My War With the Great Firewall of China
Updated: 04/01/2020, Comments.
The Great Firewall of China, sometimes called "Project Golden Shield" will be defeated and destroyed. I intend to not just witness it, but participate in its downfall. Easy VPN Technology is the weapon that will cause failure of China's censorship machine.
My first encounter with censorship enforced by the People's Republic of China (PRC) happened in the year 2001 while in the United States of America. I was at home, tuning the shortwave broadcast bands in search of the BBC World Service and its hourly news updates. I was curious about developments overseas involving war against the Taliban in Afghanistan and other notable issues. On several frequencies, there was a weak and fluttery music program obviously from the Far East. It had the characteristics of something transmitted at high power and propagating over the north pole, picking up auroral flutter on the way to my location in the city of Chicago. It was the infamous Firedrake Jammer. With its wild, pounding, squawking, screeching and whistling music, it seemed to be a depiction of a great parade or celebration. In truth, it was jamming broadcasts from Taiwan with political viewpoints sharply contradictory to those of the PRC government. I later learned that the Firedrake Jammer was an agile but centrally controlled broadcast distributed by satellite and retransmitted on selected HF frequencies to prevent reception within the PRC. The Communist Party was going to great lengths to detect and suppress alternative social and political discourse inside China. Indeed, the Firedrake Jammer was the tip of the iceberg.
A few years later, I found myself working for a corporation in Macau, a former Portugese colonial territory taken back as a Special Administrative Region (SAR) of China. Nearby was Hong Kong, another SAR in which the people, culture, and language are Chinese - but with rules allowing a free press, elections of political leaders, and little censorship. From these SARs, one could access Facebook, Twitter, blogs, and any sort of social media. Some banks, government, and media websites in my home country would not allow access from foreign IP addresses, so my colleagues and I began to use VPN services to connect to these useful (and sometimes very essential) internet resources. Connections were easy and fast, with no problems.
After changing to a job inside the PRC itself, and out of the Special Administrative Regions, I came to realize that VPNs are a required tool for anyone intending to get secure and free access to internet resources outside of China. Many Western websites block access from Chinese IP addresses due to risks associated with Chinese government sponsored hacking. Furthermore, the PRC exercises strict "control and management" of newspapers, radio, television, and internet sites. Chinese social networking sites are scoured for so-called "sensitive terms" and purged of anything conveying dissent or "politically unfriendly" viewpoints. Foreign sites, especially news and social media, are blocked by a sophisticated system the PRC calls the "Golden Shield Project." Everyone else calls it the dirty, rotten, and annoying "Great Firewall of China." I simply subscribed to a VPN service, connected to sited I needed to access, and enjoyed a level of access more open than others not using a VPN. The GFW was porous and laughable in my opinion.
A study of forum and usenet posts shows that from 2008 through mid 2012, simply subscribing to a VPN service was enough to maintain unrestricted connectivity to the internet. There were brief periods of hampered access during the Olympic Games, after a serious earthquake, and during certain high-profile political events involving China. Then, in 2012, the PRC tightened its choke hold on information.
October of 2012 marked the start of an all-out war on VPNs. Realizing that Chinese people and foreigners, with access to uncensored internet, were exposed to a world sharply at odds with the world depicted by the Communist Party, the government unleashed a more potent GFW. It now had the capability to use deep packet inspection to identify and block VPN traffic. It caused chaos among individuals and businesses which relied on secure connections based on VPN technology. They lost the ability to protect their private communications, access to home-country government sites, financial institutions, news sources, and various social media. Google services were very hard hit. Others, such as Yahoo!, were not far behind in losing connectivity with China. Porn is easily accessible on the Chinese internet despite the sociopolitical censorship. I don't know how much the censorship costs China's economy, but this impeded connectivity has a non-zero cost - and it may be significant.
My VPN providers used OpenVPN, which was initially an easy target for the GFW. It came with default server configuration using port 1194. When the GFW scanned my traffic and found high volumes of encrypted data on port 1194, it blocked access to the server on port 1194. When I changed the configuration to use port 443 (a standard for SSL encrypted web pages), that port worked initially, but was blocked after several hours. When I complained to the VPN provider, they gave me a set of special IP addresses for new servers and alternative ports used by all sorts of other computer applications (instant messaging, file transfers, remote desktop programs, and so forth). OpenVPN traffic would hide on the information superhighway in a large volume of similar looking data. Yet these new servers would be found and blocked by the Chinese sensors, then unblocked again several hours later. I also tried looking up the VPN service's regular gateways' IP addresses and connecting directly, without DNS lookups. They were blocked by China's great firewall.
Believing that address diversity is a strong weapon against the GFW, I began experimenting with a virtual-private-server configured as an OpenVPN gateway. It worked nicely, providing at least as much secure broadband as commercial VPN providers and being small enough, initially to escape notice by the Golden Shield Project. Eventually, the GFW's deep packet inspection system was upgraded to the point where it could find any server running OpenVPN and block it. Surprisingly, I could still connect to the server for file transfers. Yes, FTP on port 21 still worked. Other randomly chosen ports would work for about a day before being blocked. Eventually, my method of using a VPN in China revolved around the 10 Tips for Effective Web Unblocking With A VPN.
