Chinaunix首页 | 论坛 | 博客
  • 博客访问: 109483
  • 博文数量: 71
  • 博客积分: 0
  • 博客等级: 民兵
  • 技术积分: 670
  • 用 户 组: 普通用户
  • 注册时间: 2015-07-12 19:56
文章分类

全部博文(71)

文章存档

2018年(1)

2017年(4)

2016年(37)

2015年(29)

我的朋友

分类: LINUX

2016-01-18 14:33:20

Internet censorship is an essential problem and people living in (or traveling to) China get to experience it directly. To bring you this article, we discussed with two users from China and also with two VPN providers who are experienced in getting around the Great Firewall of China.

The speed issues

One of the widely asked questions is: Why is the Internet so slow in China?
Domestic broadband connections in China can be quite fast, but one should not expect the same speed past the borders. Local and international connectivity are different things. In fact, Internet is usually extremely slow internationally. The reason for slow speed consists of a few factors that we will detail below.

Bad peering and routing

In China there is an ISP monopoly consisting of 3 state-owned communications companies: China Telecom, China Unicom and China Mobile. For international connectivity to be fast and reliable, the interconnection (or “peering”) between them and other network operators has to be solid. The problem is that they will not peer with international network carriers for free, and they charge a huge amount of money to peer with them. Peering costs are higher in regions near-by, meaning that a direct connection to Hong Kong is much more expensive than peering with the Chinese ISP monopoly overseas. That would inadvertently translate into low-bandwidth peering to neighbor countries, hence the  slowdowns when connecting to VPN servers near China, even if the latency is good.

Since Internet peering and transit costs to China are very high, many hosting/VPN companies won’t have direct routes to China ISPs, even though they are located in neighbor countries, and the connections would be routed all the way over the Pacific then back to the neighbor country due to the lack of direct peering.

Speed throttling and bandwidth manipulation

Not only that the peering is bad, but the Chinese ISP monopoly is known to manipulate bandwidth and throttle connection speeds. They are doing it to force corporations to pay more for extra bandwidth or special packages that would provide them with better international speed. The unreliable and slow Internet connections are causing huge business losses to companies that require reliable and fast Internet access in China. The Chinese ISPs know that, and exploit it for financial gains, and often the companies affected have no other choice but pay the extra price for better connections.

Network congestions and bottlenecks

China is the country with the most Internet users in the world, around 600 million users. That means that the the bandwidth capacity has to be large enough to provide them with a satisfactory Internet experience. As already pointed out – the capacity is just too low and it will result in network congestions, especially during peak hours (in the evening) when most users are online. These congestions occur for both international and local connectivity.

The Internet blocking/censorship issues

As if slow Internet wasn’t enough, get to know what’s even worse: the censorship.

china-internet-censorship

DNS censorship

DNS requests are censored by the ISP monopoly using a method called hijacking (or poisoning), resolving “blocked” hostnames into non-relevant IP addresses. For example, a DNS lookup for a VPN service in USA resolves to some IP address in Mexico. They aren’t blocking the DNS requests, meaning that you can still try to use various DNS services you want, but the replies coming from the DNS service are hijacked on-the-fly for the “blocked” domains/hostnames.

IP addresses blocking

When the DNS blocking is not fully effective, as people can use the IP addresses of blocked websites instead of DNS names (for example you access the IP address of a website directly instead of querying the DNS name of the website), the Great Firewall will block IP addresses. This type of blocking is common with VPN, Tor and proxy servers.

Protocol blocking

The Great Firewall is using a method called DPI (Deep Packet Inspection) to analyze all inbound and outbound traffic in real-time. The technology can be compared to an anti-virus, which relies on signatures and heuristic/behavior and statistic analysis to identify and flag protocols that are not allowed. VPN protocols are using encryption to secure the data transmitted over the Internet, and the DPI system can identify and block most types of VPN tunneling protocols. The most affected VPN protocol in China is OpenVPN in its default configuration. OpenVPN can still bypass the Great Firewall if its handshake is hidden so it can’t be seen and blocked by the GFC.

Other VPN protocols that still work in China quite well are PPTP and L2TP/IPsec.

blocking-mechanisms

The solutions

Traveling to China? Be prepared

If you are traveling to China, install a VPN before you leave. Once you get there, it will be hard to find one – as most VPN websites are blocked. Ask the VPN provider before you sign-up if the service is working in China, do some research online and see what their users in China say. Google Play is blocked in China, so if you have an Android device, install the VPN client before you go. Most VPN providers support OpenVPN, so install OpenVPN for Android. If you are already in China and you no longer have access to Google Play, ask a friend to download the APK file for you, or to install it on their phone and backup the application – this way will export it in APK format. iOS user? You are no exception: prepare your device before you leave for China.

