Privately hosted VPN for China?

hardwarenuts0
Oct 8, 2012
I'm going to China and want to get around the firewall at the best possible speeds. How can I do that?

I understand that most VPNs are blocked at an IP level, although the recent blocking of Astrill has been reported to be at the protocol level.

Assuming this latest clampdown passes, would it be better if I rented a virtual private server hosted geographically close to China (e.g. HK, Taiwan, Korea, Japan), and piped my traffic through it? At least this way, it's unlikely that my IP address would be blocked.

I tried commercial services like Astrill, and their speeds are very unreliable. In my home on the west coast of the US, I have a computer that I run a VPN service on. I tried this solution in the past when I visited China, but the latency is very long.
 
The problem is finding a VPN service that China cannot also find. If you had, say, a friend in Taiwan, that would work, but it is unrealistic. You could rent a generic server at a hosting center and load VPN/router software on it. It would be less likely that they block a hosting service.

They can and do block by protocol. I am surprised you could get it to work to your house, but maybe they do not have it on as strict.

IPsec and PPTP use different protocol numbers (i.e. not TCP or UDP) so are easy to block. The more common OpenVPN pretends it uses SSL, i.e. HTTPS, but it doesn't fully and can be detected. The only ones that work and cannot be detected are true SSL. These are a little harder to find because of all the misinformation about OpenVPN using SSL. Since I only need a tiny number of sessions, I have used the free license in a Cisco 2800 series router that allows 2, but I am told there are free things that use OpenSSL, which is not the same as OpenVPN.

Still, I never bothered to dig since I was mostly doing this to see if we correctly blocked VPN at work.

If you just need web surfing, HTTPS proxies are trivial to host in a hosting center and nothing will stop those.
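The signals named in the post above, seen from the filtering side, as an added example that is not part of the original thread: a classifier an egress-filter audit could run over raw IPv4 packets. The function names, the port numbers, the OpenVPN opcode heuristic (it checks only the v2 client reset) and the sample packets are assumptions constructed for illustration.

```python
import struct

# IP protocol numbers that identify a tunnel before any port is examined.
TUNNEL_PROTOCOLS = {47: "GRE (PPTP data)", 50: "ESP (IPsec)", 51: "AH (IPsec)"}
TCP, UDP = 6, 17
OPENVPN_RESET_V2 = 0x38  # opcode 7 (client hard reset v2) << 3, key id 0


def classify(packet: bytes) -> str:
    """Label a raw IPv4 packet by VPN traits visible without decryption."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not IPv4"
    proto, l4 = packet[9], packet[(packet[0] & 0x0F) * 4:]
    if proto in TUNNEL_PROTOCOLS:
        return TUNNEL_PROTOCOLS[proto]
    if proto == UDP and len(l4) >= 8:
        ports, data = struct.unpack("!HH", l4[:4]), l4[8:]
        if 500 in ports or 4500 in ports:
            return "IKE (IPsec key exchange)"
        if len(data) >= 14 and data[0] == OPENVPN_RESET_V2:
            return "OpenVPN handshake"
    if proto == TCP and len(l4) >= 20:
        ports, data = struct.unpack("!HH", l4[:4]), l4[(l4[12] >> 4) * 4:]
        if 1723 in ports:
            return "PPTP control"
        # OpenVPN over TCP prefixes each message with a 2-byte length.
        if (len(data) >= 16 and data[2] == OPENVPN_RESET_V2
                and struct.unpack("!H", data[:2])[0] == len(data) - 2):
            return "OpenVPN handshake"
        if data[:2] == b"\x16\x03":
            return "TLS handshake (looks like any HTTPS session)"
    return "unclassified"

# Constructed sample packets (checksums left at zero; not captured traffic).
def ipv4(proto: int, l4: bytes = b"") -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto,
                       0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1])) + l4
def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
def tcp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + data
OVPN_RESET = bytes([OPENVPN_RESET_V2]) + bytes(8) + bytes(5)  # 14-byte reset
SAMPLES = {
    "esp": ipv4(50, bytes(16)),
    "gre": ipv4(47, bytes(8)),
    "ovpn_udp": ipv4(UDP, udp(40000, 1194, OVPN_RESET)),
    "ovpn_on_443": ipv4(TCP, tcp(40001, 443, struct.pack("!H", 14) + OVPN_RESET)),
    "https": ipv4(TCP, tcp(40002, 443, b"\x16\x03\x01\x00\x05hello")),
}
```

Running `classify` over `SAMPLES` shows the OpenVPN packet on port 443 still being labelled by its framing, while the TLS sample is indistinguishable from ordinary HTTPS at this layer.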
 


Thanks for your reply! It was very thorough. For my own server, it seems IPsec works the best, though it's often unreliable.

Can you talk more about your experience with the 2800 series router and OpenSSL? How does that work for you, and what kinds of speeds can you get with it?
 
The 2800 series router is a very special thing. It loads an ActiveX client dynamically so you can even run it on a public computer. It will even run through a corporate proxy undetected. The huge issue is getting the software. Of course you can buy the device from an official channel and pay a lot. If you get them used, you need to have the security bundle on them and then you still need the files that it downloads to the client.

It is quite a pain to set up, but I was partially doing this when I was working on some Cisco security certifications. A new problem is that this line of routers is now end of life and I do not think the newer 2900 series supports it. They of course still sell a number of VPN appliances that do this, but even the ones with only 10 licenses tend to not be cheap.

These appliance-based solutions, both from Cisco and Juniper, we have found pass through just about anything. There are VPN providers that actually use these devices... then again, a public VPN provider will be on a blacklist for those wanting to prevent VPN.

I really wish I could give you info on OpenSSL without a lot of Google searching. Someone else on the team I was working on had loaded the VPN at his house. We were testing a new firewall at work and, as expected, it could not detect the appliance-based ones or true SSL. Pretty much they decided it would stop the vast majority of users since it also has a VPN blacklist of sites.

Last I heard they were working on a certificate server so they could intercept and monitor all HTTPS traffic with a man-in-the-middle attack. A government could do the same thing and not have the concerns a business does that attempts that method.