Web in China
May 25, 2005 11:11 PM Subscribe
Much to my surprise, I have been given a visa to visit ol' zhongguo (china) for a few months (i'll be doing research on minorities).
I would like to be able to surf the net anonymously but I'm a bit of a nOOb when it comes to proxy servers and what not. I remember seeing a similar question on slashdot but answers said things like "Just ssh into ..." I know what ssh is, etc. but i'm not sure how to use a proxy through ssh. can anyone give me some basic instructions?
I would appreciate help. Comments like "Don't go to China if you don't want to obey their rules!!!" or whatever are less appreciated.
Thanks!
Response by poster: Yes.
No penalty for non citizens. doing any political activity, etc. is gets you a free stay at the public security bureau for a couple days and an escort to the airport :>
posted by hurting.the.feelings.of.thechinesepeople at 11:55 PM on May 25, 2005
No penalty for non citizens. doing any political activity, etc. is gets you a free stay at the public security bureau for a couple days and an escort to the airport :>
posted by hurting.the.feelings.of.thechinesepeople at 11:55 PM on May 25, 2005
I live in China and i used to use Anonymouse. but that seems to have been blocked itself in the past few days. This looks like a good list of web based proxies. It's not to hard to find a proxy list if you google "anomyous proxy" which might be necessary since the chinese government is always actively blocking new proxy sites.
It's hard to tell what exactly the gov't's plan is, lately they seem to be blocking just for specific content they find dangerous while they used to block whole sites. For instance last year all of the BBC's sites were blocked but now it is readable. All blogspot sites are still blocked.
Do you really need to use a proxy in China? If you go to an internet bar they are supposed to ask for your passport, but outside of beijing nobody is very strict about this and even in Beijing I was able to play the "i'm a stupid foreigner " card and pretend i didn't have my passport. So you can usually surf anonmously anyway.
Furthermore, unless you really want to check up on your friends blog or read up on some fa l*n gong news, you aren't going to have very much trouble. The CCP is much more worried about keeping it's own citizen in check then watching over brief visitors.
posted by afu at 6:00 AM on May 26, 2005
It's hard to tell what exactly the gov't's plan is, lately they seem to be blocking just for specific content they find dangerous while they used to block whole sites. For instance last year all of the BBC's sites were blocked but now it is readable. All blogspot sites are still blocked.
Do you really need to use a proxy in China? If you go to an internet bar they are supposed to ask for your passport, but outside of beijing nobody is very strict about this and even in Beijing I was able to play the "i'm a stupid foreigner " card and pretend i didn't have my passport. So you can usually surf anonmously anyway.
Furthermore, unless you really want to check up on your friends blog or read up on some fa l*n gong news, you aren't going to have very much trouble. The CCP is much more worried about keeping it's own citizen in check then watching over brief visitors.
posted by afu at 6:00 AM on May 26, 2005
Best answer: do you have a computer outside china that is permanently connected to the net, and on which you can run software? if so, i would:
i don't know how you can use just ssh to solve your problem. it seems to me you need a proxy as well. but i'm just thinking on my feet. someone else might have a better idea.
posted by andrew cooke at 6:36 AM on May 26, 2005
- if the external machine is on a cable modem connection, get it registered with dyndns,org (free) so that you can connect to it even when the dhcp address changes (the ip address of computers on cable modems changes from time to time, so you can't just use the numeric address. dyndns provide a way to work round this).
- if you know you will be using windows xp on both machines (the one outside china and the one you are using directly), using remote desktop to log in to the external machine and then open a browser there. you need to configureremote desktop on the external machine correctly before going to china. this gives you a "screen" on the computer's display in china that is the desktop of the external machine. check that remote desktop uses secure encryption!
- if you know you will be using unix on both machines, try using X across the nextwork. i'm unsure how well this will work and unsure how secure it is. i suspect you could use ssh to make it secure.
- if you have unix on the external machine, learn how to use lynx and ssh across. surf the web using lynx (text only).
