Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Censorship China Communications Encryption Government Networking

China Cuts Off Some VPNs 222

jaa101 writes The Register (UK) and the Global Times (China) report that foreign VPN services are unavailable in China. A quote sourced to "one of the founders of an overseas website which monitors the Internet in China" claimed 'The Great Firewall is blocking the VPN on the protocol level. It means that the firewall does not need to identify each VPN provider and block its IP addresses. Rather, it can spot VPN traffic during transit and block it.' An upgrade of the Great Firewall of China is blamed and China appears to be backing the need for the move to maintain cyberspace sovereignty.
This discussion has been archived. No new comments can be posted.

China Cuts Off Some VPNs

Comments Filter:
  • Comment removed based on user account deletion
    • by Luckyo ( 1726890 )

      Right. International business will be kept out of China because it's required to conform to local laws regarding internet access.

      In other news, international business will be kept out of EU because of customer protection legislation and out of US because of danger posed by gun culture and gun laws.

      Said no one with a clue, ever. On any of those points. Internationally ran businesses judge their presence in the target country based on profits and risks. Thing mentioned above are categorised as "risks", and as

      • Right. International business will be kept out of China because it's required to conform to local laws regarding internet access.

        In other news, international business will be kept out of EU because of customer protection legislation and out of US because of danger posed by gun culture and gun laws.

        Said no one with a clue, ever. On any of those points. Internationally ran businesses judge their presence in the target country based on profits and risks. Thing mentioned above are categorised as "risks", and as long as profits are greater than risks, which they will be in China for foreseeable future, risks will be mitigated through things like usage of local services that aren't blocked in China, providing the necessary support to users in EU and so on.

        It depends on exactly what they are blocking. If they're blocking corporate VPNs, it will just make companies even less willing to trust the security of systems in China. Hint: they're not willing to trust that security now. Any major foreign corporation that keeps source code in China now is nuts.

        • by Luckyo ( 1726890 )

          Certainly. Which is a risk. Which needs to be mitigated, just like the other example I provide, exposure to support and warranty claims made in EU.

        • Re:Well (Score:5, Informative)

          by Zontar The Mindless ( 9002 ) <plasticfish@info.gmail@com> on Saturday January 24, 2015 @01:58AM (#48891387) Homepage

          Where I work, you don't do anything with company-owned data unless it's on the corporate VPN.

          It's one of the world's 5 largest software companies, does billions in business in the PRC annually, and it's not Microsoft or Apple.

          I do not think when I visit China next month that I will find the corporate VPN blocked. It certainly isn't being blocked right now for my colleagues who live there.

          • Re:Well (Score:4, Informative)

            by thegarbz ( 1787294 ) on Saturday January 24, 2015 @10:39AM (#48892753)

            Greetings from China. I don't live here, just working here for a few months.

            Corporate VPNs work just fine.
            Many non corporate VPNs work just fine too.

            Actually I'm not seeing any problem. Both my OpenVPN connection on TCP port 443 (good luck blocking something like that without breaking the internet), and my PPTP connections to a Canadian VPN I subscribed to before I left still work just fine. L2TP has been sketchy from the get go but that was listed in the VPN's FAQ as well. Also China appears to throttle UDP traffic quite heavily so TCP based connections to the USA seem to be most reliable for me.

            Basically I haven't seen any change in the past month or so.

            • OpenVPN is trivially identifiable on port 443, and has been for some time. Im not sure why theyre not blocking you-- perhaps you're using a site-to-site tunnel with static keys. Certificate-based OpenVPN is notoriously unreliable in China because they fingerprint it within about 20 minutes and kill the connection.

              Part of the reason I know it can be fingerprinted-- aside from the fact that Im well aware of what works and doesnt behind the GFW-- is that Im good buddies with my employer's security team, and

      • out of US because of danger posed by gun culture and gun laws

        This "danger" keeps violent crime at less than 1/7 the level of UK, comparing New York to London (similar population, similar percentage of "bad" minorities, etc).

        • Re: (Score:2, Insightful)

          by whoever57 ( 658626 )

          This "danger" keeps violent crime at less than 1/7 the level of UK, comparing New York to London (similar population, similar percentage of "bad" minorities, etc).

          Where did you get that BS from? Fox News?

          Hint, I think that you have the ratio the wrong way round.

          • It's probably to do with a difference in standards.

            UK: violent crime is someone bumping too hard into someone else on the street.

            US: unless someone is killed, it doesn't even make the statistics.

            So that ratio of London 7 vs New York 1 sounds about right.

            • US "violent crime" includes Robbery, Rape, Assault, and Homicide. Note that guns, in and of themselves, are not relevant to "violent crime". It can be "violent" with a gun, a knife, or a pillow over the face of the victim....

              I'm curious, what else does the UK count as "violent crime" ?

        • Hi, kids! It's time once again for that old Slashdot favourite, Meme #537, "[citation needed]".

          A casual Google search for "crime rate new york city vs london" yields indicators that NYC has about 4 times the rate of homicides and other violent crime than London, as of last year.

