Help me bypass the great firewall of China?
September 14, 2007 1:51 PM

I'm having trouble with people accessing my server from within China. Maybe you can help me bypass the great firewall?

The full scoop:

I run the web/email server for my wife's small family business. There are some employees here in the States, and some in China. The server itself is located in Texas. The folks here in the States never have any trouble accessing the server for email/web/etc, but the folks in China have intermittent access to the server in general. I'm most concerned about the email access, for what it's worth. I run POP3 off ports 25 and 26, with SSL available. I have tried both with SSL and without on the China clients with no difference in performance.

During the times when it's down, I can't even ping the server from the computers in China. Doing a traceroute just shows stars (timeout) after the first hop or so. I'm guessing we're running into the "great firewall of China".

The server has its own (4) dedicated IPs, so we're not sharing with any other website that may be controversial - although there may be some websites in our local subnet that are being blocked (I'm not sure).

The employees in China aren't very technically adept, so I can't have any solutions that require technical knowledge on a frequent basis - but I do have access to their computers remotely and can set up any kind of software/settings as needed. The computers over in China are running Windows XP.
posted by escher to Technology (6 answers total)
posted by nitsuj at 2:01 PM on September 14, 2007

The Chinese firewall is dynamic. One of the things it does, which is most likely happening, is that your traffic has an unapproved keyword. When the routers detect this keyword they send reset packets which break the TCP connection. Once detected they will update their firewall DNS to block the site for x amount of hours. This is how it works according to 2600 magazine. I imagine this is happening to you.

Your only solution is to set up some kind of encrypted tunnel between the two sites. There are some hacks like using a different character set, but it's probably a lot easier to just set up a VPN.
posted by damn dirty ape at 2:31 PM on September 14, 2007

A workaround is to go through a third party. Make an email account on China's Yahoo site. Have them send you email there. Maybe have them encrypt their email before sending.
posted by damn dirty ape at 2:32 PM on September 14, 2007

posted by autojack at 2:38 PM on September 14, 2007

damn dirty ape: Not that I know much about this thing, but isn't SSL blocking any sort of keyword matching? My understanding is that SSL encrypts all of the traffic between the two computers. How would an encrypted tunnel be any different?

Don't tell me that the firewall does some sort of automated man-in-the-middle SSL interception, because that would be crazy (crazy cool and crazy scary!).
posted by philomathoholic at 10:10 PM on September 14, 2007

What damn dirty ape said is correct, at least for port 80 and instant messaging, so probably for all readable protocols. The OP didn't say whether they were actually running the POP with SSL all the time (for data, not just passwords). Using the SSL for the data should take care of the keyword filtering.

If that doesn't work, full VPN would be the way to go. The Chinese govt. doesn't like the idea of people using overseas mail servers and people running into these types of issues have speculated they are just killing POP3 access at random.

Another issue is that the internet in China is just plain unreliable, with all kinds of short-lived service issues that may or may not be related to filtering. If your employees are from the U.S., they might not be used to this. Running a local DNS server or using an overseas DNS server (slower) can help with some of the timeouts, as local DNS servers are overloaded and filtered / hijacked for the GFW.

I would not recommend moving mail to a local provider, they are very unreliable and difficult to deal with if you have any issues.
posted by ihyperion at 2:51 AM on September 17, 2007
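A small probe that records which of the failure modes described in the answers above (a TCP reset, a silent timeout, a DNS failure) each mail port actually hits from a client, as an added example and not code from anyone in this thread; the host name, the port list and the timeout are assumptions:

```python
"""Mail-port connectivity probe that labels how each connection attempt fails.
Added example for this thread, not the poster's or any answerer's code; the
host name, port list and 5-second timeout are assumptions. It maps client-side
errors to the failure modes discussed above (reset, timeout, DNS failure).
"""
import socket
import ssl
from typing import Callable, Dict, Iterable, Optional, Tuple

def classify(err: Optional[BaseException]) -> str:
    """Map the outcome of one connect attempt to a short failure label."""
    if err is None:
        return "connected"
    if isinstance(err, ConnectionResetError):
        return "reset"      # an RST arrived: what an injected reset looks like client-side
    if isinstance(err, socket.timeout):
        return "timeout"    # no reply at all: packets dropped, like the starred traceroute
    if isinstance(err, socket.gaierror):
        return "dns"        # name did not resolve: resolver down, blocked or hijacked
    if isinstance(err, ConnectionRefusedError):
        return "refused"    # the host answered, so the path works; nothing listens there
    return "other:" + type(err).__name__

def tcp_connect(host: str, port: int, use_tls: bool, timeout: float = 5.0) -> None:
    """Connect, optionally wrap in TLS, and wait for the POP3 '+OK' banner."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        banner = sock.recv(256)
        if not banner.startswith(b"+OK"):
            raise OSError("unexpected banner: %r" % banner[:32])
    finally:
        sock.close()

def probe(host: str, ports: Iterable[Tuple[int, bool]],
          connect: Callable[[str, int, bool], None] = tcp_connect) -> Dict[str, str]:
    """Try every (port, use_tls) pair and return {"port/plain|tls": failure_label}."""
    results: Dict[str, str] = {}
    for port, use_tls in ports:
        label = "%d/%s" % (port, "tls" if use_tls else "plain")
        try:
            connect(host, port, use_tls)
            results[label] = classify(None)
        except OSError as err:   # socket, ssl and DNS errors are all OSError subclasses
            results[label] = classify(err)
    return results

if __name__ == "__main__":   # assumed host; run from an affected client and keep the output
    print(probe("mail.example.com", [(25, False), (25, True), (26, False), (26, True)]))
```

Run it from one of the China machines during an outage and again when access works: a steady "reset" on the plain port with "connected" on the TLS port points at content filtering, while "timeout" on every port points at the path itself.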
