What's up with China?

[gavstah]

Is anyone else having problems with connections from China?

All of a sudden I have a slew of users in China (different locations) who were previously able to connect, but now appear to be getting blocked?

I was under the impression that the SoftEther folks had the GFW problem solved? What's the story?

Please advise.

All good wishes,

Gavin

[Inverted Phase]

GFW may have blocked vpn gate server list according to chinese user's post.

[gavstah]

How does one go about getting their server(s) off of the vpngate list?

[rollingscissors]

You can still get the server list via mirrors. If you can't get in to subscribe, visit"

http://bunkerbustervpn.com/vpngate.html

There's a mirror list there, updated at the top and bottom of each hour. The GFW is quite fast these days! The Chinese are blocking OpenVPN servers within an hour of them going on line, mostly because OpenVPN developers have been slow to implement some form of protocol obfuscation. The GFW recognizes it, hits the server with a bunch of packets to check it, then hits all of the users with reset packets.

[internet freedom]

i tell you what's up with China. The CCP hates truth, criticism, and does everything it can to prevent it's people from seeing what it is really like. hiding the truth and denying people the right to use the internet as it was meant to be will never succeed.
A dying breed of out of touch cave men and women who want to stop Chinese people from knowing to much and becoming too knowledgeable. That is dangerous for the communist party, it threatens their total control. They will never win. Never ever give up your rights as free men and women. We pay a price for everything in life. That is why I am one of many many around the world who continue to help other in out own ways to beat OPPRESSION.

[gavstah]

Er, . . . . duh.

Pretty sure we're all aware of that, which is why china's such a huge market for vpn services.

Thanks for the rant though.

[gavstah]

+1 x 1000 to have an option to not get on the vpngate server list to begin with during server setup.

[Gene475]

I'm having some interesting problems too. Of course the OpenVPN connections don't work. I keep getting "connection reset" messages. L2TP doesn't work on most devices, but I'm having trouble tracking down a log file on my phone to see what the problem is. I also noticed a couple of times when I used the VPN Server Manager for longer than about 30 minutes I lost the connection. Then I found that my IP address was blocked. I know it was blocked in China because I tried pinging it from a Stateside SSH connection and had no problem. In China, "destination unreachable." The IP address of the server remains unreachable for a good 15 minutes, then it's fine. I tried this several times with the same result. Oh, I'm not using the domain name provided by SoftEther. I'm only using the actual IP address.

When I use the Windows SoftEther client I can't get a connection normally. I have another router set up with a PPTP connection and when I connect thorugh that router I have no problem getting through.

[maclag]

It's not just the servers list.
I receive the servers list mirror list by email and so I can see the servers list.

But it seems like the GFW also uses that list to block every single IP on it!

On the main page, it is written the list may purposely contain wrong IP addresses in order to prevent mass blocking. Is that done or is it just bluffing?
How about adding in IP from large Chinese companies, institutions and strategic partners with wrong descriptions, so that the blockers get slammed internally?

[suntzu_2010]

Yes, PLEASE. Add services like Sina, QQ, and Alibaba to the list randomly. The obfuscation process of the list needs to by dynamic enough that "no one" is confident to add it to the global ban list. Randomly populating the list with "high value sites and services" that are important to Beijing may help...

+1,000,000,000 to the please obfuscate the list...


suntzu

[rollingscissors]

suntzu_2010 wrote:
> Yes, PLEASE. Add services like Sina, QQ, and Alibaba to the list randomly.
> The obfuscation process of the list needs to by dynamic enough that
> "no one" is confident to add it to the global ban list. Randomly
> populating the list with "high value sites and services" that are
> important to Beijing may help...
>
> +1,000,000,000 to the please obfuscate the list...
>
>
> suntzu

I got a kick out of that. Yes, let that dumbass GFW pummel the hell out of billion dollar internet businesses in China. But there's one flaw: the GFW probably has a whitelist / blacklist system where certain IPs are immunized against blocking. Perhaps you can make them block Weibo for a while, then Weibo gets whitelisted.

If you really want to beat those denisovan clowns, put up so many new servers that they can't keep up with them. Change to new IPs after a couple of hours and make them work very hard to keep up. Obfuscate the connections to make it hard for the GFW to recognise VPN packets. Kill the GFW with complexity beyond its capabilities.

[suntzu_2010]

This project looks interesting:
https://github.com/bigeagle/gohop

Perhaps SoftEther can add some concepts like these?

/s

[maclag]

> If you really want to beat those denisovan clowns, put up so many new servers that
> they can't keep up with them. Change to new IPs after a couple of hours and make
> them work very hard to keep up. Obfuscate the connections to make it hard for the
> GFW to recognise VPN packets. Kill the GFW with complexity beyond its capabilities.

Won't work.

Let's not be naive. The system now most likely use the very same servers list as legit users. Therefore it will be able to track any new IP address and block it at once.
The project stipulates you can't get the list from all servers in the world at once, just some of them, in order to prevent mass censorship of all servers.
This actually plays against users (us) and in favor or large organization (GFW).

China has embassies all around the world and can easily setup a script that fetches the list every 5 min from all countries at once. So China has an easy access to the full list of servers with a very quick update.

If they also maintain a white list, then VPNGate folks need to be creative about what IP they may have forgotten that could be a real harm to highly ranked people and large local companies.

That said, another characteristic of the GFW is it's split and decentralized: the list of blocked servers may be different from one ISP to another, and from one city to the next with the same ISP. It's difficult to figure out what is centralized and what's not. So maybe they don't block VPNGate the same way everywhere, and all tactics will work on some location and not others.

We need to try!

[suntzu_2010]

What about obfsproxy being built into SoftEther? Or should this be kept separate? If separate does anyone have any idea about best practice setup with SoftEther to prevent blocking of VPN access?

/s

[thisjun]

Please close default port and disable NAT-T , L2TP/IPsec and OpenVPN.

[suntzu_2010]

What has been tried and is now being blocked actively by Topway in Shenzhen:

- Tried with NAT-T disabled (no longer working)
- Tried with L2TP and with it disabled (no longer working)
- Tried with L2TP and OpenVPN distabled only using SSL/HTTPS (no longer working)
- Tried with SSL/HTTPS (no longer working)
- Tried with port 443 (no longer working)
- Tried with port 8888 (no longer working)
- Tried with port 992 (no longer working)
- Tried with port 5555 (no longer working)
- Tried with IPV4 over IPV6 tunnel (no longer working)

Any more ideas?

[neoe]

suntzu_2010 wrote:
> This project looks interesting:
> https://github.com/bigeagle/gohop
>
> Perhaps SoftEther can add some concepts like these?
>
> /s
I tried gohop yesterday, It not work at all.

[gavstah]

What should be an option during setup is to disable the DDNS feature right away. Right now, you're forced to add your new server as a DDNS host.

Granted, I disable DDNS as soon as I can in the setup process. But no way of telling if the damage has already been done.

Unfortunately, there's no command line option for this either - if they'd add something like ServerDDNSEnable for the command line, this would make it quite simple to do during installation.

[thisjun]

I think that you should un-plug your network cable when you install Softether.

[fun69]

Hmm. what are you saying? Each time Soft ether client is installed IP is added to that list?

Kinda makes 0 sense. Or you saying that chinese firewall soft can somehow detect VPN traffic?

I used open vpn soft from china works slow but does work :D

Pls share more details especially fixes.