Slashdot Mirror


China Cuts Off Some VPNs

jaa101 writes The Register (UK) and the Global Times (China) report that foreign VPN services are unavailable in China. A quote sourced to "one of the founders of an overseas website which monitors the Internet in China" claimed 'The Great Firewall is blocking the VPN on the protocol level. It means that the firewall does not need to identify each VPN provider and block its IP addresses. Rather, it can spot VPN traffic during transit and block it.' An upgrade of the Great Firewall of China is blamed and China appears to be backing the need for the move to maintain cyberspace sovereignty.

7 of 222 comments

  1. Defective by design. by dgatwood · · Score: 4, Informative

    It doesn't help that most VPNs are so easy to detect and block at the IP header level. PPTP depends on the GRE IP protocol (47), and L2TP is usually tunneled over IPSec, which depends on the ESP IP protocol (50). By using different protocol numbers in the IP headers, the designers of these protocols made it mindlessly easy to block them, and made them harder to support, because routers have to explicitly know how to handle those nonstandard protocol numbers.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

    1. Re:Defective by design. by whoever57 · · Score: 3, Informative

      It doesn't help that most VPNs are so easy to detect and block at the IP header level. PPTP depends on the GRE IP protocol (47), and L2TP is usually tunneled over IPSec, which depends on the ESP IP protocol (50). By using different protocol numbers in the IP headers, the designers of these protocols made it mindlessly easy to block them, and made them harder to support, because routers have to explicitly know how to handle those nonstandard protocol numbers.

      The last time that I was in China (a couple of years ago), OpenVPN using non-standard ports to my private server was blocked. In the end, I ran OpenVPN over tcp/22 (yes, ugly and slow, but it worked). I don't understand why VPNs were blocked but not SSH. OpenVPN uses UDP (by default), so no obvious protocol numbers to block.

      --
      The real "Libtards" are the Libertarians!
  2. Re:Well by Zontar The Mindless · · Score: 4, Informative

    Where I work, you don't do anything with company-owned data unless it's on the corporate VPN.

    It's one of the world's 5 largest software companies, does billions in business in the PRC annually, and it's not Microsoft or Apple.

    I do not think when I visit China next month that I will find the corporate VPN blocked. It certainly isn't being blocked right now for my colleagues who live there.

    --
    Il n'y a pas de Planet B.
  3. The noob is you by dbIII · · Score: 4, Informative

    Look up packet inspection.
    You don't have to look at much of a packet to see if it belongs to one of the common VPN implementations. You may not even have to go that far, a lot of volume on a port that doesn't belong to expected traffic is a bit of a giveaway.
    Yes you could do something weird and roll your own VPN protocol, based on email traffic or whatever way you hide, but that's a lot harder than just changing ports.

    Then think of the mindset of who you are dealing with. It's not so hard to deny everything you don't recognise so long as you don't care about blocking legit traffic by mistake.
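The header-level detection that dgatwood's comment (1) and dbIII's comment (3) describe, as an added example that is not part of the thread: a small classifier over raw IPv4 packets that flags PPTP data by IP protocol 47 (GRE) and L2TP/IPsec by protocol 50 (ESP) straight from the IP header, spots PPTP control sessions by the 0x1A2B3C4D magic cookie (RFC 2637) and OpenVPN by the opcode in the first byte of the UDP payload (opcode 7, P_CONTROL_HARD_RESET_CLIENT_V2, without needing to read any further into the packet), and applies the "lots of volume on a port that doesn't belong" heuristic. The sample packets, the expected-port allow-list and the byte threshold are constructed for the demo and are assumptions, not anything observed in China.

```python
"""Added example (not from the Slashdot thread): minimal VPN classifier working
from IP protocol numbers and the first bytes of the transport payload."""
import struct
from collections import defaultdict

TCP, UDP, GRE, ESP = 6, 17, 47, 50
PPTP_MAGIC = 0x1A2B3C4D                 # RFC 2637 control-message magic cookie
OPENVPN_HARD_RESET_CLIENT_V2 = 7        # OpenVPN opcode, top 5 bits of byte 0
EXPECTED_PORTS = {22, 53, 80, 443}      # assumed allow-list of "normal" ports
VOLUME_THRESHOLD = 50_000               # assumed bytes per flow before suspicion


def parse_ipv4(pkt):
    """Return (proto, src, dst, transport_payload) or None if not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]


def classify(pkt):
    """Labels for one packet, using only the IP header and a few payload bytes."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return ["not-ipv4"]
    proto, _, _, payload = parsed
    labels = []
    if proto == GRE:                      # PPTP carries PPP inside GRE v1
        labels.append("gre/pptp-data")
    elif proto == ESP:                    # L2TP is normally wrapped in IPsec ESP
        labels.append("esp/ipsec")
    elif proto == TCP and len(payload) >= 20:
        body = payload[(payload[12] >> 4) * 4:]       # skip TCP header
        # PPTP control header: length(2) type(2) magic(4)
        if len(body) >= 8 and struct.unpack("!I", body[4:8])[0] == PPTP_MAGIC:
            labels.append("pptp-control")
    elif proto == UDP and len(payload) >= 9:
        if payload[8] >> 3 == OPENVPN_HARD_RESET_CLIENT_V2:  # byte 0 of UDP body
            labels.append("openvpn-handshake")
    return labels


def volume_suspects(pkts):
    """Flows moving more than VOLUME_THRESHOLD bytes to a port not on the allow-list."""
    totals = defaultdict(int)
    for pkt in pkts:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue
        proto, src, dst, payload = parsed
        if proto not in (TCP, UDP) or len(payload) < 4:
            continue
        dport = struct.unpack("!H", payload[2:4])[0]
        totals[(src, dst, proto, dport)] += len(pkt)
    return sorted(k for k, v in totals.items()
                  if v > VOLUME_THRESHOLD and k[3] not in EXPECTED_PORTS)


# --- constructed sample traffic (not captured anywhere) ---------------------
def ipv4(proto, payload, src=(10, 0, 0, 2), dst=(203, 0, 113, 5)):
    """Minimal IPv4 header; checksum left zero, which this classifier ignores."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(src), bytes(dst))
    return hdr + payload


def udp(sport, dport, body):
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def tcp(sport, dport, body):
    # data offset 5 (20-byte header), flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + body


SAMPLE_PACKETS = [
    ipv4(GRE, b"\x30\x01\x88\x0b" + bytes(12)),                   # GRE v1 / PPP (PPTP data)
    ipv4(ESP, b"\x00\x00\x12\x34\x00\x00\x00\x01" + bytes(32)),   # IPsec ESP
    ipv4(TCP, tcp(40000, 1723, struct.pack("!HHI", 156, 1, PPTP_MAGIC) + bytes(148))),
    ipv4(UDP, udp(50000, 1194, bytes([OPENVPN_HARD_RESET_CLIENT_V2 << 3]) + bytes(13))),
    ipv4(UDP, udp(50001, 53, b"\x12\x34\x01\x00" + bytes(8))),    # ordinary DNS query
]
BULK_ODD_PORT = [ipv4(UDP, udp(51000, 8443, bytes(1401))) for _ in range(40)]
BULK_HTTPS = [ipv4(TCP, tcp(51001, 443, bytes(1400))) for _ in range(40)]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(classify(p))
    print(volume_suspects(SAMPLE_PACKETS + BULK_ODD_PORT + BULK_HTTPS))
```

Note what the two halves do and do not need: the protocol-number and magic-cookie checks are stateless and cheap, which is why a firewall can apply them on every packet in transit without any per-provider IP list; the volume heuristic needs per-flow state and a notion of "expected" ports, so it is the one that produces false positives on anything unusual but legitimate.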

  4. I was just there, can verify this is the case. by ZackSchil · · Score: 4, Informative

    I was just in China a few days ago. Was there for 3 weeks prior to that. I have a VPN setup in my apartment back in the US and I typically dial in to it. It was great for the first two and a half weeks. After that, it would fail to authenticate or work really slowly, randomly drop traffic, then disconnect after a minute. I was using a relatively insecure PPTP system with 128 bit encryption. I wasn't worried about getting spied on, I just wanted news, youtube, and social media unblocked.

    Frustrated, I had a friend set up a PPTP link at his apartment, using different keys and a different IP. That worked perfectly for the last few days I was in the country. So they're definitely doing some kind of long-term traffic analysis over many days, and then blocking close to real time after that (30-60 seconds).

    Basically I got to witness the blockage go into effect. Yes it's real. Yes it's general purpose, not a high level block on specific free websites. Yes it was a huge pain in the ass.

  5. Re:Well by thegarbz · · Score: 3, Informative

    Greetings from China. I don't live here, just working here for a few months.

    Corporate VPNs work just fine.
    Many non corporate VPNs work just fine too.

    Actually I'm not seeing any problem. Both my OpenVPN connection on TCP port 443 (good luck blocking something like that without breaking the internet), and my PPTP connections to a Canadian VPN I subscribed to before I left still work just fine. L2TP has been sketchy from the get go but that was listed in the VPN's FAQ as well. Also China appears to throttle UDP traffic quite heavily so TCP based connections to the USA seem to be most reliable for me.

    Basically I haven't seen any change in the past month or so.

  6. In China right now using a VPN by Anonymous Coward · · Score: 2, Informative

    I'm a Canadian expat and I've been in China almost 3 years now. They started blocking VPNs over 2 years ago.

    I've tried StrongVPN, Astrill, and PIA and found StrongVPN with PPTP usually works pretty well.

    OpenVPN will work for about 10 min before becoming unusably slow. L2TP sometimes works but recently (in the last year) becomes too slow.

    My guess is they like PPTP because it's flawed and they can break it easily, which I don't care about as long as I can access youtube, facebook, etc. The PRC doesn't care about what expats are doing as long as it's not harming them.