Slashdot Mirror


China Cracks Down On International VPN Usage (thestack.com)

An anonymous reader writes: China's government has announced a 14-month crackdown on the use of unauthorised Virtual Private Networks (VPNs), commonly used by visitors and native activists, amongst others, to communicate with the world beyond the Great Firewall of China. Sunday's announcement [Chinese] from the Ministry of Industry and Information Technology reiterated regulations first outlined in 2002, but which have since been subject to sparse, selective or lenient enforcement. The new announcement promises a 'clean up' regarding the VPN situation in China, beginning immediately and running until March of 2018.


  1. So... SSH and HTTPS tunnels then? by Anonymous Coward · · Score: 2, Interesting

    Guess we'll have to switch to SSH and HTTPS tunnels instead of brazenly using IPSec and OpenVPN. Got the message loud and clear. :D

  2. OpenVPN port tcp/443 by jawtheshark · · Score: 2

    OpenVPN port tcp/443. How are you going to stop that? I have one of those for... reasons, I keep bandwidth usage low to avoid volume based detectors.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    1. Re:OpenVPN port tcp/443 by v1 · · Score: 3, Informative

      It's actually not all that difficult to spot vpn traffic. Run some DPI and just simply look at the size of the packets being exchanged. L2TP/IPSEC/etc will all have very regular size exchanges that virtually uniquely identify them. Doesn't matter how you encrypt or tunnel it if you don't change the payload sizes.

      It's like saying "You can't block my bittorrent client if I just change my port!" Actually, yes we can. And we do. Quite easily actually.

      I haven't looked closely into TOR to see if it pads with random size data, (betting they DO) but that's what they need to do with vpn to seriously defend against traffic analysis.

      Even with that, it's still not bulletproof, but it dramatically increases the work and false positives on the detection side of the fence.

      --
      I work for the Department of Redundancy Department.
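
The size-based matching v1 describes above, as an added example that is not part of the thread or any commenter's code: it checks whether a flow's packet sizes equal a known size sequence plus one constant per-packet overhead, which is all that unpadded encryption or tunnelling layers add. The `SIGNATURE` values and all function names are hypothetical and constructed for illustration, not measurements of any real protocol.

```python
import random

# Constructed size signature (bytes) of a hypothetical tunnel handshake.
# Illustrative numbers only, not taken from any real protocol.
SIGNATURE = [54, 66, 14, 310, 126, 94]

def constant_offset(sizes, signature):
    """Return the overhead d if sizes[i] == signature[i] + d for all i, else None."""
    if len(sizes) != len(signature):
        return None
    deltas = {s - p for s, p in zip(sizes, signature)}
    if len(deltas) != 1:
        return None
    d = deltas.pop()
    return d if d >= 0 else None  # an outer layer can only add bytes

def find_signature(flow, signature=SIGNATURE):
    """Slide the signature over a flow; return (index, overhead) of the first match."""
    n = len(signature)
    for i in range(len(flow) - n + 1):
        d = constant_offset(flow[i:i + n], signature)
        if d is not None:
            return i, d
    return None

def wrap(sizes, overhead):
    """Model an outer encryption/tunnel layer: fixed framing added to every packet."""
    return [s + overhead for s in sizes]

def pad(sizes, rng, max_pad=255):
    """Model per-packet random padding, which breaks the constant-offset relation."""
    return [s + rng.randrange(max_pad + 1) for s in sizes]

if __name__ == "__main__":
    # Constructed flow: unrelated packets around the handshake.
    plain = [1500, 40] + SIGNATURE + [1200]
    # Two nested layers with fixed overheads of 29 and 41 bytes.
    tunnelled = wrap(wrap(plain, 29), 41)
    print("nested tunnel:", find_signature(tunnelled))
    print("random padding:", find_signature(pad(plain, random.Random(1))))
    # Constructed unrelated flow as a negative control.
    print("unrelated flow:", find_signature([517, 1400, 1400, 93, 1400, 640, 31]))
```
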
    2. Re:OpenVPN port tcp/443 by MightyMartian · · Score: 2

      To be fair, OpenVPN isn't really designed to obfuscate the nature of the traffic any more than IPSec does. Both are about creating secure tunnels, with OpenVPN being very easy to configure and maintain as opposed to the pain that is IPSec. I use OpenVPN a lot, both for our road warriors, and to create the secure tunnels between our locations. In that role it really is an incredibly nice piece of software. But if I were looking at making something whose intent was to disguise that I was encrypting traffic at all, it's not the tool to use. Now as I understand it OpenVPN is pretty modular, so I would imagine if someone were to come up with some other encryption mechanism meant more to get around deep packet inspection, that would probably work, but as I said, such methods will inevitably make for a slower tunnel, and as OpenVPN is more of an infrastructure VPN, I'm not sure it's quite the right tool for that job.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  3. Another reason to avoid business trips to China by Ritz_Just_Ritz · · Score: 4, Insightful

    When I used to go to China, I often found that access to sites I need to use to do my work was blocked in whole or in part. Without setting up a vpn, I can't do my work. And even then, it was always a cat and mouse game as the connections were randomly terminated.

    So now I just avoid going there at all if I can help it.

     

    1. Re:Another reason to avoid business trips to China by sims+2 · · Score: 2

      What, you mean like this guy?
      https://yro.slashdot.org/story...

      --
      Minimum threshold fixed. Thanks!
  4. Wonder if this applies to TMobile by magarity · · Score: 2

    A couple of years ago visiting China my TMobile phone's plan included unlimited data at 2G speeds. I got sites that were normally banned to Chinese users as if I were in the US, so I suspect it routed straight to TMobile somehow but never got the details. I wonder if this crackdown will stop that access?

  5. Re:So... SSH and HTTPS tunnels then? by Anonymous Coward · · Score: 5, Insightful

    Guess we'll have to switch to SSH and HTTPS tunnels

    Yes, but you can't win that game.

    If that would ever become popular, it too can be blocked. Also that is beyond the ability of the average person to do. If they "solve" the problem for 99.9% of the population, that's what matters.

    The end game is bigger and bigger swaths of the open internet being blocked, until what's left is a white list of approved web destinations, with maybe some special exceptions being made for companies, exceptions not available to the average person.

    The internet once held the promise of freedom for all. Now it holds the chains of oppression for all. With each passing year we have seen more and more control, monitoring, and lockdown, not just in China, but all over the world. Some of that was imposed externally, like from the Chinese government, and some we freely signed up for by re-centralizing the decentralized network handed to us by its creators. It is simply too succulent a target for those who would be your masters to ignore.

    Governments want it for power over the population. Corporations want it so you are locked into their portals. People want it because en masse they are stupid and cheerfully walk into their own cages.

    We are not winning the war on internet freedom. We are losing it, badly. It is more heavily censored, controlled, and monitored than at any time in its history, and that shows no signs of slowing down.

    Captcha: prevails.

  6. Re:I wonder if the realize... by Anonymous Coward · · Score: 5, Insightful

    The quicker my generation dies, the better.

    Dunno how you are, but I may be similar (late 57 here).

    So yeah, most of our gen are technical ignoramuses, I'll agree with that. But I disagree it's any better among the younger folks, and in fact in some ways it's worse. Our generation built a free and open internet, on open standards and open protocols. You wanted to run your own IRC or XMPP server, go ahead. It was not a locked down internet. It took the younger set like Zuckerberg to destroy that ethos. And not just him, but masses of people have eschewed those open standards in favor of golden jails like Instagram and Facebook that facilitate centralized censorship and control.

    In our generation there were two categories: technically literate people, and people who were not using technology so were not having adverse impact upon its evolution. In the current generation there are two categories: technically literate people, and people who are technically clueless but ARE having an adverse impact on its evolution. Sadly, in both generations the technically clueless outnumber the technically aware by magnitudes, but in our generation the clueless weren't changing the direction with their choices, since they weren't involved at all.

  7. Re:So... SSH and HTTPS tunnels then? by Anonymous Coward · · Score: 2, Interesting

    Yep, get used to it. Because there isn't anything you can do about it. Sure the 0.0001% may be free to use what they want, (That 0.0001% being the people who can mess with ASM, and do hardware glitching to meet their own ends.) but the vast 99.9998% of people just made a new master for them to bow down to. Even better is what happens when we get hard AI that will ensure continuous monitoring and oppression.

    So why the grim future? Well because as history shows, people don't give a fuck about something until it bites them hard enough in the ass, and by then it takes a monumental effort to even try to correct the problem. Sadly, that "we don't give a fuck" attitude may very well usher in a new dark ages this time.

    You won't get people to care before then. They want it to be cheap, easy to use and forget about, and not to need to use that 10lbs of dead weight that they keep in their skulls while messing with it. That combination (Ignorance, Arrogance, and Apathy) will always result in being taken advantage of, being coerced, and being used. People just don't look out for their own safety when using the damn things. So they are blind and deaf to attempts to protect them as well as attempts to do them harm.

    We have no-one to blame but ourselves. We allowed them to use the things without a care in the world. We allowed them to goof off and not learn how to do basic maintenance, or even basic concepts. We gave them the fish instead of teaching them how to fish. Now we have no choice. Now we must bear the consequences of our actions and our inaction.

  8. Find a better VPN by AHuxley · · Score: 2

    A few of the better VPN providers might not have as many issues.
    Due to skill and cash flow they can try to avoid deep packet inspection.
    The deep packet inspection is looking for any use of an encrypted VPN protocol.
    Deep packet inspection is the result of a few vendors that sell into China. Deep packet inspection can be understood.
    Any quality VPN provider could look at what deep packet inspection is sold to China and then protect its VPN users.

    --
    Domestic spying is now "Benign Information Gathering"