
I was visiting China recently (my first time there). I thought bypassing The Great Firewall was going to be as simple as an "ssh -D" SOCKS setup, or an "ssh -w" tunnel. Oh boy, I was wrong. If you try this, or even a basic OpenVPN setup, you will quickly find out your VPN works fine for about 5 minutes, but then latency increases to 5sec, 10sec, 30sec(!), and then everything times out. After some research I read online that the government does deep packet analysis and uses machine learning to find heuristics to guess which TCP connection or UDP stream is likely being used as a VPN. When they think there is a high probability a VPN is detected, they simply start dropping all the packets.

Encryption is not enough. You need to disguise your VPN traffic to make it look like standard HTTPS sessions (since they don't block HTTPS). For example in a traditional HTTPS session, if the client browser downloads, say, a 500kB image over HTTPS, it will send periodical empty TCP ACK packets as it receives the data. But when using a VPN that encrypts data at the IP layer, these empty ACK packets will be encrypted, so The Great Firewall will see the client sending small ~80-120 bytes encrypted packets, and will count this as one more sign that this might be a VPN.

That's why people in China have to use VPN tools that most westerners have never heard of: obfsproxy, ShadowVPN, SoftEther, gohop, etc. All these tools try to obfuscate and hide VPNs. I have a lot of respect for all these Chinese hackers like clowwindy who try to escape censorship, as it takes more technical prowess than you think to design a VPN that works in China.
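The packet-size argument in the comment above can be made concrete. What follows is an added example, not code from the original post or from any of the tools it names: it builds a constructed HTTPS download as a sequence of (direction, bytes-on-the-wire) records, then shows what the same flow looks like through an IP-layer VPN (every inner packet, empty ACKs included, grows by an assumed fixed overhead) and through a SOCKS-style encrypted stream relay such as shadowsocks, which terminates the client's TCP connection locally so the inner ACKs never cross the wire. The scoring function is a toy stand-in for the kind of heuristic the comment speculates about; the segment sizes, ACK cadence, overheads and threshold are all assumptions.

```python
"""Flow-shape heuristic of the kind described above, run over constructed
traffic. Nothing here is a capture; every size and threshold is an assumption."""

# A flow is a list of (direction, bytes_on_the_wire) tuples in arrival order.
# direction is "c2s" (client to server) or "s2c". bytes counts what a middlebox
# sees above the outer IP/TCP(UDP) headers: TLS record bytes for plain HTTPS,
# or the whole encrypted datagram for a tunnel.

MSS = 1400          # assumed server segment size
ACK_EVERY = 2       # assumed delayed-ACK behaviour: one pure ACK per two segments
VPN_OVERHEAD = 92   # assumed: 40 bytes of inner IP+TCP headers plus ~52 bytes of
                    # tunnel framing and MAC, so an empty inner ACK becomes 92 bytes
RELAY_OVERHEAD = 34 # assumed per-record length header plus cipher tag of a relay


def inner_https_download(total_bytes=500_000):
    """Constructed TLS-over-TCP download: a few handshake records, one encrypted
    request, then server data with empty client ACKs interleaved."""
    flow = [("c2s", 517), ("s2c", 1400), ("s2c", 900), ("c2s", 64), ("c2s", 200)]
    sent = segs = 0
    while sent < total_bytes:
        seg = min(MSS, total_bytes - sent)
        flow.append(("s2c", seg))
        sent += seg
        segs += 1
        if segs % ACK_EVERY == 0:
            flow.append(("c2s", 0))      # pure ACK: no payload on the wire
    return flow


def ip_layer_vpn(inner):
    """What a middlebox sees when the whole inner packet, headers and empty ACKs
    included, is encrypted into a tunnel datagram."""
    return [(d, n + VPN_OVERHEAD) for d, n in inner]


def stream_relay(inner):
    """What a middlebox sees for a SOCKS-style encrypted relay: the client's TCP
    connection ends at the local proxy, so only application bytes are forwarded
    and the ACKs of the outer connection are empty again."""
    return [(d, 0 if n == 0 else n + RELAY_OVERHEAD) for d, n in inner]


def ack_cadence(flow, small=(60, 160)):
    """Small, non-empty client packets per server packet. Empty ACKs are
    invisible to a payload-size heuristic; encrypted ACKs are not."""
    s2c = sum(1 for d, _ in flow if d == "s2c")
    small_c2s = sum(1 for d, n in flow if d == "c2s" and small[0] <= n <= small[1])
    return small_c2s / s2c if s2c else 0.0


def classify(flow, threshold=0.25):
    """Toy decision: label a flow 'tunnel' when roughly every server packet is
    answered by a small encrypted client packet. Threshold is an assumption."""
    return "tunnel" if ack_cadence(flow) >= threshold else "plain"


if __name__ == "__main__":
    inner = inner_https_download()
    for name, flow in [("plain HTTPS", inner),
                       ("IP-layer VPN", ip_layer_vpn(inner)),
                       ("stream relay", stream_relay(inner))]:
        print(f"{name:13s} ack_cadence={ack_cadence(flow):.3f} -> {classify(flow)}")
```

Run it and the VPN-wrapped flow scores 0.5 (one small encrypted ACK for every two server segments), while both plain HTTPS and the stream relay score under 0.01, because their ACKs carry no payload and so are invisible to a size-based heuristic. This is one reason a layer-4 relay can be harder to fingerprint than a layer-3 tunnel; it says nothing about timing, record-length distributions or active probing, which a real classifier could also use.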

I am in Iran; you cannot believe it, same here. They use deep packet inspection too; they will shut every packet down. Every OpenVPN, Cisco VPN, etc. connection will lose connection every 2-3 min. Connection to the outside web is almost impossible.

I have noticed they have multiple situations; for example, when everything's quiet the internet is not so bad (despite the fact that bandwidth is extremely low for a huge amount of people), but when some news comes out about government corruption, guess what? Some VPNs do not work. In the 2009 Green Movement they closed every HTTPS connection (maybe that was a red alert situation).

p.s : https://en.wikipedia.org/wiki/Deep_packet_inspection

p.s.: I use a VPS from the Netherlands for bypassing the firewall, but it takes a huge amount of time and a little money. But the point is 99.999% of people don't have this option (I use shadowsocks, sometimes other tunnels), so they use the internet the way it is, or some software like Freegate and others, but with extremely low speed and unbearable lag.

p.s.: PPTP, L2TP and others are closed right now. Even president Rohani couldn't manage the situation. I have heard he did want to do something but the supreme leader and his people stopped him.

A few years ago I had a friend visiting Iran who wanted unrestricted access to sites. I didn't have any personal Linux servers on the internet at the time, but I did have a Windows one with Remote Desktop licenses.

It turned out that RDP actually worked pretty well. I did hesitate to post this in case it's seen by the wrong people(!), though given it's a while since it was necessary to use, it may be blocked by now anyway.

I wonder if it was available because it was relatively little known and, if so, what other little known protocols might be available.

Sadly with RDP you cannot have the same experience. It is not about 1 or 2 sites; for example for me, my VPN connection is always on because there is no internet without it. But with RDP, logging into another machine, with all the lag you see, is almost impossible, at least for a power user like me who most of the time has 50+ tabs open in Chrome on sites like YouTube, Android dev docs, etc.

You can RDP into a machine and use the browser there.

But you have to send a packet every time the remote screen changes. It is much more demanding on network resources than a VPN and thus will be more difficult to use on a daily basis.

Why not have a local cache like wwwoffle (someone has to reimplement such a thing) or squid? That way you won't need a connection just to browse a bunch of (mostly static?) HTML pages... just sayin'.

You can get arrested for hosting illegal web content. All public-facing servers in China must be registered with the government, or they can get raided.

I'm not sure but I suspect that they got the technology (hardware and software) from China too.

As a Chinese netizen I don't know if I should be proud that we have world-class advanced technology or be ashamed. Possibly ashamed.

Allegedly it's mostly or at least originally Cisco's technology: https://insidersurveillance.com/cisco-huawei-and-semptian-a-... .

At first China also used Cisco's stuff, but soon they couldn't keep up with the requirements of the Chinese govt. After that a man usually criticized as "the father of GFW", FANG Binxing, came up and built more powerful censorship hardware and software for the govt at Beihang U. It is said that they now use supercomputers to parse, analyse and block (and even inject, remember GitHub?) all packets going through the Chinese network boundary.

Oh I just gave away so much secret. I'm so doomed. Everything above is just made-up stories. Don't believe me. Don't track me down. Please.

There's one mistake in your statements. It's at Beiyou U that Fang Binxing got all those things done.

It is not a secret at all....

And let's not forget BlueCoat.

These are our colleagues designing and implementing these tools of oppression. We should ask them why they exercise their talents in this way.

"Of the ten conflicts in human history with the highest death tolls, five were civil wars in China.

Chief among these was the Three Kingdoms War when up to 40 million are reckoned to have perished in military operations and from the destructive consequences of warfare. This is an enormous number, considering that the global population at that time is unlikely to have exceeded 400 million. More recently, the Taiping Rebellion claimed more than 20 million lives while the civil war that brought the Communist Party to power resulted in 7.5 million deaths, over and above the 20 million estimated to have been killed in the roughly contemporary Japanese invasion.

This is not the history we were taught at school but Chinese leaders are well aware of these facts.

When disorder breaks out in China, things turn very nasty indeed.

It is best, therefore, to avoid disorder at almost any cost."

That is why.

Or would you prefer to have China descend into the chaos of Rwanda or Sudan ?

Wait, I may be misunderstanding your comment, but are you saying you support censorship by the Chinese government on the basis of some paternalistic "those dang Chinese can't handle themselves and start a-killin' if they get to know too much, so it's better to keep them in the dark"?

Also, when quoting large blocks of text it is usually helpful to source that quote.

Oppression causes civil wars.

If they are using oppression to avoid disorder, they had better have a long-term plan. Otherwise they are digging their own grave.

Not many people fear chaos in the USA, and not because they have the best firewall.

Millions of doomsday preppers may disagree.

> Millions

There are not millions of doomsday preppers in the US. And their obsession is not representative of public will or sentiment.

The comment you're replying to said: >Not many people fear of chaos in the USA and not because they have the best firewall

So you seem to be saying that if the US had a Great Firewall the nutjobs who spend half their salary on underground bunkers and armament wouldn't. That's a pretty silly argument.

Well, thousands anyway.

Historically, I believe it would be much more accurate to say that opportunity creates civil wars. People start wars because they think they can win.

Incidentally, in most of those Chinese conflicts (4 out of 5 I believe), they were right. Many other wars were similar : starts with "immigration", numbers increasing, conflict, open conflict (and mass death), repression (of the losing side). Extermination is often tried but rarely succeeds. Well it succeeds in causing mass death, but it doesn't succeed in the sense that extermination is the result.

Good statement so far. But wait... do you assume that censorship could cause another civil war or could avoid another civil war? And where is your reasoning or evidence?

It doesn't take much to motivate someone to do it. A paycheck is enough 99.99% of the time.

They probably appreciate having their family alive... or something. It'd be better if our colleagues who don't have their hands and relatives tied would create and proliferate liberating software.

Are you saying that Blue Coat (based in Sunnyvale, California) develops censorship tools in order to keep their family alive? Who is threatening them?

I propose proud of the technologists, ashamed of the political system :)

Be sure that soon the dev will be cordially invited to write the deep inspector for that VPN, if it ever leaves the ground.

And I wonder if filling in the Apple form helped them find him, or if it was just bad timing.

I heard rumors that before Halal Internet was launched, the censorship of Iran was delegated to Huawei, the same company that builds and maintains the Great Firewall...

Yes, I have heard it too. Halal Internet is not going to launch, because Rohani does not believe in it and tries to postpone it every year (maybe they have technical issues too, I don't have information). All military sites have Ethernet and connect to each other with it.

Wish you all the best. I pay $5 for a DigitalOcean droplet to provide my family in Iran with an OpenVPN connection. This works quite well; we have not had any issues so far.

I have a friend in Iran and I let him use one of my servers as a proxy using the ssh -D flag. This has been working well so far as I know.

In my experience ... spending a lot of time working in China ... most people use Astrill or ExpressVPN. I'm surprised no one has mentioned them here yet. They own the VPN market in China. Almost every senior developer I've met here subscribes to one or the other -- with Astrill being far ahead in terms of user base. They both champion their "stealth" options and other than the odd day you don't really notice the GFW.

Pretty much all the ISPs sell "international lines" as well. But only as part of their business packages. Usually it will run for about US$1k/mo - US$3k/mo with minimum 1-2 year contract for their "starter" package. Most tech companies in my area have them; they work very well. Essentially they are a hardline to Hong Kong and they ration out to subscribers.

The key thing to understand about the GFW is that it's not about general censorship of the population. Frankly the government doesn't care if someone who is middle class, i.e., invested in the status quo, gets around the GFW. They are more concerned about conservatives in lower classes trying to organize to stop the move towards capitalism. And it's mostly about protecting the market now so local companies can get access to these lower classes as their position improves and they join the middle class.

I don't understand, who can afford US$1000 per month? I'm assuming only medium-large businesses, so do they divide up these "international lines" among their employees or something? Can these employees also use these lines at home, or only in the office?

It's for business of course, mainly international companies I guess. Local companies don't need to cross the firewall. Employees can only use these lines in the office. Actually most Chinese are not aware of the existence of the Great Firewall (GFW), really bad.

In the tech field, everyone is very very aware. I can't speak about other fields though. In my experience, pretty much anyone who is middle class or above knows about it. Granted middle class and above is only about 300 million of the almost 1.4 billion people -- so very much a minority. Granted China is huge and I mainly move in tech circles so YMMV.

It's not just international companies. Chinese companies are all about going overseas now. China is now a net exporter of investment. Plus it seems every company with an app that has a moderate amount of success wants to reach Chinese outside of China -- they have more money -- and so need to integrate with blocked services like FB. And exporting Chinese online games to other developing nations is really taking off.

Thanks for your info. As a graduate student majoring in civil engineering in China, the people around me come across the firewall when they need Google Scholar, which is also rare. Sometimes they come to me for help to get access to sites like Google Scholar. But, believe me, they don't care about what the GFW is or anything about the censorship. Yes, the big brother is watching and they want to be good netizens. Traditional industries like CE don't depend on the internet much, so the GFW does not have much influence on them. Even for programmers in internet companies, I doubt the proportion of people with access to the free internet. The above is based on personal experience and may not be that precise. Things are complicated in China anyway.

As an undergraduate student majoring in software engineering in China, I'm interning for a foreign company and we have access to free internet through proxies. And in my experience, most programmers regard free network as a necessity. And for people in large cities, it is true that they don't actually care about GFW, but I think many of them are at least aware of the existence of it, and sometimes break through it out of curiosity.

Yes, Astrill and ExpressVPN have been popular in China. But probably because they are too well-known, their services are not totally reliable. Instead, some smaller VPN providers now offer better services. Check out this test result: http://www.vpndada.com/best-vpns-for-china/

I visited your page expecting to see details of a testing methodology, along with results for a number of providers. However, the information you provide is no better than that provided by friends' anecdotes.

"Reason for Recommending: Reliable connection, fast speed. Fast customer support."

What do you mean by 'reliable'? What do you mean by 'fast'? Are you talking about latency or throughput?

"Reason for not recommending: sometimes hard to connect"

How many times out of ten? Using which VPN protocol(s)? Was this using PPTP, or OpenVPN over stunnel?

I run my own VPN servers (for myself and friends) but of course there is some ongoing maintenance effort to add new servers to replace those for which latency and/or throughput have declined. If there were a site with specific data about different companies' performance (over time), that would help me to decide whether it's still worth the effort.

I've had almost the opposite experience. VPN sort of worked, but I could not open a single HTTPS connection. The VPN problems I had I could trace to a bad WiFi connection (I had to lower my MTU and it worked fine).

Now, on previous trips I experienced what you mentioned. It seemed really like there was some machine learning going on, and after using a VPN for a while the connection would get bad. But I guess it might not be machine learning, there might just be a huge number of humans watching your traffic - which would explain why it is so inconsistent.

The thing that worked best for me is just using ssh -D (on most days). Our workplace uses ssh a lot for secure communication with outside china, so that couldn't possibly be blocked without hindering our work (and I believe 'they' have no interest in that). So whenever I had to access something for work that was sillily blocked (argh gmail), I just used the ssh connection that was open anyway.

Actually this is classic daily life of a chinese netizen: you are never quite sure what the cause of your network woes is (not without spending time digging into it). Is it due to ISP QoS, or is it reset by GFW, or is it just mere network failure?

And what most ppl do when facing this? They choose a local service instead of Twitter, Facebook, Youtube, Google. See, censorship is only a part (though a vital part) of the grand scheme.

This is a great talk about some of the methods China and other governments use to block the Tor network: https://www.youtube.com/watch?v=GwMr8Xl7JMQ

It's a pretty sophisticated arms race that's lead to some cool stuff, notably pluggable transports (like the obfsproxy you mentioned): https://www.torproject.org/docs/pluggable-transports.html.en

Unfortunately the companies that enable this deep packet inspection are often American companies working overseas. My friend who used to work at Cisco said they had internal slide decks about the improvements they could make to the Chinese firewall. Then there's Bluecoat in Sunnyvale (https://www.bluecoat.com/) building the censorship systems for the middle east.

Why do American companies sell this kind of stuff to China and non-democracies in the middle east? They must rationalize it in someway, but I think it's wrong.

> Why do American companies sell this kind of stuff to China and non-democracies in the middle east? They must rationalize it in someway, but I think it's wrong.

Pursuit of the almighty Free Market without regard for scruples or morality. Basically, public corporations base success only on money. If you as an executive refuse to bow down before Mammon[1,2] then you are replaced by someone who will. See also Charles Stross' excellent Invaders From Mars[3]. The Chinese government and other regimes pay big money for these tools.

[1] https://en.wikipedia.org/wiki/Mammon [2] https://en.wikipedia.org/wiki/Mammon_%28Dungeons_%26_Dragons... [3] http://www.antipope.org/charlie/blog-static/2010/12/invaders...

Note: that video is from 2011, and in my experience China's VPN blocking has changed significantly over that time. In 2011, I could use OpenVPN over UDP reliably, as long as I didn't use the same port for every connection. That is no longer the case, and I'm grateful for Shadowsocks as it's easier to set up (both server-side and Android client) than OpenVPN over stunnel.

Very interesting... I was just in China recently and was sshing into a box I had in the states for an impromptu SOCKS proxy. I did notice that things would work fine for up to an hour or so before things started bogging down. I would start seeing "channel x: open failed..." errors. However, closing the session and reconnecting would fix the problem... until it started lagging out again.

I thought it was just a consequence of being on spotty < 5mbps(ADSL?) connections. The internet situation was barely tolerable for a few weeks stay; I can't imagine what living in these conditions 24/7/365 is like.

I'm always brought up short when someone says/writes "24/7/365" because it really doesn't make sense.

"24/7" means 24 hours a day, seven days a week.

"24/365" means 24 hours a day, 365 days a year.

"24/7/365" means 24 hours a day, 7 days a week, 365 weeks a year?

I know, I know, it's become an idiom, and it's like "I could care less", and you can't try to understand it except as an atom that carries a meaning, but it just looks wrong to me.

Sorry - I'll now return you to your regular programming.

As an expression of time, its origin is a relation to business hours. 24 hours is "we don't close overnight." 7 days is "we don't close on weekends." 365 days is "we don't close on holidays." Those are the standard periods of unavailability.

If the sole holiday were a single Golden Week sometime in the year, the idiom may indeed have been "24/7/52", but holidays are simply scattershot like that.

The slashes aren't maths operators, they're language/grammar/shorthand. The lexeme as a whole is merely a mnemonic for the longer phrase: "24 hours per day, 7 days per week, 365 days per year."

It's not that the individual segments relate to each other. Rather they answer three sets of questions:

What are your daily hours? All of them. 24 hours / day.

What weekdays are you open? Again, all of them. 7 days/week.

What holidays do you observe per year? None, we're open 365 days/year.

Since there's rarely a monthly cycle to business closings and there aren't a standard number of days per month, that's elided.

It also helps to realize that human timekeeping is really based on three independent phenomena which are utterly unrelated. There are day-based units: seconds, minutes, and hours are all subdivisions of the period of rotation of Earth about its axis.

The month is based on the Moon's orbit about Earth. That it is roughly 30 days is a notional convenience, similarly its rough divisibility by 4 into 7-day periods. The week is entirely synthetic (though profoundly persistent).

And the year on Earth's orbit about the Sun. Again, relationship to days and months are entirely arbitrary.

That's why it often seems time units are arbitrary. They are.

There's a brief book which lays this out and traces the calendar through time, The Seven Day Cycle.

24/7/365 is dead. Long live 24/7/52!


  7 *days* per *week*
  24 *hours* per *day*
  365 *days* per... *year*
Why you'd read that as 365 weeks per year I'm not sure, because there's no pre-established convention that would lead you to interpret it that way (both 24 and 7 would have to be "per week"), and most people know there are 365 days in a year.

Just trying to help. ;-)

But it doesn't make sense to say:

  24 hours a day, 7 days a week, 365 days a year.
That just really doesn't make sense at all. I know what the numbers mean, and what they are for, but if someone is saying every hour in the year, to say 24/7/365 is just nonsense.

Of course, this is a losing battle. People just don't care if what they say makes sense, they just say stuff and assume that people will understand. This is one of the things that makes language bizarre, miraculous, infuriating, and impossible to analyse. I note examples like this because they are caltrops on the road for NLP.

They are all relative timeframes by which a store may be closed: certain hours during the day, certain days during the week, and certain days during the year. Your inability to make sense of it doesn't affect the rest of us. It's like a creationist saying evolution doesn't make sense to them: at some point it is the result of a willful ignorance that you are bragging about. It doesn't make for very interesting trolling.

  > They are all relative timeframes by which
  > a store my be closed; certain hours during
  > the day, certain days during the week, and
  > certain days during the year.
Huh. That's a way of interpreting it I'd never seen. Thank you.

  > Your inability to make sense of it doesn't
  > affect the rest of us.
No, except that it may help people see that what they think is obvious isn't always obvious to others.

  > ... it is the result of a willful ignorance
  > that you are bragging about.
Well, that's obviously your interpretation, but if others see it that way then it explains the hitherto mysterious yoyoing of points on my comments.

  > It doesn't make for very interesting trolling.
I find it disappointing that you think I'd troll.

>what they say makes sense

I would argue that no single statement can make sense. Sense is made when multiple statements are combined.

It's really all just about appropriate cognitive load. Every statement must be processed and it's great to be as accurate as possible and as accurate as the consensus agrees to.

Anything higher quality than that falls under the category of "great writing," which only a handful of people cherish.

Hey, FWIW, you've completely convinced me to never use this phrase again.

So you read 24/7/365 as 7/24/365? That only makes sense to Americans, I guess.

I agree with the understanding that each segment of 24/7/365 addresses a different possible shutdown condition.

And I'll add that "I could care less" derives from the earlier "I couldn't care less", which makes a lot more sense. See http://blog.dictionary.com/could-care-less/

24/7/52 does seem more logical...

365 means they don't close for holidays. I don't know what 52 would mean.

There's 52 weeks in a year.

24 hours in a day, 7 days in a week, 52 weeks in a year.

What business closes for a week out of a year? Are there businesses which are 24/7/50?

Well, where I work at is 24/7/51.

Interesting, are you in Europe?

UK. Last week of the year (Christmas celebrations and so, you know) this joint shuts down.

Gotcha, here in the US most people will take off that week, but no business would ever shut down entirely for a week. You'd piss off all of your customers and associates. (Which is why American workers hate dealing with ones in the EU, they're always on vacation!)

Whoever doesn't stay home during the Christmas period in the US gets accolades from management, so there's incentive to work if you're career-focused.

> I thought it was just a consequence of being on spotty < 5mbps(ADSL?) connections.... I can't imagine what living in these conditions 24/7/365 is like.

In my experience splitting my time between North America and China, the difference is not terribly noticeable once you invest in a solid VPN -- which everyone does.

The network speeds here are generally far better than NA -- in tier 1 and tier 2 cities at least. If you're accessing sites in China, i.e., not going through the GFW, the average is far better than you'd find in the US. However the GFW slows everything down. However, there are a handful of VPN providers that specialize in getting through the GFW: notably Astrill and ExpressVPN. With those on my phone, tablet, and laptop it's easy; you'd never know you were in China, except the odd day when you have to hunt for a different server. Most experienced developers here subscribe to one of them.

Also, a lot of tech companies subscribe to "international lines". Pretty much all the ISPs offer them to business customers. They are expensive but they work very well. Usually about US$1k/mo to US$3k/mo on contract. The international lines are just hard lines to Hong Kong.

Yeah, in my most desperate moment I wrote a script that opened ~10 connections and kept restarting them, and used HAProxy as a frontend. It was maybe helping, but honestly, I couldn't tell. Luckily I discovered shadowsocks soon after that.

Working in such network 24/7/365 means I have to spend about $90 per year on my vpn service, and keep vpn connection all the time when working. (otherwise google and SO will not come to save me from problems.)

Were your DNS queries going over SOCKS?
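The question above turns on a detail of SOCKS5 that is easy to miss when using ssh -D: a client can either resolve a hostname itself and hand the proxy an IP literal (ATYP 1), or send the hostname unchanged (ATYP 3) and let the far end resolve it. In the first case the DNS lookup leaves through the local, possibly filtered, resolver before the tunnel is ever used, which is one way a SOCKS setup ends up slow or broken even though the tunnel itself is fine. The following is an added illustration, not code from the thread: it encodes and decodes RFC 1928 CONNECT requests both ways, with a constructed dict standing in for the local resolver so the leak shows up as a recorded lookup.

```python
"""SOCKS5 CONNECT encoding (RFC 1928 section 4), showing where a hostname gets
resolved. Added illustration; the resolver table used in the demo is constructed."""
import ipaddress
import struct

SOCKS_VER, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def build_connect(target, port):
    """Encode CONNECT. A hostname is sent verbatim as ATYP 3, so the proxy end
    (for 'ssh -D', the ssh server) performs the lookup; an IP literal is sent
    as ATYP 1 or 4. No local DNS is touched here."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        name = target.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VER, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


def build_connect_leaky(hostname, port, resolver, lookups):
    """The leaking variant: resolve through the *local* resolver first, then
    send an ATYP 1 literal. 'resolver' is a dict standing in for local DNS;
    'lookups' records every name that resolver was asked about."""
    lookups.append(hostname)
    return build_connect(resolver[hostname], port)


def parse_connect(data):
    """Decode a CONNECT request into (host, port, atyp); raises on bad input."""
    if len(data) < 4 or data[0] != SOCKS_VER or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT")
    atyp, body = data[3], data[4:]
    if atyp == ATYP_IPV4:
        n = 4
        host = str(ipaddress.IPv4Address(body[:n]))
    elif atyp == ATYP_IPV6:
        n = 16
        host = str(ipaddress.IPv6Address(body[:n]))
    elif atyp == ATYP_DOMAIN:
        n = 1 + body[0]
        host = body[1:n].decode("idna")
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    if len(body) != n + 2:
        raise ValueError("bad request length")
    return host, struct.unpack("!H", body[n:])[0], atyp


if __name__ == "__main__":
    local_dns = {"www.google.com": "203.0.113.5"}   # constructed stand-in
    seen = []
    good = build_connect("www.google.com", 443)
    bad = build_connect_leaky("www.google.com", 443, local_dns, seen)
    print("remote-resolve:", good.hex(), parse_connect(good))
    print("local-resolve: ", bad.hex(), parse_connect(bad), "leaked:", seen)
```

OpenSSH's dynamic forwarding accepts ATYP 3 and resolves the name on the server side, but only if the application sends it that way: curl needs --socks5-hostname (or a socks5h:// proxy URL) rather than --socks5, and Firefox needs network.proxy.socks_remote_dns set to true. The constructed resolver table above stands in for what such a client would otherwise consult.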

Back in 2006/2007 when I was doing web development, I knew a few people at F5 and Zeus Technology (developers of application firewalls at the time), and they said The Great Firewall was using loads of F5 tech with deep packet inspection for all data.

I assume 9 years later (I don't know what the modern tech for web stuff is these days, but I assume encryption plays a key part) they're doing just as intrusive inspection and filtering of data.

Encryption is not enough. You need to disguise your VPN traffic to make it look like standard HTTPS sessions (since they don't block HTTPS).

In other words, steganography.

How do multinational companies' china offices get through the firewall? For example if my company uses Google apps, how do I ensure that my china office has access?

Pay one of the telcos (e.g. China Unicom) for an MPLS circuit out of the country.

Also, international performance in general can be quite bad at peak times (e.g. 30% packet loss), I suspect due to Comcast-style management of international transit. But if you buy a transit circuit from Unicom, no problem!

Edit: to add to the grand parent, I've actually found ssh -D/-w0 (for a TUN device) quite reliable from China. What I really want to do is run multiple connections from different end points with a routing protocol to do fast-failover.

> Pay one of the telcos (i.e China Unicom) for an MPLS circuit out of the country.

Don't suppose you could explain to us network plebs how that would bypass the Great Firewall?

It's a private network/route with traffic containing nothing but corporate data. Most multinationals facing this situation route out through HK, with a secondary failover usually in Taiwan or Singapore. Works a treat, but is costly and latency can be subpar.

It also doesn't solve the problem of mobile access to Google Apps for Chinese workers (Google Play Store & apps are not bundled by many (any?) Chinese OEM handset makers or carriers). You can root & sideload, or you can purchase phones outside the country and ship them to your employees, but even if you do this, there is still no guarantee they'll be able to access Google's apps while on cellular networks.

Google Apps will drain your battery when they can't access Google's servers. Roaming with a China Unicom Hong Kong sim card, like the cross border king, will give you gfw free access.

> Google Apps will drain your battery

Google Apps will also drain your battery if you are in a region where Google has no network-location data yet, because then Google will turn on your GPS, and send to their servers the pair of GPS-coords and strength of networks.

If you live in a suburb in Germany where almost no networks are known to Google, this means if you enable location services your GPS will try to get a fix 24/7, eating your battery in about 2 hours.

This is probably going to be an issue in China, too, considering that Google doesn’t have location data there.

I think you can turn this off. My phone has a setting called 'Scanning always available', which says "Let Google's location service and other apps scan for networks, even when Wi-Fi is off.". If I turn off this setting, and turn off wi-fi, then the problem you point out should be avoided, right?


But if you turn on WiFi and Location at the same time (which is not uncommon), then it will suck your battery dry in seconds. Turn any of those two off, and it works.

Oh. My phone has three options for 'Location mode':

- High accuracy (GPS, wi-fi, mobile)

- Battery saving (Wi-fi, mobile)

- Device only (GPS)

From what you say, it sounds like 'Device only' would save more battery than 'Battery saving'?

How do you setup a routing protocol to do fast failover? Is it easy?

For fast failover, you'd generally use BFD (bi-directional forwarding detection) in conjunction with a standard routing protocol like BGP, OSPF, or IS-IS. It's sufficiently complex to do on a proper networking platform, and even more difficult to do in a general purpose operating system. You can also just use aggressive timeout values with your routing protocol, but failover won't be quite as graceful.

As far as Microsoft office in Beijing, I think they VPN to their Tokyo office first. Their traffic is ensured by negotiating directly with the big telecom company. Disclaimer: I do not work for them.

This is correct

Source: worked there for a while

This is interesting, I'd love to read/hear more about it. Is the negotiation an above-board thing? What are the conditions and costs to getting this kind of exception ensured?

From what I've heard, it's something like 100 000 USD a year for a 100 Mbit connection.

Funny thing is: this is the same price paid in Brazil for a 100mbps MPLS link.

We have colleagues in china and generally speaking, you find an alternative, and host it on premise.

I believe this is the reason why they use Atlassian[1] products, where the rest of us would use Trello, etc.

[1] company that created jira

Aren't there a dozen of bugtrackers, intranet collaboration software, CI tools and git hostings that they could download and install? What's so special with the Atlassian products?

Those suck a little less than, say, bugtraq, offer enterprise support on premises which you'd never use but which you need for the purchasing when you go for a big company, and kind of have a big recognized name for their customization support even if their whole stack sucks.

I think the "enterprise support on premises" is the main deal, along with the fact that we have already used it for some of our big projects.

I've heard that commercial DCs and high-end hotels are less censored.

I'm in the Sheraton in Qingdao atm, and it's definitely less censored, I can access YouTube and Google Apps just fine; whereas earlier today from a business down the road these websites were all blocked.

Register your VPN with the authorities. We are atm doing this for an office in Beijing.

Is the primary purpose of your VPN to bypass GFW, or to provide access to your corporate network? I guess the latter would be considered a good reason.

yes, mainly to access the corp network.

Not all VPN services are censored, and not all VPN protocols trigger the reset. But you can bet whatever you get for free (thus likely popular) will get banned soon enough.

OpenVPN is like the prime suspect of a police procedural novel, it gets hunted down no matter what.

Personal experience: I did work for Microsoft Shanghai and VPN works just fine. You need to have the right set of tools, and better, have a good channel of negotiation with the government.

"Thanks" to the Great FireWall by one of the evilest governments, I might have to finally give up Gmail after many years struggling using it with the help of a wide variety of GFW-fighting tools. My deepest respect to all the authors.

This might sound a bit counter intuitive but they really hate OpenVPN and SSH tunnels - not to mention they are trivial to detect and the process is highly automated.

Traditional VPNs such as PPTP/IPsec as well as various forms of obfuscated proxies are generally not interfered with unless something major happens. A lot of the alleged "censorship" is actually a symptom of high latency and packet loss on home connections.

I suppose that means OpenVPN and SSH are too secure for the Chinese government to eavesdrop on. PPTP, on the other hand, has been known to be insecure for ages.

So... could you avoid detection by passing an SSH tunnel through a PPTP VPN? Add enough layers, and the censors might not bother to unwrap all of them.

Given that most US websites are now over HTTPS, breaking PPTP won't actually give Chinese government much information to eavesdrop on. They may know that someone is accessing Google or Twitter, but they cannot know the actual keywords or tweets they are reading.

Note that Chinese government does not have backdoor access to those US websites, nor do they control a significant fraction of Internet infrastructure.

What about Chinese signed root certs?

That is why it is recommended to untrust every Chinese CA from your system. It won't affect daily browsing even for most Chinese users. The super majority of Chinese websites, even state owned ones, buy certificates from US companies.

Yes you can. Shadowsocks was intended for the similar purpose of tunnelling traffic and it is a bit more flexible than GRE-based VPNs

IPsec is blocked now.

Blocked for a few established VPN providers e.g.Astrill. The protocol itself is not blocked per se.

You won't get a stable site-to-site IPsec tunnel for long. That's why you have to register your VPN or go MPLS.

I currently use a mixture of PPTP and Shadowsocks. Shadowsocks (even to the same servers) seems to successfully connect a little more often, and drop a little less often. Otherwise, performance seems similar, and goes up and down.

Some of my friends have had success with VPNGate.

It's based on SoftEther VPN, which happens to be open-source and cross platform.

I'm using it for most of my VPN setups and I've generally found it to be superior to OpenVPN in every aspect (performance, usability, protocol support, obfuscation, etc).

This was exactly what I experienced in China this summer: no OpenVPN (not even a commercial one or a Linode self-hosted one), no SSH tunnel, no other used-to-work VPN solutions.

For SSH it sometimes works for a few days, then the whole IP/host is blocked.

I did not have time to try obfsproxy, Shadowsocks or whatever, but it really really sucked. To make things worse, my Nexus phone could not get any updates etc. either, as Google is also _fully_ blocked. I felt I was back in the Stone Age there.

I have a good amount of recent experience with this. I found that it wasn't just a matter of your connection getting blocked; if you leave it up you'll experience some unreliable good periods (so, say, a torrent would download through the VPN overnight without a problem, but if I wanted to use the internet at any particular time, my connection was unlikely to be working). But yeah, I ended up signing up with Astrill.

When I was in China last year I had no problems using OpenVPN on my Holland based server.

Hotel WiFi may not be as restricted as the average citizen's connection. Local 3G/4G service may be more restricted than your home provider's roaming service. It's a bit of a crapshoot, but the GFW is definitely targeted more towards locals than visitors.

The Chinese authorities neither understand how FOSS works nor the Streisand Effect.

Not having to worry about != not understanding

I'm curious, what is the risk of getting caught, and what is the penalty?

Depending on what you do: detainment, torture, death.

Based on my experience, if you set up a VPN server (such as OpenVPN) by yourself and use it in China, you will see strange behaviours and the VPN server might stop working after some time. As a result, I've given up using my VPN and have been using a third-party VPN service, which works better. Here's a list of VPNs that currently work in China: http://www.vpndada.com/best-vpns-for-china/

"you will quickly find out your VPN works fine for about 5 minutes, but then latency increases to 5sec, 10sec, 30sec(!), and then everything times out"

I recall the same thing occurring in Shanghai with many of the popular webmail services, they'd work briefly, usually just long enough to log in and get a glimpse at an inbox, then it would time out endlessly and that'd be it.

> Encryption is not enough.

I use an unencrypted PPTP VPN and the connection is really fast and stable here (Shenzhen, China Telecom). I have tried OpenVPN and ssh but both were much slower. FWIW, I don't believe using a VPN is illegal in China (though operating a VPN service without a license most likely is) and pretty much every single foreigner I know uses one.

PPTP is not secure. You need to open another, more secure, tunnel within your PPTP session.

According to a recent file, using a VPN isn't illegal. But hosting an unregistered VPN service in China is illegal. And the right to use an unregistered VPN service is not guaranteed.

Per the other comment, MS-CHAP2 is crackable. The PRC govt is probably happy to encourage people to think they're secure using it.

Yes, that was my point. They are happy to let people circumvent the firewall as long as they're still able to read the traffic.

How do foreign organizations with email and internal applications inside the firewall do business in China? Do they simply have to make an exception to their security policies for employees based in China? Put them on Baidu email accounts instead? Or are IT departments of big lumbering fortune-500s also dependent on these tools?

No. Big foreign corporations, like in all countries, VPN back to their home country. The same all over the world.

Internal policy dictates this, all over the world.

Email is usually on self-hosted Exchange.

Corporate firewall blocks stuff like Youtube and Facebook - also the same over the world, but some users with the business need can access whatever the business need dictates.

Some large companies just bypass the national firewall for speed reasons - this is negotiated with the government on an individual basis - pragmatically this makes sense, as the traffic is 100% encrypted back between fixed sources and destinations, and inspecting it just wastes resources for all parties. Some corporations may also have their websites for the public access bypass any filtering, also for speed reasons (for example, internet banking).

So exemptions from the VPN detection/shutdown mechanism can simply be negotiated by those with the political clout to do so?

Indeed. The point of the GFW is to prevent political unrest. MNCs' workers are unlikely to be fomenting dissent at work. Deploying the GFW on their connections doesn't really aid the government as a whole in terms of staying in power, but it does mean that MNCs will get pissed off and may reduce their presence in China.

Weird, was just there a month ago for two weeks and used https://www.expressvpn.com/ with no issue. I mostly cruised reddit / the internet so maybe there wasn't enough volume.

It depends. I am a bit surprised that reddit is not blocked. Neither is hackernews. Apart from classic Google, Facebook, Twitter, AWS is targeted intensely for its role in "affiliated freedom", to the point releases on github are blocked, others not as much.

Why go through Internet access providers in the first place? Just get a radio transmitter and start broadcasting on short waves with encrypted digital modes... at least for short, critical transmissions.

At 1.2kbps?

Q: "Would you like a free, uncensored system to talk to anyone in the world? On top of that you could also send data at 1.2 kbps, again free and uncensored. You just need to switch frequencies quite often and randomly, in order to avoid that the bad guys will track you down..."

A: "No, 1.2kbps is not enough, thanks but I prefer censorship."

Is that what you're saying?

Sorry, I've already had my fill of stupid arguments on the internet for the next couple of days. Maybe some other time we can get together and do our best to misunderstand each other.

Haha. Ok. And sorry.

Using an SSH tunnel works just fine in China, but they detect it and start blocking the IPs. You can usually get a few weeks before they block the IP address. It works better if the server is from a legitimate source like an edu.

Most of the detection is focused on blocking VPNs and they are very good at disrupting VPN traffic.

Sounds like an overseas vendor needs to drop a blanket of satellite internet coverage over mainland China.

Sounds like you live in a world where you didn't notice that China became the second most powerful economy, and which will become the most powerful economy within a decade or so. Of course they're going to have the military to go with that:

The Great Firewall is a cowardly, non-confrontational technical infrastructure. I don't see China using a multi-billion-dollar missile system to shoot down a harmless foreign communications satellite that also serves people outside of China. They're smarter than that.

... usage of which would be detected, and the users arrested and hauled off for "questioning" about spying and/or being a terrorist.

And using a VPN doesn't have these risks?

Of course it does, but they have a less expensive and more effective means of enforcement, which is just to shut it down. That's effective because the actions they take at a single location apply to a large number of infringements.

But if they can't shut it down via technology, they'll most likely shift to individual enforcement and harassment. In that case they have to chase people one at a time, so to get widespread effectiveness they have to make sure that each individual case frightens as many people as possible. That means that the individuals targeted will be punished more severely.

Enforcement 101.

Escalating the issue could be a good thing, even if people suffer. The problem with technological oppression like censoring or pervasively surveilling the Internet is that it's invisible and there's very little organised outcry. Just look at Snowden revelations. Nothing has changed, and most people simply don't care. Effectively once the requirements for bypassing the GFW become harder to deploy than a few clicks, from an easy to follow guide, the majority of the population will just accept this oppression.

My point was not whether this would be a good thing or bad, but to point out a likely consequence.

More likely they'd just buy up all the satcos and run the thing out of business.

Spoofing GGP tends to work very well in these situations.

Which leads me to two questions:

1. If you need a custom VPN, why even have Apple devices?!

2. Why focus on VPN over their network instead of mesh?

What is this supposed to mean?

"Removed according to regulations."

As a matter of fact I did, thank you.

Let me just find the nearest cliff to jump off.
