
China tightens Great Firewall by declaring unauthorised VPN services illegal - AlexCoventry
http://www.scmp.com/news/china/policies-politics/article/2064587/chinas-move-clean-vpns-and-strengthen-great-firewall
======
schuke
Here's my translation as a Chinese native, though I'm no technical expert.

 _Companies that provide IDC, ISP, CDN services, without authorization, are
prohibited to set up or lease connections (including virtual private
networks), to conduct business operations across borders._

I guess it means if you're an ISP etc, you're not allowed to sell VPN services
without authorization.

It says nothing about individuals purchasing VPN services from foreign
providers.

It's nonetheless a chilling sign that they're restricting VPN access, which is
consistent with the overall tightening of internet control that's been going
on for quite a while.

It comes as no surprise though, given 2017 will see the Party's 19th national
congress. A lot will happen to make sure the internet does absolutely nothing
remotely similar to what happened in the Middle East in 2010.

~~~
gutnor
> It's nonetheless a chilling sign that they're restricting VPN access, which
> is consistent with the overall tightening of internet control that's been
> going on for quite a while.

It is also consistent with the worldwide tightening of internet. Trump and May
are much more likely to applaud the latest Chinese effort than criticise.

Chinese internet management is the model that will lead the West. Quite a
reversal, quite depressing too.

~~~
TazeTSchnitzel
Good thing the Internet is under decentralised international control, then!

…oh, right.

------
Canada
End user access starts in a provincial/regional network, which is connected to
a national "backbone", which maybe allows the traffic out of the country. In
my experience there's massive packet loss between the province and "backbone".
40% loss is regular throughout the day. Stuff within China mostly works, but
anything outside is flaky at best.

Now obviously enterprise can't put up with that crap, so there's better routes
out. Say a datacenter in Guangdong province that has direct peering with Hong
Kong where licensed companies are colocating. Those companies with access can
take money, (or under the table their sysadmins can) to terminate a VPN or
MPLS connection there, giving unfiltered access to the internet and bypassing
the lossy path.

The going rate I've found for this is about USD $300 per megabit per month,
plus whatever the costs are to get there (e.g. your regular broadband
connection if using a VPN or cost of MPLS/LAN extension type service from the
telco). Too expensive for most individuals, but definitely worth it if you're a
hotel catering to foreign guests who will be pissed off if Google, Facebook,
and pretty much everything they recognize about the internet doesn't work.

In my view this document is calling for, among other things, rooting out of
this kind of activity.

If anyone is familiar with this market for unfiltered internet in China I'd
like to learn more about it.

~~~
brador
$300 per megabit?? Did you mean GB or TB maybe?

~~~
Canada
I confirm that is indeed megabit per month. (324 gigabytes, or about $0.93 per
gigabyte)

Yeah, harsh. But hey, it's black market internet access.

~~~
thinkloop
> megabit (324 gigabytes, or about $0.93 per gigabyte)

A megabit is a million bits, or 1/8 of a megabyte; what do you mean, 324
gigabytes?

~~~
kalleboo
Sounds like he means 1 Mbps throughput, not 1 Mb transferred.

1 megabit of leased throughput, 24/7 over a month, adds up to 324 GB of data
transferred.

------
x2398dh1
> "No unauthorized use of VPNs through March 2018."

I was wondering, "what just happened internally in China that they want to
censor for a year or so?" Then it dawned on me...they want to censor
everything until the 2018 Winter Olympics is over with. I was wondering if
Trump had tweeted, "free Tibet," or something like that.

~~~
PakG1
What would the 2018 Winter Olympics have to do with anything?

~~~
ago
At the 2008 Beijing Summer Olympics they actually reduced the censorship a
little until the games were over.

~~~
PakG1
But 2018 Winter Olympics are in South Korea. Not sure if you thought Beijing
was hosting 2018, or if you thought that Beijing ups the censors every
Olympics each time.
[https://www.pyeongchang2018.com](https://www.pyeongchang2018.com)

------
hamckio
Just want to mention Streisand here; it's an open-source project that helps you
to "setup a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN,
Shadowsocks, sslh, Stunnel, a Tor bridge, and WireGuard. It also generates
custom instructions for all of these services. At the end of the run you are
given an HTML file with instructions that can be shared with friends, family
members, and fellow activists".

Github here:
[https://github.com/jlund/streisand](https://github.com/jlund/streisand)

