Many people have been asking me about recent news that VPNs might be blocked completely in China and I thought it would be useful to post a thread on the subject, especially since these questions tend to come up periodically whenever VPNs and China are mentioned together in the news.
What’s the story?
There have been several news articles claiming that China will block all non-government-approved VPNs by February 1st, 2018. Newer articles say that it is going to happen in March, and, most recently, in April.
As you can see, the date keeps getting pushed further and further. So, is there any substance behind these stories? Let’s see.
China has been trying to block VPNs for a long time and has indeed stepped up its efforts during the past year. They got Apple to remove all VPN apps from the Chinese App Store back in July of 2017, and they have been much more aggressive in blocking VPN companies' IP addresses. In addition, many popular encrypted messaging apps have been blocked, most notably WhatsApp, in August of 2017.
However, through all this, VPNs continue to be accessible. The question is, will they remain accessible? It all depends on how far China wants to push its crackdown.
First, let us see what methods China has been using to block VPNs. Then, we will consider what additional steps they could take, how effective these steps could be, and how likely it is that China will implement them. Finally, we will analyze the news stories in the light of the data we have gathered.
How China Currently Blocks VPNs
China’s Great Firewall (GFW) currently uses two main ways of blocking VPNs: (1) by protocol and (2) by IP address. Let’s consider how the GFW does that.
By Protocol:
Each VPN protocol, such as PPTP, L2TP, and OpenVPN, has identifying marks. Computers can analyze internet traffic patterns to detect whether a person is using a VPN or not. This is the primary way the GFW blocks VPNs, and why so many normal VPNs don’t work in China.
One way around this block is to disguise the VPN connection as something that isn't blocked, usually as an HTTP or HTTPS connection. Another way to hide, or obfuscate, the VPN is by randomizing traffic patterns to make it look like junk data instead of a VPN.
In response, the GFW tries to create better algorithms for detecting VPN protocols and obfuscation patterns. Therefore, VPN companies have to continually find new ways of disguising traffic. This struggle to keep ahead of each other is often called an “arms race”. So far, several VPN companies have succeeded in evading protocol censorship.
By IP Address:
In case the VPN connection itself cannot be identified, the GFW’s computers will then try to analyze the server. They can use traffic statistics (for example, large amounts of data being downloaded by thousands of users from a single location) and other mechanisms to guess whether a server is actually running a VPN. Once a server is identified as such, its IP address can be added to a blacklist, which blocks any subsequent connection to that server.
The main way around this is by changing the VPN server’s IP address each time it gets blocked. This is sometimes called a “whack-a-mole” approach. Each time a server is blocked, just spin up another one and keep going.
So far, none of these methods have been successful in blocking VPNs. In other words, unless China finds new ways to stop people from using VPNs, VPNs will continue to exist. Let us now consider what additional steps China can take against VPNs, and the likelihood of it happening.
What Additional Steps China Could Take to Block VPNs
Blocking Ports:
Basically, a port is like a gate for different applications (software) to run through. Each type of application is assigned a port. For example, websites typically run on port 80 (HTTP) and 443 (HTTPS). The domain name system (DNS) runs on port 53, and e-mail runs on port 25 and 995. Blocking a port will usually block the services that tend to use that port. VPN protocols also tend to use specific ports, such as port 1723 for PPTP connections and port 500 for IPSec connections. Blocking these ports can block many standard VPN connections and can be an effective way of blocking some VPNs.
How effective is it?
The problem with blocking ports is that blocking important ports like port 80 or 443 would effectively break the internet. So China cannot afford to block these important ports.
In addition, even though apps tend to run on specific ports, they can be configured to run on any port. So the VPN server administrator can choose to run the VPN on port 443, for example, and since China cannot afford to block port 443, it can’t do anything about it.
How likely is China to implement it?
They may implement a block of non-essential ports, but will likely never block the important ones.
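The difference between the port rule described here and the protocol fingerprinting described earlier can be seen by running both over the same flows. This is an added example, not part of the original post; the sample flows are constructed, and port 1194 (OpenVPN's default) and the function names are assumptions introduced for illustration.

```python
import struct

# Default ports for the VPN protocols named above (1194 for OpenVPN is added here).
VPN_PORTS = {1723: "PPTP", 500: "IPsec", 1194: "OpenVPN"}

def by_port(dst_port):
    """Port rule: judge a flow only by its destination port."""
    return VPN_PORTS.get(dst_port, "allowed")

def by_payload(transport, payload):
    """Signature rule: judge a flow by the first bytes it sends."""
    # PPTP control messages carry the magic cookie 0x1A2B3C4D at offset 4.
    if transport == "tcp" and payload[4:8] == b"\x1a\x2b\x3c\x4d":
        return "PPTP"
    body = payload
    # OpenVPN over TCP prefixes each packet with a 2-byte big-endian length.
    if transport == "tcp" and len(payload) > 2:
        (length,) = struct.unpack("!H", payload[:2])
        if length == len(payload) - 2:
            body = payload[2:]
    # OpenVPN's first byte is opcode << 3 | key_id; opcode 7 is the client's
    # opening P_CONTROL_HARD_RESET_CLIENT_V2 packet.
    if len(body) >= 14 and body[0] >> 3 == 7:
        return "OpenVPN"
    # TLS handshake record: content type 0x16, major version 0x03.
    if payload[:2] == b"\x16\x03":
        return "TLS"
    return "unknown"

# Constructed sample flows: (label, transport, destination port, first payload).
_OVPN = b"\x38" + bytes(range(8)) + b"\x00" + b"\x00\x00\x00\x00"
FLOWS = [
    ("pptp-default", "tcp", 1723, struct.pack("!HHI", 156, 1, 0x1A2B3C4D) + bytes(148)),
    ("openvpn-default", "udp", 1194, _OVPN),
    ("openvpn-on-443", "tcp", 443, struct.pack("!H", len(_OVPN)) + _OVPN),
    ("tls-on-443", "tcp", 443, b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + bytes(40)),
    ("randomized", "tcp", 8443, bytes.fromhex("9f4c07e1b35a2d88c6107be4f2")),
]

def compare(flows=FLOWS):
    """Return {label: (port verdict, payload verdict)} for each flow."""
    return {name: (by_port(port), by_payload(t, data)) for name, t, port, data in flows}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:16} port rule: {verdicts[0]:8} payload rule: {verdicts[1]}")
```

The port rule only catches the two flows on their default ports, while the payload rule still recognizes OpenVPN on port 443; the TLS and randomized flows give neither rule anything VPN-specific to match, which is why the server-side analysis under "By IP Address" exists.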
Instituting a Whitelist:
Currently, China runs on a blacklist of banned sites and IP addresses. This means that the GFW has to search for each VPN server and make sure it is really a VPN server (and not a legitimate site like Yahoo, Bing or Apple) before adding it to the blacklist and blocking it. There are over 4 billion IP addresses in the world. That means that VPN companies will always be able to find an IP address that’s not on the blacklist and use it.
A whitelist, on the other hand, blocks everything by default, and only allows selected sites and services through. To be able to run a VPN connection through that, you will need to get a server that is on the whitelist, which is much harder, as you have to trick the censors into adding you to the whitelist manually.
How effective is it?
Extremely effective. This is similar to what North Korea does, and why no VPN service works there. If China goes this route, VPNs will likely die overnight, and so will many smaller sites and overseas servers (like bank servers, etc.).
How likely is China to implement it?
A whitelist will have a huge impact on the internet, and is very difficult to correctly implement without breaking important services. For example, most big websites run on multiple IP addresses and change IP addresses frequently. How can the GFW make sure that the sites they like remain accessible? In addition, many companies and banks run overseas servers, including for backup purposes. It will be difficult to make sure all these IP addresses remain accessible and on the whitelist. A whitelist will also greatly hinder business as many of the smaller business sites will likely not be on the whitelist.
Because of the huge impact it would have on the internet, and because of the many issues associated with a whitelist, I think it is highly unlikely that China will implement one, at least not anytime soon.
So, in conclusion, what can we say of all the recent news stories?
They are likely just unverified rumors. Even though China has ramped up its efforts in blocking VPNs, it still has some way to go. China has even denied ever announcing a ban on VPNs by 2018.
Many of these news articles come from little-known outlets and are then republicized and reshared over social media. Likely, these news outlets are just out for views, as these articles always seem to get lots of attention. But they are just rumors. The fact that the date of the blocking has been changed multiple times, from February to March and now to April, should tip us off that they are not based on concrete evidence.
The fight to maintain a pathway to the outside world goes on, and VPNs will live to see another day.