- install a proxy on the external machine, password protected and accepting ssl connections. configure the machine in china to use the external machine as a gateway.
i don't know how you can use just ssh to solve your problem. it seems to me you need a proxy as well. but i'm just thinking on my feet. someone else might have a better idea.
posted by andrew cooke at 6:36 AM on May 26, 2005
Best answer: So, I actually wrote OpenSSH's proxy support system. The best way to do what you describe involves:
1. Having a server in the states you can communicate with over TCP/22
2. Running: ssh -D1080 user@host
3. Setting the SOCKS proxy on your local system to 127.0.0.1:1080. Now, almost all traffic will route through the SSH session. This works for IM and a couple other things.
However.
1. I can't guarantee it's possible to SSH at all out of China. There are stunts you can pull involving SSH over HTTP, or (much) worse, but you're behind the Great Firewall. Don't mess with it.
2. I can guarantee that the above solution (still) leaks DNS traffic, so the firewall will still know what sites you're going to. Blame Firefox; they still refuse to fix this.
If you're on a Windows machine, the best way to get SSH up and running is to install Cygwin (http://www.cygwin.com/setup.exe is your friend). Specifically check off that you want OpenSSH installed -- it's not downloaded by default. Alternatively, you can use the dynamic forwarding support thats been added to PuTTy, a native SSH client for Windows. It's in the tunnel screen -- just set a dynamic forward on port 1080; you don't need to specify a destination (that's why it's dynamic).
At many internet cafes, this link pops up PuTTy for you. Heh, if ActiveX is going to be insecure, we can at least make it useful.
Hope this helps, and feel free to ask further questions.
posted by effugas at 7:06 AM on May 26, 2005
1. Having a server in the states you can communicate with over TCP/22
2. Running: ssh -D1080 user@host
3. Setting the SOCKS proxy on your local system to 127.0.0.1:1080. Now, almost all traffic will route through the SSH session. This works for IM and a couple other things.
However.
1. I can't guarantee it's possible to SSH at all out of China. There are stunts you can pull involving SSH over HTTP, or (much) worse, but you're behind the Great Firewall. Don't mess with it.
2. I can guarantee that the above solution (still) leaks DNS traffic, so the firewall will still know what sites you're going to. Blame Firefox; they still refuse to fix this.
If you're on a Windows machine, the best way to get SSH up and running is to install Cygwin (http://www.cygwin.com/setup.exe is your friend). Specifically check off that you want OpenSSH installed -- it's not downloaded by default. Alternatively, you can use the dynamic forwarding support thats been added to PuTTy, a native SSH client for Windows. It's in the tunnel screen -- just set a dynamic forward on port 1080; you don't need to specify a destination (that's why it's dynamic).
At many internet cafes, this link pops up PuTTy for you. Heh, if ActiveX is going to be insecure, we can at least make it useful.
Hope this helps, and feel free to ask further questions.
posted by effugas at 7:06 AM on May 26, 2005
wow. ok, sorry - i didn't know openssh actually included a proxy.
note that you still need the dyndns thing if you're hoping to use a machine on a cable modem as the server.
posted by andrew cooke at 7:21 AM on May 26, 2005
note that you still need the dyndns thing if you're hoping to use a machine on a cable modem as the server.
posted by andrew cooke at 7:21 AM on May 26, 2005
incidentally, if you're worried that port 22 is going blocked, and control your own server, you can configure your ssh server to listen on a different port.
posted by andrew cooke at 7:23 AM on May 26, 2005
posted by andrew cooke at 7:23 AM on May 26, 2005
Response by poster: thanks guys, especially to andrew and effugas.
I'm going to be doing research on sensitive topics and i'll be in contact with dissidents, and i'll need to access sites that are strictly verbotten, so this will be helpful.
i'm going to do some trial runs here in the states.
posted by hurting.the.feelings.of.thechinesepeople at 2:34 AM on May 27, 2005
I'm going to be doing research on sensitive topics and i'll be in contact with dissidents, and i'll need to access sites that are strictly verbotten, so this will be helpful.
i'm going to do some trial runs here in the states.
posted by hurting.the.feelings.of.thechinesepeople at 2:34 AM on May 27, 2005
This thread is closed to new comments.
posted by Jairus at 11:28 PM on May 25, 2005