Can I self host a VPN that sneakies through the China firewall?

⁨0⁩ ⁨likes⁩

Submitted ⁨⁨11⁩ ⁨months⁩ ago⁩ by ⁨JimVanDeventer@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

Like, from inside China to the outside, but a bilateral solution would be fine with me, too.

source

Comments

Sort:hotnew top

possiblylinux127@lemmy.zip ⁨11⁩ ⁨months⁩ ago
What?

I would avoid China since it is illegal to bypass the Firewall or do anything that most western counties would consider protected speech.

If you need to make sure to use Tor with snowflake proxies enabled.

source
krasny@lemmy.ml ⁨11⁩ ⁨months⁩ ago
I travelled to China in October 2023. I have a Wireshark VPN running at home with my internet provider (dinamic IP), and it worked for few hours (about 6) and they ban the IP. Resetting the router and getting a new made it work for another few hours.

As others suggested the vpn traffic is encrypted but very easy to detect. I read about some protocols that can bypass it like shadow shocks but I didn’t have time to tinkering (it was my first time in China).

I ended by using the service provided by 12vpx and it worked flawlessly. Someone recommended it and it is specialized in provided access in china with lots of gateways. I never had problems with this provider.

Probably there are others that also work but that is my experience.

source
- possiblylinux127@lemmy.zip ⁨11⁩ ⁨months⁩ ago
  Be careful of some of those services as they may be using botnets.
  
  Tor snowflakes allow for volunteers to proxy traffic to Tor. They are hard to block since there is effectively unlimited IPs.
  
  source
bonapetit@lemmy.world ⁨11⁩ ⁨months⁩ ago
Try gdr.name/tuntox

Sloooow but works

source
crmsnbleyd@sopuli.xyz ⁨11⁩ ⁨months⁩ ago
I wonder why nobody has mentioned using tor

source
- krasny@lemmy.ml ⁨11⁩ ⁨months⁩ ago
  I couldn’t use Tor inside China, I tried but did not establish a connection. Didn’t dig into it also.
  
  source
  - possiblylinux127@lemmy.zip ⁨11⁩ ⁨months⁩ ago
    Look into Snowflakes. The snowflake proxies are hosted by people in low censorship countries with the browser extension installed. The IP addresses are all over the place so they are hard to block.
    
    source
JubilantJaguar@lemmy.world ⁨11⁩ ⁨months⁩ ago
ITT: lots of generic VPN advice by people who have no experience with the specific problem.

source
Captain_Stupid@lemmy.world ⁨11⁩ ⁨months⁩ ago
Social Credit --;

source
jagged_circle@feddit.nl ⁨11⁩ ⁨months⁩ ago
Yeah. But it kinda defeats the purpose.

The whole point of a VPN is to mix your traffic with tons of other people’s traffic

source
- Darkassassin07@lemmy.ca ⁨11⁩ ⁨months⁩ ago
  Where in the world did you get that idea?
  
  VPNs serve three functions:
  
  add a layer of encryption so your local network operator and ISP can’t inspect your traffic, its contents and its true destination. (this is what OP is looking for)
  
  make it appear to the service you are connecting to, that you are connecting from a different location than where you actually are. (for example make Netflix think you’re in a different region to show you different content)
  
  provide secure access to private services that are not exposed directly to the Internet. IE securely connecting devices on seprate LAN networks together over the Internet via an encrypted tunnel. This is a VPNs true purpose and how they are primarily used in Professional/Comercial settings. (pretty much every corporation you’ve ever interacted with runs a VPN that connects its stores/warehouses/offices together)
  
  source
  - jagged_circle@feddit.nl ⁨11⁩ ⁨months⁩ ago
    If all your connections come from the same IP, and you’re the only one using that IP, then everyone knows all of your traffic is associated with you.
    
    source
  - sem@lemmy.blahaj.zone ⁨11⁩ ⁨months⁩ ago
    These are the true points, however the 4th reason to use a VPN is if you are using a fingerprint-resistant browser and lots of other people are too, it’s harder to track who is going where, since the exit IP is shared.
    
    If tor isn’t working for whatever reason
    
    source
Yingwu@lemmy.dbzer0.com ⁨11⁩ ⁨months⁩ ago
It’s better to pay for a VPN provider that is verified to work in China.

source
neidu3@sh.itjust.works ⁨11⁩ ⁨months⁩ ago
Yes. China’s great firewall mostly handles content filtering and deals with low hanging fruit. Getting around it is fairly simple, and the censorship is mostly focused on stuff that would otherwise be easily accessible.

VPN is your obvious choice here. CCP blocks most public VPN providers, so you’d have to roll your own.

