
Tunneling Under the Great Firewall?

An anonymous reader writes "I am traveling to China in the near future, and needless to say as a Slashdot reader I am going to require access to the Internet. The whole, unadulterated, unfiltered Internet. Also needless to say, I am very leery of the government there (my lack of a nickname on this submission being testament to that). I will only be there for a few weeks, and will not be using the computer for much of that time, so I don't want to shell out a lot of money to a VPN service. However I also don't want to be hindered by extremely slow speeds such as those provided by the Tor network. I have experience implementing Web servers and work fairly often with Linux; however, many of my friends who also face the same dilemma don't. What would be the most cost-effective (free is best) method for me to subvert the Great Firewall during my travels while maintaining sufficient anonymity and enjoying sufficient speed?"
  • Make a proxy. (Score:2, Informative)

    by stanlyb ( 1839382 ) on Friday July 02, 2010 @11:13AM (#32773646)
    Have somewhere a computer with real IP, and start some proxy server. Or even some remote control (VNC, RDP), if you have a good bandwidth.
  • SSH (Score:5, Informative)

    by Hatta ( 162192 ) on Friday July 02, 2010 @11:14AM (#32773652) Journal

    SSH tunneling with SSH -D is trivial to set up. Make sure you forward DNS with network.proxy.socks_remote_dns set to true if you're using Firefox.

    I think I read that SSH can even create a virtual network device that forwards all traffic over a tunnel. Haven't had time to play with that though. That would be a great solution for every app, even those that don't support SOCKS proxies.

  • Re:Really? (Score:5, Informative)

    by flippy10 ( 1846544 ) on Friday July 02, 2010 @11:19AM (#32773720)
    http://en.wikipedia.org/wiki/List_of_websites_blocked_in_the_People's_Republic_of_China [wikipedia.org] Those definitely all sound like sites chock full of state secrets.
  • Re:Fear (Score:5, Informative)

    by grub ( 11606 ) <slashdot@grub.net> on Friday July 02, 2010 @11:19AM (#32773740) Homepage Journal

    Besides, the Chinese and Asian in general are quite relaxed people.

    It isn't the general population causing the VPN problems we have with people travelling in China, it's the government.
  • Re:SSH (Score:4, Informative)

    by leuk_he ( 194174 ) on Friday July 02, 2010 @11:21AM (#32773774) Homepage Journal

    Yup.

    - Set up an SSH server outside of China, always on. For Windows use some port like copsshd.
    - Set it up at an alternate port (not 22, use 443); it will obfuscate it a little bit.

    In China run an SSH client; PuTTY can do this, Tunnelier has some more options.
    https://calomel.org/firefox_ssh_proxy.html [calomel.org]
    Then use the proxy options of Firefox to send traffic over this proxy. Be careful not to leak too much DNS info.

  • SSH as a solution (Score:2, Informative)

    by segin ( 883667 ) <segin2005@gmail.com> on Friday July 02, 2010 @11:22AM (#32773794) Homepage

    This is a really simple problem to solve.

    Keep a box at home, run Linux/*BSD/whatever on it. Have SSH on it. Run SSH on a "common" port that's not 22. 21, 23, 56, 69, 80, and 443 are good candidates. For good measure, keep a small web-based admin util on some other common port (with SSL!) in case you guessed the SSH port wrong.

    Use SSH as a proxy. I forgot exactly how to accomplish this on *nix but on Windows... Use PuTTY. Connection -> SSH -> Tunnels. Set a random source port (which is what port you connect to on your local machine) and select the "Dynamic" option. IPv4/IPv6 option should stay to default "Auto". An entry in the list should read something like D12345 where 12345 is the port. Use localhost:port as a SOCKS proxy.

    And for *nix, there's this guide that should work for all OSes with standard ssh: Guide! [embraceubuntu.com]

  • Re:Is ssh blocked? (Score:5, Informative)

    by DoctorNathaniel ( 459436 ) <nathaniel...tagg@@@gmail...com> on Friday July 02, 2010 @11:25AM (#32773822) Homepage

    I have done this from Beijing and it worked the week I was there.

    FoxyProxy is a nice add-on to use for this, since it allows you to either whitelist specific sites for use through the proxy, or to simply switch back and forth to the proxy as you need.

  • Re:Good luck! (Score:3, Informative)

    by Anonymous Coward on Friday July 02, 2010 @11:27AM (#32773868)

    I live in China. I access the Internet unhindered. I've never, in nine years, encountered a situation where only encrypted links are shut down (for even MINUTES at a time!) while everything else went through. I have experienced situations where specific backbones get so badly clogged up that *all* traffic (including, sadly, my link to my VPS) is screwed up, but never one where just the link to my VPS was down.

    That's almost a decade, folks. I'm not quite calling "bullshit" on grub here. I'm sure he's seen this problem with VPNs. I just think his techies (or grub himself) are using the Great Firewall as an excuse and not bothering to actually test things. "Oh, it's from China. Obviously the Great Firewall."

  • Forget About Speed (Score:4, Informative)

    by malloc ( 30902 ) on Friday July 02, 2010 @11:28AM (#32773878)

    ... while ... enjoying sufficient speed?"

    Unless they've opened a few new trans-pacific pipe connections since I was last there, forget about speed. Maybe it was just my ISP (Great Wall, ha) but within China you can get nice (e.g. 750kb/s) speed but the moment you cross the pacific your latency is killer and you're crawling at 5-10kb/s. This is using corporate VPN or without. I suspect the actual throughput is a result of active throttling by the State. In terms of restricting general information, making something extremely painful is nearly the same as blocking it.

  • Re:Good luck! (Score:4, Informative)

    by Amouth ( 879122 ) on Friday July 02, 2010 @11:36AM (#32774042)

    i run a VPN server for several friends of mine - the whole use is to get around what ever they run into - be it China (rare but they do go there) or some lame ass university's filter..

    one of the more often used services for really locked down places is a good old SOCKS server running on 443..

  • Re:SSH (Score:3, Informative)

    by Nerdfest ( 867930 ) on Friday July 02, 2010 @11:36AM (#32774046)
    TSocks may be the application you're looking for. I haven't gone through the setup of it yet but it looks like it will tunnel any traffic through ssh.
  • by LWATCDR ( 28044 ) on Friday July 02, 2010 @11:40AM (#32774120) Homepage Journal

    I agree with you about 99%.
    Setting up your own VPN is probably fine. If there are problems just claim that you need it to access work or school. What I wouldn't do is "help" people in China do the same.
    1. If you are asking on slashdot you probably lack the skills to do it well.
    2. If you get caught as a US citizen they will probably just take your computer and kick you out. You are not worth the bad press they will get.
    3. If you help Chinese citizens do the same you can become worth the trouble. Which is a very bad thing.
    4. You may hurt those that you are trying to help. Trust me, there are a lot of bright folks in China that have the skills to get around the great firewall. They also probably know better who to trust.
    You are a foreigner; trust me, odds are they may already be watching you a bit. If you are not a business person I expect they are watching for you to try and do this very thing. As much as people like to make fun of security people they are not dumb. Figure that they have a lot more skill at catching you than you have at evading them. If you or your friends don't get caught it will be just because of luck.

  • Re:Fear (Score:2, Informative)

    by sdiz ( 224607 ) on Friday July 02, 2010 @12:03PM (#32774502)

    "seditious Chinese website" -- like wikipedia, dropbox, archive.org, google cache, blogspot, sourceforge, freebsd.org, youtube, twitter, foursquare and facebook .

  • What Firewall? (Score:4, Informative)

    by Dr. Hok ( 702268 ) on Friday July 02, 2010 @01:02PM (#32775712)

    "seditious Chinese website" -- like wikipedia, dropbox, archive.org, google cache, blogspot, sourceforge, freebsd.org, youtube, twitter, foursquare and facebook .

    My experience might be a bit outdated (October 2008 was the last time I was in China), but I didn't see much of a firewall there. The only sites that I couldn't reach (occasionally!) were zh.wikipedia.org (which I tried out of curiosity) and a sourceforge download site in Taiwan. And I tried a lot of sites, including the ones that you mention and other usual suspects.

    My Chinese colleagues told me that generally only Chinese-language sites and sites located in Taiwan are blocked. They also told me that anyone with basic computing literacy can circumvent the firewall anyway without so much of an effort. I can't tell you much about the details because I didn't need to and my colleagues didn't seem to want to speak about it. My impression was that the Chinese DNS server just didn't resolve some site names.

    At times I had the impression that the SSL connection to my webmail service in Germany and the VPN connection to my company's intranet was a bit slow and unreliable (which made me paranoid of a man-in-the-middle attack), but when I was in the US recently the connection was even more slow and unreliable. Draw your own conclusions.

  • by alieneye ( 86920 ) on Friday July 02, 2010 @01:04PM (#32775742)

    See http://www.dyndns.org [dyndns.org] for getting around dynamic IPs from your ISP.

  • Re:SSH (Score:3, Informative)

    by SwedishPenguin ( 1035756 ) on Friday July 02, 2010 @01:22PM (#32776070)

    1. ssh -ND 8080 anyserverwithssh
    2. Direct Firefox to use localhost:8080 as a socks5 proxy

    Confirmed to work in China by a friend who was recently there.

  • Re:Good luck! (Score:5, Informative)

    by Cimexus ( 1355033 ) on Friday July 02, 2010 @01:28PM (#32776156)

    Yep, mod parent up.

    Even better, make one yourself. Grab an old box you have lying around, whack a copy of Ubuntu on it (or other Linux distro of your choice), enable SSH server and leave it running on your net connection at home. Then using PuTTY or whatever on your laptop you're taking to China, make SOCKS proxy/SSL tunnel to your home box and you are good to go.

    Free software and simple to do. Speeds are limited by the speed of your connection in China, and obviously the upstream speed of your net connection back home. But should be enough for basic browsing.

  • Re:SSH (Score:1, Informative)

    by Anonymous Coward on Friday July 02, 2010 @01:37PM (#32776362)

    With SSH you can setup L3 OR L2 VPNs. In the latter case, you can use UDP over SSH with no problems (i used it once to make calls with a SIPphone via my work's gateway).

  • Re:Fear (Score:2, Informative)

    by BrokenHalo ( 565198 ) on Friday July 02, 2010 @01:42PM (#32776448)
    It isn't the general population causing the VPN problems we have with people travelling in China...

    No. It's the fact that some people are cheapskates. Anyone can subscribe to an offshore VPN for less than US$10/month. Given that the OP is only in China for a few weeks, I don't see what he's whining about. After all, he will probably have to spend that amount on a power adaptor for his laptop.
  • Re:SSH (Score:1, Informative)

    by Anonymous Coward on Friday July 02, 2010 @01:53PM (#32776662)

    This is the way I got access to Facebook and other places while I was there as a liaison between our company and our Chinese team.

    ssh -D [local port] user@host

    Firefox with FoxyProxy (so DNS requests are passed through the ssh SOCKS tunnel). Just check the "Use this proxy for all DNS lookups" box and you'll be all good.

    You can then use whatismyip.com to double-check that your requests are passing through said host.

    Obviously, make sure you know the server fingerprint before you go. And turn on your firewall if you normally keep it off because you're behind a NAT/Firewall and you're lazy like I am.
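
Several comments above warn about DNS lookups leaking outside the SSH SOCKS tunnel. The following is an added example, not part of any comment in this thread: a shell check of a Firefox `prefs.js`/`user.js` for the proxy preferences the thread names. The function names and the sample profile are constructed for illustration, and an unset `network.proxy.socks_remote_dns` is assumed to mean `false`.

```shell
#!/bin/sh
# Added example (not from the thread): audit Firefox proxy prefs for DNS leaks.

# pref_value FILE NAME -> prints the last value assigned to NAME (later lines win).
pref_value() {
    sed -n "s/^[[:space:]]*user_pref(\"$2\",[[:space:]]*\(.*\));[[:space:]]*\$/\1/p" "$1" \
        | tail -n 1 | tr -d '"'
}

# audit_socks_prefs FILE -> prints a one-word verdict.
# Returns 0 only when browsing AND name resolution both go through a local SOCKS port.
audit_socks_prefs() {
    ptype=$(pref_value "$1" network.proxy.type)
    host=$(pref_value "$1" network.proxy.socks)
    port=$(pref_value "$1" network.proxy.socks_port)
    rdns=$(pref_value "$1" network.proxy.socks_remote_dns)
    # network.proxy.type 1 means "manual proxy configuration".
    if [ "$ptype" != "1" ] || [ -z "$host" ] || [ -z "$port" ]; then
        echo "no-proxy"; return 2
    fi
    # "ssh -D PORT" listens on loopback; any other SOCKS host means the
    # browser-to-proxy hop is not protected by the SSH tunnel.
    case "$host" in
        127.0.0.1|localhost|::1) ;;
        *) echo "non-local-proxy"; return 3 ;;
    esac
    # Assumption: treat an unset pref as false, so it must be set explicitly.
    if [ "$rdns" != "true" ]; then
        echo "dns-leak"; return 1
    fi
    echo "ok"; return 0
}

# Constructed sample profile: proxy configured as in the thread (localhost:8080),
# but remote DNS never enabled, so hostnames would still go to the local resolver.
demo=$(mktemp)
cat > "$demo" <<'EOF'
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 8080);
EOF
echo "sample profile: $(audit_socks_prefs "$demo")"
rm -f "$demo"
```

Firefox rewrites `prefs.js` on exit, so run the check against a closed profile or against the `user.js` that sets the values.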

  • Re:Fear (Score:3, Informative)

    by icebraining ( 1313345 ) on Friday July 02, 2010 @02:04PM (#32776844) Homepage

    Even cheaper: $19 for three months, by the IPREDator: https://www.ipredator.se/ [ipredator.se]

  • Re:Really? (Score:3, Informative)

    by fishexe ( 168879 ) on Friday July 02, 2010 @03:01PM (#32777912) Homepage

    How about just suck it up and deal with it. Unless you need to look up "Tiananmen Square" every 10 minutes, it really shouldn't be a problem. They filter state secrets and political opinions, not your twitter traffic.

    Actually, when I was there Facebook and Youtube were the big sites being blocked. Twitter has been blocked, off and on, for the last 8 months or so.

  • Re:Fear (Score:3, Informative)

    by QuantumRiff ( 120817 ) on Friday July 02, 2010 @03:14PM (#32778110)

    Or, if you have a linux web server (as he claims he can setup) setup SSL on there, and redirect all web traffic over the SSL Tunnel. Bonus points if he authenticates to his linux box using keys, instead of a password.

  • Re:Fear (Score:3, Informative)

    by QuantumRiff ( 120817 ) on Friday July 02, 2010 @03:17PM (#32778166)

    Oh goodness.. I have been dealing with SSL all morning.. Of course, I meant SSH.. grr

    http://www.ubuntu-unleashed.com/2008/03/howto-create-ssh-tunnel-for-firefox-to.html [ubuntu-unleashed.com]

    Add squid if you are nervous about other web based tools, besides a single browser window.
