Bypassing the big Chinese firewall
René Dohmen
January 10, 2014

I made a couple of preparations to make sure I could use the internet in China in a reliable way. I did some investigating on fora to find out what possible problems I could expect. Due to the new Google Profiles policy, users seem to have problems with Google apps and Gmail login. YouTube and Facebook are impossible to use without some preparation. Downloading attachments in Gmail won’t work in a reliable way.

So I decided to install some OpenVPN add-ons on one of my pfSense firewalls, purchased a month’s license for BreakWall VPN Pro Pack Medium as a fallback, and created some handy SSH scripts so I could use an SSH tunnel as a SOCKS-based web proxy. Here we go.


BreakWall claims to give me access to Facebook and YouTube if my own VPN solution fails (http://blog.stefcho.eu/?p=492). I think you should only use this if you don’t have access to servers outside China.


Although IPsec is better, OpenVPN is easier and very stable. With the coolness of pfSense you can configure it via a wizard.

Screenshot 2013-12-24 at 04.05.33

It can be configured in two ways: normal OpenVPN and Redirect OpenVPN. The latter is ideal for this situation: once it’s active, it sends all network traffic of your laptop or other internet device over the VPN tunnel, so you can visit YouTube and Facebook from a Dutch IP number. The problem with OpenVPN is that it can be detected. I did find some articles about VPN being illegal in China. I was able to use this in 80% of the cases.

SSH Tunneling

SSH tunneling allows you to securely route traffic through an SSH server you own using an encrypted tunnel. SSH tunnels can be used to prevent network monitors on your local network from seeing what sites you visit, or to bypass overly restrictive web filters. They are also useful for trackers that require users to log in from an IP before being able to seed from it. The nice thing about SSH tunnels is that the traffic looks almost the same as normal HTTPS traffic, making it almost impossible to detect, especially when connecting to port 443. It’s also easy to set up when you know what you are doing. SOCKS is built in to OpenSSH, so it’s a trivial matter to set up a local SOCKS proxy with the -D flag. For example:

Or when using a non-standard SSH port (to keep script kiddies from brute-force probing your port 22 all the time):
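
An added example (not the original post's own commands) of the `-D` setup described above, covering both the default and a non-standard SSH port. The function names, the default SOCKS port 1080 and the host `vps.example` are assumptions.

```shell
#!/bin/sh
# Added example: build the OpenSSH dynamic-forward (SOCKS) command line.
# Function names and the defaults (22, 1080) are assumptions of this sketch.

# valid_port PORT: succeeds if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd USER@HOST [SSH_PORT] [SOCKS_PORT]
# Prints the ssh command; returns 2 on a malformed target or port.
tunnel_cmd() {
    target=$1; ssh_port=${2:-22}; socks_port=${3:-1080}
    # Reject empty, option-like ("-o...") or shell-unsafe targets.
    case "$target" in
        ''|-*|*[!A-Za-z0-9@._-]*) echo "bad target" >&2; return 2 ;;
    esac
    valid_port "$ssh_port"   || { echo "bad ssh port" >&2; return 2; }
    valid_port "$socks_port" || { echo "bad socks port" >&2; return 2; }
    # -D 127.0.0.1:PORT     SOCKS listener on loopback only, not the LAN
    # -N                    forwarding only, no remote shell
    # ExitOnForwardFailure  fail if the listener cannot bind
    # ServerAliveInterval   detect a silently dropped connection
    printf 'ssh -N -D 127.0.0.1:%s -p %s %s %s %s\n' \
        "$socks_port" "$ssh_port" \
        "-o ExitOnForwardFailure=yes" "-o ServerAliveInterval=30" "$target"
}

# start_tunnel USER@HOST [SSH_PORT] [SOCKS_PORT]: run it in the foreground
start_tunnel() {
    cmd=$(tunnel_cmd "$@") || return 2
    # Unquoted on purpose: every word was validated above.
    exec $cmd
}

# Usage (vps.example is a placeholder host):
#   start_tunnel user@vps.example          # default port 22
#   start_tunnel user@vps.example 443      # non-standard SSH port
```

Point the client at SOCKS v5 on 127.0.0.1 with remote DNS enabled (curl's `--socks5-hostname`, for instance); otherwise hostname lookups still leave through the local network.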

In Chrome you can use the excellent Falcon proxy extension to set up the SOCKS proxy, so you can switch proxies fast:

Screenshot from 2014-01-10 22:30:59

In Firefox you can use the built-in proxy support with the setting on manual:

Screenshot from 2014-01-10 22:39:59

For a more permanent setting you can use the system settings for a proxy; at least this is working fine on Ubuntu:

Screenshot from 2014-01-10 22:37:16


I didn’t need BreakWall, but if you don’t own any fancy VPN boxes outside of China, it would probably be the only way to have decent internet. The VPN solution is the easiest one, as it tunnels all traffic through the VPN connection without further setup. The SSH tunnel is also very easy, but you need a good OS and some SSH knowledge to get it going.