You can set up a VPN concentrator somewhere in the world, and you would be able to reach it. As far as I’ve noticed, they don’t block VPN as a whole, and default port should work fine - the reason for this is probably that VPN has many commercial uses that they don’t want to harm.

Source: I run a (work-related) VPN accessible from inside china.

source
- Yingwu@lemmy.dbzer0.com ⁨11⁩ ⁨months⁩ ago
  You don’t have to set up your own VPN. Many public providers work.
  
  source
coherent_domain@infosec.pub ⁨11⁩ ⁨months⁩ ago
China blocks most IPs from foreign cloud providers like AWS or Digital Ocean. And if I am not mistaken, they can also block some VPN protocols, but I am not sure which exactly.

source
- IndustryStandard@lemmy.world ⁨11⁩ ⁨months⁩ ago
  Do mainstream VPN providers not have a Chinese solution?
  
  source
  - coherent_domain@infosec.pub ⁨11⁩ ⁨months⁩ ago
    Last time I was there, express do not work, and I heard proton also does not work. However, my mobile carrier by default routes all roaming traffic through UK, so that did work.
    
    source
  - Yingwu@lemmy.dbzer0.com ⁨11⁩ ⁨months⁩ ago
    They have. I don’t know what people are talking about in this post. It’s bypassable easily, and the CCP won’t kill you for it. There are so many Chinese using aVPN themselves to bypass GFW
    
    source
    -> View More Comments
nesc@lemmy.cafe ⁨11⁩ ⁨months⁩ ago
Yeah, you can look up how to setup hysteria2 and xray. Additionally you need to understand that firewall is different in different places, in some places like big cities you can even use plain openvpn (during daytime), in other more rural places almost everything is blocked.

source
- Yingwu@lemmy.dbzer0.com ⁨11⁩ ⁨months⁩ ago
  Yeah, I’ve heard Shanghai for example has zones where the GFW is much more lax?
  
  source
InvertedParallax@lemm.ee ⁨11⁩ ⁨months⁩ ago
Not really, you need a license and you can host openvpn at tcp 443, but chances are they’ll try to track you down and make your life unpleasant.

When I was there I vps bumped through Hk, that’s probably harder now.

source
NaibofTabr@infosec.pub ⁨11⁩ ⁨months⁩ ago
Depends - how many family members do you have that the PRC might use against you?

source
- Yingwu@lemmy.dbzer0.com ⁨11⁩ ⁨months⁩ ago
  It’s crazy that this is an opinion that people really have. I don’t like authoritarian states and I have a lot of issues with the CCP, but this isn’t true at all. Loads of native Chinese living in China uses a VPN. They don’t care about it.
  
  source
- nesc@lemmy.cafe ⁨11⁩ ⁨months⁩ ago
  VPN’s aren’t illegal in china, and they don’t go about random people who use them. Unless you are very vocal and high profile person no one will black bag you in a country of billion people, lol.
  
  source
  - NaibofTabr@infosec.pub ⁨11⁩ ⁨months⁩ ago
    VPNs as a technology might not be illegal but circumventing the firewall certainly is.
    
    Unless you are very vocal and high profile person no one will black bag you in a country of billion people, lol.
    
    This is a bit of a misunderstanding about how things work in an authoritarian system. Sure, you might fly under the radar for awhile, but if you call attention to yourself (say, by getting caught trying to bypass the government firewall) and you are not high-profile, then it is very low-effort to make you disappear. Few will notice, and those that do will stay silent out of fear.
    
    If you are more high-profile you still get black-bagged, you just get released after, with your behavior suitably modified.
    
    Image
    
    Naomi Wu no longer uploads to YouTube.
    
    source
    -> View More Comments
JiminaMann@lemmy.world ⁨11⁩ ⁨months⁩ ago
I have a private vpn in korea, i could connect to that vpn even through china’s hotel wifi

Could browse as per normal with abysmal internet speed

source
- Zwuzelmaus@feddit.org ⁨11⁩ ⁨months⁩ ago
  
  Could browse as per normal with abysmal internet speed
  
  Of course. It’s because they had to catch and write down every single byte with a pencil on paper, then decrypt it, understand it, report the funny ones to a boss, who nodded slowly and silently and then they typed it in again on the other side.
  
