by e12e 3292 days ago
But there's no "deep packet" inspection of encrypted VPN or an ssh tunnel? Sure, you can guess that the connection is encrypted, and block it on general principle - but there's no way (that I know of) you could selectively block ssh based on the content/traffic pattern (you might let through low-throughput ssh only, i.e. only allow use that "looks like" shell use, but a) you could run w3m on the other end of that tunnel, and b) it sounds unlikely - as that would also kill many other uses like file transfer for backup etc).

I'm curious if ssh access to e.g. DigitalOcean is allowed?

If so, you can simply use ssh as a socks5 proxy:

  ssh -D 8080 you@example.com
  # Set your browser to use 127.0.0.1:8080
  # as a socks5 proxy for dns lookup and
  # traffic, via eg foxyproxy for firefox

I'm not saying GFW won't block this, but I'm doubtful it'll allow plain ssh, and block this use case?

In my experience ssh works but tunneling over ssh does not. Not sure how they do that. Personally when I am there I only miss Google for programming issues. It is terribly inefficient to use something else imho.

The reason why tunneling over SSH doesn't work very well is because the network is crap. SSH runs on TCP, and TCP doesn't perform well when there's a lot of packet loss. Even for interactive logins it's frustrating without mosh.

One could also distinguish between "normal" SSH and SSH used as a tunnel by used bandwidth.

This has been blocked for ages.