So you’ve heard about China’s Total Surveillance State and the Great Firewall. Through their cunning schemes, the Chinese government has managed to take an emancipatory technology and turn it inward onto itself. What was supposed to be a sphere for the free exchange of ideas aided by anonymity has ultimately become a structure for total surveillance and control.

It’s easy to see the reality of this statement. For example, government authorities only allow services where citizens can be observed through backdoors or otherwise. Often, that information turns up in court hearings or private “tea drinking” sessions. Among manifestations of this are China’s most popular messaging app (WeChat), the local “Google in China” search engine (Baidu), and too many other services to name.

wechat and baidu logo

Combined with the social credit system and other realities this makes for an Orwellian (Black Mirror-ean?) picture. But while the Great Firewall is powerful and seemingly all-encompassing, it also stays true to the control tactics mentioned in our previous article. Modern China is not like the China of Mao, North Korea, or Stalin’s Soviet Union – thought crime is to be thwarted but not punished. China observes its citizens who are, in a sense, free… at least until they do something stupid.

As such, “climbing over the Wall” is possible if you know how to go about it. That’s what we’re here for. In Part III of our Dystopia Now series, we take a look at ways of circumventing Chinese online censorship and doing so safely. We’ll chat on the other side.

Schrödinger’s VPN service

Many VPN review and information sites function under the illusion that the status of VPN services in China is anything but ambiguous. Having spent time on hundreds of top500vpnreview.com sites, we’ve learned that China has banned the use of all VPN services, all unapproved VPN services, all use of VPN services by companies, by individuals, or no one at all. The truth is out there, it seems.

Our take on it is that we are dealing with a common state of affairs for authoritarian systems. All acts are simultaneously legal and illegal, depending on who you are, who you’re talking to, what else is known about you, and a wild constellation of other factors.

For example, if you belong to the Uighur Muslim minority in the autonomous region of Xinjiang, all circumvention tools, including VPN services, are apparently “terrorist software.”

China protests Then again, if you’re a Western businessman in Beijing, it is reportedly not much of an issue.

Nonetheless, there are certain facts about VPN services in China that we can state with some degree of confidence:

  • Back in January of 2017, the Chinese government announced that it would spend the following 14 months to crack down on unauthorized VPN services. The deadline for this was March 31, 2018, but there was a lot of disagreement over what would happen after this date.
  • In the end, there seems to have been a crackdown on cheap, China-based VPN services. A lot of them got closed and their operators got fines or even jail terms of up to 5 years. Hundreds of VPN apps were also removed from the Apple App Store at China’s request. As a result, users can be fairly certain that China-based VPN services operational after March 31 have been approved by the government (because of reasons, no doubt).
  • Day to day use of VPN services was/is still possible after March 31, 2018, although some foreign providers have mentioned that it became more difficult to access servers, VPN websites, and so forth. Regardless, some VPNs continue to offer a reliable service to users in China.

As it stands, Virtual Private Networks are the primary solution for users in China: they work, they’re affordable, and they are very easy to use. It’s your best bet to get Google, Reddit, the BBC, Facebook, Netflix or any other censored service in China.

What makes a good VPN for China?

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

Before choosing a VPN service from some list on the internet, users may want to understand how the Great Firewall functions. This will help to determine what are the desirable features for bypassing it. What we give here is a simplified picture, which should nevertheless shed some light on the topic.

The censor’s arsenal

China blocks connections primarily using three different methods:

  • IP blocking

This is the basic level of censorship – China has an IP address blacklist and blocks connections to these IP addresses. However, IP blocking has problems, not least of which is keeping the blacklist up to date, especially considering that changing IP addresses is not difficult.

  • DNS-related methods

The Domain Name Server (DNS) is an essential part of internet infrastructure. Machines don’t understand domain names the same way people do, therefore, whenever you try to access a domain, your computer will contact a DNS to get the corresponding IP address.

DNS chinese network

This presents an opportunity for censors – what if you “tell” the DNS to filter domain names containing certain keywords? For example, the word “Winnie” or the word “Pooh.” China has a list of thousands of keywords that are affected by DNS-level blocking.

xi jinping looks at trophy of winnie pooh
Cartoon by Badiucao, image source: China Digital Times
  • Deep Packet Inspection (DPI)

A more advanced tool in China’s arsenal, involving an analysis of the packets of data traveling through the network. This works in at least a couple of ways, which we will try to explain in a newbie-friendly way.

Needless to say, there is content Chinese authorities don’t want people to see that can’t be filtered out through a combination of IP blocking and DNS-level blocking. This is where DPI makes an entrance. Network devices would take a sample of the data being transferred and inspect it in detail. By “in detail” we mean OSI Layer 2-7, which is a wide range of information types, including the data protocol structure and the packet contents. In this way, authorities are able to block content based on certain keywords, for example.