~~~
lordlimecat
It should be noted that the GFW currently has the ability to detect most or
all of those. Long gone are the days when OpenVPN over TCP 443 could fool
them.

~~~
tiatia
Yeah. This guy has obviously never lived in China.

------
est
Actually, this is not new; it's only an attempt to enforce a regulation that
dates back to 2002.

Official content link:

[http://www.miit.gov.cn/n1146295/n1146557/n1146624/c3554573/c...](http://www.miit.gov.cn/n1146295/n1146557/n1146624/c3554573/content.html)

Side-by-side translation provided by Peking Univ. (partially pay-walled)

[http://www.lawinfochina.com/display.aspx?id=2407&lib=law](http://www.lawinfochina.com/display.aspx?id=2407&lib=law)

Also, an interesting article in Chinese talking about the topic

[http://www.winlawfirm.com.cn/_d276432755.htm](http://www.winlawfirm.com.cn/_d276432755.htm)

------
kem
This seems more ominous to me than it normally would...

All this sort of thing worldwide makes me wonder why there isn't more of an
exponential growth in movement to decentralized or federated platforms. It's
definitely seen a lot of growth, but with concerns about centralized
censorship and monitoring in various places, it seems like it should be
getting more attention.

Maybe it's irrelevant in the case of China, or maybe it's a good place to use
as a thought experiment because censorship strategies have been played out so
thoroughly there.

~~~
csydas
Probably because in a lot of the places where this happens, the
owners/operators of the infrastructure have to actually live there and deal
with the consequences of undermining the powers that be. On top of that,
sometimes it pays to play -- thereby be a human rights cost but there's a real
payout whether it's monetary, accruing favor with the local powers, or just
being able to operate.

I think it's very easy to look at the state of the world and judge it to be an
egregious violation of human rights, and the solution is simple. Implementing
it, however, is complicated by external factors and always is in these
situations.

------
BatFastard
When my daughter was in Beijing last year in school, virtually all of the U.S.
students in her class used VPNs to access YouTube and other American content.
I got the impression they were quite common amongst the Beijingers too.

~~~
deepfriedbits
Every hotel I've stayed at in China that caters to Westerners had a VPN in
place. You could check your Gmail at the hotel but not outside of it (unless
you had your own VPN).

~~~
seanmcdirmid
Only true in Shenzhen and Guangzhou, not any other city in China as far as I
can tell.

~~~
arcticbull
My hotel in Shanghai last month had a VPN for guests too. The further you go
inland the crazier the restrictions get.

~~~
fooker
This is because historically most Chinese revolts and movements started with
the inlanders getting frustrated with the amount of trade the coast enjoys.

People in Beijing and Shanghai have it much better and do not have much reason
to cause problems bad for business.

~~~
arcticbull
Not to mention Xinjiang. By the time I got out there communication was
basically a black hole. Out there apparently the police were actually
enforcing the no-VPN rule, kicking locals off the internet for extended periods
of time.

------
anardil
It'll be interesting to see what new technologies develop to counteract these
measures. Adversity fosters growth, right?

~~~
eganist
Would be interesting to see if Iridium finds a wealthy audience in China.

------
BoorishBears
Is something getting lost in translation or is this targeted at businesses and
not individuals? (Still a big deal, but I thought VPNs were already banned?)

~~~
anonnyj
Not entirely sure, seemed banned, have vague memories of people being harassed
for using proxies.

In any case proxies have definitely been soft banned. If you try searching for
vpn/proxy you'll get dead connections. If a url has the same, you'll also get
a dead connection (as opposed to a "this is banned" page)

Also perhaps of note... When a law isn't working (ie indoor smoking ban) they
have been known to just re-issue it.

~~~
chipperyman573
> Also perhaps of note... When a law isn't working (ie indoor smoking ban) they
> have been known to just re-issue it.

This is interesting. Do they re-issue it with a minor change (double
penalties, increasing the radius of "indoors" by 10ft, etc) or do they just
re-issue it word for word?

------
rdlecler1
It's very frustrating. I had a VPN but they were even blocking that.
Thankfully I was able to access Google and Gmail while on international
roaming with Verizon. We're certainly seeing a separation of internets.

------
tmikaeld
About 6 months ago, all of our OpenVPN and SoftEther VPNs were blocked, and
new ones we set up were blocked in 10 minutes. So we changed to Shadowsocks
and it's been working since; it seems harder for them to detect.

~~~
oszione
Indeed, Shadowsocks is great but it's just a SOCKS5 proxy under the hood.

------
ommunist
Chinese company Opera Software has a VPN client built into the developer version of
Opera browser. I assume they have all the necessary licenses from the
government and their software is safe to use from mainland China.

------
EternalData
Ugh, the general tightening of the Firewall will not have many short-term
ramifications on the startup scene in China (it'll probably lead to a fair bit
of protectionist lift actually for mainstream service providers) but the
long-term issues of closeness will lead to inferior service providers thriving
under the protection of the government.

Regardless of the research dollars China is throwing at technology, this is no
way to build a successful/enduring technology infrastructure.

------
intrasight
How would they discriminate between business people traveling to China (who
probably wouldn't travel if their VPN was blocked) vs Chinese citizens?

~~~
yorwba
The same way they do it currently.

