
China Cracks Down on VPN Services After Censorship System ‘Upgrade’ - necrodawg
http://techcrunch.com/2015/01/23/china-vpn-crackdown/
======
briandear
This is the reason I no longer work from Shanghai. Attempting to do anything
in the tech space while constantly playing cat and mouse got to be such a
productivity killer that it was becoming impossible to work. You'd rarely know
if failures were because of some Firewall nonsense or something else.

It's a tragedy really. I am one guy, but I've since hired several developers
and my little company is gaining traction -- we would have been happy to
expand our footprint into China in terms of hiring a Shanghai Dev team; yet
with the variable and unknown stability of our connections, it was too big of
a risk, considering we can operate in Europe and the U.S. with minimal
interference.

~~~
c1sc0
I was in Shanghai last month & in previous years bypassing the firewall was
not too much of a hassle. When I arrived in Shanghai for the holidays this
year my old VPN provider didn't work anymore, plus they added DNS poisoning
and bandwidth throttling. I actually upgraded TO StrongVPN, which seems to be
one of the affected VPN services now.

My conclusion was that it has become effectively impossible to run a western
IT-oriented business from Shanghai. Would be interested in hearing stories of
people who DO succeed.

Sad thing is that all the infrastructure is in place: plenty of fast fiber in
the big cities & the "local", balkanised version of the "internet" works fine.

~~~
atmosx
Sorry but aren't you better off with a DO VPS running an OpenVPN?

I mean using a VPN service or Tor public server is like waving a banner
saying _Hey I'm trying to bypass you!_.

I was able to browse the internet connecting through my home's OpenVPN (DDNS
and all) when I was in China (for vacations mostly and some work) without any
problems.

Of course a home ADSL pipe is good only for 'www' and maybe not even for that,
but now a VPS costs ~ 10 USD per month and has enough bandwidth for most
people.

~~~
subliminalpanda
This is exactly what I do, except that I'm using the $5/month droplet from DO,
although I don't live in China (currently in Oman), and the censorship here
is nowhere near as bad.

------
Joe8Bit
Now is another good time to remind people of projects like Streisand[0], who
make setting up censorship avoiding tools simpler than they otherwise would
be.

Streisand in particular provides various tools for masking VPN traffic as
HTTPS (Stunnel/SSLH et al) that may prove useful during crackdowns like this.
As well as setting up things like a tor bridge.

One note, there is currently an issue with the Digital Ocean provisioning,
which prevents it from completing initial setup, but I have easily and
successfully set up instances on Rackspace and AWS recently.

[0]: [https://github.com/jlund/streisand](https://github.com/jlund/streisand)

~~~
jlund
The DigitalOcean provisioning issue was recently fixed, and creating new
droplets is working properly. Making the mirroring segment more resilient to
failures is high on my list of priorities. Thanks for the positive feedback!

~~~
netheril96
I cloned this repo on my local machine in case one day all VPN and GitHub
itself are blocked.

~~~
tomjen3
Unless you are presently in China that seems like overkill - kinda like having
a backup plan for your photos that can survive a nuclear war.

~~~
netheril96
Uh, I am a native Chinese in China. This would look like overkill just one
year ago, but today it seems more than likely.

------
narrator
The whole Chinese way of doing things makes me think that most people live in
enormous Skinner boxes. It makes me reflect on my own media consumption. What
messages am I receiving? How is processing those messages affecting my view
of the world? What experiences or opportunities am I missing out on because of
the messages I am receiving and processing and how they are affecting my
internal model of the world?

Look at people who get addicted to MMOs like World of Warcraft for example.
They voluntarily limit themselves to the messages they receive from the game
and this influences their behavior significantly.

The proof that control of these messages and what messages are received by
people is an extremely valuable commodity is that advertising is a multi-
trillion dollar industry.

Even if everything was perfectly truthful, there is only a small amount of
time for people to digest and absorb the world with their limited perception.
Thus, the control of which limited set of messages that people receive is also
a huge source of power and why a commercial in the super bowl is worth more
than a random banner ad on some no-name website.

Reddit, Twitter and most social media are attempts to optimize this messaging
problem.

~~~
Htsthbjig
Your media is your eyes and ears. They can manipulate your actions just by
manipulating what you people see.

When you travel around the world, this is the first thing you learn: all the
people, in all countries are manipulated by the media, controlled by the power
structures.

"If you prick us, do we not bleed? If you tickle us, do we not laugh? If you
poison us, do we not die?"

The Merchant of Venice

There is an almost automatic response from a stimulus you perceive. Being
real or artificially created does not matter for the brain.

In the supposedly "free countries", they just control the media that most
people watch. Most people just do not care.

For example, most Americans have a SouthPark puppet idea of Saddam Hussein,
but he was a very smart person. As this person spoke a different language, you
could portray the idea that is convenient for helping the interest of the
people in power, basically invading a foreign country for stealing their oil.

Most Americans believe that they invaded Iraq because extending democracy,
weapons of mass destruction or whatever. But it only takes an hour of talking
with real Iraqis(or traveling to Iraq) to know better.

Just one thing, how many films have you seen about Hitler and Nazism, and how
many about Stalin that killed more than Hitler. It was not convenient to
portray Stalin as he was when he was alive.

Have you seen the image of Putin in the Western media today? Again, just
understanding Russian makes a huge difference in how they could manipulate
you.

Putin also manipulates their people, but he is not the only one.

~~~
lurcio
Really really o/t but...

I'm going through this now, having just returned to the UK after a number of
years away. Last time I felt this way was when I left a village bubble for the
bubble of London village.

That said - I'm amazed at how 'broken' everything is - schools, doctors,
police, roads. And so much of London is still 'up and coming', i.e. a dump.

However, it can't have changed that much. Friends are still comfortably numb
and tolerant of the entropy and propaganda. As I was before - indeed, I
maintained a rosy view of Blighty all my time outside and it served as my
benchmark for other countries. I'm sure the change is more with me - I see this
place with new eyes and feel like a foreigner tbh. It's an interesting
position. Travel (not tourism) perhaps doesn't broaden the mind as much as
create a cognitive dissonance. We deal with it by either denial and retreating
into our set patterns or adapting. The former is a living death. Embrace
change or be consumed by it.

wrt UK - gov here is stealthily setting up their own great wall. Given the
well established corporate news filters, speech censorship and language
planning, it's no longer in anyone's interest to speak openly in public. What a
system we have created for ourselves!

Still as Kierkegaard reminded us: people lay so much store by freedom of
expression, but not so much for freedom of thought. They can't take that away
from us (yet)

------
logotype
I'm living in Shanghai. Still connected fine over an IPSec tunnel. I run my own
VPN server on Rackspace/AWS (only 2 public IPs), the connection is and has
been relatively stable (about a year). 12MBit/s from Shanghai to the IPSec
server in Hong Kong, 38ms consistent ping (100MBit/s connection). Using a
Cisco SMB router, so the connection is pure IPSec and standard ports.

~~~
c1sc0
How do you handle access from mobile devices? I found managing a VPN (from
iPhone) more trouble than it's worth. Moving between networks often dropped
the connection long enough to kill the VPN.

~~~
schuke
Maybe you can try the Shadowsocks browser app from the App Store. It has a
public SSH tunneling proxy. You can also use your own server settings if you
have one. Works pretty well for basic web stuff.

~~~
c1sc0
Thanks. That's cool & would alleviate the pain a bit I guess. The thing that
drove me nuts is that Slack was blocked, but I guess I could have run that
from within a private browsing app like the one you recommended.

------
zhte415
What stops meaningful visits from visitors within China to sites hosted
outside of China today is, thanks to the prevalence of CDNs, the CDN.

Need a font? Google fonts? Blocked.

Need a picture? Instagram? Blocked.

Need a video? Youtube? Blocked.

Need a CSS sheet? Use a CDN? Blocked or really slow.

Visiting a text-based website hosted outside of China [from within China] is
usually pretty good. No VPN necessary.

CDNs are a Firewall quick-kill, a lazy-kill. If you host a site outside China,
that you'd like to be visible within China, self-host anything you'd otherwise
think about off-loading to a CDN. That makes the need for a VPN for your
audience redundant.
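
Added example (not part of zhte415's comment): one way to audit a page for the off-site dependencies described above, listing every host other than the page's own that serves a stylesheet, script, image, video or frame. The sample HTML, `www.example.com` and `cdn.example.net` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a sub-resource.
RESOURCE_ATTRS = {"script": "src", "img": "src", "video": "src",
                  "source": "src", "iframe": "src", "link": "href"}
# <link> only triggers a fetch for some rel values (canonical, alternate etc. do not).
FETCHING_RELS = {"stylesheet", "preload", "modulepreload", "icon"}


class ResourceCollector(HTMLParser):
    """Collects sub-resource URLs whose host differs from the page's host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.external = {}  # host -> list of absolute URLs

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link" and not FETCHING_RELS & set(attrs.get("rel", "").lower().split()):
            return
        value = attrs.get(attr, "").strip()
        if not value:
            return
        # urljoin resolves relative and protocol-relative ("//host/path") references.
        absolute = urljoin(self.page_url, value)
        host = urlparse(absolute).hostname  # None for data: URIs
        if host and host != self.page_host:
            self.external.setdefault(host, []).append(absolute)


def external_hosts(page_url, html):
    """Return {host: [urls]} for every off-site sub-resource in the HTML."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    return dict(sorted(collector.external.items()))


# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans">
<link rel="canonical" href="https://other.example.net/page">
<script src="https://cdn.example.net/lib/app.min.js"></script>
</head><body>
<img src="images/logo.png">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
</body></html>"""

if __name__ == "__main__":
    for host, urls in external_hosts("https://www.example.com/index.html", SAMPLE_HTML).items():
        print(host, len(urls))
```

Every host this reports is one more name that has to resolve and load for the page to render for a reader behind the firewall.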

~~~
drzaiusapelord
I imagine the things you list are, to the CCP, a feature and not a bug. The
harder it is for Chinese to leave the censorship bubble the better. I imagine
the end-game for China is a completely cut off internet. Once they have enough
domestic services it'll be safe to do. They're just not there yet.

My organization was forced to deploy a server in China with specialized
content for the Chinese. That server and its content is under the CCP's
censorship and control, and being an autocratic non-democratic government
means that chances of reform are virtually nil. We're allowed, by the good
graces of the CCP, to have a presence in China that they control. This is
their end game. Controlled foreign sites hosted locally and international
internet either completely cut off or just allowed for certain companies and
elites.

Autocracy and freedom of information just don't work. The Chinese people, who
are very nationalist, have chosen the former and are quite proud of it, often
citing the "decadent west" as something they don't want to become and using
the word "democracy" as an insult. Let's stop acting surprised about
censorship in China. Some people prefer to be ruled by an iron fist.

~~~
Normati
It's not just autocracy. The US government is quite aggressive in shutting
down websites that spread information it doesn't like. They also sometimes go
further and arrest and imprison the operators. Examples include gambling,
piracy and drug trading sites.

~~~
CamperBob2
While true in a literal sense, it's an insane exercise in false equivalence to
compare US censorship practices with the PRC's. You will not see political
speech treated as if it were a physical threat here.

~~~
happyscrappy
Some people need to believe that the West is just as bad as China, reality be
damned.

------
tiatia
This blocking shit is so annoying. The Chinese shoot themselves in the right
knee, then in the left knee and say, look, we have the biggest balls! Yes, you
may have the biggest balls, but you can't walk anymore dumbo!

I experienced that feeding someone his own poison is often the best medicine.
Providers world wide should block email access to all China based email for a
month or two. Would be a picture for the gods having the Chinese executives
and CEOs abroad cut off from their email and crying "foul!" "foul!".

This being said, the Chinese are pretty good in what they are doing. What will
it buy them in the long run? Even big Chinese companies in China use VPN to
access the internet. The final result will be that China won't have internet
but something like an intranet. Good luck with that!

~~~
c1sc0
Well, with all the nationalism I guess they WANT an intranet. And I think they
can probably pull it off. The Chinese Intranet is pretty good actually &
there's a lot of pride in using home-grown services and hardware, just count
the XiaoMi phones next time you're in the subway. (Brilliant brand name BTW)

~~~
tiatia
You can't afford to have only an intranet. Not if you want to be a leading
power. I even had problems looking up pages from small technology companies
that were blocked.

They don't have google. Baidu does not compare, not the slightest bit. Yes,
they have bing. Try finding an address at bing (or baidu) maps in China. It
does not work 50% of the time when google is right on the spot.

XiaoMi? Yes, some nice hardware. But the software comes from the west.

~~~
mschuster91
> XiaoMi? Yes, some nice hardware. But the software comes from the west.

Not entirely. They use (or at least have used) mediatek chipsets. Their
drivers... well, do a github search for mediatek chipset-based android source
code. People have placed entire _dumps_ of Mediatek stuff on Github... and the
stuff I could find in 5min is SCARY. Fucking scary. And that's just the tools
for the manufacturer, their kernel drivers are a mess of ifdefs and commented
out code, with the sparse comments written in some Asian language.

~~~
mih
Scary in what sense? Could you elaborate whether you are talking in terms of
security, backdoors etc. or just buggy badly organized code?

------
wanderingstan
How would (will?) China react if Musk gets his low-earth orbit satellites
providing Internet globally? I assume China could block the domestic sale of
the receivers. But in the long run, a globally accessible Internet would raise
interesting issues, and perhaps be seen as an act of aggression by regimes in
North Korea, China, etc.

------
kesor
Meanwhile China's new upgraded Great Firewall is DDoSing many websites in the
west because of the randomness of their DNS Cache Poisoning. For example see
our post about it on
[http://dvps.me/ddos-attack-by-torrent](http://dvps.me/ddos-attack-by-torrent)
and many more posts like
[http://www.webhostingtalk.com/showthread.php?p=9351951](http://www.webhostingtalk.com/showthread.php?p=9351951),
[http://furbo.org/2015/01/22/fear-china/](http://furbo.org/2015/01/22/fear-china/),
[http://serverfault.com/questions/656093](http://serverfault.com/questions/656093),
[http://serverfault.com/questions/658433](http://serverfault.com/questions/658433),
[http://www.jwz.org/blog/2015/01/chinese-bittorrent-the-gift-...](http://www.jwz.org/blog/2015/01/chinese-bittorrent-the-gift-that-keeps-on-giving/),
[https://isc.sans.edu/forums/diary/Are+You+Piratebay+thepirat...](https://isc.sans.edu/forums/diary/Are+You+Piratebay+thepiratebayorg+Resolving+to+Various+Hosts/19175/)
and more.

------
kszx
My company hires freelancers for China-related research. Contributors from
Mainland China would be ideal. But my reliance on services like Google Drive
means that I typically end up with people from HK, Taiwan, Singapore and
Malaysia. It's simply much more convenient.

~~~
ttflee
Try to set up a cloud service that is not from Google, e.g. Amazon AWS or MS
Azure.

~~~
netheril96
Connection to Amazon AWS is frequently disrupted by GFW (but not completely
blocked like Google's services). I don't know about MS Azure, but nothing is
safe these days.

------
mcbridematt
This has been going on for some time now, I'm surprised it is being reported
again now.

Rule of thumb.. if someone can work out what you are doing by launching
Wireshark, so can a nation-scale IPS system a la Great Wall

~~~
olalonde
That's true but just to be clear, they are not blocking VPNs at protocol level
but "manually" blocking the IPs of specific providers. They do the same with
Tor: block all public Tor relay IPs.

~~~
mcbridematt
My own VPN instances have been shot down within a couple of days of use,
definitely IPS-style behavior.

I can't comment on commercial providers, but the capability to autoblock
common VPN protocols is definitely there.

~~~
olalonde
Interesting, I didn't know they did that. I've been running my own VPN as well
for a couple of years without problem. Is it possible you were running Tor on
your server or something else got you blocked (some AWS IPs seem to get
blocked for no apparent reason)?

~~~
mcbridematt
No, just OpenVPN, and from the searching I did at the time, this is a well
known problem.

These days I just tunnel over SSH or even remote desktop into a remote server.

------
ShaneWilton
At Tinfoil Security we wrote a service for generating disposable VPNs on the
fly. It's open source, and I personally made use of it while in China a few
weeks ago.

[https://www.tinfoilsecurity.com/vpn/new](https://www.tinfoilsecurity.com/vpn/new)

------
greatabel
My old company has its dev team in Shanghai, we used multiple VPNs: openvpn
and a Cisco vpn; we set them up on the company's router. Normally it's ok except
some special days like every year's session.

~~~
atmosx
Isn't that illegal in China? Or not? Are there any repercussions if you get
_caught_ evading in one way or another their national firewall?

~~~
greatabel
I think it's ok since CCP denied the existence of GFW; and we would just do
things related to work, it's like an unwritten rule.

~~~
higherpurpose
Cisco is known to support "lawful intercept" protocols in their routers (in
fact they were the ones to propose it to IETF a decade ago), so I wonder if
they find it ok to _not_ censor your connection because they can already spy
on it. This way at least they can check if it's really for "work". Other VPNs
who they _know_ aren't used for work, get blocked.

------
infruset
Does anyone know if there is technology out there which would allow for VPN
traffic to blend in with other traffic, or to bypass DPI in any way?

~~~
intopieces
Golden Frog's Chameleon protocol does something like this. It's based on
OpenVPN256, but adds packet scrambling for the header and footer.

------
mark_lee
Fucked up! Baidu should never be used to search English pages. Even if you search
English glossary, it will return some unrelated low quality Chinese webs. And
in many professional sections, you can only find stupid shallow scraped
content in Chinese even with google. When you have to search in English, Bing
is the most convenient one left. The problem is I have to speak to myself
loudly each time I search in Bing: "is Bing retarded!?" Maybe Bing is trying
its best to be different from G. Then when G gets most of right results,
Bing sucks so hard by bringing tons of heavily SEOed craps.

I use gmail, adsense, google calendar daily, and expecting to use facebook,
twitter and other SM daily. I use 3 to 4 methods to get through GFW, none of
them can guarantee a stable access. The fuckest thing is I waste 1/3 of my
working time only because of the blocking. (Really, when you can’t get through
or the speed is too slow, you just don’t know where you’ve surfed to and what
you’ve been reading for hours).

------
shaunstevin7
I am currently a Business VPN user of PureVPN and it's working perfectly fine.
My employees can access the Google/Gmail and rest of the website easily. I did
face the speed issue but their support team has provided me with the "Stealth"
protocols after that the speed gets normal.

source: [http://www.purevpn.com/blog/china-great-firewall-update-has-...](http://www.purevpn.com/blog/china-great-firewall-update-has-no-effect-on-purevpn/)

------
mirimir
Many VPN services now provide obfuscated access. Some use haggismn's XOR patch
for OpenVPN. Others provide access via SSH, Stunnel (SSL) and/or obfsproxy
(obfs3). I presume that any approach developed for Tor could be used with VPN.
Using meek, traffic is obfuscated and routed through arbitrary third-party
sites.

------
serverhorror
Here's a question: If some VPNs are blocked and others aren't maybe they are
just blocking stuff that they can't control?

In other words: The services that are good enough to prevent eavesdropping are
blocked, while the other services are "clear text" to the attacking party. Is
that a possibility?

------
atian
God is the internet annoying there. They randomly drop packets just to disrupt
VPN connections. One method may work today but not tomorrow. I've had luck
with alternating between obfsproxy and ssh and l2tp.

The truth is that no one cares. Everyone more or less knows, but it's a pain
in the ass to bypass.

~~~
Apofis
I know China uses a lot of Linux... how the hell do they get by with SSH?! If
you are an administrator wouldn't SSH immediately flag you as using a VPN?

------
brandon272
How do foreigners doing business in China deal with this? Presumably there are
a lot of large companies doing very important work and very important deals in
China and being able to connect to the company network while they are in China
over VPN is necessary?

~~~
univerio
I'm not clear on the details, but the last place I worked at had a (very
expensive) tunnel through Hong Kong to our US data center.

------
acd
What about i2p, Tor?

Communism, dictators, some kings, like extreme religions, want to control the
flow of information so the minds of the population don't catch dangerous
memes like freedom movements.

~~~
tiatia
Tor does not work in China. You can't enter the network. You need something
called "bridges". You have to send an email to get IP addresses of "entry
points". If I remember right, you had to have a gmail email address to
receive them. It never worked for me.

------
antihero
Could they ever possibly break an SSH tunnel over port 80/443?

~~~
revelation
I think that there's evidence they are already doing packet inspection and
_active interrogation_ for anything they deem suspicious. So if your SSH
tunnel has some recognizable traffic characteristics, it's game over.

There is an option to configure OpenVPN with a fixed key that it uses to
encrypt all and any traffic, leaving only random data. That's very desirable
right now since there are no easy ways to detect it, but in the future I guess
they'll just outright block any traffic that is just too random. Real
plaintext traffic, certainly with verbose 1980 protocols like HTTP, trivially
fails many randomness tests.
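
Added example (not part of revelation's comment, and not code from OpenVPN or any inspection system): a sketch of the kind of randomness test the comment refers to, scoring a payload by Shannon entropy and a chi-square test against a uniform byte distribution. The thresholds, the verdict names and all three sample payloads are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

MIN_SAMPLE = 512          # assumption: shorter samples give too sparse a histogram to judge
ENTROPY_RANDOM = 7.2      # assumption: bits per byte at or above which data looks random
CHI2_UNIFORM_MAX = 400.0  # assumption: uniform bytes average 255 (255 degrees of freedom)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0), from the byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b <= 126 or b in (9, 10, 13)) / len(data)


def classify(payload: bytes) -> str:
    if len(payload) < MIN_SAMPLE:
        return "inconclusive"
    if (shannon_entropy(payload) >= ENTROPY_RANDOM
            and chi_square_uniform(payload) <= CHI2_UNIFORM_MAX):
        return "random-looking"
    if printable_ratio(payload) >= 0.95:
        return "plaintext-like"
    return "structured-binary"


def constructed_http() -> bytes:
    """Constructed HTTP response standing in for verbose plaintext traffic."""
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
            b"Server: example\r\nConnection: keep-alive\r\n\r\n")
    return head + b"<p>Hello from a constructed sample page.</p>\n" * 20


def constructed_random(n_blocks: int = 128) -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 over a counter, 32 bytes per block."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n_blocks))


if __name__ == "__main__":
    samples = {"http": constructed_http(), "random": constructed_random(),
               "short": constructed_random(4), "binary": bytes(range(16)) * 64}
    for name, data in samples.items():
        print(f"{name:7s} H={shannon_entropy(data):.2f} verdict={classify(data)}")
```

Payload bytes of TLS records and compressed bodies also score as random-looking, so these statistics alone say nothing about which protocol produced the bytes.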

------
contingencies
Port-forwarded proxies over ssh work better than OpenVPN.

