We crack open the technology that keeps 1.4 BILLION people walled in
Most people are familiar with China's widespread internet censorship. As VPNs are blocked there, it's hard for people in China to access the "outside world" online.
In this article, I share my personal experiences of trying to run a VPN service for users in China, as well as the general quality and speed of the internet there.
This is the first in a series of articles that dive deeper into the issues faced by internet users living in digitally oppressed regimes.
Is the Great Firewall of China a Great Myth?
We first launched our flagship desktop and mobile applications MysteriumVPN in 2018. The VPN was available to our Chinese users for 2 years following our launch.
This led me to the following conclusions:
- The Great Firewall (GFW), deep packet inspection and "learn, filter and block" for OpenVPN, UDP, or other restricted services don't really exist. Or, at least, they are not as sophisticated as we've been led to believe.
- Perhaps the reputation and mystery of the Great Firewall have been overestimated. Developers like to talk about it extensively, as it's an interesting challenge.
If it's the second point, the topic is likely wrapped up in a lot of rumors. This matters for our team as we build new anti-censorship tech from scratch.
In fact, Mysterium Network's p2p VPN is built across several emerging technologies, which meant we needed to prioritise early on in our development.
Our core focus has been bringing peer-to-peer payments into Mysterium Network. It's easy to get caught up in online rabbit holes (DHT and Kademlia, obfuscated transports), which is not ideal while building a VPN startup. We didn't place too much focus on fancy networking features, so as to avoid premature optimisation.
We stuck to a simple solution: an OpenVPN server and client plus REST APIs. This worked fine for our Chinese users for more than a year.
Image: VPN throughput for China users
Until one day I noticed a big drop in Mysterium Network Testnet health metrics:
Image: Simultaneous sessions from China
Making requests from China
What happened? And how could I debug and fix it? To find out, I first needed a way to reproduce the VPN connection from China. The tool ping.pe came in handy:
Image: Our domain records are being black-holed to unreachable machines
Here we have a window into how the GFW works differently from the regular internet.
While the rest of the world follows a standard practice when it comes to how the internet works, China has decided to create its own standard.
The "Great Firewall" as we know it is causing the DNS server to return an incorrect IP address for Mysterium's domain [https://testnet.mysterium.network/], which results in traffic being diverted and black-holed to unreachable machines.
This technique is referred to as DNS interference, DNS poisoning or DNS spoofing.
Verify the blocking technique
So, I thought, let's try to bypass DNS altogether and connect to our precious API via the IP address directly:
Image: The server is actually reachable via IP address
From this, the blocking technique of the GFW is clear: it is DNS poisoning and black-holing. It seems actual traffic can still pass through to our datacenter in Berlin.
Conclusion: When you are in China you can't trust DNS responses.
So, we know how to unblock ourselves: by bypassing the DNS altogether.
This creates clear steps for the Mysterium development team to be able to offer VPN service in China. All I have to develop is a feature to bypass DNS...
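To make the ping.pe debugging above repeatable, here is an added example (an illustration for this article, not Mysterium's code) that classifies each vantage point's observations. It checks the resolver's answer against the address prefixes we actually control and separates a forged DNS answer, where dialing the real IP still works and a DNS bypass fixes the problem, from the real address itself being unreachable, where a bypass will not help, and from a path that is merely lossy. The prefixes, the `PINNED` table, and the locations other than Jiangsu and Berlin are constructed placeholders; RFC 5737 documentation addresses stand in for real ones.

```python
"""Tell DNS poisoning apart from IP black-holing and plain packet loss.

Added example, not Mysterium's code. For each vantage point we record what
the local resolver returned, whether a TCP connection to the datacenter's
real IP succeeds, whether a connection via the hostname succeeds, and the
ICMP packet loss. All addresses are RFC 5737 documentation placeholders.
"""
from dataclasses import dataclass
import ipaddress
import socket

# Constructed: the prefix our datacenter really announces (placeholder).
TRUSTED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed: addresses pinned for the DNS-bypass feature (placeholder).
PINNED = {"testnet.mysterium.network": "203.0.113.10"}
LOSS_THRESHOLD_PCT = 20.0  # above this, treat the path as degraded


@dataclass
class Probe:
    location: str
    hostname: str
    resolved_ip: str        # answer from the vantage point's default resolver
    ip_reachable: bool      # TCP connect to the pinned IP succeeded
    host_reachable: bool    # TCP connect via the hostname succeeded
    packet_loss_pct: float  # ICMP loss toward the pinned IP


def is_trusted(ip: str) -> bool:
    """True when the answer lies inside a prefix we actually control."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PREFIXES)


def classify(p: Probe) -> str:
    """Map one vantage point's observations to a blocking category."""
    if not is_trusted(p.resolved_ip):
        # Forged answer: the resolver sent us somewhere we do not own.
        if p.ip_reachable:
            return "dns-poisoned"               # bypassing DNS restores service
        return "dns-poisoned+ip-unreachable"    # bypass alone will not help
    if not p.ip_reachable:
        return "ip-unreachable"                 # real address black-holed or down
    if p.packet_loss_pct >= LOSS_THRESHOLD_PCT:
        return "degraded"                       # reachable, but lossy
    return "ok"


def untrusted_answers(answers: dict) -> dict:
    """Given {resolver: [ips]} for one name, return the resolvers whose
    answers fall outside our prefixes. Resolver disagreement is the signal."""
    return {r: [ip for ip in ips if not is_trusted(ip)]
            for r, ips in answers.items()
            if any(not is_trusted(ip) for ip in ips)}


def connect_target(hostname: str) -> tuple:
    """DNS-bypass helper: return (ip, hostname) so the client dials the pinned
    IP but still presents the real name for TLS SNI and the Host header."""
    return PINNED[hostname], hostname


def tcp_reachable(ip: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Live check used to fill Probe.ip_reachable; not called in the offline demo."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample, modelled on the ping.pe screenshots in the post.
# Only Jiangsu and Berlin appear in the post; the other locations are placeholders.
SAMPLE_PROBES = [
    Probe("Berlin", "testnet.mysterium.network", "203.0.113.10", True, True, 0.0),
    Probe("Jiangsu", "testnet.mysterium.network", "198.51.100.7", True, False, 56.0),
    Probe("Shanghai", "testnet.mysterium.network", "203.0.113.10", False, False, 100.0),
    Probe("Guangdong", "testnet.mysterium.network", "203.0.113.10", True, True, 56.0),
]


def report(probes=SAMPLE_PROBES) -> dict:
    """Verdict per location, e.g. {'Jiangsu': 'dns-poisoned', ...}."""
    return {p.location: classify(p) for p in probes}


if __name__ == "__main__":
    for loc, verdict in report().items():
        print(f"{loc:10s} {verdict}")
```

`connect_target` is the shape of the DNS-bypass feature mentioned above: dial the pinned IP but keep sending the real hostname so certificate validation and Host-based routing still work. Pinning only helps while the address itself is not black-holed, which is exactly the case the classifier separates out as `ip-unreachable`.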
Packet loss is 56%. Seriously?
But still, I noticed something: why did one of the requests from my previous debugging fail (Jiangsu to Berlin)?
IMHO, there's nothing *wrong* here. It's actually the quality of the Internet itself. So I checked, by pinging this server:
Image: Quality of connectivity from Germany to various locations
Turns out my guess was right. While most of the world has good Internet connectivity to all locations, the exception is China, which has a packet loss of 56%. Seriously?
I can't even imagine how people are using such a slow service in our world of the "9-second attention span".
In my opinion, good Internet transport is important. It provides fast transactions for people and businesses, and enables overall economic growth. This is relevant across all public infrastructure (roads, railroads, ports) and the internet too.
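Since the verdict above rests on a packet-loss figure, here is an added example (not code from the original post) that parses the summary lines `ping` prints for several vantage points and flags lossy or dead paths, recomputing the loss from the transmitted and received counts rather than trusting the printed percentage. The ping output is constructed for this example in the iputils and BSD/macOS summary formats; Jiangsu's 56% mirrors the figure in the post, while the other locations, the target address and the RTT values are placeholders.

```python
"""Parse `ping` summaries from several vantage points and flag lossy paths.

Added example, not code from the post. Sample output is constructed:
iputils style for Berlin and Jiangsu, BSD/macOS style for Singapore.
The target is an RFC 5737 placeholder address.
"""
import re

SAMPLE_PINGS = {
    "Berlin": (
        "--- 203.0.113.10 ping statistics ---\n"
        "25 packets transmitted, 25 received, 0% packet loss, time 24012ms\n"
        "rtt min/avg/max/mdev = 0.312/0.401/0.655/0.090 ms\n"
    ),
    "Jiangsu": (
        "--- 203.0.113.10 ping statistics ---\n"
        "25 packets transmitted, 11 received, 56% packet loss, time 24601ms\n"
        "rtt min/avg/max/mdev = 210.118/310.400/812.337/150.221 ms\n"
    ),
    "Singapore": (
        "--- 203.0.113.10 ping statistics ---\n"
        "25 packets transmitted, 23 packets received, 8.0% packet loss\n"
        "round-trip min/avg/max/stddev = 150.212/161.550/190.301/9.874 ms\n"
    ),
}

# Matches both "11 received" (iputils) and "23 packets received" (BSD),
# and tolerates an "+N errors," field before the percentage.
SUMMARY_RE = re.compile(
    r"(?P<tx>\d+) packets transmitted, (?P<rx>\d+) (?:packets )?received"
    r".*?(?P<loss>[\d.]+)% packet loss"
)
# iputils prints "rtt min/avg/max/mdev", BSD ping "round-trip min/avg/max/stddev".
RTT_RE = re.compile(r"min/avg/max/\w+ = [\d.]+/(?P<avg>[\d.]+)/")


def parse_ping_summary(text: str) -> dict:
    """Extract counts, recompute the loss, and cross-check the printed value."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no ping summary line found")
    tx, rx = int(m["tx"]), int(m["rx"])
    computed = round(100.0 * (tx - rx) / tx, 1) if tx else 100.0
    printed = float(m["loss"])
    rtt = RTT_RE.search(text)
    return {
        "transmitted": tx,
        "received": rx,
        "loss_pct": computed,
        "printed_loss_pct": printed,
        # A truncated or edited summary shows up as a disagreement here.
        "loss_mismatch": abs(computed - printed) > 1.0,
        "rtt_avg_ms": float(rtt["avg"]) if rtt else None,
    }


def loss_report(samples: dict, threshold_pct: float = 20.0) -> list:
    """Return (location, loss_pct, rtt_avg_ms, verdict) rows, worst first."""
    rows = []
    for location, text in samples.items():
        s = parse_ping_summary(text)
        if s["received"] == 0:
            verdict = "unreachable"
        elif s["loss_pct"] >= threshold_pct:
            verdict = "lossy"
        else:
            verdict = "ok"
        rows.append((location, s["loss_pct"], s["rtt_avg_ms"], verdict))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for location, loss, rtt, verdict in loss_report(SAMPLE_PINGS):
        print(f"{location:10s} loss={loss:5.1f}%  rtt_avg={rtt} ms  {verdict}")
```

With real data you would capture each location's ping output (ping.pe gives you this from inside China without owning a server there) and pass the dict in; the `loss_mismatch` flag catches summaries where the printed percentage and the counts disagree.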
It is time for us to recognise that the internet is public infrastructure.
Why were the VPN APIs targeted and blocked by GFW?
So why was Mysterium VPN targeted? Actually, it was not necessarily the VPN that was singled out. The DNS zone *.mysterium.network, together with the VPN APIs, was black-holed. This was due to the naming convention of our VPN APIs (i.e. using mysterium.network subdomains) more so than any fancy blocking technique.
At this point in time, our communications strategy had turned more political. My hypothesis is that this was the cause of our VPN service being temporarily banned in China. (The good news: we'll be back up and running soon.)
Examples of our content:
- An opinion piece on the coronavirus cover-up: a closer look at internet censorship in China
- A general overview of the centralized vs. decentralized Internet, and why censorship sucks
- Geoblocking and its role in politics and economics
- Tor vs. VPN: what's the difference?
It seems our content was picked up by Chinese censors. Then China got mad at us for sharing these opinions, so they blocked us altogether.
What's up with your internet, China?
It might be that the Great Firewall of China is not so great. They censor sites for sure, but when it comes to sophisticated deep packet inspection, it might be that they just degrade the quality of service.
The Wikipedia article on GFW blocking methods somewhat confirms this:
Quality of service filtering: Since 2012, the GFW is able to "learn, filter and block" users based on traffic behavior, using deep packet inspection.[47] This method was originally developed for blocking VPNs.
So, what's up with your internet, China?
I will be sharing my journey on unblocking our VPN connection for China. Stay tuned on Twitter @valdas_da_coder. In the next article I will cover the challenges of buying a hosting server in Mainland China and how I tested the quality of service there.