          The TL;DR version: "I think you're making stuff up."

          • Interestingly enough, when I used your search terms, I didn't get the results you got.

            Three times the rate of HOMICIDES for New York, but about the same for rape and vehicle theft.

            Of course, vehicle theft is NOT "violent crime" in the USA.

            And the other links shown on the first page of your search don't seem to agree with you that New York had "about 4 times the rate of homicides and other violent crime than London, as of last year"...

        • in London, you get in a fight and you get a broken arm or a broken nose

          in New York City, you get in a fight and you get a body bag

          whenever the homicide rate of the USA is compared to other Western countries, NRA propagandized morons change the subject and counter about *violence*. as if *violence* is the same as *homicide*

          frankly, i'd love the violence rate in the usa to go up and the homicide rate to go down. because a broken arm is not a body bag

          and you get that with better gun control

          but too many of my f

        • Dude, all of England (aka: 56 million people) had 560 murders last year in 2013. NYC (8-9 million range) was crowing about 333.

          I don't know where you got that number from, but I suspect it was from somebody who was skilled at the art of BS.

          • You're cherry-picking a single crime where NYC leads. In every other field, London wins handily. Compare: 1 [wikipedia.org] vs 2 [wikipedia.org].

            I'd take a tiny chance to get murdered over not being able to walk in the middle of the city without being robbed or assaulted. Living in Poland, I have so far been robbed twice and assaulted 7 times (once with an injury), and murdered... still not even a single time. And by statistics, my chances to do so are really, really slim.

            And these stats ignore the fact that murders happen predominant

            • You can't compare anything but murder because the categories are different. I personally have been the victim of two crimes which would be reported as violent crime in England, which I reported to the local cops, but were not included in these statistics. In addition to these two crimes I mentioned, my sister has been mugged three times in DC and NYC.

              If you want a anti-gun-control person's takedown of this particular statistic I refer you to:
              http://blog.skepticallibertari... [skepticallibertarian.com]

      • risks will be mitigated through things like usage of local services that aren't blocked in China, providing the necessary support to users in EU and so on.

        You're probably right. That being said, all my developer friends in China use VPNs to access things like Github.

        I know there are alternatives to Github, but really this is becoming an annoyance for them. It's not like they're artists or political activists, they're just using paid VPN access to get their job done and/or viewing the occasional Hollywood movies.

        That's an entire class of people that were already pacified. There was nothing for China to gain by doing that. Blocking the free VPNs should have bee

        • by Luckyo ( 1726890 )

          I strongly suspect that one of the point behind this is to move business and create jobs in China instead of allowing foreign dominant services to take hold. In which case, this is very much successful.

      • AFAIK its technically illegal to have an encrypted laptop in China. Any guesses as to whether my employer, or federal employees, or other major companies just go "oh gee, better turn off disk encryption"?

        Businesses arent going to just sacrifice a market, but theyre also not going to blithely let their secrets be stolen upon entry into China or on net usage.

  • Defective by design. (Score:5, Informative)

    by dgatwood ( 11270 ) on Saturday January 24, 2015 @01:01AM (#48891197) Homepage Journal

    It doesn't help that most VPNs are so easy to detect and block at the IP header level. PPTP depends on the GRE IP protocol (47), and L2TP is usually tunneled over IPSec, which depends on the ESP IP protocol (50). By using different protocol numbers in the IP headers, the designers of these protocols made it mindlessly easy to block them, and made them harder to support, because routers have to explicitly know how to handle those nonstandard protocol numbers.

    • by whoever57 ( 658626 ) on Saturday January 24, 2015 @01:42AM (#48891333) Journal

      It doesn't help that most VPNs are so easy to detect and block at the IP header level. PPTP depends on the GRE IP protocol (47), and L2TP is usually tunneled over IPSec, which depends on the ESP IP protocol (50). By using different protocol numbers in the IP headers, the designers of these protocols made it mindlessly easy to block them, and made them harder to support, because routers have to explicitly know how to handle those nonstandard protocol numbers.

      The last time that I was in China (a couple of years ago), OpenVPN using non-standard ports to my private server was blocked. In the end, I ran OpenVPN over tcp/22 (yes, ugly and slow, but it worked). I don't understand why VPN's were blocked but not SSH. OpenVPN uses UDP (by default), so no obvious protocol numbers to block.

      • by drolli ( 522659 )

        Two year ago: Openvpn was fine, but webpages of providers were blocked (not a bad strategy...).

        Last year: private Openvpn server worked, but connections dropped after ~1Gbyte was transferred, and well known providers were blocked

        This year: openvpn was detected (not sure how!) and private server seems to have ended on some "gray" list, ssh connectionsafter that were very slow (although that could coincide with slow internet); sshing to singapore AWS cloud was fine, but i had the feeling that switching betwe

      • I'm here now. OpenVPN over TCP/443 works just fine, as does connections on various other ports like TCP/8333 (my current connection).
        PPTP is curently not working (but it was about an hour ago), and L2TP currently IS working. But it hasn't really worked reliably since I got here.

