Tunneling Through the Great Firewall of China

The People’s Republic of China is known for, among other things, the Great Wall of China; we tech nerds, however, also associate the country with the Great Firewall of China (GFW). The GFW, officially known as the “Golden Shield Project,” is an ever-growing effort by the Chinese government to implement strict censorship of the Internet content accessible to its citizens. Sites that are or have previously been blocked include Google, Facebook, YouTube, and WordPress, plus many more.

Recently, a friend of mine was planning a trip to China in order to teach an ESL course. In addition to his understandable desire for some level of privacy in his internet access, he also needed access to YouTube in order to do some of the segments in his curriculum. When he asked for recommendations on how best to circumvent the GFW, my first thought was to use a VPN, but, after doing some reading, I discovered that the GFW has added technology in recent years to detect and block IPs associated with VPNs (see here and here).

With a true VPN no longer a reliable option, the next best thing I could think of was to use an SSH tunnel as a VPN alternative. Instructions for running an SSH tunnel on a Windows OS using PuTTY are scattered over the web, including here and here. The “gotcha” that you may well run into (as my friend did) is that you must enable remote DNS lookup; otherwise your DNS lookups are made outside the tunnel and the hostnames of the sites you are requesting will be visible to the GFW.

To do this, navigate to about:config in your Firefox browser (unfortunately, no other popular browsers currently support SOCKS5, which is required). In the config page, search for “dns” and double-click the line called “network.proxy.socks_remote_dns”. Once this value is set, Firefox will resolve all DNS queries through your SSH tunnel, returning the encrypted content for your viewing pleasure.
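What the remote DNS setting changes can be seen in the SOCKS5 CONNECT request (RFC 1928) that the browser hands to the local tunnel endpoint. The following is an added example, not code from the original post: it builds that request in both modes and reports which side performed the name lookup. The function names, the hostname `www.example.com` and the address `192.0.2.10` are constructed for illustration.

```python
import ipaddress
import struct

# SOCKS5 address types (RFC 1928, section 4).
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect(host, port, remote_dns, resolved_ip=None):
    """Build the CONNECT request a browser sends to the local SOCKS5 listener.

    remote_dns=True: the hostname itself is sent (ATYP 0x03), so the far end
    of the tunnel resolves it. remote_dns=False: the client has already
    resolved the name with the system resolver; resolved_ip stands in for
    that answer and only the address is sent.
    """
    head = b"\x05\x01\x00"  # VER=5, CMD=CONNECT, RSV=0
    if remote_dns:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        ip = ipaddress.ip_address(resolved_ip)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return head + addr + struct.pack("!H", port)


def classify_connect(req):
    """Parse a CONNECT request; return (target, port, who_resolved)."""
    if len(req) < 5 or req[:3] != b"\x05\x01\x00":
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        size, start, who = req[4], 5, "proxy"
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        size, start, who = (4 if atyp == ATYP_IPV4 else 16), 4, "client"
    else:
        raise ValueError("unknown address type")
    raw, tail = req[start:start + size], req[start + size:]
    if len(raw) != size or len(tail) != 2:
        raise ValueError("truncated or oversized request")
    # "client" means the name was looked up before the request was built,
    # i.e. outside the tunnel (or the user typed an IP literal).
    target = raw.decode("ascii") if who == "proxy" else str(ipaddress.ip_address(raw))
    return target, struct.unpack("!H", tail)[0], who


if __name__ == "__main__":
    # Constructed sample: www.example.com and 192.0.2.10 are placeholders.
    for mode in (True, False):
        req = build_connect("www.example.com", 443, mode, "192.0.2.10")
        print(mode, req.hex(), classify_connect(req))
```

A request classified as `client` for a site reached by name means the lookup left the machine through the normal resolver before the tunnel was used.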

So that was my experience tangling with the GFW. This great technological wonder is ever-evolving and has begun to defend against VPNs, one of the newer forms of secure access to the web. It is possible that the GFW could also detect and block the SOCKS5 protocol in the future, but for now at least SSH tunnels are still a viable option for tunneling through the GFW.

5 thoughts on “Tunneling Through the Great Firewall of China”

  1. > It is possible that the GFW could also detect and block the SOCKS5 protocol in the future

    Shouldn’t the SOCKS-Protocol only be used between Firefox and SSH which are both on the same machine? Then the only protocol that is spoken through the Great Firewall of China is SSH.

    1. Yes. The traffic visible to GFW is all encrypted. It will be sent encrypted to your SSH server, then from your server to the target unencrypted (and the same coming back from the target). The concern is that the encryption could be detected, not that the traffic could be read (the same concern as what has already happened with standard VPNs). One way this could be done is by looking at the target port. If you’re making an outgoing connection to port 22, GFW could assume it’s SSH and block that connection. There are probably other heuristics that could be used to detect this encryption.

      The short answer is, this method may stop working in the future, but it will never reveal what is being sent. Worst case, you’ll stop being able to freely communicate over the GFW.

      1. Right. I’ve heard about several heuristics concerning encrypted traffic at Port 22:
        – Many different clients access the same server → doesn’t look like legitimate traffic by a single admin.
        – High traffic from server to client → doesn’t look like normal shell usage / deployment to the server
        – Technically, they might (port) scan whether VPN connections are accepted by the server → looks more like a “second entrance” of a VPN service
        – Tools like psiphon even obfuscate the SSH handshake to prevent it from being detected: https://psiphon3.com/en/faq.html#ssh-plus

        1. Very interesting. I had not heard of Psiphon before.

          But yes, the big threats of detection are addressed by having your own server to keep traffic at an insignificant level.
