Check out v2ray. You'll need to have your own domain, server, and a Cloudflare account, but in terms of speed it is unmatched. Unfortunately many of the best tutorials are in Chinese.
Looks interesting. From https://www.v2ray.com/en/index.html it seems that it's "just" a VPN protocol / software that can tunnel over TLS. I assume the point of using your own server + Cloudflare is that it breaks IP-based blocking of most VPN providers. I guess just your own server without Cloudflare would work fine for a while, but they probably have heuristics for a lot of encrypted traffic sent to a single unknown server?
The remaining question for me is about the TLS part of all this. Does China not have agreements with most external services about stripping TLS such that a lot of TLS traffic would be suspect? Or do they not mandate their citizens to use a Government provided root cert that would allow them to "securely" MITM connections? That would be how I'd do it if I were an authoritarian government.
If not, then what's their plan for the future? I could see a Firewall kind of mostly working for now on a combination of DNS, IP, and SNI filtering, but all three are going away in the near term. DNS with DNS-over-HTTP, SNI with eSNI, and IP blocking has become less plausible already through routine use of proxies like Cloudflare.
They want to make the networks transparent to the government, and apply machine learning for understanding the data and warnings the monitoring system will provide.
You either provide decryption keys, or your traffic will be dropped.
Yeah, that's what I figured would happen next. It's honestly very difficult to defend against an adversary that nakedly aggressive. It's like trying to browse the Internet privately on your computer at your desk at the major IT firm you work at.