ykl 9 days ago
This doesn't work anymore; the GFW no longer detects VPN connections by port but instead by performing deep packet inspection to characterize the type of traffic going over every connection. Using this technique in combination with some advanced ML systems, they're able to detect any encrypted VPN connection and cut it off; it's basically not possible to run any kind of outbound VPN connection (even to private servers) from inside of China anymore, and it's usually not even possible to _tunnel_ a VPN connection through some other protocol because the GFW now detects that too. Stepping back and looking at it from a purely technical perspective, it's actually insanely impressive. Here's a USENIX paper from a few years ago on how it is done: https://gfw.report/publications/usenixsecurity23/en/
rglynn 9 days ago
So there's a disconnect between what you're saying and what others and I have experienced in China even recently. You appear to be saying that it's not possible to use a VPN to bypass the GFW, but I apologise if I have misunderstood. The comments have multiple examples of people successfully bypassing the firewall. I personally just used Mullvad with WireGuard + obfuscation (possibly also DAITA) and it just worked. No issues whatsoever.
eqvinox 9 days ago
This is what IPsec TFS is for [https://datatracker.ietf.org/doc/rfc9347/]

> the focus in this document is to enhance IP Traffic Flow Security (IP-TFS) by adding Traffic Flow Confidentiality (TFC) to encrypted IP-encapsulated traffic. TFC is provided by obscuring the size and frequency of IP traffic using a fixed-size, constant-send-rate IPsec tunnel

(If they block a constant rate stream, that'll hit a whole ton of audio/video streaming setups)
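The fixed-size, constant-send-rate tunnel the quoted RFC text describes, as a toy model added here to show why an observer learns nothing from packet sizes or timing. This is not code from the thread or from the RFC: the framing (a 2-byte length prefix per inner packet, one byte stream cut into frames, zero padding), FRAME_SIZE, the slot count and the sample packets are all my own simplifications and assumptions, and the real AGGFRAG payload format in RFC 9347 is different.

```python
"""Toy traffic-flow-confidentiality (TFC) shaper in the spirit of RFC 9347 IP-TFS.

Added example, not code from the thread or from the RFC. Inner packets get a
2-byte big-endian length prefix, are concatenated into one byte stream, and the
stream is cut into fixed-size frames, one per send slot, with zero padding.
FRAME_SIZE, SLOTS and SAMPLE_PACKETS are constructed assumptions.
"""
import struct

FRAME_SIZE = 64   # every tunnel frame on the wire is exactly this long (assumption)


def shape(packets, slots, frame_size=FRAME_SIZE):
    """Turn variable-size inner packets into exactly `slots` frames of
    `frame_size` bytes, whether the tunnel is busy or idle.

    A fixed-rate sender emits one frame per slot; slots with no data carry
    only padding, so a passive observer sees a constant size and rate
    regardless of what (if anything) is inside. Raises if the offered load
    does not fit the tunnel's fixed capacity for these slots.
    """
    stream = b"".join(struct.pack(">H", len(p)) + p for p in packets)
    capacity = slots * frame_size
    if len(stream) > capacity:
        raise ValueError("offered load exceeds tunnel capacity for these slots")
    # Padding; after ESP encryption it is indistinguishable from real data.
    stream += b"\x00" * (capacity - len(stream))
    return [stream[i:i + frame_size] for i in range(0, capacity, frame_size)]


def unshape(frames):
    """Reassemble inner packets; a zero length prefix (or end of stream) means padding."""
    stream = b"".join(frames)
    packets, pos = [], 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack(">H", stream[pos:pos + 2])
        if n == 0:
            break
        packets.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return packets


def wire_profile(frames):
    """What a passive observer can measure: (number of frames, sorted distinct sizes)."""
    return len(frames), sorted({len(f) for f in frames})


# Constructed sample inner traffic: a DNS-sized query, a TLS-record-sized chunk
# that spans several frames, and a tiny ACK-sized packet.
SAMPLE_PACKETS = [b"Q" * 40, b"D" * 300, b"A" * 1]
SLOTS = 8


if __name__ == "__main__":
    busy = shape(SAMPLE_PACKETS, SLOTS)
    idle = shape([], SLOTS)
    print("busy tunnel:", wire_profile(busy))   # (8, [64])
    print("idle tunnel:", wire_profile(idle))   # (8, [64])
    print("round trip ok:", unshape(busy) == SAMPLE_PACKETS)
```

The point of the model is the last two prints being identical: a busy tunnel and an idle one present the same frame count and the same frame size, so size and timing carry no information about the inner traffic. The cost is the one the comment hints at: the link is consumed at the constant rate even when nothing is being sent, exactly like a continuous media stream.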
anonzzzies 9 days ago
When I lived in China 10 years ago, the GFW had a pretty effective way of slowing constant traffic that goes to an outside-China IP address more and more over time. I had about 6 hours per IP (it started getting slower and slower during that time) before having to rotate, because even basic webpages didn't get through and SSH was unusable.
ranger_danger 7 days ago
> it's basically not possible to run any kind of outbound VPN connection (even to private servers) from inside of China anymore

This is not true anymore, and your own link says so:

> all circumvention strategies adopted by these tools are reportedly still effective in China

And while this paper is not the most up to date, there are actually many new kinds of obfuscating VPN/proxy/tunnel technologies out now, and they are currently not blocked. Some methods can even disguise themselves as unencrypted, plaintext legitimate-looking HTML and still tunnel traffic (slowly) through it.
wulfstan 9 days ago
That is impressive. Beyond bonkers, but impressive.
tracker1 9 days ago
Assuming they don't MITM SSH, you should still be able to use something like WireGuard over an SSH tunnel. At least I would think... it's all SSH traffic as far as any DPI listener is concerned; you'd of course need to ensure the connection signature through another vector, though.
77pt77 9 days ago
> it's basically not possible to run any kind of outbound VPN connection (even to private servers) from inside of China anymore.

What if you run your own HTTPS server that looks semi-legitimate and just encapsulate it in that traffic? Can they still detect it? What about a VPS in HK? Is this even doable?
IshKebab 9 days ago
> it's basically not possible to run any kind of outbound VPN connection (even to private servers) from inside of China anymore.

Really? Because the paper you linked says they don't block any TLS connections so you can just run a VPN over TLS:

> TLS connections start with a TLS Client Hello message, and the first three bytes of this message cause the GFW to exempt the connection from blocking.
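What the Client Hello exemption quoted above looks like next to the other first-packet exemptions the linked paper describes, as an added example rather than code from the thread or from the paper. The rule set, thresholds (3.4 and 4.6 bits per byte, 50% printable, a 20-byte printable run) and fingerprints are reproduced from the paper as recalled and should be checked against it before being relied on; the sample payloads are constructed, not captured.

```python
"""Model of the first-packet exemption heuristics that the linked USENIX
Security 2023 paper (gfw.report) attributes to the GFW's detector for
fully encrypted traffic.

Added example, not code from the thread or from the paper. Thresholds and
fingerprints are as recalled from the paper; check them against it. The
sample payloads below are constructed, not captured traffic.
"""

PRINTABLE = frozenset(range(0x20, 0x7F))       # printable ASCII
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")


def popcount_per_byte(data):
    """Average number of set bits per byte; uniformly random data sits near 4.0."""
    return sum(bin(b).count("1") for b in data) / len(data)


def longest_printable_run(data):
    best = run = 0
    for b in data:
        run = run + 1 if b in PRINTABLE else 0
        best = max(best, run)
    return best


def looks_like_tls(data):
    """TLS record header: handshake (0x16), record version 0x03 0x00..0x09.
    These are the three bytes the quoted sentence says exempt the connection."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x09


def classify_first_packet(data):
    """Verdict for the first TCP payload of a connection.

    Returns (verdict, rule). 'exempt' means a heuristic matched and the
    connection is left alone; 'block' means the payload looks fully
    encrypted: random-looking bytes with no recognisable structure.
    """
    if not data:
        return "exempt", "empty"
    pc = popcount_per_byte(data)
    if pc <= 3.4 or pc >= 4.6:
        return "exempt", "Ex1 popcount outside the random band"
    if all(b in PRINTABLE for b in data[:6]):
        return "exempt", "Ex2 first six bytes printable"
    if sum(b in PRINTABLE for b in data) > len(data) / 2:
        return "exempt", "Ex3 majority printable"
    if longest_printable_run(data) > 20:
        return "exempt", "Ex4 printable run over 20 bytes"
    if looks_like_tls(data) or data.startswith(HTTP_METHODS):
        return "exempt", "Ex5 TLS/HTTP fingerprint"
    return "block", "looks fully encrypted"


# Constructed samples. BODY stands in for ciphertext: no printable bytes and
# exactly four bits set per byte, i.e. the statistics of random data without
# the flakiness of actually being random.
BODY = b"\x0f\xf0" * 100
SAMPLES = {
    "fully encrypted first packet": BODY,
    # TLS record header (handshake, record version 3.1, length 200) in front
    # of the same body: only the header decides the verdict.
    "tls client hello": b"\x16\x03\x01\x00\xc8" + BODY,
    "http request": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "all-zero padding": b"\x00" * 32,
}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:30} -> {classify_first_packet(payload)}")
```

The same body is blocked on its own and exempted as soon as a TLS record header precedes it, which is the point of the comment: a proxy that opens with a real TLS handshake is never examined further by this detector. The zero-padding and HTTP samples show the other escape hatches the paper's rules leave open, and the detector only ever looks at the first payload of a connection, so nothing later in the flow changes the verdict.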