VPNs and the international speed issues

As pointed out in the first part of the article, connection speeds are a big problem in China. Some VPNs can actually improve the Internet speed out of China, as long as their servers have good peering with the state-owned ISPs in China.

It’s worth noting that the geographical location of VPN servers is not too relevant when it comes to peering quality and bandwidth speed. Essentially, that means that even if a VPN has many servers in countries near China, peering to those servers can be worse than it could be from China to USA. Due to high peering costs, many hosting companies near China (for example in Hong Kong) would not peer directly with China ISPs so the traffic would be routed even to US and back to Hong Kong, resulting in worse speed than you’d normally expect.

Run some ping and traceroute tests from China to the VPN servers that you want to use, and see if the latency is good. For example, if the ping reply from Hong Kong or Taiwan VPN servers is over 100ms, it means that the peering is bad and the packets may be routed via US and Japan first. Direct peering from China to a neighbor country should result in ping replies of around 50-70 ms. Packet loss indicates congested networks and other issues. Use WinMTR on Windows or run the `traceroute` command directly from the terminal on Linux and OS X.

Ping replies indicating network quality/issues 

China to US West:
150ms to 180ms – very good, 180ms to 230ms – good/average, over 230ms -bad

China to Europe:
250ms to 330ms – very good, 330ms to 360ms good/average, over 360ms – bad

China to Japan:
30ms to 100ms – very good, 100ms to 200ms good/average, over 200ms – bad

China to Hong Kong:
30ms to 80ms – very good, 80ms to 130ms good/average, over 130ms – bad

The expats in China that we talked to have said they can get the best speed with VPN servers in Japan, Singapore and West Coast USA. OpenVPN with TCP ports and obfuscating methods work better than UDP ports as it seems that UDP traffic would often get throttled or blocked completely.

Also note that not all West Coast is the same. There are many international network carriers and only a few of them have good peering with China. The best locations to use in USA are those where the hosting providers have direct peering with China Telecom/Unicom and large transit providers with very good peering in Asia such as NTT, PCCW, Level 3. You can check the providers based on the server IP’s AS number at bgp.he.net. Results in traceroute also reveal what carrier is used for traffic transport.

Using VPNs with good peering is not the ultimate solution to get a faster connection. Even those can be affected by the usual network problems and congestions. Try using the VPN at different times of day and if the speed is better around certain hours of the day, change your daily routine so you can benefit from that time frame.

VPNs and DNS/IP blocking

Some VPNs that work in China will use other addresses for their websites and the VPN servers, in case the main ones get blocked by the Chinese government. Ask before you sign-up if they provide separate addresses for users in China and what they can do if their service gets blocked (like rotating IP addresses and changing hostnames).

Use non-standard VPN protocols to by-pass the Great Firewall

OpenVPN doesn’t work in China if it is configured in default mode. You have to use tools that will hide its traffic signatures. If you are a technical person and run your own VPN, look into setting it up with obfsproxy, over SSH or over stunnel.

Non technical users should be looking for VPN services that use techniques to hide the VPN handshaking and use OpenVPN on ports normally used by other protocols, like HTTP, HTTPS, IMAPS.

Standard protocols that may work very well for some users in China are PPTP and IPsec. Try them.
Jump through protocols, servers and ports from time to time. It may work well.

“Paying money” vs. “wasting money”

Don’t sign-up with a VPN by paying for a full year in advance just because they claim it works in China or because it worked well during the first days. Forget the attractive discount for yearly payments. The GFC is being constantly improved to block encryption and many VPN services that have been working great in the past years in China are blocked today. It’s common sense to expect this trend to continue in the near future and this is a reason why you might need to change the VPN provider in a few months.

Final words

Unfortunately, the government of China seems quite determined in effectively cutting China off the Internet. For each big international service (Google, Facebook, Twitter etc.), there is a Chinese equivalent that works within the mainland. By blocking foreign Internet services, they are forcing people to use the alternatives that are controlled by them. VPNs still work in China and it is the only way to reach the “real” Internet, but you shouldn’t expect the same experience from other country. Connections in China can be blocked, slow, unreliable and cause lots of frustration and there is not much to do about it. Ask around, read opinions, stay up to date with methods to unblock content in China. Remember that the only one to blame for the bad Internet experience in China is the Chinese government. Not the VPN providers, not the hosting companies, not the international network carriers.

Do you have any tips for VPN users in China? share them in the comment section.

阅读(621) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~
评论热议
请登录后评论。

登录 注册