Code Blog

2016/02/20 VPN

So during the recent Chinese New Year it seemed the Chinese government let whatever bureau is in charge of internet censorship have a go at all VPN providers. I've been running PureVPN for over a year, and I must say performance has gone downhill most of the time. The PureVPN Mac client is also really bad, not very user-friendly at all; it's just a simple tool that sets up Mac VPN/dialup connections (using the Mac OS built-in functionality). Anyway, just before CNY PureVPN stopped working 100%.

I decided to try Astrill as some friends of mine use it and seem happy with it. It had much better performance than PureVPN and also a much better Mac OS client (same functions as the Windows client).

However, Astrill was only working for 2 days before that one was also blocked! Luckily I managed to find out via a forum post that the "Sweden 2" server for some unknown reason was still available, which made my CNY YouTube watching a lot better.

Anyway, all this made me think that it may be good to look for alternative solutions. After doing some research online I decided to give Shadowsocks a try. I used to use GoAgent before, which was working great, until Google servers all got blocked by China. Shadowsocks is pretty much the same thing as GoAgent.

Shadowsocks is a lightweight SOCKS5 proxy written in Python. It's open source, supports many encryption algorithms, is easy to install, and can be run from many hosting providers (I'm using Amazon Web Services).

A proxy auto-config (PAC) file defines how web browsers and other user agents can automatically choose the appropriate proxy server (access method) for fetching a given URL.
This is quite handy because you can have a PAC file that lists URLs blocked by the Chinese firewall, so you can minimize the amount of traffic going through the VPN. The Shadowsocks Windows client comes with a local PAC file, and it can also update its PAC online from GFWList.
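To make the PAC mechanism concrete, here is a minimal PAC file written as an added example (it is not the PAC shipped with the Shadowsocks client). The domain list is a constructed placeholder, and the proxy address assumes the local Shadowsocks client listens as a SOCKS5 proxy on 127.0.0.1:1080.

```javascript
// Added example: a minimal PAC file. Domains and proxy address are constructed placeholders.
// Assumption: the Shadowsocks local client listens as a SOCKS5 proxy on 127.0.0.1:1080.
var PROXY = "SOCKS5 127.0.0.1:1080";
var DIRECT = "DIRECT";

// Constructed sample list; a real PAC would be generated from a list such as GFWList.
var PROXIED_DOMAINS = ["example.com", "video.example.org"];

// True when host equals domain or is a subdomain of it. Matching on a label
// boundary keeps "notexample.com" from matching "example.com".
function hostInDomain(host, domain) {
  host = host.toLowerCase().replace(/\.$/, ""); // normalise case and trailing dot
  return host === domain || host.endsWith("." + domain);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Plain hostnames (no dots) and loopback stay local.
  if (host.indexOf(".") === -1 || host === "127.0.0.1") {
    return DIRECT;
  }
  for (var i = 0; i < PROXIED_DOMAINS.length; i++) {
    if (hostInDomain(host, PROXIED_DOMAINS[i])) {
      // No "; DIRECT" fallback: if the proxy is down, the request fails
      // instead of silently going out unproxied.
      return PROXY;
    }
  }
  return DIRECT;
}
```

Returning `"SOCKS5 127.0.0.1:1080; DIRECT"` instead would make listed sites fall back to a direct connection whenever the local proxy is unreachable, which defeats the purpose of listing them.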

Shadowsocks can use the ChaCha20 cipher (a variation of the older Salsa20 cipher), which seems quite popular (a relatively new cipher with fast performance), although the default AES-256-CFB should be plenty safe as well.

The Great Firewall of China (aka Golden Shield Project) is said to perform active probing of foreign servers and block them if they host VPN services. It is therefore important that the HTTP proxy is encrypted, but even this may not be enough. GoAgent used a technique called "domain fronting", a way of hiding/tunneling the traffic inside large Content Delivery Networks (CDN) that China would not like to block for economic reasons. This means a client is also needed for HTTP tunneling, as web browsers don't have this functionality.

The next step will be to try to run the client from an OpenWRT router.

VPNdada Shadowsocks guide
Great Firewall PAC (BASE64 encoded)
OpenWRT client