OpenVPN & China’s Firewall


Ended up choosing an SSH SOCKS proxy + Tunnelblick because it had the fewest moving parts.

Combined with a passwordless SSH key, I saw this status on Facebook today:

Kyle is truly a computer wizard! as in, his Tunnelblick thingy is working!

Location? China.

Success.
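An added example, not part of the original post: to run OpenVPN through an SSH SOCKS proxy, the client config has to use TCP and point at the local proxy. The function below rewrites a client config that way. Port 1080, `vpn.example.com` and the 203.0.113.10 address are constructed placeholders, and it assumes the OpenVPN server also listens on TCP.

```shell
#!/bin/sh
# Added example (not the blog author's script): adapt an OpenVPN client
# config so it connects through a local SSH SOCKS proxy.
# The proxy itself is started separately, for example:
#   ssh -N -D 1080 user@SSH_SERVER     (user, host and port are placeholders)

# Usage: socksify_ovpn SSH_SERVER_IP [SOCKS_PORT] < client.ovpn > client-socks.ovpn
socksify_ovpn() {
    server_ip=$1
    socks_port=${2:-1080}
    [ -n "$server_ip" ] || { echo "usage: socksify_ovpn SSH_SERVER_IP [PORT]" >&2; return 2; }

    # Drop directives that conflict with a TCP-only SOCKS transport:
    #   proto                  - replaced below (ssh -D carries TCP only)
    #   explicit-exit-notify   - UDP-only option
    #   socks-proxy/http-proxy - replaced below
    awk '$1 ~ /^(proto|explicit-exit-notify|socks-proxy|http-proxy)$/ { next } { print }'

    echo "proto tcp"
    echo "socks-proxy 127.0.0.1 $socks_port"
    # Keep the SSH session to the server on the normal gateway, so a
    # redirect-gateway in the config does not route the proxy's own
    # connection into the VPN it is carrying.
    echo "route $server_ip 255.255.255.255 net_gateway"
}

# Constructed sample client config, for demonstration only.
sample_config() {
    cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
explicit-exit-notify 2
redirect-gateway def1
EOF
}
```

Try it with `sample_config | socksify_ovpn 203.0.113.10` and compare the output against the original config.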

  1. #1 by tony on June 17, 2013 - 4:49 am

    Hi,

    Can you elaborate on your setup for getting vpn access in China? I’ve been using a ssh tunnel, but it’s not always sufficient for my needs.

    Openvpn is blocked in general in China. Do you use stunnel or anything else to get openvpn to work?

    Thanks!

  2. #2 by Kyle Lexmond on June 22, 2013 - 2:30 pm

    Yep, SOCKS proxy (SSH) + OpenVPN was the simplest way I found.

    Alternatively, you can use OpenVPN over stunnel, I covered using that here.

  3. #3 by mise on June 30, 2013 - 7:47 am

    Standard openvpn is blocked, but you can add a patch to get it working again.
    github.com/clayface/openvpn_xorpatch
    It means you gotta use github to load the patch and then compile and install. It's a fair bit of labour but it's the best solution.

    openvpn over SSH is the most simple

    openvpn over stunnel is another option
    tryapi.wordpress.com/2013/04/04/wrapping-openvpn-with-stunnel/

    openvpn over httptunnel worked for me,
    but some have had it blocked.

    openvpn obfuscation works also, but I have not tried it.

  4. #4 by Kyle Lexmond on June 30, 2013 - 6:14 pm

    Yep, openvpn over stunnel worked, but openvpn over SSH/SOCKS was a bit simpler to handle on the client side, since the system was using OS X, so I just used the built in terminal instead of needing to install stunnel.

  5. #5 by tony on July 20, 2013 - 4:26 am

    mise :
    Standard openvpn is blocked, but you can add a patch to get it working again.
    github.com/clayface/openvpn_xorpatch
    It means you gotta use github to load the patch and then compile and install. It's a fair bit of labour but it's the best solution.
    openvpn over SSH is the most simple
    openvpn over stunnel is another option
    tryapi.wordpress.com/2013/04/04/wrapping-openvpn-with-stunnel/
    openvpn over httptunnel worked for me,
    but some have had it blocked.
    openvpn obfuscation works also, but I have not tried it.

    Are there any pre-compiled binaries for Windows anywhere? I looked at the instructions on openvpn.net and it’s quite a bit of stuff: python, perl, VS environment, etc.

    Thanks

  6. #6 by tony on July 30, 2013 - 9:51 pm

    Looks like ssh tunneling is finally being blocked… the entire IP. 2 of my vps’s have been blocked over the last 2 days. I was using both for ssh tunneling as SOCKS proxies… now I have to cancel those products as they’re useless. I’m worried any other method will get blocked too. They don’t seem to care what kind of traffic.. if it’s encrypted and being used everyday, it’ll get blocked.

  7. #7 by Andrew on January 4, 2014 - 10:10 pm

    Does anyone have any current information about whether or not SSH SOCKS proxy + Tunnelblick is still working? Kyle, can your friend still use your server through this method? I have a friend going to China next month for a year, and am trying to set up a similar system on my own server.

  8. #8 by Kyle Lexmond on January 8, 2014 - 8:26 pm

    Unfortunately they’re not in China anymore to test it, but I haven’t heard of any changes in the GFW that would make it not work…
    Wrapping OpenVPN in SSH or just using a straight SSH SOCKS proxy would be your best bet by far though.
    I think they mentioned that my first method of connecting to random ports didn’t work all the time, but doing everything through SSH worked every time they had to resort to it.
