Slashdot Mirror


Tunneling Under the Great Firewall?

An anonymous reader writes "I am traveling to China in the near future, and needless to say as a Slashdot reader I am going to require access to the Internet. The whole, unadulterated, unfiltered Internet. Also needless to say, I am very leery of the government there (my lack of a nickname on this submission being testament to that). I will only be there for a few weeks, and will not be using the computer for much of that time, so I don't want to shell out a lot of money to a VPN service. However I also don't want to be hindered by extremely slow speeds such as those provided by the Tor network. I have experience implementing Web servers and work fairly often with Linux; however, many of my friends who also face the same dilemma don't. What would be the most cost-effective (free is best) method for me to subvert the Great Firewall during my travels while maintaining sufficient anonymity and enjoying sufficient speed?"


  1. Fear by sopssa · · Score: 3, Insightful

    This fear of China is just WTF. "my lack of a nickname on this submission being testament to that", VPNs, Tor, all of that just to browse the regular Internet. Anyone who writes these things obviously has not been there or in the other Asian countries.

    Most of the western quality hotels provide access to unfiltered Internet and you are most likely staying in one of those. Besides, the Chinese and Asian in general are quite relaxed people. Just think if American cops would be this patient and try to help the guy.

    Seriously, the Chinese, Asian and rest of the world hate and fear by Americans is getting beyond ridiculous.

    1. Re:Fear by grub · · Score: 5, Informative


      Besides, the Chinese and Asian in general are quite relaxed people.

      It isn't the general population causing the VPN problems we have with people travelling in China, it's the government.

      --
      Trolling is a art,
    2. Re:Fear by Moridineas · · Score: 4, Insightful

      Slashdot rails against DMCA, censorship, walled gardens, etc, and you expect the Chinese government to get a free pass? What a joke.

      You can raise frail strawmen all you want, but it's not about how "relaxed" Asians are or anything else like "hate and fear" that you've just made up in your post. It's very specifically about the Chinese government. Exactly what part of "I am very leery of the government" have you completely failed to understand?

      Is this REALLY a conversation you want to get into?

    3. Re:Fear by Lumpy · · Score: 4, Insightful

      Yup. I also don't understand other parts of the question...

      "Shell out a lot of money for a VPN service..." $9.95US for 1 month is a lot of money?

      He also claims he knows computers yet does not think of setting up his own VPN gateway at home? It's clear he is not moving there, just going there for a few weeks. Nobody I know terminates all their leases and sells all their stuff to go out of the country even for a few months....

      Pay $9.95 for VPN service each month, or set up a linux box as a VPN point. Call it done.

      --
      Do not look at laser with remaining good eye.
    4. Re:Fear by Anonymous Coward · · Score: 3, Funny

      Caution! The original questions at the top of this page might have been posted by an agent of the Chinese government, so that all answers offered could be used to eliminate holes in the Great Firewall.

    5. Re:Fear by socz · · Score: 3, Funny

      Lucky for them, they can still obtain GhettoBSD: 2010 GhettoBSD acquired by Chinese company who infiltrated Google.ch. Now more secure!

      --
      My abilities are only limited by my imagination
    6. Re:Fear by afabbro · · Score: 5, Insightful

      "Hi, I'm a college student who thinks computers are cool but I don't really get into code or anything. I run Linux because it's L33T and strikes a blow against THE MAN! BTW, I can't get the latest version of Fedora to boot, but that's another question. Anyway, when I get to China I want to connect to some site outside China that the firewall blocks. I will then come back and tell my friends how cool I am! How I am cyberpunk and stuff! Striking a blow for FREEDOM! I mean, yeah, I'd just be doing a search for Falun Gong on Google, even though I'm not really sure who they are, but still, it'd be SO L33T! I know that I'm a dangerous underground revolutionary because I'm posting anonymously on Slashdot out of FEAR OF THE CHINESE GOVERNMENT! Angela Davis ain't got nothing on me. I mean, I'm not crazy - I wouldn't invest $10 for VPN service for this, and your talk of setting up my own VPN gateway is confusing (can I just apt-get that and connect from a kiosk in the Beijing airport?). OK, actually about 95% of the time I dual boot to Windows except when progressive chicks might be walking by my dorm room, and then I switch to Linux with a big tux wallpaper..."

      --
      Advice: on VPS providers
  2. Good luck! by grub · · Score: 5, Interesting


    At my workplace we have people who travel to China. On occasion VPN connections from China just stop for hours or days at a time. No hits at our VPN endpoint from China at all; the traffic is stopped upstream somewhere while everything else that is unencrypted works.

    That's the only country we have people visit where the VPN can be problematic.

    --
    Trolling is a art,
    1. Re:Good luck! by Anonymous Coward · · Score: 3, Informative

      I live in China. I access the Internet unhindered. I've never, in nine years, encountered a situation where only encrypted links are shut down (for even MINUTES at a time!) while everything else went through. I have experienced situations where specific backbones get so badly clogged up that *all* traffic (including, sadly, my link to my VPS) is screwed up, but never one where just the link to my VPS was down.

      That's almost a decade, folks. I'm not quite calling "bullshit" on grub here. I'm sure he's seen this problem with VPNs. I just think his techies (or grub himself) are using the Great Firewall as an excuse and not bothering to actually test things. "Oh, it's from China. Obviously the Great Firewall."

    2. Re:Good luck! by Aqualung812 · · Score: 4, Insightful

      If you use an SSL proxy, make sure you note the fingerprint of the one you want to use BEFORE you go. Compare it when there to make sure you don't get a man-in-the-middle attack.

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
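Added example (not part of the thread): one way to do the comparison described in the comment above, for a TLS certificate and, since later comments move to SSH tunnels, for an SSH host key. The function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import socket
import ssl
import struct


def tls_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def ssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a 'type base64 [comment]' line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("=")


def normalize(fp: str) -> str:
    """Make 'AA:BB:..', 'aa bb ..' and 'aabb..' comparable; keep SHA256:<b64>."""
    fp = fp.strip()
    if fp.startswith("SHA256:"):
        return fp  # base64 is case-sensitive, so leave it untouched
    return fp.replace(":", "").replace(" ", "").lower()


def matches(pinned: str, observed: str) -> bool:
    """True only if the fingerprint seen now equals the one noted earlier."""
    return hmac.compare_digest(normalize(pinned).encode(),
                               normalize(observed).encode())


def fetch_tls_cert(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the server's leaf certificate (DER) without CA validation.

    Validation is off on purpose: the pinned fingerprint is the trust
    decision, and the certificate must be retrievable even when the chain
    would not verify. Do not send data over this connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def constructed_ssh_key_line() -> str:
    """Constructed ed25519 public key line (not a real host key)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"


if __name__ == "__main__":
    cert_at_home = b"constructed stand-in for DER certificate bytes"
    pinned = tls_fingerprint(cert_at_home).upper()   # as written down at home
    print("same cert:     ", matches(pinned, tls_fingerprint(cert_at_home)))
    print("different cert:", matches(pinned, tls_fingerprint(b"other cert")))
    print("ssh host key:  ", ssh_fingerprint(constructed_ssh_key_line()))
```

A mismatch means the endpoint presenting the certificate or host key is not the one recorded earlier, so nothing should be sent through it until the difference is explained.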
    3. Re:Good luck! by Amouth · · Score: 3, Informative

      I run a VPN server for several friends of mine - the whole use is to get around whatever they run into - be it China (rare but they do go there) or some lame ass university's filter..

      One of the more often used services for really locked down places is a good old SOCKS server running on 443..

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    4. Re:Good luck! by Cimexus · · Score: 5, Informative

      Yep, mod parent up.

      Even better, make one yourself. Grab an old box you have lying around, whack a copy of Ubuntu on it (or other Linux distro of your choice), enable SSH server and leave it running on your net connection at home. Then using PuTTY or whatever on your laptop you're taking to China, make a SOCKS proxy/SSL tunnel to your home box and you are good to go.

      Free software and simple to do. Speeds are limited by the speed of your connection in China, and obviously the upstream speed of your net connection back home. But should be enough for basic browsing.

  3. SSH by Hatta · · Score: 5, Informative

    SSH tunneling with SSH -D is trivial to set up. Make sure you forward DNS with network.proxy.socks_remote_dns set to true if you're using Firefox.

    I think I read that SSH can even create a virtual network device that forwards all traffic over a tunnel. Haven't had time to play with that though. That would be a great solution for every app, even those that don't support SOCKS proxies.

    --
    Give me Classic Slashdot or give me death!
    1. Re:SSH by leuk_he · · Score: 4, Informative

      Yup.

      - Set up an SSH server outside of China, always on. For Windows use some port like copsshd.
      - Set it up on an alternate port (not 22, use 443); it will obfuscate it a little bit.

      In China run an SSH client; PuTTY can do this, Tunnelier has some more options:
      https://calomel.org/firefox_ssh_proxy.html
      Then use the proxy options of Firefox to send traffic over this proxy. Be careful not to leak too much DNS info.

    2. Re:SSH by richardellisjr · · Score: 4, Insightful

      I'm not sure if this is what you're referring to but I use an SSH SOCKS proxy and tsocks under Linux quite a bit to allow proxy-unaware apps to use it (like RDP). The only issue I have with this setup is DNS. Since it primarily uses UDP, not TCP, for lookups they are all performed against the locally configured name servers, not the remote. I haven't found an elegant solution for this yet but your network.proxy.socks_remote_dns config may help a lot (I've never heard of that before).

      For the original submitter, I understand your reluctance to being restricted and object to the idea of the great firewall as much as the next guy; however, is completely open access really worth breaking the law there and potentially being imprisoned in China? Also keep in mind that while you may object to the concept of the firewall, you are a guest in the country, and breaking any country's laws while as such is really disrespectful. If you really don't like the law don't travel there; if you're trying to make some sort of political statement (which I doubt) then best of luck to you... China isn't well known for being good sports about that sort of thing.
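Added example (not part of the thread): the DNS behaviour discussed in the comments above is visible in the SOCKS5 request itself, which carries either a hostname (the proxy end resolves it, as with network.proxy.socks_remote_dns set to true) or an address the client already resolved locally. This code parses that request and includes a loopback listener that reads one request and then refuses it; the function names and port 1080 are assumptions.

```python
import ipaddress
import socket
import struct

ADDR_LEN = {0x01: 4, 0x04: 16}  # fixed-size address types: IPv4, IPv6


def parse_socks5_request(req: bytes):
    """Parse a SOCKS5 request (RFC 1928) into (verdict, destination, port).

    'proxy-resolved'  - client sent a hostname; the far end does the lookup.
    'client-resolved' - client sent an address; any name lookup already
                        happened locally, outside the tunnel.
    """
    if len(req) < 5 or req[0] != 5:
        raise ValueError("not a SOCKS5 request")
    atyp = req[3]
    if atyp == 0x03:                       # DOMAINNAME, length-prefixed
        start, end = 5, 5 + req[4]
    elif atyp in ADDR_LEN:
        start, end = 4, 4 + ADDR_LEN[atyp]
    else:
        raise ValueError("unknown address type")
    if len(req) < end + 2:
        raise ValueError("truncated request")
    raw = req[start:end]
    port = struct.unpack(">H", req[end:end + 2])[0]
    if atyp == 0x03:
        return "proxy-resolved", raw.decode("ascii", "replace"), port
    return "client-resolved", str(ipaddress.ip_address(raw)), port


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("client closed early")
        buf += chunk
    return buf


def audit_connection(conn):
    """Speak just enough SOCKS5 to read one request, then refuse it."""
    version, nmethods = _recv_exact(conn, 2)
    if version != 5:
        raise ValueError("client is not speaking SOCKS5")
    _recv_exact(conn, nmethods)                    # offered auth methods
    conn.sendall(b"\x05\x00")                      # choose: no authentication
    head = _recv_exact(conn, 5)                    # VER CMD RSV ATYP + 1 byte
    if head[3] == 0x03:
        need = head[4] + 2                         # hostname + port
    elif head[3] in ADDR_LEN:
        need = ADDR_LEN[head[3]] + 1               # rest of address + port
    else:
        need = 0                                   # parser rejects it below
    request = head + _recv_exact(conn, need)
    conn.sendall(b"\x05\x01\x00\x01" + bytes(6))   # reply: general failure
    return parse_socks5_request(request)


if __name__ == "__main__":
    # Assumed setup: point the application's SOCKS5 proxy setting at
    # 127.0.0.1:1080 (constructed port choice) and make one request.
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", 1080))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            print(audit_connection(conn))
```

A "client-resolved" verdict for a site entered by name means the lookup went to the locally configured name servers before the proxy saw anything. An address typed in literally gives the same verdict without any lookup having taken place.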

    3. Re:SSH by norminator · · Score: 4, Insightful

      While the traveler is in China it's probably not a good idea to risk legal issues with the Chinese government.

    4. Re:SSH by WNight · · Score: 4, Insightful

      respect and saving face is a huge part of the culture

      And in other places they eat live eels. There's a lot of stupid shit in the world.

      While what you say may be true, to say it like that is like saying we should give them a pass for their obnoxious behavior simply because they're used to it... Shall we give racists in our home countries a free pass on their idiocy simply because it's cultural for them to be hating?

      flip the tables and say some guy wanted to view CP in the US

      Oh please do drag that stupid CP argument out here so we can kick it to death.

      The US allows brutal degradation of actresses for porn, depictions of rape and murder, actual footage of such (usually), depictions of infants being cooked and fed to dogs, etc, etc, etc. And in the middle of that they want to draw a fence around CP.

      Many token arguments are made, such as it encouraging real abuses, but they could be made for any of the rest of that cesspool. Ultimately they all fail to the brutal reality that censorship and FUD aren't security. The blind panic around CP is growing old, we can see it's not actually doing anything to protect anyone. And the censorship not only wouldn't help, and is immoral to implement, but is impossible.

      I'd support someone looking up communism when it was the panic word. How could I draw the line at some other panic word? And even if I could, how could I know I wasn't just panicking? So no. For practical and ethical reasons we can't censor even if the content disgusts, scares us, or reveals our war-crimes.

      circumventing the laws of a nation of which you are not a citizen is not only illegal

      Tautologically, circumventing any law is legal. And just as meaninglessly, breaking a law is always illegal. But is the law right? Is the nation valid?

  4. Screenshare by bobdotorg · · Score: 4, Interesting

    Before leaving, set up a computer with decent upstream bandwidth and VNC / screen share. Pretty simple, and only shows a connection to that one IP address. If you use OSX it's a 30 second setup in sharing preferences, and I'm sure that there are Windows and Linux equivalents. You may need to tweak the ports to get under the Great Firewall.

    However, one significant drawback (with the OSX solution) is that audio is not streamed. Another is lag with slow / far connections.

    But it will get you the full net.

    --
    __ Someday, but not this morning, I'll finally learn to use the preview button.
    1. Re:Screenshare by ckthorp · · Score: 3, Insightful

      I vote for this strategy because then no contraband will ever be present on your computer in China. Nothing on the computer, nothing for authorities to find in your cache or via deleted file recovery.

  5. Anonymous? by Hoi+Polloi · · Score: 4, Funny

    Just change your online name to "FreeTibet". They'll never notice.

    --
    It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    1. Re:Anonymous? by DMUTPeregrine · · Score: 3, Funny

      ...Only with purchase of second Tibet of equal or greater value.

      --
      Not a sentence!
  6. Re:Really? by flippy10 · · Score: 5, Informative

    http://en.wikipedia.org/wiki/List_of_websites_blocked_in_the_People's_Republic_of_China Those definitely all sound like sites chock full of state secrets.

  7. Ummmm... by Anonymous Coward · · Score: 5, Insightful

    I suggest that you play nice with China's laws if you are going to China. Trying to bypass their firewall as a foreigner traveling there is more likely to attract the sort of attention you don't want than anything else. As you said, you're just going to be there for a few weeks. Do you *really* need to search for the kind of stuff they filter out while you are there?

    My wife travels regularly to China for work. We are very careful about our conversations on the phone when she's there, and about the emails we send when she's there. I sure as hell would never advise her to try to bypass their firewall.

    If you are a Chinese freedom activist, by all means, you know what you're getting into, bypass away. I support the people of China in their efforts to access the whole internet, to speak their minds, to be as free as they care to be.

    If you are a Westerner visiting, I'd suggest you just hold your horses there bucko and deal with the internet you can get from your hotel room and don't make yourself look more suspicious than you actually are. You really, really don't want anybody to think you are doing anything against Chinese interests while you're there. Seriously.

    1. Re:Ummmm... by tthomas48 · · Score: 3, Insightful

      Yes. Remember the US government is under no obligation to get you out of prison for trying to subvert their firewall. Most of the time if you commit an obvious crime in another country, the US is more than happy to let you serve your time.

  8. China asks Slashdot how to catch hungry minds by Sleen · · Score: 3, Funny

    So when China asks slashdot how best to catch people circumventing their firewall, how would they do it? They might pretend to be a western touron visiting their fair nation and asking some innocent questions about firewall circumvention. If any of these methods are effective, they are likely to cease being effective now that they are widely published. Either way, the anonymity of the poster prevents direct help and indicates perhaps a clever approach to hardening the firewall.

    1. Re:China asks Slashdot how to catch hungry minds by Tsunayoshi · · Score: 4, Insightful

      Hey, if all information wants to be free, it will be free for everyone, including the "bad guys".

      --
      "Get a bicycle. You will not regret it, if you live." - Mark Twain, "Taming the Bicycle"
  9. Re:Tor, maybe? by tomz16 · · Score: 4, Funny

    As long as we are going with "things the original author specifically discounted in his post", I think he should purchase VPN service...

  10. Re:Is ssh blocked? by DoctorNathaniel · · Score: 4, Informative

    I have done this from Beijing and it worked the week I was there.

    FoxyProxy is a nice add-on to use for this, since it allows you to either whitelist specific sites for use through the proxy, or to simply switch back and forth to the proxy as you need.

  11. Forget About Speed by malloc · · Score: 3, Informative

    ... while ... enjoying sufficient speed?"

    Unless they've opened a few new trans-Pacific pipe connections since I was last there, forget about speed. Maybe it was just my ISP (Great Wall, ha) but within China you can get nice (e.g. 750kb/s) speed but the moment you cross the Pacific your latency is killer and you're crawling at 5-10kb/s. This is using corporate VPN or without. I suspect the actual throughput is a result of active throttling by the State. In terms of restricting general information, making something extremely painful is nearly the same as blocking it.

    --
    ___________________ I want to be free()!
  12. Dear Slashdot " how do i commit a crime" by nurb432 · · Score: 4, Insightful

    What you are asking is illegal there. If you get caught bad things will happen to you. Is it really worth the risk for a couple of weeks? Are you THAT addicted?

    --
    ---- Booth was a patriot ----
  13. Re:Ask Slashdot: Civil Disobedience by Darkness404 · · Score: 3, Insightful

    But when the law unfairly restricts your natural rights, then the breaking of that law is completely justified, hell, armed revolution in the case of China is very much justified for the Chinese people.

    That said, I'm not sure if I'd really do it in China as a tourist, not that they'd probably do much (China gets western businessmen all the time) but I just wouldn't want to take the risk unless.

    But really, if a law is unjust and violates natural rights, you have every right to break it, some may say you even have a responsibility to break it because by not breaking it you in essence prop the law up.

    --
    Taxation is legalized theft, no more, no less.
  14. Re:Really? by BobMcD · · Score: 5, Insightful

    While not necessarily the best tone in the world, I actually agree with DJ Jones here.

    Here's your decision tree:

    1) Is the website you want to see worth defying the laws of your hosting nation?

    2) Is there absolutely no way you can do without it until you come home?

    3) Do you have some kind of diplomatic immunity, wealthy connections, etc that can extract you from a sticky situation?

    You get the picture.

    Imagine this post on the Arabian Slashdot:

    I am getting ready to travel to the United States and don't want it to interrupt my terrorist training. Can you guys recommend a way around the DHS's websniffing protocols, eavesdropping, cellular tracking, etc?

    And what would your advice be??

    Opportunistically, if you gave advice about methods, would you feel bad if he landed in Gitmo?

    Think about the implications. After all, it is only the internet and you don't live there. Think deeply.

  15. Re:Are you out of your fucking mind? by LWATCDR · · Score: 3, Informative

    I agree with you about 99%.
    Setting up your own VPN is probably fine. If there are problems just claim that you need it to access work or school. What I wouldn't do is "help" people in China do the same.
    1. If you are asking on slashdot you probably lack the skills to do it well.
    2. If you get caught as a US citizen they will probably just take your computer and kick you out. You are not worth the bad press they will get.
    3. If you help Chinese citizens do the same you can become worth the trouble. Which is a very bad thing.
    4. You may hurt those that you are trying to help. Trust me, there are a lot of bright folks in China that have the skills to get around the great firewall. They also probably know better who to trust.
    You are a foreigner; trust me, odds are they may already be watching you a bit. If you are not a business person I expect they are watching for you to try and do this very thing. As much as people like to make fun of security people they are not dumb. Figure that they have a lot more skill at catching you than you have at evading them. If you or your friends don't get caught it will be just because of luck.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  16. Re:Tor, maybe? by LordSkout · · Score: 3, Funny

    Or more specifically, he should shell out a lot of money for one.

  17. What Firewall? by Dr.+Hok · · Score: 3, Informative

    "seditious Chinese website" -- like wikipedia, dropbox, archive.org, google cache, blogspot, sourceforge, freebsd.org, youtube, twitter, foursquare and facebook .

    My experience might be a bit outdated (October 2008 was the last time I was in China), but I didn't see much of a firewall there. The only sites that I couldn't reach (occasionally!) were zh.wikipedia.org (which I tried out of curiosity) and a sourceforge download site in Taiwan. And I tried a lot of sites, including the ones that you mention and other usual suspects.

    My Chinese colleagues told me that generally only Chinese-language sites and sites located in Taiwan are blocked. They also told me that anyone with basic computing literacy can circumvent the firewall anyway without so much of an effort. I can't tell you much about the details because I didn't need to and my colleagues didn't seem to want to speak about it. My impression was that the Chinese DNS server just didn't resolve some site names.

    At times I had the impression that the SSL connection to my webmail service in Germany and the VPN connection to my company's intranet was a bit slow and unreliable (which made me paranoid of a man-in-the-middle attack), but when I was in the US recently the connection was even more slow and unreliable. Draw your own conclusions.

    --
    Say out loud: I'm an Aspie and I'm somewhat proud, I guess. Uh. Can I write an email in all caps instead? Hm...
  18. LOL by Demena · · Score: 4, Insightful

    That is exactly why I won't visit the USA.