8

Here's the problem https://www.theguardian.com/technology/2017/jan/23/china-vpn-cleanup-great-firewall-censorship

10-12 weeks per year I'll be in China and I need to access Google and Facebook.

My neighbour in China has been kind enough to let me use his Wifi so I'll connect to it and then connect to a VPN server I run on my ASUS RT-AC68U router in Europe.

Question 1: Can Chinese authorities easily identify this traffic (like encrypted PPTP traffic to the same IP for several hours every day)?

I don't want my neighbour to get in trouble.

HPF
  • Check out this question: http://security.stackexchange.com/questions/17855/is-it-possible-to-identify-a-vpn-user-by-finding-relations-in-traffic When I was in China I used shadowsocks btw, worked like a charm. – akg Mar 04 '17 at 20:25
  • You could always resort to Tor browser in combination with proxy chains. It should be harder to keep track of the destination in comparison to a VPN, where it's easy to tell when you are using one. You should take a look at tor buddy: https://sourceforge.net/projects/linuxscripts/files/Tor-Buddy/... This, however, could make you suspicious at the very least, especially since we are talking about China. But so does a VPN, which they want to restrict anyway. – user633551 Mar 04 '17 at 20:56
  • PPTP? That is an ancient protocol compared to the OpenVPN most services use, isn't it? – NoBugs Mar 05 '17 at 03:26
  • Thanks for the replies. As for using Tor Browser, which I believe is also illegal in China, can I set it to identify as, for instance, Chrome, and everything will be fine? – HPF Mar 05 '17 at 23:14

2 Answers

4

Encrypted traffic is very easy to spot but determining what it's being used for is not always so easy. China does still allow some encrypted traffic so you may want to dig into what they actually allow first and see if you can find a solution that isn't a problem. Supposedly they are ok with large businesses using VPN for actual work but are cracking down on smaller home-made solutions and VPN providers known more for anonymous connections rather than for corporate use.

You may want to read the comments in the following article which discuss what types of traffic are actually blocked and what is allowed.

https://www.schneier.com/blog/archives/2012/12/china_now_block.html

In any case, the answer to your question is YES it is super easy to identify and block PPTP traffic.

There are ways to set up a secure web-server with a hidden web-proxy behind it or leverage Secure-Shell for tunneling in a manner that looks like shell access, but you need to be very careful how you handle DNS and potential IPv6 leaks, which could potentially allow them to know what you are doing.

Basically, if you can, you want to make it look like you are just working occasionally.

You may also want to look at the following web page which shows details on what they block and why.

https://en.wikipedia.org/wiki/Internet_censorship_in_China

Do understand that you may be breaking laws which may have punishments at a greater cost than the value of your Facebook and Google communications. The trade-off may not be worth the risk.

Trey Blalock
  • And if you want to use PPTP check this out first: http://security.stackexchange.com/questions/45509/are-there-any-known-vulnerabilities-in-pptp-vpns-when-configured-properly – akg Mar 04 '17 at 20:35
2

As far as I know, the Chinese authorities reduce the network speed for encrypted connections, but most of them work.

Your neighbor probably knows the risks very well.

If he is not associated with activities considered unwanted by the Chinese government (Falun Gong, Tibet, Taiwan, Catholicism, rule of the Communist Party), you are nearly free.

They also tend to be much more lenient with foreigners, because they know very well that you will soon leave and you are anyway totally incapable of inciting a revolution. Of course, if you are sent by a Christian church to find converts, then start the investigation with your church and leave your neighbour out of the whole thing.

What you should check: if you are on the VPN, all of your communication should be done there. This is particularly about DNS requests: it often happens that all of the communication goes over the VPN, but the DNS doesn't. Thus, a network eavesdropper will have quite a good impression of what you could be doing.

In your case I would use OpenVPN with a home server, but you know, opinions are like a...e: everybody has one, but nobody is really curious about the others' :-)

And, you will have to live with a little network bandwidth reduction.


Note: it is pretty clearly visible if your network communication is encrypted. To hide even the fact that it is encrypted, you would have to use some tricky network steganography. You don't need it; the Chinese allow encrypted traffic, they only reduce its bandwidth.

peterh