  /s
  
  source
  - SnootBoop@lemm.ee ⁨11⁩ ⁨months⁩ ago
    It’s getting a little better now because they can just scan in what they wrote and OCR it
    
    source
Unchanged3656@infosec.pub ⁨11⁩ ⁨months⁩ ago
You want to look into v2ray for self hosting. For example with https://github.com/hiddify/Hiddify-Manager

source
PetteriPano@lemmy.world ⁨11⁩ ⁨months⁩ ago
Only if you want a visit from the thought police.

source
- Zwuzelmaus@feddit.org ⁨11⁩ ⁨months⁩ ago
  They do not visit you. You do not visit them. You visit bad places.
  
  source
  - jagged_circle@feddit.nl ⁨11⁩ ⁨months⁩ ago
    You do visit them. Its a tea chat
    
    source
Shimitar@downonthestreet.eu ⁨11⁩ ⁨months⁩ ago
It will work for a bit, then they will detect VPN traffic and just block the destination ip for good. Any ip you will use will be shortly unreachable for you, so be prepared to that.

source
- Ulrich@feddit.org ⁨11⁩ ⁨months⁩ ago
  How will they detect “VPN traffic”?
  
  source
  - Mniot@programming.dev ⁨11⁩ ⁨months⁩ ago
    To someone watching network traffic, a VPN connection looks like two machines exchanging encrypted packets. You can’t see the actual data inside the packet, but you can see all the metadata (who it’s addressed to, how big it is, whether its TCP or UDP, when it’s sent). From the metadata, you can make guesses about the content and VPN would be pretty easy to guess.
    
    When sending a packet over the Internet, there’s two parts of the address: the IP address and the port. The IP address is a specific Internet location, blocks of IP addresses are owned by groups (who owns what is public info) and there are many services that do geo-ip mappings. So if you’re connecting to an IP address that belongs to a known VPN provider, that’s easy.
    
    The second part of the address is the port-number. Servers choose port-numbers to listen to and the common convention is to use well-known ports. So, for example, HTTPS traffic is on port 443. If you see a computer making a lot of requests to port 443, even though the traffic is encrypted we can guess that they’re browsing the web. Wikipedia has a list (which is incomplete because new software can be written at any time and make up a new port that it prefers) and you can see lots of VPN software on there. If you’re connecting to a port that’s known to be used by VPN software, we can guess that you’re using VPN software.
    
    Once you’re running VPN software on an unknown machine and have configured it to use a non-standard port, it’s a bit harder to tell what’s happening, but it’s still possible to make a pretty confident guess. Some VPN setups use “split-tunnel” where some traffic goes over VPN and some over the public Internet. (This is most common in corporate use where private company traffic goes in the tunnel, but browsing Lemmy would go over public.) Sometimes, DNS doesn’t go through the VPN which is a big give-away: you looked up “foo.com” and sent traffic to 172.67.137.159. Then you looked up “bar.org” and sent traffic to the same 172.67.137.159. Odds are that thing is a VPN (or other proxy).
    
    Finally, you can just look at more complex patterns in the traffic. If you’re interested, you could install Wireshark or just run tcpdump and watch your own network traffic. Basic web-browsing is very visible: you send a small request (“HTTP GET /index.html”) and you get a much bigger response back. Then you send a flurry of smaller requests for all the page elements and get a bunch of bigger responses. Then there’s a huuuuge pause. Different protocols will have different shapes (a MOBA game would probably show more even traffic back-and-forth).
    
    You wouldn’t be able to be absolutely confident with this, but over enough time and people you can get very close. Or you can just be a bit aggressive and incorrectly mark things as VPNs.
    
    source
  - Shimitar@downonthestreet.eu ⁨11⁩ ⁨months⁩ ago
    Deep level packet inspection, they detect patterns or whatever in encrypted traffic (and the lack of thereof) and ban the destination ip china-wide.
    
    How they do I have no idea, but they do, on my direct first hand experience. Its not based on domain names, directly straight and total ip ban. All ports, all domains on that ip get banned forever just because you started using a VPN (OpenVPN in my case, it was a few years ago).
    
    source
    -> View More Comments
solrize@lemmy.world ⁨11⁩ ⁨months⁩ ago
It’s possible for a while but there is a whack-a-mole game if you’re doing anything they would care about. So you will have to keep moving it around. VPS forums will have some info.

source
capc8m@lemmy.world ⁨11⁩ ⁨months⁩ ago
I don’t know if it will work, but it’s possible to tunnel all your traffic through a VPS using SSH and a piece of software called sshuttle.

source
- xylogx@lemmy.world ⁨11⁩ ⁨months⁩ ago
  You can tunnel over SSL with stunnel. TCP latency can be brutal though.
  
  source
Zwuzelmaus@feddit.org ⁨11⁩ ⁨months⁩ ago
They are prepared for such ideas, and you should assume that they are better than you.

source
- NaibofTabr@infosec.pub ⁨11⁩ ⁨months⁩ ago
  And there are hundreds if not thousands of them, plus a lot of automated tooling.
  
  source