VPN and China

stoofa · 22 Jan 2013 at 09:39

We have an OpenVPN server sat in our UK office. People on their travels connect to this and it has proven to be absolutely excellent.
People connect to it from all over the world.....or rather they did.....until recently.
China have basically closed their borders down to VPN connections and people visiting China can no longer connect.

Has anyone else run into similar problems and if so what was your solution?
Anyone know of any other VPN services/packages that we could use for people who are in China and need a VPN connection to our offices?

Ta

MasterPlan1 · 22 Jan 2013 at 10:02

I'm sure the chinese have thought of this, but I'm not up to date on the latest on the great firewall... But can they connect through 443 to OVPN whilst there?

stoofa · 22 Jan 2013 at 10:36

I think the issue is that the latest developments with the firewall means that UDP traffic is detected and then blocked.
I've found a company called "Strong VPN" who still have their services working, however I cannot get a straight answer from them with regards:

Establishing a China > UK link to their VPN server
Launch OpenVPN so it's "in effect" running over their VPN connection.

I don't think they are avoiding my question, rather not exactly answering what I want to know

I may have to buy their 7 day trial and see how it goes.

ruffneck · 22 Jan 2013 at 10:54

SSL VPN should work as its essentially just TCP 443 traffic

MasterPlan1 · 22 Jan 2013 at 11:02

That's what I thought... It's also what I use at work to connect to my home network, slightly naughty split tunneling, but oh well!

stoofa · 28 Jan 2013 at 15:03

Hummm, still no go on this one.
Our VPN link from China to Sweden has now gone down - been running for two weeks but the firewall has now blocked it.
We are already running OpenVPN over TCP443 - so trying to piggy back onto the standard SSL port is not working - the China firewall is just too clever for that!
So I guess it's time to see if we can create a VPN tunnel inside a VPN tunnel - we're just running out of options now.

Skidilliplop · 29 Jan 2013 at 22:06

ruffneck said:
SSL VPN should work as its essentially just TCP 443 traffic

Used to be, most next gen firewalls can SSL Decrypt and see that it's tunnelled traffic and block it. Given the level of cheap resource china has to throw at tech, you can bet this is well within their means.

One thing you could try is see if it's a complete blockade or just vs the west, and rent a dedi box in somewhere more friendly with the chinese in political terms. Then leapfrog your VPNs from there.

Another thing you could try is IPv6 with IPSec enabled. That doesn't actually need to tunnel thus might be ok.
I suspect the main reason for blocking tunnels out is people using it to proxy traffic from the west to view sites they don't want them to.

richard smith · 30 Jan 2013 at 06:34

Weird this. We have two offices out there (Beijing and Shanghai) and we can access them fine (well, as good as normal - drops are common as is unexplained packet loss).

We're using Cisco DMVPN.