by gopty 1957 days ago
Is mullvad able to drill through the Great Firewall of China? Few VPN can
2 comments

Shadowsocks always used to work well enough to evade the GFoC if you hosted your own VPS. Which is simpler than say strongSwan - and IPSEC gives the game away anyway.

https://gfw.report/blog/ss_advise/en/

https://gfw.report/blog/ss_tutorial/en/

Nowadays it's probably best to set up your own VPN server for that. Back when I lived there, most VPNs got occasionally blocked, then they would get new IPs and work fine again. But from what I heard, it got way worse since Winnie the Pooh took over.
Agree. I always use my own VPN for this.

Most VPN services get blocked eventually and then play cat-and-mouse to get themselves back up, so the service is overall unreliable.

The China firewall also does some "intelligent" blocking of common VPN protocols by fingerprinting their traffic patterns, handshakes, ports, and other things.

If you set up own server, it helps to modify the protocol or wrap it in a proxy that obfuscates the VPN traffic as something innocent-looking. Basically, if you implement something like TCP/IP-over-cat-picture-jpeg-files-on-HTTP-port-80 you'll generally have a rock solid experience. (That's not exactly what I do, but it's along the same lines of thinking, you get the idea, be creative.)

Unfortunately I'm not going to provide code to do this though because that makes it vulnerable to its traffic pattern being fingerprinted and blocked.

Also, avoid AWS. Using slightly lesser-known IaaS providers helps.

Interesting thought. A little part of me wants to make a TCP-over-HTML cat pictures wrapper. Maybe put the payload in every fifth cat pixel or something. Should work for BMPs, right?
So you'd be exchanging cat pictures a million times a day? That'll stand out well.
I am not sure using your own is a good idea. Every time I was in China for the last 3 years they would quickly find and block my small startup's VPN. I was able to send an email and ask someone to move it to a new IP. Now imagine you have your own setup and they block it, as well as access to the provider you used to create the VM that runs it. Using something like Nord or the like at least you know that they will keep changing the IPs. Your mileage might vary, but this was my experience.
I guess if you really wanted to be clever you could set up a number of IP addresses and if your VPN doesn't see you log in for, say, a day, switch to another IP. Or just give your VM 14 addresses and rotate them as you need. For a 2 week trip/14 addresses this would cost you about $26 on AWS.
Digital Ocean will let you use their Floating IPs to do this for no charge (I have an Algo VM I'm paying them to host).

1: https://www.digitalocean.com/docs/networking/floating-ips/

You wouldn't advertise you were using your personal VPS as a VPN.
Your activity advertises that to anyone who can see the traffic. Even if you use a popular port, the traffic volume and timing easily stands out — and if you’re actually in China ask what they’d conclude from a client which does no other traffic except for that one IP/protocol/port, unlike basically every other device.
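The traffic-concentration point in the comment above, as an added example that is not part of the original thread: a host whose flow records show almost all bytes going to one IP/protocol/port combination is easy to single out from aggregate logs, whatever port the tunnel uses. The flow records below are constructed, and the thresholds (90% of bytes to one endpoint, at most three distinct endpoints) are assumptions chosen for illustration, not values from the thread.

```python
"""Flag clients whose outbound traffic concentrates on a single endpoint.

This is the kind of per-host statistic a network monitor can compute from
NetFlow/IPFIX-style records: it needs no protocol fingerprint at all, only
the byte share of the busiest (dst_ip, proto, dst_port) tuple and the
number of distinct endpoints a host talks to.
"""
from collections import defaultdict

# Constructed sample flow records: (client, dst_ip, proto, dst_port, bytes)
SAMPLE_FLOWS = [
    # An ordinary laptop: many destinations, no single one dominating.
    ("10.0.0.5", "93.184.216.34", "tcp", 443, 120_000),
    ("10.0.0.5", "151.101.1.69", "tcp", 443, 80_000),
    ("10.0.0.5", "8.8.8.8", "udp", 53, 2_000),
    ("10.0.0.5", "142.250.74.46", "tcp", 443, 250_000),
    ("10.0.0.5", "52.96.0.1", "tcp", 443, 60_000),
    # A tunnelling host: a little DNS, then one endpoint carrying everything.
    ("10.0.0.9", "8.8.8.8", "udp", 53, 1_500),
    ("10.0.0.9", "203.0.113.7", "tcp", 443, 4_900_000),
    ("10.0.0.9", "203.0.113.7", "tcp", 443, 3_100_000),
]


def summarize(flows):
    """Aggregate bytes per client per (dst_ip, proto, dst_port) endpoint."""
    per_client = defaultdict(lambda: defaultdict(int))
    for client, dst_ip, proto, dst_port, nbytes in flows:
        per_client[client][(dst_ip, proto, dst_port)] += nbytes
    return per_client


def concentration(flows):
    """Return {client: (top_endpoint, byte_share_of_top, distinct_endpoints)}."""
    result = {}
    for client, endpoints in summarize(flows).items():
        total = sum(endpoints.values())
        top_endpoint, top_bytes = max(endpoints.items(), key=lambda kv: kv[1])
        result[client] = (top_endpoint, top_bytes / total, len(endpoints))
    return result


def flag_single_endpoint_hosts(flows, min_share=0.9, max_distinct=3):
    """Clients that send >= min_share of bytes to one endpoint and talk to
    at most max_distinct endpoints in total (thresholds are assumptions)."""
    return sorted(
        client
        for client, (_, share, distinct) in concentration(flows).items()
        if share >= min_share and distinct <= max_distinct
    )


if __name__ == "__main__":
    for client, (endpoint, share, distinct) in concentration(SAMPLE_FLOWS).items():
        print(f"{client}: top={endpoint} share={share:.3f} endpoints={distinct}")
    print("flagged:", flag_single_endpoint_hosts(SAMPLE_FLOWS))
```

The ordinary host spreads its 512 kB over five endpoints, with the busiest one taking under half; the tunnelling host sends over 99.9% of its bytes to a single IP/port pair, so it is the only one flagged. Using a popular port such as 443 does nothing to change that ratio, which is the point the comment makes.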
They often block VPN traffic at the protocol level i.e. even rolling your own is going to be a headache.

That said, I never had problems using an SSH tunnel and the end result is the same.

Heh if they blocked ssh my access logs would be considerably leaner