DPI server chinese internet

More to the point, DPI can be used to deal with unwanted traffic types, such as OpenVPN traffic. If the Firewall encounters suspicious traffic, it will do a couple of things. Firstly, it will terminate the connection by sending the host spoofed TCP reset (RST) packets. Secondly, it will probe the suspicious server, sending it requests using different protocols and looking for a response. If it is determined to be a VPN server, the Firewall will ban it (allegedly for several hours only).

Running the gauntlet

VPN users may have to jump through lots of hoops before getting to the point where they can actually use a decent VPN service. Here they are from start to finish.

  • Downloading the software

The easy part, right? Well, as a matter of fact, this may actually be very difficult because if you’re already in China, you will likely find the VPN website blocked.

Blocked website

Therefore, if you’re just a visitor to the country, it’s best to download and subscribe while you’re still at home. If you’re already in China, you’ll have to look for a mirror site – most VPN services operate these for just this sort of situation.

  • Paying

The act of paying itself may not be a big problem, but the privacy aspect certainly is. You would rather not have a VPN down payment on your bank records, especially if you’re climbing the wall to engage in “subversive acts.”

Your second hoop is thus finding a VPN service that offers anonymous payment methods, such as crypto.

  • Connecting to and using a VPN service

As we explain in the section above, China has lots of ways to prevent users from establishing a connection. Users should thus focus on VPN services with feature suites that will let them bypass the blocking measures. Furthermore, they should also choose privacy-conscious and leak-free services because the price of not doing so may simply be too high.

The grappling hooks of VPN services

While determining which VPN service is actually good in China can be difficult, some features mean a VPN is better positioned for success. Some are features of the VPN service, while others are “features” of the provider. Here are a few:

  • Tunneling protocol variety

Since China has ways to distinguish the data protocol used for data transfers and block connections based on this factor, more protocols mean better chances of getting over the Firewall. Particularly important are protocols that are secure against attacks. Examples of this are OpenVPN, IKEv2, SSTP, WireGuard, to a certain extent – L2TP/IPsec, and some others.

  • Stealth protocols

Many VPN services have reported issues with using OpenVPN in China. However, some have found an answer to the DPI problem – the stealth protocol. If you look at the marketing of various VPN services with stealth protocols – NordVPN or VyprVPN, etc. – you’ll think this is some sort of super-secret proprietary technology. Usually, that’s not so. Most VPN services take OpenVPN and add an XOR patch. In simple terms, this means further scrambling the encrypted data to fool DPI.

Some VPN services offer a different way of bypassing DPI, like Stunnel/SoftEther/Obfsproxy.

Whether it’s called a “stealth protocol,” “obfuscated servers,” “Chameleon,” or something even more exotic, the point is, you’ll need it to surf freely in China.

  • A suitable server list

Your connection speed when using a VPN depends on a number of things, not least of which is your distance from the server you’re connecting to. It can also be impacted by the server load. Adding these two factors together allows us to look for certain things in the VPN server list.

Firstly, you want as many servers around China as possible. This reduces the physical distance your data will travel and also, presumably, the load on nearby servers (not an exact science, ladies and gentlemen).

expressvpn servers asiaExpressVPN has lots of servers in Asia.

Of particular importance to VPN users are servers in the USA. That’s because the US has lots of geo-blocked content only available with an American IP address. In the case of China, users should look for servers on the West Coast of the US because that’s where speeds will be the least punishing.

Perhaps more important than the sheer number of servers is the rate at which the number rises. The reason is IP blocking – the more significant the rate of server rotation, the better the chance that the Chinese government will be unable to keep up with blocking efforts.

Practice caution in your choices

Besides the VPN features, there are also other, more abstract things to consider, particularly related to where the VPN service is registered and where its servers are. As previously mentioned, there‘s no doubt that China-based VPN service providers will not protect your data from the Chinese government. However, we would argue that suspicions should extend to other countries in the Chinese sphere of influence as well. Realpolitik offers an accurate description of how things work.

Take this with a grain of salt – there‘s no way we could claim the following as fact. Regardless, considering these aspects is crucial, especially if you belong to a group of users whose activities are highly sensitive. Journalists, political activists, dissidents – we‘re talking to you.

Here‘s a good example of a high-risk VPN jurisdiction: Hong Kong. Plenty of VPN services are registered in Hong Kong due to its laissez-faire attitude, but there should be no illusions about autonomy when China really wants to get something done. To a lesser extent, the same may apply to some other countries in the Far East as well.

China map

And here‘s another thing – logging. When in China, it‘s best not to take any risks where privacy is concerned and choose a VPN service that has a favorable logging policy, i.e., one that clearly states what information the service keeps and for how long. VPN services with minimal logging are the most desirable, but figuring out which ones fit that bill is far from a straightforward proposition. Since there‘s no way to know for sure which VPNs are truthful in their claim of not keeping any user data, it‘s a good idea to choose services where those claims have been proven in some way.

A few examples of VPN services who have facts to back up the integrity of their logging claims

ExpressVPN logo

At the beginning of 2017, Turkish authorities seized an ExpressVPN server in search of information on the perpetrator behind the assassination of Russian Ambassador Andrei Karlov. They failed to find anything useful.

