top | item 45057360

(no title)

ykl | 6 months ago

This doesn't work anymore; the GFW no longer detects VPN connections by port but instead by performing deep packet inspection to characterize the type of traffic going over every connection. Using this technique in combination with some advanced ML systems, they're able to detect any encrypted VPN connection and cut it off; it's basically not possible to run any kind of outbound VPN connection (even to private servers) from inside of China anymore, and it's usually not even possible to _tunnel_ a VPN connection through some other protocol because the GFW now detects that too.

Stepping back and looking at it from a purely technical perspective, it's actually insanely impressive.

Here's a USENIX paper from a few years ago on how it is done: https://gfw.report/publications/usenixsecurity23/en/

discuss

rglynn|6 months ago

So there's a disconnect between what you're saying and what others and myself have experienced in China even recently. You appear to be saying that it's not possible to use a VPN to bypass the GFW, but I apologise if I have misunderstood.

The comments have multiple examples of people successfully bypassing the firewall. I personally just used Mullvad with wireguard + obfuscation (possibly also DAITA) and it just worked. No issues whatsoever.

ikurei|6 months ago

This changes, not only over time, but also from region to region.

A close friend of mine travels to China often, and they use Mullvad because of my recommendation. Last year it worked great for them, but earlier this year they went back to China, and it really didn't work.

What I found most interesting is that they had different results in different places. Apparently, in the business areas of Shanghai and Beijing, were they had meetings and events, they could get Whatsapp and Slack messages; when they went back to the hotel, in a residential area where there were almost no offices or tourists, it didn't. In Chongqing even less stuff worked.

I was very skeptical of this when they told me, but they could replicate this consistently over a couple of weeks. It wasn't related to hotel Wifi (that's a different can of worms), this was on mobile data.

Everything worked when they switched to using https://letsvpn.world, at the recommendation of some chinese colleagues of them.

This was with a basic Mullvad install on iOS and Mac, they're not technical enough to harden their VPN connection further; may be they could've easily obfuscated it more and it would've worked.

Quiark|6 months ago

It's possible it worked in the past and doesn't work any more.

eqvinox|6 months ago

This is what IPsec TFS is for [https://datatracker.ietf.org/doc/rfc9347/]

> the focus in this document is to enhance IP Traffic Flow Security (IP-TFS) by adding Traffic Flow Confidentiality (TFC) to encrypted IP-encapsulated traffic. TFC is provided by obscuring the size and frequency of IP traffic using a fixed-size, constant-send-rate IPsec tunnel

(If they block a constant rate stream, that'll hit a whole ton of audio/video streaming setups)

kimixa|6 months ago

So they'll just block any constant rate stream that isn't containing AV data or a whilelisted streaming service.

Marsymars|6 months ago

Aren't many/most audio/video streaming services variable bitrate now?

anonzzzies|6 months ago

When I lived in China 10 years ago, GFW had a pretty effective way by slowing constant traffic that goes to an outside china ip address more and more over time. I had about 6 hours per ip (it starting to get slower and slower during that time) before having to rotate because even basic webpages didn't get through and ssh was unusable.

ranger_danger|6 months ago

> it's basically not possible to run any kind of outbound VPN connection (even to private servers) from inside of China anymore

This is not true anymore, and your own link says so:

> all circumvention strategies adopted by these tools are reportedly still effective in China

And while this paper is not the most up to date, there are actually many new kinds of obfuscating VPN/proxy/tunnel technologies out now, and they are currently not blocked. Some methods can even disguise themselves as unencrypted, plaintext legitimate-looking HTML and still tunnel traffic (slowly) through it.

wulfstan|6 months ago

That is impressive. Beyond bonkers, but impressive.

tracker1|6 months ago

Assuming they don't MITM SSH, you should still be able to use something like wireguard over an SSH tunnel. At least I would think.. it's all SSH traffic as far as any DPI listener is concerned, you'd of course need to ensure the connection signature through another vector though.

77pt77|6 months ago

> it's basically not possible to run any kind of output VPN connection (even to private servers) from inside of China anymore.

What if you run your own HTTPS server that look semi-legitimate and just encapsulate it in that traffic?

Can they still detect it?

What about a VPS in HK? Is this even doable?

tossit444|6 months ago

v2ray and similar servers do exactly that, and I would assume they're still working as they're actively developed.

IshKebab|6 months ago

> it's basically not possible to run any kind of outbound VPN connection (even to private servers) from inside of China anymore.

Really? Because the paper you linked says they don't block any TLS connections so you can just run a VPN over TLS:

> TLS connections start with a TLS Client Hello message, and the first three bytes of this message cause the GFW to exempt the connection from blocking.

ykl|6 months ago

Give it a try if you want; it doesn't work. For TLS traffic they track what the connection looks like over time; a TLS connection for normal web traffic versus a VPN connection tunneling through TLS apparently look different enough that they can detect and cut it off.

moduspol|6 months ago

Worth noting is that OpenVPN’s TCP TLS mode does not work that way. It’s essentially the UDP protocol messages except wrapped into TCP. The initial handshake is not a normal TLS client hello.

Not sure about other SSL VPNs.