        Basically I'm not seeing anything new. VPN connections and internet connections to the outside world have been haphazard at best and it's been a guessing game of what protocol and which server will work best on any given day. Though

    • by jaa101 ( 627731 )

      By using different protocol numbers in the IP headers, the designers of these protocols [...] made them harder to support, because routers have to explicitly know how to handle those nonstandard protocol numbers.

      How do nonstandard protocol numbers make it harder for routers to route the packet? You have the destination IP: just forward the packet already. Oh, you want to be a firewall and block selected traffic or even do deep packet inspection? That's not routing.

      • by dgatwood ( 11270 )

        Okay, fair enough. I usually lump firewalls and routers in the same bucket, because outside of backbone hardware, most routers also act as firewalls. The point is that a lot of (badly designed) consumer routers (firewalls) do stupid things like routing only TCP and UDP, or treating those other protocols as "special" under the assumption that VPNs will always be used from the inside out, never from the outside in, resulting in all sorts of fun.

  • by ZackSchil ( 560462 ) on Saturday January 24, 2015 @05:10AM (#48891827)

    I was just in China a few days ago. Was there for 3 weeks prior to that. I have a VPN setup in my apartment back in the US and I typically dial in to it. It was great for the first two weeks and a half weeks. After that, it would fail to authenticate or work really slowly, randomly drop traffic, then disconnect after a minute. I was using a relatively insecure PPTP system with 128 bit encryption. I wasn't worried about getting spied on, I just wanted news, youtube, and social media unblocked.

    Frustrated, I had a friend set up a PPTP link at his apartment, using different keys and a different IP. That worked perfectly for the last few days I was in the country. So they're definitely doing some kind of long-term traffic analysis over many days, and then blocking close to real time after that (30-60 seconds).

    Basically I got to witness the blockage go into effect. Yes it's real. Yes it's general purpose, not a high level block on specific free websites. Yes it was a huge pain the the ass.

    • I was in China last summer. Essentially exactly the same thing happened to me, although I was using SOCKS5/ssh not PPTP. My girlfriend and I subsequently had a hell of a time playing Heroes 3 for Linux remotely even when not using ssh, so they must have shit-listed my IP address. Then, a few months later, everything magically started working again and the ssh proxy my girlfriend was using worked fine. So did Heroes 3, thankfully.

      During the shit-listed time, I came across this list: https://www.torprojec [torproject.org]

    • Not sure if I'm getting lucky or not but they seem to be pretty haphazard in their approach. For the past few weeks I've been having no problems with PPTP though L2TP has been an issue. Today I can't even connect over PPTP but L2TP seems to be blazingly fast.

      In any case OpenVPN over 443 seems to be the most reliable connection which has worked pretty much every time without issue.

  • If China blocks US VPNs (our exports), why isn't the US considering blocking Chinese goods in return?
    If nothing else, it is our own long-term best interests to force China to become more free, as it is the only thing that will prevent them winning a race-to-the-bottom competition on wages.

    • why isn't the US considering blocking Chinese goods in return?

      Yeah because policy to suddenly raise the cost of goods in America is exactly what is needed during times of economic trouble. I'm sure the general populace would stand behind their president all in the names of improving freedoms in a different country.

    • by silfen ( 3720385 )

      If China blocks US VPNs (our exports), why isn't the US considering blocking Chinese goods in return?

      Because, fortunately, even the moron-in-chief seems to have more sense than that.

      If nothing else, it is our own long-term best interests to force China to become more free, as it is the only thing that will prevent them winning a race-to-the-bottom competition on wages.

      Oh, we can easily prevent the race to the bottom. In fact, you can do it yourself: just look at your paycheck in cents instead of dollars. Se

      • What I mean is that, any country which has no democracy has no workers' rights. Therefore, Chinese workers will never effectively demand decent working conditions. This makes them more competitive than the EU/US, and our workers (who rightly expect decent treatment) will be out-competed by cheap labour from contries that abuse their workers. The result is unemployment in the West, and "slave"-labour in the East.

  • ... the United States government wants to prohibit encryption.

  • by Anonymous Coward

    I'm a Canadian expat and I've been in China almost 3 years now. They started blocking VPNs over 2 years ago.

    I've tried StrongVPN, Astrill, and PIA and found StrongVPN with PPTP usually works pretty well.

    OpenVPN will work for about 10 min before becoming unusably slow. L2TP sometimes works but recently (in the last year) becomes too slow.

    My guess is they like PPTP because it's flawed and they can break it easily, which I don't care about as long as I can access youtube, facebook, ect. The PRC doesn't care

  • TFA says:

    VPN services that wish to operate within China are required to register with Ministry of Industry and Information Technology for permission

    Would it make sense for corporate VPN to register? I mean the situation where the VPN service is only accessible for non Chineese employees visiting mainland for business purpose.

    And if it makes sense, what is the procedure?

No spitting on the Bus! Thank you, The Mgt.

Working...