back to article Raspberry Pi puts holes in China's Great Firewall

A tech-savvy China-based Redditor has spotted a hassle-free way of ensuring he or she is always able to bypass the Great Firewall, even when out and about, using the Raspberry Pi to connect to a virtual private network (VPN). VPNs are a necessity for foreigners living in the People’s Republic who want to access sites …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Should work here too...

    Once Theresa May or whoever gives her her orders makes us all enemies of the State.

    1. Ben Tasker

      Re: Should work here too...

      S'Funny, that's one of the first places my mind went to as well, but it's more the porn blocking law (and further down the wedge) that's really relevant here.

      Given that our Government [are too ethical/don't have the balls/are too skint]* to threaten physical harm on anyone and everyone they catch circumventing the 'protection', this should show them just how pointless any kind of filtering is. Even the currently enabled blocking (which used to be child-porn, but now includes sites like the Pirate Bay) can be circumvented in 30 seconds.

      We all know filtering's a waste of time and effort, but even with cases like this the politicians don't seem to get it. Filtering only works if there's a real life risk of getting caught, and a nasty penalty if you are caught. Implementing either of those successfully would have a serious affect on our civil liberties (not that they wouldn't try) and would still suffer from the flaws we see in the design everytime someone suggests something of that ilk.

      *Delete as appropriate

      1. Anonymous Coward
        Anonymous Coward

        Re: Should work here too...

        Filtering does work. As tech-savvy people, we know how to circumvent these measures, but for most ordinary people it's too hard. I remember a few years back, when my sister had finally discovered how to download music off of TPB. As soon as a technology becomes so easy that normal people can use it, that's when the government/big business wants to get involved. They just wouldn't care if a few hackers were to share some videos/albums.

      2. Anonymous Coward
        Anonymous Coward

        Re: Should work here too...

        Ben, why do they need to threaten physical harm when they can simply "accidentally" name you as a paedophile and then sit back as lynch mob goes to work.

      3. P. Lee

        Re: Should work here too...

        Filtering does work. It's just that the work its required to do is create headlines and the illusion of action by politicians.

        Whether it works in practise is almost irrelevant in the West.

        1. Ben Tasker

          Re: Should work here too...


          Filtering does work. As tech-savvy people, we know how to circumvent these measures, but for most ordinary people it's too hard.

          As I recall, back in high-school pretty much everyone had worked out quite quickly how to get around the porn blocks. Granted filtering was somewhat less advanced then, but we're talking about teenagers ranging from the tech-savvy to the technically illiterate.

          What I couldn't honestly tell you (as I can't remember) is whether so many people knowing might have been because I showed them - even if that is the case (more than possible), when something can be easily circumvented, word of mouth is all you need to be able to do it.

          @AC - Very true, and something I seem to remember was used as a threat when someone refused to hand over their decryption keys

          @P.Lee - The problem with using filtering as a propaganda tool is it can very quickly backfire when it's shown not to work effectively. Imagine the tearing the politicians will get when it's revealed they spent £x^10 and the average 11 year old can bypass it in minutes. Mind you, that might well be the next government's problem!

  2. DrXym

    Seems like overkill

    Android has a variety of VPN front ends available in the store. For some reason it doesn't support OpenVPN but you could flash a phone with Cyanogenmod to get it and set the phone up as a hotspot. I'm sure some mifi devices could be be configured to automatically connect through a VPN too. No need for cables, dongles and other gubbins.

    1. Anonymous Coward

      Re: Seems like overkill

      Now you just need to do the same on all your other devices.

      And those of your friends, too. And repeat the exercise tomorrow when you're somewhere else.

      Or you could bring your little bag of a cable, a dongle and other gubbins wherever you go.

    2. MrMur

      Re: Seems like overkill

      Recent Android has a framework that allows OpenVPN to operate. I am using it on 4.1 on a Nexus S.

  3. Anonymous Coward
    Anonymous Coward

    RE: VPN protocols PPTP and L2TP have largely been unaffected as they are too tricky to block

    Hmm? I do believe some "correction" is needed here. PPTP and L2TP/IPsec which utilize the GRE and ESP protocol respectively are actually extremely easy to block as you can block both those protocols with relative ease without the worry of such a block affecting just about anything else.

    Heck; I've even seen "home" routers by LinkSys and D-Link which offer such a function (usually a configuration option to the tune of "Restrict Tunneling Protocols").

    If anything OpenVPN with SSL based VPN would be the biggest pain in the buttock to block as it's (to my knowledge at least) almost indistinguishable from regular HTTPS traffic. Especially so if utilized on port 443.

    The reason I say "almost" is because you "could" possibly distinguish SSL VPN from regular HTTPS traffic by looking at the behavior of the connection. An SSL VPN connection could remain as established for long periods of time whereas a visit to an HTTPS website would generate as many connections as there are objects to load but said connections do not stay as consistently established.

