It is a well-known fact that the Government of China is fighting against censorship circumvention methods and some recent Great Firewall upgrades have made many VPN services essentially useless. Accessing the “free” Internet from China is much difficult that it was a few years ago and many users there are facing a hard time in this battle in order to find VPN protocols and services that would still allow them to get past the Great Firewall blocking. To find out more about how the Internet blocking works in China, check our detailed article: VPNs & Internet in China: Everything you need to know
Strictly speaking of VPN protocols that are still working in China, these are our findings and recommendations:
WireGuard is quite new but it’s being supported by several VPN services. It doesn’t support obfuscation and its handshakes can be recognized by the GFW, but it isn’t blocked yet. In case it’s blocked, that’s most likely because of using its default port 51820. Change port to a different one, if your VPN service provider allows it or if you run it on your own servers.
IPsec (L2TP, IKEv2)
Just like PPTP, it is not entirely blocked in China and it can be used as long as the VPN servers of your provider are not blocked per-IP/hostname basis.
The good thing about both PPTP and IPsec is that they are compatible with most operating systems including those for mobile devices. Setting up a connection is very easy and it’s good to try them if you use a smart phone or tablet in China.
OpenVPN (using obfuscation)
OpenVPN is usually blocked as the initial handshake, required to establish the VPN connection, can be identified by the Great Firewall and blocked instantly. To use OpenVPN in China, obfuscating methods are needed so that the handshake can’t be detected. This is possible by using TLS preshared keys, stunnel or SSH proxying and custom obfuscating methods. There are a few VPN service providers using obfuscating methods to hide the OpenVPN connections, such as: vpn.ac, , ExpressVPN, VyprVPN, Astrill
Using a SOCKS5 proxy over SSH still works well in China, and you can setup one on a personal VPS. Instructions: SSH & SOCKS5 tunnel howto. Some VPN services provide support for SSH/SOCKS5 but it’s likely better to use your own, if you are capable of setting it up.
Shadowsocks is a secure proxy protocol that works very well in China, but you need to set it up yourself: easy if you are a technical guy, not really an option otherwise. Though you can still find VPN services that provide ShadowSocks support and guides on how to use it.
SSTP is a Microsoft VPN protocol that works over port 443 and it’s hard to be blocked by the Great Firewall as “it looks” like normal HTTPS traffic. There are a few VPN services that support SSTP, and if you are a tech savvy able to setup your own server, you should use SoftEther which has built-in support for SSTP among other protocols.
If you are looking for a reliable VPN to use in China, ExpressVPN is rather good. See our recent testing article (February 2017) ExpressVPN in China. Unlike most review sites that recommend it but only list features, we tested it from China directly.
While it is an insecure protocol and can be easily compromised by 3rd parties able to snoop on traffic (the Chinese Government in this case), it is still working for many users in China. Considering the fact that it is insecure, don’t use it for sensitive transfer of information or, if you do, make sure that the services you use over PPTP, like webmail, always use HTTPS.