Slashdot linked to an article on China restricting VPN access, in particular OpenVPN clients. (Also: OpenVPN’s forums have a similar report.) The problem seems to be that they’ve implemented some sort of protocol detection that flags and then blocks OpenVPN connections after a while. Unfortunately, this is no longer an academic problem for me, since I’ve got a good friend who’s going to be spending a few months in China on a university exchange program, and Facebook, Skype and possibly FaceTime are all blocked.
I originally planned on setting up Tunnelblick (since said friend is using OS X) with the same OpenVPN profile that I’m using, but the changes to the firewall mean that I need to implement some sort of workaround beyond changing the port to something other than the default. (I assumed they’d already be blocking the default port 1194; I’d be surprised if they weren’t.)
The fixes that I’ve found seem to center around two things: move OpenVPN to a random port, or use TCP, or a combination of both. The best ‘source’ I’ve found is, surprisingly, a VPN provider’s page. (It’s surprising because I’d consider this to be a unique selling point, and so expect they wouldn’t publish it, but thankfully they’re using it to communicate with their customers.) Another VPN provider also has China-specific config files using TCP on port 443, so that’s something I’ll likely be doing. (Even though tunneling TCP within TCP is a bad idea, since the inner and outer retransmission timers fight each other, I’ll take slow connectivity over no connectivity.)
So I’ve ended up with two things to try: run OpenVPN on TCP, and have OpenVPN listen on multiple ports. Right now I’m planning to get a second instance of OpenVPN running using TCP (I’m hoping it’s just copying the conf file and changing proto udp to proto tcp, but there’s probably a bit more to it), and get iptables to redirect incoming connections on all ports higher than, say, 10000, to the respective OpenVPN UDP/TCP ports. (I’m still not sure how to do this; it’ll be an exercise in Google-fu and experimentation.)
Thankfully, on the client side, ServerFault has an answer that looks good: namely, defining a bunch of IP address:port combinations in the OpenVPN config file using the syntax, and switching between them with --remote-random, so if one is blocked, it’ll fall through to another, hopefully unblocked, IP/port combination.
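The server-side iptables redirect and the multi-endpoint client profile from the two paragraphs above, written out as an added example (my own sketch, not the blog’s or ServerFault’s files). It assumes OpenVPN 2.3 or later (per-remote protocol), a UDP instance on 1194 and a TCP instance on 443, and the documentation address 203.0.113.10 as the server.

```shell
#!/bin/sh
# Constructed example; every address and port below is an assumption.
SERVER=203.0.113.10
UDP_PORT=1194     # first OpenVPN instance, proto udp
TCP_PORT=443      # second OpenVPN instance, proto tcp (needs its own port,
                  # tun device and client subnet so it doesn't collide)
LOW=10000         # everything from this port upward is funnelled to OpenVPN
HIGH=65535

# Server side: nat-table REDIRECT maps any high port onto the right instance.
# Only the first packet of a NEW connection consults the nat table, so
# replies to the server's own outbound connections are untouched; any other
# service that listens above $LOW would be captured, so keep that range free.
server_rules() {
  echo "iptables -t nat -A PREROUTING -p udp --dport $LOW:$HIGH -j REDIRECT --to-ports $UDP_PORT"
  echo "iptables -t nat -A PREROUTING -p tcp --dport $LOW:$HIGH -j REDIRECT --to-ports $TCP_PORT"
}

# Client side: several candidate endpoints. remote-random shuffles the list
# and OpenVPN moves to the next entry when a connection attempt fails, so a
# single blocked port does not strand the client.
client_profile() {
  cat <<EOF
client
dev tun
nobind
resolv-retry infinite
remote-random
remote $SERVER $TCP_PORT tcp
remote $SERVER $UDP_PORT udp
EOF
  # A few arbitrary high ports; the server rules above map them back.
  for p in 10443 23123 41194; do
    echo "remote $SERVER $p tcp"
    echo "remote $SERVER $p udp"
  done
}

# Sanity check: the real listen ports must lie below the redirected range,
# otherwise REDIRECT would send a port to itself.
check_ports() {
  [ "$UDP_PORT" -lt "$LOW" ] && [ "$TCP_PORT" -lt "$LOW" ]
}

check_ports || { echo "listen ports overlap redirect range" >&2; exit 1; }
server_rules
client_profile > client.ovpn
```

Run it as root once the rules print correctly (pipe server_rules into sh) and hand client.ovpn to Tunnelblick.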
I’ll also look at varying the MTU settings, so that if the detection is protocol-based, individual packets shouldn’t look like the OpenVPN protocol and will hopefully escape it. I could also run everything through stunnel. And as a final alternative, there are free VPN services like VPNBook, though I doubt they have the time or staff to adapt their setup for users in China.
I’m also hoping that this will blow over, and China will revert to a more relaxed stance after the leadership transition, but it never hurts to be prepared…