Blog

The current state of penetrating the Great Firewall is basically what you'd expect: a bunch of half-abandoned projects with partially written documentation. As a bonus, some of it is in Chinese.

The current set of projects worth looking at are

• v2ray
• shadowsocks
• trojan

You'll generally see support for these in client apps. On iOS in particular, I settled on OneClick, which supports all 3 (v2ray's primary protocol is "vmess").

I have not messed with trojan at all. Also, v2ray supports the shadowsocks protocol, so I would recommend just dealing with v2ray. If you go the shadowsocks route, see GFW Report's configuration advice.

Other projects of interest include

• geneva (no mobile support)
• Jigsaw/Outline (shadowsocks wrapper)
• gfwlist (client list for split tunneling)
• ShadowsocksX-NG (macOS ss client with gfwlist integration)
• Clash (macOS ss and vmess client; no out-of-the-box gfwlist support)

This is a great line from the gfwlist README:

don't ask us what a wall is, it's not a continuous vertical brick or stone structure that encloses or divides an area of land

Options you should not consider are

• an SSH tunnel
• OpenVPN/wireguard/strongswan

See mrb's famous blog post to understand why. In particular,

the GFW is unmistakably able to exploit side-channel leaks in TLS such as packet sizes in order to detect the "TLS within TLS" characteristic of secure web proxies

Remember that your goal is evading detection. The goal of SSH and most VPNs is to protect your data through encryption. You are generally not worried about this because the websites you access with sensitive data use TLS anyway. (Even outside China, you wouldn't want to type a password into a plain HTTP website.) For this reason, using a paid VPN service like ExpressVPN is an acceptable solution from a security perspective, despite the fact that the CPC may be able to see your traffic. In my personal experience, it dropped all the time, so I'd only consider it a backup.

Testing

I set up v2ray and shadowsocks-libev on a VPS. To test my configuration before going to China, I spun up an instance on Aliyun and confirmed that I couldn't hit Google.

# curl https://google.com/
curl: (35) OpenSSL SSL_connect:
Connection reset by peer in connection to google.com:443

I struggled to get a shadowsocks client running. I initially installed the shadowsocks python implementation

# pip3 install shadowsocks
Looking in indexes: http://mirrors.cloud.aliyuncs.com/pypi/simple/
Collecting shadowsocks
  Downloading http://mirrors.cloud.aliyuncs.com/pypi/packages/02/1e/
  e3a5[...]b4a/shadowsocks-2.8.2.tar.gz (36 kB)

Deciding I probably didn't want to use that package, I downloaded it locally from pip and scped it over. However, that led to

# sslocal -v -s [...] -p 8388 -l 1080 -k [...]
2022-07-16 04:41:10 INFO     loading libcrypto from libcrypto.so.1.1
Traceback (most recent call last):
  File "/usr/local/bin/sslocal", line 8, in <module>
    sys.exit(main())
  [...]
  File "/usr/lib/python3.9/ctypes/__init__.py", line 392, in __getitem__
    func = self._FuncPtr((name_or_ordinal, self))
AttributeError: /lib/x86_64-linux-gnu/libcrypto.so.1.1:
undefined symbol: EVP_CIPHER_CTX_cleanup

Giving up on that, I downloaded v2ray-linux-64.zip locally and scped that over. After configuring it to be a client, it seemed to basically work.

# curl --proxy socks5h://localhost:1080 https://google.com/
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

2024-02-23 Update

The v2ray worked for a while but then connectivity became spotty. My server probably got probed (see the GFW Report link above).

Google Fi was very reliable the whole time and I'd strongly recommend that if you're coming from the US.

In the future, I'd probably try Hysteria. I heard it worked with Streisand.