I'm in Shanghai as an exchange student and I get _very_ different connection
quality depending on whether I'm using the WLAN on campus (fast, some
Google-owned services work even without VPN), using my mobile connection specifically
catering to foreigners (4G, no noticeable slowdown with VPN) or the "citizen
grade" connection at the flat I'm renting. I have observed speeds of 10 MiB/s
connecting to servers on campus, but VPN is usually capped at 10 KiB/s.

Ironically, I was downloading a YouTube video overnight (using a VPN, of
course) and after midnight the speed skyrocketed to breathtaking 200 KiB/s! No
idea whether that has anything to do with this announcement.

~~~
paradite
Curious if you are in NYU Shanghai? I think that's the only campus in China
where you get unfiltered Internet.

~~~
yorwba
No, SJTU. Internet access is not completely unfiltered, just less filtered
than outside.

------
toni
This might sound like a naive or stupid question, so please help me out here:

Let's say I live in Shenzhen. Isn't it possible to connect via a normal phone
line to a dial-up service in Hong Kong and enjoy an almost uncensored (albeit
very slow) internet? Or is that a bit far-fetched?

~~~
robjan
It would probably be quite expensive as, in most cases, calls to +852 are
considered to be long-distance. I don't think internet access is as restricted
in SZ as other parts of the mainland, as I am pretty sure that I bought an
unrestricted SIM at the HK-SZ border last time I crossed.

~~~
janekm
Internet access in SZ is also restricted, but you are right that you can buy
an unrestricted SIM on the border, but that is actually a HK SIM (or dual
network sim) so your data connections are terminated in HK and hence not
filtered.

------
tbronchain
Original link
[http://www.leiphone.com/news/201701/zZyJrgzw4RkReuTJ.html](http://www.leiphone.com/news/201701/zZyJrgzw4RkReuTJ.html)
(for those in China who don't have VPN ;) )

------
thinkloop
VPNs have so many uses besides subverting censorship. How are off site workers
supposed to connect to their intranets? Or individuals to secure public wifis,
etc. Isn't VPN just an encrypted connection to another computer?

~~~
seanmcdirmid
It is very difficult; e.g. accessing Microsoft corpnet from behind the GFW. It
kind of works, but isn't reliable.

------
fangxing
As a Chinese student, most of my friends (if they need to visit blocked
websites) are using Shadowsocks; it is easy, fast and more stable than VPN,
and I also installed Shadowsocks on my OpenWrt router.

------
methou
Last time I was trying to `bootstrap` a new OS with my own VPN, it's been quite
difficult if without commercial services. Most materials you need for a brand
new computer to freely surf the internet can't easily be found on the
Chinternet, it's quite difficult to filter out the malware from a legit.

They've given a quite (technically) reasonable timeline for this, so believe
they are serious on this one. If they put punitive, even the slightest like
cut the wire or urge your ISP to stop service.

------
cm2187
What about RDP into a remote VM? Surely they can't block RDP, techcos in China
need to be able to run servers outside of China. Would that go around VPN
restrictions?

~~~
swiley
I know they used to use ssh tunneling a while ago, idk if they still do.

------
hota_mazi
And by "unauthorized", they mean "all".

~~~
netheril96
I heard that Baidu and some other Internet companies in China have these kind
of unfiltered connection (maybe to use Google? Haha). I don't know if these are
"authorized" or not.

~~~
dilfish
They are authorized. All companies have to apply for this "specialized line" for
Internet accessing. If there's anything they do not like, they could find the
person responsible for this easily.

------
reubeneli
Many are using proxies instead in Hong Kong - like
[http://mediahint.com](http://mediahint.com). Not sure about mainland. Any
ideas what is used on the mainland?

~~~
voltagex_
Well, at least MediaHint isn't joining users to a botnet like one of the
others is.

All it's doing is setting proxy autoconfig to
[https://mediahint.com/chrome.pac](https://mediahint.com/chrome.pac)

Doing a bit more digging it seems like they're using several proxies under the
name *.mhgs.co, which looks suspiciously like a whole lot of Linode boxes.

I didn't think the 'net was filtered in HK?

~~~
dylz
Linode/DO boxes are probably frontending the first part of the proxy chain.
The output is probably not going to be a Linode or DO IP at the end.

Linode JP has decent routing to CN afaik.

------
lend000
Well, at least they allow authorized use, so you can route your traffic
directly into their most heavily monitored network analyzers if you so choose.

------
Quarrelsome
So what's the next logical step for users that wish to access restricted
content should they not be able to use VPNs?

------
shalmanese
Link should probably be changed to
[http://www.scmp.com/news/china/policies-politics/article/206...](http://www.scmp.com/news/china/policies-politics/article/2064587/chinas-move-clean-vpns-and-strengthen-great-firewall)
which provides a more digestible summary.

