submergency

HADAR Hong Kong blocked by the Great Firewall


Do you notice how low the utilisation is on HADAR?  It has the best ping times and lowest utilisation of any server close to mainland China, yet seems to never have very many users. 

 

I'm a developer and tech supporter who commutes in and out of China. Ever since I started spending a significant part of my working life in China, a couple of years back, I've been using various VPN offerings.  I've watched the Darwinian struggle between the Great Firewall and VPN providers with interest.  As a developer, I need access to GitHub and Google infrastructure, both of which are generally pretty comprehensively blocked on the mainland.  So being able to find VPNs that work is a very important health factor for my stomach-lining.

 

I have come to realise that the issues with VPN-use in China are considerably more nuanced than most people (and VPN solution providers) often understand.  It depends very much on your ISP, for instance. Especially if you are using mobile cellular or mobile wifi,  it will be easier to get at the outside world than if you are on a large corporate, academic or government network. Also your geographic area influences things a lot.  There are different policies on net access say in Shenzhen or Shanghai than in many other areas.

 

The GFW isn't really a firewall.  Traffic doesn't traverse a minimal set of GFW gateways in and out of China.  There is enormous central logging.  Some of the best big data work is being done in China today for not totally unrelated reasons.  But that is an asynchronous data feed that is analysed later, not in real time, and not in a way that impacts the performance of the traffic in and out of China.  

 

The GFW is mostly implemented in a distributed fashion at the local ISP / POP / gateway router-level, through DNS poisoning and routing rules, which are updated based on automated and manual research, based on the outputs of a range of tools, including deep packet inspection and other techniques, carried out by a large and clever and competent group of people.

 

The GFW uses deep packet inspection out of a desire for maximum control and minimum disruption.  For instance, the way that un-stealthed OpenVPN connections are generally blocked is through DPI detection of OpenVPN starting a TLS authentication negotiation.  There is an idiosyncratic signature that identifies the traffic as an OpenVPN session starting up.  Depending on local policies, routers may be programmed to temporarily block source IPs that offend.

 

The problem is, the other favourite method of blocking VPNs is through protocol / port / IP address specific blocks.  If you look, HADAR, the Hong Kong-based natural choice for AirVPN users in China, is usually very lightly loaded.  This is because it is generally impossible to successfully establish an SSH session to either the primary or alternate IP addresses associated with HADAR from within mainland China.  Same with the Singapore-based ANTARES. AirVPN will quite happily try over and over to open the SSH session, taking ages to time out of the SSH set-up, but never moving down the list.  You have to manually block the ones that don't work, hence, I suggest, the low load on HADAR. As far as I can see, at least for the geographic locations available to me, no-one on the mainland can successfully use SSH / OpenVPN into HADAR.  I bet the majority of actual HADAR users are Hong-Kong-based.

 

AirVPN currently has a major competitive advantage.  To the best of my knowledge, nobody else effectively automates the use of OpenVPN inside an SSH or SSL tunnel.  VPN use in China is enormous.  So much of China's economy relies on export and international trade.  These businesses are very extensive users of VPN connections.  Business VPN use hasn't a lot to do with politics, it's to do with international trade and finance.

 

In the mainland Chinese context, AirVPN also has a major competitive disadvantage.  Because of AirVPN's POP selection strategy, as a GFW target, AirVPN POPs keep very, very still. Entry IPs are public and few, and also apparently stable.  They don't change.  They are easy to find out - just look in the DNS.  The result is that for mainland China AirVPN users, HADAR and ANTARES are old and well-known GFW targets and consequently largely useless.  

 

This is why DSIBAN in South Korea was important.  For various reasons, mostly to do with entertainment and media, there is enormous bandwidth between mainland China and South Korea.  So DSIBAN performed beautifully for users coming from inside China.  Because it was new, the GFW apparently hadn't been updated yet to block it.  

 

I re-examined the problems with HADAR, and confirmed that from several major cities in China, HADAR use through SSH is currently blocked.  It's sooo frustrating! The best VPN for use in mainland China, at the moment, is crippled performance-wise, because you have to go half way around the world to find an accessible server!  As far as I can find out, most VPN users in China use VPN POPs in Hong Kong, Taiwan, Japan, South Korea, Singapore and Malaysia.  So it seems to me that AirVPN must be losing out on a major piece of the very very large market for VPNs in mainland China.

 

I wish that AirVPN would find a way of having a much more dynamic and extensive set of alternate entry IPs for its POPs.  Also, consider the possibility of not making it so easy to find out what IPs are currently in use, like via the public DNS.  That would make it a much more difficult target, and therefore much more resilient and useful for users in China.

 

If AirVPN wanted to try an experiment, it could find a way of changing the primary and alternate entry IPs on HADAR, say once a week, for a few months, and see what happens to the utilisation level.  It doesn't have to be very dynamic to work, since the GFW research and update process is not that fast.

 

If there is anything I can do to help with testing or whatever, I'm absolutely up for it.  I have a vested interest, you might say.  

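An added example, not part of the thread and not AirVPN's code: a minimal Python classifier for the kind of session-start signature the first post describes, run over constructed first payloads to show why a bare OpenVPN flow is recognisable while the same flow wrapped in SSH or SSL is not. The opcode values and TCP length framing come from the OpenVPN wire protocol; the function names are hypothetical, and the thread does not say which signature the GFW actually matches.

```python
import struct

# OpenVPN's first byte packs the opcode (high 5 bits) and key_id (low 3 bits).
RESET_OPCODES = {
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
}
MIN_RESET_LEN = 14  # opcode/key_id (1) + session id (8) + ack count (1) + packet id (4)


def classify_openvpn_reset(payload: bytes, transport: str):
    """Return the reset opcode name if payload opens an OpenVPN session, else None."""
    if transport == "tcp":
        # Over TCP every OpenVPN packet carries a 16-bit big-endian length prefix.
        if len(payload) < 2:
            return None
        (declared,) = struct.unpack("!H", payload[:2])
        body = payload[2:]
        if declared != len(body):
            return None
    else:
        body = payload
    if len(body) < MIN_RESET_LEN:
        return None
    opcode, key_id = body[0] >> 3, body[0] & 0x07
    # A new session starts with key_id 0; anything else is not a first packet.
    if key_id != 0:
        return None
    return RESET_OPCODES.get(opcode)


# Constructed first payloads of four flows (not captured traffic).
SESSION_ID = bytes.fromhex("a1b2c3d4e5f60718")
RESET = bytes([7 << 3]) + SESSION_ID + b"\x00" + b"\x00\x00\x00\x00"
SAMPLES = {
    "openvpn-udp": ("udp", RESET),
    "openvpn-tcp": ("tcp", struct.pack("!H", len(RESET)) + RESET),
    "tls-wrapped": ("tcp", bytes.fromhex("160301002e0100002a0303") + bytes(40)),
    "ssh-wrapped": ("tcp", b"SSH-2.0-OpenSSH_9.6\r\n"),
}


def classify_samples():
    return {name: classify_openvpn_reset(p, t) for name, (t, p) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:12} {verdict or 'no OpenVPN reset seen'}")
```

Once the payload check no longer matches, a wrapped flow can only be filtered by destination address and port, which is the second blocking method the post goes on to describe.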

Hello @submergency,

 

thank you for your analysis and your co-operation offer, they are much appreciated.

 

You have also to consider that while the Singapore and Hong Kong servers are used by hundreds and hundreds of customers, the Korea server remained operative almost for a month and its usage was negligible. It was used by 9-10 users. By the way, let's discard marketing reasons at the moment, since our mission takes precedence over them. The true problem is that it is not acceptable for us to keep a server in a non-neutral datacenter, so any solution of this kind is not realistic at the moment.

 

Kind regards


Hi Staff, and thank you for your response.  I totally understand the DSIBAN withdrawal, and am not suggesting you reverse that decision or change your mission-based policy.  I support it and this is one reason I am an AirVPN user.

 

If you read what is said, I suggested some ways of making HADAR more useful from within mainland China.  SSH connections to HADAR are blocked, on both the primary and secondary IPs, from at least some major cities in mainland China.

 

Could you please review my suggestions below?

 

submergency

I re-examined the problems with HADAR, and confirmed that from several major cities in China, HADAR use through SSH is currently blocked.  It's sooo frustrating! The best VPN for use in mainland China, at the moment, is crippled performance-wise, because you have to go half way around the world to find an accessible server!  As far as I can find out, most VPN users in China use VPN POPs in Hong Kong, Taiwan, Japan, South Korea, Singapore and Malaysia.  So it seems to me that AirVPN must be losing out on a major piece of the very very large market for VPNs in mainland China.

 

I wish that AirVPN would find a way of having a much more dynamic and extensive set of alternate entry IPs for its POPs.  Also, consider the possibility of not making it so easy to find out what IPs are currently in use, like via the public DNS.  That would make it a much more difficult target, and therefore much more resilient and useful for users in China.

 

If AirVPN wanted to try an experiment, it could find a way of changing the primary and alternate entry IPs on HADAR, say once a week, for a few months, and see what happens to the utilisation level.  It doesn't have to be very dynamic to work, since the GFW research and update process is not that fast.


Guess what?  As of yesterday sometime, HADAR works from mainland China, at least some places! Very good!

I'm happy to hear that you are able to circumvent the Great Firewall.


HADAR is still very flaky.  AirVPN works very well to other servers, excluding ANTARES in Singapore.  But you pay a performance penalty because of distance. HADAR again seems to have high packet loss and excessive ping times from within mainland China.


I absolutely agree. I've been given to mostly running Psiphon on devices that support it for the very reasons submergency explains. In fact, I can really only connect to servers on the East coast of the US and Canada. Occasionally in Europe. The SSH penalty over those distances is quite noticeable, so I do try and limit myself to OpenVPN only connections.

 

The GFW has real-time packet injection on UDP streams inside OpenVPN tunnels, btw.


I can connect to HADAR, but it is very slow and also unstable. ANTARES in Singapore is a good choice, but only two servers in Asia cannot satisfy our requirements; maybe AirVPN can consider setting up a new server in Taiwan or Japan.


Connections from several places and several different ISPs within mainland China to HADAR continue to be either blocked or very unstable.  SSH tunnelling to other servers works, but there can be a big performance penalty.  As a newbie, I'm uncertain how to get some attention within AirVPN to the HADAR issue. Any advice anyone?


Connections from several places and several different ISPs within mainland China to HADAR continue to be either blocked or very unstable.  SSH tunnelling to other servers works, but there can be a big performance penalty.  As a newbie, I'm uncertain how to get some attention within AirVPN to the HADAR issue. Any advice anyone?

 

 

I'm now travelling and am using AirVPN's free trial. I'll probably extend my subscription before I go back home.

I'll see if the HADAR server works well back in my home without tunnelling. A highly available server is certainly important to all AirVPN users in the Mainland.


@lihongwu1987, I used HADAR from Hong Kong and it works great.  It's only when I try to use it from several places on the mainland I have problems.


I cannot connect to Hong Kong or Singapore servers, it always times out. I am in Shenzhen.

 

Hi @Killacam, my experience is the same.  The IPs for HADAR are very well-known, and have been in place quite a long time.  So SSH connections (at least) to these IPs are pretty comprehensively blocked from the mainland.  But it seems to me that despite having the best VPN solution for mainland China users, AirVPN isn't really interested in doing anything about it.  If you want to keep using AirVPN, just use a more distant access point.


I am now in Central China. My ISP is China Telecom, with which I can only use SSL tunnelling. With the SSL option AirVPN connections to all servers are sometimes not even usable. The speed is so slow that I can't even open a webpage.

