The Great Firewall of China (GFW) is a nickname given to China’s internet censorship system, which functions through legislation and internet filtering technologies.
Since 2003, it has given Chinese authorities the power to monitor and restrict internet access to anyone based in mainland China (Hong Kong and Macau are exempt).
The Great Firewall is designed to regulate and censor the Internet within China’s borders. It does this by limiting, slowing, or completely blocking access to certain foreign websites and services.
How Does the Great Firewall Work?
Unlike the online censorship in some other countries, China’s Great Firewall has been around since the origins of the internet. As a result, it is built into the basic internet infrastructure of the country.
The Great Firewall uses a combination of five methods to block websites and apps:
- IP blocking: blocking IP addresses that resolve to specific URLs (websites).
- DNS spoofing: diverting traffic from one website to another, which practically blocks you from accessing a desired website or app.
- Keyword and URL filtering: scanning websites and URLs for specific terms.
- Deep packet inspection (DPI): inspecting the headers in data packets to detect the destination IP address (website).
- Manual actions: Chinese authorities employ thousands of workers to censor forbidden content.
The GFW doesn’t operate in a single or straightforward way, and the Chinese Communist Party (China’s ruling political party) maintains a high degree of secrecy about how its censorship functions.
From the outside looking in, these are some of the common methods used by the Great Firewall to block websites and services.
By combining these technologies and constantly upgrading its methods and infrastructure, China has managed to build the most effective and dynamic system of online censorship in the world.
Here’s a more detailed explanation the five methods used to block or censor content in China:
1. IP Blocking
China builds a blacklist of IP addresses which correspond to banned websites. If it sees you are trying to connect to these IP addresses, your traffic will simply be blocked.
If an IP address associated with a non-approved VPN are discovered, it is blocked too.
2. DNS Spoofing
When you connect to a website, the Domain Name System (DNS) is used to establish a connection between your device and the website’s IP address.
China can set DNS servers up to give faulty information for some DNS requests, which will prevent you from establishing a connection with the website.
3. URL Filtering
As well as blocking specific IP addresses, the GFW scans URLs for sensitive keywords. This means you may be able to access one part of a website, but not the pages that refer to content that the government would rather keep you from seeing.
4. Deep Packet Inspection & Injection
The Great Firewall can look through blocks of unencrypted data to identify flagged keywords using a process known as ‘deep packet inspection’. It can then stop any unwanted packets from being transmitted.
After identifying an unwanted connection, China can inject reset packets, to break the connection between you and the website you are visiting for a period of time.
5. Manual Actions
Much of the censorship carried out as part of the Great Firewall isn’t automated. The government hires staff specifically to scan the internet for content to add to its blacklist.
Does the Great Firewall Block Every VPN?
China’s Great Firewall actively blocks VPN connections, but it cannot block every VPN.
The Chinese government has been blocking VPNs to some degree since 2011, but this process has intensified since 2017 and early 2018.
During that time, the Chinese government ordered the Apple App Store to remove all VPN applications and threatened to block all VPN services that were not government-approved.
While it wasn’t successful in blocking all VPN services, many popular services are now unusable.
Even the VPNs with the most effective obfuscation tools occasionally fall victim to the Great Firewall’s censorship.
During times of political unrest, or on significant anniversaries such as June 4, the Chinese government cracks down on VPNs more intensely. Connecting to a VPN server will be harder, but the best VPNs usually find a solution reasonably quickly.
How Do the Top VPNs Beat the Great Firewall?
VPN services encrypt your internet traffic so the Great Firewall can’t see what you’re trying to access online.
The encrypted traffic is routed to a VPN server in another country before going to the website or service that you want to access. This hides the destination of the internet traffic from the Great Firewall, too.
The Chinese censors have learnt to identify some VPN connections.
Using Deep Packet Inspection, the censors can see certain indicators of VPN traffic, such as characteristics of particular VPN protocols.
As a result, the most reliable VPNs for China now use obfuscation technology to scramble VPN traffic and make it look like normal HTTPS internet traffic. This helps the data to go undetected.
PrivateVPN uses obfuscation to unblock YouTube in China.
Even with obfuscation, the Great Firewall still successfully blocks some VPN servers by blacklisting associated IP address ranges.
This means that one day a VPN server might work, and the next day it won’t. Some trial and error might be required when this happens.
What Is VPN Obfuscation?
Obfuscation technology disguises your VPN traffic so it blends in with other forms of online traffic. Normal VPN encryption stops observers from reading your traffic, but obfuscation stops them from knowing it is VPN traffic at all.
A VPN that offers obfuscation technology will allow you to select an obfuscation protocol from the settings menu.
Without obfuscation, the Chinese Firewall will detect VPN traffic (through deep packet inspection) and block it.
VPN services use protocol obfuscation methods to scramble VPN data and mask it as regular HTTPS web traffic.
The two most common ways to obfuscate VPN traffic are:
- XOR: Also referred to as OpenVPN Scramble, XOR is an encryption algorithm often used to mask OpenVPN traffic.
- Obfsproxy: Developed by the Tor network, Obfsproxy works by adding a further layer of encryption to OpenVPN traffic using the “obfs4” wrapper.
Sometimes obfuscation protocols are also called ‘stealth’ or ‘camouflage’ protocols. All of the recommended VPNs above use obfuscation protocols.