Read our full ExpressVPN Review

NordVPN logo

In late 2018, NordVPN revealed that their no logging claims were audited by a big 4 accounting firm (PwC). Soon the report on the audit was leaked, confirming that NordVPN keeps the absolute minimum of information – much too little to be personally identifiable.

Read our full NordVPN Review

VyprVPN

Golden Frog also submitted to an independent audit, confirming their newly-implemented no-logging policy (albeit not by a big 4 accounting firm).

Read our full VyprVPN Review

PIA services

US law enforcement has sought user data from PIA in a number of cases and has thus far always come back empty-handed.

Read our full Private Internet Access Review

Finally, a word to the wise – don‘t be tempted into downloading one of the thousands of free VPN services out there. The overwhelming majority of them expose users to various compromising situations, such as getting their browsing habits tracked and sold to marketers. As we‘ve mentioned in our first Dystopia Now article, many of the ones available on Android, for example, are Chinese apps anyway.

Research is paramount if you want to be a VPN user in China. However, if you want a recommendation, the top three VPN services on the list above (ExpressVPN, NordVPN, and VyprVPN) cover all the bases we want out of a VPN service for China.

Beyond Virtual Private Networks

VPN is merely the most popular and one of the most effective means of circumventing comprehensive internet censorship in China. Users may also be interested in other choices, some of which are potentially cheaper than buying a top VPN service subscription. While there are many that may be effective in specific situations, we will look only at those that can compete with VPNs. In other words, Tor and most types of proxies are out of the question.

With that being said…

Shadowsocks Logo  Shadowsocks

Unlike its brother (Cousin? Uncle?) the SOCKS proxy, Shadowsocks has some advantages over VPN. Firstly, it encrypts data, while SOCKS only does so in conjunction with SSH. Secondly, SSH is vulnerable to DPI and to the active probing of servers, whereas Shadowsocks is not. A Shadowsocks server will not reply unless connecting with login credentials. Third, Shadowsocks allows UDP traffic, not just TCP.

Perhaps the best way to illustrate the usefulness of Shadowsocks in China is to recount the story of its creator, clowwindy. In short, after 3 years of uninterrupted work on Shadowsocks, clowwindy was visited by the Chinese police in 2015 and told to discontinue the project (which he did). Clearly, the authorities found Shadowsocks too much to handle!

Fortunately, this is an open source project and is thus still being developed by others.

The difficulty with using Shadowsocks is that it requires more know-how and patience than the regular user is known for. Firstly, it requires getting a server or VPS somewhere outside the country. Secondly, it requires a lot more configuration than pressing “Next” and clicking on a map.

Obfsproxy

Tor China

This is an extension of Tor and intended to hide SSL-based Tor traffic from DPI. What Obfsproxy does in a basic sense is it changes what the traffic looks like. Instead of disguising the traffic as HTTPS traffic, which is what Shadowsocks does or what VPN “envelopes” like Stunnel do, Obfsproxy gives it an encryption wrapper of an unrecognizable appearance.

The approach is imperfect, as the developers of Tor admit right at the outset, but it does hinder the work of censors.

Although initially Obfsproxy was created for Tor, it has come to be used to hide other traffic from DPI as well, including VPN trafficTunnelBear is a good example of a service that has adopted Obfsproxy into its suite.

tunnelbear ghostbear

Tor is notoriously slow so Tor with Obfsproxy will also have that issue.

Comparing VPN and proxy-based circumvention methods

Various proxy types have various issues when it comes to their suitability for use against censorship and repression in China. HTTP and HTTPS proxies only work on the web and the former doesn’t even provide encryption. SOCKS can work with other traffic types (not just web traffic) and can provide encryption through the use of SSH, but it’s no good against DPI.

Well, Shadowsocks has none of these issues and is reportedly even better than stealth-enhanced VPN services at evading DPI, but it does have a different issue.

Most proxies have the issue that they function at the app level. This means you’ll need to separately set up proxies on your browser and torrent client, for example. Moreover, many apps don’t support proxies, leaving some of your traffic unprotected. Although Shadowsocks can apparently be implemented as part of a VPN suite, this practice has not been widespread.

Proxy vs VPN

Meanwhile, VPN works at the system level (or even at the network level), encrypts all your traffic regardless of origin and sends it through a VPN server. The most important benefit of this is that you’re less likely to leave holes in your defense using a VPN, which is very important if the consequences of carelessness can be grave as they are in China.

Final word

Hopefully our Dystopia Now series has given you an informative overview of surveillance and online censorship in China, as well as a few weapons against it. It seems that the capabilities of the Chinese control mechanism will only grow, but it will never be powerful enough to stifle everything. And who knows how the digital arms race will progress – technology is moving way too fast to predict even the near future.

So we may as well end with a demonstration of the human spirit – here’s $ANHU with “Give my VPN back.”