by org3432 3292 days ago
This was my experience as well, my USA cell phone wasn't even blocked from accessing websites that were normally blocked in China, they make an exception. There could be some cases where you could run into issues, but the paranoia is greatly exaggerated, and being a "socially responsible" techie is not acting like a conspiracy theorist wing nut.

a vpn that can unblock all those websites can be purchased for $15/year.

ironically, you don't get comparable Internet speed or cost (my 200mbps Internet costs me $180/year, or I can upgrade it to 500mbps for $400/year) in most "free" countries. I'd be protesting really hard if I have to pay some unfair cost, say $50/month or more, to suffer from the so-called uncensored broadband running at tortoise speed such as 50mbps or less.

Nearly all VPNs that you can get now by searching will be blocked when they become popular quickly. But if you have your own server (or a VPS) and set up a VPN or shadowsocks server, there will never be such a problem. It's because China blocks websites via a blacklist, so only some well-known IPs will be blocked. Many friends of mine are using shadowsocks to unblock now (I'm Chinese :).
That is not true. It is a well-known fact that the Great Firewall has done deep packet inspection since the early 2000s, e.g. when Google was still available in China, your connection got stopped for a few minutes every time you searched for some undesirable keywords.
I'm afraid your follow-up is even more inaccurate.

We developed shadowsocks for the exact purpose of battling machine learned DPI head on.

The real challenge is the (poor) quality of the networks and the topology of the censorship body all around China. The black-box nature of such a state system made each improvement feel like an experiment at best, simulated annealing at worst.

The claims I was referring to are highly inaccurate:

1. shadowsocks is a good example that certain vpn/proxy can survive after becoming popular.

2. GFW blocks sites/pages/connections based on content, it has been doing this for more than a decade. whether shadowsocks can fool GFW or not doesn't change the nature of GFW.

I don't know how GFW works exactly, but I think it's not blocking based on content, which would mean checking every page. What the Chinese gov wants to do is just prevent those naive people from being deceived by some vicious foreigners, and they don't really care about normal college students or programmers (we don't care about politics either). Indeed, en.wikipedia is not blocked at all, and we can get all academic resources (including history, most universities bought them). So if you know English, you can get everything about, e.g., the 64 event. Even though the gov is more anxious about contemporary politics, clever guys can get some information by just referring to a politician as "big tiger".

So, 1. The Chinese gov doesn't care about those who just want to paste a photo on Twitter; they blocked websites such as Twitter because they're known by even some Chinese farmers or workers. They are supposed to be susceptible, which means, danger.

2. It is said that China will block by whitelist instead of blacklist (maybe like North Korea), but they didn't do that.

3. Usually, someone who can buy and set up a server for himself is clever enough to distinguish between lies by terrorists and the truth.

There is blocking based on content now, but not by the gov checking packets themselves (is it possible?). Search engines in China must follow the instructions of the gov to block some content, which is the reason that Google exited China. What I've learned tells me that if you have encrypted, it's impossible to get what you sent without a key. If it's possible, clearly it's in use in the CIA too, not just GFW.
> vpn that can unblock all those web site can be purchased for $15/year

Have you lived in China? If so, please tell me what VPN service you're talking about. If not, I think you might not be aware how sophisticated and annoying the GFW is.

search for "god use vpn". not trolling, that is the actual name of the service I am using. they charge 100 RMB per year, that is $15/year, you get access to ~20-30 of their geographically distributed servers and all of them can help you to bypass vpn.
The name is also a rather clever pun on an existing item of Chinese food, likely chosen precisely to avoid censorship: http://languagelog.ldc.upenn.edu/nll/?p=22954
There's nothing sophisticated about China's attack strategy on VPNs: make them illegal and block their IP. Sites like greatfire.org maintain lists of working ones, or running one on a VPS would be pretty easy.
Check out the CCC talks for details on what the sibling comments talk about if you want. It's actually very interesting.
This is just false. China has a massive censorship operation, of which their very advanced anti firewall technology is a critical piece.

Start here: http://blog.zorinaq.com/my-experience-with-the-great-firewal...

Maybe 15 years ago, but today it's very sophisticated, incorporating deep packet inspection and machine learning. Under normal circumstances, they allow some VPN traffic. But they ramp up the firewall during big political events, at which times it's almost impossible to gain proper connectivity.
But there's no "deep packet" inspection of encrypted vpn or an ssh tunnel? Sure, you can guess that the connection is encrypted, and block it on general principle - but there's no way (that I know of) you could selectively block ssh based on the content/traffic pattern (you might let through low-throughput ssh only, ie: only allow use that "looks like" shell use, but a) you could run w3m on the other end of that tunnel, and b) it sounds unlikely - as that would also kill many other uses like file transfer for backup etc).

I'm curious if ssh access to eg: digital ocean is allowed?

If so, you can simply use ssh as a socks5 proxy:

  ssh -D 8080 you@example.com
  # Set your browser to use 127.0.0.1:8080
  # as a socks5 proxy for dns lookup and
  # traffic, via eg foxyproxy for firefox
I'm not saying GFW won't block this, but I'm doubtful it'll allow plain ssh, and block this use case?
In my experience ssh works but tunneling over ssh does not. Not sure how they do that. Personally when I am there I only miss Google for programming issues. It is terribly inefficient to use something else imho.
this has been blocked for ages.
you must be kidding. the great firewall of China is arguably one of the most sophisticated systems ever deployed on the Internet.

try IPSec or PPTP based vpn, they turn your encrypted communication into plain text. then think about the scale - they do this on almost 1 billion users.

on a desktop we'd just set up an ssh tunnel to an ec2 instance and use SwitchyOmega in Chrome.
How did that work out performance wise? I was on an adsl connection in Beijing. Inside the country it was really great, could max out the 100mbit. Foreign websites were a pain. I found that ingress traffic constantly had a packet loss of 30%, which made TCP really unhappy, including ssh tunnels. Ended up writing my own tunnel software that was tuned to cope with the network situation.
I found the most success with https://github.com/shadowsocks/shadowsocks/tree/master . It was a while back though.

With ssh, restarting the connection would help for whatever reason. So I had a little script rotating a set of connections behind haproxy.

EDIT: oh and Hong Kong. HK VPSes seemed to work the best.

Does anyone know the story behind:

https://github.com/shadowsocks/shadowsocks

"Removed according to regulations." vs:

https://github.com/shadowsocks/shadowsocks/tree/master

Is it the shadowsocks project dancing around GitHub censorship, or GitHub allowing ss to dance around Chinese censorship?

TLDR: Police asked the developer to stop working on it. (and judging by their Twitter activity, no crazy stuff happened)

https://web.archive.org/web/20150822042959/https://github.co...

What about connections outside the browser (and SSH)?

BTW, I have noticed a trend to block port 22 in international hotels. It's annoying!