Tunneling Under the Great Firewall?
An anonymous reader writes "I am traveling to China in the near future, and needless to say as a Slashdot reader I am going to require access to the Internet. The whole, unadulterated, unfiltered Internet. Also needless to say, I am very leery of the government there (my lack of a nickname on this submission being testament to that). I will only be there for a few weeks, and will not be using the computer for much of that time, so I don't want to shell out a lot of money to a VPN service. However I also don't want to be hindered by extremely slow speeds such as those provided by the Tor network. I have experience implementing Web servers and work fairly often with Linux; however, many of my friends who also face the same dilemma don't. What would be the most cost-effective (free is best) method for me to subvert the Great Firewall during my travels while maintaining sufficient anonymity and enjoying sufficient speed?"
This fear of China is just WTF. "my lack of a nickname on this submission being testament to that", VPNs, Tor, all of that just to browse the regular Internet. Anyone who writes these things obviously has not been there or in the other Asian countries.
Most of the western quality hotels provide access to unfiltered Internet and you are most likely staying in one of those. Besides, the Chinese and Asian in general are quite relaxed people. Just think if American cops would be this patient and try to help the guy.
Seriously, the Chinese, Asian and rest of the world hate and fear by Americans is getting beyond ridiculous.
At my workplace we have people who travel to China. On occasion VPN connections from China just stop for hours or days at a time. No hits at our VPN endpoint from China at all; the traffic is stopped upstream somewhere while everything else that is unencrypted works.
That's the only country we have people visit where the VPN can be problematic.
Trolling is a art,
Have somewhere a computer with real IP, and start some proxy server. Or even some remote-control(vnc,rdp), if you have a good bandwidth.
SSH tunneling with SSH -D is trivial to set up. Make sure you forward DNS with network.proxy.socks_remote_dns set to true if you're using Firefox.
I think I read that SSH can even create a virtual network device that forwards all traffic over a tunnel. Haven't had time to play with that though. That would be a great solution for every app, even those that don't support SOCKS proxies.
Give me Classic Slashdot or give me death!
ssh -D $port $host -N
if not, do
ssh -D 9999 my.home.machine
then use localhost port 9999 as the SOCKS proxy.
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
Presumably you have broadband internet at home. Set it up as a gateway and encrypt all traffic through it.
Regardless, you are not likely to have fast internet access in China, or at least not *consistent*, fast internet access. In my experience, quality of internet connectivity there is very touch-and-go.
You don't need a weatherman to know which way the wind blows. - Bob Dylan "Subterranean Homesick Blue
Before leaving, set up a computer with decent upstream bandwidth and VNC / screen share. Pretty simple, and only shows a connection to that one IP address. If you use OSX it's a 30 second setup in sharing preferences, and I'm sure that there are Windows and Linux equivalents. You may need to tweak the ports to get under the Great Firewall.
However, one significant drawback (with the OSX solution) is that audio is not streamed. Another is lag with slow / far connections.
But it will get you the full net.
__ Someday, but not this morning, I'll finally learn to use the preview button.
How about just suck it up and deal with it. Unless you need to look up "Tiananmen Square" every 10 minutes, it really shouldn't be a problem. They filter state secrets and political opinions, not your twitter traffic.
Just change your online name to "FreeTibet". They'll never notice.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
I suggest that you play nice with China's laws if you are going to China. Trying to bypass their firewall as a foreigner traveling there is more likely to attract the sort of attention you don't want than anything else. As you said, you're just going to be there for a few weeks. Do you *really* need to search for the kind of stuff they filter out while you are there?
My wife travels regularly to China for work. We are very careful about our conversations on the phone when she's there, and about the emails we send when she's there. I sure as hell would never advise her to try to bypass their firewall.
If you are a Chinese freedom activist, by all means, you know what you're getting into, bypass away. I support the people of China in their efforts to access the whole internet, to speak their minds, to be as free as they care to be.
If you are a Westerner visiting, I'd suggest you just hold your horses there bucko and deal with the internet you can get from your hotel room and don't make yourself look more suspicious than you actually are. You really, really don't want anybody to think you are doing anything against Chinese interests while you're there. Seriously.
Keep your home computer running at home with SSH listening to a non-standard port (80 or 443 are good choices).
If you're going to be using Windows computers in China take a USB thumbdrive with you with a copy of PuTTY installed.
Forward ports 53 and 3128 and set your web browser proxy and DNS settings appropriately.
if on windows, set up your home computer to accept incoming rdp requests (and configure your router to pass that port to the right machine), and leave your home computer on the whole time
login remotely, and surf anywhere you want
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I am thinking that maybe a Tor client would be useful, but I do not know if this is allowed in China...
Anyone else know?
--Stak
Holy happy hippy crap!
it really shouldn't be a problem. They filter state secrets and political opinions
Have you ever been there?
I've spent a total of 3 months in the last several years. In actual practice they block tons of things you want. (e.g. Wikipedia, last time I was there in 2007).
___________________ I want to be free()!
The best solution may be to set up a private proxy such as CGIProxy on your own web server behind HTTP auth. Then access it via HTTPS only (on slashdot I think I read a story where someone's site was blocked for such a proxy... using HTTPS greatly reduces the chance of that). I think there was speculation on slashdot a while ago that the Chinese government could probably issue signed SSL certs if they wanted to and thus easily perform man-in-the-middle attacks. You should probably check to be sure the cert matches what you expect (especially the issuer) before using your proxy. Also if you know of a site that has a bad SSL cert (self-signed, etc) if it's suddenly valid while in China that could be another warning sign.
There's also Tor but it is quite blockable by blocking connections to its dictionary servers, so I'd be surprised if it worked in China.
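The check recommended in the comment above (confirm that the proxy presents the certificate you expect before using it), as an added example that is not part of the original post. It pins the SHA-256 fingerprint of the leaf certificate recorded at home; a certificate issued by any other CA has different bytes and fails the comparison even if the browser would accept it. The byte strings in `demo()` and the host name in the comment are constructed placeholders.

```python
"""Pin a TLS server's leaf certificate by SHA-256 fingerprint (added example)."""
import hashlib
import hmac
import socket
import ssl


def normalize_fp(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return 64 lowercase hex chars."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (32 bytes of hex)")
    return cleaned


def fingerprint_der(der: bytes) -> str:
    """SHA-256 over the DER encoding, the value browsers show as the fingerprint."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_pem(pem: str) -> str:
    """Same fingerprint, starting from a PEM file saved before the trip."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem))


def matches_pin(der: bytes, pinned_fp: str) -> bool:
    """True only if the presented certificate is byte-for-byte the pinned one."""
    return hmac.compare_digest(fingerprint_der(der), normalize_fp(pinned_fp))


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the certificate the server presents, without trusting any CA.

    Chain validation is switched off on purpose: the pin is the trust decision,
    so a chain that validates against some trusted CA must not count for anything.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> dict:
    """Offline run on constructed byte strings standing in for certificates."""
    enrolled = b"constructed stand-in for the proxy certificate recorded at home"
    substitute = b"constructed stand-in for a certificate from another issuer"
    pin = fingerprint_der(enrolled)
    colon_pin = ":".join(pin[i:i + 2] for i in range(0, 64, 2)).upper()
    return {
        "same_cert": matches_pin(enrolled, colon_pin),
        "substituted": matches_pin(substitute, pin),
        "pem_roundtrip": fingerprint_pem(ssl.DER_cert_to_PEM_cert(enrolled)) == pin,
    }


# Live use (hypothetical host name): refuse to send credentials on a mismatch.
#   if not matches_pin(fetch_leaf_der("proxy.example"), PINNED_FP):
#       raise SystemExit("certificate changed; do not log in")

if __name__ == "__main__":
    print(demo())
```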
This is a really simple problem to solve.
Keep a box at home, run Linux/*BSD/whatever on it. Have SSH on it. Run SSH on a "common" port that's not 22. 21, 23, 56, 69, 80, and 443 are good candidates. For good measure, keep a small web-based admin util on some other common port (with SSL!) in case you guessed the SSH port wrong.
Use SSH as a proxy. I forgot exactly how to accomplish this on *nix but on Windows... Use PuTTY. Connection -> SSH -> Tunnels. Set a random source port (which is what port you connect to on your local machine) and select the "Dynamic" option. IPv4/IPv6 option should stay to default "Auto". An entry in the list should read something like D12345 where 12345 is the port. Use localhost:port as a SOCKS proxy.
And for *nix, there's this guide that should work for all OSes with standard ssh: Guide!
So when China asks slashdot how best to catch people circumventing their firewall, how would they do it? They might pretend to be a western touron visiting their fair nation and asking some innocent questions about firewall circumvention. If any of these methods are effective, they are likely to cease being effective now that they are widely published. Either way, the anonymity of the poster prevents direct help and indicates perhaps a clever approach to hardening the firewall.
Meh, I'd just simply chalk it up to part of the cultural immersion, to experience the internet the same way the locals do. Ask the Chinese at internet cafes, they'll probably be more than happy to point you to the workarounds they use.
For my part, I'd simply run ssh back to my box and run "links" to do searches from home.
With a little more effort, you could do SSH+TightVNC or TigerVNC to extend your home desktop... performance is actually pretty decent even with modem-like uplinks.
With a bit more effort, you could create an ssh tunnel to your home squid proxy server. But then you start leaving traces on your client machine in China... unless you boot it from a LiveCD or LiveUSB something. Try Knoppix or Linux-Mint, though you might need to remaster them to make sure you have all the apps you want.
Also, if ssh is blocked for some reason but you still have web proxy access, you can try installing ajaxterm to get a shell on your machine via https.
Have fun!
You said you'd only be there for a few weeks, and you wouldn't be using the computer that often. Are you sure you can't live without some parts of the internet under those conditions? If it's really that important to you, then perhaps you should restrict your travels to Hong Kong and Taiwan instead of mainland China?
...
After all if the firewall is the law, subverting the firewall may be illegal; which could lead to your stay being longer than expected
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
"sufficient anonymity and enjoying sufficient speed"
Ummm? What is sufficient? In each case.
Also, I'd see someone about the paranoia. I doubt that China could give a rats about your browsing habits while visiting for a couple of weeks. Unless you plan on browsing some "dissident" sites that already have them in a huff I don't see it as an issue. Chill out.
I'm going on a porn hunt
I'm not afraid.
I got some good business partners.
By my side.
Oh. Oh.
What do I see.
Oh look! It's a Chinese Firewall.
Can't go over it.
Can't go under it.
Can't go around it.
Got to go through it.
(First thing I thought of)
Another very good solution is to use this little multipurpose relay netcat++: http://www.dest-unreach.org/socat/ They are saying that you could tunnel even a VPN traffic, with just one simple command.
All 3 are linked together with a VPN.
And just after the planes struck the buildings on 911, the VPN with Detroit mysteriously went down. Unencrypted connections continued working as if nothing happened (so it's not a case of a router being located physically in WTC, or whatever). A couple of days later, all was back to normal. No explanation ever followed.
Sorry, but that's what this is. The internet is regulated by the Chinese government, it's kind of asinine to ask users how to circumvent and break Chinese laws.
When you're in another country or in someone else's home, you follow and abide by their rules. It's not just being respectful, it's good manners.
The Great Firewall sucks, but that's how they roll. Just suck it up and deal with it.
Are you seriously willing to risk a stay in a Chinese prison just because you can't do without your internet fix for a few days? If you lived in China then trying to bypass the firewall might be conceived as a heroic gesture against oppression but for a tourist to risk it is just foolishness.
"I want something that has great performance but i don't want to pay any money for it"
Shell out for a VPN connection already.. iPredator is very cheap and encrypts your whole network connection.
Unless they've opened a few new trans-pacific pipe connections since I was last there, forget about speed. Maybe it was just my ISP (Great Wall, ha) but within China you can get nice (e.g. 750kb/s) speed but the moment you cross the pacific your latency is killer and you're crawling at 5-10kb/s. This is using corporate VPN or without. I suspect the actual throughput is a result of active throttling by the State. In terms of restricting general information, making something extremely painful is nearly the same as blocking it.
___________________ I want to be free()!
Go outside.
What you are asking is illegal there. If you get caught bad things will happen to you. Is it really worth the risk for a couple of weeks? Are you THAT addicted?
---- Booth was a patriot ----
Get yourself (if you don't already have) a cheap colo/virtual host. Then just use SSH with the -D option, and set your browser's proxy to a socks proxy on localhost.
That's what I always do when there are network issues (firewall, throttling, shaping).
I know of large US companies that do not allow executives to take their laptops into China, as they assume that its contents will be read (at the border or elsewhere). So, they get a sanitized laptop for the trip. Sounds extreme, but there have been cases of industrial espionage in the past.
I left a windows PC running at home and tunneled in using remote desktop over VPN to view the web. I used Hamachi but there are many other simple set-up VPN type software out there you could use.
You're going to a country with a ruthless authoritarian dictatorship, and which further is both the darling of the US government and willing and able to stand up to it if need be, and you're asking how to subvert one of the institutions beloved to its leaders? Here's an idea for you: don't. Best if you just don't go to China at all, but if you're going to go, don't do anything which might result in you being imprisoned indefinitely, particularly when the best the US embassy will do is put in some token protest.
True, by most reports, the government doesn't particularly care if foreigners evade the firewall. But if they change their mind, or if they think you're helping Chinese people to do the same, you could be in the shit in no time at all. Do you really want to spend the rest of your life at hard labor in a foreign country?
...so the Chinese government can make their Great Firewall better!
Seriously, does this person believe that /. readers are so gullible that they will lay out their best-kept secrets here? Or how do we know that you aren't a Chinese operative trying to mine the collective wisdom of /.?
In fact, if you need to ask, you probably don't need the "unadulterated, unfiltered" Internet as much as you think you do. Go, enjoy your trip. The Internet will be there when you return.
I advise you to also bring a 'throw-away' computer, unless you keep your current computer with you at all times. Depending on your business, if you leave your computer behind somewhere (hotel room, security) you may return to find it perfectly fine, maybe even with a bit extra hardware or software if you get my meaning.
At the very least, be prepared to wipe it clean when you get back home.
Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
But when the law unfairly restricts your natural rights, then the breaking of that law is completely justified, hell, armed revolution in the case of China is very much justified for the Chinese people.
That said, I'm not sure if I'd really do it in China as a tourist, not that they'd probably do much (China gets western businessmen all the time) but I just wouldn't want to take the risk unless.
But really, if a law is unjust and violates natural rights, you have every right to break it, some may say you even have a responsibility to break it because by not breaking it you in essence prop the law up.
Taxation is legalized theft, no more, no less.
If you have only Windows, install colinux. Set up ssh, forward all traffic from 443 (https port) to your 22 port (ssh) and voila.
Use putty and set up tunnel easy or tunnelier.
Regards,
-M
Need to balance cheap-as-hell with this-might-get-me-arrested? Activists do it all the time. Here's a snip from an internal manual:
Use a "Virtual Private Network" service to avoid some snooping and beat censorship. This is a lightweight program running on your computer that encrypts all your online activity locally. In effect, it appears as though you are surfing from somewhere else... Until then you can use a free VPN called "Hotspot Shield", which is supported by ads. This is annoying, so we recommend a Firefox plug-in called AdBlockPlus, which blocks the ads. HotSpot Shield also gives you a random IP address, which will defeat most local censorship.
* Download HotSpot Shield by AnchorFree: http://www.anchorfree.com/ Hotspot Shield
* AdBlockPlus ( a plug-in for Firefox browser ) https://addons.mozilla.org/en-US/firefox/addon/1865
A friend of mine is working for a supplier of automotive parts with (at the time) two branch offices in Luxembourg, and one in the United States (Detroit).
All 3 are linked together with a VPN.
And just after the planes struck the buildings on 911
Let's stop right there.
A single event, nine years ago, precipitated by an attack by foreign nationals on the United States.
You're using the example of (presumably) the US Government shutting down encrypted Internet traffic during a time of national emergency to support a claim that VPN traffic in the USA is unreliable.
That's just pathetic.
Several options: Set up an SSL proxy on 443. Set up sshd running on a non-standard port. Set up OpenVPN listening on 443. Blah blah blah. I've used all three of these when traveling to countries that heavily filter the 'tubes and met with little issue. I even run VoIP/VTC over them without issue.
If you have a computer at home with broadband Internet, install a SOCKS server there, open an SSH access. From your laptop create a SSH tunnel, and configure your OS and/or apps to use the SOCKS server (through the tunnel). You double or triple the ping, but you may get good bandwidth.
Is asking a question on how to circumvent the Chinese filtering system really appropriate? It's highly illegal, and you've been pretty blatant about what you want to do and that you don't care.
I'm surprised the question made it to the front page.
I was in China about a year back and had no real problems browsing the internet except for one site that I can guarantee had absolutely nothing to do with Tibet or state secrets or anything like that. I forget what it was now, but it really surprised me at the time. Logging into a VPN let me get there without problems.
If the requirements and restrictions on the Internet in China are enshrined in Law in China, you may be putting your visa at risk.
It's like an Australian 18 year old coming to the US and drinking alcohol and getting caught. In Australia, there's no restriction above 18, in the US, it's 21. You get caught, you may not be able to enter the country again.
A local law is a local law, no matter what your views are. What you can do freely in your country may be illegal and carry harsh punishments in others.
If you're traveling for business that's one thing, but if you're traveling for pleasure I don't really see the point.
It's unlikely that the Chinese gov't will care what you do online if you're just surfing slashdot, but do you care enough about that (especially if you won't be using a computer most of the time) to put yourself in a position of vulnerability?
Maybe it's a principled notion. Something like "I'm a Westerner and entitled to a free internet", but again how far are you willing to go for that principle, especially if you're only going for a few weeks, and this internet freedom is really just for you.
You're going to be in the country just a few weeks and not using a computer that much. Yet you claim to need access to the entire Internet at high speed. Those two statements don't seem to make much sense. Really, if it's just a few weeks, you might be better off just playing by the Chinese government's rules. When in Rome do as the Romans do.
You also say you're going to China, but don't want to shell out for VPN service. Honestly, if you can afford to travel to China for two weeks, you should be able to afford a VPN service. Really, you're making this harder than it has to be.
This is all good advice.
As for your port advice, I agree to avoid port 22 -- I have this totally disabled on my FreeBSD system.
443 is a good alternative since it is the normal HTTPS port, but in my work as a consultant I've run into client networks where HTTPS works fine but SSH through port 443 doesn't work at all. I seldom get to the bottom of it, but usually it's a filtering/transparent proxy device that works with normal HTTPS traffic.
My work around (that hasn't failed yet) has been to run my SSH server on a few random non-reserved ports. It's not unusual or unknown for apps to exchange encrypted/binary data on negotiated high number ports so most/many filtering systems & transparent proxies avoid it to keep from breaking those apps.
I personally would avoid using ports otherwise used for FTP, SMTP or other well-known unencrypted protocols since those are likely to be filtered/proxied or otherwise not be reliable with SSH proxy sessions.
It also wouldn't surprise me if the Chinese didn't have some kind of pattern analysis software that LOOKED for tunneled data; SSH proxy traffic probably stands out like a sore thumb. It might make sense to use multiple ports on the SSH server end to avoid creating a pattern over time (eg, one session on port 6043 may not get detected, multiple sessions over time from the same place on that port might sound an alarm).
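Why SSH on port 443 can fail where HTTPS works, as the comment above reports: the two protocols differ in their first cleartext bytes, so a device that expects TLS on 443 can tell them apart without decrypting anything, while a port it does not inspect passes untouched. This is an added example, not part of the original post; the flow records, banner strings and the `EXPECTED` policy table are constructed for illustration.

```python
"""Classify the first payload bytes of a TCP flow as TLS or SSH (added example)."""
import struct


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type(1) version(2) length(2), then handshake type(1)."""
    if len(data) < 6:
        return False
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    return (rec_type == 0x16            # handshake record
            and major == 0x03 and minor <= 0x04
            and 0 < rec_len <= 2 ** 14  # maximum plaintext record size
            and data[5] == 0x01)        # ClientHello


def ssh_banner(data: bytes, allow_preamble: bool):
    """Return the RFC 4253 identification string ('SSH-2.0-...') if present.

    It is sent in cleartext before key exchange. A server may send other
    lines before it (allow_preamble=True); a client sends it first.
    """
    lines = data.split(b"\n") if allow_preamble else data.split(b"\n")[:1]
    for line in lines:
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            return line.decode("ascii", "replace")
    return None


def classify(client_first: bytes, server_first: bytes) -> str:
    if ssh_banner(server_first, True) or ssh_banner(client_first, False):
        return "ssh"
    if looks_like_tls_client_hello(client_first):
        return "tls"
    return "unknown"


# Constructed policy: which protocol a filtering device expects on the ports
# it inspects. Ports missing from the table are not examined at all.
EXPECTED = {443: "tls"}


def audit(flows):
    """Return (label, port, seen) for inspected ports carrying another protocol."""
    findings = []
    for label, port, client_first, server_first in flows:
        seen = classify(client_first, server_first)
        if port in EXPECTED and seen != EXPECTED[port]:
            findings.append((label, port, seen))
    return findings


def sample_flows():
    """Constructed first payloads; the ClientHello body is filler bytes."""
    body = b"\x03\x03" + bytes(32) + b"\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    client_hello = b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
    banner = b"SSH-2.0-ExampleServer_1.0\r\n"          # constructed banner
    client_banner = b"SSH-2.0-ExampleClient_1.0\r\n"   # constructed banner
    return [
        ("https", 443, client_hello, b""),
        ("ssh-on-443", 443, client_banner, banner),
        ("ssh-on-22", 22, client_banner, banner),
        ("ssh-on-6043", 6043, client_banner, b"notice line\r\n" + banner),
    ]


if __name__ == "__main__":
    for finding in audit(sample_flows()):
        print(finding)
```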
I've used CCProxy before when I didn't have access to my own Linux box, or time, etc. It was fairly easy to guide my non-technical friends over the phone through installation and configuration. It's free for up to 3 users.
>> Also needless to say, I am very leery of the government there (my lack of a nickname on this submission being testament to that).
You're just an overly paranoid neckbeard. Don't use the same Slashdot nickname twice and make sure all your equipment, plus your brain, is wrapped in tin foil to avoid atheist Chinese mind reading.
Fast, Easy, Secure. Pick any two.
Sorry, pal - it's those pesky laws of the universe or something gettin' in the way...
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I travel quite frequently and often need to subvert the various restrictions of local ISPs (DNS redirection, throttling, censorship etc.). The method that works for me is:
1). Rent a cheap 512MB VPS (I use Linode and highly rate them but there are many other providers)
2). Grab a copy of OpenVPN and set it up in server mode on your VPS (make sure you push "redirect-gateway" to clients so that they send all their internet traffic through the VPN)
3). Install a copy of OpenVPN on the computer you'll be travelling with (set it up in client mode and configure it to point to your VPS).
That's it. All your traffic will now flow encrypted to your VPS where it will then break-out on to the open, unfiltered internet.
Additional tips:
- If you are using Windows on the computer you're travelling with, you need to make sure your DNS queries are going through the VPN (see: http://openvpn.net/archive/openvpn-users/2006-09/msg00020.html for what steps you need to take)
- To help obscure the fact you are using a VPN, set the server to use TCP rather than UDP (note: this will increase latency a bit) and set it to listen on a port normally associated with something else (e.g. TCP 993 which is normally used for secure imap or TCP 443 which is normally used for https traffic).
If you haven't got the cash for a VPS (frankly though you should, they are really cheap!), you could always set up the OpenVPN server on your home machine and point your travelling computer to that.....
Good luck!
When I lived in China, I subscribed to an SSH tunnel service. I would set up a small application on my machines that would open a tunnel and funnel that traffic out from America. Be careful trying things like Onion. My financial trading software blocked me when their IT department detected requests shifting from IP to IP from various countries. It looks very suspicious. It's worth the fee paid to the SSH tunnel operators because you don't have to pay for a network connection in the US and they handle all the technical junk on the backend. Also since these service offerings are not super clear on China's Radar, chances of getting the IPs and ports blocked are really small. There is an advantage to being a small fish.
but the Chinese eat anything that moves, and a load of weird stuff that doesn't so YMMV.
then install windows xp on an old junk machine just for browsing remotely
pay zero attention to security
then wipe the thing when you get home
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
"There are just laws and there are unjust laws. I would agree with St. Augustine that an unjust law is no law at all... One who breaks an unjust law must do it openly, lovingly...I submit that an individual who breaks a law that conscience tells him is unjust, and willingly accepts the penalty by staying in jail to arouse the conscience of the community over its injustice, is in reality expressing the very highest respect for law."
- Martin Luther King, "Letter from the Birmingham Jail," April 16, 1963.
Choose any two.
I would suggest Tor. (Good and Cheap.)
--Pathway
SSH proxy traffic probably stands out like a sore thumb
SSH proxy traffic doesn't look any different from regular ssh traffic. It might involve more data transfer but the packets themselves are no different from normal ssh traffic.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
You be sure and tell them that at the Peking police station.
I have never seen more drivel in my life. If you don't want to follow the laws of the country, then *don't go*. Same with any country including the good old USA. Do otherwise and you are looking for trouble. Not going is a far better protest than going in and trying to sneak around, anyway.
set up openvpn on a machine at home. use xinetd.d to enable two listen ports one on port 53 and another on port 443. be sure to reroute all of your traffic over the tunnel. you will need a dns server internal to your network at home.
this is an example of an xinetd.d/ovpn-file to listen on port 53
service anon-reader53
{
    # UNLISTED: the service name is not in /etc/services, so the port is given here
    type = UNLISTED
    port = 53
    socket_type = dgram
    protocol = udp
    wait = yes
    user = root
    server = /usr/sbin/openvpn
    server_args = --inetd --disable-occ --dev tap2 --secret /etc/openvpn/keys/anon-reader.key --redirect-gateway --replay-persist /etc/openvpn/persist-files/anon-reader --inactive 60 --user nobody
}
use the following for your ovpn config for the port 53 connection
openvpn --disable-occ --dev tap --remote ip.of.your.server --port 53 --ifconfig an.ip.on.remote.network remote.network.netmask --redirect-gateway --route-gateway gateway.ip.of.remote.network --dhcp-option DNS remote.network.dns.ip --secret shared-key-if-you-use-one.key --inactive 60000 --verb 4
an example with ips
openvpn --disable-occ --dev tap --remote 63.97.226.206 --port 53 --ifconfig 10.10.10.20 255.255.255.0 --redirect-gateway --route-gateway 10.10.10.1 --dhcp-option DNS 10.10.10.2 --secret anon-reader.key --inactive 60000 --verb 4
Having to work for a living is the root of all evil.
remote desktop.
Only a very few, large western companies have unfettered access to the 'real' internet in the PRC, and only the foreign national employees have access to it. If you're going to China as an employee of one of these companies, then you may have access. If you are going as a tourist, then you should pretty much expect that whatever surfing you do is being monitored, anonymizers will either be problematic or nonfunctional, and remember there is no such thing as 'freedom'. I would be extremely hesitant to set up my home or office PC with LogMeIn or RDP or any other kind of remote access solution, as it will most assuredly be targeted for hacking by the PLA, which runs the intelligence apparatus. You best be happy with the Disney-rated, government approved Red Internet, otherwise if you need your YouPorn fix, or want to check on WikiLeaks or research Falun Gong, you may wind up being 'interviewed' at an undisclosed location at 2AM. It's not prudent to spit in the eye of your friendly neighborhood communist dictatorship.
Nothing to see here but us trolls...move along...
It is not THAT bad. The whole nation is NAT'ed. You will not have a proper IP address. almost certainly 10.x.x.x. I use the web a lot, and the vast majority of sites work. Groklaw did not work for me, or BBC. But Tor gets around all of that. BitTorrent is slow due to no inbound connections.
To me the bigger problem is dumbass companies trying to 'help' me by detecting my location and localizing.. Just because I am in Whereveristan does not mean I can read the language. My http headers specify us-en. Do not redirect to chinese, or whatever. Annoying.
Time zones are also a PITA because you are awake and they are asleep, or vice versa.
All that aside, screw the internet, and have fun, eat some new foods, meet some locals, wander around aimlessly. Say "Hello", smile. Many do not speak English, but they all studied it from grade school on up. Write it down. Buy one of those calculator translator things, and have somebody show you the buttons to put it into English mode. Better ones have sound. About $20-30.
Buy a phone with a SIM card. 110 is like 911 in the states. 114 is tourist help. Free. Everywhere. They speak multiple languages. Tell them what you want, hand the phone to the taxi driver, solved.
The law is a weapon of the government, not a protection for the likes of you. Surely you understand that.
So what you're saying is that accessing every single website on the internet is a natural right?
I assume you're going on vacation or you'd just use whatever system your IT department has set up. If I'm right and this is a vacation, then freakin' GO ON VACATION. If you get all shaky and twitchy if you go more than a couple hours with a direct neural feed, you need to address your addiction before you leave. You can access everything you'll need while on vacation. You don't NEED to look up "subversive" things while you're on vacation.
If you want to see what the Great Firewall blocks, go to websitepulse (or one of the many other test sites) and use a "test behind the great firewall" tool to see if your favorite sites are being blocked or modified.
If you absolutely must have unfiltered access, get a router that runs dd-WRT and set yourself up the VPN. In fact, get several friends to do the same. Then you can connect to those routers via VPN and surf through those connections. Unless China cuts off your VPN service. As others have noted, this happens regularly.
Bottom line: When you're on vacation, part of being on vacation is immersing yourself in the local culture. In this case, part of the culture involves filtering and sanitizing information. Go with it. I think you'll be surprised at how little the Great Firewall impacts your trip.
Looks like you get a kick out of imagining yourself to be some kind of spy. The risk is not worth it. There is a 99% chance that you'll go scot-free even if you take no precautions. But OTOH, it's also possible that you get into trouble even with all your precautions. The internet isn't going anywhere. Just visit China and behave like a normal tourist would. You can access the 'whole, unadulterated, unfiltered Internet' to your heart's content when you return!
I spent a few years in different cities in China. Here's my take: in order to balance speed and access, you really only want to tunnel/proxy/vpn what you absolutely have to. Most sites aren't going to be blocked so using something like FoxyProxy is pretty essential. If you'll have VPN access, set up rules so that just the traffic that needs to go through the VPN (plus DNS) is getting tunneled.
Also, having multiple workarounds for access is important too: you could very well get stuck somewhere where everything but ports 80, 443 are blocked, ruling out your ssh tunnel (unless you've thoughtfully set your ssh server to listen on a different port) and having a web proxy might save the day. Or one proxy goes down, gets blocked, is too slow, etc.
I personally used a combination of ssh tunnels, web proxies, a paid VPN service and Tor.
Also, note that the great firewall isn't just a blacklist. It also performs packet inspection for keywords/phrases before issuing TCP resets to both parties, so your proxies definitely should be SSL enabled, even if it's just with a self-signed cert.
Isn't this why http://www.peacefire.org/ exists? They are devoted to helping folks get around stupid internet filters, including those of nations, companies, schools, and parents.
I recently spent 1 month in China and was unsure of what to expect about internet access. It was better than I expected. I think it is not worth the trouble to try to dodge any firewalling. I was able to use ssh to connect to computers back home and generally able to surf the internet. I think youtube and google video were blocked, but for a short trip this is not much to worry about. I was able to use gmail and google. The news under google/ig sometimes linked to blocked sites. However, there were always related links with the same information which were not blocked. So, for me, the only problem was not viewing videos for a few weeks. This did not matter to me, though I think there are alternative video sources which are not blocked.
The net result is that access is nearly unfettered, so it is probably pointless and perhaps unwise to try to subvert the firewall. Freedom seems to be increasing in China. Enjoy your trip!
Ray Seyfarth, ray.seyfarth@gmail.com, http://rayseyfarth.blogspot.com
You might want to look into dropping RST packets at BOTH ends under certain circumstances, because the Chinese spams those around almost randomly.
Using the internet in China is very flaky and unreliable, because what they've set up isn't this all powerful, stateful firewall; as maybe they'd like you to believe, but a b0rk-the-internet pile of RST spewing shit.
$ cat ~/bin/socksproxy_to
#!/bin/sh
ssh -D 8080 -Nf "$@" && \
echo "Configure your browser to use a socks proxy on localhost port 8080"
For every problem, there is at least one solution that is simple, neat, and wrong.
Our company does business in China and even has an office there. We have to constantly remind our employees that it is illegal to use VPN in China. Using SSH is also disallowed.
You could, however, set up an unencrypted SOCKS proxy on some random port.
Here's how I'd do it:
Notes:
Great in theory. Here in the US, people worry "Oh, you might get sent to Gitmo", but everyone knows that the media watches, the Govt watch, and the people watch the Govt, no matter HOW bad you think things are
Ask yourself - The guy in front of the tank at T Square? Where is he now? Where are a LOT of protestors? There are a LOT of places in the world where you piss off the Govt enough, you end up dead
It's up to you - but screaming "I want my universal rights" at a lot of places in the world just get you laughed at
Dear Slashdot,
I go to a high school in which internet access is heavily filtered so that students cannot visit websites that are deemed containing questionable content. How can I subvert the filters and firewalls so I can reach sites that aren't questionable like National Geographic, The Library of Congress and the US Constitution online?
Whatever happened to respecting the rules of your hosts? Maybe we forgot what happened to Michael P. Fay in Singapore. He required Bill Clinton to literally save his ass.
What law would this person be breaking? As far as I can tell there is no such explicit law in China forbidding people from circumventing the Great Firewall of China, although nothing would stop them from trumping up some charges against you using one of their many loosely defined laws, such as distribution of 'state secrets' which can be virtually anything (but they could do that regardless).
Instigate a revolution, successfully overthrow the government, and instate a new government with more liberal social policies.
Once the power comes back on, and telecommunication services have recovered (and reconfigured) enjoy free western-style Internet access!
... the biggest risk you face is showing off your capability to the locals.
My own experience and the opinion of those (business people) I spoke to is that the Chinese don't really care if you are using a VPN of some sort, as long as they don't suspect you are involved in some kind of dissidence or other "subversive" activity.
For what it's worth, I have used SSH tunnelling to my own tinyproxy installation. I enjoyed moderately high speed from my hotel rooms and from Starbucks.
Incidentally, I didn't set this up to bypass censorship. I use the proxy any time I am at a wireless hotspot for obvious security reasons. It also enables me to use my credit card overseas without being flagged as a risk because my IP address always jibes with my credit card postal address.
Life- everyone is entitled to live once they are created.
Liberty- everyone is entitled to do anything they want to so long as it doesn't conflict with the first right.
Estate- everyone is entitled to own all they create or gain through gift or trade so long as it doesn't conflict with the first two rights.
And the founders of the USA thought so, just look at the Declaration of Independence
We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.
Such thought isn't limited to post-1600s thought either,
NO Freeman shall be taken or imprisoned, or be disseised of his Freehold, or Liberties, or free Customs, or be outlawed, or exiled, or any other wise destroyed; nor will We not pass upon him, nor condemn him, but by lawful judgment of his Peers, or by the Law of the land. We will sell to no man, we will not deny or defer to any man either Justice or Right
According to the Magna Carta signed in 1215.
So yes, it is a natural right because it's liberty, you have a natural right to have property, part of that is a computer I'm sure we can all agree, if you have property then no one should deprive you of your use of said property unless it violates the rights of others. Considering that accessing various internet sites doesn't infringe on the rights of others, I'd say it's a natural right to use the internet if you pay for it and a violation of natural rights for the government to control it.
Now, of course western thought doesn't mean shit in China.... But that doesn't mean that natural laws don't exist because China doesn't believe in them.
Taxation is legalized theft, no more, no less.
Most ISPs in China will not be able to provide you a connection better than about say 1 Mbits/s. Even if you have an ssl encrypted proxy or vpn set up at home, your connection to your home network in the States will be unbearably slow. But the openvpn suggestion is going to be your best bet.
See "How to Break Out from Inside a Draconian Firewall": http://technotes-fran.blogspot.com/2009/11/how-to-break-out-from-inside-draconian.html
Download a copy of the Server 2008 demo; it is good for 60 days. Set it up on a VM and enable TS gateway functionality. Basically it will let you tunnel remote desktop to any computer on your local network over SSL to the internet. Or use logmein, not sure if that's blocked there?
Nuclear war would really set back cable. - Ted Turner
Run a DD-WRT router with SSH forwarding enabled on your home inet connection (assuming home is in a free country), using DDNS if you don't have a fairly static IP (DSL). Fire up putty, ssh to the router. Fire up your favorite browser that supports SOCKS proxy and you are surfing...
Look into I2P. In my experience it's faster and more secure than tor, and it can be booted off a flash drive on a windows computer, and it has an outproxy that can send its data through the tor network AND I2P. The only thing is it's slower to start up than tor, but not by much.
Which is, like I stated previously, why China really needs a revolution, probably an armed revolution to restore a government that actually is by the people. Plus, if you look at a lot of the world, the military can act as a check against governmental power, it only takes a rogue wing of the army which has become enlightened to start over the restoration of basic rights.
Taxation is legalized theft, no more, no less.
The problem is that in 99% of the cases in which the military becomes "enlightened" you end up with a fascist dictatorship.
In soviet russia the government regulates the companies.
Certificate Patrol (https://addons.mozilla.org/en-US/firefox/addon/6415) watches for changes in SSL certificates and alerts you to those changes, so you can decide if someone is pulling an SSL MITM attack on you. If the Chinese routers are running SSL interceptors (e.g., Cisco's IronPort or Bluecoat's ProxySG), then you will see alerts that the SSL certs you last got from within the US are different in China.
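The check that comment describes (record a site's certificate on a trusted network, then compare what is presented elsewhere) can be sketched as below. This is an added example, not Certificate Patrol's code or part of the original comment; the function names, the JSON pin file and the two constructed byte strings standing in for DER certificates are assumptions.

```python
import hashlib
import json
import ssl
from pathlib import Path


def fingerprint(der_bytes):
    """SHA-256 over the DER-encoded certificate, as hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def fetch_leaf_der(host, port=443):
    """Return the leaf certificate the current network path presents for host.

    The chain is deliberately not validated here: the goal is to record
    whatever is presented, including a certificate minted by an
    intercepting proxy, so that it can be compared with the stored pin.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(store_path, host, der_bytes):
    """Compare a presented certificate with the fingerprint recorded earlier.

    Returns (status, presented_fingerprint), where status is one of:
      "new"     - host not seen before; fingerprint recorded (trust on first use)
      "match"   - same certificate as the one recorded
      "changed" - different certificate; the stored pin is NOT overwritten,
                  so a later return to the original certificate matches again
    """
    path = Path(store_path)
    pins = json.loads(path.read_text()) if path.exists() else {}
    seen = fingerprint(der_bytes)
    known = pins.get(host)
    if known is None:
        pins[host] = seen
        path.write_text(json.dumps(pins, indent=2, sort_keys=True))
        return "new", seen
    if known == seen:
        return "match", seen
    # A change is a prompt to investigate, not proof of interception:
    # servers rotate certificates and CDNs may serve several.
    return "changed", seen


# Constructed stand-ins for two different DER certificates of one host
# (hypothetical host name; real use would pass fetch_leaf_der(host)).
HOME_CERT = b"constructed-der-bytes-seen-on-home-network"
AWAY_CERT = b"constructed-der-bytes-seen-on-hotel-network"

if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        store = Path(d) / "pins.json"
        for label, cert in [("home", HOME_CERT),
                            ("home again", HOME_CERT),
                            ("away", AWAY_CERT)]:
            status, fp = check_pin(store, "webmail.example.org", cert)
            print(f"{label:10s} {status:8s} {fp[:16]}...")
```

Run the first check on a network you trust, since trust on first use records whatever certificate it sees first.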
Seriously, ssh -D is your friend:
     -D port
             Specifies a local ``dynamic'' application-level port forwarding.
             This works by allocating a socket to listen to port on the local
             side, and whenever a connection is made to this port, the
             connection is forwarded over the secure channel, and the
             application protocol is then used to determine where to connect
             to from the remote machine. Currently the SOCKS4 and SOCKS5
             protocols are supported, and ssh will act as a SOCKS server.
             Only root can forward privileged ports. Dynamic port forwardings
             can also be specified in the configuration file.
My prior job required me to travel to China for a few weeks every 2-3 months & I found it invaluable. Fire it open on the command line, and set your browser to use that local port as a SOCKS proxy.
(Note, however, this will not help you deal with shitty bandwidth to sites outside china. On that front, you're pretty much just fucked until you leave China. Even "off hours" don't help that much.)
SlashSig Karma: Excellent (mostly affected by moderatio
I have been to China for a month. I can honestly say that I doubt bypassing the firewall would be a major cause for concern, they do not go after most people trying to get around it especially not foreigners. That and I doubt very much they are monitoring every connection at once and trying to track down every person that attempts to connect to a forbidden website. What WOULD get you in trouble is attempting to teach many people how to bypass the firewall while in China. That I would not recommend.
That being said though, do you really need to bypass it when there for a few weeks? I was there for a month, and I considered myself on vacation - so i didn't bother testing the waters. I doubt you come across any sites that are blocked (besides facebook). Facebook and a few others being the lone exceptions, the only real way to even get blocked is to test the waters with something obvious. Do you do much searching for "freedom, tibet, falun gong" etc. while you are in the US? No (i would think). Then why search them in China?
I hope you have fun there, I certainly did. It is a very rapidly developing country with a lot of hope for change - my general impression as far as politics and economics is they have been becoming more and more lax when it comes to acting as a totalitarian state. I think it is very possible that they will become more lax in the internet area as well within the coming years.
I've traveled in China several times, and as a "rich white guy" you won't have serious problems even if you make loud political statements that the party disagrees with. (E.g. here is a short list of forbidden words).
What you should be careful about is discussing politics with the locals. At worst you'll be asked to leave the country, but they can be thrown in jail or "disappeared" if they say, criticize party leaders.
In other words, using a ssh proxy is fine. There is probably even no law against it, except for the general "don't do things not in the interest of the Party".
But it leads to instability which provides an opportunity for the Chinese people to form a government that actually supports their rights, they'd need to act quickly but it is possible.
Taxation is legalized theft, no more, no less.
Software specifically designed for this use (I took their class in first year)
http://www.civisec.org/software/psiphon
You may be able to get a several-month shell account on a machine that has ssh or a virtual server. With low usage you should be able to find something for tens of dollars a month or less, a lot less if it's not a true virtual machine. Get several in different countries if you can afford it.
Don't know if the firewall blocks the ssh ports or not. If it does, open sshd on port 80, that might work. If they deep-packet-inspect for encryption you may be boned but if TOR goes through this should as well.
With sshd in a virtual machine you can set up a tunnel to encrypt traffic between your laptop and your virtual server and use your web browser and other applications through a "local proxy."
OpenVPN is very easy to setup. Just setup openVPN on your home computer and get a dyndns hostname for it. The rest is easy.
MLK was not a tourist in Birmingham. He was a US citizen, in a US jail.
"seditious Chinese website" -- like wikipedia, dropbox, archive.org, google cache, blogspot, sourceforge, freebsd.org, youtube, twitter, foursquare and facebook .
My experience might be a bit outdated (October 2008 was the last time I was in China), but I didn't see much of a firewall there. The only sites that I couldn't reach (occasionally!) were zh.wikipedia.org (which I tried out of curiosity) and a sourceforge download site in Taiwan. And I tried a lot of sites, including the ones that you mention and other usual suspects.
My Chinese colleagues told me that generally only Chinese-language sites and sites located in Taiwan are blocked. They also told me that anyone with basic computing literacy can circumvent the firewall anyway without so much of an effort. I can't tell you much about the details because I didn't need to and my colleagues didn't seem to want to speak about it. My impression was that the Chinese DNS server just didn't resolve some site names.
At times I had the impression that the SSL connection to my webmail service in Germany and the VPN connection to my company's intranet was a bit slow and unreliable (which made me paranoid of a man-in-the-middle attack), but when I was in the US recently the connection was even more slow and unreliable. Draw your own conclusions.
Say out loud: I'm an Aspie and I'm somewhat proud, I guess. Uh. Can I write an email in all caps instead? Hm...
Be aware, current security best practices suggest that you physically destroy whatever computer you use while you're in China. It is highly likely to be subverted while there. Seriously. Think about buying a cheap netbook while you're there, or get a used one here that you're going to sell before you leave.
Seems like most of you are too dumb to realize that the issue isn't setting up a connection. That should be trivial for anyone. The issue is that they do not let your encrypted traffic out of the country if they recognize it as such. Next time don't just start typing. Learn something about what you are commenting on *before* you comment.
Went there a lot of times. The great firewall is not as hard as it seems. You'll be able to access most major US newspaper websites, without any censorship. Although using User Generated Content platform (YouTube, Blogspot, ...) may be harder. But anyway, as long as you don't try to bypass the law and/or wear a free tibet shirt at the border, you'll see that China is not the third reich and I'm really happy to go there every time. You'll probably go back with a different impression
But if you are only there for a few weeks, better abstain from using these sites than having troubles with the local Police Bureau because you just wanted to see some shitty video on Youtube. It's probably not worth it.
Instead, enjoy the food (really far better than what you'll find in a Chinese restaurant in the West. In fact every time I go, I refuse to go in a chinese restaurant for at least a month after my return since everything will taste awful comparatively), profit from a foreign but astonishing culture (try Chinese Opera in Beijing, Ping Tan if you are near Shanghai, visit the gardens in Suzhou, try real dimsums in Guangzhou, ...) and try to have contact with the population. (Well don't speak about Tian An Men incidents the first time you meet someone, but once you have a friendship you may learn a lot of things about the country, good and bad without having to ask for it. And you'll discover a completely Alien way of thinking about things and seeing life. And this will explain a lot of questions you may have about this country). Especially if you are going there for the first time, you may have no time to go on the web as there are so many things to do.
If you go to Shanghai, don't forget to try the "Bar Rouge" on the Bund. Expensive, but amazing view on the skyline. In the North, be careful with Maotaijiu (alcohol at 65 degrees), but try it.
Enjoy your stay and you'll quickly forget a few restrictions on Youtube and other sites with bad user generated content.
Hrmph. I don't have anything to add, except the possibility just hit me that the reason I am suddenly not getting answers back from the person I've been emailing back and forth in China is I am using gmail... what're the odds?
Just tunnel, nobody cares if you are bypassing the GFW. In fact there is no such LAW saying it's illegal, only rules and regulations.
How is internet access a natural right?
What a retarded mindset. I have a natural right to avoid places that impinge on what I see are natural rights, and that's about it.
The Ironkey flash drive ( https://www.ironkey.com/ ) was developed for the military. It features DOD standard encryption on the hardware level and a pre-installed version of firefox with a vpn tunnel provided by Ironkey itself. A.D.B.
Your use of the word 'restore' suggests that you believe that, sometime in the past, China had some form of democratic government. The larger assumption is that the Chinese people, as a whole, *want* government by the people. The historical and cultural evidence indicates otherwise.
Set up a linux box at home. Run squid proxy. SSH tunnel to your linux box at home and now you have an encrypted proxy inside the US to connect to.
There is no need for this at all
I was in china a few years back, and just stopped in any internet cafe and was able to browse everything at high speeds
so you are overthinking this as well as reading too much into the hype.
You can run an openvpn daemon on your home network and have the traffic routed to the wider internet from there.
See: Encryption restrictions in China.
"If you encrypt data in China, you have to provide the Chinese government the ability to access the keys. By this regulation, the Chinese should be able to get access to [Secure Sockets Layer]-encrypted traffic, too."
It's basically one big Charlie-Foxtrot over there. But if you want to avoid being found out and thrown into a Chinese jail cell, you had better play it safe.
www.overplay.net do a great free VPN server in the US (as well as servers just about everywhere else)
I'm not sure that the ability to view websites blocked by China while you're visiting their country constitutes a natural right. Even granting that you do have a responsibility to break laws you feel are unjust, you must still face the consequences of breaking that law. A responsible adult must look at their obligations and determine if the consequences of breaking the law and being punished outweigh the benefits of breaking the law.
Is making this statement worth going to a chinese jail over? Is making this statement worth leaving your child without a parent, or your parent without a child over? Will the good that you do for society by this act outweigh the harm you cause to those who love you?
Paranoia! Pathetic... I've been living here for many years and I've never had any trouble at all with the Government. Maybe you all should stop watching so many movies.
I'm Chinese, but live in the UK - I've used various methods to tunnel under the wall, and the most successful were SSH tunnels to a home server, and openVPN. China seems to have blocked free web proxies over the last two years
HOWEVER one word of warning: China appears to have blocked a lot of DDNS services, so even though I could SSH, I couldn't reach the DDNS domains set up for the home server.
Since then, I've used a Cron job to send its IP address to a web server periodically, so that I could access from China
Most SSL proxies don't make you anonymous, nor do they encrypt incoming communication. If you truly understand how SSL works, then you would know, most SSL implemented on the internet are only one way encryption, not two way. Unless you use client cert, all communication the server sends you are unencrypted. The great firewall of China filters site content. So if you use an SSL proxy, the Chinese government still are able to nab your IP address by filtering incoming packets from your proxy to your host. The safest way to not get caught is to use ssh tunneling using two way encryption.
Where is the "Ignorant" mod tag?
If you have a linux box in the US, install NX Server (free) on that box, then install NX Client on your laptop or USB memory stick with whatever distro you want to use. Secure remote browsing done easy. Marco
You could use OpenVPN with static key, on some random port, which basically has no signature and therefore is hard to be identified. The normal mode makes it easily identifiable, therefore easily blocked.
You probably need your own server for this, or at least the help of a friend.
See this:
http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
But when the law unfairly restricts your natural rights, then the breaking of that law is completely justified, hell, armed revolution in the case of China is very much justified for the Chinese people.
That said, I'm not sure if I'd really do it in China as a tourist, not that they'd probably do much (China gets western businessmen all the time) but I just wouldn't want to take the risk unless.
But really, if a law is unjust and violates natural rights, you have every right to break it, some may say you even have a responsibility to break it because by not breaking it you in essence prop the law up.
Those are brave words. Most people, however, are chicken.
Even you admit that you wouldn't do it "as a tourist." If not as a tourist, when you can at least claim ignorance and hope that they let you go, then when? Would you do it if you were a Chinese citizen?
I bet not.
Why not just obey the law while in China and stay out of jail/alive?
You have no idea of what you are fucking with. If you don't think they will be watching everything a foreign national is doing and itching for a reason to arrest you, you are naive, bordering on stupid.
It's one thing to espouse freedom like we have in the US. That's a noble pursuit.
It's quite another to be thrown in a Chinese jail for no other reason other than "Look at me, I'm getting through the great firewall of china :-p"
Get a grip. Go over there, do what you gotta do, and come home.
Don't kid yourself. It's the size of the regexp AND how you use it that counts.
At a western hotel I'm sure 95% of your needs will be met. If you want free-roaming unfettered internet access and speeds throughout china... well... I would ask why you would need such access and if that access would be worth a stay in a Chinese prison.
A friend traveled to PRC about 6 months ago. You have to use an outside DNS server, preferably over SSL and an outside proxy over SSL. I was giving him the DNS records over IRC (or MSN), so that he entered them manually in the local lookup table and then he routed all the traffic over a proxy I've set which was SSL only. I must stress that if you just make one single request without SSL over an outside proxy, the IP of the proxy gets banned. Also sites (e.g. Facebook) aren't resolved by local DNS servers IIRC, plus the IPs of these sites are blocked. Funny thing is that IRC (or MSN, i don't remember exactly) worked normally. :)
I am honest American myself not complete satisfied with policies of Great Republic. It is good you tell grievance to all very publicly. When you arrive my friend Mr. Lee will visit and he will adjust your computer for maximum benefit, and help educate you on proper Chinese customs.
Support microSD: in a post 9/11 world, it is unwise to carry your data on media that you cannot comfortably swallow.
My daughter is living in Beijing for a year so before she left I got her a notebook and set it up with everything she'd need. For a brief moment I considered installing an SSH tunnel or VPN access back here to home, but then I thought about what my ex-wife's voice would sound like when she said, "they are detaining our daughter because they found military grade encryption software on her computer. How did that get there?" and decided against it.
Seriously, if you disagree with their policy don't go. In your own country you have the right to civil disobedience against unjust laws. In another country you are a guest and should act appropriately.
I'm an Aussie, our countries fought together in many wars (some still ongoing) and about as peaceful a partner as the US can get. Despite having travelled to the US about a dozen times and even lived over there for a couple of years, I have refused to return because you want to fingerprint me on entry now.
If you disagree with a requirement of entry. Don't go. It is astonishing that you would premeditate to break China's laws because of your political views when your own country has a bunch that you have not fought against.
Sheesh.
--M
# grep slashdot access.log | grep html | sort | uniq | wc -l 2604
Why spend your money in a country where it's just going to end up in the censor's hands (ie., the Chinese government)?
Yes. Echoing the statements of many people throughout history. According to Locke there are three major natural rights (as in rights given to everyone at birth simply because they are human)
Life- everyone is entitled to live once they are created.
Liberty- everyone is entitled to do anything they want to so long as it doesn't conflict with the first right.
Estate- everyone is entitled to own all they create or gain through gift or trade so long as it doesn't conflict with the first two rights.
OK, then I'm going to punch you in your face. It doesn't threaten your life (I won't punch that hard), therefore rule 1 doesn't apply, and therefore rule 2 tells me I'm entitled to do it.
The Tao of math: The numbers you can count are not the real numbers.
1: Set up a *nix server at yours or a buddy's house (the latter is best, because your buddy can turn it back on if the power goes out)
2: install OpenSSH on the server
3: Learn to use SSH tunneling.
The Internet has given stupid people the resources of intelligent people.
I was in China for a summer and was able to access anything, uncensored through this free vpn service. http://hotspotshield.com/
= better performance than any other (secure, anonymous) remote desktop solution.
You see it as perfectly innocent. To "the authorities" it might look like a good cover. Oldest trick in the book, perhaps?
You may have forgotten that China is currently cracking down on porn. The man can't live without his porn!
If it's unencrypted, what's the point?
Get a free 1 month trial account on GoToMyPC and use that to connect to your home computer to do your browsing. Bingo, instant secure proxy.
I wonder if the AC who posted the question might be a lazy network tech in China trying to close holes?
I'm a happy pessimist. I expect and prepare for the worst, when it doesn't happen I am pleasantly surprised.
For god sake some of you make it sounds like the OP's never gonna be seen alive again. He's just going to China, not the goddamn Death Star. I guess you can say there's always the risk of being detained, but you risk being detained just coming back to the US! Any halfway savvy Chinese net user knows how to browse blocked sites. The laws are intentionally vague and nebulous. Enforcement against you is unlikely unless you really try to start something.
Unhindered access to the intertubes is a natural right now?
How about you just respect the laws and culture of the country you're visiting, you enormous cretin!
What's next on your world tour? Hey the UK has some pretty stringent firearms control. Why don't you go over and take some guns? Or how about you visit an Islamic country under sharia law, take along some female friends and have them dressed in bikinis the whole time! Yeaah!
Oh no, then maybe you might experience some foreign culture. And you surely couldn't do that.
A satellite modem.
I'm surprised this answer didn't come up earlier. At the very least, set up an SSL proxy back home. If you do/can run a web server in your house, with an ISP that doesn't make it difficult, this is the obvious solution. I did this as a favor for a nephew living in the Middle Country, and he was able to surf freely.
If you're carrying your own laptop, and can ssh into your server, then with port redirection, truly you are powerful, and will be limited only by the bandwidth between you and home plate.
Luke, help me take this mask off
Tunneled traffic looks different than keystrokes and occasional bursts of text, unless you are some kind of heroic typist.
It's pattern analysis. Packet counts, inter packet temporal spacing, data volume, etc.
Now it may be that ssh is used often enough for tunneling/file transfer/etc that tunnel sessions are common, but it still will look a lot different on the wire than a terminal session.
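The pattern analysis that comment lists (packet counts, inter-packet spacing, data volume) can be made concrete with a small flow classifier. This is an added example, not from the original comment; the thresholds, label names and both sample flows are constructed assumptions, not measurements of any real filter.

```python
from statistics import median

# Assumed thresholds for this illustration only.
LARGE_BYTES = 1000    # payloads close to a full segment
BURST_GAP_S = 0.005   # gaps under 5 ms count as back-to-back packets
MIN_PACKETS = 20      # below this there is too little to judge


def flow_features(packets):
    """Summarise one encrypted flow from metadata alone.

    packets: list of (timestamp_s, payload_bytes, direction),
    direction being "out" (client to server) or "in".
    """
    if len(packets) < 2:
        raise ValueError("need at least two packets to measure spacing")
    packets = sorted(packets)
    sizes = [size for _, size, _ in packets]
    gaps = [b[0] - a[0] for a, b in zip(packets, packets[1:])]
    bytes_in = sum(s for _, s, d in packets if d == "in")
    bytes_out = sum(s for _, s, d in packets if d == "out")
    return {
        "packets": len(packets),
        "total_bytes": bytes_in + bytes_out,
        "large_fraction": sum(s >= LARGE_BYTES for s in sizes) / len(sizes),
        "burst_fraction": sum(g < BURST_GAP_S for g in gaps) / len(gaps),
        "median_gap_s": median(gaps),
        "in_out_ratio": bytes_in / max(bytes_out, 1),
    }


def classify_flow(packets):
    """Label a flow terminal-like, bulk-like, or undecided."""
    if len(packets) < MIN_PACKETS:
        return "insufficient-data"
    f = flow_features(packets)
    # Bulk traffic (tunnelled browsing, file transfer): mostly full-size
    # packets arriving back-to-back.
    if f["large_fraction"] >= 0.5 and f["burst_fraction"] >= 0.5:
        return "bulk-like"
    # Typing: small packets paced by a human, almost never back-to-back.
    if f["large_fraction"] <= 0.05 and f["burst_fraction"] <= 0.1:
        return "terminal-like"
    return "indeterminate"


def sample_terminal_session(keystrokes=200):
    """Constructed flow: one small packet per keystroke plus its echo."""
    pkts, t = [], 0.0
    for _ in range(keystrokes):
        pkts.append((t, 36, "out"))
        pkts.append((t + 0.02, 36, "in"))
        t += 0.25
    return pkts


def sample_tunnelled_browsing(pages=10):
    """Constructed flow: small request, burst of full packets, idle gap."""
    pkts, t = [], 0.0
    for _ in range(pages):
        pkts.append((t, 300, "out"))
        t += 0.05
        for _ in range(40):
            pkts.append((t, 1400, "in"))
            t += 0.001
        t += 2.0
    return pkts


if __name__ == "__main__":
    for name, flow in [("terminal", sample_terminal_session()),
                       ("tunnelled", sample_tunnelled_browsing())]:
        print(name, classify_flow(flow), flow_features(flow))
```

As the comment notes, file transfers over ssh produce the same bulk pattern, so the label says how the flow behaves, not what it carries.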
I lived in China for a year in 2008, and here is my advice.
Get a VPN service or set up your own. You won't find that too many websites are blocked, but there are some doozies: Blogspot, YouTube, Facebook, Twitter and some other blog and social media sites. Probably nothing you can't live without if you're only going for a couple of weeks. And if some politically sensitive event happens while you're in China, the filter might get dialed up a notch.
These people who think you might get arrested for circumventing the blocks are nuts. Unless you are involved in some sort of criminal or political activity, or you have an erstwhile business partner in China who wants to make your life hard, you've got nothing to worry about from the police.
So somebody from a repressive religious state has the "natural right" to exact deathly punishment on women who dress too skimpily. That's respecting the order of the universe. Any law against that is unjust and violates their natural rights. Would you support their right to break murder laws in western nations?
People with strong beliefs willing to stand against a government in the name of change must expect conflict, not appeasement.
VPN service can start as low as $20/year. You'd be hard-pressed to spend over $100 for a year of full-speed access via OpenSSL or something. (I'd recommend that, something where the certificate and key are exchanged before you go to China, just to be sure there's no MITM going on.)
I doubt your time is so worthless that you would be better served by setting up your own method on Linux, than by skipping Starbucks for a week before you leave and putting that money into a turnkey solution.
The Chinese Government is not worried about what your wife accesses via the Internet when she's there.
The Chinese Government is worried about the entire population of the country having access to material on topics related to the three T's: Tibet, Taiwan, Tiananmen.
They might care if your wife tried to provide Internet access to an entire community/village via a VPN connection but maybe not.
I used to work in China, for an American company. Our Intranet was VPN'd back to the USA. All I had to do in order to access material blocked by the Great Firewall Of China was to point my web browser at a proxy in a country outside of China (USA, Europe, etc.) Any of the 300 employees were able to do that. I've never heard of there being any issues with this.
So I suspect that many folks already do exactly what the person posting the question is contemplating and we don't hear stories about their laptops being impounded or the people being arrested, leading me to conclude that this does not happen.
proxytunnel (and cntlm if you need NTLM authentication to your local proxy) will get through just about any stateful filter/proxy that only allows ports 80 and 443 outgoing and tries to block proxies with packet inspection. Listen on yourhost:443 with an SSL proxy (e.g. encrypted HTTPS proxy server) and allow CONNECT 127.0.0.1:22 via that proxy. Use proxytunnel with the option to connect through the local proxy using cntlm if necessary, then through your own encrypted proxy and finally connect to 127.0.0.1:22 for the SSH connection. In your ssh config set up the host you will use with the ProxyCommand to invoke proxytunnel with the required options. It works because the deep inspection firewall only sees a plain vanilla SSL connection to yourhost, with no evidence of HTTP proxying or SSH being tunneled through it. Tunnel through SSH as necessary.
If you're using Apache as your SSL proxy, you will have to patch proxytunnel to turn off SSL once the proxy connection to sshd is established because for one reason or another Apache thinks it's a good idea to hand the raw socket over to the proxied connection instead of keeping it running through SSL. That might let an exceptionally paranoid firewall see the SSH exchange and block it, but it's still secure if you tunnel everything else through the SSH session.
I'm pretty sure that your daughter's laptop still has "military grade" crypto on it to support https (amongst other things), it just doesn't have applications installed that use it to support tunneling data. What's more, I'm pretty sure that if she wanted, she could download and install the right software whilst she's in Beijing and go at it from there. If this was a serious problem then a lot of business travelers would be at risk. I'm not sure your perspective is because you're overly paranoid, just don't understand the risk that China is trying to mitigate or have an ill-formed sense of self-importance.
Using your train of thought here, does your daughter therefore agree with all of China's policies? (I presume that she didn't need your approval to go there or otherwise your own logic implies that you approve of China's policies but disapprove of those in the USA?)
But clearly China's stance has won when it comes to comments like yours (there is more than one comment saying "do nothing" like you) because they've made you afraid. Afraid to expect and demand a way of life (unfiltered Internet access) that you can have elsewhere.
Think about this for a second. Do you suppose that employees of large companies that use VPN software for roaming simply don't use VPNs when they're in China? Give it a break. Having functional VPNs is important for China so that it can support business travel. Can you imagine if every business traveler was arrested because they used a VPN with AES from their hotel room? Yeah... not going to happen, is it?
Might be different if they used said VPN to provide unfiltered Internet to local residents, but that's not likely to be in anyone's best interests so it doesn't happen.
I've been to China. I've used the Internet there. Unless you are looking at things specifically about things they don't like, Tibet, Tiananmen and such, you won't have a problem. What are you planning on doing that you think might be a problem? After all, I'm presuming you are going there from the US, so you have no problem with the federal government listening to everything you send (so far, no one has ever actually denied that AT&T feeds 100% of all Internet traffic that touches their network to the feds). So you must think that you'll be missing something from the "full Internet." I'm curious what you think that will be. I haven't been there in a couple years, but I could get to the Wikipedia entry for Tiananmen Square. But a google.cn search on it wouldn't give "full" results. They actually block very little. And most of what they aim to block are sites in Chinese.
It's like going to a country with child porn filters. If you aren't planning on doing porn or child porn, it will likely be something you won't ever hit even once, so planning on workarounds for them would be a silly waste of time. I'm not asking to make you justify not wanting to be filtered, but just trying to see if the cost benefit scenario actually leans towards an answer other than "don't do anything, you'll never notice it."
Learn to love Alaska
But really, if a law is unjust and violates natural rights, you have every right to break it, some may say you even have a responsibility to break it because by not breaking it you in essence prop the law up.
Tunneling under the firewall may be an act of rebellion but is not civil disobedience as Thoreau or Gandhi or Martin Luther would have understood it.
Civil disobedience is open and public.
Civil disobedience means paying the price of disobedience - no matter how high.
Civil disobedience means nothing to a regime that operates in secret and fundamentally does not care how many people have to die to achieve its objectives.
The lone tourist might be ignored - but he could go to trial.
The repeat visitor who routinely breaks the rules begins to look more like a spy, a courier or agent provocateur.
In which case, he might meet with an unfortunate accident.
When I was in China in 2004 I was surprised to find that internet access appeared completely unfettered. I stayed in both Beijing and Xi'an and had no trouble accessing both secure and non-secure sites including my bank, CNN, etc. from hotels, coffee shops, and people's homes. I didn't go out of my way to look for something I could not access, but I never ran into anything either.
Why are you posting here and basically informing the Chinese government how their firewall can be circumvented? STFU and tell the OP to use google!
Yes, get a VPS, use SSH SOCKS proxy tunneling with dns read up, with Firefox and FoxyProxy. It works like a charm.
The way he shoved that cop. Would he have survived that in any major American city?
That is exactly why I won't visit the USA.
The Chinese government couldn't care less about you accessing those sites. Just their own citizenry.
I travel to China for business all the time, and here is my 2c. The internet in China splits into two main carriers, China Telecom and China Unicom (formerly China NetCom). CT is much larger than CU, but has much worse out-of-country connectivity. Since switching from CT to CU at my apartment (10m line) I get on average 2m when connecting to US with latency of about 240ms to my proxy server located on the West coast. However, expect speeds to take a crap at peak usage times (around 5pm to 10pm).
As far as the dirty work, you can't get away without some form of remote machine. Easiest way as some peeps mentioned is to use ssh dynamic level port forwarding (ssh -D localhost:8080 you@destination) + socket proxy in Firefox with socks_remote_dns set to true (or start Chrome with --proxy-server="socks5://127.0.0.1:8080" to allow DNS proxy as well). And yes, China does do DNS query injections when connecting to any out-of-country DNS server, so keep that in mind. For better transfer speeds use openvpn. The setup takes a few minutes and you can use udp (which will allow for much faster transfer speeds than ssh proxy, which uses tcp). Alternatively, search for hosted vpn services and blow some $ (some VPN providers offer $ back within 30 days so it might end up being free, depending how long you stay there).
As far as legality, no one cares if you vpn. As long as you don't run around the streets and yell "viva vie revolution," or ask guards where the tanks rolled around back in '89, you'll be fine. You'll find that the locals are quite nice and respectful, besides the times when they try to rip you off or deposit a loogie right in front of you (and some of the sprinkle hits your face). Oh, and lastly... if you need to surf some pron, double check your vpn is on because that's a 2000rmb ticket in China (hear stories all the time how ppl get busted) and you get kicked out of the country if you're a foreigner. Instead, feel free to visit a local chicken coop which are so abundantly available pretty much all around the country (j/k, don't do it... you'll get aids).
Cheers!
SOCKS over SSH over HTTPS is nice. You'll need Apache with mod_proxy enabled (and probably stunnel due to Bug 29744), plus an SSH server. On the client, PuTTY or OpenSSH, using proxytunnel (or equivalent) via proxy command setting.
Maybe put your keys and clean portable versions of PuTTY or OpenSSH, proxytunnel, Proxifier, Firefox with FoxyProxy, etc. inside a hidden TrueCrypt volume and keep your TrueCrypt key somewhere innocuous to collect later (32GB microSD in your phone?). Better yet, put your whole environment on a VM (e.g. using VirtualBox) in there too and keep it clean and locked down.
If you're not using FoxyProxy, or on *nix and using tsocks (without --enable-socksdns compile option), beware of DNS lookups.
Also maybe consider changing CNNIC CA root certificate in your browser to Untrusted (to remove one MITM attack vector).
Alternatively, if you're really stuck, you could just buy some (Windows?) hosting anywhere overseas and remote desktop to it with TLS enabled.
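The DNS caveats in the two comments above (socks_remote_dns, Chrome's socks5:// scheme, tsocks built without SOCKS DNS) come down to what the client puts in the SOCKS CONNECT request: a hostname for the proxy to resolve, or an IP address the client already looked up on the local network. The following is an added example, not part of any comment in the thread; it builds and inspects SOCKS4, SOCKS4a and SOCKS5 requests, and the function names, hostname and address (documentation range) are constructed for illustration.

```python
import ipaddress
import struct

def socks5_connect(host, port):
    """Build a SOCKS5 CONNECT request (RFC 1928). An IP literal is sent as
    ATYP 0x01/0x04; anything else is sent as a domain name (ATYP 0x03)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname length out of range")
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

def who_resolves(req):
    """Return (resolver, target, port) for a SOCKS4/4a/5 CONNECT request.
    resolver is "proxy" when a hostname travels inside the tunnel and
    "client" when the name was already resolved locally (a DNS leak)."""
    if len(req) < 8:
        raise ValueError("truncated request")
    if req[0] == 5:
        atyp, rest = req[3], req[4:]
        if atyp == 3:                                  # domain name
            n = rest[0]
            if len(rest) != 1 + n + 2:
                raise ValueError("bad domain length")
            port = struct.unpack("!H", rest[1 + n:])[0]
            return ("proxy", rest[1:1 + n].decode("ascii"), port)
        size = {1: 4, 4: 16}.get(atyp)                 # IPv4 / IPv6 literal
        if size is None or len(rest) != size + 2:
            raise ValueError("bad address field")
        port = struct.unpack("!H", rest[size:])[0]
        return ("client", str(ipaddress.ip_address(rest[:size])), port)
    if req[0] == 4:
        port = struct.unpack("!H", req[2:4])[0]
        ip = req[4:8]
        fields = req[8:].split(b"\x00")                # userid, [hostname]
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:   # SOCKS4a marker IP
            if len(fields) < 2 or not fields[1]:
                raise ValueError("SOCKS4a request without hostname")
            return ("proxy", fields[1].decode("ascii"), port)
        return ("client", str(ipaddress.ip_address(ip)), port)
    raise ValueError("not a SOCKS4/5 request")

# Constructed sample requests (hostname and address are placeholders).
SOCKS4_PLAIN = b"\x04\x01" + struct.pack("!H", 443) + bytes([203, 0, 113, 10]) + b"\x00"
SOCKS4A = b"\x04\x01" + struct.pack("!H", 443) + b"\x00\x00\x00\x01" + b"\x00blocked.example\x00"

if __name__ == "__main__":
    for label, req in (
        ("socks5 + remote DNS", socks5_connect("blocked.example", 443)),
        ("socks5 + local DNS", socks5_connect("203.0.113.10", 443)),
        ("socks4", SOCKS4_PLAIN),
        ("socks4a", SOCKS4A),
    ):
        print(label, who_resolves(req))
```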
I have seen a number of comments warning against using a VPN to subvert the GFW, but there are perfectly legitimate reasons as to why one would need to use an encrypted connection out of the country. If the government really sees VPN as such a huge threat, then they would block all encrypted connections out by default, or require that those who need VPN for work to get special permission or some other such stuff. I've never heard of anything like that going on in China and I know people who regularly subvert the GFW using VPN to access wikipedia, facebook, etc. As long as you're not a political activist, I think the risk is minimal.
You're obviously too cool to bother with social networking or photo sites, but both Facebook and Flickr.com (and at least one site I can't recall) were blocked when we were staying with friends in Beijing recently. PPTP connection to StrongVPN.com made my traffic emerge in a San Francisco POP and nothing was blocked. So depending on what kind of cocoon you live in, maybe the wall never hits you but it's there.
Doesn't seem like a big deal to me (from http://www.chinaeclaw.com/english/readArticle.asp?id=2384 ):
Article 24 Where foreign organizations or individuals use encryption products or equipment containing encryption technology without approval, the State Cryptographic Administration Authority, in conjunction with the public security departments, shall issue an official warning and order rectification, and may also confiscate the encryption products or equipment containing encryption technology.
Sorry to reply a second time, but the punishment for this 'crime' is:
Article 24 Where foreign organizations or individuals use encryption products or equipment containing encryption technology without approval, the State Cryptographic Administration Authority, in conjunction with the public security departments, shall issue an official warning and order rectification, and may also confiscate the encryption products or equipment containing encryption technology.
From http://www.chinaeclaw.com/english/readArticle.asp?id=2384
Seems like the worst possible thing they can do is confiscate his laptop. Big deal.
Ultrasurf... it was designed for China. I've been using it for a couple years to get around content filtering at my school. It's just a proxy, so you might want to take other privacy measures. IE only.
Hamachi and squid proxy....
What if it is China asking the question?
Stop giving them more ideas.... stupid slashdot a-holes. Now I'll never get to search for sexy hello kitty Taiwanese chicks on google china....
As a foreigner who has lived and worked in China for the best part of the last two decades, my strongest and best advice is to get a VPN service. I use StrongVPN but I understand that there are a range of others that work well in China.
I do not consider US$15 per month to be an onerous expense when it comes to being able to access the whole of the web and watch the occasional show on Hulu.
A dream is good. A plan is better.
No-IP + Proxy Server + Firefox = no great firewall
No universal health care, appalling wealth distribution, limited unemployment aid, expensive education, over a million Iraqi dead, The School of the Americas, Guantanamo etc, etc. Yes, you are right. No care for human rights there...
had no problems accessing the internet. There are a few issues:
If you're there only a few weeks, I'm assuming you're touring the country.
If that's the case, you won't have a lot of free time for net surfing.
There are many things to see in China and normal tours will take up a lot of your time.
You will barely have enough time to sleep. Trust me.
Hotels in major cities have decent internet connection and you should have no problems accessing what you need. I was using ssh into linux boxes in the US to handle support calls. No problem.
Hotels out in the country do not have fast connection speeds. So if you're trying to transfer files, wait until you get to a big city.
Although, they say the Beijing airport has free wifi, I was NOT able to connect to it. In fact, all airports have wifi but are linked to China Mobile and you need a CM account to use. So you can't depend on wifi at the airports.
In actuality there is no such thing as rights. Rights are what we, collectively, decide them to be.
Most civilised countries have healthcare as a right. Primitive ones don't. If you want to be primitive, that is ok by me.
Additionally the UN has a declaration of human rights to which the US subscribes (but does not practice) and is thereby supposed to adhere to (see The Constitution of the United States of America) but fails to uphold.
So, but me no buts. The United States of America cares little for human rights and even less so if those humans are not US citizens.
You have no possible reply that is not hypocritical so I won't be responding any more.
When I worked in China, I just used Tor. Quick, easy, and worked perfectly. Even works for torrents, since all your client needs to do is connect to the tracker over http, and then you don't need a proxy after that point.
I'm posting this through an SSH tunnel to a machine I have an account on. SSH seems unfiltered. Without tunneling, Google.co.uk seems to work fine, Facebook and some other stuff is blocked.
Build a virtual PC on Rackspace, whichever OS you wish, Fedora or Windows Server 2008 R2 among several others, and remote to it. A dollar a day buys you a whole lot of power, and you can buy it by the day.
J.E.B.
Joshua Corps
Having just traveled to China, I can say the following: a direct ssh tunnel to my home linux server using foxy proxy worked perfectly when connecting via IP. When using no-ip.org, it worked in Beijing; upon arriving in Shanghai, no-ip.org was man-in-the-middled (classic SSH connection warning worrying about a man in the middle). Switching back to a direct IP connection to my home Ubuntu box bypassed "the great firewall of fail".
you are a chinese government official who's smart enough to ask the people who might actually know a way to get through so you can plug the last hole and make your people suffocate in an intellectual vacuum?
beware he who denies you access to information for in his mind, he already deems himself to be your master (SMAC-ish)
Having lived in China for a couple of years I have always used different ways to bypass the firewall. I have never heard of any foreigner getting into trouble for doing so and find it very unlikely. As far as I know, bypassing the firewall is itself not a crime. Several companies do it for all their employees. It becomes a crime only when you use the freedom to do something that in itself would be a crime, e.g. organize a political group against the government etc. Accessing e.g. YouTube is in itself not a problem.
You can check an updated list of websites blocked in China at http://www.greatfirewall.biz
Dude, you shouldn't of asked! Their spies are everywhere. You are pretty much already in China. They're going to arrest you at customs. Chairman Mao gonna git' ya.
Thanks for everything,
Julie Newmar
My company FirewallFox is currently beta testing a new product "Over The Wall" which makes full internet browsing using Firefox in China very easy and browsing speed is very fast for all sites. It's not exactly a VPN or secure tunnel but rather a Firefox plug-in which does some secure magic with our servers in US and Europe, similar to the Tor button, but much much much faster and easier to setup.
Anyone who wants to try it for free (since we haven't yet launched the commercial version) just needs to fill out the contact form on www.firewallfox.com and request they be added to the beta testers.
From personal experience, your attempt to call 'almost bullshit' on the claim that VPNs have connectivity problems in China that are specific to China is completely false.
I run the IT dept for an Australian company, and one staff member is currently living in China. We use OpenVPN to give her access to our Australian office LAN.
It works fairly reliably BUT only if we run it over UDP. Exactly the same configuration over TCP fails regularly.
Furthermore, recently I can no longer remotely access the China-based staffer's computer via a VNC reverse connection. Just won't work anymore. Thank you great firewall of China.
The further irony is that my company runs projects for the BENEFIT of China. But the Great Firewall is agnostic to this.
I was able to get remote access to my China-based staffer's computer via TeamViewer (this obviously has the official sanction of the Great Firewallers).
I was recently on a business trip to China and had no end of trouble navigating the Great Firewall. So much stuff I regularly access was blocked. It is quite bizarre how they insist on blocking such broad-based content. I suspect the existence of the Great Firewall today is more about stubbornness that the whole Firewall is even still necessary - the classical Asian "face saving" social hangup...
But rest assured that if you want to Bittorrent absolutely anything at all in China you can do so without any problem at all ;-)
Since when does anyone have a "natural right" to access the fucking internet?
To have a right to do a thing is not at all the same as to be right in doing it
Simply asserting that there are "natural rights" and quoting various passages which agree with that opinion (which is just the logical fallacy of arguing from authority) is not a philosophically valid line of argument.
Human beings only have "rights" because they have developed language and can communicate the ideas of law, morality and shared societal beliefs with each other. To be honest, I'd rather have someone just come out and say that these rights were given by God, as then you know there's no point in arguing about their delusions with them.
To have a right to do a thing is not at all the same as to be right in doing it