If you live in China, you are probably having a hard time trying to log into popular search engines, social networks and media streaming websites such as Google, Facebook, Twitter and YouTube. In the wake of a new year, the Chinese government has tightened internet censorship across the country and started cracking down on virtual private networks (VPNs) as well. A Chinese newspaper called The Global Times reported that China announced it is “upgrading” its Internet censorship to disrupt VPN services inside the nation of 1.3 billion people. The Golden Shield Project, usually referred to as “The Great Firewall of China”, has recently been targeting VPN services used by millions of internet users in China to unblock Facebook, Twitter, Gmail and YouTube.
This is shocking news not only for Chinese residents who depend on VPNs to get access to their favourite websites, but mostly for foreigners who expect to connect with their friends and family overseas via Facebook and Twitter, or follow the news in major newspapers such as The New York Times, The Wall Street Journal and Bloomberg.
“The Chinese government has attempted to curtail the use of VPNs that its citizens use to escape the Great Firewall for a couple years,” said Sunday Yokubaitis, president of Golden Frog, a VPN popular in China.
All VPNs have been blocked at the protocol level (including corporate VPNs). So, if you are using OpenVPN in China, even on port 443, you may notice that your internet connection is shaky. This is because China’s Great Firewall is now able to detect and distinguish packet types using the Deep Packet Inspection (DPI) technique, i.e. it can tell the difference between “normal” SSL encryption and VPN encryption.
However, many VPN services have accepted the challenge and managed to get around the Great Firewall’s filtering using a variety of stealth settings. One of the most effective ways for OpenVPN users in China to bypass the Great Firewall is to mask the OpenVPN connection with an additional layer of encryption that cannot be recognized and blocked by the SPI.
What is Deep Packet Inspection?
“Deep Packet Inspection” is an advanced form of internet content filtering used by a government’s ISP (internet service provider). What an internet service provider basically does is called “Packet Inspection”, which not only enables it to track down your location and prevent you from accessing restricted web content, but also lets it examine your data traffic and find out exactly what you are doing online. For example, an ISP using a packet inspection protocol can detect that you are using a VPN to access blocked web content, which is the case in Iran and China.
In order to avoid this, you need to hide the fact that you are using a VPN at all. Forwarding your OpenVPN traffic through port 443 (instead of the default 8080 port) will most likely camouflage your data, because port 443 is the default port for HTTPS (an internet protocol used by browsers to secure connections). However, it isn’t advisable to rely on it in countries like China and Iran, because their traffic detection protocols will recognize the difference between “normal” SSL encryption and VPN encryption. Therefore, in order to safely use OpenVPN in China, you need a much more advanced encryption technique that will keep your traffic undetected by the Great Firewall.
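How an inspecting device can tell OpenVPN from “normal” SSL on the same port, as an added example that is not part of the original article: it compares the first client bytes of a TCP stream with the TLS record header and with OpenVPN’s TCP framing. The function names and sample bytes are constructed for illustration, and the length bounds are a heuristic assumption.

```python
import struct

# OpenVPN opcode 7 = P_CONTROL_HARD_RESET_CLIENT_V2. The opcode is the high
# 5 bits of the first payload byte; the key id is the low 3 bits.
OVPN_HARD_RESET_CLIENT_V2 = 7


def classify_first_bytes(data: bytes) -> str:
    """Label the first client bytes of a TCP stream: 'tls', 'openvpn' or 'unknown'."""
    if len(data) < 6:
        return "unknown"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00-0x04,
    # 2-byte record length, then handshake type 0x01 (ClientHello).
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01:
        return "tls"
    # OpenVPN over TCP: 2-byte big-endian packet length, then opcode/key-id byte.
    (length,) = struct.unpack("!H", data[:2])
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    # Assumption: a first reset packet is short (14 bytes without extra auth data).
    if opcode == OVPN_HARD_RESET_CLIENT_V2 and key_id == 0 and 14 <= length <= 255:
        return "openvpn"
    return "unknown"


def inspect_flows(flows):
    """flows: iterable of (dst_port, first_client_bytes). The port is ignored on purpose."""
    return [(port, classify_first_bytes(payload)) for port, payload in flows]


# Constructed samples (not captured traffic).
# OpenVPN reset: length 14, opcode byte 0x38, 8-byte session id,
# empty ACK array, 4-byte packet id.
OPENVPN_RESET = struct.pack("!HB", 14, 7 << 3) + bytes(range(8)) + b"\x00" + bytes(4)
# Minimal TLS ClientHello: record header, handshake header, version, random,
# empty session id, one cipher suite, null compression, no extensions.
TLS_HELLO = (bytes.fromhex("160301002f0100002b0303") + bytes(32)
             + bytes.fromhex("000002c02f01000000"))

if __name__ == "__main__":
    # Both flows go to port 443; only the payload decides the label.
    for port, label in inspect_flows([(443, OPENVPN_RESET), (443, TLS_HELLO)]):
        print(port, label)
```

A connection that carries OpenVPN inside an SSL tunnel presents the TLS handshake first, so this particular check labels it 'tls' regardless of what travels inside.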
How to avoid Deep Packet Inspection
There are several ways to bypass the Great Firewall and slip through Deep Packet Inspection without being detected for using a VPN to access blocked content. You can use Obfsproxy, or go for the most commonly relied-on method, which is using OpenVPN in China tunnelled through other encryption protocols such as SSL and SSH.
Obfsproxy is a tool created by the Tor network when China started blocking Tor nodes. You don’t have to use Obfsproxy with Tor only; you can use it with other VPNs as well. Obfsproxy is designed to make VPNs impossible to detect by ISPs and SPIs, as it wraps your already VPN-encrypted data in a foggy layer of obfuscation, hence the name “Obfsproxy”. Since Obfsproxy doesn’t in fact provide an extra layer of “encryption”, but merely camouflages your already encrypted data, it might not be as secure as other methods such as OpenVPN tunnelling over SSL or SSH. On the other hand, not having an additional encryption layer makes Obfsproxy a fast tool with low bandwidth use that can be more effective in countries like Syria or Ethiopia.
Tunnelling OpenVPN in China through SSL
Although Secure Sockets Layer (SSL) is an effective way to maintain online security on its own, it can also be used with OpenVPN to add an extra layer of protection that completely hides the fact that you are using a VPN, letting your traffic slide through Deep Packet Inspection without any worries. If you are going to use OpenVPN in China through an SSL tunnel, you must keep in mind that an additional encryption layer causes your internet connection to slow down. Moreover, since SSL tunnels are created using multi-platform software, you will need to coordinate with your VPN service provider if you want SSL tunnelling, and receive from them the configuration settings necessary to tunnel OpenVPN in China through SSL.
OpenVPN through SSH tunnel
Another way to effectively use OpenVPN in China is to tunnel your OpenVPN connection over the SSH protocol. Similarly to tunnelling OpenVPN through SSL, OpenVPN over SSH involves wrapping an OpenVPN connection within an additional layer of encryption, in this case Secure Shell (SSH) encryption. Tunnelling OpenVPN in China through SSH can be carried out either manually through SSH clients such as PuTTY, or automatically, which is far easier, through VPN services that include this feature within their application.
Countries like China and Iran are determined to control internet access without giving an obvious explanation, and VPNs are now being deemed as illegal as hacking. Therefore, regardless of which VPN service you are using now or planning to use, if you’re using a Chinese DNS or planning to visit China and want to remain in contact with your Facebook friends and watch your favourite Netflix shows, you need to be prepared for some rough internet times and arm your computer with anti-DPI software. Also, if you are going to tunnel OpenVPN in China over SSL or SSH, you need to make sure that you coordinate this process with your VPN provider first.