Tunneling Under the Great Firewall?
An anonymous reader writes "I am traveling to China in the near future, and needless to say as a Slashdot reader I am going to require access to the Internet. The whole, unadulterated, unfiltered Internet. Also needless to say, I am very leery of the government there (my lack of a nickname on this submission being testament to that). I will only be there for a few weeks, and will not be using the computer for much of that time, so I don't want to shell out a lot of money to a VPN service. However I also don't want to be hindered by extremely slow speeds such as those provided by the Tor network. I have experience implementing Web servers and work fairly often with Linux; however, many of my friends who also face the same dilemma don't. What would be the most cost-effective (free is best) method for me to subvert the Great Firewall during my travels while maintaining sufficient anonymity and enjoying sufficient speed?"
This fear of China is just WTF. "my lack of a nickname on this submission being testament to that", VPNs, Tor, all of that just to browse the regular Internet. Anyone who writes these things obviously has not been there or in the other Asian countries.
Most of the western quality hotels provide access to unfiltered Internet and you are most likely staying in one of those. Besides, the Chinese and Asian in general are quite relaxed people. Just think if American cops would be this patient and try to help the guy.
Seriously, the hatred and fear of the Chinese, Asians and the rest of the world by Americans is getting beyond ridiculous.
At my workplace we have people who travel to China. On occasion VPN connections from China just stop for hours or days at a time. No hits at our VPN endpoint from China at all; the traffic is stopped upstream somewhere while everything else that is unencrypted works.
That's the only country we have people visit where the VPN can be problematic.
Trolling is a art,
Have a computer somewhere with a real IP, and start a proxy server on it. Or even remote control (VNC, RDP), if you have good bandwidth.
SSH tunneling with SSH -D is trivial to set up. Make sure you forward DNS with network.proxy.socks_remote_dns set to true if you're using Firefox.
I think I read that SSH can even create a virtual network device that forwards all traffic over a tunnel. Haven't had time to play with that though. That would be a great solution for every app, even those that don't support SOCKS proxies.
Give me Classic Slashdot or give me death!
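The SOCKS5 CONNECT exchange that sits behind the ssh -D and socks_remote_dns advice above, as an added example that is not code from any post here: it builds the request both ways so you can see that only the ATYP 0x03 (hostname) form keeps the name lookup on the far side of the tunnel. The stand-in proxy at the bottom and the port 9999 it reports are assumptions so the exchange can run offline.

```python
"""SOCKS5 CONNECT handshake (RFC 1928) as spoken to an ssh -D proxy.

Added illustration, not code from the thread.  The detail the remote-DNS
advice hinges on: with ATYP 0x03 the client hands the proxy a hostname and
the far end resolves it; with ATYP 0x01 the client has already resolved the
name locally and hands over an IP, which leaks the lookup to whatever
resolver the local network provides.
"""
import socket
import struct
import threading

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
METHOD_NO_AUTH = 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def method_selection() -> bytes:
    """Greeting: VER=5, NMETHODS=1, METHODS=[no authentication]."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def connect_request(host: str, port: int, remote_dns: bool = True) -> bytes:
    """Build VER CMD RSV ATYP DST.ADDR DST.PORT for a CONNECT."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            addr = socket.inet_pton(family, host)  # host is already an IP literal
            break
        except OSError:
            continue
    else:
        if remote_dns:
            name = host.encode("idna")
            if len(name) > 255:
                raise ValueError("hostname too long for SOCKS5")
            atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
        else:
            # This is the leak: a plaintext DNS query leaves the local machine here.
            atyp, addr = ATYP_IPV4, socket.inet_aton(socket.gethostbyname(host))
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def _recv_exactly(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def read_reply(sock):
    """Read a reply and return (REP code, BND.ADDR, BND.PORT)."""
    ver, rep, _rsv, atyp = _recv_exactly(sock, 4)
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, _recv_exactly(sock, 4))
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, _recv_exactly(sock, 16))
    elif atyp == ATYP_DOMAIN:
        host = _recv_exactly(sock, _recv_exactly(sock, 1)[0]).decode("idna")
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    (port,) = struct.unpack("!H", _recv_exactly(sock, 2))
    return rep, host, port


def socks5_connect(sock, host: str, port: int, remote_dns: bool = True):
    """Run the full handshake on a socket already connected to the proxy."""
    sock.sendall(method_selection())
    ver, method = _recv_exactly(sock, 2)
    if ver != SOCKS_VERSION or method != METHOD_NO_AUTH:
        raise ConnectionError("proxy refused our authentication methods")
    sock.sendall(connect_request(host, port, remote_dns))
    rep, bnd_host, bnd_port = read_reply(sock)
    if rep != 0x00:
        raise ConnectionError(f"proxy returned REP={rep:#x}")
    return bnd_host, bnd_port


def loopback_demo(host: str = "example.com", port: int = 443):
    """Constructed stand-in for the proxy so the exchange runs offline.
    Returns (request bytes the proxy saw, (BND.ADDR, BND.PORT))."""
    client, proxy = socket.socketpair()
    seen = {}

    def fake_proxy():
        proxy.recv(3)                                  # greeting
        proxy.sendall(bytes([SOCKS_VERSION, METHOD_NO_AUTH]))
        seen["request"] = proxy.recv(512)              # CONNECT request
        # REP=0 succeeded, bound to 127.0.0.1:9999 (assumed ssh -D port)
        proxy.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4])
                      + socket.inet_aton("127.0.0.1") + struct.pack("!H", 9999))

    worker = threading.Thread(target=fake_proxy)
    worker.start()
    bound = socks5_connect(client, host, port)
    worker.join()
    client.close()
    proxy.close()
    return seen["request"], bound


if __name__ == "__main__":
    request, bound = loopback_demo()
    print(request.hex(), bound)
```

Point socks5_connect() at a real socket to localhost and the port you gave ssh -D and the same bytes go over the tunnel. A browser configured with a SOCKS proxy but without remote DNS does exactly what the remote_dns=False branch does: it resolves the name through the local network's resolver first, and that query is visible and filterable regardless of the tunnel.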
If not, do
ssh -D 9999 my.home.machine
then use localhost port 9999 as the SOCKS proxy.
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
Presumably you have broadband internet at home. Set it up as a gateway and encrypt all traffic through it.
Regardless, you are not likely to have fast internet access in China, or at least not *consistent*, fast internet access. In my experience, quality of internet connectivity there is very touch-and-go.
You don't need a weatherman to know which way the wind blows. - Bob Dylan, "Subterranean Homesick Blues"
Before leaving, set up a computer with decent upstream bandwidth and VNC / screen share. Pretty simple, and only shows a connection to that one IP address. If you use OSX it's a 30 second setup in sharing preferences, and I'm sure that there are windows and Linux equivalents. You may need to tweak the ports to get under the Great Firewall.
However, one significant drawback (with the OSX solution) is that audio is not streamed. Another is lag with slow / far connections.
But it will get you the full net.
__ Someday, but not this morning, I'll finally learn to use the preview button.
How about just suck it up and deal with it. Unless you need to look up "Tiananmen Square" every 10 minutes, it really shouldn't be a problem. They filter state secrets and political opinions, not your twitter traffic.
Just change your online name to "FreeTibet". They'll never notice.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
I suggest that you play nice with China's laws if you are going to China. Trying to bypass their firewall as a foreigner traveling there is more likely to attract the sort of attention you don't want than anything else. As you said, you're just going to be there for a few weeks. Do you *really* need to search for the kind of stuff they filter out while you are there?
My wife travels regularly to China for work. We are very careful about our conversations on the phone when she's there, and about the emails we send when she's there. I sure as hell would never advise her to try to bypass their firewall.
If you are a Chinese freedom activist, by all means, you know what you're getting into, bypass away. I support the people of China in their efforts to access the whole internet, to speak their minds, to be as free as they care to be.
If you are a Westerner visiting, I'd suggest you just hold your horses there bucko and deal with the internet you can get from your hotel room and don't make yourself look more suspicious than you actually are. You really, really don't want anybody to think you are doing anything against Chinese interests while you're there. Seriously.
Keep your home computer running at home with SSH listening on a non-standard port (80 or 443 are good choices).
If you're going to be using Windows computers in China, take a USB thumb drive with you with a copy of PuTTY installed.
Forward ports 53 and 3128 and set your web browser proxy and DNS settings appropriately.
If on Windows, set up your home computer to accept incoming RDP requests (and configure your router to pass that port to the right machine), and leave your home computer on the whole time.
Log in remotely, and surf anywhere you want.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
it really shouldn't be a problem. They filter state secrets and political opinions
Have you ever been there?
I've spent a total of 3 months in the last several years. In actual practice they block tons of things you want. (e.g. Wikipedia, last time I was there in 2007).
___________________ I want to be free()!
The best solution may be to set up a private proxy such as CGIProxy on your own web server behind HTTP auth. Then access it via HTTPS only (on slashdot I think I read a story where someone's site was blocked for such a proxy... using HTTPS greatly reduces the chance of that). I think there was speculation on slashdot a while ago that the Chinese government could probably issue signed SSL certs if they wanted to and thus easily perform man-in-the-middle attacks. You should probably check to be sure the cert matches what you expect (especially the issuer) before using your proxy. Also if you know of a site that has a bad SSL cert (self-signed, etc) if it's suddenly valid while in China that could be another warning sign.
There's also Tor but it is quite blockable by blocking connections to its dictionary servers, so I'd be surprised if it worked in China.
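A concrete form of the certificate check the post above recommends, added here as an example and not code from the poster: trust-store validation alone passes a substitute certificate signed by any CA the client trusts, so the check pins the SHA-256 fingerprint of the server's DER certificate you recorded at home and compares the issuer CN. The host proxy.example.net, the issuer name and the zeroed placeholder pin are assumptions; fetch_leaf() prints the real values before you travel.

```python
"""Pin and issuer check for a private HTTPS proxy.

Added illustration, not code from the post.  PINNED is a placeholder; fill
it with the SHA-256 of your own server's DER certificate.
"""
import hashlib
import socket
import ssl
from typing import Optional

# Placeholder pins, one set per host.  Keep a backup pin for the next cert too.
PINNED = {
    "proxy.example.net": {"0" * 64},
}
EXPECTED_ISSUER_CN = {"proxy.example.net": "My Home CA"}


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the DER-encoded certificate, the usual pin format."""
    return hashlib.sha256(der).hexdigest()


def pin_ok(der: bytes, pins) -> bool:
    """True if the certificate's fingerprint is one of the pinned values
    (colon-separated or upper-case input is normalised first)."""
    wanted = {p.lower().replace(":", "") for p in pins}
    return sha256_fingerprint(der) in wanted


def issuer_common_name(cert: dict) -> Optional[str]:
    """getpeercert() gives 'issuer' as a tuple of RDNs, each RDN a tuple of
    (attribute, value) pairs; pull out the CN."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def fetch_leaf(host: str, port: int = 443, timeout: float = 10.0):
    """Return (DER bytes, parsed dict) of the certificate the far end presents.
    Normal chain validation stays on; a substitute cert signed by a trusted CA
    passes it, which is exactly why the pin check comes afterwards."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


def audit(der: bytes, parsed: dict, host: str) -> list:
    """Return a list of problems; empty means the cert is the one you expect."""
    problems = []
    if not pin_ok(der, PINNED.get(host, ())):
        problems.append(f"fingerprint {sha256_fingerprint(der)} is not pinned for {host}")
    cn = issuer_common_name(parsed)
    if cn != EXPECTED_ISSUER_CN.get(host):
        problems.append(f"issuer CN is {cn!r}, expected {EXPECTED_ISSUER_CN.get(host)!r}")
    return problems


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "proxy.example.net"
    leaf_der, leaf = fetch_leaf(target)
    print("sha256:", sha256_fingerprint(leaf_der))
    print("issuer CN:", issuer_common_name(leaf))
    for problem in audit(leaf_der, leaf, target):
        print("WARNING:", problem)
```

Run it once at home to record the fingerprint, then run it again from the hotel before trusting the proxy; a fingerprint change with a plausible-looking issuer is the case the post warns about. The same fetch_leaf() call against a site whose self-signed cert you know should raise a verification error; if it suddenly succeeds, that is the other warning sign the post mentions.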
This is a really simple problem to solve.
Keep a box at home, run Linux/*BSD/whatever on it. Have SSH on it. Run SSH on a "common" port that's not 22. 21, 23, 56, 69, 80, and 443 are good candidates. For good measure, keep a small web-based admin util on some other common port (with SSL!) in case you guessed the SSH port wrong.
Use SSH as a proxy. I forgot exactly how to accomplish this on *nix but on Windows... Use PuTTY. Connection -> SSH -> Tunnels. Set a random source port (which is what port you connect to on your local machine) and select the "Dynamic" option. The IPv4/IPv6 option should stay at the default "Auto". An entry in the list should read something like D12345 where 12345 is the port. Use localhost:port as a SOCKS proxy.
And for *nix, there's this guide that should work for all OSes with standard ssh: Guide!
So when China asks slashdot how best to catch people circumventing their firewall, how would they do it? They might pretend to be a western touron visiting their fair nation and asking some innocent questions about firewall circumvention. If any of these methods are effective, they are likely to cease being effective now that they are widely published. Either way, the anonymity of the poster prevents direct help and indicates perhaps a clever approach to hardening the firewall.
Meh, I'd just simply chalk it up to part of the cultural immersion, to experience the internet the same way the locals do. Ask the Chinese at internet cafes, they'll probably be more than happy to point you to the workarounds they use.
For my part, I'd simply run ssh back to my box and run "links" to do searches from home.
With a little more effort, you could do SSH+TightVNC or TigerVNC to extend your home desktop... performance is actually pretty decent even with modem-like uplinks.
With a bit more effort, you could create an ssh tunnel to your home squid proxy server. But then you start leaving traces on your client machine in China... unless you boot it from a LiveCD or LiveUSB something. Try Knoppix or Linux-Mint, though you might need to remaster them to make sure you have all the apps you want.
Also, if ssh is blocked for some reason but you still have web proxy access, you can try installing ajaxterm to get a shell on your machine via https.
Have fun!
You said you'd only be there for a few weeks, and you wouldn't be using the computer that often. Are you sure you can't live without some parts of the internet under those conditions? If it's really that important to you, then perhaps you should restrict your travels to Hong Kong and Taiwan instead of mainland China?
...
After all if the firewall is the law, subverting the firewall may be illegal; which could lead to your stay being longer than expected
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
As long as we are going with "things the original author specifically discounted in his post", I think he should purchase VPN service...
I'm going on a porn hunt
I'm not afraid.
I got some good business partners.
By my side.
Oh. Oh.
What do I see.
Oh look! It's a Chinese Firewall.
Can't go over it.
Can't go under it.
Can't go around it.
Got to go through it.
(First thing I thought of)
Another very good solution is to use this little multipurpose relay, netcat++: http://www.dest-unreach.org/socat/ They are saying that you could tunnel even VPN traffic with just one simple command.
All 3 are linked together with a VPN.
And just after the planes struck the buildings on 9/11, the VPN with Detroit mysteriously went down. Unencrypted connections continued working as if nothing happened (so it's not a case of a router being located physically in the WTC, or whatever). A couple of days later, all was back to normal. No explanation ever followed.
Sorry, but that's what this is. The internet is regulated by the Chinese government, it's kind of asinine to ask users how to circumvent and break Chinese laws.
When you're in another country or in someone else's home, you follow and abide by their rules. It's not just being respectful, it's good manners.
The Great Firewall sucks, but that's how they roll. Just suck it up and deal with it.
Are you seriously willing to risk a stay in a Chinese prison just because you can't do without your internet fix for a few days? If you lived in China then trying to bypass the firewall might be conceived as a heroic gesture against oppression but for a tourist to risk it is just foolishness.
"I want something that has great performance but i don't want to pay any money for it"
Shell out for a VPN connection already.. iPredator is very cheap and encrypts your whole network connection.
Unless they've opened a few new trans-pacific pipe connections since I was last there, forget about speed. Maybe it was just my ISP (Great Wall, ha) but within China you can get nice (e.g. 750kb/s) speed but the moment you cross the pacific your latency is killer and you're crawling at 5-10kb/s. This is using corporate VPN or without. I suspect the actual throughput is a result of active throttling by the State. In terms of restricting general information, making something extremely painful is nearly the same as blocking it.
What you are asking is illegal there. If you get caught bad things will happen to you. Is it really worth the risk for a couple of weeks? Are you THAT addicted?
---- Booth was a patriot ----
Get yourself (if you don't already have one) a cheap colo/virtual host. Then just use SSH with the -D option, and set your browser's proxy to a SOCKS proxy on localhost.
That's what I always do when there are network issues (firewall, throttling, shaping).
I know of large US companies that do not allow executives to take their laptops into China, as they assume that its contents will be read (at the border or elsewhere). So, they get a sanitized laptop for the trip. Sounds extreme, but there have been cases of industrial espionage in the past.
...so the Chinese government can make their Great Firewall better!
Seriously, does this person believe that /. readers are so gullible that they will lay out their best-kept secrets here? Or how do we know that you aren't a Chinese operative trying to mine the collective wisdom of /.?
In fact, if you need to ask, you probably don't need the "unadulterated, unfiltered" Internet as much as you think you do. Go, enjoy your trip. The Internet will be there when you return.
I advise you to also bring a 'throw-away' computer, unless you keep your current computer with you at all times. Depending on your business, if you leave your computer behind somewhere (hotel room, security) you may return to find it perfectly fine, maybe even with a bit extra hardware or software if you get my meaning.
At the very least, be prepared to wipe it clean when you get back home.
Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
But when the law unfairly restricts your natural rights, then the breaking of that law is completely justified, hell, armed revolution in the case of China is very much justified for the Chinese people.
That said, I'm not sure if I'd really do it in China as a tourist, not that they'd probably do much (China gets western businessmen all the time) but I just wouldn't want to take the risk unless.
But really, if a law is unjust and violates natural rights, you have every right to break it, some may say you even have a responsibility to break it because by not breaking it you in essence prop the law up.
Taxation is legalized theft, no more, no less.
A friend of mine is working for a supplier of automotive parts with (at the time) two branch offices in Luxembourg, and one in the United States (Detroit).
All 3 are linked together with a VPN.
And just after the planes struck the buildings on 9/11
Let's stop right there.
A single event, nine years ago, precipitated by an attack by foreign nationals on the United States.
You're using the example of (presumably) the US Government shutting down encrypted Internet traffic during a time of national emergency to support a claim that VPN traffic in the USA is unreliable.
That's just pathetic.
Several options: Setup an SSL proxy on 443. Setup sshd running on a non-standard port. Setup OpenVPN listening on 443. Blah blah blah. I've used all three of these when traveling to countries that heavily filter the 'tubes and met with little issue. I even run VoIP/VTC over them without issue.
If the requirements and restrictions on the Internet in China are enshrined in Law in China, you may be putting your visa at risk.
It's like an Australian 18-year-old coming to the US, drinking alcohol and getting caught. In Australia there's no restriction above 18; in the US it's 21. You get caught, you may not be able to enter the country again.
A local law is a local law, no matter what your views are. What you can do freely in your country may be illegal and carry harsh punishments in others.
This is all good advice.
As for your port advice, I agree to avoid port 22 -- I have this totally disabled on my FreeBSD system.
443 is a good alternative since it is the normal HTTPS port, but in my work as a consultant I've run into client networks where HTTPS works fine but SSH through port 443 doesn't work at all. I seldom get to the bottom of it, but usually it's a filtering/transparent proxy device that works with normal HTTPS traffic.
My work around (that hasn't failed yet) has been to run my SSH server on a few random non-reserved ports. It's not unusual or unknown for apps to exchange encrypted/binary data on negotiated high number ports so most/many filtering systems & transparent proxies avoid it to keep from breaking those apps.
I personally would avoid using ports otherwise used for FTP, SMTP or other well-known unencrypted protocols since those are likely to be filtered/proxied or otherwise not be reliable with SSH proxy sessions.
It also wouldn't surprise me if the Chinese didn't have some kind of pattern analysis software that LOOKED for tunneled data; SSH proxy traffic probably stands out like a sore thumb. It might make sense to use multiple ports on the SSH server end to avoid creating a pattern over time (eg, one session on port 6043 may not get detected, multiple sessions over time from the same place on that port might sound an alarm).
I've used CCProxy before when I didn't have access to my own linux box, or time, etc. It was fairly easy to guide my non-technical friends over the phone through installation and configuration. It's free for up to 3 users.
>> Also needless to say, I am very leery of the government there (my lack of a nickname on this submission being testament to that).
You're just an overly paranoid neckbeard. Don't use the same Slashdot nickname twice and make sure all your equipment, plus your brain, is wrapped in tin foil to avoid atheist Chinese mind reading.
I agree with you about 99%.
Setting up your own VPN is probably fine. If there are problems just claim that you need it to access work or school. What I wouldn't do is "help" people in China do the same.
1. If you are asking on slashdot you probably lack the skills to do it well.
2. If you get caught as a US citizen they will probably just take your computer and kick you out. You are not worth the bad press they will get.
3. If you help Chinese citizens do the same you can become worth the trouble. Which is a very bad thing.
4. You may hurt those that you are trying to help. Trust me, there are a lot of bright folks in China that have the skills to get around the great firewall. They also probably know better who to trust.
You are a foreigner; trust me, odds are they may already be watching you a bit. If you are not a business person I expect they are watching for you to try and do this very thing. As much as people like to make fun of security people, they are not dumb. Figure that they have a lot more skill at catching you than you have at evading them. If you or your friends don't get caught it will be just because of luck.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
Is it illegal? Connecting to your home computer from China? Obviously it's not hacking the firewall... if the firewall already allows a connection to your VPN, then is that illegal? As an American visitor, is it illegal to look at certain content online? Or perhaps this is only illegal for Chinese citizens... does anyone actually know? Do Chinese police respect the law anyway?
Fast, Easy, Secure. Pick any two.
Sorry, pal - it's those pesky laws of the universe or something gettin' in the way...
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I travel quite frequently and often need to subvert the various restrictions of local ISPs (DNS redirection, throttling, censorship etc.). The method that works for me is:
1). Rent a cheap 512MB VPS (I use Linode and highly rate them but there are many other providers)
2). Grab a copy of OpenVPN and set it up in server mode on your VPS (make sure you push "redirect-gateway" to clients so that they send all their internet traffic through the VPN)
3). Install a copy of OpenVPN on the computer you'll be travelling with (set it up in client mode and configure it to point to your VPS).
That's it. All your traffic will now flow encrypted to your VPS where it will then break-out on to the open, unfiltered internet.
Additional tips:
- If you are using Windows on the computer you're travelling with, you need to make sure your DNS queries are going through the VPN (see: http://openvpn.net/archive/openvpn-users/2006-09/msg00020.html for what steps you need to take)
- To help obscure the fact you are using a VPN, set the server to use TCP rather than UDP (note: this will increase latency a bit) and set it to listen on a port normally associated with something else (e.g. TCP 993 which is normally used for secure imap or TCP 443 which is normally used for https traffic).
If you haven't got the cash for a VPS (frankly though you should, they are really cheap!), you could always setup the OpenVPN server on your home machine and point your travelling computer to that.....
Good luck!
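The three steps above as a server/client configuration pair, added here as an example rather than the poster's own files: the server pushes redirect-gateway and a DNS server so every client packet, lookups included, goes through the VPS, and both ends speak TCP on 443 as the tips suggest. The VPS hostname vps.example.net, the 10.8.0.0/24 tunnel subnet, the certificate paths and the choice to run a resolver on the VPS itself are assumptions.

```conf
# /etc/openvpn/server.conf on the VPS
port 443
proto tcp-server
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
# Send all client traffic, not just routes to the VPS, through the tunnel
push "redirect-gateway def1 bypass-dhcp"
# Resolver reached only through the tunnel (assumed: one running on the VPS's tun address)
push "dhcp-option DNS 10.8.0.1"
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3

# client.ovpn on the laptop
client
dev tun
proto tcp-client
remote vps.example.net 443
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
# Refuse to connect to anything that is not a server certificate from your CA
remote-cert-tls server
persist-key
persist-tun
# Windows only: stops applications bypassing the tunnel for DNS
block-outside-dns
verb 3
```

Two things the files alone do not do: the VPS must forward and NAT the tunnel subnet (net.ipv4.ip_forward=1 and a MASQUERADE rule on its outside interface), and on Linux clients the pushed DNS option only takes effect if an up/down script such as update-resolv-conf applies it, otherwise the laptop keeps using the hotel's resolver even though its packets go through the tunnel.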
When I lived in China, I subscribed to a SSH tunnel service. I would setup a small application on my machines that would open a tunnel and funnel that traffic out from America. Be careful trying things like Onion. My financial trading software blocked me when their IT department detected requests shifting from IP to IP from various countries. It looks very suspicious. It's worth the fee paid to the SSH tunnel operators because you don't have to pay for a network connection in the US and they handle all the technical junk on the backend. Also since these service offerings are not super clear on China's Radar, chances of getting the IPs and ports blocked are really small. There is an advantage to being a small fish.
Or more specifically, he should shell out a lot of money for one.
Then install Windows XP on an old junk machine just for browsing remotely.
Pay zero attention to security.
Then wipe the thing when you get home.
"There are just laws and there are unjust laws. I would agree with St. Augustine that an unjust law is no law at all... One who breaks an unjust law must do it openly, lovingly...I submit that an individual who breaks a law that conscience tells him is unjust, and willingly accepts the penalty by staying in jail to arouse the conscience of the community over its injustice, is in reality expressing the very highest respect for law."
- Martin Luther King, "Letter from the Birmingham Jail," April 16, 1963.
Choose any two.
I would suggest Tor. (Good and Cheap.)
--Pathway
SSH proxy traffic probably stands out like a sore thumb
SSH proxy traffic doesn't look any different from regular ssh traffic. It might involve more data transfer but the packets themselves are no different from normal ssh traffic.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
I wouldn't be in any doubt that the Chinese would decide that it's illegal. You can't really just call it "Connecting to your home computer from China" when the only reason you're doing that is to circumvent their filter. It'd be a pretty feeble defence!
You be sure and tell them that at the Peking police station.
I have never seen more drivel in my life. If you don't want to follow the laws of the country, then *don't go*. Same with any country including the good old USA. Do otherwise and you are looking for trouble. Not going is a far better protest than going in and trying to sneak around, anyway.
Set up OpenVPN on a machine at home. Use xinetd to enable two listen ports, one on port 53 and another on port 443. Be sure to reroute all of your traffic over the tunnel. You will need a DNS server internal to your network at home.
This is an example of an xinetd.d/ovpn file to listen on port 53:

service anon-reader53
{
        type            = UNLISTED
        port            = 53
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/openvpn
        # tap2 is assumed to already be bridged onto the home LAN so the client gets a LAN address.
        # --redirect-gateway belongs on the client side only; on the server it would
        # re-route the home machine's own default route into the tunnel.
        server_args     = --inetd --disable-occ --dev tap2 --secret /etc/openvpn/keys/anon-reader.key --replay-persist /etc/openvpn/persist-files/anon-reader --inactive 60 --user nobody
}
use the following for your ovpn config for the port 53 connection
openvpn --disable-occ --dev tap --remote ip.of.your.server --port 53 --ifconfig an.ip.on.remote.network remote.network.netmask --redirect-gateway --route-gateway gateway.ip.of.remote.network --dhcp-option DNS remote.network.dns.ip --secret shared-key-if-you-use-one.key --inactive 60000 --verb 4
an example with ips
openvpn --disable-occ --dev tap --remote 63.97.226.206 --port 53 --ifconfig 10.10.10.20 255.255.255.0 --redirect-gateway --route-gateway 10.10.10.1 --dhcp-option DNS 10.10.10.2 --secret anon-reader.key --inactive 60000 --verb 4
Having to work for a living is the root of all evil.
I'm surprised the question made it to the front page.
Consider the /. editor that posted it, then re-evaluate your initial sense of surprise.
Only a very few, large western companies have unfettered access to the 'real' internet in the PRC, and only the foreign national employees have access to it. If you're going to China as an employee of one of these companies, then you may have access. If you are going as a tourist, then you should pretty much expect that whatever surfing you do is being monitored, anonymizers will either be problematic or nonfunctional, and remember there is no such thing as 'freedom'. I would be extremely hesitant to set up my home or office PC with LogMeIn or RDP or any other kind of remote access solution, as it will most assuredly be targeted for hacking by the PLA, which runs the intelligence apparatus. You best be happy with the Disney-rated, government approved Red Internet, otherwise if you need your YouPorn fix, or want to check on WikiLeaks or research Falun Gong, you may wind up being 'interviewed' at an undisclosed location at 2AM. It's not prudent to spit in the eye of your friendly neighborhood communist dictatorship.
Nothing to see here but us trolls...move along...
It is not THAT bad. The whole nation is NAT'ed. You will not have a proper IP address. almost certainly 10.x.x.x. I use the web a lot, and the vast majority of sites work. Groklaw did not work for me, or BBC. But Tor gets around all of that. BitTorrent is slow due to no inbound connections.
To me the bigger problem is dumbass companies trying to 'help' me by detecting my location and localizing.. Just because I am in Whereveristan does not mean I can read the language. My http headers specify us-en. Do not redirect to chinese, or whatever. Annoying.
Time zones are also a PITA because you are awake and they are asleep, or vice versa.
All that aside, screw the internet, and have fun, eat some new foods, meet some locals, wander around aimlessly. Say "Hello", smile. Many do not speak English, but they all studied it from grade school on up. Write it down. Buy one of those calculator translator things, and have somebody show you the buttons to put it into English mode. Better ones have sound. About $20-30.
Buy a phone with a SIM card. 110 is like 911 in the states. 114 is tourist help. Free. Everywhere. They speak multiple languages. Tell them what you want, hand the phone to the taxi driver, solved.
The law is a weapon of the government, not a protection for the likes of you. Surely you understand that.
So what you're saying is that accessing every single website on the internet is a natural right?
I assume you're going on vacation or you'd just use whatever system your IT department has set up. If I'm right and this is a vacation, then freakin' GO ON VACATION. If you get all shaky and twitchy if you go more than a couple hours with a direct neural feed, you need to address your addiction before you leave. You can access everything you'll need while on vacation. You don't NEED to look up "subversive" things while you're on vacation.
If you want to see what the Great Firewall blocks, go to websitepulse (or one of the many other test sites) and use a "test behind the great firewall" tool to see if your favorite sites are being blocked or modified.
If you absolutely must have unfiltered access, get a router that runs dd-WRT and set yourself up the VPN. In fact, get several friends to do the same. Then you can connect to those routers via VPN and surf through those connections. Unless China cuts off your VPN service. As others have noted, this happens regularly.
Bottom line: When you're on vacation, part of being on vacation is immersing yourself in the local culture. In this case, part of the culture involves filtering and sanitizing information. Go with it. I think you'll be surprised at how little the Great Firewall impacts your trip.
Looks like you get a kick out of imagining yourself to be some kind of spy. The risk is not worth it. There is a 99% chance that you'll go scot-free even if you take no precautions. But OTOH, it's also possible that you get into trouble even with all your precautions. The internet isn't going anywhere. Just visit China and behave like a normal tourist would. You can access the 'whole, unadulterated, unfiltered Internet' to your heart's content when you return!
I spent a few years in different cities in China. Here's my take: in order to balance speed and access, you really only want to tunnel/proxy/vpn what you absolutely have to. Most sites aren't going to be blocked so using something like FoxyProxy is pretty essential. If you'll have VPN access, set up rules so that just the traffic that needs to go through the VPN (plus DNS) is getting tunneled.
Also, multiple workarounds for access is important too: you could very well get stuck somewhere where everything but ports 80, 443 are blocked, ruling out your ssh tunnel (unless you've thoughtfully set your ssh server to listen on a different port) and having a web proxy might save the day. Or one proxy goes down, get blocked, is too slow, etc.
I personally used a combination of ssh tunnels, web proxies, a paid VPN service and Tor.
Also, note that the great firewall isn't just a blacklist. It also performs packet inspection for keywords/phrases before issuing TCP resets to both parties, so your proxies definitely should be SSL enabled, even if it's just with a self-signed cert.
Isn't this why http://www.peacefire.org/ exists? They are devoted to helping folks get around stupid internet filters, including those of nations, companies, schools, and parents.
I recently spent 1 month in China and was unsure of what to expect about internet access. It was better than I expected. I think it is not worth the trouble to try to dodge any firewalling. I was able to use ssh to connect to computers back home and generally able to surf the internet. I think youtube and google video were blocked, but for a short trip this is not much to worry about. I was able to use gmail and google. The news under google/ig sometimes linked to blocked sites. However, there were always related links with the same information which were not blocked. So, for me, the only problem was not viewing videos for a few weeks. This did not matter to me, though I think there are alternative video sources which are not blocked.
The net result is that access is nearly unfettered, so it is probably pointless and perhaps unwise to try to subvert the firewall. Freedom seems to be increasing in China. Enjoy your trip!
Ray Seyfarth, ray.seyfarth@gmail.com, http://rayseyfarth.blogspot.com
You might want to look into dropping RST packets at BOTH ends under certain circumstances, because the Chinese spam those around almost randomly.
Using the internet in China is very flaky and unreliable, because what they've set up isn't the all-powerful, stateful firewall they'd maybe like you to believe in, but a b0rk-the-internet pile of RST-spewing shit.
$ cat ~/bin/socksproxy_to
#!/bin/sh
# Start a background ssh session with a local SOCKS listener on port 8080.
# -D 8080: dynamic (SOCKS) forward; -N: run no remote command; -f: go to the
# background after authentication. All remaining arguments (user@host, -p port,
# ...) are passed straight through to ssh, quoted so spaces survive.
ssh -D 8080 -Nf "$@" && \
echo "Configure your browser to use a socks proxy on localhost port 8080"
For every problem, there is at least one solution that is simple, neat, and wrong.
Our company does business in China and even has an office there. We have to constantly remind our employees that it is illegal to use VPN in China. Using SSH is also disallowed.
You could, however, set up an unencrypted SOCKS proxy on some random port.
Here's how I'd do it:
Notes:
Dear Slashdot,
I go to a high school in which internet access is heavily filtered so that students cannot visit websites that are deemed containing questionable content. How can I subvert the filters and firewalls so I can reach sites that aren't questionable like National Geographic, The Library of Congress and the US Constitution online?
Whatever happened to respecting the rules of your hosts? Maybe we forgot what happened to Michael P. Fay in Singapore. He required Bill Clinton to literally save his ass.
What law would this person be breaking? As far as I can tell there is no such explicit law in China forbidding people from circumventing the Great Firewall of China, although nothing would stop them from trumping up some charges against you using one of their many loosely defined laws, such as distribution of 'state secrets' which can be virtually anything (but they could do that regardless).
Instigate a revolution, successfully overthrow the government, and instate a new government with more liberal social policies.
Once the power comes back on, and telecommunication services have recovered (and reconfigured) enjoy free western-style Internet access!
... the biggest risk you face is showing off your capability to the locals.
My own experience and the opinion of those (business people) I spoke to is that the Chinese don't really care if you are using a VPN of some sort, as long as they don't suspect you are involved in some kind of dissidence or other "subversive" activity.
For what it's worth, I have used SSH tunnelling to my own tinyproxy installation. I enjoyed moderately high speed from my hotel rooms and from Starbucks.
Incidentally, I didn't set this up to bypass censorship. I use the proxy any time I am at a wireless hotspot for obvious security reasons. It also enables me to use my credit card overseas without being flagged as a risk, because my IP address always jibes with my credit card postal address.
Life- everyone is entitled to live once they are created.
Liberty- everyone is entitled to do anything they want to so long as it doesn't conflict with the first right.
Estate- everyone is entitled to own all they create or gain through gift or trade so long as it doesn't conflict with the first two rights.
And the founders of the USA thought so; just look at the Declaration of Independence:
We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.
Such thought isn't limited to post-1600s thought either:
NO Freeman shall be taken or imprisoned, or be disseised of his Freehold, or Liberties, or free Customs, or be outlawed, or exiled, or any other wise destroyed; nor will We not pass upon him, nor condemn him, but by lawful judgment of his Peers, or by the Law of the land. We will sell to no man, we will not deny or defer to any man either Justice or Right
According to the Magna Carta signed in 1215.
So yes, it is a natural right because it's liberty. You have a natural right to have property, part of which is a computer, I'm sure we can all agree; if you have property then no one should deprive you of your use of said property unless it violates the rights of others. Considering that accessing various internet sites doesn't infringe on the rights of others, I'd say it's a natural right to use the internet if you pay for it and a violation of natural rights for the government to control it.
Now, of course western thought doesn't mean shit in China.... But that doesn't mean that natural laws don't exist because China doesn't believe in them.
Taxation is legalized theft, no more, no less.
Most ISPs in China will not be able to provide you a connection better than, say, about 1 Mbit/s. Even if you have an SSL-encrypted proxy or VPN set up at home, your connection to your home network in the States will be unbearably slow. But the OpenVPN suggestion is going to be your best bet.
See "How to Break Out from Inside a Draconian Firewall": http://technotes-fran.blogspot.com/2009/11/how-to-break-out-from-inside-draconian.html
Download a copy of the Server 2008 demo; it is good for 60 days. Set it up on a VM and enable the TS Gateway functionality. Basically it will let you tunnel Remote Desktop to any computer on your local network over SSL to the internet. Or use LogMeIn, not sure if that's blocked there?
Nuclear war would really set back cable. - Ted Turner
Which is, like I stated previously, why China really needs a revolution, probably an armed revolution to restore a government that actually is by the people. Plus, if you look at a lot of the world, the military can act as a check against governmental power, it only takes a rogue wing of the army which has become enlightened to start over the restoration of basic rights.
SSH's -D option activates the built-in SOCKS proxy in the SSH client, so all you have to do is:
then configure your browser to use a SOCKS5 proxy on localhost:8080 (and also to use the proxy for DNS lookups, otherwise you leak the DNS names of the sites you browse to).
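The DNS-leak point above, shown as an added example that is not code from the post: this builds the SOCKS5 CONNECT request a browser hands to the ssh -D listener. With "use proxy for DNS" the hostname travels inside the request (address type 0x03) and the SSH server resolves it; without it, the browser resolves the name through the local resolver first and only an IP literal enters the tunnel. The resolver callable and the 203.0.113.10 address are constructed for the demo.

```python
"""SOCKS5 CONNECT request builder and parser (RFC 1928 framing)."""
import socket
import struct
from typing import Callable, Optional, Tuple

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
_ATYP_NAMES = {ATYP_IPV4: "ipv4", ATYP_DOMAIN: "domain", ATYP_IPV6: "ipv6"}


def _literal_address(host: str) -> Optional[Tuple[int, bytes]]:
    """Return (atyp, packed bytes) if host is an IPv4/IPv6 literal, else None."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            return atyp, socket.inet_pton(family, host)
        except OSError:
            continue
    return None


def connect_request(host: str, port: int,
                    local_resolver: Optional[Callable[[str], str]] = None) -> bytes:
    """Build a SOCKS5 CONNECT request.

    local_resolver=None models the browser setting that sends DNS through the
    proxy: the hostname is sent as ATYP 0x03 and the SSH server resolves it.
    Passing a resolver models the leaky configuration: the name is looked up
    locally (outside the tunnel) and only the resulting IP is sent.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00])  # VER, CMD, RSV
    literal = _literal_address(host)
    if literal is None and local_resolver is not None:
        # Leaky path: the lookup happens here, visible to the local network.
        literal = _literal_address(local_resolver(host))
        if literal is None:
            raise ValueError("resolver did not return an IP literal")
    if literal is not None:
        atyp, packed = literal
        return header + bytes([atyp]) + packed + struct.pack("!H", port)
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return header + bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> Tuple[str, str, int]:
    """Decode what the SOCKS server (the ssh client's -D listener) sees.

    Returns (address kind, host, port). A "domain" kind means the remote end
    resolves the name; "ipv4"/"ipv6" means the client already did.
    """
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        end = 4 + 4
        host = socket.inet_ntop(socket.AF_INET, data[4:end])
    elif atyp == ATYP_IPV6:
        end = 4 + 16
        host = socket.inet_ntop(socket.AF_INET6, data[4:end])
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        host = data[5:end].decode("idna")
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(data) != end + 2:
        raise ValueError("truncated request or trailing bytes")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return _ATYP_NAMES[atyp], host, port


if __name__ == "__main__":
    # Constructed resolver standing in for the OS resolver (a real lookup
    # would leave the tunnel and reveal the site name).
    fake_os_resolver = lambda name: "203.0.113.10"
    for label, req in (("remote DNS", connect_request("example.com", 443)),
                       ("local DNS ", connect_request("example.com", 443, fake_os_resolver))):
        print(label, req.hex(), "->", parse_connect_request(req))
```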
The problem is that in 99% of the cases in which the military becomes "enlightened" you end up with a fascist dictatorship.
In soviet russia the government regulates the companies.
Certificate Patrol (https://addons.mozilla.org/en-US/firefox/addon/6415) watches for changes in SSL certificates and alerts you to those changes, so you can decide if someone is pulling an SSL MITM attack on you. If the Chinese routers are running SSL interceptors (e.g., Cisco's IronPort or Bluecoat's ProxySG), then you will see alerts that the SSL certs you last got from within the US are different in China.
Seriously, ssh -D is your friend:
-D port
Specifies a local ``dynamic'' application-level port forwarding. This works by allocating a socket to listen to port on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.
My prior job required me to travel to China for a few weeks every 2-3 months & I found it invaluable. Fire it open on the command line, and set your browser to use that local port as a SOCKS proxy.
(Note, however, this will not help you deal with shitty bandwidth to sites outside china. On that front, you're pretty much just fucked until you leave China. Even "off hours" don't help that much.)
I've traveled in China several times, and as a "rich white guy" you won't have serious problems even if you make loud political statements that the party disagrees with. (E.g. here is a short list of forbidden words).
What you should be careful about is discussing politics with the locals. At worst you'll be asked to leave the country, but they can be thrown in jail or "disappeared" if they say, criticize party leaders.
In other words, using a ssh proxy is fine. There is probably even no law against it, except for the general "don't do things not in the interest of the Party".
But it leads to instability which provides an opportunity for the Chinese people to form a government that actually supports their rights, they'd need to act quickly but it is possible.
OpenVPN is very easy to setup. Just setup openVPN on your home computer and get a dyndns hostname for it. The rest is easy.
MLK was not a tourist in Birmingham. He was a US citizen, in a US jail.
"seditious Chinese website" -- like wikipedia, dropbox, archive.org, google cache, blogspot, sourceforge, freebsd.org, youtube, twitter, foursquare and facebook .
My experience might be a bit outdated (October 2008 was the last time I was in China), but I didn't see much of a firewall there. The only sites that I couldn't reach (occasionally!) were zh.wikipedia.org (which I tried out of curiosity) and a sourceforge download site in Taiwan. And I tried a lot of sites, including the ones that you mention and other usual suspects.
My Chinese colleagues told me that generally only Chinese-language sites and sites located in Taiwan are blocked. They also told me that anyone with basic computing literacy can circumvent the firewall anyway without much effort. I can't tell you much about the details because I didn't need to and my colleagues didn't seem to want to speak about it. My impression was that the Chinese DNS server just didn't resolve some site names.
At times I had the impression that the SSL connection to my webmail service in Germany and the VPN connection to my company's intranet were a bit slow and unreliable (which made me paranoid about a man-in-the-middle attack), but when I was in the US recently the connection was even slower and more unreliable. Draw your own conclusions.
Say out loud: I'm an Aspie and I'm somewhat proud, I guess. Uh. Can I write an email in all caps instead? Hm...
Be aware, current security best practices suggest that you physically destroy whatever computer you use while you're in China. It is highly likely to be subverted while there. Seriously. Think about buying a cheap netbook while you're there, or get a used one here that you're going to sell before you leave.
The Ironkey flash drive ( https://www.ironkey.com/ ) was developed for the military. It features DOD standard encryption on the hardware level and a pre-installed version of firefox with a vpn tunnel provided by Ironkey itself. A.D.B.
Your use of the word 'restore' suggests that you believe that, sometime in the past, China had some form of democratic government. The larger assumption is that the Chinese people, as a whole, *want* government by the people. The historical and cultural evidence indicates otherwise.
Set up a Linux box at home. Run Squid proxy. SSH tunnel to your Linux box at home and now you have an encrypted proxy inside the US to connect to.
See: Encryption restrictions in China.
"If you encrypt data in China, you have to provide the Chinese government the ability to access the keys. By this regulation, the Chinese should be able to get access to [Secure Sockets Layer]-encrypted traffic, too."
It's basically one big Charlie-Foxtrot over there. But if you want to avoid being found out and thrown into a Chinese jail cell, you had better play it safe.
I'm not sure that the ability to view websites blocked by China while you're visiting their country constitutes a natural right. Even granting that you do have a responsibility to break laws you feel are unjust, you must still face the consequences of breaking that law. A responsible adult must look at their obligations and determine if the consequences of breaking the law and being punished outweigh the benefits of breaking the law.
Is making this statement worth going to a chinese jail over? Is making this statement worth leaving your child without a parent, or your parent without a child over? Will the good that you do for society by this act outweigh the harm you cause to those who love you?
Most SSL proxies don't make you anonymous, nor do they encrypt incoming communication. If you truly understand how SSL works, then you would know that most SSL implementations on the internet are only one-way encryption, not two-way. Unless you use a client cert, all communication the server sends you is unencrypted. The great firewall of China filters site content. So if you use an SSL proxy, the Chinese government is still able to nab your IP address by filtering incoming packets from your proxy to your host. The safest way to not get caught is to use ssh tunneling using two-way encryption.
Where is the "Ignorant" mod tag?
If you have a linux box in the US, install NX Server (free) on that box, then install NX Client on your laptop or USB memory stick with whatever distro you want to use. Secure remote browsing done easy. Marco
Why not just obey the law while in China and stay out of jail/alive?
You have no idea of what you are fucking with. If you don't think they will be watching everything a foreign national is doing and itching for a reason to arrest you, you are naive, bordering on stupid.
It's one thing to espouse freedom like we have in the US. That's a noble pursuit.
It's quite another to be thrown in a Chinese jail for no other reason other than "Look at me, I'm getting through the great firewall of china :-p"
Get a grip. Go over there, do what you gotta do, and come home.
Don't kid yourself. It's the size of the regexp AND how you use it that counts.
At a western hotel I'm sure 95% of your needs will be met. If you want free-roaming unfettered internet access and speeds throughout china... well... I would ask why you would need such access and if that access would be worth a stay in a Chinese prison.
A friend traveled to the PRC about 6 months ago. You have to use an outside DNS server, preferably over SSL, and an outside proxy over SSL. I was giving him the DNS records over IRC (or MSN), so that he entered them manually in the local lookup table, and then he routed all the traffic over a proxy I'd set up which was SSL-only. I must stress that if you just make one single request without SSL over an outside proxy, the IP of the proxy gets banned. Also, sites (e.g. Facebook) aren't resolved by local DNS servers IIRC, plus the IPs of these sites are blocked. Funny thing is that IRC (or MSN, I don't remember exactly) worked normally. :)
I am honest American myself not complete satisfied with policies of Great Republic. It is good you tell grievance to all very publicly. When you arrive my friend Mr. Lee will visit and he will adjust your computer for maximum benefit, and help educate you on proper Chinese customs.
Support microSD: in a post 9/11 world, it is unwise to carry your data on media that you cannot comfortably swallow.
My daughter is living in Beijing for a year so before she left I got her a notebook and set it up with everything she'd need. For a brief moment I considered installing an SSH tunnel or VPN access back here to home, but then I thought about what my ex-wife's voice would sound like when she said, "they are detaining our daughter because they found military grade encryption software on her computer. How did that get there?" and decided against it.
Seriously, if you disagree with their policy don't go. In your own country you have the right to civil disobedience against unjust laws. In another country you are a guest and should act appropriately.
I'm an Aussie, our countries fought together in many wars (some still ongoing) and about as peaceful a partner as the US can get. Despite having travelled to the US about a dozen times and even lived over there for a couple of years, I have refused to return because you want to fingerprint me on entry now.
If you disagree with a requirement of entry. Don't go. It is astonishing that you would premeditate to break China's laws because of your political views when your own country has a bunch that you have not fought against.
Sheesh.
--M
# grep slashdot access.log | grep html | sort | uniq | wc -l 2604
Yes. Echoing the statements of many people throughout history. According to Locke there are three major natural rights (as in rights given to everyone at birth simply because they are human):
Life- everyone is entitled to live once they are created.
Liberty- everyone is entitled to do anything they want to so long as it doesn't conflict with the first right.
Estate- everyone is entitled to own all they create or gain through gift or trade so long as it doesn't conflict with the first two rights.
OK, then I'm going to punch you in your face. It doesn't threaten your life (I won't punch that hard), therefore rule 1 doesn't apply, and therefore rule 2 tells me I'm entitled to do it.
The Tao of math: The numbers you can count are not the real numbers.
1: Set up a *nix server at yours or a buddy's house (the latter is best, because your buddy can turn it back on if the power goes out)
2: install OpenSSH on the server
3: Learn to use SSH tunneling.
The Internet has given stupid people the resources of intelligent people.
I was in China for a summer and was able to access anything, uncensored through this free vpn service. http://hotspotshield.com/
You may have forgotten that China is currently cracking down on porn. The man can't live without his porn!
I wonder if the AC who posted the question might be a lazy network tech in China trying to close holes?
I'm a happy pessimist. I expect and prepare for the worst, when it doesn't happen I am pleasantly surprised.
For god's sake, some of you make it sound like the OP's never gonna be seen alive again. He's just going to China, not the goddamn Death Star. I guess you can say there's always the risk of being detained, but you risk being detained just coming back to the US! Any halfway savvy Chinese net user knows how to browse blocked sites. The laws are intentionally vague and nebulous. Enforcement against you is unlikely unless you really try to start something.
Unhindered access to the intertubes is a natural right now?
I'm surprised this answer didn't come up earlier. At the very least, set up an SSL proxy back home. If you do/can run a web server in your house, with an ISP that doesn't make it difficult, this is the obvious solution. I did this as a favor for a nephew living in the Middle Country, and he was able to surf freely.
If you're carrying your own laptop, and can ssh into your server, then with port redirection, truly you are powerful, and will be limited only by the bandwidth between you and home plate.
Luke, help me take this mask off
Tunneled traffic looks different than keystrokes and occasional bursts of text, unless you are some kind of heroic typist.
It's pattern analysis. Packet counts, inter packet temporal spacing, data volume, etc.
Now it may be that ssh is used often enough for tunneling/file transfer/etc that tunnel sessions are common, but it still will look a lot different on the wire than a terminal session.
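The pattern-analysis argument above, carried through as an added example (not the poster's code, and with constructed flows rather than captures): the same flow-shape features a network defender uses to tell an interactive SSH session from one carrying bulk data, evaluated on two synthetic packet sequences. Thresholds are illustrative assumptions, not measured values.

```python
"""Heuristic flow-shape classifier: interactive SSH vs. bulk/tunnelled SSH."""
from dataclasses import dataclass
from statistics import mean, median
from typing import List, Tuple

# One packet: (timestamp in seconds, direction, TCP payload bytes).
# direction is "c2s" (client to server) or "s2c" (server to client).
Packet = Tuple[float, str, int]

# Assumed thresholds for the demo; tune against your own baseline traffic.
SMALL_PAYLOAD = 64       # one encrypted keystroke or echo is well under this
TYPING_GAP = 0.05        # people rarely type faster than ~20 keys per second
INTERACTIVE_MAX_PPS = 30
BULK_MEAN_PAYLOAD = 500  # tunnelled web content arrives in near-MTU segments
BULK_MIN_PPS = 100


@dataclass
class Features:
    packets: int
    duration: float
    packets_per_second: float
    mean_payload: float
    small_fraction: float      # share of packets at keystroke size
    median_c2s_gap: float      # client-side cadence (keystroke rhythm)
    s2c_byte_share: float      # how one-sided the byte flow is


def features(flow: List[Packet]) -> Features:
    if len(flow) < 2:
        raise ValueError("need at least two packets")
    flow = sorted(flow)
    ts = [p[0] for p in flow]
    sizes = [p[2] for p in flow]
    duration = ts[-1] - ts[0]
    c2s_ts = [t for t, d, _ in flow if d == "c2s"]
    c2s_gaps = [b - a for a, b in zip(c2s_ts, c2s_ts[1:])]
    total = sum(sizes) or 1
    return Features(
        packets=len(flow),
        duration=duration,
        packets_per_second=len(flow) / duration if duration > 0 else float("inf"),
        mean_payload=mean(sizes),
        small_fraction=sum(1 for s in sizes if s <= SMALL_PAYLOAD) / len(sizes),
        median_c2s_gap=median(c2s_gaps) if c2s_gaps else float("inf"),
        s2c_byte_share=sum(s for _, d, s in flow if d == "s2c") / total,
    )


def classify(flow: List[Packet]) -> str:
    """Label a flow by shape alone; payload content is never inspected."""
    f = features(flow)
    interactive_like = (f.small_fraction >= 0.8
                        and f.median_c2s_gap >= TYPING_GAP
                        and f.packets_per_second <= INTERACTIVE_MAX_PPS)
    bulk_like = (f.mean_payload >= BULK_MEAN_PAYLOAD
                 or f.packets_per_second >= BULK_MIN_PPS)
    if bulk_like:
        return "bulk-transfer-or-tunnel"
    if interactive_like:
        return "interactive"
    return "undetermined"


def constructed_interactive_session(keystrokes: int = 40) -> List[Packet]:
    """Constructed: a person typing at ~5.5 keys/s, each key echoed back."""
    flow, t = [], 0.0
    for _ in range(keystrokes):
        t += 0.18
        flow.append((t, "c2s", 36))          # one encrypted keystroke
        flow.append((t + 0.02, "s2c", 36))   # its echo
    return flow


def constructed_tunnel_session(segments: int = 300) -> List[Packet]:
    """Constructed: a page fetched through ssh -D, arriving in full segments."""
    flow, t = [(0.0, "c2s", 120)], 0.0       # small request going out
    for i in range(segments):
        t += 0.0015
        flow.append((t, "s2c", 1448))        # near-MTU response segments
        if i % 25 == 0:
            flow.append((t + 0.0005, "c2s", 36))  # occasional window update
    return flow


if __name__ == "__main__":
    for name, flow in (("typing", constructed_interactive_session()),
                       ("tunnel", constructed_tunnel_session())):
        print(name, classify(flow), features(flow))
```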
So somebody from a repressive religious state has the "natural right" to exact deathly punishment on women who dress too skimpily. That's respecting the order of the universe. Any law against that is unjust and violates their natural rights. Would you support their right to break murder laws in western nations?
People with strong beliefs willing to stand against a government in the name of change must expect conflict, not appeasement.
VPN service can start as low as $20/year. You'd be hard-pressed to spend over $100 for a year of full-speed access via OpenSSL or something. (I'd recommend that, something where the certificate and key are exchanged before you go to China, just to be sure there's no MITM going on.)
I doubt your time is so worthless that you would be better served by setting up your own method on Linux, than by skipping Starbucks for a week before you leave and putting that money into a turnkey solution.
proxytunnel (and cntlm if you need NTLM authentication to your local proxy) will get through just about any stateful filter/proxy that only allows ports 80 and 443 outgoing and tries to block proxies with packet inspection. Listen on yourhost:443 with an SSL proxy (e.g. encrypted HTTPS proxy server) and allow CONNECT 127.0.0.1:22 via that proxy. Use proxytunnel with the option to connect through the local proxy using cntlm if necessary, then through your own encrypted proxy and finally connect to 127.0.0.1:22 for the SSH connection. In your ssh config set up the host you will use with the ProxyCommand to invoke proxytunnel with the required options. It works because the deep inspection firewall only sees a plain vanilla SSL connection to yourhost, with no evidence of HTTP proxying or SSH being tunneled through it. Tunnel through SSH as necessary.
If you're using Apache as your SSL proxy, you will have to patch proxytunnel to turn off SSL once the proxy connection to sshd is established because for one reason or another Apache thinks it's a good idea to hand the raw socket over to the proxied connection instead of keeping it running through SSL. That might let an exceptionally paranoid firewall see the SSH exchange and block it, but it's still secure if you tunnel everything else through the SSH session.
I've been to China. I've used the Internet there. Unless you are looking at things specifically about things they don't like, Tibet, Tiananmen and such, you won't have a problem. What are you planning on doing that you think might be a problem? After all, I'm presuming you are going there from the US, so you have no problem with the federal government listening to everything you send (so far, no one has ever actually denied that AT&T feeds 100% of all Internet traffic that touches their network to the feds). So you must think that you'll be missing something from the "full Internet." I'm curious what you think that will be. I haven't been there in a couple years, but I could get to the Wikipedia entry for Tiananmen Square. But a google.cn search on it wouldn't give "full" results. They actually block very little. And most of what they aim to block are sites in Chinese.
It's like going to a country with child porn filters. If you aren't planning on doing porn or child porn, it will likely be something you won't ever hit even once, so planning on work arounds for them would be a silly waste of time. I'm not asking to make you justify not wanting to be filtered, but just trying to see if the cost benefit scenario actually leans towards an answer other than "don't do anything, you'll never notice it."
Learn to love Alaska
But really, if a law is unjust and violates natural rights, you have every right to break it, some may say you even have a responsibility to break it because by not breaking it you in essence prop the law up.
Tunneling under the firewall may be an act of rebellion but is not civil disobedience as Thoreau or Gandhi or Martin Luther would have understood it.
Civil disobedience is open and public.
Civil disobedience means paying the price of disobedience - no matter how high.
Civil disobedience means nothing to a regime that operates in secret and fundamentally does not care how many people have to die to achieve its objectives.
The lone tourist might be ignored - but he could go to trial.
The repeat visitor who routinely breaks the rules begins to look more like a spy, a courier or an agent provocateur.
In which case, he might meet with an unfortunate accident.
When I was in China in 2004 I was surprised to find that internet access appeared completely unfettered. I stayed in both Beijing and Xi'an and had no trouble accessing both secure and non-secure sites including my bank, CNN, etc. from hotels, coffee shops, and people's homes. I didn't go out of my way to look for something I could not access, but I never ran into anything either.
Yes, get a VPS, use ssh SOCKS proxy tunneling with DNS (read up on it), with Firefox and FoxyProxy. It works like a charm.
The way he shoved that cop. Would he have survived that in any major american city?
That is exactly why I won't visit the USA.
The chinese government couldn't care less about you accessing those sites. Just their own citizenry.
You're obviously too cool to bother with social networking or photo sites, but both Facebook and Flickr.com (and at least one site I can't recall) were blocked when we were staying with friends in Beijing recently. A PPTP connection to StrongVPN.com made my traffic emerge in a San Francisco POP and nothing was blocked. So depending on what kind of cocoon you live in, maybe the wall never hits you, but it's there.
Doesn't seem like a big deal to me (from http://www.chinaeclaw.com/english/readArticle.asp?id=2384 ):
Article 24 Where foreign organizations or individuals use encryption products or equipment containing encryption technology without approval, the State Cryptographic Administration Authority, in conjunction with the public security departments, shall issue an official warning and order rectification, and may also confiscate the encryption products or equipment containing encryption technology.
Sorry to reply a second time, but the punishment for this 'crime' is:
Article 24 Where foreign organizations or individuals use encryption products or equipment containing encryption technology without approval, the State Cryptographic Administration Authority, in conjunction with the public security departments, shall issue an official warning and order rectification, and may also confiscate the encryption products or equipment containing encryption technology.
From http://www.chinaeclaw.com/english/readArticle.asp?id=2384
Seems like the worst possible thing they can do is confiscate his laptop. Big deal.
As a foreigner who has lived and worked in China for the best part of the last two decades, my strongest and best advice is to get a VPN service. I use StrongVPN but I understand that there are a range of others that work well in China.
I do not consider US$15 per month to be an onerous expense when it comes to being able to access the whole of the web and watch the occasional show on Hulu.
A dream is good. A plan is better.
No-IP + Proxy Server + Firefox = no great firewall
No universal health care, appalling wealth distribution, limited unemployment aid, expensive education, over a million Iraqi dead, the School of the Americas, Guantanamo etc., etc. Yes, you are right. No care for human rights there...
In actuality there is no such thing as rights. Rights are what we, collectively, decide them to be.
Most civilised countries have healthcare as a right. Primitive ones don't. If you want to be primitive, that is ok by me.
Additionally the UN has a declaration of human rights to which the US subscribes (but does not practice) and is thereby supposed to adhere to (see The Constitution of the United States of America) but fails to uphold.
So, but me no buts. The United States of America cares little for human rights and even less so if those humans are not US citizens.
You have no possible reply that is not hypocritical so I won't be responding any more.
When I worked in China, I just used Tor. Quick, easy, and worked perfectly. Even works for torrents, since all your client needs to do is connect to the tracker over http, and then you don't need a proxy after that point.
You are a foreigner; trust me, odds are they may already be watching you a bit.
I have never heard of foreigners being watched extra well in China - at least not the regular visitors or business people. With the thousands if not millions of foreign visitors in China at any one time this is quite a Herculean job to do, even for China.
However, I hear North Korea is doing that much better. It makes the country one of the safest to visit as a foreigner. Over there you will always have at least one police officer keeping an eye on you.
Back on topic I have never had any issues with inaccessible web sites when in China. Not that I use the web too much there anyway; and if anything was blocked well not likely it's so important it can not wait until later.
Build a virtual PC on Rackspace, whichever OS you wish, Fedora or Windows Server 2008 R2 among several others, and remote to it. A dollar a day buys you a whole lot of power, and you can buy it by the day.
J.E.B.
Joshua Corps
You are a Chinese government official who's smart enough to ask the people who might actually know a way to get through, so you can plug the last hole and make your people suffocate in an intellectual vacuum?
beware he who denies you access to information for in his mind, he already deems himself to be your master (SMAC-ish)
Since when does anyone have a "natural right" to access the fucking internet?
To have a right to do a thing is not at all the same as to be right in doing it
Simply asserting that there are "natural rights" and quoting various passages which agree with that opinion (which is just the logical fallacy of arguing from authority) is not a philosophically valid line of argument.
Human beings only have "rights" because they have developed language and can communicate the ideas of law, morality and shared societal beliefs with each other. To be honest, I'd rather have someone just come out and say that these rights were given by God, as then you know there's no point in arguing about their delusions with them.
To have a right to do a thing is not at all the same as to be right in doing it