There is one particular critical weakness in the Great Firewall of China. It is ineffective against data coming from multiple IP addresses at once, as in bit torrent downloads. When the government cracked down on foreign TV shows and movies on Chinese video sites, viewers migrated to torrent streaming applications to continue viewing the banned shows. Flixtor and Popcorn Time would stream a video in better quality, and faster, than the sites affected by the crackdown. The GFW cannot choke off a well seeded bit torrent download.
Update: July 04, 2014. Since Google has been completely blocked in China, I have had to resort to using my VPN nearly all of the time. As an experiment, I have added new data to my computer and Android phone's hosts file to restore access to Google services. Gmail now works without a VPN. YouTube doesn't. Play works, but it is slow. Search works, but not as fast as Google via Collateral Freedom Methods. The GFW is speeding up, and can suppress unobfuscated VPN traffic within minutes. It is necessary to change servers much more often than in the past. L2TP/IPSec still works and I reaffirm that it works because it is a honeypot for the Chinese.
SAMPLE HOSTS FILE DATA FOR ACCESSING GOOGLE SERVICES FROM CHINA: 220.127.116.11 apps.google.com 18.104.22.168 books.google.com 22.214.171.124 drive.google.com 126.96.36.199 0.drive.google.com 188.8.131.52 1.drive.google.com 184.108.40.206 2.drive.google.com 220.127.116.11 3.drive.google.com 18.104.22.168 4.drive.google.com 22.214.171.124 5.drive.google.com 126.96.36.199 groups.google.com 188.8.131.52 play.google.com 184.108.40.206 scholar.google.com 220.127.116.11 mail.google.com 18.104.22.168 www.google.com 22.214.171.124 google.com.hk 126.96.36.199 google.com.hk 188.8.131.52 www.youtube.com 184.108.40.206 youtube.com
Update: June 01, 2014. Another upgrade has been installed in the Great Firewall of China. It operates more silently: data packets from filtered IP addresses are intercepted and pulled out of the data stream flowing inside China. It is possible to see this by pinging a prohibited site and seeing no response, whereas pinging an allowed site indicates normally. In a web browser, connections to forbidden sites were broken by reset packets, now they simply don't load due to no reply coming back. The GFW, however, still checks foreign IP addresses for the presence of VPNs, proxies, or other shunned content. Regarding content, Google is now completely blocked in China.
robert@barrelhouse:~$ ping 220.127.116.11 PING 18.104.22.168 (22.214.171.124) 56(84) bytes of data. 64 bytes from 126.96.36.199: icmp_req=2 ttl=47 time=46.1 ms 64 bytes from 188.8.131.52: icmp_req=3 ttl=47 time=45.9 ms 64 bytes from 184.108.40.206: icmp_req=5 ttl=47 time=45.4 ms 64 bytes from 220.127.116.11: icmp_req=6 ttl=47 time=45.7 ms ^C --- 18.104.22.168 ping statistics --- 7 packets transmitted, 4 received, 42% packet loss, time 6012ms rtt min/avg/max/mdev = 45.475/45.825/46.126/0.330 ms robert@barrelhouse:~$ ping 22.214.171.124 PING 126.96.36.199 (188.8.131.52) 56(84) bytes of data. ^C --- 184.108.40.206 ping statistics --- 9 packets transmitted, 0 received, 100% packet loss, time 8064ms
Currently, I continue to use one commercial VPN service and operate my own cloud based VPN server. I change my server's IP and port on a daily basis and use Stunnel to hide the data packets from deep packet inspection. I often write to my commercial provider and complain about their servers being blocked, getting replies a day later suggesting new ports and IP addresses. Thus, the war against China's Great Firewall has evolved into "whack-a-mole" or "cat-and-mouse" antics. Eventually, the Party will lose the information war and see its internet censorship system fade to irrelevance. Too many people similar to me, with stuborn attitudes and totally unwilling to surrender, will defeat the Great Firewall of China.
Update: January 30, 2014. The GFW seems to be modular in nature, and is more restrictive in some geographical areas than others. Apparently, hotels, certain corporations, and some academic institutions get favorable treatment and may use VPNs. In other locations, the GFW will detect and block VPNs within 10 to 20 minutes. There are more servers available for internet users, so the free world is winning the battle against the Great Firewall of China. Though the current regime is tightening its grip on the media, it is failing to effectively censor adversaries with deeper knowledge of circumvention tools. BunkerbusterVPN affirms that the GFW will be defeated within a year or two. Today, novice internet users are, for short periods, able to access the open internet using a wide array of transparent VPN services.
Update: April 28,2016. The Great Firewall of China has done nothing but improve its ability to recognize and block circumvention technology within munutes of first use. China is experiencing a second cultural revolution, blocking foreign content and heavily censoring dommestic content. Only cleverly obfuscated VPNs are functional, and they are in high demand. Fortunately, they seem to have plenty of capacity for circumvention activity within China.
A Chinese VPN Reprimand letter. November, 2012.
Another Chinese VPN Reprimand letter. November, 2012.
Update: April 1,2020. The Great Firewall of China continues to receive upgrades, now using artificial intelligence to detect and block "high entropy traffic." Circumvention methods continue to evolve; reducing bandwidth and cutting off access appears to be the impending final measure to bolster oppression with information warfare.