net4people / bbs

Forum for discussing Internet censorship circumvention

How can Chinese colleges and universities break through GFW and go online without being censored by the school's data center? #205

Open KormiMeiko opened 1 year ago

KormiMeiko commented 1 year ago

At present, the school has a big data center, and the students who break through the GFW blockade and go online will be discovered by the school. After investigation, they should use SS/VMESS/VLESS/Trojan and other methods to break through GFW to access the Internet. But these methods seem to be found by the big data center. But what is interesting is that using the "campus network" to break through the GFW blockade to access the Internet will be directly discovered by the big data center, but using the mobile phone card data traffic to break through the GFW blockade to access the Internet will not be discovered (or the probability of being identified will be reduced). So is there any way to effectively circumvent the censorship of the school's big data center?

arandomgstring commented 1 year ago

The real question is, how are these methods found out by the so-called big data center? Does this ISP expect usage of certain domains? (e.g. Have you been told to use certain websites?) If a user's traffic from a non-whitelisted IP goes beyond a certain limit, then that IP gets blocked? Have you tried using a whitelisted bridge? For example, tunneling traffic with an SSH proxy to a Chinese VPS and then forwarding that traffic from the Chinese VPS to a normal foreign proxy.

gulprun commented 1 year ago

Any specific evidence? @KormiMeiko

KormiMeiko commented 1 year ago

> Any specific evidence? @KormiMeiko

Students who used these methods (SS/VMESS/VLESS/Trojan) to access the Internet were interviewed by the administrators of the school's big data center, and were asked to check the computer's Internet access history, and were also asked to sign a "guarantee".

KormiMeiko commented 1 year ago

> The real question is, how are these methods found out by the so-called big data center? Does this ISP expect usage of certain domains? (e.g. Have you been told to use certain websites?) If a user's traffic from a non-whitelisted IP goes beyond a certain limit, then that IP gets blocked? Have you tried using a whitelisted bridge? For example, tunneling traffic with an SSH proxy to a Chinese VPS and then forwarding that traffic from the Chinese VPS to a normal foreign proxy.

I think that the traditional way of surfing the Internet (SS/VMESS/VLESS/Trojan) may already have an accurate identification method. All university networks are Chinese "education network" (except mobile communication). I think there may be stricter scrutiny and identification methods in the "Education Network" system. According to my observation, if you use data traffic in mobile communication and use these methods (SS/VMESS/VLESS/Trojan), the probability of being identified will be very low. It may be that the mobile communication base station in the school did not give enough screening authority to the school's big data center. However, the Internet access method of transferring traffic through a Chinese VPS has not been tried so far. Although this suggestion is very constructive, "real-name authentication" is required to purchase a VPS in China, and quite a few service providers in China require users not to use "over-the-wall" software on VPS.

cross-hello commented 1 year ago

Campus network needs to configure school DNS server.

Some years ago, we found that using a proxy would be detected if we preferred one of the DNS servers. But after switching to the other, the problem was solved.

Though the situation may not be similar, you could try various variants (you have time).

(SSH could be the final backbone)

cross-hello commented 1 year ago

But even if you can't access the Internet right now, you could still have an English library bigger than the whole school (like we did).

The biggest problem of crossing the bar is not technique; it is that when you stand before someone who may hurt you, you can still stand firm and keep your kindness.

KormiMeiko commented 1 year ago

> Campus network needs to configure school DNS server. Some years ago, we found that using a proxy would be detected if we preferred one of the DNS servers. But after switching to the other, the problem was solved. Though the situation may not be similar, you could try various variants (you have time). (SSH could be the final backbone)

It seems that it may be necessary to focus on detecting the DNS server later.

KormiMeiko commented 1 year ago

> But even if you can't access the Internet right now, you could still have an English library bigger than the whole school (like we did). The biggest problem of crossing the bar is not technique; it is that when you stand before someone who may hurt you, you can still stand firm and keep your kindness.

benefited a lot

arandomgstring commented 1 year ago

@KormiMeiko

> However, the Internet access method of transferring traffic through a Chinese VPS has not been tried so far. Although this suggestion is very constructive, "real-name authentication" is required to purchase a VPS in China, and quite a few service providers in China require users not to use "over-the-wall" software on VPS.

This is indeed the case in Iran as well. That said, newer methods such as Vision (VLESS) claim to be undetectable. So even if they get identified in a more, say, open network such as a Chinese VPS (compared to a more restricted school network), that information by itself would be very instructive. From my own personal technical understanding of these protocols, they have to stay undetectable as long as

  1. DNS requests get resolved on proxy server,
  2. GEOIP files are configured correctly,
  3. Proxy is used in a moderate amount,
  4. and perhaps the proxy server's download vs. upload traffic stays asymmetric (i.e., it should not download and upload the same amount of data at any given time; running a torrent client can prevent this, for example).

I am not sure if Mobile Network is behind NAT, which I guess it is, but instead of using a Chinese VPS, even a normal network connection can be used in place of VPS, as long as they are not behind commercial grade NAT.
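Condition 1 in the list above, and the DNS observation earlier in the thread, both come down to whether name lookups leave the client in cleartext. The following is an added example, not code from any participant: a self-audit that parses DNS queries from a constructed capture and lists those sent to a non-local resolver. The function names, the sample packets, and the addresses (documentation ranges standing in for a campus resolver) are all assumptions.

```python
import struct

def build_query(name, txid=0x1234):
    """Build a minimal DNS A-record query (used only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_query_name(payload):
    """Return the first question name of a DNS query, or None if it is not one."""
    if len(payload) < 12:
        return None
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount == 0:   # QR bit set means a response
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:                  # root label terminates the name
            return ".".join(labels)
        if length & 0xC0:                # pointer/reserved bits: not a plain label
            return None
        label = payload[pos + 1:pos + 1 + length]
        if len(label) != length:
            return None                  # datagram truncated mid-label
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length
    return None                          # ran out of bytes before the root label

def find_plaintext_dns(packets, local_listeners=("127.0.0.1", "::1")):
    """List (resolver, name) for each cleartext DNS query that leaves the host."""
    leaks = []
    for dst_ip, dst_port, payload in packets:
        if dst_port != 53 or dst_ip in local_listeners:
            continue
        name = parse_query_name(payload)
        if name is not None:
            leaks.append((dst_ip, name))
    return leaks

# Constructed capture: (destination IP, destination UDP port, UDP payload).
SAMPLE = [
    ("127.0.0.1", 53, build_query("example.org")),        # handed to a local listener
    ("192.0.2.53", 53, build_query("example.com")),       # cleartext, visible on path
    ("192.0.2.53", 53, build_query("example.net")[:20]),  # truncated datagram
    ("198.51.100.7", 443, b"\x16\x03\x01"),               # not DNS
]

if __name__ == "__main__":
    for resolver, name in find_plaintext_dns(SAMPLE):
        print(f"cleartext query for {name} sent to {resolver}")
```
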

gaukas commented 1 year ago

More information will be helpful.

Specifically, we should look into false positive cases (who didn't break the wall, but got cited) as well as the false negative cases (who did break the wall, but got away) detections. Then, compare them with the real positive cases, those who did break the wall and got cited.

Although I am not expecting colleges/universities to have the ability to do fine-grained active probing, GFW infrastructures deployed on CERNET might still trigger a federated active probing towards any suspected proxy server. -- needs verification.

A few possible reasons other than active probing:

With more information/reports we could possibly narrow down our hypothesis, given that it is not viable to do massive experiments in CERNET.

AkinoKaede commented 1 year ago

Generally speaking, mobile networks in universities are directly managed by telecom operators, so they are not subject to censorship by universities.

It is highly unlikely that such censorship had been deployed on CERNET, as it does not appear to be commonly used in universities and colleges. Through some public bidding information, we can know that these devices are bought from companies such as NSFOCUS.

I have experienced network crashes due to these devices being heavily loaded, which means they are deployed as gateways.

By the way, the method of forwarding traffic through a server in China is worth a try.

wkrp commented 1 year ago

> Through some public bidding information, we can know that these devices are bought from companies such as NSFOCUS.

Where can one find this public bidding information? Chinese language is ok.

AkinoKaede commented 1 year ago

> > Through some public bidding information, we can know that these devices are bought from companies such as NSFOCUS.
>
> Where can one find this public bidding information? Chinese language is ok.

For example, SDGP370000000202202009802 is the information related to Qufu Normal University's purchase of a Sangfor AC-1000-B3400.

rfbzs commented 1 year ago

In my experience, the censorship on CERNET is usually more lenient, even in politically sensitive times. I think that the censorship in your school may be more related to the IT department of your university. However, I'm not sure how the IT department of your school identified the protocols. Each school has its own campus network, separate from the external network. And the traffic on this network may not be as large and complex as that on the external network, which may help to identify certain protocols. I assume that your school has the ability to detect network proxy protocols, in which case it may be possible to find a way to avoid locating individuals. Your school's campus network may require account authentication to access the external network. So you could choose a public wifi that does not require authentication, such as the wifi in the library or the canteen.