Best VPN protocol for China

Hello everyone, here I am again, Nicholas Cuts of Switcherry VPN. In my new article, we will talk about how to bypass online censorship in China.

The Chinese segment of the Internet is nothing like what we see in the rest of the world. In China everything is its own – its own search engines, its own social networks, its own messengers, its own file and video hosting services, etc. At the same time, access to Western Internet resources is severely limited or even completely suppressed. Millions of Chinese people who actively use the Internet are not even aware of the existence of such super popular platforms in the West as Facebook and Instagram. And even the Internet resources that try to take a neutral position are blocked. The system that restricts or blocks access to the prohibited sites has been dubbed by the West the “Great Firewall of China”. This system is constantly being improved and updated. This article will discuss whether it is possible to bypass the Great Firewall of China with a VPN, and if so, what VPN protocols should be used for this.

What is the Great Firewall of China

“The Great Firewall of China” is the name coined by journalists for a multi-level system for tracking and filtering Internet traffic, created in China under the “Golden Shield Project”. The project was launched in 1998, and five years later the system was operating at full capacity. The “Golden Shield” was created not only and not so much to block access to prohibited foreign Internet resources, as many people think. Its main function is to monitor and analyze internal information flows in order to identify dissidents and prevent the spread of ideas among the local population that are at odds with the general line of the Chinese Communist Party. At least 50 (and according to some estimates, more than 100) thousand people daily monitor all publications in the Chinese segment of the Internet, removing prohibited content and suppressing any attempts to bypass censorship restrictions.

China blocks most of the Internet resources that the rest of the world is accustomed to

However, for foreigners visiting China or permanently residing in it the main problem is the inability to access the world’s most important online resources. For people accustomed to unlimited online freedom, life becomes an ordeal without communicating with relatives and friends on their favorite social networks or using a messenger and without daily visits to popular online media.

Every Chinese ISP is required to install software on their servers that analyzes traffic and blocks access to sites banned in the country by order of the authorities. Here is a list of some of the most popular websites blocked in China:

  • Facebook;
  • Facebook Messenger;
  • Instagram;
  • Google – all services of the company without exception (Gmail, Google Play, Google Apps, etc.);
  • YouTube;
  • Vimeo;
  • Wikipedia;
  • Twitter;
  • WhatsApp;
  • Telegram;
  • Microsoft OneDrive;
  • Pinterest;
  • Snapchat;
  • Reddit;
  • Quora;
  • Tumblr;
  • Spotify;
  • Twitch.

Naturally, the list is far from complete; only the most popular Internet resources are shown. In fact, tens of thousands of sites are blocked, including virtually all Western electronic media without exception. And the list of Internet resources prohibited in China is constantly growing. You can find out if a particular resource is blocked in China without coming to this country by using the GreatFire Analyzer website. Here is a screenshot of the results of testing whether Wikipedia is blocked in China:

Blocking Wikipedia

There are different blocking rules in different provinces in China. Sites that can be accessed in one region may be blocked in another. Hong Kong and Macau have no blocks at all! In these cities, the authorities disable the Internet only during events of social unrest and turmoil.

Is it legal to use a VPN in China?

This question cannot be answered unequivocally. On one hand, the use of VPNs is strictly regulated by the authorities. Only VPN providers that accept and comply with government censorship policies can legally operate in China. On the other hand, the Chinese government strongly encourages the inflow of foreign capital and innovation into the country. Therefore, the authorities simply avert their eyes when foreign citizens try to use this or that VPN service to bypass the Great Firewall of China.

Note that there have been no cases of foreigners being prosecuted for using an independent VPN in China. The authorities only block (or try to block) the operation of all unauthorized VPN services.

How Chinese authorities are fighting independent VPN providers

Unauthorized VPN providers are barred from operation in China. That’s why the websites of the world’s most famous VPN providers are not accessible from China. (By the way, this is why you must download and install the VPN clients of your chosen VPN provider on all devices that you take with you before traveling to China.) Every ISP is required to block all unauthorized VPN connections. In other words, if the ISP discovers that the client is using an unfamiliar VPN, then all traffic coming from their device is cut off, and the client cannot even visit sites located in China. At the same time, no warnings appear in the browser window – the client sees only a blank white page.

How does the ISP know you are using a VPN

As we mentioned above, every Chinese Internet provider is obliged to install special software on their equipment that analyzes and filters customer traffic. How the Great Firewall of China actually works is not known for certain, but we assume that direct blocking of VPN server IP addresses and deep packet inspection technology are at play here.

Simplified principle of the Chinese firewall

Direct blocking of IP addresses

The staff of the “Golden Shield” project monitors the Internet every day and blacklists the IP addresses of the discovered VPN servers. Naturally, the IP addresses of the VPN servers of the most famous VPN providers are monitored and blocked first.

Deep packet inspection

Deep packet inspection technology allows you to determine what type of traffic the scanned data packet belongs to. Oddly enough, it’s not hard to identify VPN traffic using deep packet analysis technology. You can usually even determine which VPN protocol the analyzed VPN connection is using.
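As an added illustration (not code from this article, and not how the Great Firewall is actually implemented), the sketch below shows why framing alone gives a protocol away: it labels a flow from its first payload using the publicly documented OpenVPN, WireGuard and TLS headers. The sample payloads are constructed, and a flow that opens with a TLS ClientHello, as SSTP and SoftEther SSL VPN sessions do, comes out labelled as plain TLS.

```python
import struct

# Fixed sizes of WireGuard handshake messages, keyed by message type.
WG_SIZES = {1: 148, 2: 92, 3: 64}
# OpenVPN opcodes that open a session (P_CONTROL_HARD_RESET_CLIENT_V2 / _SERVER_V2).
OVPN_RESET_OPCODES = {7, 8}

def _is_openvpn_reset(pkt: bytes) -> bool:
    # First byte = opcode (high 5 bits) | key_id (low 3 bits), then an 8-byte session ID.
    return len(pkt) >= 14 and (pkt[0] >> 3) in OVPN_RESET_OPCODES and (pkt[0] & 7) == 0

def _is_tls_client_hello(pkt: bytes) -> bool:
    # TLS record: type 0x16 (handshake), version 3.x, 2-byte length, handshake type 1.
    return (len(pkt) >= 6 and pkt[0] == 0x16 and pkt[1] == 3
            and pkt[2] in (1, 2, 3) and pkt[5] == 1)

def classify(payload: bytes, transport: str) -> str:
    """Label the first payload of a flow from its framing alone."""
    if transport == "udp":
        if (len(payload) >= 4 and WG_SIZES.get(payload[0]) == len(payload)
                and payload[1:4] == b"\x00\x00\x00"):
            return "wireguard"
        if _is_openvpn_reset(payload):
            return "openvpn"
    elif transport == "tcp":
        if _is_tls_client_hello(payload):
            return "tls"
        # OpenVPN over TCP prefixes every packet with its 2-byte length.
        if len(payload) > 2 and struct.unpack("!H", payload[:2])[0] == len(payload) - 2:
            if _is_openvpn_reset(payload[2:]):
                return "openvpn"
    return "unknown"

# Constructed sample payloads (not captured traffic); key material is zero-filled.
WG_INIT = b"\x01\x00\x00\x00" + bytes(144)
OVPN_UDP = b"\x38" + bytes(8) + b"\x00" + bytes(4)
OVPN_TCP = struct.pack("!H", len(OVPN_UDP)) + OVPN_UDP
TLS_HELLO = b"\x16\x03\x01\x00\x2e" + b"\x01\x00\x00\x2a" + b"\x03\x03" + bytes(40)
SAMPLES = {
    "wireguard/udp": (WG_INIT, "udp"),
    "openvpn/udp": (OVPN_UDP, "udp"),
    "openvpn/tcp": (OVPN_TCP, "tcp"),
    "tls-wrapped/tcp443": (TLS_HELLO, "tcp"),
}

def classify_samples() -> dict:
    return {name: classify(p, t) for name, (p, t) in SAMPLES.items()}

if __name__ == "__main__":
    print(classify_samples())
```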

What VPN Providers Do to Break through the Great Firewall of China

It would seem that independent VPN services have no chance of breaking through the multi-layered security of the Chinese Internet. In fact, the rivalry between VPN providers and the “Golden Shield” is like a game of cat and mouse. Sometimes the employees of the “Golden Shield” manage to completely block all traffic of a certain VPN provider, but after that the programmers of this VPN service, by changing the code, make holes in the “Golden Shield”. To overcome the Great Firewall of China, programmers now mainly use two methods: masking and obfuscation of VPN traffic.

VPN traffic masking

The essence of this method is to disguise the VPN protocol as another, widespread protocol, which does not arouse suspicion from the ISP even after the deep packet analysis technology is used. As a rule, HTTPS is chosen as the masking protocol, since it is currently one of the most widespread and indispensable ones. Accordingly, the VPN server masquerades as an HTTPS server.

VPN traffic obfuscation

Obfuscation deliberately introduces distortions into data packets, making it impossible to determine what type of traffic and protocol they belong to.

Which VPN protocol should you use to break through the Great Firewall of China

VPN protocols are continually being improved and developed. Programmers regularly modify old, effective protocols and create new ones. My article about cryptographic protocols used in VPNs describes the most popular VPN protocols. However, not all of them are able to breach the “Golden Shield”. According to recent studies, only four VPN protocols are able to overcome the Great Firewall of China: SSTP, OpenVPN, WireGuard, and SoftEther’s SSL VPN.

SSTP

The SSTP protocol developed by Microsoft is part of the Windows OS core. An SSTP VPN connection is indistinguishable from HTTPS, with both SSTP and HTTPS using the same TCP port 443. Due to these factors, the SSTP VPN protocol is not detected by deep packet inspection (or rather, is classified as HTTPS) and is not blocked. Thus, SSTP is by far the best protocol for traversing the Great Firewall of China. Unfortunately, SSTP is relatively uncommon and poorly suited for mobile devices due to the high demands on the computing power of the device.

OpenVPN

OpenVPN in its pure form is easy to detect and block. However, obfuscation and masking techniques make this VPN protocol invisible even to deep packet inspections. This modernized OpenVPN protocol is able to overcome the Great Firewall of China.

WireGuard

Previously, WireGuard easily passed the Great Firewall of China, but over time, as the technology of deep packet analysis improved, this protocol became just as easy to detect and block. However, since WireGuard is a relatively young protocol, you can expect developers to make changes in the future to overcome blockages.

SoftEther SSL VPN

SoftEther is the latest free VPN client and VPN server. There are versions of SoftEther for all popular operating systems. SoftEther can work with the OpenVPN, SSTP and L2TP/IPsec protocols. In addition to these long-known VPN protocols, the creators of SoftEther have developed their own SSL VPN protocol, which, like SSTP, is disguised as HTTPS, making it easy to penetrate the “Golden Shield”.

Conclusions

Of all the VPN protocols described above, SSTP is without a doubt the strongest, as modern methods of analyzing network traffic cannot distinguish it from HTTPS. The SSL VPN protocol for SoftEther also looks very promising. OpenVPN and WireGuard have been struggling with the blockings with varying degrees of success and need to be further developed and refined.

How to Choose the Right VPN Provider for China

When choosing a VPN provider for China, you need to make sure it uses VPN protocols that can penetrate the Great Firewall of China. In addition to a reliable protocol, the VPN connection must be secure from all types of leaks (in China it is especially important not to leak DNS) and have a Kill Switch. To find out whether the VPN client has any leaks, read my article “How to check if your VPN connection is secure?”

It is highly recommended that you try the VPN from our own company – SwitcherryVPN. As a reminder, you must install VPN clients on your devices before traveling to China, as access to our site from China may be blocked.

FAQ

1. I’m American and planning a business trip to China. What happens if the Chinese authorities discover that I am using a VPN?

As practice shows, absolutely nothing happens in this case. The Chinese authorities block access to discovered VPN servers, but do not punish foreigners trying to bypass the Great Firewall of China.

2. I downloaded and installed the VPN client and set it up to work over SSTP protocol. However, upon arriving in China, I discovered that my VPN was unable to penetrate the Great Firewall of China. What's the matter?

Most likely, your VPN client has some kind of leak. To find out how to identify and fix leaks, read the article “How to check if your VPN connection is secure?”

3. Is there a free VPN operating in China?

No, a completely free VPN does not exist there. However, our company Switcherry VPN has a free tariff plan as well.

Author: Nicolas Cuts

Product Manager at SwitcherryVPN. I have 5 years of background in management and marketing. I never stop learning!
