Slashdot Mirror


China Cuts Off Some VPNs

jaa101 writes The Register (UK) and the Global Times (China) report that foreign VPN services are unavailable in China. A quote sourced to "one of the founders of an overseas website which monitors the Internet in China" claimed 'The Great Firewall is blocking the VPN on the protocol level. It means that the firewall does not need to identify each VPN provider and block its IP addresses. Rather, it can spot VPN traffic during transit and block it.' An upgrade of the Great Firewall of China is blamed and China appears to be backing the need for the move to maintain cyberspace sovereignty.


  1. Well by Sir_Substance · · Score: 2

    That's one way to keep international business out of china, I guess...

    1. Re:Well by Etherwalk · · Score: 2

      Right. International business will be kept out of China because it's required to conform to local laws regarding internet access.

      In other news, international business will be kept out of EU because of customer protection legislation and out of US because of danger posed by gun culture and gun laws.

      Said no one with a clue, ever. On any of those points. Internationally run businesses judge their presence in the target country based on profits and risks. Things mentioned above are categorised as "risks", and as long as profits are greater than risks, which they will be in China for foreseeable future, risks will be mitigated through things like usage of local services that aren't blocked in China, providing the necessary support to users in EU and so on.

      It depends on exactly what they are blocking. If they're blocking corporate VPNs, it will just make companies even less willing to trust the security of systems in China. Hint: they're not willing to trust that security now. Any major foreign corporation that keeps source code in China now is nuts.

    2. Re:Well by Zontar+The+Mindless · · Score: 4, Informative

      Where I work, you don't do anything with company-owned data unless it's on the corporate VPN.

      It's one of the world's 5 largest software companies, does billions in business in the PRC annually, and it's not Microsoft or Apple.

      I do not think when I visit China next month that I will find the corporate VPN blocked. It certainly isn't being blocked right now for my colleagues who live there.

      --
      Il n'y a pas de Planet B.
    3. Re:Well by Zontar+The+Mindless · · Score: 2

      Hi, kids! It's time once again for that old Slashdot favourite, Meme #537, "[citation needed]".

      A casual Google search for "crime rate new york city vs london" yields indicators that NYC has about 4 times the rate of homicides and other violent crime than London, as of last year.

      The TL;DR version: "I think you're making stuff up."

      --
      Il n'y a pas de Planet B.
    4. Re:Well by thegarbz · · Score: 3, Informative

      Greetings from China. I don't live here, just working here for a few months.

      Corporate VPNs work just fine.
      Many non corporate VPNs work just fine too.

      Actually I'm not seeing any problem. Both my OpenVPN connection on TCP port 443 (good luck blocking something like that without breaking the internet), and my PPTP connections to a Canadian VPN I subscribed to before I left still work just fine. L2TP has been sketchy from the get go but that was listed in the VPN's FAQ as well. Also China appears to throttle UDP traffic quite heavily so TCP based connections to the USA seem to be most reliable for me.

      Basically I haven't seen any change in the past month or so.

  2. Defective by design. by dgatwood · · Score: 4, Informative

    It doesn't help that most VPNs are so easy to detect and block at the IP header level. PPTP depends on the GRE IP protocol (47), and L2TP is usually tunneled over IPSec, which depends on the ESP IP protocol (50). By using different protocol numbers in the IP headers, the designers of these protocols made it mindlessly easy to block them, and made them harder to support, because routers have to explicitly know how to handle those nonstandard protocol numbers.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

    1. Re:Defective by design. by KiloByte · · Score: 2

      I envision an SSL hack which connects to a valid SSL server but then turns into a VPN connection.

      You mean, http[s] CONNECT? With openvpn as the payload (double encryption might be wasteful, but I'd keep it). You can then multihome over those connections with existing tools to your heart's content.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:Defective by design. by whoever57 · · Score: 3, Informative

      It doesn't help that most VPNs are so easy to detect and block at the IP header level. PPTP depends on the GRE IP protocol (47), and L2TP is usually tunneled over IPSec, which depends on the ESP IP protocol (50). By using different protocol numbers in the IP headers, the designers of these protocols made it mindlessly easy to block them, and made them harder to support, because routers have to explicitly know how to handle those nonstandard protocol numbers.

      The last time that I was in China (a couple of years ago), OpenVPN using non-standard ports to my private server was blocked. In the end, I ran OpenVPN over tcp/22 (yes, ugly and slow, but it worked). I don't understand why VPNs were blocked but not SSH. OpenVPN uses UDP (by default), so no obvious protocol numbers to block.

      --
      The real "Libtards" are the Libertarians!
    3. Re:Defective by design. by thegarbz · · Score: 2

      I'm here now. OpenVPN over TCP/443 works just fine, as do connections on various other ports like TCP/8333 (my current connection).
      PPTP is currently not working (but it was about an hour ago), and L2TP currently IS working. But it hasn't really worked reliably since I got here.

      Basically I'm not seeing anything new. VPN connections and internet connections to the outside world have been haphazard at best and it's been a guessing game of what protocol and which server will work best on any given day. Though I have had by far the greatest success with OpenVPN over TCP.
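
Added example, not part of the thread and not any poster's code: a Python sketch of the header-level classification discussed in the "Defective by design" comments above. The sample packets, addresses and ports are constructed; it shows why GRE (47) and ESP (50) are identifiable from one byte of the IPv4 header, while a tunnel carried over TCP/443 shows no such marker at this layer.

```python
import struct

# IP protocol numbers named in the thread above.
TUNNEL_PROTOCOLS = {47: "GRE (carries PPTP data)", 50: "ESP (IPsec, usually under L2TP)"}
TRANSPORT = {6: "TCP", 17: "UDP"}


def build_ipv4(proto, payload=b"", options=b""):
    """Build a minimal IPv4 packet (constructed sample; checksum left at 0)."""
    assert len(options) % 4 == 0, "IPv4 options must pad to 32-bit words"
    ihl = 5 + len(options) // 4
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0, 64, proto, 0,
        bytes([192, 0, 2, 10]),      # constructed source (documentation range)
        bytes([198, 51, 100, 20]),   # constructed destination
    )
    return header + options + payload


def build_tcp(dport, sport=40000):
    """Build a bare 20-byte TCP header (constructed sample, SYN flag set)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def classify(packet):
    """Classify a raw IPv4 packet using header fields only, no payload inspection."""
    if len(packet) < 20:
        return "malformed: shorter than minimum IPv4 header"
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        return "not IPv4"
    if ihl < 5 or len(packet) < ihl * 4:
        return "malformed: bad IHL"
    proto = packet[9]                  # protocol field: byte 9 of the header
    if proto in TUNNEL_PROTOCOLS:
        return "tunnel: " + TUNNEL_PROTOCOLS[proto]
    if proto in TRANSPORT:
        l4 = packet[ihl * 4:]          # skip any IP options before reading ports
        if len(l4) < 4:
            return TRANSPORT[proto] + " (truncated)"
        _sport, dport = struct.unpack("!HH", l4[:4])
        return f"{TRANSPORT[proto]} dport {dport}: no tunnel marker in IP header"
    return f"other protocol {proto}"


if __name__ == "__main__":
    samples = {
        "PPTP data": build_ipv4(47, b"\x00" * 8),
        "IPsec ESP": build_ipv4(50, b"\x00" * 8),
        "OpenVPN over TCP/443": build_ipv4(6, build_tcp(443)),
        "TCP/22 with IP options": build_ipv4(6, build_tcp(22), options=b"\x01" * 4),
    }
    for name, pkt in samples.items():
        print(f"{name:24} -> {classify(pkt)}")
```
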

  3. Re:What's the difference between China and EU? by Luckyo · · Score: 5, Insightful

    Help me understand your point of view. We run liberal democracies here in EU. We do block some things based on cultural expectations, and in some cases, because certain foreign power that shall not be named forces us to do so typically through government corruption on high level as shown in leaks by certain man who now resides in Russia.

    But on the principle, we still consider freedom of speech to be of paramount importance, and unblocked internet access to be an important cornerstone of this principle. As you point out we do make some deviations from the principle, but these deviations tend to be based on rather awful historic facts and are very much targeted.

    Chinese model is about denying large portions of free speech, such as political non-threatening free speech of political dissidents to improve social cohesion of their society. How is it hypocritical to criticize this aspect of Chinese society from European point of view? We very clearly differ here, and there is no hypocrisy at play. Our blocking is targeted, specific and based on history. It specifically makes a point to avoid suppressing political dissent when at all possible. Chinese is pre-emptive, overly broad and its main intent is suppression of political and social dissent.

    I fail to see hypocrisy. Please point out the mistake in my logic and explain how exactly this critique is hypocritical.

  4. Re:Weekend Project by MobSwatter · · Score: 2

    Nah, let's build on their firewall and let them go back to being communist and keep that crap on their side of the pond. Maybe our side will wise up not having a cheap manufacturing alternative and creating sweat shops in China, all while lowering the US unemployment rate.

  5. Re:What's the difference between China and EU? by TheMiddleRoad · · Score: 2

    What kind of vile scum are you to equate free speech for political change with videos of people chopping heads off and incitement to murder?

  6. Re:What's the difference between China and EU? by Anonymous Coward · · Score: 2, Insightful

    Transmitting data is communicating, so yes. Rather than spewing forth nonsense like "X isn't free speech," why not just admit you want to restrict people's freedoms so you can get the government to censor content you don't like/find harmful?

  7. Re:What's the difference between China and EU? by hawkingradiation · · Score: 3, Interesting

    There is an interesting irony in this. In China, which to my own opinion has been historically more oppressive, now you have the engineers and the scientists in charge of government (true) while as in Europe and the Americas, we have lawyers and businessmen in charge. It appears as though China is taking a technological approach to solving its perceived problems, such as searching for keywords, blocking, defeating TOR and the like, while in the West, our governments appear to be bent on passing laws and ordinances that tell companies and ourselves what we can install and use and how we must use it so we can justify charges c.f. recent attempts to codify in law backdoors into tech companies' products and hiding what they are doing. The overly broad laws in China do not change but the technology is not as well hidden and grows. For example, China has set up fake Apple stores (this should be a warning) so that once an iPhone is jailbroken, it becomes easier to install malware on that person's iPhone in order to spy on the user to see if they have broken these laws. The government puts much effort into catching people without knowing they have committed a crime. In the West, laws are changing too fast and laws have become overly specific instead of broad. Nobody likes being told over and over which task to do and nobody likes being told how to do a task. The Chinese know that what they are doing is unpopular, but here, the government has to hide because perception will be that they are not doing the right thing if they are discovered, which says a lot about what they are doing. The government here seems to care more that they are doing the same unpopular things, but that have a history of goodwill which they are destroying, so we can continue to say "Here in the West". This should be a warning sign.

    --
    Society use your Sciences
  8. The noob is you by dbIII · · Score: 4, Informative

    Look up packet inspection.
    You don't have to look at much of a packet to see if it belongs to one of the common VPN implementations. You may not even have to go that far, a lot of volume on a port that doesn't belong to expected traffic is a bit of a giveaway.
    Yes you could do something weird and roll your own VPN protocol, based on email traffic or whatever way you hide, but that's a lot harder than just changing ports.

    Then think of the mindset of who you are dealing with. It's not so hard to deny everything you don't recognise so long as you don't care about blocking legit traffic by mistake.

  9. Re:What's the difference between China and EU? by Slashjones · · Score: 4, Insightful

    When free speech threatens innocent lives

    It doesn't. Actions threaten innocent lives. Rape, physical assault, believing and acting on baseless rumors in harmful ways, and murder are harmful. A video or picture is only subjectively offensive at most.

    these things should not be allowed in a free society for damned good reasons.

    The society you want is not free at all, as it places restrictions upon one of the most fundamental rights based on completely flawed reasoning.

    And if anyone thinks they should be, let them and their loved ones be the first victims

    Victims of freedom of speech? You need to learn the difference between action and speech.

    All I can say is that as long as authoritarians such as yourself exist, we'll need to continuously improve technologies that help us keep our privacy to reduce the risk of being harassed for saying things that you don't like.

  10. I was just there, can verify this is the case. by ZackSchil · · Score: 4, Informative

    I was just in China a few days ago. Was there for 3 weeks prior to that. I have a VPN setup in my apartment back in the US and I typically dial in to it. It was great for the first two and a half weeks. After that, it would fail to authenticate or work really slowly, randomly drop traffic, then disconnect after a minute. I was using a relatively insecure PPTP system with 128 bit encryption. I wasn't worried about getting spied on, I just wanted news, youtube, and social media unblocked.

    Frustrated, I had a friend set up a PPTP link at his apartment, using different keys and a different IP. That worked perfectly for the last few days I was in the country. So they're definitely doing some kind of long-term traffic analysis over many days, and then blocking close to real time after that (30-60 seconds).

    Basically I got to witness the blockage go into effect. Yes it's real. Yes it's general purpose, not a high level block on specific free websites. Yes it was a huge pain in the ass.

    1. Re:I was just there, can verify this is the case. by linuxrocks123 · · Score: 2

      I was in China last summer. Essentially exactly the same thing happened to me, although I was using SOCKS5/ssh not PPTP. My girlfriend and I subsequently had a hell of a time playing Heroes 3 for Linux remotely even when not using ssh, so they must have shit-listed my IP address. Then, a few months later, everything magically started working again and the ssh proxy my girlfriend was using worked fine. So did Heroes 3, thankfully.

      During the shit-listed time, I came across this list: https://www.torproject.org/doc...

      Another option might be this: http://www.nocrew.org/software...

      One of these options might be enough to fool them into thinking the traffic isn't encrypted. Ultimately, if there's a way of exchanging data, there's a way of getting around the block. It's just a question of obfuscation.

      --
      vi ~/.emacs # I'm probably going to Hell for this.
  11. Re:What's the difference between China and EU? by circletimessquare · · Score: 2

    you've listed a bunch of red herrings, tangential topics, and pointless observations to say nothing valid or interesting at all on the topic

    it's as if you lack the capacity for critical thought... or you are demonstrating a weak timid mind taught that to approach certain taboo topics and verboten observations leads to punishment

    hmmm...

    so here we see the mediocre fruitless mental quality of someone raised in a walled garden of a "harmonious" society of cotton headed propaganda tools

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  12. Re:What's the difference between China and EU? by circletimessquare · · Score: 2

    like what? child porn? incitement to murder? sure. i live in the West and i support suppression of that

    like political criticism? religious satire? no. i do not support that

    the country that limits a few vicious topics is not at all like the country that locks down all political speech threatening the political status quo

    the former is very much a free country, the latter very much not a free country, and the difference is substantive and real and very serious

    if you think a country that censors child porn is exactly the same as one that censors political speech, you're only announcing yourself as a moron who doesn't understand the topic

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  13. Re:What's the difference between China and EU? by thegarbz · · Score: 2

    Defamation is a civil case in most countries of the world. The right to free speech guarantees protection from prosecution by the government. They are two very different things.

  14. In China right now using a VPN by Anonymous Coward · · Score: 2, Informative

    I'm a Canadian expat and I've been in China almost 3 years now. They started blocking VPNs over 2 years ago.

    I've tried StrongVPN, Astrill, and PIA and found StrongVPN with PPTP usually works pretty well.

    OpenVPN will work for about 10 min before becoming unusably slow. L2TP sometimes works but recently (in the last year) becomes too slow.

    My guess is they like PPTP because it's flawed and they can break it easily, which I don't care about as long as I can access youtube, facebook, etc. The PRC doesn't care about what expats are doing as long as it's not harming them.

  15. Re:What's the difference between China and EU? by Luckyo · · Score: 2

    I didn't make any of these broad claims. I wanted to specifically address the claim that this particular criticism of Chinese policy is hypocritical from European point of view. Nothing else.

    I fully agree that Chinese may have a system in place that is socially stable enough to make a successful state. Historians in the far future rather than people today will judge that. We simply do not know which system is better, and we know for a fact that democracy in the way it's practised across the West has serious problems with social stability after barely a hundred years behind it. Introducing similar democracy in formerly dictatorial states has been shown to produce catastrophic consequences as well.

    I would however make a point that Chinese model has the same problem that it always had - too much emphasis on the certain clique of people, making top leadership inbred, all while strangling criticism that would remind said leadership of their own flaws. This is what keeps Western democracy competitive in the long run in spite of its massive laundry list of flaws, and we already know how that ended up for China. They went from country that almost conquered the world to a country with no naval power almost overnight because of failure at top leadership level.

  16. Re:What's the difference between China and EU? by circletimessquare · · Score: 2

    so you're ok with child porn and death threats?

    can i take photos of you having sex with your significant other and put it on a billboard in your hometown? it's just free speech dude

    everything has limits. including free speech. not because i say so, but because of simple logic and reason: it ends where it impinges on the freedoms of others. classic example: yelling fire in a crowded theatre

    the fact that i recognize that freedoms are not boundless, but logically constrained by other people's freedoms, does not make me an authoritarian, it just makes me smarter than you

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  17. Re:What's the difference between China and EU? by circletimessquare · · Score: 2

    so you're ok with child porn and death threats?

    What part of my position is not clear? Yes.

    i stopped reading there. you're a hopeless moron

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it