Tunneling Under the Great Firewall?
An anonymous reader writes "I am traveling to China in the near future, and needless to say as a Slashdot reader I am going to require access to the Internet. The whole, unadulterated, unfiltered Internet. Also needless to say, I am very leery of the government there (my lack of a nickname on this submission being testament to that). I will only be there for a few weeks, and will not be using the computer for much of that time, so I don't want to shell out a lot of money to a VPN service. However I also don't want to be hindered by extremely slow speeds such as those provided by the Tor network. I have experience implementing Web servers and work fairly often with Linux; however, many of my friends who also face the same dilemma don't. What would be the most cost-effective (free is best) method for me to subvert the Great Firewall during my travels while maintaining sufficient anonymity and enjoying sufficient speed?"
This fear of China is just WTF. "my lack of a nickname on this submission being testament to that", VPNs, Tor, all of that just to browse the regular Internet. Anyone who writes these things obviously has not been there or in the other Asian countries.
Most of the western quality hotels provide access to unfiltered Internet and you are most likely staying in one of those. Besides, the Chinese and Asian in general are quite relaxed people. Just think if American cops would be this patient and try to help the guy.
Seriously, the Chinese, Asian and rest of the world hate and fear by Americans is getting beyond ridiculous.
At my workplace we have people who travel to China. On occasion VPN connections from China just stop for hours or days at a time. No hits at our VPN endpoint from China at all; the traffic is stopped upstream somewhere while everything else that is unencrypted works.
That's the only country we have people visit where the VPN can be problematic.
Trolling is a art,
Have somewhere a computer with real IP, and start some proxy server. Or even some remote-control (VNC, RDP), if you have a good bandwidth.
SSH tunneling with SSH -D is trivial to set up. Make sure you forward DNS with network.proxy.socks_remote_dns set to true if you're using Firefox.
I think I read that SSH can even create a virtual network device that forwards all traffic over a tunnel. Haven't had time to play with that though. That would be a great solution for every app, even those that don't support SOCKS proxies.
Give me Classic Slashdot or give me death!
Before leaving, set up a computer with decent upstream bandwidth and VNC / screen share. Pretty simple, and only shows a connection to that one IP address. If you use OSX it's a 30 second setup in sharing preferences, and I'm sure that there are Windows and Linux equivalents. You may need to tweak the ports to get under the Great Firewall.
However, one significant drawback (with the OSX solution) is that audio is not streamed. Another is lag with slow / far connections.
But it will get you the full net.
__ Someday, but not this morning, I'll finally learn to use the preview button.
Just change your online name to "FreeTibet". They'll never notice.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
http://en.wikipedia.org/wiki/List_of_websites_blocked_in_the_People's_Republic_of_China Those definitely all sound like sites chock full of state secrets.
I suggest that you play nice with China's laws if you are going to China. Trying to bypass their firewall as a foreigner traveling there is more likely to attract the sort of attention you don't want than anything else. As you said, you're just going to be there for a few weeks. Do you *really* need to search for the kind of stuff they filter out while you are there?
My wife travels regularly to China for work. We are very careful about our conversations on the phone when she's there, and about the emails we send when she's there. I sure as hell would never advise her to try to bypass their firewall.
If you are a Chinese freedom activist, by all means, you know what you're getting into, bypass away. I support the people of China in their efforts to access the whole internet, to speak their minds, to be as free as they care to be.
If you are a Westerner visiting, I'd suggest you just hold your horses there bucko and deal with the internet you can get from your hotel room and don't make yourself look more suspicious than you actually are. You really, really don't want anybody to think you are doing anything against Chinese interests while you're there. Seriously.
if on windows, set up your home computer to accept incoming rdp requests (and configure your router to pass that port to the right machine), and leave your home computer on the whole time
login remotely, and surf anywhere you want
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
My political opinions are state secrets that I communicate over twitter, you insensitive clod!
XML is like violence. If it doesn't solve the problem, use more.
This is a really simple problem to solve.
Keep a box at home, run Linux/*BSD/whatever on it. Have SSH on it. Run SSH on a "common" port that's not 22. 21, 23, 56, 69, 80, and 443 are good candidates. For good measure, keep a small web-based admin util on some other common port (with SSL!) in case you guessed the SSH port wrong.
Use SSH as a proxy. I forgot exactly how to accomplish this on *nix but on Windows... Use PuTTY. Connection -> SSH -> Tunnels. Set a random source port (which is what port you connect to on your local machine) and select the "Dynamic" option. IPv4/IPv6 option should stay to default "Auto". An entry in the list should read something like D12345 where 12345 is the port. Use localhost:port as a SOCKS proxy.
And for *nix, there's this guide that should work for all OSes with standard ssh: Guide!
So when China asks slashdot how best to catch people circumventing their firewall, how would they do it? They might pretend to be a western touron visiting their fair nation and asking some innocent questions about firewall circumvention. If any of these methods are effective, they are likely to cease being effective now that they are widely published. Either way, the anonymity of the poster prevents direct help and indicates perhaps a clever approach to hardening the firewall.
As long as we are going with "things the original author specifically discounted in his post", I think he should purchase VPN service...
I have done this from Beijing and it worked the week I was there.
FoxyProxy is a nice add-on to use for this, since it allows you to either whitelist specific sites for use through the proxy, or to simply switch back and forth to the proxy as you need.
All 3 are linked together with a VPN.
And just after the planes struck the buildings on 911, the VPN with Detroit mysteriously went down. Unencrypted connections continued working as if nothing happened (so it's not a case of a router being located physically in WTC, or whatever). A couple of days later, all was back to normal. No explanation ever followed.
Sorry, but that's what this is. The internet is regulated by the Chinese government, it's kind of asinine to ask users how to circumvent and break Chinese laws.
When you're in another country or in someone else's home, you follow and abide by their rules. It's not just being respectful, it's good manners.
The Great Firewall sucks, but that's how they roll. Just suck it up and deal with it.
Unless they've opened a few new trans-pacific pipe connections since I was last there, forget about speed. Maybe it was just my ISP (Great Wall, ha) but within China you can get nice (e.g. 750kb/s) speed but the moment you cross the pacific your latency is killer and you're crawling at 5-10kb/s. This is using corporate VPN or without. I suspect the actual throughput is a result of active throttling by the State. In terms of restricting general information, making something extremely painful is nearly the same as blocking it.
___________________ I want to be free()!
What you are asking is illegal there. If you get caught bad things will happen to you. Is it really worth the risk for a couple of weeks? Are you THAT addicted?
---- Booth was a patriot ----
But when the law unfairly restricts your natural rights, then the breaking of that law is completely justified, hell, armed revolution in the case of China is very much justified for the Chinese people.
That said, I'm not sure if I'd really do it in China as a tourist, not that they'd probably do much (China gets western businessmen all the time) but I just wouldn't want to take the risk unless.
But really, if a law is unjust and violates natural rights, you have every right to break it, some may say you even have a responsibility to break it because by not breaking it you in essence prop the law up.
Taxation is legalized theft, no more, no less.
While not necessarily the best tone in the world, I actually agree with DJ Jones here.
Here's your decision tree:
1) Is the website you want to see worth defying the laws of your hosting nation?
2) Is there absolutely no way you can do without it until you come home?
3) Do you have some kind of diplomatic immunity, wealthy connections, etc that can extract you from a sticky situation?
You get the picture.
Imagine this post on the Arabian Slashdot:
I am getting ready to travel to the United States and don't want it to interrupt my terrorist training. Can you guys recommend a way around the DHS's websniffing protocols, eavesdropping, cellular tracking, etc?
And what would your advice be??
Opportunistically, if you gave advice about methods, would you feel bad if he landed in Gitmo?
Think about the implications. After all, it is only the internet and you don't live there. Think deeply.
If the requirements and restrictions on the Internet in China are enshrined in Law in China, you may be putting your visa at risk.
It's like an Australian 18 year old coming to the US and drinking alcohol and getting caught. In Australia, there's no restriction above 18, in the US, it's 21. You get caught, you may not be able to enter the country again.
A local law is a local law, no matter what your views are. What you can do freely in your country may be illegal and carry harsh punishments in others.
I agree with you about 99%.
Setting up your own VPN is probably fine. If there are problems just claim that you need it to access work or school. What I wouldn't do is "help" people in China do the same.
1. If you are asking on slashdot you probably lack the skills to do it well.
2. If you get caught as a US citizen they will probably just take your computer and kick you out. You are not worth the bad press they will get.
3. If you help Chinese citizens do the same you can become worth the trouble. Which is a very bad thing.
4. You may hurt those that you are trying to help. Trust me, there are a lot of bright folks in China that have the skills to get around the great firewall. They also probably know better who to trust.
You are a foreigner. Trust me, odds are they may already be watching you a bit. If you are not a business person I expect they are watching for you to try and do this very thing. As much as people like to make fun of security people they are not dumb. Figure that they have a lot more skill at catching you than you have at evading them. If you or your friends don't get caught it will be just because of luck.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
I travel quite frequently and often need to subvert the various restrictions of local ISPs (DNS redirection, throttling, censorship etc.). The method that works for me is:
1). Rent a cheap 512MB VPS (I use Linode and highly rate them but there are many other providers)
2). Grab a copy of OpenVPN and set it up in server mode on your VPS (make sure you push "redirect-gateway" to clients so that they send all their internet traffic through the VPN)
3). Install a copy of OpenVPN on the computer you'll be travelling with (set it up in client mode and configure it to point to your VPS).
That's it. All your traffic will now flow encrypted to your VPS where it will then break-out on to the open, unfiltered internet.
Additional tips:
- If you are using Windows on the computer you're travelling with, you need to make sure your DNS queries are going through the VPN (see: http://openvpn.net/archive/openvpn-users/2006-09/msg00020.html for what steps you need to take)
- To help obscure the fact you are using a VPN, set the server to use TCP rather than UDP (note: this will increase latency a bit) and set it to listen on a port normally associated with something else (e.g. TCP 993 which is normally used for secure imap or TCP 443 which is normally used for https traffic).
If you haven't got the cash for a VPS (frankly though you should, they are really cheap!), you could always set up the OpenVPN server on your home machine and point your travelling computer to that.....
Good luck!
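An added example, not part of the comment above and not OpenVPN project code: a small Python check that a server config really pushes the full-tunnel route and a DNS server, the two settings the post relies on to keep traffic and DNS queries from leaking outside the VPN. The sample configs, the host name `vps.example.net` and the function names are constructed for illustration.

```python
import shlex

# Constructed sample configs (assumptions for this example, not from the post).
GOOD_SERVER = """\
# TCP on a port normally associated with HTTPS, as the tip above suggests
port 443
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
"""

LEAKY_SERVER = """\
; split tunnel: only the VPN subnet is routed, DNS stays with the local ISP
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
"""

LEAKY_CLIENT = """\
client
remote vps.example.net 443 tcp
route-nopull
"""


def parse_directives(text):
    """Split an OpenVPN config into token lists, skipping '#' and ';' comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)  # keeps push "quoted args" whole
        if tokens:
            directives.append(tokens)
    return directives


def audit_server(text):
    """Report whether the server pushes a full tunnel and a DNS server."""
    directives = parse_directives(text)
    pushed = [d[1].split() for d in directives if d[0] == "push" and len(d) > 1]
    plain = {d[0]: d[1:] for d in directives if d[0] != "push"}
    return {
        "full_tunnel": any(p[:1] == ["redirect-gateway"] for p in pushed),
        "dns_pushed": any(p[:2] == ["dhcp-option", "DNS"] for p in pushed),
        # OpenVPN defaults when the directive is absent: UDP, port 1194
        "proto": (plain.get("proto") or ["udp"])[0],
        "port": int((plain.get("port") or ["1194"])[0]),
    }


def client_discards_pushed_routes(text):
    """True if the client config ignores the server's pushed routes and DNS."""
    return any(d[0] == "route-nopull" for d in parse_directives(text))
```

A server that reports `full_tunnel` or `dns_pushed` as false leaves ordinary traffic or name lookups on the local network, and a client with `route-nopull` undoes both pushes even when the server is configured correctly.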
Or more specifically, he should shell out a lot of money for one.
"There are just laws and there are unjust laws. I would agree with St. Augustine that an unjust law is no law at all... One who breaks an unjust law must do it openly, lovingly...I submit that an individual who breaks a law that conscience tells him is unjust, and willingly accepts the penalty by staying in jail to arouse the conscience of the community over its injustice, is in reality expressing the very highest respect for law."
- Martin Luther King, "Letter from the Birmingham Jail," April 16, 1963.
My buddy lived in China (Beijing) for two years. At least as of 2008, accessing the English internet was either a) slow as hell or b) largely firewalled off. Major news sites, useful tools (particularly to a power-user) and a whole host of things we take for granted either had limited availability or simply couldn't connect to the US server. As I understand it, it's gotten worse, not better since then.
Case in point: Appreciate what you have here in the US of A. You have it really, really good here.
moox. for a new generation.
I recently spent 1 month in China and was unsure of what to expect about internet access. It was better than I expected. I think it is not worth the trouble to try to dodge any firewalling. I was able to use ssh to connect to computers back home and generally able to surf the internet. I think youtube and google video were blocked, but for a short trip this is not much to worry about. I was able to use gmail and google. The news under google/ig sometimes linked to blocked sites. However, there were always related links with the same information which were not blocked. So, for me, the only problem was not viewing videos for a few weeks. This did not matter to me, though I think there are alternative video sources which are not blocked.
The net result is that access is nearly unfettered, so it is probably pointless and perhaps unwise to try to subvert the firewall. Freedom seems to be increasing in China. Enjoy your trip!
Ray Seyfarth, ray.seyfarth@gmail.com, http://rayseyfarth.blogspot.com
You are aware that even mail.google.com gets blocked once in a while?
Risk/reward would still apply. All you're doing with this use-case is increasing the value of the website. The calculation still needs to happen in your head.
"seditious Chinese website" -- like wikipedia, dropbox, archive.org, google cache, blogspot, sourceforge, freebsd.org, youtube, twitter, foursquare and facebook.
My experience might be a bit outdated (October 2008 was the last time I was in China), but I didn't see much of a firewall there. The only sites that I couldn't reach (occasionally!) were zh.wikipedia.org (which I tried out of curiosity) and a sourceforge download site in Taiwan. And I tried a lot of sites, including the ones that you mention and other usual suspects.
My Chinese colleagues told me that generally only Chinese-language sites and sites located in Taiwan are blocked. They also told me that anyone with basic computing literacy can circumvent the firewall anyway without so much of an effort. I can't tell you much about the details because I didn't need to and my colleagues didn't seem to want to speak about it. My impression was that the Chinese DNS server just didn't resolve some site names.
At times I had the impression that the SSL connection to my webmail service in Germany and the VPN connection to my company's intranet was a bit slow and unreliable (which made me paranoid of a man-in-the-middle attack), but when I was in the US recently the connection was even more slow and unreliable. Draw your own conclusions.
Say out loud: I'm an Aspie and I'm somewhat proud, I guess. Uh. Can I write an email in all caps instead? Hm...
See http://www.dyndns.org for getting around dynamic IPs from your ISP.
Given that you're losing out on "secure", you might want to think twice about that. I hear the viruses you can get are quite a pain to deal with.
How are sites slashdotted when nobody reads TFAs?
If you have a Linux box in the US, install NX Server (free) on that box, then install NX Client on your laptop or USB memory stick with whatever distro you want to use. Secure remote browsing done easy. Marco
At a western hotel I'm sure 95% of your needs will be met. If you want free-roaming unfettered internet access and speeds throughout china... well... I would ask why you would need such access and if that access would be worth a stay in a Chinese prison.
My daughter is living in Beijing for a year so before she left I got her a notebook and set it up with everything she'd need. For a brief moment I considered installing an SSH tunnel or VPN access back here to home, but then I thought about what my ex-wife's voice would sound like when she said, "they are detaining our daughter because they found military grade encryption software on her computer. How did that get there?" and decided against it.
Seriously, if you disagree with their policy don't go. In your own country you have the right to civil disobedience against unjust laws. In another country you are a guest and should act appropriately.
I'm an Aussie, our countries fought together in many wars (some still ongoing) and about as peaceful a partner as the US can get. Despite having travelled to the US about a dozen times and even lived over there for a couple of years, I have refused to return because you want to fingerprint me on entry now.
If you disagree with a requirement of entry. Don't go. It is astonishing that you would premeditate to break China's laws because of your political views when your own country has a bunch that you have not fought against.
Sheesh.
--M
# grep slashdot access.log | grep html | sort | uniq | wc -l 2604
How about just suck it up and deal with it. Unless you need to look up "Tiananmen Square" every 10 minutes, it really shouldn't be a problem. They filter state secrets and political opinions, not your twitter traffic.
Actually, when I was there Facebook and Youtube were the big sites being blocked. Twitter has been blocked, off and on, for the last 8 months or so.
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
I wonder if the AC who posted the question might be a lazy network tech in China trying to close holes?
I'm a happy pessimist. I expect and prepare for the worst, when it doesn't happen I am pleasantly surprised.
For god's sake, some of you make it sound like the OP's never gonna be seen alive again. He's just going to China, not the goddamn Death Star. I guess you can say there's always the risk of being detained, but you risk being detained just coming back to the US! Any halfway savvy Chinese net user knows how to browse blocked sites. The laws are intentionally vague and nebulous. Enforcement against you is unlikely unless you really try to start something.
That is exactly why I won't visit the USA.
"You have no possible reply that is not hypocritical so I won't be responding any more" screams TROLL and is a cheap cop-out screaming you are so unsure of your position you can't defend it, but I'll feed it anyways...
Exactly. How is this hypocritical, at all? You have no entitlement to healthcare, because if you were entitled to it, it must be forcefully taken from someone else. It's not that hard to understand, really. I just gave you the definition of human/natural rights as used in law... it has a definition, how can you contradict it? "Rights" in general has various meanings, sure. Natural rights is a pretty specific concept that says you have a right to not be coerced, this includes not being held up for money with the threat of being held up at gunpoint by the IRS or any other government. Just because no government recognizes this doesn't mean that it's not the definition of natural rights!
Wonder what the public key field is for?