicom/Telecom - even roaming, the GFW can trigger, but generally not - the big issue there is if one is having comms with folks that don't.

That's true and I've also seen it myself. It's due to e.g. China Mobile sometimes erroneously directing roaming users to a gateway for locals. You're surprisingly observant on this. Send a report to Zuckerberg's buddy for a bug bounty...
 

sfx2000

Part of the Furniture
That's true and I've also seen it myself. It's due to e.g. China Mobile sometimes erroneously directing roaming users to a gateway for locals. You're surprisingly observant on this. Send a report to Zuckerberg's buddy for a bug bounty...

Is what it is - and doing business on the mainland one must be mindful of things.

It is a very interesting place - outside of politics, many smart folks trying to do cool stuff...
 

RMerlin

Asuswrt-Merlin dev
See above - GFW is adaptive, it's fast and near real-time these days...

If one gets thru, don't bet for a single moment that streams are being inspected...

What helps OpenVPN 2.4 is that tls-crypt will also encrypt the control packets, making the protocol less "obvious" to DPI analysis. Can't tell if it's still foolproof (it did work pretty well when it came out last year), but it's definitely better obfuscated than old OpenVPN (even with that silly XOR patch).

I know that China also tunes things up and down during certain events, so it's indeed highly dynamic in nature.
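
What tls-crypt changes on the wire, as an added example that is not part of the original post or of OpenVPN's code: a small Python dissector showing that the TLS handshake record inside a control packet is readable without tls-crypt and hidden with it, while the opcode byte and session ID stay in the clear either way. The sample packets are constructed; the HMAC tag and ciphertext are stand-in bytes, and the function names are hypothetical.

```python
import struct

# OpenVPN opcodes: high 5 bits of the first byte; the low 3 bits are the key ID.
OPCODES = {4: "P_CONTROL_V1", 5: "P_ACK_V1", 6: "P_DATA_V1",
           7: "P_CONTROL_HARD_RESET_CLIENT_V2",
           8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2"}
DATA_OPCODES = {6, 9}

def parse_cleartext_header(pkt):
    """Decode the fields that are never encrypted: opcode, key ID, session ID."""
    if not pkt or (pkt[0] >> 3) not in OPCODES:
        return None
    opcode = pkt[0] >> 3
    header = {"opcode": OPCODES[opcode], "key_id": pkt[0] & 0x07,
              "session_id": None}
    if opcode not in DATA_OPCODES:          # control packets carry a session ID
        if len(pkt) < 9:
            return None
        header["session_id"] = pkt[1:9].hex()
    return header

def find_tls_record(pkt):
    """Offset of a cleartext TLS handshake record in an unwrapped P_CONTROL_V1
    packet (no tls-auth / tls-crypt), or None if none is visible."""
    hdr = parse_cleartext_header(pkt)
    if hdr is None or hdr["opcode"] != "P_CONTROL_V1" or len(pkt) < 10:
        return None
    n_acks = pkt[9]                         # ACK array length
    # ACK IDs (4 bytes each), remote session ID if any ACKs, then packet ID.
    off = 10 + 4 * n_acks + (8 if n_acks else 0) + 4
    rec = pkt[off:off + 3]
    if len(rec) == 3 and rec[0] == 0x16 and rec[1] == 0x03:
        return off                          # TLS handshake content type + version
    return None

# --- Constructed sample packets (not captured traffic) ---
SID = bytes.fromhex("0123456789abcdef")
REMOTE_SID = bytes.fromhex("fedcba9876543210")
TLS_HELLO = bytes.fromhex("16030100c8010000c4")   # start of a ClientHello record
P_CONTROL = bytes([4 << 3])

PLAIN_CONTROL = P_CONTROL + SID + b"\x00" + struct.pack(">I", 1) + TLS_HELLO
PLAIN_CONTROL_ACKED = (P_CONTROL + SID + b"\x01" + struct.pack(">I", 0)
                       + REMOTE_SID + struct.pack(">I", 1) + TLS_HELLO)
# tls-crypt: header | packet ID | timestamp | 32-byte HMAC tag | ciphertext
TLS_CRYPT_CONTROL = (P_CONTROL + SID + struct.pack(">II", 2, 0x5ABBE2F6)
                     + b"\xaa" * 32 + b"\x55" * (5 + len(TLS_HELLO)))

if __name__ == "__main__":
    for name in ("PLAIN_CONTROL", "PLAIN_CONTROL_ACKED", "TLS_CRYPT_CONTROL"):
        pkt = globals()[name]
        print(name, parse_cleartext_header(pkt), find_tls_record(pkt))
```
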
 

RMerlin

Asuswrt-Merlin dev
The de facto standard is Shadowsocks. OpenVPN is a niche if still being used.

At one point, China was very actively cracking down on Shadowsocks discussions. If I recall, there were even DoS attacks targeting Shadowsocks-related repos on Github back then.
 

Xentrk

Part of the Furniture
One interesting "turn-key" solution for setting up your own VPN server:

https://github.com/StreisandEffect/streisand

Never tried it personally, but it looks quite nice.

I tried Streisand. I used RasPi 3 to stage it. I did have some issues with the setup. Via a web search, I was able to overcome them. I think I was missing a package. But since the VPN server was on an Amazon data farm, Netflix and Hulu still blocked me.
 

chncar

Occasional Visitor
The other test I did was to try to go to snbforums.com when not using the VPN. It is blocked!


No wonder we do not get very many people from China on the forums. :)

I have to clarify that GFW doesn't block this forum so far. The Chinese in the picture is saying "One more step, you can visit snbforums by entering the verification code below."

However, GFW does block some advertisements, since I can see the slogan "Pls help this forum, don't blacklist advertisements." I guess the reason for the block is that some advertisements are provided by Google? GFW hates Google.
 

sfx2000

Part of the Furniture
I tried Streisand. I used RasPi 3 to stage it. I did have some issues with the setup. Via a web search, I was able to overcome them. I think I was missing a package. But since the VPN server was on an Amazon data farm, Netflix and Hulu still blocked me.

Not sure if you're discussing things behind the GFW, or just basic issues getting your setup working....

It's been a couple of months since I was on the mainland, and shadowsocks was still generally working, but it's interesting that certain keywords will get blocked (I won't post them here, as that would block folks back behind the GFW).

What's more scary is that CN based Apps - let's say "WeChat" which is one of the most popular IM apps on the mainland, they're getting smarter about things - even to the point of decoding voice messages in near real-time can get blocked with a note to the user about restricted content, similar to images...

From the outside - going into the mainland is a bit scary, and really forces one to self-censor these days to avoid getting attention.
 

sfx2000

Part of the Furniture
The easiest way is to move to Canada, this town needs people, It is the village for Muslims and Chinese.

Let's try to keep politics out of things, rather focus on challenges and solutions - there's a fair number of forum members that do have to deal with the GFW...
 