Ask HN: How would you tunnel through GFW?
14 points by juvenn on Oct 2, 2009 | 32 comments
I think there would be thousands of hackers who're working from Mainland China. So, I'm wondering how you could get through the GFW?

I know that the GFW has been upgraded recently, and it has become more sophisticated in filtering the web. Tor nodes, lots of VPN networks, as well as SSH don't work around it now.

I (or we) would appreciate it if someone here could come up with a good and reliable solution.



My brother was in Beijing for the summer, and he said the SSH tunnel I set up for him worked fine. It's possible that things have changed in the couple months since he's left, but I'd be surprised ...

If you want to go really overboard, tunnel IP over DNS, ICMP, or some other common protocol ;-) (e.g. http://thomer.com/howtos/nstx.html)


Oh, it's a long article, I'll try it later. Thanks for the link.


TOR still works fine -- you just need to configure it to use bridges. https://www.torproject.org/bridges


Thank you neilc, it works so well, though it took me an evening to set up. And I'd recommend this to peers, it makes GFW much much harder to block, thus freeing us ultimately.


Thanks, I will try this if I get free time, but Tor is difficult to configure.

And I cannot even access the bridge link you gave.


Yeah, the TOR website is blocked by GFW, I believe. Basic idea:

1. Email bridges@torproject.org ; the body of the email should contain the line "get bridges".

2. In Vidalia Network Settings, click "My ISP blocks connections to the Tor network", and add the bridge IPs you got via email.


Maybe this link to a PDF version of the info will work: http://dl.getdropbox.com/u/34019/tor-bridges.pdf

If it doesn't, I'll send you the stuff per email.


It works, thank you so much for the stuff.


They're blocking VPN and SSH even on non-standard ports?

Don't know much about the Great Firewall, but I usually keep an SSH server listening on port 80 on a box, sometimes those hotels and company networks don't let anything other than port 80 outbound, and it has yet to fail me.


Theoretically the GFW can do that, because the SSH handshake has fingerprints that can be identified. But it will irritate every administrator in this world.

From a reliable source I heard they only ban SSH/VPN services if they can get a free account for testing. So if you are going to use SSH/VPN, make sure the provider does not serve free trials.
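The point above about the SSH handshake being identifiable, shown from the monitoring side as an added example that is not part of the original thread: RFC 4253 has each side send its identification string in cleartext before key exchange, so a content check finds SSH on any port. The port policy in `EXPECTED` and the sample payloads are constructed assumptions.

```python
import re

# RFC 4253 section 4.2: each side opens with the cleartext line
# "SSH-protoversion-softwareversion[ SP comments] CR LF" before any key exchange.
SSH_ID = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x7e]+)(?: [^\r\n]*)?\r?\n", re.M)
HTTP_REQ = re.compile(rb"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
# Assumed site policy (hypothetical): protocol expected on each destination port.
EXPECTED = {22: "ssh", 80: "http", 443: "tls"}


def classify(payload: bytes) -> tuple:
    """Return (protocol, detail) judged from the first bytes of a TCP stream."""
    head = payload[:2048]
    # TLS record header: content type 0x16 (handshake), major version 3.
    if len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03 and head[2] <= 0x04:
        return ("tls", "handshake")
    m = HTTP_REQ.match(head)
    if m:
        return ("http", m.group(0).split(b" ", 1)[0].decode())
    # A server may send other text lines before its identification string,
    # so search every line start (re.M) instead of only offset 0.
    m = SSH_ID.search(head)
    if m:
        return ("ssh", m.group(2).decode("ascii"))
    return ("unknown", "")


def audit(flows):
    """List (port, protocol, detail) for flows whose content contradicts the port."""
    findings = []
    for port, payload in flows:
        proto, detail = classify(payload)
        if port in EXPECTED and proto not in ("unknown", EXPECTED[port]):
            findings.append((port, proto, detail))
    return findings


# Constructed first-payload samples (not captured traffic).
SAMPLE_FLOWS = [
    (22, b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n"),
    (80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n"),
    (80, b"welcome\r\nSSH-2.0-dropbear_0.52\r\n"),
    (443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Moving the listener to port 80 changes only the port number in each flow; the identification line that `classify` matches is the same.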


You mean that SSH fingerprints are outside of the encrypted data packets, aren't they?

To be honest, I could not afford another premium VPN service.


Roll your own, start an EC2 box whenever you need one and start OpenVPN or use it as an SSH tunnel :) Just consider it as a $0.1/hr charge.


Once a new method is found, people will flood to it, then it will be noticed, and banned. Since GFW was created, this process happened repeatedly. So IMHO, there's no silver bullet.


It's a coevolutionary arms race, it follows a predictable cycle of escalating attacks and defenses until a stable equilibrium is reached, or the environment changes.

The thing is that in this case the government of China appears to have decided that it cannot afford to do without the internet; and that means that they cannot 'win' in the ultimate sense, as by allowing filtered communication they are opening a channel on which illicit communication can be carried. And from what little I know of it, the Chinese government isn't attempting to enforce a particular orthodoxy, they just don't want to be swept away by the social changes that are in progress. My sense is that a few foreigners looking at strange ideas doesn't bother the Chinese government, but large groups of young people getting exposed to new and exciting ideas all at once does.


It's an open secret in the IT industry. And I think the policy will not help, but intensify the discontent under the ground, and it will harm the society in the long run. But given the flaws of the institution, I don't think it will change in the near future.


You do figure out the point.


I use witopia.net - great service - but make sure you get the more expensive ssl package (and play around trying the various nodes). As others have said, it is truly the best $60 bucks I've ever spent if you're a frequent traveler in China. I use it to watch hulu, youtube, facebook, etc. Sometimes it's a bit slower than I'd like but I often find that using it I can get foreign sites faster than even going direct.


If I could afford any premium VPN, it would be a great choice. Thanks anyway.


Just in case it was ambiguous, that's $60/year... Granted, not entirely cheap but...

You can also consider http://hotspotvpn.com/ (I don't know anyone who has it but it was one of the ones that I researched before getting witopia) - $8.88 USD/month if it's the initial $60 that's an issue.


OpenVPN + NAT.

Unlike most VPN technologies which rely on additional encapsulation in Layer 3/4 like GRE and IPSec (which have signatures that can be filtered out easily without deep packet inspection), OpenVPN works over userspace TUN/TAP drivers and a UDP transport. So, it just looks like plain old application-layer UDP traffic. The standard port it uses (1194) can be changed easily.

Although not impossible, it would be very hard to block something like that without catching in the same rules many other ordinary applications that use UDP, such as most online games, Skype, etc.

It does, however, require that you tunnel to a concentrator outside the GFW.


A lot of feedback from kind hackers, I could only conclude that there is no silver bullet.

Though I think the best work-around is hosting a server outside of mainland China, and then tunneling through SSH or VPN. An EC2 might work here, but I've not tested it. If someone has tested it, please share your hack with us.

Thanks all.


I thought the GFW worked by sending a RST to any TCP connection that it didn't like. If you ignore the RST then the connection goes ahead. Has that changed?

http://www.cl.cam.ac.uk/~rnc1/talks/060628-Ignoring.pdf


Oh, I could not get the PDF, would you please mail me a copy at machese AT gmail, thanks.


All bypass methods can be categorized into two:

1. Methods that require a 3rd-party server

2. Methods that do NOT require a 3rd-party server

Currently mainland underground hackers focus on methods #2, and as far as I know 3 POCs work fine through GFW on OSI level 3, 4, and 7, unless the target is an IP ban.


There is also now DNS poisoning of high profile sites like Facebook and Twitter. So be sure to use a DNS proxy that is outside China.


> So be sure to use a DNS proxy that is outside China.

This is where many people think wrong. GFW hijacks all UDP port 53 data, and OpenDNS fails like others. You MUST use a clean DNS server inside China or on localhost. Query DNS via IPv6/SSH/VPN/Socks/TOR/TCP.


Yes, I use OpenDNS now, but it fails like others.


What does "3 POC" mean? I'm interested in learning about methods that don't require a 3rd party.


3 proofs-of-concept. The idea is simple, use garbled protocol to make GFW confused but destination servers understand. And inject designed low TTL packets to GFW.



ssh tunnel always works for me


You host your own ssh server, or a 3rd party's?



