You might have noticed the VPN you’ve been using reliably since you came to Beijing recently started to falter and fail. Well, you’re not alone. Users of StrongVPN, Astrill, Witopia, PandaPow and other VPN services all reported slower connections or the inability to connect at all. Both western and Chinese media reported recent crackdowns on VPN servers.
Now you’re probably getting desperate for a VPN that isn’t blocked and won’t be anytime soon, but a service like that can’t really be guaranteed. Thankfully, alternatives do exist. They require a bit more technical know-how, but if you want something done right, you have to do it yourself.
Amazon Web Services offers one year of free virtual server space, provided you use less than predetermined amounts of bandwidth, time and space. Even if you go over that limit, the cost of running a server image on Amazon’s Elastic Compute Cloud is probably less than you’re paying for your undependable VPN subscription.
I’ve researched two different ways to use EC2 to bypass the Great Firewall: SSH Tunneling and OpenVPN. Each has advantages and disadvantages, so use the one you find more suited to your needs. No matter which you choose, you’ll require the following:
- An Amazon Web Services account. This requires a credit card, but you’ll only be charged for what you use, which will likely be nothing if you’re prudent about what you’re doing.
- PuTTy, if you’re on Windows. OpenSSH via Cygwin is another option, but I found it to be a pain. I believe Linux and Macs already have SSH prompts built into their boxes and terminals, respectively. You’ll also need PuTTy’s sister key generation program, PuttyGen.
- A basic working knowledge of Unix commands and how servers work with clients will be massively helpful in troubleshooting should something not go exactly as planned.
Use the first part of this tutorial up until it starts talking about OpenVPN (we’ll get to that later) to get your server and PuTTy set up. I made an Ubuntu 12.04 LTS server under the classic AMI wizard with all the default settings.
Once you’ve launched your first instance from the EC2 console, make sure you keep any downloaded files in a convenient and secure place. The .ppk file and .pem file generated by PuTTygen will act as a sort of password. Once you’ve got your key pair and the .pek and .pem files, you can create more instances in the future without having to redo the entire process.
Secure Shell Tunneling
It’s easy. Compared to the alternative below, opening an SSH tunnel takes less than half the time. You’ll be using PuTTy to forward the SSH port to a SOCKS proxy, as explained in this tutorial. Complete all the steps but ignore the “Using OpenSSH” section if you’re using PuTTy.
The tutorials are a little unclear on this, so I’ll add some detail. When you open PuTTy, use the public DNS address in the Host Name field. Then expand the SSH tree on the left to reveal “Auth.” The “Private key file for authentication” field is where you’ll upload that .ppk file. Then click on “Tunnels” to set up the port forwarding, which means the connection can be used between your browser and the server instead of just between PuTTy and the server. When I did this, I found sites like Facebook and Youtube don’t play well with some ports. Use port 1080 (as opposed to 9999 in the tutorial) if you plan on visiting those sites. Click “Open” and log in as “ubuntu”. Click yes on any alerts that pop up.
To use the proxy, you need to download an extension of your Firefox or Chrome browser. The downside to the SSH tunnel approach is that each program you want to use the tunnel must be individually set up to do so. For instance, you must set up each browser separately, as well as programs like Spotify or torrenting clients. Not all applications have the option to do this, so the main use for SSH tunneling is just web browsing and server management.
Making your own VPN with OpenVPN
This takes a little more technical knowledge, but it should be easy if you stick to the tutorial I linked to at the beginning. The tutorial says to use an Ubuntu 9 server found in the community API list, but I just used the newest version of OpenVPN with my Ubuntu 12.04 LTS server, and it worked fine. The rest of the tutorial does a pretty good job of walking you through step by step, so I won’t parrot it. Unfortunately, the Catch-22 is that the OpenVPN software download website is blocked in China. You’ll have to use the SSH tunneling steps above to navigate to it. Once you’ve got the .deb file, you’ll need WinSCP to transfer it via FTP to your EC2 virtual server.
The first time I created one of these servers, it worked great for a little more than a day. Then I could no longer connect. I thought it might have been an error on my part or just a coincidence, so I made another instance. It also worked great, but less than 48 hours later, it was inaccessible again. Later, I discovered that the Public DNS and IP address changes every time an instance is stopped and started again. An easy way to get around this is to create an Elastic IP on the EC2 Management Console and associate it with your server. Then the instance will keep the same IP even after a reboot. You can even reassign the IP to a new instance if you want to terminate the old one. An Elastic IP is free as long it is associated with a running instance, but it costs one cent per hour (about $7 per month) if you’re not using it.
This only partially solved the problem. I’ve confirmed with two sources also working on this project that the default OpenVPN ports, 443 and 1194, are blocked within a day or two of setting up a new IP. This effectively renders the VPN useless. We believe this block comes from the government via our ISP. You can change the port, but that solution is just as temporary. One theory is that OpenVPN uses a protocol and certificate that makes it very easy to identify and stop the packets it sends. It’s odd that the entire ISP is not blocked … SSH and HTTPS ports still work fine. One colleague reported marginal success by setting OpenVPNto only use TCP. We will experiment with a few work arounds and I’ll hopefully post a more permanent solution in the future.
In the end, I would suggest you make a server for SSH tunneling if you’re unsure of your technical skills and you just need to browse the web. If you need a full blown VPN for a faster connection and tasks besides browsing, start up OpenVPN. If the IP of your OpenVPN server changes, the client program on your computer should automatically update if you log in via your browser. Remember to keep your bandwidth within Amazon’s free tier limits. The easiest way is to right click on your instance and click on the “Add/Edit Alarms” link. You can set your server to stop or even terminate after a few hours of inactivity.
The free tier allows for 750 hours per month (which covers the whole month), so I shouldn’t need to do this. But those users past their initial free year of service or doing more with their server can prevent unnecessary charges for unused server time.
A work in progress
I plan on experimenting with other protocols like IPSec, L2TP and PPTP to see if those work any better. If you have any other suggestions or solutions, I encourage you to share. In the meantime, I hope this can grant a few people some reprieve from the government’s tighter restrictions.