    That is unless of course you're downloading a file through HTTPS.

    So; am I missing something here?

    1. sysconfig

      Re: RE: VPN protocols PPTP and L2TP have largely been unaffected as they are too tricky to block

      "If anything OpenVPN with SSL based VPN would be the biggest pain in the buttock to block as it's (to my knowledge at least) almost indistinguishable from regular HTTPS traffic. Especially so if utilized on port 443."

      Indeed. Such a setup got me through any corporate firewall so far, which is necessary, because when I'm onsite with a customer, I can't have their own firewall stop me from doing my work for them.

      The larger the company, the less likely they are to -quickly- poke holes into their firewalls for you, even though you are a sysadmin contractor. At the very least you end up filling out forms or running from A to B to find a person who can allow you to carry out the work which they pay you for..

      So, OpenVPN on TCP/443 works perfectly well, even if there's a transparent proxy in the way.

      I suppose the quoted Redditor in the article is doing just that, and offers it in a way that an average internet user can benefit from it. Everybody wins.

    2. Anonymous Coward
      Anonymous Coward

      Re: RE: VPN protocols PPTP and L2TP have largely been unaffected as they are too tricky to block

      Two thoughts come to mind:

      PPTP was MS' preferred option - so maybe it is a business reason?

      PPTP is, AFAIK, not that secure and unlike SSH which normally warns you if the server has changed identity, PPTP has nothing specific to detect a man-in-the-middle style of attack. Maybe they allow it so they can gather information on what it is being used for while the user is thinking all is totally secret?

  4. mark l 2 Silver badge

    If its just for browser traffic you can set up tunnel over SSH as a socks proxy, used it a few time with my vps hosted in the US to watch some shows online that are geo blocked from the UK

    ssh -D <port> -N then set your browser to use localhost as a socks proxy with the port you number you specified in <port>

  5. Anonymous Coward
    Anonymous Coward

    Could have been done cheaper with a TP-703: Locally sourced, physically smaller, lower powered and has the wifi dongle on board leaving a spare USB port.

  6. Anonymous Coward
    Anonymous Coward

    PPTP and L2TP

    I'll post here what I posted on the linked site:

    Having spent a year in china in 2012, I'm afraid you are not entirely correct. I travelled extensively using a VPN provider that only offered PPTP and L2TP, both of these were often blocked, sometimes one, sometimes the other and sometimes both. It all depended on the ISP. I wasn't using a private server, so it could well be that IP blocking of the server was in place, but to say that PPTP and L2TP are entirely unaffected is not accurate.

    I would add, that I researched this at the time, and found plenty of people suggesting that PPTP and L2TP connections were affected.

    To say that it's not possible to block the traffic due to the port it uses sounds like a lack of understanding to me. Either that, or an underestimation of the resources being put towards the filtering.

    1. Daniel B.

      Re: PPTP and L2TP

      Yes, not blocking at least PPTP is more of lazy people, not "break the internet in blocking this" people. As someone else commented, it is much harder to block OpenVPN on port 443, as it looks like HTTPS traffic. But even then, some firewalls manage to block even that by limiting how much MBs go through a single HTTPS connection...

  7. Parax

    I like it.

    but is there a neater solution? there are many network to wireless access point boxes available.

    And what about wifi-wifi, running via hotel/other/public wifi to your own wifi hotspot?

    1. JaitcH

      Re: I like it.


      All hotels now have State supplied equipment that monitor EACH ROOM.

      I have stayed for years at a 20-odd room hotel in NanNing, GuangXi Province and just before the BeiJing Olympics the owner took me to his basement and showed me the new array of equipment. installed Mien Phi (No Charge) that monitors every InterNet connection in the building.

      So all points in a hotel are monitored regardless of the number rooms.

  8. Mister_C

    Oh the irony...

    If its a "red board" Pi (made in China for local sale).

    Black Helicopters

    L2TP difficult to block?

    I don't know. My mobile ISP, Yes WiMax internet Malaysia, has been blocking L2TP and PPTP since the filesharing block came up in 2011. I only recently discovered that OpenVPN still works but takes forever to connect. Also, very slow.

    Black helis. Just because.

  10. zb42

    PPTP usually uses MS-CHAP authentication so in most cases the encryption is breakable with modest effort.

    Perhaps PPTP is sometimes allowed because they prefer to watch what people are doing over it instead of blocking it.

  11. Anonymous Coward
    Anonymous Coward

    My variation doesn't work

    I set up my Pi in HK to host an OpenVPN server, with an OpenVPN client on my mobile phone in China with a China Unicom SIM, it fails to connect, and has done since December. I use TCP and port 443, I have no idea why it no longer works, and how they can block it.

This topic is closed for new posts.

Other stories you might like