VPN in China: The Ultimate Cat-and-mouse Game
A friend from college asked me about how to access Instagram from China. I felt I have come across a giant hidden industry, after some research.
Last week my college roommate sent me a message on WeChat, asking me if I knew any reliable VPN service providers so that he could check his Instagram feed during his stay in China.
My friend Ryan went back to Shenzhen after graduation. Despite his degree in Hotel Administration, he picked up his career in the Finance & Securities Industry. He has a solid daily routine: Every morning he goes to work, spend a few hours staring at monitors and maybe complete a few stock transactions assigned by his manager. After lunch, there is a lunch break — usually a few hours. During the lunch break, he usually spends some time browsing his social media, including Instagram and Facebook. After work, he goes to the gym, and then he heads home and spends 5 hours on Overwatch. Then he goes to bed and waits for the next day.
Long story short — He used to have a working VPN tunnel so he could just connect on his phone and start posting photos on Instagram. Recently that tunnel stopped working, most likely that maybe the service provider got banned by the firewall. All the IP addresses from the provider also became unreachable. Therefore I was asked to figure out a way to build a network that is accessible from his phone and also in some way the network can reach servers of Google, Facebook, and Instagram.
But wait… How does VPN work in the first place?
I don’t have much experience with system infrastructure or building servers, but I did take Operating Systems during four years of college. I could still vaguely remember a bunch of network related buzzwords from OS class such as TCP, IP, ARP, DNS, etc. Therefore I thought it might be best to skip the technical details first and think about the overall problem first.
Let’s just assume that VPN is a magic connection that connects your computer to a remote server and therefore your computer looks like it’s just sitting next to the remote server connected to the Local Area Network (LAN). Let’s also assume that the firewall by default blocks all kinds of network traffic between the Mainland and all the well-known malicious (In China’s perspective, and tbh, it’s true) US web services.
So how do we get to access those web services? The solutions are usually based on trying to relay the connections through some intermediate services that are green-flagged by the firewall and can be reached from both ends. Years ago my high school roommate bought a Virtual Private Server (VPS) service in Japan. It was really just a server that he could log onto and do cool stuff with it. He set up a remote Linux instance that ran an SSH daemon so he could
ssh into the instance and simply
curl any website that he wanted to access. Moreover, he could open up a SOCKS proxy with:
ssh -D 12345 username@host
With a SOCKS proxy at port 12345 locally, he could simply configure his browser to route all HTTP traffic through the proxy and therefore access web contents without any restrictions.
The Modern VPN Culture
Not everyone is as tech-savvy as my high school roommate, but every Chinese international student would like to check their Instagram feed while they are back home for Christmas break — without worrying about what VPS is. In fact, sometimes you just have to access Gmail from China to pay your tuition or even get your immigration documents.
So how do most people get around the firewall? They use established VPN services. There are a lot of existing VPN service providers who already set up all the remote servers for you. If you get on App Store and simply search for “VPN”, you can see dozens of VPN service providers. To use the VPN service, you just have to download that service provider’s App and simply press connect (or maybe you have to register an account first). Right after you press connect, the App will automatically attempt to connect your phone to one of its established VPS services outside of the country. Once it finds a stable connection, you will see a small “VPN” sign on the top of your screen, meaning that you can get Internet access.
Most VPN service providers will provide a free tier option where you can just click connect and instantly get low-bandwidth internet access (you might have to watch a few Ads). This might be enough if you just want to explore the outside world, wondering how Facebook works or trying to Google your most favorite actor. However, this bandwidth is just not good enough for heavy users who want to stream YouTube videos or click through every single Instagram story. Therefore most VPN providers will offer a paid membership (in fact, a lot of the VPNs now ONLY offer paid membership option) so you can spend $10 a month getting unlimited bandwidth from any of their provided servers.
My high school roommate enjoyed several months of undisturbed VPN service by just paying the operation cost of his VPS instance. By the time that particular Japanese VPS service was still pretty new — the firewall didn’t know about its existence yet. Months later the firewall sensed an unusual amount of encrypted network traffic going through that VPS’s IP Address. It suspected that people might be trying to proxy their internet traffic and access malicious web contents from there.
We all know the end to that story: that web service was then permabanned from the Mainland.
The Cat-and-mouse Game
Just like the mythical Hydra. You cut off one head, it may grow some more.
What will happen if AWS gets banned from the Mainland? People will switch over to DigitalOcean, Azure, or any other third-world web service providers whose names are yet to be known. And if those web services go down, people will start their own web services and keep challenging the firewall. As long as there is still a margin for profit, the Hydra never dies.
Nearly all the later VPN service providers are playing the same game — they open up a few servers with brand-new IP addresses (not much browsing or serving history). Then they set up VPN services on the servers and start to sell membership in China to those who crave to see the outside world.
Eventually, the firewall will discover all the mysterious traffic going to these foreign IP addresses and start to limit/shut down connections going to those servers. The providers are also smart — they will then switch to different servers and redirect all their previous users to the new servers. This week they could be in Singapore, next week all the traffic would get rerouted to Malaysia, the Philippines or Korea. It’s the ultimate cat-and-mouse game that every provider is playing, but all against the same cat — the firewall.
Even if the firewall bans every single foreign IP address eventually, the providers would already have made so much profit and it wouldn’t hurt if they just walk away. However, if any of the people involved in providing and profiting from VPN services are Chinese nationals, that means jail for them, unfortunately.
Second Wind: Can we find another way out?
If we strip away all the technical details and social impact of the VPN services, down on the bottom what people are really trying to solve is simply about how to convey information across a boundary that has a set of restrictions on the source or destination of the information.
If the root problem we are trying to solve is about conveying information, now we can apply a different context to it to make it more understandable and related. Imagine an ancient empire that prohibits any outgoing envelopes (REAL text written on Parchment papers) that are addressed to someone from a known list of troublesome recipients. How can one manage to write a letter to someone on that list, or even ask them how they are doing these days?
A typical solution would be, another third-party agency, most likely for profit, opens up a post office outside the country. People from the empire then wraps their original envelope in another envelope that is addressed to the post office. When their letters arrive at the post office, the letters will get unwrapped and redirected to their true destinations. Sounds a bit like the Trojan Horse. Moreover, if people are afraid that someone at the customs might open up the envelope and inspect the contents, they can simply obfuscate their message content under the post office’s instruction. So later the post office will decrypt the encoded text inside before rerouting them to the destinations. Even better.
However, let’s just assume the customs is getting more strict and actively inspecting the content in every envelope. The customs will find out that an increasing number of people have been writing letters to the same address (the address of the post office), and the inner content of those letters are just gibberish. This will definitely raise suspicion and eventually resulting in the post office’s address getting on that banned list.
You can begin to see the similarity between the post office and the current VPN service providers now. Eventually, this method will use up all the possible addresses out there and bring despair.
So what is the way out?
Although the ancient empire has a strict outgoing traffic policy, it has an extremely friendly tourism policy — all the foreigners are welcomed to browse and explore contents from the empire. They are also allowed to write letters to people from the inside. What if, instead of the inside asks for information from the outside, the outside can actively talk to the inside and asks whether they have anything to ask?
Let’s circle back from the analogy to the actual problem here: Anyone in the US won’t have much problem accessing Chinese web contents, such as WeChat, Weibo or Baidu. What if we actively connect to a Chinese server and that server brokers the connection to its local users? If this is possible, what we need to do is to reverse tunnel their network requests back to us and we can establish a complete connection between both sides.
I’ll pause my thought experiment right here for now. But let’s reconvene next time.