Ask HN: How would you tunnel through GFW? - juvenn

I think there would be thousands of hackers who're working from Mainland China. So, I'm wondering how you could get through the GFW?

I've known that the GFW has been upgraded recently, and it has become more sophisticated in filtering the web. Tor nodes, lots of VPN networks, as well as SSH don't work around it now.

I (or we) would appreciate it if someone here could come up with a good and reliable solution.
======
smanek
My brother was in Beijing for the summer, and he said the SSH tunnel I set up
for him worked fine. It's possible that things have changed in the couple
months since he's left, but I'd be surprised ...

If you want to go really overboard, tunnel IP over DNS, ICMP, or some other
common protocol ;-) (e.g. <http://thomer.com/howtos/nstx.html>)

~~~
juvenn
Oh, it's a long article, I'd try it later. Thanks for the link.

------
neilc
TOR still works fine -- you just need to configure it to use bridges.
<https://www.torproject.org/bridges>

~~~
juvenn
Thanks, I will try this if I get free time, but Tor is difficult to configure.

And I can not even access the bridge link you gave.

~~~
m_eiman
Maybe this link to a PDF version of the info will work:
<http://dl.getdropbox.com/u/34019/tor-bridges.pdf>

If it doesn't, I'll send you the stuff per email.

~~~
juvenn
It works, thank you so much for the stuff.

------
dryicerx
They're blocking VPN and SSH even on non-standard ports?

Don't know much about the Great Firewall, but I usually keep a SSH server
listening on port 80 on a box, sometimes those hotels and company networks
don't let anything other than port 80 outbound, and it has yet to fail me.

~~~
est
Theoretically the GFW can do that, because the SSH handshake has fingerprints that
can be identified. But it will irritate every administrator in the world.

From a reliable source I heard they only ban an SSH/VPN service if they can get a
free account for testing. So if you are going to use SSH/VPN, make sure the
provider does not serve free trials.

~~~
juvenn
You mean that SSH fingerprints are outside of the encrypted data packets, aren't
they?

Honestly, I could not afford another premium VPN service.

~~~
dryicerx
Roll your own: start an EC2 box whenever you need one and start OpenVPN, or use
it as an SSH tunnel :) Just consider it a $0.1/hr charge.

------
BR
Once a new method is found, people will flood to it, then it will be noticed,
and banned. Since GFW was created, this process happened repeatedly. So IMHO,
there's no silver bullet.

~~~
olefoo
It's a coevolutionary arms race, it follows a predictable cycle of escalating
attacks and defenses until a stable equilibrium is reached, or the environment
changes.

The thing is that in this case the government of China appears to have decided
that it cannot afford to do without the internet; and that means that they
cannot 'win' in the ultimate sense, as by allowing filtered communication they
are opening a channel on which illicit communication can be carried. And from
what little I know of it, the Chinese government isn't attempting to enforce a
particular orthodoxy, they just don't want to be swept away by the social
changes that are in progress. My sense is that a few foreigners looking at
strange ideas doesn't bother the Chinese government, but large groups of young
people getting exposed to new and exciting ideas all at once does.

~~~
juvenn
It's an open secret in the IT industry. And I think the policy will not help, but
intensify the discontent under the ground, and it will harm the society in the
long run. But given the flaws of the institution, I don't think it will change
in the near future.

------
cwan
I use witopia.net - great service - but make sure you get the more expensive
ssl package (and play around trying the various nodes). As others have said,
it is truly the best $60 bucks I've ever spent if you're a frequent traveler
in China. I use it to watch hulu, youtube, facebook, etc. Sometimes it's a bit
slower than I'd like but I often find that using it I can get foreign sites
faster than even going direct.

~~~
juvenn
If I could afford any premium vpn, it would be a great choice. Thanks any way.

~~~
cwan
Just in case it was ambiguous, that's $60/year... Granted, not entirely cheap
but...

You can also consider <http://hotspotvpn.com/> (I don't know anyone who has it
but it was one of the ones that I researched before getting witopia) - $8.88
USD/month if it's the initial $60 that's an issue.

------
abalashov
OpenVPN + NAT.

Unlike most VPN technologies which rely on additional encapsulation in Layer
3/4 like GRE and IPSec (which have signatures that can be filtered out easily
without deep packet inspection), OpenVPN works over userspace TUN/TAP drivers
and a UDP transport. So, it just looks like plain old application-layer UDP
traffic. The standard port it uses (1194) can be changed easily.

Although not impossible, it would be very hard to block something like that
without catching in the same rules many other ordinary applications that use
UDP, such as most online games, Skype, etc.

It does, however, require that you tunnel to a concentrator outside the GFW.

------
juvenn
A lot of feedback from kind hackers; I could only conclude that there is no
silver bullet.

Though I think the best workaround is hosting a server outside of mainland
China, and then tunnelling through SSH or VPN. An EC2 box might work here, but I've
not tested it. If someone has tested it, please share your hacking with us.

Thanks all.

------
est
All bypass methods can be categorized into two:

1. Methods that require a 3rd-party server

2. Methods that do NOT require a 3rd-party server

Currently mainland underground hackers focus on method #2, and as far as I
know 3 POCs work fine through the GFW on OSI levels 3, 4, and 7, unless the target
is an IP ban.

~~~
trevelyan
There is also now DNS poisoning of high profile sites like Facebook and
Twitter. So be sure to use a DNS proxy that is outside China.

~~~
est
> So be sure to use a DNS proxy that is outside China.

This is where many people think wrong. GFW hijacks all UDP port 53 data, and
OpenDNS fails like others. You _MUST_ use a clean DNS server inside China or
on localhost. Query DNS via IPv6/SSH/VPN/Socks/TOR/TCP.

~~~
juvenn
Yes, I use OpenDNS now, but it fails like others.

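est's reply above makes two technical points: plain UDP/53 queries can be answered by a hijacker before the real resolver, and the fix is to carry the query over a channel the hijacker does not intercept, TCP being the simplest. The following is an added example written for this page, not code from est or from any DNS project. It builds a DNS query, frames it for TCP as RFC 1035 section 4.2.2 requires (a two-byte length prefix), parses A-record answers (including name-compression pointers), and flags the case trevelyan describes, where the UDP answer disagrees with the TCP answer for the same name. The replies, addresses (from the RFC 5737 documentation ranges) and the `build_response` helper are constructed for the example; no network access is needed.

```python
import struct


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 label format)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard recursive query (RD=1), one question, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def tcp_frame(msg: bytes) -> bytes:
    """RFC 1035 4.2.2: over TCP every message is preceded by its 16-bit length."""
    return struct.pack(">H", len(msg)) + msg


def tcp_unframe(stream: bytes):
    """Split one framed message off a TCP byte stream; returns (message, remainder)."""
    if len(stream) < 2:
        raise ValueError("need 2-byte length prefix")
    n = struct.unpack(">H", stream[:2])[0]
    if len(stream) < 2 + n:
        raise ValueError("short read: message truncated")
    return stream[2:2 + n], stream[2 + n:]


def decode_name(msg: bytes, off: int):
    """Decode a possibly-compressed name at offset; returns (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg: bytes):
    """Return (txid, [IPv4 strings]) from the answer section of a DNS response."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return txid, addrs


def build_response(query: bytes, addrs, ttl: int = 60) -> bytes:
    """Constructed helper (not a real resolver): answer the query with the given A records."""
    txid = struct.unpack(">H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4)
                       + bytes(int(x) for x in a.split(".")) for a in addrs)
    return header + question + answers


def answers_disagree(udp_addrs, tcp_addrs) -> bool:
    """A UDP answer that differs from the TCP answer for the same name is a poisoning indicator."""
    return set(udp_addrs) != set(tcp_addrs)


def demo():
    """Constructed scenario: the UDP reply was forged in transit, the TCP reply was not."""
    query = build_query("example.com", txid=0xBEEF)
    udp_reply = build_response(query, ["203.0.113.7"])            # forged (constructed)
    tcp_stream = tcp_frame(build_response(query, ["192.0.2.10"]))  # genuine (constructed)
    tcp_reply, _rest = tcp_unframe(tcp_stream)
    _, udp_addrs = parse_a_records(udp_reply)
    _, tcp_addrs = parse_a_records(tcp_reply)
    return {"udp": udp_addrs, "tcp": tcp_addrs,
            "suspect": answers_disagree(udp_addrs, tcp_addrs)}


if __name__ == "__main__":
    print(demo())
```

The framing is the only difference between DNS over UDP and DNS over TCP at the message level, which is why a resolver reached over SSH port forwarding, a VPN or a SOCKS proxy, all of which are TCP paths, can serve the unmodified query. Comparing the two answer sets is a cheap way to confirm that the UDP path is being tampered with before trusting either.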
------
jgrahamc
I thought the GFW worked by sending a RST to any TCP connection that it didn't
like. If you ignore the RST then the connection goes ahead. Has that changed?

<http://www.cl.cam.ac.uk/~rnc1/talks/060628-Ignoring.pdf>

~~~
juvenn
Oh, I could not get the PDF; would you please mail me a copy to machese AT gmail,
thanks.

------
rgrieselhuber
Just read a recent blog post about this:

[http://zygote.egg-co.com/5-interesting-facts-about-the-internet-in-china/](http://zygote.egg-co.com/5-interesting-facts-about-the-internet-in-china/)

------
ev0
ssh tunnel always works for me

~~~
juvenn
You host your own ssh server, or a 3rd party's?

