In A Nutshell
The easiest way to bypass the Chinese Firewall is to buy a VPN that serves China. I recommend these VPN services:
- ExpressVPNExpressVPN: Servers in Hong Kong and the US West Coast. Many apps available. 30 days money-back offer.
- VPN.AC: They have many optimization for Chinese users, and they have three servers in Hong Kong, one in Singapore and three on the US West Coast, with peering with China Telecom and China Unicom.
Many people mention these VPN services for China, but I do not recommend them:
- Astrill: Unreliable VPN service, especially recently. Poor customer support. Requires a phone number during registration.
- VyprVPN by GoldenFrog: Expensive. Unreliable connections, slow& argumentative customer service.
A VPN or “virtual private network” is a service that encrypts and redirects all your internet connections. The Chinese government has never stated that using a VPN to circumvent the Great Firewall is illegal, and nobody has been prosecuted for using a VPN. Despite this, China blocks the websites of most major VPNs.
When in China, you want to connect to VPN server in Asia (e.g. in China, Hong Kong, Bangkok). The next best option is to connect to a server on the West Coast of the US (e.g. Los Angeles, San Francisco).
Which VPN Protocols To Use?
- OpenVPN: Strangely, this is the least reliable protocol/client to use — you’ll find most ports are currently blocked (connection reset). The main cause appears to be spoofed RST packets.
- L2TP: This is a fast protocol for China — it appear to working well currently
- PPTP: Use only if L2TP doesn’t work for you — it’s slower and less reliable than L2TP
- SSTP: Establishes a connection over secure HTTPS (Port 443) — this allows clients to securely access networks behind NAT routers, firewalls and web proxies, without the concern for typical port blocking issues
For a more details on hiding your VPN connections from Deep Packet Inspection, see my article How To Hide Your VPN Connections In China, Iran, United Arab Emerites, Oman and Pakistan.
Here are more details on the VPN providers I recommend for China:
ExpressVPN is optimized for China — it has servers Hong Kong and the US West Coast. Many people like their 30-day money back offer. They are slightly more expressive than other VPNs, but worth it if you want reliability. The monthly rate is $12.95.
Private Internet Access
Private Internet Access is a VPN service that is highly regarded by privacy advocates. The company has servers in Hong Kong. They remain our top choice for a privacy-oriented VPN service, and they received a PC Magazine Editor’s Choice Award for VPN services.
The service costs $6.95 per month, or $40 per year.
VPN.AC has three servers in Hong Kong, one in Singapore and three on the US West Coast, with peering with China Telecom and China Unicom. They have many other optimization for China — the detail are sent via email when you sign up . VPN.AC is owned by Netsec Interactive Solutions – a company with ten years of experience in internet security. They provide a self-hosted DNS (domain name service), which is quite useful in China.
They accept Chinese-friendly payments such as Alipay and Unionpay. They also accept Paypal, BitCoin, CashU, Paysafecard and UKash.
More Tips On Avoiding The Firewall
Don’t use a Chinese DNS server (i.e. your local ISP provided DNS server). China loves to mess with DNS and implements a lot of filtering through their DNS servers, returning bad data or no data at all for a lot of requests.
You can check what DNS servers you are using here:
If you’re still using a Chinese DNS, change your DNS settings to use either the servers provided by your VPN, or one of the many public DNS servers. I recommend the following:
If just want to browse the uncensored internet in the short term, you can use the free Tor Browser. Note that, while using Tor, your web page will be somewhat slow to load, and your other internet connections will still be blocked. Also, make sure you use a Tor Bridge.
These are some more tips I’ve gleaned from forums online:
I worked in China last year, specifically for networking (new factory for an American company). Here’s my basic findings: SSH, IPsec, SSL VPN all can and will be messed with. Firewalls on both sides can be configured to block a RST packet. When I needed outside I used a host in Bangkok, Los Angeles, and Houston as options. Usually at least one worked. These were my gotos for laptop and cell phone usage.
For a more permanent office network solution I set up an IPsec tunnel to USA via Hong Kong, which appears to be very stable and less messed with.
Be aware that your Skype usage without a VPN is likely monitored. “TOM” is Skype’s China affiliate. Skype.com redirects to their servers and likely your client goes through their Chinese servers as well.
Hello. Network Engineer here. I also live in China. If you want outside access, you are going to have to tunnel via SSH or use VPN. No other way around it. If you have the cash to spend, get a small server in Rackspace Hong Kong. .cn <—> hk is very fast. From there you VPN and you’ll have near western speeds. Also, you could try setting up a micro instance on EC2 Japan. OpenVPN seems to work well from China to there. On your home router, or machine, you could download a list of Chinese CIDR routes, and have them point to your routers internal IP while pointing everything else down the tunnel. I have used that method for almost 3 years. It’s slow, but works.
You want to avoid using a VPN for all traffic. The internet in China is slow when going international, either in or out. This may or may not be extra internet filtering at the border, but even if a VPN is connected well it makes things pretty slow when your VPN comes out in (say) LA. For example Skype works without a VPN, when I want to Skype someone I have to disconnect my VPN or it’s almost always unusable, but if during the Skype conversation they send me a vimeo link I have to wait till after the call to checkout the link. For this reason you only really want to use a VPN when you actually need it (the site/service is blocked). Also the government seems to firewall connections that are “always” channeling traffic internationally. I’ve found that if you connect in an institution/hotel you seem to have better luck sustaining a long continuous VPN connection, rather than at home or in a small business. 100% international traffic is a sure sign that you’re on a VPN.
VPN connections get terminated all the time. Every protocol, every location, most days, it’s up/down/up/down. Sometimes the government, sometimes the internet. it’s really hard to tell what’s causing it. On bad days you spend quite a lot of time cycling different connections.
I’ve got a huge 6TB bittorrent file sync running on a NAS so my offices in and out of china can get at least all the offline files on Google Drive and Dropbox (Installed on server in Canada, sync using Bittorrent Sync to China). God help me if they figure out how to block bittorrent sync though!
List Of Some Websites That Are Blocked
You can search to see if a particular website is blocked in China here.
|Website Name||Block Status||Website Address|
|Internet Movie Database||BLOCKED||www.imdb.com|
|Reporters Without Borders||BLOCKED||www.rsf.org|