by b6 3292 days ago
> vpn that can unblock all those web site can be purchased for $15/year

Have you lived in China? If so, please tell me what VPN service you're talking about. If not, I think you might not be aware how sophisticated and annoying the GFW is.


Search for "god use vpn". Not trolling, that is the actual name of the service I am using. They charge 100 RMB per year, that is $15/year. You get access to ~20-30 of their geographically distributed servers and all of them can help you to bypass vpn.
The name is also a rather clever pun on an existing item of Chinese food, likely chosen precisely to avoid censorship: http://languagelog.ldc.upenn.edu/nll/?p=22954
There's nothing sophisticated about China's attack strategy on VPNs: make them illegal and block their IP. Sites like greatfire.org maintain lists of working ones, or running one on a VPS would be pretty easy.
Check out the CCC talks for details on what the sibling comments talk about if you want. It's actually very interesting.
This is just false. China has a massive censorship operation, of which their very advanced anti firewall technology is a critical piece.

Start here: http://blog.zorinaq.com/my-experience-with-the-great-firewal...

Maybe 15 years ago, but today it's very sophisticated, incorporating deep packet inspection and machine learning. Under normal circumstances, they allow some VPN traffic. But they ramp up the firewall during big political events, at which times it's almost impossible to gain proper connectivity.
But there's no "deep packet" inspection of encrypted vpn or an ssh tunnel? Sure, you can guess that the connection is encrypted, and block it on general principle - but there's no way (that I know of) you could selectively block ssh based on the content/traffic pattern (you might let through low-throughput ssh only, ie: only allow use that "looks like" shell use, but a) you could run w3m on the other end of that tunnel, and b) it sounds unlikely - as that would also kill many other uses like file transfer for backup etc).

I'm curious if ssh access to eg: digital ocean is allowed?

If so, you can simply use ssh as a socks5 proxy:

  ssh -D 8080 you@example.com
  # Set your browser to use 127.0.0.1:8080
  # as a socks5 proxy for dns lookup and
  # traffic, via eg foxyproxy for firefox
I'm not saying GFW won't block this, but I'm doubtful it'll allow plain ssh, and block this use case?
In my experience ssh works but tunneling over ssh does not. Not sure how they do that. Personally when I am there I only miss Google for programming issues. It is terribly inefficient to use something else imho.
The reason why tunneling over SSH doesn't work very well is because the network is crap. SSH runs on TCP, and TCP doesn't perform well when there's a lot of packet loss. Even for interactive logins it's frustrating without mosh.
One could also distinguish between "normal" SSH and SSH used as a tunnel by the bandwidth used.
This has been blocked for ages.
You must be kidding. The great firewall of China is arguably one of the most sophisticated systems ever deployed on the Internet.

Try an IPSec or PPTP based VPN; they turn your encrypted communication into plain text. Then think about the scale - they do this on almost 1 billion users.