
VPN access being disabled in China - ajitk
http://rendezvous.blogs.nytimes.com/2012/12/23/adding-more-bricks-to-the-great-firewall-of-china/
======
austenallred
This sucks for travelers and ex-pats, but for China's future this is a very,
very, very big deal.

I lived in Shanghai last year, and Chinese Internet surveillance is unreal. I
could use Gmail chat to talk about Tiananmen Square, but as soon as I did all
of my Google apps would suddenly be unavailable. I can only assume that when I
used certain keywords my every chat was being monitored. A VPN was the only
way I could access YouTube, Twitter, Facebook, and even some Google searches.

But reality is 90% of the young population of Shanghai didn't really care what
the "great firewall" did, because EVERYONE used a VPN. I saw more people
watching YouTube in China than I do in the states, even though Chinese
versions of these platforms exist. Some platforms, like RenRen (Facebook-like
but more similar to Russia's VKontakte) were popular, but most just used the
US-built versions. Now most of them won't be able to.

This absolutely terrifies me. I was literally minutes away from being on a
bullet train from Shanghai to Beijing that killed "x" people. Chinese
authorities cite incredibly low numbers for a train traveling at 300 km/h.
Most non-state observers cited hundreds of deaths. China slowly grew its
number from 20-40.

It's illegal for foreigners to talk about the "Three Ts" with Chinese
nationals - Tibet, Taiwan, and Tiananmen Square. But previously the youth
learned through their VPNs letting them access the outside world. With that
shut down, the government might as well be burning books.

~~~
contingencies
While knowledge of VPNs is huge, their use is not as large as you posit. I
would argue instead that the real reason many young Chinese don't really care
what the "great firewall" does is that they're almost exclusively using the
domestic Chinese internet. Browsing in simplified Chinese, there's rarely a
need to access the outside internet.

~~~
austenallred
Perhaps it's not; I spent most of my time among very internationally-oriented,
business-minded English speakers, which is by no means a fair sample, but it's
not an insignificant subset, either. I'm most concerned about VPNs as the only
possible path to avoid censorship on a large scale.

------
contingencies
I used to run a relatively successful internet-oriented startup in mainland
China. Having spent most of a decade there since 2001, in fact the majority of
my adult life, I considered it home. Unfortunately, the government - who
initially wooed me to return to China with a reasonably lucrative scholarship
- keeps making shitty decisions that just make it less and less attractive to
live in. Increasing levels of internet censorship is one of them, making visas
ridiculously hard to acquire (the Chinese consulate in a neighbouring country
actually just flat out refused to even discuss issuing a tourist visa, earlier
this year) is another.

I really hope the next generation of the communist party sort their shit out.
Otherwise, China's basically going to continue breeding vast generations of
uneducated, inward looking nationalists and stifling anything remotely like
innovation that somehow manages to occur between the cracks. Foreign business
professionals and overseas Chinese will continue to view time in China as a
non-negotiable sentence of rice wine banquets, pollution, a complete vacuum in
the upper echelons of conversationalism, a constant redoubling of cigarette
smoke, spit, and bad Chinglish.

~~~
trevelyan
Out of curiosity, what was the startup?

~~~
contingencies
'Dajiudianwang' hotel reservation, ~2007-2009. We reached the same property
network size as CTrip and ELong (3300+ individual property contracts across
China), but also provided services in (non-broken) English, Japanese, Korean,
Thai and Vietnamese. We were highly automated, running a call center and
paperless, digital fax workflow on a custom diskless Linux and asterisk on an
E1 over private fibre.

I gave up on it because, despite basically winning Europe's largest travel-
industry VC event in London in 2009, I didn't find a viable source of venture
capital to expand our marketing, once the system was proven and almost break-
even on self-funded capital. Basically locals wanted to take over, and
foreigners didn't trust the Chinese legal system. I write it off as my
'Chinese MBA' now, and happily take a salary and less stress instead.

I'd be interested to pick it up again, if I found the right backers.

PS. Oh! David! Hey .. I think we corresponded once before. :)

~~~
trevelyan
Hey -- we chatted a couple of times actually -- I remember you ran into some
pretty hardcore this-is-China experiences down south that I'm glad I never
went through as well. Happy to hear you're doing well and that things have
worked out. Let me know when/if you're coming back and we can meet up for
drinks.

p.s. mostly asked the question just because I like to keep track of people
who've done various things from here. Funny to think it really is such a small
world.

------
rossjudson
Before travel to China, create a throwaway email account on a service,
possibly Yahoo. Don't touch your real email accounts while you're there, if
possible. The only time I've ever had an email account hacked is following use
in China.

~~~
theatrus2
My employer (smartly) prohibits bringing any corporate equipment into China -
including cell phones which access company email - and generally suggests not
touching the Internet (at least any of your accounts) at all.

Having been there, this is honestly very good advice.

~~~
seanmcdirmid
I heard Google does that. I work for Microsoft and am based in China, so
obviously this is not an option for me. It turns out not to be a problem in
practice; everything is encrypted well enough. The only annoying thing is
GFW-instigated DoS attacks on secure connections.

------
BrianPetro
Here is a real test for Anonymous; take down the worlds most notorious
firewall.

~~~
jimworm
The lulz does not seem like a fair reward when the adversary's not even
slightly squeamish about abducting you and your family and selling your
organs.

~~~
sea6ear
That's a pretty strong statement (not that I disagree with it), just that it's
strong enough that I'd love to see a citation for evidence of that history.

~~~
log0
Just go google for the news. One of the latest victims is the family of
Guangcheng Chen (<http://en.wikipedia.org/wiki/Chen_Guangcheng>), whose family
members got sued for protecting him (as "attacking ferociously"), etc.

And take a look at the whereabouts of human rights lawyers at the sensitive
dates.

You can't miss that.

------
jcampbell1
This is nothing new. They have added more IPs to the VPN blocklist. I have no
idea why this is news. This happens several times per year. This cat and mouse
game has been going on for years.

Every time this happens it is just a pain in the ass to find a new VPN that
isn't blocked.

If you are technical, it is best to just setup your own VPN on linode or
amazon. That way you have less problems with blocked IPs.

~~~
newhouseb
This is what they used to do, but they've gotten more sophisticated - I've
been running VPNs for China for my family on EC2 for a while. As far as I can
tell, they almost never flat out block an IP. Initially they block a DNS
hostname from resolving to a specific IP, then they start filtering out
various different ports (including the default VPN ones). You can normally
change to a random port and get OpenVPN to start working again, but it appears
in the last couple weeks they've been able to identify and block OpenVPN
activity on random ports. This happens so quickly, now, that it's pretty
futile to try to IP hop unless you can come up with a traffic pattern that is
less detectable.

~~~
Sami_Lehtinen
Well, that's exactly why I thought of this (concept only at this point).
<http://www.sami-lehtinen.net/blog/simple-protocol-obfuscator-protoobfs-concept>

------
jerguismi
Time to create Bitcoin-enabled p2p VPN market?

I have thought about the idea for some time. The marketplace operator could
take something like a 30% cut. Any private individual could sell their internet
connection to the Chinese and earn some bitcoins in the process.

There could be some rules which could stop the Chinese government from knowing
which IPs operate in the market. For example, someone could buy a certain
VPN/IP address recurringly, and others couldn't purchase that specific IP -
that way the government would have no way to know how that specific connection
is used.

And of course, bitcoin isn't a very easy or well-established payment method -
bring in the resellers/market makers from China. These could (with some easy
to use software/API) resell these VPNs to Chinese individuals.

~~~
theatrus2
Bitcoin "solves" the problem of anonymous payments, but with copyright and
other liability, never mind asymmetrical connections, would probably make this
unappealing to providers.

------
hnriot
I'm wondering how this affects corporate outsourcing. The company I work for has
a Chinese development and as center. This has to be behind the corporate
firewall, so I'm thinking we will just close that down and move to a country
that wants to be part of the future.

------
ajitk
VPN and SSH[1] have been means of evasion. But there has been anecdotal
evidence of "unstable" VPN[2] and SSH connections before.

[1] <http://en.wikipedia.org/wiki/Great_Firewall_of_China>
[2] <http://www.guardian.co.uk/technology/2011/may/13/china-cracks-down-on-vpn-use>

------
aneth4
I'm in Shanghai where I've lived off and on for 8 years. I've been using an
ec2 image with Poptop installed. The problem is the IP addresses of the major
vpns become known and blocked.

Any suggestions of software that would deploy images to various cloud services
on behalf of users? I don't think China would be able to block all of ec2 and
Rackspace, though they do sometimes seem to throttle ec2.

~~~
ryan-c
I hope you're aware that PPTP connections (including via Poptop) can be broken
easily.

<https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/>

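ryan-c's link is to the 2012 cloudcracker write-up. The following is an added example, not code from that article, from Poptop or from anywhere else on this page, showing in Go why the MS-CHAPv2 exchange PPTP relies on leaks hash material. It implements the ChallengeHash and ChallengeResponse steps as RFC 2759 describes them, then recovers the last two bytes of the NT hash from nothing but the challenge and the 24-byte response, because the third DES key is the last two hash bytes padded with five zero bytes. The NT hash, challenges and user name are constructed sample values, and the MD4 step that turns a password into the NT hash is left out because the attack never needs it.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// desKeyFrom7 spreads a 7-byte (56-bit) key over 8 bytes, 7 key bits per
// byte with the low (parity) bit left zero, as RFC 2759's DesEncrypt() does.
// Go's crypto/des ignores the parity bits.
func desKeyFrom7(k7 []byte) []byte {
	var bits uint64
	for _, b := range k7 {
		bits = bits<<8 | uint64(b)
	}
	k8 := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k8[i] = byte(bits&0x7f) << 1
		bits >>= 7
	}
	return k8
}

// desEncrypt encrypts one 8-byte block under a 7-byte key.
func desEncrypt(k7, block []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(k7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// challengeHash is RFC 2759 ChallengeHash(): the first 8 bytes of
// SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
func challengeHash(peerChallenge, authChallenge []byte, username string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(username))
	return h.Sum(nil)[:8]
}

// challengeResponse is RFC 2759 ChallengeResponse(): the 16-byte NT hash is
// zero-padded to 21 bytes and split into three 7-byte DES keys, each of which
// encrypts the same 8-byte challenge. Challenge and response both cross the
// wire in the clear.
func challengeResponse(ntHash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(padded[i*7:(i+1)*7], challenge)...)
	}
	return resp
}

// recoverLastTwoBytes brute-forces the third DES key. Only its first two bytes
// come from the NT hash; the other five are the zero padding. So 2^16 trial
// encryptions of the observed challenge recover NTHash[14:16] from a capture.
func recoverLastTwoBytes(challenge, response []byte) ([]byte, bool) {
	target := response[16:24]
	k := make([]byte, 7)
	for i := 0; i < 1<<16; i++ {
		k[0], k[1] = byte(i>>8), byte(i)
		if bytes.Equal(desEncrypt(k, challenge), target) {
			return []byte{k[0], k[1]}, true
		}
	}
	return nil, false
}

func main() {
	// Constructed sample values; not taken from any real capture.
	ntHash, _ := hex.DecodeString("1f3a9c0e7b5d246810fedcba9876a1b2")
	peer, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	auth, _ := hex.DecodeString("ffeeddccbbaa99887766554433221100")
	challenge := challengeHash(peer, auth, "user")
	response := challengeResponse(ntHash, challenge)

	// The attacker sees only challenge and response, never ntHash.
	tail, ok := recoverLastTwoBytes(challenge, response)
	fmt.Printf("recovered NTHash[14:16] = %x (ok=%v), actual = %x\n", tail, ok, ntHash[14:16])
}
```

Recovering the other 14 bytes is the article's actual point: the first two DES keys encrypt the same challenge, so a single 2^56 search over DES keys checks both outputs at once, and that search is what cloudcracker sold as a service. With the NT hash in hand an attacker can authenticate as the user and derive the MPPE session keys, so a PPTP tunnel gives no confidentiality against anyone who can capture the handshake, which on a hostile network is exactly the adversary you have.
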
~~~
aneth4
Thanks. Fortunately I don't really care if it's cracked - I only care if I can
have access to the western internet, and that works just fine.

------
stevendaniels
The thing about the great firewall... It only affects expats or visitors to
China.

Any Chinese person who wants to read the NYTimes can get access to it. Anyone
who wants to read about the "Three T's" can find a way (good luck finding
anyone). Chinese people who want to spend all day on the Facebook or the
Twitter, will.

But for the rest of the Chinese internet, the 99% of them, being disconnected
from the rest of the world's internet doesn't matter that much. They have
neither the desire nor the interest to look at blocked pages. They're happy
with the Chinese-language internet they have.

Personally, I'm starting to believe the Great Firewall is mostly there to
annoy expats like me.

------
Benares
Our startup uses a pair of Sonicwall TZ215s to establish a site-to-site tunnel
between our China branch office and our U.S. HQ.

It has been quite difficult to get the tunnel stable enough to survive for
more than a few hours. We had to use lower security settings and more uncommon
modes to fix our constant disconnections. SSL-VPN has always worked well, but
that is only an option for our remote workers; site-to-site does not offer
that option. Dell support engineers have generally been clueless on the
matter.

------
tcoppi
Does anyone know of any work related to automatically making arbitrary traffic
"look" like, say, an HTTP session? I'm thinking of something that would
automatically encode a VPN session as a valid, renderable HTML document (and
not via the trivial way of just gzipping it and making it look like an HTTP
compressed document, as I'm sure that would still be easy to block.) It seems
like this should be possible, albeit with tons of performance decrease, but I
can't find anything.

~~~
andreasvc
Such a technique is called steganography. It's possible but would require lots
of bandwidth depending on how secure you need it to be. For example you can
hide data in a photo by slightly changing the shades of red in it without
changing the appearance of the photo noticeably.

~~~
tcoppi
I'm aware of steganography, but this would be slightly different than any
published steg technique that I am aware of, as it would not be hiding in a
preexisting carrier signal, it would be creating its own.

------
jasonjei
How is Cisco IPSec affected by this blockage? Any business or foreign mission
conducting transactions in China should be very wary if they start targeting
IPSec in any way.

~~~
sneak
...and by "Cisco IPSec" you mean "IPSec", right?

I would assume, based on the various anecdotal reports I've read, that IPSec
tunnels are blocked under this new program, along with PPTP and L2TP.

They're using machine learning packet classifiers to identify the traffic
running over tcp and udp, as well.

~~~
kaptain
I'm using IPSec now without any problems. OpenVPN is blocked.

China has the power to be more selective about what it blocks. For example,
Wikipedia is not blocked here (yet). But trying to access an article within
Wikipedia on Tiananmen results in a dropped connection. Why China completely
blocks entire blocks of ip addresses (like YouTube, Blogger, Wordpress) is not
clear to me. There are a number of easy heuristics you could use to block most
of what you don't want.

It is ironic to me that a government that preaches a belief in rationality (e.g.
I received a text message last week urging citizens to believe in science and
not the end of the world reports) would use censorship instead of rational
debate/discussion to counter viewpoints it doesn't agree with.

~~~
stock_toaster

> OpenVPN is blocked.

Are just the standard ports blocked? Or are they doing some type of traffic
analysis to differentiate openvpn traffic over any port, be it tcp or udp (as
openvpn can of course be configured for any port over tcp or udp)?

~~~
Fivesheep
GFW is getting more advanced. It doesn't simply block you by ports anymore,
but by your accessing patterns.

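newhouseb's observation above that OpenVPN gets identified even on random ports, and stock_toaster's question about whether the GFW does traffic analysis over any port, come down to the same thing: the protocol's first two packets have a fixed shape. The following is an added example, not code from this page or from OpenVPN, of the kind of two-packet flow classifier a DPI box can apply without looking at the port at all. It assumes the control-channel layout documented in OpenVPN's ssl.h (opcodes 7 and 8 for the client and server hard resets, an 8-byte session id, an ack array, a 4-byte packet id) and a plain handshake without tls-auth or tls-crypt, which insert an HMAC after the session id and shift the later offsets; the packets in main() are constructed, not captured.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// OpenVPN control-channel opcodes (top 5 bits of the first byte; the low 3
// bits are the key id). Values as defined in OpenVPN's ssl.h.
const (
	opHardResetClientV2 = 7
	opHardResetServerV2 = 8
)

// Layout of the first two packets of a plain OpenVPN handshake (no tls-auth
// or tls-crypt):
//   client -> server: opcode|keyid (1) | session id (8) | ack count = 0 (1) | packet id = 0 (4)
//   server -> client: opcode|keyid (1) | session id (8) | ack count = 1 (1) | acked id = 0 (4)
//                     | remote (client) session id (8) | packet id = 0 (4)
const (
	clientResetLen = 1 + 8 + 1 + 4
	serverResetLen = 1 + 8 + 1 + 4 + 8 + 4
)

func opcode(b byte) byte { return b >> 3 }
func keyID(b byte) byte  { return b & 0x07 }

// stripTCPLength removes the 2-byte big-endian length prefix OpenVPN adds in
// TCP mode, so the same classifier works for both transports.
func stripTCPLength(pkt []byte) ([]byte, bool) {
	if len(pkt) < 2 {
		return nil, false
	}
	n := int(binary.BigEndian.Uint16(pkt[:2]))
	if n != len(pkt)-2 {
		return nil, false
	}
	return pkt[2:], true
}

// looksLikeOpenVPN returns true when the first packet in each direction of a
// flow matches a plain OpenVPN hard-reset exchange: correct opcodes, key id 0,
// expected lengths, zero packet ids, and the server echoing the client's
// session id. Nothing here depends on the port number.
func looksLikeOpenVPN(clientFirst, serverFirst []byte, tcp bool) bool {
	if tcp {
		var ok bool
		if clientFirst, ok = stripTCPLength(clientFirst); !ok {
			return false
		}
		if serverFirst, ok = stripTCPLength(serverFirst); !ok {
			return false
		}
	}
	if len(clientFirst) != clientResetLen || len(serverFirst) != serverResetLen {
		return false
	}
	if opcode(clientFirst[0]) != opHardResetClientV2 || keyID(clientFirst[0]) != 0 {
		return false
	}
	if opcode(serverFirst[0]) != opHardResetServerV2 || keyID(serverFirst[0]) != 0 {
		return false
	}
	zero := []byte{0, 0, 0, 0}
	clientSID := clientFirst[1:9]
	// Client: no acks, message packet id 0.
	if clientFirst[9] != 0 || !bytes.Equal(clientFirst[10:14], zero) {
		return false
	}
	// Server: one ack (of packet id 0), then the client's session id, then packet id 0.
	if serverFirst[9] != 1 || !bytes.Equal(serverFirst[10:14], zero) {
		return false
	}
	if !bytes.Equal(serverFirst[14:22], clientSID) {
		return false
	}
	return bytes.Equal(serverFirst[22:26], zero)
}

// buildHandshake constructs the two packets a plain OpenVPN handshake starts
// with, for the given session ids (sample data, not a real capture).
func buildHandshake(clientSID, serverSID [8]byte) (client, server []byte) {
	client = append([]byte{opHardResetClientV2 << 3}, clientSID[:]...)
	client = append(client, 0)          // no acks
	client = append(client, 0, 0, 0, 0) // packet id 0
	server = append([]byte{opHardResetServerV2 << 3}, serverSID[:]...)
	server = append(server, 1, 0, 0, 0, 0) // one ack, for packet id 0
	server = append(server, clientSID[:]...)
	server = append(server, 0, 0, 0, 0) // packet id 0
	return client, server
}

func main() {
	c, s := buildHandshake([8]byte{1, 2, 3, 4, 5, 6, 7, 8}, [8]byte{9, 9, 9, 9, 9, 9, 9, 9})
	fmt.Println("plain UDP handshake on an arbitrary port:", looksLikeOpenVPN(c, s, false))
	// A flow that opens with a TLS ClientHello is not OpenVPN, whatever the port.
	tlsHello := []byte{0x16, 0x03, 0x01, 0x00, 0xf8, 0x01, 0x00, 0x00, 0xf4, 0x03, 0x03, 0, 0, 0}
	fmt.Println("TLS ClientHello:", looksLikeOpenVPN(tlsHello, s, false))
}
```

Changing the listening port does nothing against this, because the classifier never reads the port. Turning on tls-auth moves the offsets but leaves the opcode byte and session id in front, so a fingerprint that keys on the first byte plus length survives that too. That is why obfuscation layers have to rewrite the framing of the first packets, not just relocate them.
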
------
gimbuser
It has to be very selective, otherwise it would disturb a hell of a lot of
state admins and companies :P

~~~
sneak
It's been doing EXACTLY that. It's not that selective.

------
cypherpunks01
How prevalent is Tor usage in China? Is it a PITA because one has to go
through bridge relays?

~~~
nwh
Somewhere around a thousand a day (which is extremely low), with spikes way
beyond that. I assume that they have difficulty finding relays, as the
Firewall would be very updatable. For comparison, the daily connections for
Australia and the US are over 4000 and 70000 respectively. You'd assume that
the only ones being able to use the onion router at the moment are those that
could find bridge relays with the obfuscation proxy enabled.

The Tor project has lots of neat graphs, broken down on a country basis:

<https://metrics.torproject.org/users.html?graph=direct-users&start=2010-12-23&end=2012-12-23&country=cn&events=off#direct-users>

