Shadowsocks Explainer: Jumping China’s Great Firewall

​​Is it possible to get around ​​China’s censors, regional web blocks and government monitoring?

​It’s doable, but getting the better of the world’s most advanced surveillance state involves a continual game of cat and mouse. One month, a particular virtual private network (VPN) might let you bypass some or all of the restrictions. A month later, you’ll find that the same VPN has been hit by a clampdown.

For the time being at least, a proxy toolkit known as Shadowsocks may be the answer. Here’s a closer look at China’s internet restrictions, and at how customized, de-centralized proxy connections via Shadowsocks can help users get around them.

What is China’s Great Firewall?

• China’s government is keen on maintaining what it calls “internet sovereignty”. In reality, this basically means running the world’s most advanced internet censorship regime.
• It does this for all the usual reasons: to control its message, maintain social order, shape public opinion, and to shut down criticism of the government and state organizations.
• Dating back to the early 2000s, China’s internet information security strategy is known as the Golden Shield Project. The so-called Great Firewall of China is a key part of this strategy.
• The Great Firewall consists of a variety of tools and tricks designed to control internet access. A few examples include:
  • IP Access blocking: blanket bans on access to certain IPs.
  • URL filtering: e.g. while you may be able to access Wikipedia, you won’t be able to look at those Wiki pages deemed sensitive.
  • Packet inspection: the ability to identify, filter and block unencrypted data packets (e.g. those which include blacklisted keywords).
  • Connection resetting: this goes hand-in-hand with packet inspection. When a suspicious packet is detected, authorities can send a ‘reset packet’, breaking up the connection between both computers involved in the communication.
• Authorities are especially keen to block access to foreign social media. Instead, users get what are essentially homegrown versions of popular platforms: e.g. WeChat instead of WhatsApp, Weibo for Twitter and Youku for YouTube.

State censorship and VPNs: what’s the problem?

With a VPN service, the user’s device is linked to a remote server owned by the VPN provider. So the server effectively becomes a middleman between the user and the internet. The VPN encrypts packets set by the user before they hit the user’s Internet Service Provider (ISP). It then decrypts those packets before they reach their destination. Information flowing from the websites visited by the end user follows the same path from the opposite direction.

A VPN effectively creates a private network for you to use within the internet, thereby anonymizing your identity online. So while you may be in China, you’ll look like you’re in whatever country the VPN server happens to be based.

There are a couple of practical problems with this, however:

Getting access to a VPN in the first place. As you’d expect, websites for the likes of NordVPN, ExpressVPN are blocked in China – and you definitely won’t find any VPN service providers on the Chinese app stores. Obvious tip: if you’re traveling to a heavily-censored country and you want unfettered internet access, make sure you sign up to a VPN provider before you get there.

VPN suppression. To encrypt and send data, VPNs usually rely on one of several protocols. With the help of AI, Chinese censors have become much more adept at spotting the fingerprints that can identify traffic from VPNs using these protocols. Even though the censors cannot see what’s being sent, they have a pretty good idea that there’s a VPN connection in place, and can block the connection.

The larger VPN service providers constantly tweak their offerings to try and evade this type of suppression, while the censors work to hone their detection techniques. Last year, a researcher did a spot check of VPNs to see how they fared in China. Of the 60 tested, just 13 worked. In the VPN game, it seems that the censors are winning.

What is Shadowsocks and how does it work?

To recap, a VPN works on the basis of an encrypted (i.e. private) network between your computer and a remote server.

With Shadowsocks, there’s no network. Instead, it uses ‘proxying’. With proxying, you connect to another computer (i.e. a proxy server) before you connect to the wider internet.

With Shadowsocks, each user creates their own encrypted proxy connection between the Shadowsocks client on their own computer, and the one on the proxy server they are connecting to, using an open source protocol (SOCKS5).

These individual proxy connections each look a little different from the outside. This means that it doesn’t leave a tell-tale fingerprint in the way that VPN protocols do. Much more so than VPN services, Shadowsocks allows you to disguise your activity as a normal connection.

How do I get Shadowsocks?

It’s worth noting that Shadowsocks was built by developers, for developers – so set-up can be difficult.

The steps you need to follow are as follows:

• You need a remote server to connect to, which means subscribing to a server rental service (e.g. DigitalOcean or AWS).
• Next, you need to Install Shadowsocks on your server of choice (there’s an explainer here for this).
• You also need to install a Shadowsocks client application on the computers and devices you will be connecting to the internet with. Details on how to access the latest client versions for Windows, Mac, Android, iOS and Linux can be found on the Shadowsocks website here.

Want to explore the best ways to get around government censors and restrictions? Our complete Cyber Security Course contains everything you need to know about anonymous browsing. Get the full bundle.