The ‘Great Firewall of China’ (or GFW) is the nickname given to China’s internet censorship system, which functions through legislation and filtering technologies.
Since 2003, it has given Chinese authorities the power to monitor and restrict internet access for anyone based in mainland China (Hong Kong and Macau are exempt).
The Great Firewall uses a combination of five methods to block websites and apps:
- IP blocking – blocking the IP addresses that specific websites resolve to.
- DNS cache poisoning, or DNS spoofing – diverting traffic from one website to another, which in practice blocks you from accessing your desired website or app.
- Keyword and URL filtering – scanning websites and URLs for specific terms.
- Deep packet inspection (DPI) – the inspection of headers in data packets to detect the destination IP address (website).
- Manual actions – Chinese authorities employ thousands of workers to censor forbidden content.
How Does the Great Firewall Work?
Unlike the online censorship of some other countries, China’s Great Firewall has been around since the origins of the internet, and as such is built into the basic internet infrastructure of the country.
It doesn’t operate in a single or straightforward way, and the CCP (China’s ruling political party) maintains a high degree of secrecy about how its censorship functions, but from the outside looking in we can observe some common methods used by the Great Firewall:
China builds a blacklist of IP addresses which correspond to banned websites. If it sees you are trying to connect to these IPs, your traffic will simply be blocked. If IP addresses associated with a non-state approved VPN are discovered, they are blocked too.
When you connect to a website, something called DNS is used to look up the website’s IP address so that your computer or phone can connect to it. China can set DNS servers up to give faulty information for some DNS requests, which will prevent you from establishing a connection with the website.
As well as blocking specific IPs, China scans URLs for sensitive keywords. This means you might be able to access part of a website, but not pages which refer to content China would rather keep you from seeing.
Deep Packet Inspection & Injection
In certain cases, the Firewall will scan blocks of unencrypted data for flagged keywords using a process known as ‘deep packet inspection’. It can stop any unwanted packets from being transmitted. After identifying an unwanted connection, China can inject reset packets to break the connection between you and the website you are visiting for a period of time.
Much of the censorship carried out as part of the Great Firewall isn’t automated. The government hires staff specifically to scan the internet for content to add to its blacklist.
By combining these technologies and constantly upgrading its methods and infrastructure, China has managed to build the most effective and dynamic system of online censorship in the world.
Even with obfuscation technology in place, many VPNs are simply not up to the task of overcoming it.
Does the Great Firewall Block Every VPN?
China actively blocks VPN connections, but currently it cannot block every VPN. China has been blocking VPNs to some degree since 2011, but in late 2017 to early 2018 the Chinese government’s VPN clampdowns intensified.
During that time, the Chinese government ordered the Apple App Store to remove all VPN apps and threatened to block all VPN services that were not government-approved.
While China wasn’t successful in blocking all VPN services, many are now unusable.
Even the best VPNs with the most effective obfuscation tools fall victim to the Great Firewall’s crackdowns from time to time.
During times of political unrest, or on significant anniversaries such as June 4 (1989 Tiananmen Square protests), the Chinese government tends to crack down on VPNs more intensely. While you may find it harder to connect to a VPN server, the best VPN services usually find a solution reasonably quickly.
How Do VPNs Beat the Great Firewall?
Some VPNs evade the Great Firewall of China using encryption and obfuscation tools.
VPNs encrypt internet traffic so that the Great Firewall can’t see what you’re trying to access online.
The encrypted traffic is routed to your VPN service’s private servers before going to the website or service that you want to access, hiding the destination of the internet traffic from the Great Firewall too.
However, the Chinese censors have learnt to identify some VPN connections.
Using Deep Packet Inspection, the censors can see certain indicators of VPN traffic, such as characteristics of particular VPN protocols.
The best VPNs for China now employ obfuscation tools which scramble VPN data to look like normal HTTPS internet traffic, helping the data to go undetected.
Even with obfuscation, the Great Firewall still successfully blocks some VPN servers by blacklisting their associated IP address ranges.
This means that one day a server might work but the next it won’t. Some trial and error might be required when this happens.
What Is VPN Obfuscation?
VPN obfuscation disguises VPN traffic to make it blend in with other forms of online traffic. Think of it like camouflage; normal VPN encryption stops observers from reading your traffic, but obfuscation stops them from knowing it is even there.
Without obfuscation, the Chinese Firewall will detect VPN traffic (through deep packet inspection) and block it.
Therefore, VPN providers use protocol obfuscation methods to scramble VPN data and mask it as regular HTTPS web traffic.
The two most used ways to obfuscate VPN traffic involve using:
- XOR – Also referred to as OpenVPN Scramble, XOR is an encryption algorithm often used to mask OpenVPN traffic.
- Obfsproxy – Developed by the Tor network, Obfsproxy works by adding a further layer of encryption to OpenVPN traffic using the obfs4 wrapper.
Sometimes obfuscation protocols are also called ‘stealth’ or ‘camouflage’ protocols. All of our recommended VPNs above use obfuscation protocols.
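The relationship between protocol fingerprinting and XOR masking described above, as an added example (not from the original article or from any VPN provider's code): a toy deep-packet-inspection rule keyed on the opcode byte that opens an OpenVPN session, and a simplified repeating-key XOR mask. The key, the sample packets and all function names are constructed for illustration.

```python
# Added illustration: a static DPI signature for OpenVPN's handshake and what XOR masking does to it.
# Packets and key are constructed sample data; function names are hypothetical.
import os

# OpenVPN opcodes that open a session (upper 5 bits of the first UDP payload byte).
HARD_RESET_OPCODES = {1: "CLIENT_V1", 2: "SERVER_V1", 7: "CLIENT_V2", 8: "SERVER_V2"}


def looks_like_openvpn(payload: bytes) -> bool:
    """Signature check a DPI box could apply to the first UDP payload of a flow."""
    if len(payload) < 14:  # opcode(1) + session id(8) + ack count(1) + packet id(4)
        return False
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    return opcode in HARD_RESET_OPCODES and key_id == 0


def xor_mask(payload: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, a simplified form of the 'OpenVPN Scramble' idea."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


def build_client_hard_reset() -> bytes:
    """Constructed P_CONTROL_HARD_RESET_CLIENT_V2: opcode 7, key id 0, random session id."""
    return bytes([7 << 3]) + os.urandom(8) + b"\x00" + (0).to_bytes(4, "big")


def first_bytes_after_masking(key: bytes, flows: int = 5) -> set:
    """First byte seen on the wire for several independent masked handshakes."""
    return {xor_mask(build_client_hard_reset(), key)[0] for _ in range(flows)}


KEY = b"example-key"  # constructed key for this example
plain = build_client_hard_reset()
masked = xor_mask(plain, KEY)

if __name__ == "__main__":
    print("plain handshake flagged: ", looks_like_openvpn(plain))
    print("masked handshake flagged:", looks_like_openvpn(masked))
    # Session ids differ per flow, yet the masked first byte does not.
    print("masked first bytes:", {hex(b) for b in first_bytes_after_masking(KEY)})
```

With a fixed key the masked first byte is identical in every flow, so the signature moves to a new constant rather than disappearing, and a static rule can be updated to match it.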
Which Websites Does the Great Firewall Block?
Many of the most popular websites and apps in the world are blocked in China, including:
- Google (Gmail, Google Maps & all other Google services – blocked since 2014)
- YouTube (blocked since 2011)
- Facebook (blocked since 2009)
- Twitter (blocked since 2009)
- Instagram (blocked since 2014)
- WhatsApp (blocked since 2017)
- Skype (blocked since 2017)
- Pinterest (blocked since 2017)
The Google Play Store isn’t available at all in China, and Apple’s App Store complies with Chinese laws, so it’s highly restricted, meaning that you can’t find VPN apps on there.
You can use the greatfire.org analyzer tool to check if specific websites are blocked.
Many VPN websites are blocked in China, which is why it’s super important to set up your VPN apps before you travel.
You can download APK files directly from some VPN websites – although they too may be blocked – for your Android device.
Be wary of downloading those types of files from third-party websites, though, as they can be infected with malware.
Here is a more comprehensive list of websites blocked in mainland China. You can also use this checker to find out if a website is available or not. Censorship varies from day to day and region to region.
During times of political unrest, censorship can be heightened, and some areas of China can be affected more than others.
Does the Great Firewall Block Mobile Apps?
The Great Firewall can block access to anything which requires access to the internet. This includes email (if you use Gmail) and blacklisted mobile apps.
If your mobile app needs to connect to a blocked site or service to operate, it won’t work in China.
The app store itself is also much more limited in China. On iOS you can still access the Apple App Store, but it won’t contain all the apps you can find elsewhere. On Android there are several app stores available, including the Tencent, Oppo, Huawei, Xiaomi, and Baidu stores.
For this reason it is important you download every app you need – particularly your VPN app – before arriving in China.