VPNs & Internet in China: Everything you need to know

Internet censorship is a serious problem, and people living in (or traveling to) China experience it directly. For this article, we spoke with two users from China and with two VPN providers who are experienced in getting around the Great Firewall of China.

The speed issues

One of the widely asked questions is: Why is the Internet so slow in China?
Domestic broadband connections in China can be quite fast, but one should not expect the same speed past the borders. Local and international connectivity are different things. In fact, international connections are usually extremely slow. A few factors cause this, and we detail them below.

Bad peering and routing

In China there is an ISP monopoly consisting of 3 state-owned communications companies: China Telecom, China Unicom and China Mobile. For international connectivity to be fast and reliable, the interconnection (or “peering”) between them and other network operators has to be solid. The problem is that they will not peer with international network carriers for free, and they charge a huge amount of money for peering. Peering costs are higher in nearby regions, meaning that a direct connection to Hong Kong is much more expensive than peering with the Chinese ISP monopoly overseas. That translates into low-bandwidth peering with neighboring countries, hence the slowdowns when connecting to VPN servers near China, even if the latency is good.

Since Internet peering and transit costs to China are very high, many hosting/VPN companies don’t have direct routes to Chinese ISPs even though they are located in neighboring countries. Without direct peering, their connections are routed all the way across the Pacific and then back to the neighboring country.

Speed throttling and bandwidth manipulation

Not only is the peering bad, but the Chinese ISP monopoly is also known to manipulate bandwidth and throttle connection speeds. They do it to force corporations to pay more for extra bandwidth or special packages that provide better international speed. The unreliable and slow Internet connections cause huge business losses to companies that require reliable and fast Internet access in China. The Chinese ISPs know that and exploit it for financial gain, and often the affected companies have no choice but to pay the extra price for better connections.

Network congestion and bottlenecks

China is the country with the most Internet users in the world, around 600 million users. That means that the bandwidth capacity has to be large enough to provide them with a satisfactory Internet experience. As already pointed out, the capacity is just too low, which results in network congestion, especially during peak hours (in the evening) when most users are online. This congestion occurs for both international and local connectivity.

The Internet blocking/censorship issues

As if slow Internet wasn’t enough, get to know what’s even worse: the censorship.


DNS censorship

DNS requests are censored by the ISP monopoly using a method called hijacking (or poisoning), which resolves “blocked” hostnames into unrelated IP addresses. For example, a DNS lookup for a VPN service in USA resolves to some IP address in Mexico. They aren’t blocking the DNS requests, meaning that you can still use whichever DNS service you want, but the replies coming from the DNS service are hijacked on the fly for the “blocked” domains/hostnames.

IP addresses blocking

DNS blocking is not fully effective, because people can use the IP address of a blocked website directly instead of querying the DNS name of the website. In that case the Great Firewall will block the IP addresses. This type of blocking is common with VPN, Tor and proxy servers.

Protocol blocking

The Great Firewall uses a method called DPI (Deep Packet Inspection) to analyze all inbound and outbound traffic in real time. The technology can be compared to an anti-virus, which relies on signatures plus heuristic/behavioral and statistical analysis to identify and flag protocols that are not allowed. VPN protocols use encryption to secure the data transmitted over the Internet, and the DPI system can identify and block most types of VPN tunneling protocols. The most affected VPN protocol in China is OpenVPN in its default configuration. OpenVPN can still bypass the Great Firewall if its handshake is hidden so that it can’t be seen and blocked by the GFC.

Other VPN protocols that still work in China quite well are PPTP and L2TP/IPsec.


The solutions

Traveling to China? Be prepared

If you are traveling to China, install a VPN before you leave. Once you get there, it will be hard to find one, as most VPN websites are blocked. Before you sign up, ask the VPN provider if the service is working in China, do some research online and see what their users in China say. Google Play is blocked in China, so if you have an Android device, install the VPN client before you go. Most VPN providers support OpenVPN, so install OpenVPN for Android. If you are already in China and you no longer have access to Google Play, ask a friend to download the APK file for you, or to install it on their phone and back up the application, which will export it in APK format. iOS user? You are no exception: prepare your device before you leave for China.

VPNs and the international speed issues

As pointed out in the first part of the article, connection speeds are a big problem in China. Some VPNs can actually improve the Internet speed out of China, as long as their servers have good peering with the state-owned ISPs in China.

It’s worth noting that the geographical location of VPN servers is not too relevant when it comes to peering quality and bandwidth speed. Essentially, that means that even if a VPN has many servers in countries near China, peering to those servers can be worse than it could be from China to USA. Due to high peering costs, many hosting companies near China (for example in Hong Kong) would not peer directly with Chinese ISPs, so the traffic would be routed all the way to the US and back to Hong Kong, resulting in worse speed than you’d normally expect.

Run some ping and traceroute tests from China to the VPN servers that you want to use, and see if the latency is good. For example, if the ping reply from Hong Kong or Taiwan VPN servers is over 100ms, it means that the peering is bad and the packets may be routed via US and Japan first. Direct peering from China to a neighboring country should result in ping replies of around 50-70 ms. Packet loss indicates congested networks and other issues. Use WinMTR on Windows or run the `traceroute` command directly from the terminal on Linux and macOS.

Ping replies indicating network quality/issues

China to US West:
150ms to 180ms – very good, 180ms to 230ms – good/average, over 230ms – bad

China to Europe:
250ms to 330ms – very good, 330ms to 360ms – good/average, over 360ms – bad

China to Japan:
30ms to 100ms – very good, 100ms to 200ms – good/average, over 200ms – bad

China to Hong Kong:
30ms to 80ms – very good, 80ms to 130ms – good/average, over 130ms – bad
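The ranges above applied to real ping output, as an added example that is not part of the original article: the script reads the summary lines that ping prints on Linux or macOS and rates the route. The region keys and the sample outputs are constructed, and averages below a range's lower bound are assumed to count as very good.

```python
import re

# (very good, good/average) upper bounds in ms, taken from the ranges above.
THRESHOLDS = {
    "us-west": (180, 230),
    "europe": (330, 360),
    "japan": (100, 200),
    "hong-kong": (80, 130),
}
LOSS_RE = re.compile(r"(\d+(?:\.\d+)?)% packet loss")
# Linux prints "rtt min/avg/max/mdev", macOS "round-trip min/avg/max/stddev".
RTT_RE = re.compile(r"min/avg/max/\w+ = [\d.]+/([\d.]+)/")

def parse_ping(output):
    """Return (average RTT in ms or None, packet loss in percent)."""
    loss = LOSS_RE.search(output)
    if loss is None:
        raise ValueError("no ping summary found")
    rtt = RTT_RE.search(output)    # absent when every probe was lost
    return (float(rtt.group(1)) if rtt else None, float(loss.group(1)))

def rate_route(region, output):
    """Rate a route from China to `region` using the article's ranges."""
    avg, loss = parse_ping(output)
    if avg is None:
        rating = "unreachable"
    else:
        very_good, average = THRESHOLDS[region]
        rating = ("very good" if avg <= very_good
                  else "good/average" if avg <= average else "bad")
    # The article treats packet loss as a sign of congestion or other issues.
    return {"avg_ms": avg, "loss_pct": loss, "rating": rating,
            "congested": loss > 0}

# Constructed sample output (203.0.113.0/24 is a documentation range).
SAMPLE_HK = """\
--- 203.0.113.5 ping statistics ---
10 packets transmitted, 9 received, 10% packet loss, time 9012ms
rtt min/avg/max/mdev = 148.210/162.437/190.002/12.118 ms
"""
SAMPLE_US = """\
--- 203.0.113.80 ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 155.1/171.9/201.4/9.7 ms
"""
```

The two samples have nearly the same average latency, yet the Hong Kong route rates as bad and the US West route as very good, which is the pattern the article attributes to Hong Kong traffic being routed via the US.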

The expats in China that we talked to said they get the best speed with VPN servers in Japan, Singapore and West Coast USA. OpenVPN on TCP ports with obfuscation methods works better than on UDP ports, as it seems that UDP traffic often gets throttled or blocked completely.

Also note that not all West Coast is the same. There are many international network carriers and only a few of them have good peering with China. The best locations to use in USA are those where the hosting providers have direct peering with China Telecom/Unicom and large transit providers with very good peering in Asia such as NTT, PCCW, Level 3. You can check the providers based on the server IP’s AS number at bgp.he.net. Results in traceroute also reveal what carrier is used for traffic transport.

Using VPNs with good peering is not the ultimate solution to get a faster connection. Even those can be affected by the usual network problems and congestion. Try using the VPN at different times of day, and if the speed is better around certain hours, change your daily routine so you can benefit from that time frame.

VPNs and DNS/IP blocking

Some VPNs that work in China will use other addresses for their websites and the VPN servers, in case the main ones get blocked by the Chinese government. Ask before you sign-up if they provide separate addresses for users in China and what they can do if their service gets blocked (like rotating IP addresses and changing hostnames).

Use non-standard VPN protocols to bypass the Great Firewall

OpenVPN doesn’t work in China if it is configured in default mode. You have to use tools that will hide its traffic signatures. If you are a technical person and run your own VPN, look into setting it up with obfsproxy, over SSH or over stunnel.

Non-technical users should look for VPN services that use techniques to hide the VPN handshake and run OpenVPN on ports normally used by other protocols, like HTTP, HTTPS, IMAPS.

Standard protocols that may work very well for some users in China are PPTP and IPsec. Try them.
Switch between protocols, servers and ports from time to time. It may work well.

“Paying money” vs. “wasting money”

Don’t sign-up with a VPN by paying for a full year in advance just because they claim it works in China or because it worked well during the first days. Forget the attractive discount for yearly payments. The GFC is being constantly improved to block encryption and many VPN services that have been working great in the past years in China are blocked today. It’s common sense to expect this trend to continue in the near future and this is a reason why you might need to change the VPN provider in a few months.

Final words

Unfortunately, the government of China seems quite determined to effectively cut China off from the Internet. For each big international service (Google, Facebook, Twitter etc.), there is a Chinese equivalent that works within the mainland. By blocking foreign Internet services, they are forcing people to use the alternatives that are controlled by them. VPNs still work in China and they are the only way to reach the “real” Internet, but you shouldn’t expect the same experience as in other countries. Connections in China can be blocked, slow and unreliable and can cause lots of frustration, and there is not much to do about it. Ask around, read opinions, stay up to date with methods to unblock content in China. Remember that the only one to blame for the bad Internet experience in China is the Chinese government. Not the VPN providers, not the hosting companies, not the international network carriers.

Do you have any tips for VPN users in China? Share them in the comment section.

36 thoughts on “VPNs & Internet in China: Everything you need to know”

  1. The “Paying money” vs. “wasting money” section might be most useful to non-tech lay users in China. For example, VPNinja used to work great a couple years ago, but now their servers can barely stay connected for more than a minute at a time. Astrill, the most popular VPN among China expats, has a hundred servers to choose from, and many of them work in China. But the downside to Astrill is that it is being abused by international spammers, so now many western sites (e.g. Google) treat any login via an Astrill server as suspicious and make you jump several verification hoops, or simply block it (like Yelp has).

  2. Thank you for explaining into detail. I always thought Hong Kong is the best VPN to connect in China but now I tested and indeed there are better locations! I use Astrill. What are other VPNs that work in China?

  3. Thanks for the article, I find L2TP/IPSec works well for me, for some reason it didn’t work with HMA/PIA or PureVPN but it works with TorGuard. Shadow socks also works well but can be a little slow at times.

      • I might add that Cisco AnyConnect also works great (after all Cisco helped them build the GFW) along with IKEv2. I use Torguard’s IKEv2 that’s listed for the Windows Phone but works great in China on Android with strongswan in all parts of China I have visited.

        • Really, your strongswan IKEv2 VPN is working?

          Here I have strongswan server successfully and other clients from other countries tested with it and confirmed it’s working greatly.

          But just I couldn’t have it working.
          I could connect to the server successfully, but after that, my traffic is blocked.

          One person from other part in China told me his connection is working well and I confirmed it.

          Could you advise me why it’s happening?
          Maybe, it’s my ISP issue?

          I also tried to use other working servers but they are never working for me.
          I look forward to your help
          Ding

  4. Does anyone have experience with Doujia VPN? I installed and used for two days and it worked great, but then disappeared. Apparently McAfee found that it had an Artemis trojan. After searching online, it’s not clear if this is a false positive. Any knowledge out there?

  5. There is a Facebook group: Google in China – https://www.facebook.com/googleinchina
    They publish some up-to-date information for the connectivity. The VPN solutions are always viral because it’s a never ending cat and mouse game. If it even works from China, then the other services block you (or make extended verification every single day you try to use it – because as it was already said in comments here, all the VPN servers are extensively used by spammers and cheaters).

  6. Very insightful article! I wish I knew all of this before jumping from one VPN to another, expecting speed to be better lol
    Astrill worked fine for almost a year, PureVPN was terrible during my one month service. PIA couldn’t connect a single time. I have been using ExpressVPN since November and it has been working quite well both on my Mac and iPhone.

    • not working too well for me lately, it’s been hit & miss. 2 years ago it was better, but they had many problems in times of major VPN crackdowns. I see they are still advertised on all sites as the “best VPN in China”

  7. I am doing my homework before taking the plunge into the VPN world.
    I am already in China but am going to Hong Kong in coming days.
    What is the best VPN currently at 18 April 2018? Can I organize it while in HK?

  8. Try lethean. It’s a decentralized marketplace for VPN providers. You can select from a list of individual hosts from different places. They do not keep logs so are more anonymous than other VPN solutions.

    Try it today. Visit lethean.io and check the project out.

  9. First of all, very nice article, I like some details I hadn’t read before. It’s old but gold 😀

    About VPNs now, the blockchain eruption brought some nice utility coins. A few of them are offering/planning to offer decentralized p2p VPN. A few of their advantages against commercial VPNs is that the exit nodes are operated by random users around the world so IP blocking is almost impossible. Moreover the exit nodes are customizable so you can hide the VPN handshaking that is mentioned in the article.
    I personally use Lethean VPN (I’m not in China) which now has a browser VPN and I’m very pleased with the experience. One extra advantage is that because the technology is new, the price is ridiculously low.

  10. I’m going to China next week. Already sorted myself out with a NordVPN subscription. I’m positive it’s gonna be working as expected. Anyone else looking to get Nord can use a discount code ‘HAPPYNORD’, that’s what I’ve used. You’re welcome and stay safe!

    • If by “expected” you mean: will not work well, then, yes, it’ll work like that.

      NordVPN is not good for China. ExpressVPN and Astrill would be better choices. Better still would be setting up a Trojan or any of the other methods discussed here.

  11. Excellent resource! I always thought that my local speed should be the same when connecting to a VPN out of China. I am now disappointed but more knowledgeable at the same time lol.
    Weekends are most terrible. I checked with no VPN enabled visiting sites in the US that aren’t blocked and they are so sloooow

    If you have more info on what is the internet and VPN situation in China, I’ll be grateful. Cheers and stay safe wherever you are!
