Ask HN: How would you tunnel through GFW?
I think there would be thousands of hackers who're working from Mainland China. So, I'm wondering how could you get through GFW?
I've known that GFW has been upgraded recently, and it becomes more sophisticated in filtering the web. Tor nodes, lots of vpn networks, as well as SSH don't work around now.
I (or we) appreciate if someone here could come up a good and reliable solution.
32 comments
[ 3.0 ms ] story [ 71.5 ms ] threadIf you want to go really overboard, tunnel IP over DNS, ICMP, or some other common protocol ;-) (e.g. http://thomer.com/howtos/nstx.html)
The thing is that in this case the government of China appears to have decided that it cannot afford to do without the internet; and that means that they cannot 'win' in the ultimate sense, as by allowing filtered communication they are opening a channel on which illicit communication can be carried. And from what little I know of it, the chinese government isn't attempting to enforce a particular orthodoxy, they just don't want to be swept away by the social changes that are in progress. My sense is that a few foreigners looking at strange ideas doesn't bother the Chinese government, but large groups of young people getting exposed to new and exciting ideas all at once does.
And I can not even access the bridge link you gave.
1. Email bridges@torproject.org ; the body of the email should contain the line "get bridges".
2. In Vidalia Network Settings, click "My ISP blocks connections to the Tor network", and add the bridge IPs you got via email.
If it doesn't, I'll send you the stuff per email.
Don't know much about the Great Firewall, but I usually keep a SSH server listening on port 80 on a box, sometimes those hotels and company networks don't let anything other than port 80 outbound, and it has yet to fail me.
From a reliable source I heard they only ban SSH/VPN service if they can get a free account for testing. So if you are going to use SSH/VPN, make sure the provider do not serve free trials.
Honest to say, I could not afford another premium VPN service.
1. Methods that requires a 3rd-party server
2. Methods that do NOT requires a 3rd-party server
Currently mainland underground hackers focus on methods #2, and as far as I know 3 POC works fine through GFW on OSI level 3, 4, and 7, unless the target is an IP ban.
This is where many people think wrong. GFW hijacks all UDP port 53 data, and OpenDNS fails like others. You MUST use a clean DNS server inside China or on localhost. Query DNS via IPv6/SSH/VPN/Socks/TOR/TCP.
You can also consider http://hotspotvpn.com/ (I don't know anyone who has it but it was one of the ones that I researched before getting witopia) - $8.88 USD/month if it's the initial $60 that's an issue.
http://www.cl.cam.ac.uk/~rnc1/talks/060628-Ignoring.pdf
http://zygote.egg-co.com/5-interesting-facts-about-the-inter...
Unlike most VPN technologies which rely on additional encapsulation in Layer 3/4 like GRE and IPSec (which have signatures that can be filtered out easily without deep packet inspection), OpenVPN works over userspace TUN/TAP drivers and a UDP transport. So, it just looks like plain old application-layer UDP traffic. The standard port it uses (1194) can be changed easily.
Although not impossible, it would be very hard to block something like that without catching in the same rules many other ordinary applications that use UDP, such as most online games, Skype, etc.
It does, however, require that you tunnel to a concentrator outside the GFW.
Though I think the best work-around is hosting a server outside of mainland china, and then tunnel through ssh or vpn. An EC2 might works here, but I've not tested it. If someone tested, please share us your hacking.
Thanks all.