China Cracks Down on VPN Services After Censorship System ‘Upgrade’ (techcrunch.com)
179 points by necrodawg on Jan 23, 2015 | hide | past | favorite | 90 comments



This is the reason I no longer work from Shanghai. Attempting to do anything in the tech space while constantly playing cat and mouse got to be such a productivity killer that it was becoming impossible to work. You'd rarely know if failures were because of some Firewall nonsense or something else.

It's a tragedy really. I am one guy, but I've since hired several developers and my little company is gaining traction -- we would have been happy to expand our footprint into China in terms of hiring a Shanghai Dev team; yet with the variable and unknown stability of our connections, it was too big of a risk, considering we can operate in Europe and the U.S. with minimal interference.


I was in Shanghai last month & in previous years bypassing the firewall was not too much of a hassle. When I arrived in Shanghai for the holidays this year my old VPN provider didn't work anymore, plus they added DNS poisoning and bandwidth throttling. I actually upgraded TO StrongVPN, which seems to be one of the affected VPN services now.

My conclusion was that it has become effectively impossible to run a western IT-oriented business from Shanghai. Would be interested in hearing stories of people who DO succeed.

Sad thing is that all the infrastructure is in place: plenty of fast fiber in the big cities & the "local", balkanised version of the "internet" works fine.


Sorry but aren't you better off with a DO VPS running an OpenVPN?

I mean using a VPN service or a public Tor server is like waving a banner saying "Hey, I'm trying to bypass you!".

I was able to browse the internet connecting through my home's OpenVPN (DDNS and all) when I was in China (for vacations mostly and some work) without any problems.

Of course a home ADSL pipe is good only for 'www' and maybe not even for that, but now a VPS costs ~ 10 USD per month and has enough bandwidth for most people.


This is exactly what I do, except that I'm using the $5/month droplet from DO, although I don't live in China (currently in Oman), and the censorship here isn't anywhere near as bad.


Uhm, many of the larger companies have direct connections out of China that don't cross the GFW, even Chinese companies. If you are important and rich enough...


Yep, as always money buys everything in China. I was wondering how the smaller indie IT people do it though: to me it just seems like a cat-and-mouse game not worth the effort.


Right, and I don't know what I would do if I didn't have an open connection in at least my office.


The DNS poisoning is annoying. I'm on the receiving end of 200 requests per second from people who think I'm Facebook, BitTorrent trackers, various porn sites.

I finally blocked port 80 for lots of Chinese IP blocks.


You are not alone. According to reports, many IT businesses relying on a stable internet connection have moved away from Mainland China to other countries in Asia like Singapore.

The problem is, the government doesn't actually care. They see political stability as the top priority. To achieve it, they are willing to sacrifice foreign business chances.


Any link to such reports? Curious to see.


So true. Communication, communication, communication.

1. They don't have internet. They have something like an intranet. If you want to use Baidu or order on Taobao, it will work.

2. Phone calls. Forget Skype or VoIP. Make a big down payment on your phone for international calls and you can call abroad. Kind of.

3. Postal mail. Good luck relying on that, especially for mail from abroad. Best chance is to use an express service (FedEx etc.) and pay the price.


Now is another good time to remind people of projects like Streisand[0], which make setting up censorship-avoiding tools simpler than they otherwise would be.

Streisand in particular provides various tools for masking VPN traffic as HTTPS (Stunnel/SSLH et al) that may prove useful during crackdowns like this. As well as setting up things like a tor bridge.

One note: there is currently an issue with the Digital Ocean provisioning, which prevents it from completing initial setup, but I have easily and successfully set up instances on Rackspace and AWS recently.

[0]: https://github.com/jlund/streisand


The DigitalOcean provisioning issue was recently fixed, and creating new droplets is working properly. Making the mirroring segment more resilient to failures is high on my list of priorities. Thanks for the positive feedback!


I cloned this repo on my local machine in case one day all VPN and GitHub itself are blocked.


Unless you are presently in China that seems like overkill - kinda like having a backup plan for your photos that can survive a nuclear war.


Uh, I am a native Chinese in China. This would look like overkill just one year ago, but today it seems more than likely.


The whole Chinese way of doing things makes me think that most people live in enormous Skinner boxes. It makes me reflect on my own media consumption. What messages am I receiving? How is processing those messages affecting my view of the world? What experiences or opportunities am I missing out on because of the messages I am receiving and processing and how they are affecting my internal model of the world?

Look at people who get addicted to MMOs like World of Warcraft for example. They voluntarily limit themselves to the messages they receive from the game and this influences their behavior significantly.

The proof that control of these messages and of which messages are received by people is an extremely valuable commodity is that advertising is a multi-trillion dollar industry.

Even if everything was perfectly truthful, there is only a small amount of time for people to digest and absorb the world with their limited perception. Thus, the control of which limited set of messages people receive is also a huge source of power, and why a commercial in the Super Bowl is worth more than a random banner ad on some no-name website.

Reddit, Twitter and most social media are attempts to optimize this messaging problem.


You might be interested in Walter Lippmann's 'Public Opinion' from 1922. It basically lays the groundwork for manipulating and influencing a population's collective mindset by exploiting our inherent cognitive limitations and biases [1]. It has strongly influenced Western governments over the past century.

You can read it for free, courtesy of the American Studies department at the University of Virginia [2].

[1]: http://en.wikipedia.org/wiki/Public_Opinion_%28book%29

[2]: http://xroads.virginia.edu/~hyper/Lippman/cover.html


See also:

• Edward Bernays, "Public Relations" (1945) [1]

• "Century of the Self", BBC documentary by Adam Curtis [2].

[1] https://archive.org/details/publicrelationse00bernrich

[2] https://vimeo.com/85948693


Great - thanks a lot for that link to 'Public Relations'. I'll add it to my reading list.


Your media is your eyes and ears. They can manipulate your actions just by manipulating what people see.

When you travel around the world, this is the first thing you learn: all the people, in all countries, are manipulated by the media, controlled by the power structures.

"If you prick us, do we not bleed? If you tickle us, do we not laugh? If you poison us, do we not die?"

The Merchant of Venice

There is an almost automatic response to a stimulus you perceive. Whether real or artificially created does not matter to the brain.

In the supposedly "free countries", they just control the media that most people watch. Most people just do not care.

For example, most Americans have a South Park puppet idea of Saddam Hussein, but he was a very smart person. As this person spoke a different language, you could portray the idea that is convenient for helping the interests of the people in power, basically invading a foreign country to steal their oil.

Most Americans believe that they invaded Iraq because of extending democracy, weapons of mass destruction or whatever. But it only takes an hour of talking with real Iraqis (or traveling to Iraq) to know better.

Just one thing: how many films have you seen about Hitler and Nazism, and how many about Stalin, who killed more than Hitler? It was not convenient to portray Stalin as he was when he was alive.

Have you seen the image of Putin in the Western media today? Again, just understanding Russian makes a huge difference in how they could manipulate you.

Putin also manipulates his people, but he is not the only one.


Really, really o/t but...

I'm going through this now, having just returned to the UK after a number of years away. Last time I felt this way was when I left a village bubble for the bubble of London village.

That said, I'm amazed at how 'broken' everything is: schools, doctors, police, roads. And so much of London is still 'up and coming', i.e. a dump.

However, it can't have changed that much. Friends are still comfortably numb and tolerant of the entropy and propaganda. As I was before; indeed, I maintained a rosy view of Blighty all my time outside and it served as my benchmark for other countries. I'm sure the change is more with me: I see this place with new eyes and feel like a foreigner, tbh. It's an interesting position. Travel (not tourism) perhaps doesn't broaden the mind as much as create a cognitive dissonance. We deal with it by either denial and retreating into our set patterns, or adapting. The former is a living death. Embrace change or be consumed by it.

Re the UK: the government here is stealthily setting up its own great wall. Given the well established corporate news filters, speech censorship and language planning, it's no longer in anyone's interest to speak openly in public. What a system we have created for ourselves!

Still, as Kierkegaard reminded us: people lay so much store by freedom of expression, but not so much by freedom of thought. They can't take that away from us (yet).


You spend multiple sentences telling us the wrong reasons the U.S. went into Iraq. Pray tell, what is the real reason the U.S. invaded Iraq?


Agreed 100%. The media you (choose to?) consume has a profound influence on how you think / feel / react. The only way to win this game is not to participate. But that makes you a loner, "anti-social" etc ...


I've found that "hyper-nicheing" via twitter is a good way to go. I basically follow specific niche interests that I have and unfollow anyone who mentions any mainstream news. I just don't need those messages to achieve any of my goals. I dig deep into the message areas I'm interested in.


Well, we do have subcultures/countercultures. You can live a pretty comfortable life consuming non-mainstream media that is just as good and entertaining/informative as the Big stuff.


> It makes me reflect on my own media consumption. What messages am I receiving? How is processing those messages affecting my view of the world?

One day about 5 years ago, I swore in disgust that I would henceforth watch or listen to no more news media. Up to that point, I was a regular listener to NPR and also watched various news shows.

Other than occasional (and usually tech related) news articles on HN, I've kept my promise. And I've been stunned at how my politics and perceptions of the world have changed in just 5 years.


You mean optimize the messages to more perfectly craft a filter? :)


I'm living in Shanghai. Still connected fine over an IPsec tunnel. I run my own VPN server on Rackspace/AWS (only 2 public IPs); the connection is and has been relatively stable (about a year). 12 MBit/s from Shanghai to the IPsec server in Hong Kong, 38 ms consistent ping (100 MBit/s connection). Using a Cisco SMB router, so the connection is pure IPsec on standard ports.


I'm expecting to see a version of IP over Avian Carriers with Chinese Characteristics (IPoACwCC) come true. Actually we can set up a smuggling service like the ones that smuggle brand new iPhones, discounted Louis Vuitton and stuff out of Hong Kong. In the next decade, for example, when you want to file a pull request to github.com from Beijing, you just place an order at Taobao.com, save your pull request on an SD card, mail it to Shenzhen and wait for it to be smuggled to the other side (Hong Kong), sent to GitHub, and then the response sent back.

This service is expected to work just like pigeon-based and drone-based ones, in theory. The only concern not yet put to rest is whether Hong Kong would fall under the siege of the Great Firewall.

Meanwhile, I use an SSH tunnel to connect to a major US-based cloud service provider at work and at home in Beijing, and yes, the low speed and the long round trip time suck. And as of now my own StrongVPN subscription still works.


The ping would be terrible but if you ship a box of DVDs the bandwidth would be decent.


Relevant XKCD What if: When - if ever - will the bandwidth of the Internet surpass that of FedEx?

https://what-if.xkcd.com/31/


How do you handle access from mobile devices? I found managing a VPN (from iPhone) more trouble than it's worth. Moving between networks often dropped the connection long enough to kill the VPN.


Running my own L2TP/IPsec server for that as well. Older versions of iOS consistently closed the VPN connection when the phone was locked (or not connected via USB). iOS 8 is more stable, it seems, because it keeps the VPN connection active for longer.


Maybe you can try the Shadowsocks browser app from the App Store. It has a public SSH tunnelling proxy. You can also use your own server settings if you have one. Works pretty well for basic web stuff.


Thanks. That's cool & would alleviate the pain a bit, I guess. The thing that drove me nuts is that Slack was blocked, but I guess I could have run that from within a private browsing app like the one you recommended.


Cost?


Instance cost for Rackspace is basically nothing depending on data transfer; they have a relatively new program they call Developer+[0] which is basically 50 USD free per month. The VPN server software is open-source; I use Openswan (couldn't get the new fork Libreswan up and running correctly).

[0] https://developer.rackspace.com/developer-plus/faq/#what_is


What stops meaningful visits from visitors within China to sites hosted outside of China today is, thanks to the prevalence of CDNs, the CDN.

Need a font? Google fonts? Blocked.

Need a picture? Instagram? Blocked.

Need a video? Youtube? Blocked.

Need a CSS sheet? Use a CDN? Blocked or really slow.

Visiting a text-based website hosted outside of China [from within China] is usually pretty good. No VPN necessary.

CDNs are a Firewall quick-kill, a lazy-kill. If you host a site outside China, that you'd like to be visible within China, self-host anything you'd otherwise think about off-loading to a CDN. That makes the need for a VPN for your audience redundant.
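A quick audit for the problem described above, added here as an example (not code from the thread): it parses a page's HTML with the standard library and lists every subresource fetched from a host other than the site's own, which are the assets to consider self-hosting. The sample page and the cdn.example.net / images.example-cdn.com hosts are constructed for the example.

```python
"""List resources an HTML page loads from third-party hosts.

Added example, not code from the thread. It parses the page with
html.parser, collects the src/href targets of tags that trigger a fetch
(script, link, img, iframe, video, audio, source), resolves them
against the page URL and reports the ones served from another host.
Those are the assets a visitor behind a blocked or throttled CDN path
fails to load, so they are the candidates to self-host.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that cause the browser to fetch a subresource.
_FETCH_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
}


class ResourceCollector(HTMLParser):
    """Gathers absolute URLs of every fetched subresource."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_names = _FETCH_ATTRS.get(tag)
        if not attr_names:
            return
        attrs = dict(attrs)
        for name in attr_names:
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset is "url 1x, url2 2x": keep only the URL parts.
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value.strip()]
            for c in candidates:
                # urljoin resolves relative paths and protocol-relative
                # "//cdn.example.net/..." references against the page URL.
                self.urls.append(urljoin(self.base_url, c))


def third_party_resources(html, page_url):
    """Return sorted (host, url) pairs for resources not on the page's own host."""
    own_host = urlparse(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    found = set()
    for url in collector.urls:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            continue  # data: URIs and the like are inlined, not fetched
        if parsed.hostname and parsed.hostname != own_host:
            found.add((parsed.hostname, url))
    return sorted(found)


# Constructed sample page (not a real site) mixing self-hosted and CDN assets.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="//cdn.example.net/lib/app.min.js"></script>
<script src="/static/main.js"></script>
</head><body>
<img src="https://images.example-cdn.com/hero.jpg" alt="">
<img src="/static/logo.png" srcset="/static/logo.png 1x, https://images.example-cdn.com/logo@2x.png 2x">
<iframe src="https://www.youtube.com/embed/xyz"></iframe>
<img src="data:image/png;base64,iVBORw0KGgo=">
</body></html>"""

if __name__ == "__main__":
    for host, url in third_party_resources(SAMPLE_HTML, "https://www.example.org/index.html"):
        print(f"{host:28} {url}")
```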


I imagine the things you list are, to the CCP, a feature and not a bug. The harder it is for Chinese to leave the censorship bubble the better. I imagine the end-game for China is a completely cut off internet. Once they have enough domestic services it'll be safe to do. They're just not there yet.

My organization was forced to deploy a server in China with specialized content for the Chinese. That server and its content are under the CCP's censorship and control, and being an autocratic, non-democratic government means that the chances of reform are virtually nil. We're allowed, by the good graces of the CCP, to have a presence in China that they control. This is their end game. Controlled foreign sites hosted locally and the international internet either completely cut off or just allowed for certain companies and elites.

Autocracy and freedom of information just don't work. The Chinese people, who are very nationalist, have chosen the former and are quite proud of it, often citing the "decadent west" as something they don't want to become and using the word "democracy" as an insult. Let's stop acting surprised about censorship in China. Some people prefer to be ruled by an iron fist.


Another feature (for the CCP) of disconnecting from the Internet-at-large (and recreating whatever they want within a walled garden) is that then they can work on making the rest of the Internet dangerous or unusable for other countries [1].

With enough support from non-Chinese providers (think: Apple, Cisco, Google, etc), the transition could be entirely smooth to completely disconnect (even to the point where Apple and its ecosystem are effectively replaced by Xiaomi/Huawei at the hardware/device level).

[1] https://news.ycombinator.com/item?id=8931827


It's not just autocracy. The US government is quite aggressive in shutting down websites that spread information it doesn't like. They also sometimes go further and arrest and imprison the operators. Examples include gambling, piracy and drug trading sites.


While true in a literal sense, it's an insane exercise in false equivalence to compare US censorship practices with the PRCs. You will not see political speech treated as if it were a physical threat here.


Some people need to believe that the West is just as bad as China, reality be damned.


This blocking shit is so annoying. The Chinese shoot themselves in the right knee, then in the left knee and say, look, we have the biggest balls! Yes, you may have the biggest balls, but you can't walk anymore, dumbo!

I have experienced that feeding someone his own poison is often the best medicine. Providers worldwide should block email access to all China-based email for a month or two. It would be a picture for the gods, having the Chinese executives and CEOs abroad cut off from their email and crying "foul!" "foul!".

This being said, the Chinese are pretty good at what they are doing. What will it buy them in the long run? Even big Chinese companies in China use VPNs to access the internet. The final result will be that China won't have internet but something like an intranet. Good luck with that!


Well, with all the nationalism I guess they WANT an intranet. And I think they can probably pull it off. The Chinese Intranet is pretty good actually & there's a lot of pride in using home-grown services and hardware, just count the XiaoMi phones next time you're in the subway. (Brilliant brand name BTW)


You can't afford to have only an intranet. Not if you want to be a leading power. I even had problems looking up pages from small technology companies that were blocked.

They don't have google. Baidu does not compare, not the slightest bit. Yes, they have bing. Try finding an address at bing (or baidu) maps in China. It does not work 50% of the time when google is right on the spot.

XiaoMi? Yes, some nice hardware. But the software comes from the west.


> XiaoMi? Yes, some nice hardware. But the software comes from the west.

Not entirely. They use (or at least have used) mediatek chipsets. Their drivers... well, do a github search for mediatek chipset-based android source code. People have placed entire dumps of Mediatek stuff on Github... and the stuff I could find in 5min is SCARY. Fucking scary. And that's just the tools for the manufacturer, their kernel drivers are a mess of ifdefs and commented out code, with the sparse comments written in some Asian language.


Scary in what sense? Could you elaborate whether you are talking in terms of security, backdoors etc. or just buggy badly organized code?


> Would be a picture for the gods having the Chinese executives and CEOs abroad cut off from their email and crying "foul!" "foul!"

The government could care less about the difficulties of CEOs as long as their power is consolidated and ensured. I used to believe that the CPC's first and foremost goal is economy building. How naive I was! Their priority has always been power.


How would (will?) China react if Musk gets his low-earth orbit satellites providing Internet globally? I assume China could block the domestic sale of the receivers. But in the long run, a globally accessible Internet would raise interesting issues, and perhaps be seen as an act of aggression by regimes in North Korea, China, etc.



My company hires freelancers for China-related research. Contributors from Mainland China would be ideal. But my reliance on services like Google Drive means that I typically end up with people from HK, Taiwan, Singapore and Malaysia. It's simply much more convenient.


Try to set up a cloud service that is not from Google, e.g. Amazon AWS or MS Azure.


Connection to Amazon AWS is frequently disrupted by GFW (but not completely blocked like Google's services). I don't know about MS Azure, but nothing is safe these days.


This has been going on for some time now, I'm surprised it is being reported again now.

Rule of thumb: if someone can work out what you are doing by launching Wireshark, so can a nation-scale IPS system à la Great Wall.


That's true but just to be clear, they are not blocking VPNs at protocol level but "manually" blocking the IPs of specific providers. They do the same with Tor: block all public Tor relay IPs.


More than that. They look for outgoing connections that look like Tor, and then, a few minutes later, they actively scan it:

https://idea.popcount.org/2013-07-11-fun-with-the-great-fire...


My own VPN instances have been shot down within a couple of days of use, definitely IPS-style behavior.

I can't comment on commercial providers, but the capability to autoblock common VPN protocols is definitely there.


Interesting, I didn't know they did that. I've been running my own VPN as well for a couple of years without problem. Is it possible you were running Tor on your server or something else got you blocked (some AWS IPs seem to get blocked for no apparent reason)?


No, just OpenVPN, and from the searching I did at the time, this is a well known problem.

These days I just tunnel over SSH or even remote desktop into a remote server.


At Tinfoil Security we wrote a service for generating disposable VPNs on the fly. It's open source, and I personally made use of it while in China a few weeks ago.

https://www.tinfoilsecurity.com/vpn/new


My old company has its dev team in Shanghai; we used multiple VPNs: OpenVPN and a Cisco VPN; we set them up on the company's router. Normally it's ok except on some special days like every year's session.


Some providers (like NTT) also offer MPLS lines. The company I work for rents one which goes directly to Europe. Those are also not affected by the firewall and in general much faster than normal VPN setups.


Isn't that illegal in China? Or not? Are there any repercussions if you get caught evading in one way or another their national firewall?


I think it's ok since the CCP denied the existence of the GFW; and we would just do things related to work, it's like an unwritten rule.


Cisco is known to support "lawful intercept" protocols in their routers (in fact they were the ones to propose it to the IETF a decade ago), so I wonder if they find it ok to not censor your connection because they can already spy on it. This way at least they can check if it's really for "work". Other VPNs, which they know aren't used for work, get blocked.


My impression is that they don't care too much about individuals evading the firewall. It's a tool for broad social control, which doesn't need to be airtight to accomplish its goals. As long as it's inconvenient to browse to blocked sites, it redirects conversational topics to safer areas, and a small number of individuals bypassing it doesn't affect that too much.


Most Chinese give a f. if something is illegal or not. Look at the X-ray machines that you are supposed to put your luggage in before you enter the subway. Many Chinese just walk by and ignore the complaining security girls.

VPNs? Well, companies need internet and EVERY company in China uses them. It is so stupid and insane at the same time.


China is not a state ruled by law (as some believe, it is ruled by theft, or a kleptocracy). So it is not well defined whether this incident is illegal, and usually for controversial issues, arguing for or against its legal status is not helpful at all.


Your experience may be old. VPNs are getting worse every day.


The Shanghai American school also uses a Cisco VPN. Pretty great for the students since the entire campus is on a VPN.


Does anyone know if there is technology out there which would allow for VPN traffic to blend in with other traffic, or to bypass DPI in any way?


Golden Frog's Chameleon protocol does something like this. It's based on OpenVPN256, but adds packet scrambling for the header and footer.


SSL VPN, but it would likely be targeted anyway.


Fucked up! Baidu should never be used to search English pages. Even if you search for an English glossary, it will return some unrelated low-quality Chinese web pages. And in many professional sections, you can only find stupid shallow scraped content in Chinese even with Google. When you have to search in English, Bing is the most convenient one left. The problem is I have to say to myself loudly each time I search in Bing: "is Bing retarded!?" Maybe Bing is trying its best to be different from G. Then when G gets most of the right results, Bing sucks so hard by bringing tons of heavily SEOed crap.

I use Gmail, AdSense, Google Calendar daily, and expect to use Facebook, Twitter and other SM daily. I use 3 to 4 methods to get through the GFW; none of them can guarantee stable access. The fuckest thing is I waste 1/3 of my working time only because of the blocking. (Really, when you can't get through or the speed is too slow, you just don't know where you've surfed to and what you've been reading for hours).


I am currently a Business VPN user of PureVPN and it's working perfectly fine. My employees can access Google/Gmail and the rest of the websites easily. I did face the speed issue but their support team provided me with the "Stealth" protocols, and after that the speed went back to normal.

source: http://www.purevpn.com/blog/china-great-firewall-update-has-...


Many VPN services now provide obfuscated access. Some use haggismn's XOR patch for OpenVPN. Others provide access via SSH, Stunnel (SSL) and/or obfsproxy (obfs3). I presume that any approach developed for Tor could be used with VPN. Using meek, traffic is obfuscated and routed through arbitrary third-party sites.


Here's a question: If some VPNs are blocked and others aren't maybe they are just blocking stuff that they can't control?

In other words: The services that are good enough to prevent eavesdropping are blocked, while the other services are "clear text" to the attacking party. Is that a possibility?


God is the internet annoying there. They randomly drop packets just to disrupt VPN connections. One method may work today but not tomorrow. I've had luck with alternating between obfsproxy and ssh and l2tp.

The truth is that no one cares. Everyone more or less knows, but it's a pain in the ass to bypass.


I know China uses a lot of Linux... how the hell do they get by with SSH?! If you are an administrator wouldn't SSH immediately flag you as using a VPN?


How do foreigners doing business in China deal with this? Presumably there are a lot of large companies doing very important work and very important deals in China and being able to connect to the company network while they are in China over VPN is necessary?


I'm not clear on the details, but the last place I worked at had a (very expensive) tunnel through Hong Kong to our US data center.


What about I2P, Tor?

Communism, dictators, some kings, like extreme religions, want to control the flow of information so the minds of the population don't catch dangerous memes like freedom movements.


Tor does not work in China. You can't enter the network. You need something called "bridges". You have to send an email to get the IP addresses of "entry points". If I remember right, you had to have a Gmail email address to receive them. It never worked for me.


Could they ever possibly break an SSH tunnel over port 80/443?


I think that there's evidence they are already doing packet inspection and active interrogation for anything they deem suspicious. So if your SSH tunnel has some recognizable traffic characteristics, it's game over.

There is an option to configure OpenVPN with a fixed key that it uses to encrypt all and any traffic, leaving only random data. That's very desirable right now since there are no easy ways to detect it, but in the future I guess they'll just outright block any traffic that is just too random. Real plaintext traffic, certainly with verbose 1980s protocols like HTTP, trivially fails many randomness tests.
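The randomness tests the comment refers to, as an added example (not code from the thread): Shannon entropy in bits per byte and a chi-square test of the byte histogram against a uniform distribution, run over a constructed HTTP request and over the same number of bytes from os.urandom. The two cut-off values are assumptions chosen for this example, not a standard.

```python
"""Byte-level randomness tests separating plaintext protocol traffic
from encrypted or random-looking payloads.

Added example illustrating the comment above; not code from the thread.
Two classic tests are applied to a payload: Shannon entropy in bits per
byte (8.0 is the maximum) and the chi-square statistic of the byte
histogram against a uniform distribution (255 degrees of freedom; the
1% critical value is about 310). A constructed HTTP request fails both
tests; bytes from os.urandom pass both.
"""
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    if not data:
        return 0.0
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


# Illustrative thresholds chosen for this example (assumptions, not a standard).
ENTROPY_MIN = 7.5       # bits/byte; plaintext protocols sit far below this
CHI_SQUARE_MAX = 350.0  # generous cut above the ~310 1% critical value for 255 df


def looks_random(data: bytes) -> bool:
    """True when the payload passes both tests, i.e. is indistinguishable from noise here."""
    return shannon_entropy(data) >= ENTROPY_MIN and chi_square(data) <= CHI_SQUARE_MAX


# Constructed sample of a plaintext HTTP/1.1 request (not captured traffic),
# repeated so the sample is large enough for the chi-square approximation.
HTTP_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.org\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    b"Accept: text/html,application/xhtml+xml\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"Connection: keep-alive\r\n\r\n"
) * 16

# Same size as the HTTP sample, drawn from the OS random source.
RANDOM_PAYLOAD = os.urandom(len(HTTP_REQUEST))

if __name__ == "__main__":
    for label, payload in (("HTTP request", HTTP_REQUEST), ("random bytes", RANDOM_PAYLOAD)):
        print(f"{label:13} entropy={shannon_entropy(payload):.2f} "
              f"chi2={chi_square(payload):8.1f} random={looks_random(payload)}")
```

Note that the same tests also flag compressed or TLS payloads as random, so on their own they separate plaintext from "not plaintext" rather than identifying any particular tunnel.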


It's implausible that they could decrypt it, but they could certainly block it.


Sometimes. It depends on the day, time, location. Many things. A website may be blocked today but not tomorrow. Even gmail (web interface) worked on SOME days. It may be blocked in Shanghai but not in Beijing and vice versa.

Port 443? Good chance, if you have your own IP address, that it works most of the time, so-so. But I have 50% packet loss. Facebook and Google (?) rarely worked over SSH.


Port-forwarded proxies over ssh work better than OpenVPN.



