China Blocking VPNs and Google
On Saturday, November 10th 2012 several news websites including Yahoo and TechInAsia announced that the Chinese government had blocked access to all of Google’s online services, including the Google Search Engine, Gmail, Google Analytics, Google Docs, Google Drive, Google Maps and Google Play. In addition, a number of VPN providers began receiving reports from their customers that they were no longer able to connect to VPN servers hosted outside mainland China.
Through additional testing it became apparent that websites belonging to Facebook, Twitter, parts of Wikipedia and parts of Yahoo were also being blocked using DNS poisoning. DNS poisoning lets a firewall (or Internet provider) hand out forged DNS answers from its resolvers, so that the name resolves to an address that is null routed or black holed; the client never reaches the real server and the website or service appears to be down. As of Monday, November 19th these websites remain blocked.
VPN providers are experiencing a number of different types of Chinese blocks including:
IP Blocks – IP addresses belonging to some VPN providers are being blocked at China’s perimeter firewalls. Several IPs are being null routed to non-existent systems within China, which effectively breaks the route between the client and the server.
DNS Blocks – Providers whose clients locate the VPN server by hostname are experiencing blocks caused by DNS poisoning: the hostname resolves to a bogus or null-routed address, so the client never reaches the real server even though the server’s IP itself may not be blocked.
Connection Reset – Connections to VPN services (e.g. SSL VPN, PPTP, IPsec, L2TP) receive a “Connection Reset” when attempting to negotiate a link. This is most likely caused by Deep Packet Inspection (DPI) systems and/or Intrusion Detection Systems (IDS) carrying out content inspection and blocking VPN traffic based on signatures and/or protocol detection. Most commercial and open source VPN technologies use a standard protocol, a well-known port and a recognizable handshake (for example PPTP on TCP 1723 plus GRE, IPsec IKE on UDP 500/4500, L2TP on UDP 1701, OpenVPN on UDP 1194 by default), so they are easy to fingerprint and block.
TLS-AUTH, TLS-REMOTE Blocking – Several OpenVPN-based services have customers experiencing connection failures during the Transport Layer Security (TLS) authentication and validation step. Many of these services use a tls-auth or tls-remote setting so that the VPN client can confirm that the VPN server it is connecting to is legitimate, reducing the risk of a Man-in-the-Middle (MITM) attack.
Examples:
# tls-auth vpn-provider-ta.key 1
or
# tls-remote "/C=US/ST=FL/L=Miami/O=vpn.net/OU=S/CN=vpn.vpn.net/[email protected]"
The tls-auth directive adds an HMAC, keyed with a pre-shared static key, to every SSL/TLS control-channel (handshake) packet, so the server can discard packets that were not produced by a holder of that key before it even starts the TLS handshake. The tls-remote directive on the client accepts or rejects the server connection based on the common name of the server certificate (later OpenVPN releases replaced tls-remote with verify-x509-name). Note that neither option hides the OpenVPN protocol from an inspecting middlebox: the opcode byte and the HMAC field are still visible in the clear, so a DPI system can recognize the handshake and drop or reset it. If the TLS handshake packets are interrupted or blocked, the VPN connection will fail.
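To tell the three kinds of block above apart from a client inside the filtered network, a practitioner wants a probe that separates a poisoned DNS answer from a null-routed IP from a reset injected after the handshake starts. The following is an added example written for this page, not code from the original post or from any VPN provider: it builds and parses raw DNS A queries (the forged-response builder has the same shape as an injected answer), resolves the VPN hostname through the local resolver and a trusted out-of-band one, probes the server’s TCP port with a TLS-record-shaped payload, and classifies the result. The hostname, the resolver addresses, the probe payload and the TEST-NET addresses are assumptions.

```python
"""Sort out which kind of block a VPN client is hitting: DNS poisoning,
IP null-routing, or a DPI-triggered connection reset.

Added example, not code from the original post. Hostnames, resolver
addresses and the probe payload are assumptions; IPs are RFC 5737 ranges.
"""
import secrets
import socket
import struct

NXDOMAIN = 3


def encode_name(name):
    """'vpn.example.net' -> b'\\x03vpn\\x07example\\x03net\\x00' (wire format)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(name, txid):
    """A plain recursive A query, as a stub resolver sends it over UDP."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD set
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # A, IN


def build_dns_response(query, rcode, ips, ttl=300):
    """Forge a reply to `query`. This is also what an injected answer looks
    like: the question is echoed and each answer name is a 0xC00C pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | (rcode & 0xF)          # QR, RD, RA set; rcode low nibble
    header = struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return header + question + answers


def _skip_name(buf, off):
    """Offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:           # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp, txid):
    """Return (rcode, [A-record IPs]) from a response; reject a wrong txid."""
    rtxid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rtxid != txid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4     # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips


def resolve(name, resolver, timeout=3.0):
    """Ask `resolver` (an IP string) for `name` over UDP/53."""
    txid = secrets.randbelow(1 << 16)
    query = build_dns_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_a_records(reply, txid)


def tcp_probe(host, port, payload=b"\x16\x03\x01\x00\x05hello", timeout=5.0):
    """'timeout' = SYN black-holed (null route); 'refused'; 'reset' = RST
    after we send a TLS-record-shaped payload (DPI); 'open' otherwise."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    try:
        with sock:
            sock.sendall(payload)
            sock.recv(1)
            return "open"
    except ConnectionResetError:
        return "reset"
    except socket.timeout:
        return "open"                       # reachable, it just ignored us


def classify(local, reference, tcp):
    """local/reference: (rcode, ips) for the same name from the local resolver
    and from a trusted out-of-band resolver; tcp: a tcp_probe() result."""
    _, l_ips = local
    r_rcode, r_ips = reference
    if r_rcode == NXDOMAIN and l_ips:
        return "dns-poisoning"              # answer for a name that does not exist
    if l_ips and r_ips and not set(l_ips) & set(r_ips):
        return "dns-poisoning"              # the two resolver paths disagree
    if tcp in ("timeout", "unreachable"):
        return "ip-block"
    if tcp == "reset":
        return "connection-reset"
    return "ok"


if __name__ == "__main__":                  # live run; all names are assumptions
    host, local_dns, ref_dns = "vpn.example.net", "192.0.2.53", "198.51.100.53"
    local, ref = resolve(host, local_dns), resolve(host, ref_dns)
    target = (ref[1] or local[1] or [host])[0]
    print(classify(local, ref, tcp_probe(target, 443)))
```

Two points in the design: querying a random, non-existent subdomain of the VPN domain (e.g. a hex string in front of the real name) is a useful canary, because a real resolver answers NXDOMAIN while a poisoner still hands back an address, which is the first rule in classify; and the TCP probe distinguishes a SYN that is silently dropped (null route) from a connection that is accepted and then reset once the first handshake bytes are seen (DPI). The reference resolver must be reached over a path the filter does not poison, otherwise both answers agree and the check is blind.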
The English edition of the GreatFire website, http://en.greatfire.org, provides additional insight into what’s being blocked and how.
Why?
Many are asking why this filtering is occurring now, how long it will last and what the long-term implications are.
Between November 8th and November 15th 2012 China hosted its 18th National Congress of the Communist Party of China during which a new leader for the ruling communist party was selected, Xi Jinping. In the days leading up to the Congress a number of media outlets were warning that China was tightening its communication security and increasing filtering ahead of the once-in-a-decade shuffle of Communist Party leaders. The “re-shuffle” was the first such transition in the era of social media, with half a billion Chinese newly empowered and swapping information through blogs and Chinese versions of Twitter. (Note: Facebook.com and Twitter.com remain blocked in China). The excessive blocking of western media sites, online social networking and blogs was a proactive attempt by the Chinese Internet Police under direction from the Public Security Bureau (PSB) to control information flow.
The Future?
There has been rumor of China moving to a fully separate “Chinanet” for some time. To date, China has operated its Internet filtering in a ‘black list’ style, meaning that only websites and services deemed a threat to national security are blocked. A Chinanet could potentially mean that all international, non-Chinese websites are blocked and that a ‘white list’ is established for approved websites and services, such as those belonging to multinational firms with operations in China.
On Thursday, November 14th China’s State Administration of Radio, Film and Television (SARFT) announced that, in response to a State Council directive from two years ago, it had put together what will be a state-owned and state-run Internet and telecommunications company, financed primarily by the Chinese Ministry of Finance. The Chinese language announcement is available here, with an English Google translation version available here. The idea is that the company will break the “monopoly” on telecom and broadband service held by China’s three major telecoms (China Mobile, China Telecom and China Unicom) which, just for the record, are all state-owned too. The company will also be a new provider of cable television, thus unifying the “three networks” as defined by the State Council. Could this be a step towards a white-list-only Chinanet? More information is available here.
Closing Thoughts
In the next 2-3 weeks we may see all of the recent filtering removed, or it may be in place permanently. All of this may be something or it may be nothing, but it is also possible that in a decade we will look back on 2012 remembering when Chinese consumers still had their choice of ISPs and the ‘global’ Internet was still more or less accessible. I strongly believe that SARFT represents an attempt by the Chinese government to further control all means of communication, placing management and control in the hands of the government.
Good article, thank you! Do you have any updated information? We have been without a VPN for 2 weeks now.
There are other VPN protocols that will and do work in China. SSTP is one, and it uses ports 443, 80 and 8642. The government can block it, but it will also mean blocking all business and banks right across the country, because all important services use these ports, and new technology is already being developed in the West to combat future threats from Chinese censorship. So look for a VPN service that offers SSTP and enjoy the freedom of the Internet as it was intended for everyone.
You can protect your DNS by using OpenDNS DNSCrypt; it’s free (DNSCrypt for Windows, DNSCrypt for Mac: http://www.opendns.com/technology/dnscrypt/), and don’t forget to get the updater. It works fine. Another bit of added protection is to go into your services in your control panel and look for DNS cache, then set it to disabled. That way you do not have any DNS cache. Every little helps. Good luck.