China orders telecoms to block personal VPNs by February

It's getting harder to climb over the Great Firewall.

China declared that virtual private networks were illegal back at the start of the year, and now it's giving telecoms no choice but to fall in line. Bloomberg sources understand that the government has told carriers to block individual access to VPNs by February 1st. Companies can still use VPNs internally, and will reportedly be allowed to use leased lines (registered with officials, of course) to access the full internet, but everyone else appears to be out of luck.

It's no secret as to why China would set a firm deadline. Officials know VPNs are regularly used to get around the Great Firewall and access blocked services that might host political dissent, but merely making these private, secure connections illegal won't deter people. It has to make the very act of accessing a VPN difficult if the law is going to have any teeth.

This is bad news for free speech in China, of course, as it makes eluding censorship that much harder. Moreover, it may hurt businesses that are just trying to get work done. What if you're visiting China and need to use a VPN account to access business info while you're away? Not every company needs or can justify internal VPNs in China, and it's not always an option to visit someone else's offices just to check a website or send a message.

Thankfully, this isn't the only way of dodging the censors. Open proxies like Shadowsocks are still around. The question is whether or not China will clamp down on these alternatives as swiftly and thoroughly as it is with VPNs. Historically, solutions like Shadowsocks tend to be reborn or adapt in the face of threats -- there's just no guarantee that they can keep it up forever.

https://www.engadget.com/2017/07/10/china-orders-telecoms-to-block-personal-vpns-by-february/

Comments

  • Mate, VPN is like from the last century; let it rest in peace.
    Shadowsocks is working and will still be.

  • I am in China; Shadowsocks is still working now.

  • Clouvider (Member, Patron Provider)

    @server1 said:
    I am in China; Shadowsocks is still working now.

    Feb 2018...

  • server1 (Member, edited July 2017)

    It cannot be sealed off; if Shadowsocks is sealed off, there are other ways.

  • Clouvider (Member, Patron Provider)

    @server1 said:
    It cannot be sealed off; if Shadowsocks is sealed off, there are other ways.

    Of course the tech evolves, I was merely pointing out that saying it works now is pointless.

  • No way, most Chinese do not like to talk about politics.

  • Clouvider (Member, Patron Provider)

    Ok, let me excuse myself from this discussion.

  • tamicrealo said: Mate, VPN is like from the last century; let it rest in peace. Shadowsocks is working and will still be.

    Foreign companies have no use for Shadowsocks. I'd like to see how you get a Cisco ASA (IPsec) to run over that for a link to a bank's NYC office.

    Shadowsocks can also be blocked; Iran has done this at times and uses similar, if not the same, tech as China.

    Thanked by Aidan
  • Meanwhile, Taiwan is to allow same-sex marriage.

    If China is a glorious name, don't you think Taiwan should be the rightful one to earn it?

    Thanked by Nuntius
  • You can still use stunnel to encapsulate the content of the TCP stream in TLS over TCP.

    So basically add another plain TLS layer over your OpenVPN traffic on port 443 to fool the DPI into thinking it's plain HTTPS traffic.

  • Neoon (Community Contributor, Veteran)

    @NexusH798 said:
    Meanwhile, Taiwan is to allow same-sex marriage.

    If China is a glorious name, don't you think Taiwan should be the rightful one to earn it?

    You still need to keep the citizens motivated, at least with sex and alcohol.

    Otherwise, tons of them take to the streets and demonstrate.

    If you keep that minimum, only a small number will complain even when you cut down the rights of the citizens.

    Thanked by Yura
  • William (Member, edited July 2017)

    stefeman said: So basically add another plain TLS layer over your OpenVPN traffic on port 443 to fool the DPI into thinking it's plain HTTPS traffic.

    Not for long either; modern ZTE IDS (16 models and on) can call the source with the spoofed user IP (so an IP filter is useless) and try to build an HTTPS (not just TLS/SSL, HTTPS) connection; if that fails it can drop the entire stream.

    The result is thus that you then need to have HTTPS running and a valid plaintext reply on it.

    Thanked by vimalware
  • @William said:

    stefeman said: So basically add another plain TLS layer over your OpenVPN traffic on port 443 to fool the DPI into thinking it's plain HTTPS traffic.

    Not for long either; modern ZTE IDS (16 models and on) can call the source with the spoofed user IP (so an IP filter is useless) and try to build an HTTPS (not just TLS/SSL, HTTPS) connection; if that fails it can drop the entire stream.

    The result is thus that you then need to have HTTPS running and a valid plaintext reply on it.

    You could enable TLS client authentication: an attacker will not be able to initiate a working TLS session and will not be able to guess which payload is encapsulated over TLS.

    or..

    Serve both HTTP and OpenVPN over the TLS session with sslh, automatically detect the payload protocol, and dispatch either to a plain HTTP/TCP server or to your OpenVPN/TCP server.

    or..

    Use a standard HTTP/TLS server and use HTTP CONNECT over TLS to connect to the OpenVPN server: it will look like a standard HTTP server. You can even require client authentication in order to authorise the HTTP CONNECT request (squid should be able to do this).
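
As an added example, not code from the thread, from sslh or from any vendor's IDS, here is a Python sketch of both sides of the exchange in the last few posts. The first-bytes classifier is the kind of probing sslh does to dispatch one port to HTTP, SSH or OpenVPN, and those bytes are exactly what an in-line DPI box sees as well. The active probe is the check William describes: connect back to the server, speak HTTP, judge the reply. It runs against an in-memory fake socket so the script is self-contained; the canned server replies are constructed. The OpenVPN opcode values and the 14-byte minimum for a bare hard-reset packet follow OpenVPN's TCP framing; treating opcode 10 (tls-crypt-v2 client hard reset) as a client hello is my addition beyond the classic sslh check.

```python
"""Two sides of the "is this really HTTPS on 443?" game (added example, not from the thread)."""
import re
import struct

# Request line of an HTTP/1.x request, as sent by a browser or by a proxy CONNECT client.
_HTTP_REQUEST = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT|PATCH|TRACE) \S+ HTTP/1\.[01]\r\n")
# Status line of a well-formed HTTP/1.x response.
_HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] [1-5]\d\d [^\r\n]*\r\n")

# OpenVPN control-channel opcodes that open a session (high 5 bits of the opcode byte).
# 7 = P_CONTROL_HARD_RESET_CLIENT_V2 (what sslh matches); 10 = the tls-crypt-v2 V3 variant.
OPENVPN_CLIENT_HARD_RESET = {7, 10}


def classify_first_bytes(data: bytes) -> str:
    """Guess the protocol from the first bytes a client sends, sslh style.

    Order matters: the cheap, exact matches first, the loose heuristics last.
    """
    if data.startswith(b"SSH-"):                      # SSH banner is plaintext, always
        return "ssh"
    if _HTTP_REQUEST.match(data):
        return "http"
    # TLS record: content type 0x16 (handshake), version 0x03xx, handshake type 1 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    # OpenVPN over TCP: 2-byte big-endian length, then (opcode << 3) | key_id.
    # A bare client hard reset is 14 bytes; tls-auth appends an HMAC, so only a lower bound.
    if len(data) >= 3:
        length = struct.unpack(">H", data[:2])[0]
        if (data[2] >> 3) in OPENVPN_CLIENT_HARD_RESET and length >= 14:
            return "openvpn"
    return "unknown"


def build_openvpn_hard_reset(session_id: bytes = b"\x01" * 8) -> bytes:
    """Constructed sample: P_CONTROL_HARD_RESET_CLIENT_V2 without tls-auth, as sent over TCP.

    opcode/key_id (1) + session id (8) + ack array length 0 (1) + packet id (4) = 14 bytes.
    """
    payload = bytes([7 << 3]) + session_id + b"\x00" + b"\x00\x00\x00\x00"
    return struct.pack(">H", len(payload)) + payload


class FakeSocket:
    """Constructed stand-in for a TLS-terminated socket: the reply is computed from what was sent."""

    def __init__(self, responder):
        self._responder, self.sent, self._reply = responder, b"", None

    def sendall(self, data: bytes) -> None:
        self.sent += data

    def recv(self, n: int) -> bytes:
        if self._reply is None:
            self._reply = self._responder(self.sent)
        chunk, self._reply = self._reply[:n], self._reply[n:]
        return chunk


def active_probe(sock, host: str = "example.com") -> str:
    """Censor-side check: talk HTTP to whatever answered on 443 and judge the reply.

    'https' for a well-formed HTTP response; 'not-https' for silence, EOF or garbage.
    """
    sock.sendall(b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nConnection: close\r\n\r\n")
    return "https" if _HTTP_RESPONSE.match(sock.recv(4096)) else "not-https"


def simulate_endpoint(first_bytes: bytes, sslh_in_front: bool) -> bytes:
    """What comes back through the TLS tunnel. With sslh dispatching, HTTP reaches a real web
    server; without it, the GET lands on OpenVPN, which cannot parse it as a control packet and
    closes the connection (modelled as an empty reply)."""
    if sslh_in_front and classify_first_bytes(first_bytes) == "http":
        return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                b"Content-Length: 14\r\n\r\n<html></html>\n")
    return b""


if __name__ == "__main__":
    for sample in (b"SSH-2.0-OpenSSH_7.4\r\n", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n",
                   b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03", build_openvpn_hard_reset()):
        print(f"{sample[:12]!r:40} -> {classify_first_bytes(sample)}")
    for fronted in (False, True):
        verdict = active_probe(FakeSocket(lambda sent: simulate_endpoint(sent, fronted)))
        print(f"sslh in front: {fronted!s:5} -> probe verdict: {verdict}")
```

Without sslh the probe's GET hits OpenVPN, which drops it, and the verdict is not-https; with sslh dispatching, a real web server answers and the probe passes. That is what stefeman's second option buys, and it is why William's rebuttal has to fall back on timing and traffic-shape analysis of the established stream rather than on the handshake. Note also that the classifier never sees inside TLS: everything it can tell apart here is what the tunnel exposes before or outside the encryption.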

  • William (Member, edited July 2017)

    stefeman said: You could enable TLS client authentication: an attacker will not be able to initiate a working TLS session and will not be able to guess which payload is encapsulated over TLS.

    The IDS will kick this connection; the HTTPS stream will not work.

    The point is that ONLY HTTPS is allowed with this flag set; any encapsulated stream is terminated. If the IDS cannot build one, due to cert auth or because it is not HTTPS, it will kill the entire connection for your link.

    stefeman said: Serve both HTTP and OpenVPN over the TLS session with sslh, automatically detect the payload protocol, and dispatch either to a plain HTTP/TCP server or to your OpenVPN/TCP server.

    Hard, as the source for HTTPS is your connection IP and the IDS has a full stream view in-line. It can be detected by watching the stream after it's established for certain markings of HTTPS vs. plain TCP (connection time, traffic bursts and others).

    stefeman said: Use a standard HTTP/TLS server and use HTTP CONNECT over TLS to connect to the OpenVPN server: it will look like a standard HTTP server

    This works but slows things down and causes load on both sides. It can also be detected if your web proxy does not deliver an actual website on HTTPS and just a string/whatever.

    And these are just the ways to actually block a single connection/stream; if desired the IDS can, on suspicious behaviour (example again Iran), just drop your server's entire external IPv4 into the country's firewall (so here the GFW). The error rate might be somewhat high, but as we know from the past, why would any government care much about that...

  • randvegeta (Member, Host Rep)

    William said: And these are just the ways to actually block a single connection/stream

    What about tunnels over SSH and other encrypted protocols where you can form some sort of tunnel? You think those can be blocked?

    I see this as a problem for VPN companies in general, but not likely to be a problem for people who run their own private VPNs. So VPS providers in HK may see an uptick in sales if we see an exodus of Chinese users moving away from VPN companies. No?

  • @Neoon said:
    You still need to keep the citizens motivated, at least with sex and alcohol.

    Otherwise, tons of them move on the street and demonstrate.

    If you keep that minimum, only a small amount will complain even when you cut down the rights of the citizens.

    Like father, like son. I think people in mainland China are satisfied with the government. After all, most of the politicians are Han Chinese; they have the same culture, same values, same servility as the citizens.

    That's why the One-China policy is no more than self-deception. People in Taiwan, even in Hong Kong, have quite a different attitude to politics. They are no longer part of the traditional Han Chinese.

  • randvegeta (Member, Host Rep)

    NexusH798 said: They are no longer part of traditional Han Chinese.

    Umm.. aren't you confusing this with ethnicity?

  • @randvegeta said:
    Umm.. aren't you confusing this with ethnicity?

    That's the only interesting thing in the news. When does a new ethnicity appear?

    Over the wall or break the wall. The choice could be the divide.

  • randvegeta (Member, Host Rep)

    NexusH798 said: That's the only interesting thing in the news. When does a new ethnicity appear?

    Over the wall or break the wall. The choice could be the divide.

    I don't think you can just create a new ethnicity, especially not one that's based on political differences. You cannot choose your ethnicity, but you can choose your political ideology. The vast majority of HK, TW and CN are ethnic Hans. This won't change any time soon (if ever).

    Separate these areas long enough and you may very well indeed end up with different 'ethnicity', but that seems unlikely. Chinese tend to stick together. That's why Vancouver is sometimes known as Hong Kong 2!

  • BAKA (Member)

    @randvegeta said:

    William said: And these are just the ways to actually block a single connection/stream

    What about tunnels over SSH and other encrypted protocols where you can form some sort of tunnel? You think those can be blocked?

    SSH can be easily detected. If you have a high amount of traffic (e.g. YouTube), the GFW will start to interrupt it. openssh-obfs doesn't last long either. Moreover, you have to solve the congestion problem of SSH tunnels.
    If you try to solve all these problems, in the end you'll find yourself re-inventing Shadowsocks.

  • William (Member, edited July 2017)

    randvegeta said: What about tunnels over SSH and other encrypted protocols where you can form some sort of tunnel? You think those can be blocked?

    No, but again: Iran. Iran throttles SSH to a few Kbit/s depending on the political climate; this is fine for SSH text usage but not for tunneling.

    This is a standard IDS feature in ZTE as well.

    BAKA said: Moreover, you have to solve the congestion problem of SSH tunnels.

    That is the network. An SSH tunnel has no congestion if both sides do crypto in hardware or have enough CPU; it also has not much overhead if your general network quality is not horrible.

    NexusH798 said: I think people in mainland China are satisfied with the government

    No, corruption is a major issue; however this is, by most I know, attributed far more to provincial and local government than to Beijing. The central government is "corrupt" on an international scale (selling out resources and so on) but obviously not much locally.

    NexusH798 said: they have the same culture, same values, same servility as the citizens.

    "Han" is not the same culture. Han Chinese on the coast and inland differ in culture, a LOT.

    NexusH798 said: Over the wall or break the wall. The choice could be the divide.

    Divide what, the few % non-Han out of China? Beijing has been trying for a long time to basically decimate the Muslim (Uighur) population already, so this is not a new concept. See also Tibet. What China will NEVER do, in any case, is give up land area to another country.

    randvegeta said: The vast majority of HK, TW and CN are ethnic Hans. This won't change any time soon (if ever).

    Mainlanders are not much liked in HK though (as you probably know anyway) and I can only agree with that; their integration will, education (both science and political) as well as general cultural manners/behaviour (especially refusing to use English and thinking they own HK, and that the Mainland is so much better) are plainly annoying at best.

  • Interesting fact: when I bring my Project Fi phone to China (China Mobile being the roaming carrier) I can browse the blocked content without any effort; however, if I purchase a China Mobile card directly in China then that content comes blocked.

  • @William said:

    randvegeta said: What about tunnels over SSH and other encrypted protocols where you can form some sort of tunnel? You think those can be blocked?

    No, but again: Iran. Iran throttles SSH to a few Kbit/s depending on the political climate; this is fine for SSH text usage but not for tunneling.

    This is a standard IDS feature in ZTE as well.

    If worse comes to worst, can lynx still work with throttling? Is it possible for them to detect lynx in any way?

  • raindog308 (Administrator, Veteran)

    server1 said: No way, most Chinese do not like to talk about politics.

    For the first time in my life, I have a powerful desire to move to China.

    Thanked by AuroraZ, david_W, netomx
  • @dedipromo said:
    Interesting fact: when I bring my Project Fi phone to China (China Mobile being the roaming carrier) I can browse the blocked content without any effort; however, if I purchase a China Mobile card directly in China then that content comes blocked.

    What (external) IP do you get though?

    Usually all mobile data roaming is backhauled through the "home" network.

    Not sure if Project Fi is any different in that sense, but I can roam in the mainland with a Hong Kong SIM card bypassing the GFW (since all traffic is backhauled directly through HK).
    However, considering the added latency, costs and lack of 4G access, it's far from being an ideal solution.

  • @salakis said:

    @dedipromo said:
    Interesting fact: when I bring my Project Fi phone to China (China Mobile being the roaming carrier) I can browse the blocked content without any effort; however, if I purchase a China Mobile card directly in China then that content comes blocked.

    What (external) IP do you get though?

    Usually all mobile data roaming is backhauled through the "home" network.

    Not sure if Project Fi is any different in that sense, but I can roam in the mainland with a Hong Kong SIM card bypassing the GFW (since all traffic is backhauled directly through HK).
    However, considering the added latency, costs and lack of 4G access, it's far from being an ideal solution.

    I didn't check my IP during my last stay in China, but I suppose it was a China Mobile IP because I did get 4G access at full speed to local websites like Baidu and 12306.cn while bypassing the GFW when visiting Facebook and Twitter.

  • @dedipromo said:
    Interesting fact: when I bring my Project Fi phone to China (China Mobile being the roaming carrier) I can browse the blocked content without any effort; however, if I purchase a China Mobile card directly in China then that content comes blocked.

    Roaming is kind of a complex situation. I'm a China Mobile user in China; last month I went to South Korea with roaming data (handled by Korean Telecom), only to find out I was still blocked from Instagram/Facebook/Twitter and even Google Maps. WTF... My backend IP was still from Beijing, China, and Korean Telecom was only a proxy.

  • dragonballz2k said: If worse comes to worst, can lynx still work with throttling? Is it possible for them to detect lynx in any way?

    Sure, just slow. There is no way to tap SSH unless you accept a wrong host key; they can only disable the port entirely.

    dedipromo said: I didn't check my IP during my last stay in China, but I suppose it was a China Mobile IP because I did get 4G access at full speed to local websites like Baidu and 12306.cn while bypassing the GFW when visiting Facebook and Twitter.

    Depending on your carrier you get either backhaul, which is uncensored, or a local IP, which is less censored. Average CN users do not have the ability to get this.
