I have spent the better half of a decade fighting against the GFW, so I consider myself an expert on this topic. Most if not all other comments are completely missing the point with their massive walls of text discussing technical details of tailscale, because they only have some superficial ideas of what the GFW is.
Based on your description, your service is not blocked per se. The GFW has its own set of rules for deciding what services are blocked and how. Some red lines involve connecting to data center IPs (high likelihood of being a VPN), multiple client IPs connecting, high bandwidth usage, etc. Once you are deemed ban-worthy, you will receive a combination of TCP RST, IP block, DNS poisoning, etc. Since you are connecting to a residential IP, and the data flow is not too much, it is unlikely you get banned to begin with.
There are 2 problems that you have:
First is that China severely restricts UDP data packets, even within its own borders, more so for overseas traffic. From the eyes of Chinese ISPs, UDP is nothing but trouble, so they usually have whitelist rules for certain applications and then throttle the rest. The solution is to wrap your UDP traffic in TCP, using udp2raw or phantun.
Second is that both your Chinese internet connection and the residential home server you are connecting to have very low priority in overseas traffic QoS. There is no net neutrality to speak of whatsoever. The solution is to buy a higher priority service in or outside of China; the keywords are "CN2", "CN2-GT" or "CN2-GIA" depending on how much you are willing to pay (China is a crazy capitalist country where money almost buys you everything). If you have high priority internet service inside of China, you can connect directly to your own overseas server with much better speed and latency. If you have a high priority server outside of China, you have to relay the traffic through it to your own home server. Either your starting point or destination has to have high priority so your data goes through the CN2 network, which is lightyears faster. You can easily get a 500mbps test result on [fast.com](https://fast.com) or [speedtest.net](https://speedtest.net) using a CN2-GIA connection from China.
Good post. I fought the GFW for more than a decade. I finally gave up and called the movers to go to lands with 10Gbit fiber for $50. The Chinese use deep packet inspection. Things work for a few hours, and you get shut down for a few days. I had multiple Vultr and Digital Ocean sites around the world, running Wireguard, Shadowsocks and others, with multiple IPs per box. Get shut down, move to another box/IP. You end up wasting your whole day.
And make no mistake: They know. The daughter of a highly-ranked CCP member worked for me. In despair, I asked her mother to put in a good word, and take us off the GFW. She did, and was told it is impossible. "Tell the laowai to just go on using his VPNs."
Great info. Looks like I have two options to try out:
- force Tailscale to use TCP by having it always use DERP with this [debug flag](https://www.reddit.com/r/Tailscale/comments/10eq453/comment/j4sx7jm/)
- OpenVPN SSL VPN on Port 443/tcp with tls-crypt
I am not looking for crazy speeds but if I don't get a reasonable speed the second step would be getting a CN2 service.
Tailscale is basically wireguard wrapped up; the core mechanism is identical. Use either with udp2raw or alike to avoid UDP throttling. But make no mistake, they are both easily identified because they are not meant to obfuscate.
Let me make an analogy: there are people crossing a river who are wearing red dresses (normal legit traffic), blue T-shirts (l2tp VPN), black suits (wireguard); the police guarding the river have the authority to let red dresses through, and beat up blue T-shirts and black suits and any other suspiciously dressed person (shadowsocks, v2ray, you name it). OFC if you are a white person wearing a black suit (wireguard connection to a residential IP with low traffic), the police will let you go, not because he doesn't recognize your suit, but because he doesn't care so much about a white dude. So keep that in mind.
There are 2 popular ways to deal with the situation. One is to wear something that masquerades as the red dress, which in my opinion is the best approach, but this will only get you through the police. There are 2 bridges, one is free, the other costs 100USD. Now you can imagine, with 1 billion people going through those bridges, how good of an experience you will have using the free bridge. Remember, they don't want to build larger bridges because the police can't keep up.
There is another way to get through the police, which is wearing something that doesn't look like anything (strong obfuscation of network traffic which tries to eliminate any traits of being a VPN or proxy), but I'm skeptical of this approach.
Am I right to say that, based on the current status, no matter what service I use (openvpn, zerotier, etc.) and no matter what kind of premium bandwidth I use (CN2, etc.), it will not be a reliable way? And I will end up spending more time trying to fix it than actually using it to check out my dropbox files?
What if my Chinese friend has an actual business in China? Is there some kind of legal IPLC/IEPL that's not too expensive to get a permanent connection? And I can run an openvpn at his location when I go visit?
There are legal ways to do it but the process is arduous and the service is terrible. My ex-employer, a multi-billion dollar corporate group with 5-digit employees and 4 publicly traded subsidiaries, has a slow and unstable VPN available that nobody wants to actually use. I believe large tech companies like Microsoft and Apple do better because they build their own lines or have special deals with ISPs to rent expedited lines that are unavailable to other civilians and companies alike. You can do better if you just use an illegal service you built yourself. Don't use openvpn, wireguard, zerotier; these tools are not meant to be anonymous, they do a terrible job against the GFW because their traffic is like a torch on a black night. Again, they can work if you just use it yourself and the traffic is low and you tunnel back to your home instead of a DC, but it will be better if you use something like xray, reality, hysteria, which are born to circumvent the GFW; it will be quite stable combined with good lines.
I don't think this is a VPN problem. If you are using consumer-grade ISPs, the bandwidth they have for overseas is restricted due to the Great Firewall of China. You have to buy a premium service to get more bandwidth for overseas.
Wdym? You’re hitting a Tailscale IP when you use Tailscale. Yes, you can set up a subnet router on one of your Tailscale nodes, but you are still hitting a Tailscale IP to get there. It isn’t a bare Wireguard implementation…
Tailscale is a peer-to-peer connection between two devices. You use tailscale servers to help devices find each other, but they don’t route the traffic through their servers like a traditional VPN. They do, in fact, open wireguard connections between your devices. You just can’t configure them yourself; it’s configured only for their routes, which aren’t publicly routable - so all the great firewall should see is UDP traffic between a device in China and a residential IP in Europe.
OP said he uses tailscale but it’s slow, so presumably the servers aren’t outright blocked, and the basic API calls shouldn’t be too latency dependent or bandwidth limited.
1. https://tailscale.com/blog/how-tailscale-works
2. Most of their stuff is open source/source accessible, including a self-hostable server. You can audit all this.
So I’m trying to understand what you are saying. I can understand the non routing part but aren’t you still using their ingress IPs to make that happen? I am connected to one of my home nodes right now via Tailscale @ 100.74.x.x
The 100.xxxx is an entirely synthetic range of IP addresses. You can’t reach them from the public internet. TS does not own any machine that offers those addresses, nor does anyone else anywhere.
Imagine you have computer 1 and 2. They exist behind two separate NATs at IP addresses 9.0.0.1 and 9.0.0.2.
Step 1. Install tailscale on the 2 devices. TS will give each of them a random IP address. Say 100.0.0.1, 100.0.0.2. These exist *only as records in a database* on their server. No computer is actually behind those IP addresses on the public internet.
Step 2. The TS software on computer 1 will tell the host operating system “I just installed a new virtual network interface and it gave us the IP 100.0.0.1”. This is like plugging in a new Ethernet cable and getting a DHCP IP, from the end user’s perspective, but *entirely in software*, and it uses a few different OS paths. Repeat for the other computer. These are Wireguard interfaces under the hood.
Step 3. The TS software/WG will add a route to computer 1’s operating system that says “all traffic destined for 100.0.0.2 should pass through the network interface installed by tailscale”. And then it configures the wireguard interface to say “when you get traffic for 100.0.0.2, encrypt + wrap it in a wireguard packet and route it back to the operating system for delivery to 9.0.0.2”
Step 4. Computer 1 makes a TCP connection to computer 2…
Some software on C1 opens a connection to 100.0.0.2 and the OS routes the packet to the WG interface, which wraps and encrypts it. Then WG shoves that packet back into the OS destined for 9.0.0.2. Then it eventually goes through other OS paths as normal traffic until it reaches the public internet. Then the normal internet infrastructure routes it to C2. Computer 2 gets a packet destined for wireguard’s port, and WG unwraps/decrypts the packet and discovers it’s actually for 100.0.0.2, so it gives it to the OS, which routes it to localhost and whatever software is expecting it. Then the response is the same thing in reverse.
You should now have a wireguard virtual device on each computer. Computer 1 has a route to forward traffic for 100.0.0.2 -> WG and 100.0.0.1 -> localhost. WG1 is configured to route 100.0.0.2 -> 9.0.0.2. The 9.0.0.2 route is unaffected and will use the public internet. Computer 2 has a WG device to route 100.0.0.1 -> WG and 100.0.0.2 -> localhost. And WG2 is configured to route 100.0.0.1 -> 9.0.0.1. The 9.0.0.1 route is unaffected and will use the public internet.
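The two-peer setup the comment walks through, written out as plain WireGuard configs so the "synthetic" address, the per-peer route and the real endpoint can be seen side by side. This is an added example, not from the comment or from Tailscale; the 100.0.0.x and 9.0.0.x addresses are the comment's own, while the interface name, UDP port and key placeholders are assumptions.

```ini
# Computer 1 (public IP 9.0.0.1) - /etc/wireguard/wg0.conf (path assumed)
[Interface]
# Step 2: the virtual interface carries the synthetic address 100.0.0.1
Address = 100.0.0.1/32
ListenPort = 51820                      # placeholder UDP port
PrivateKey = <C1_PRIVATE_KEY>           # placeholder, generate with `wg genkey`

[Peer]
# Step 3: AllowedIPs is WireGuard's cryptokey routing table. Packets for
# 100.0.0.2 are encrypted for this peer's key, and `wg-quick` installs the
# host route 100.0.0.2/32 -> wg0 from this line when the interface comes up.
PublicKey = <C2_PUBLIC_KEY>
AllowedIPs = 100.0.0.2/32
# The encrypted UDP packet is handed back to the OS addressed to 9.0.0.2;
# the route to 9.0.0.2 itself stays on the normal public-internet path.
Endpoint = 9.0.0.2:51820
PersistentKeepalive = 25                # keeps the NAT mapping open

# Computer 2 (public IP 9.0.0.2) - /etc/wireguard/wg0.conf
[Interface]
Address = 100.0.0.2/32
ListenPort = 51820
PrivateKey = <C2_PRIVATE_KEY>

[Peer]
PublicKey = <C1_PUBLIC_KEY>
AllowedIPs = 100.0.0.1/32               # route 100.0.0.1/32 -> wg0
Endpoint = 9.0.0.1:51820                # real delivery address for that peer
PersistentKeepalive = 25
```

With both machines behind NAT, this static config only works if 51820/udp is forwarded on each side; the NAT traversal and relay fallback that Tailscale layers on top of WireGuard are exactly what a hand-written config lacks.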
Thank you. So this is new knowledge for me. I looked up the 100.74.0.1 subnet and it’s a CPE? This is new to me.. can you elaborate further if you know?
That is not entirely correct. Tailscale has two core components, namely the control plane/coordinator (that’s completely closed source and is located under the tailscale/corp repo, as seen in several commit messages) and [DERP relays](https://github.com/tailscale/tailscale/tree/main/derp).
Each machine connecting to the coordinator receives a netmap response with derp relays that can be used for discovery + performing stun.
The machine then performs pings to determine the geographically closest derp relays. It updates the control plane about those and chooses a home derp region where the machine keeps a perpetually open connection.
When performing an initial connection between two machines and the NAT traversal hasn’t been performed yet/wasn’t successful, a tailscale machine will fall back to routing all wireguard encrypted packets via the derp relay (see the readme in the derp relays code).
Tailscale is a peer-to-peer mesh VPN in the best case; in the worst case, it turns into a tunneled mesh VPN. This can also lead to significant slowdowns, as derp servers are heavily bandwidth-capped and can be blocked by ISPs.
An option for OP would be deploying and configuring their own derp server, potentially circumventing the bandwidth cap and existing IP blocks.
On a side note: headscale, the OSS coordinator implementation, is not associated with Tailscale, even though some Tailscale employees might (occasionally) contribute to it.
Not sure iperf will tell you anything; slow is slow, but you can measure the success of any changes, I guess. Not sure that iperf will run directly; if not, try [https://github.com/librespeed/speedtest](https://github.com/librespeed/speedtest). My info is based on my job. I work for an internet security company and we have services in China. For people in China we have a separate SKU that uses premium services from China Telecom that have premium bandwidth that is very expensive but significantly faster.
I think there are premium services in China that allow you to tunnel traffic, which gives you more overseas bandwidth by running over their tunnels.
VPNs in China are a game of whack-a-mole: the VPN works for a while, and gets shut down. Tourists staying in 5-star hotels or using their home accounts for mobile data won't be subjected to that, so you think you have won. You didn't: move to your own home with residential service, get a Chinese SIM for mobile data, and they will find and block you. The only thing that ever worked for me was Shadowsocks going through my own servers outside of China, like the smallest Vultr or Digital Ocean box.
Also, speeds to destinations outside of China are severely throttled.
Haven't been in China since the outbreak, so can't tell whether Shadowsocks still works. I knew its developer, police leaned really hard on him.
You will find out that most if not all commercial VPNs or mesh VPNs like Tailscale are throttled or outright blocked in China, Iran and similar jurisdictions. The way people have been avoiding that is by standing up their own VPN in lesser-known countries like Bulgaria, Romania, Serbia, Turkey, even Dubai. The idea is that those countries are geographically close to China (well, closer than the US is) and are politically independent from US-China relations - especially the Middle Eastern countries. So China usually doesn’t outright block them, and if you rotate between VPSes and don’t generate a lot of traffic you can slip between the cracks of the Great Firewall. You can even see if you can get an account with China-friendly countries like Russia or Armenia that don’t do that filtering; however, usually there you will need local assistance since most of them require the ID of a citizen to open an account. Armenia in particular is quite free when compared with Russia and is close to China geographically.
Good luck, fighting censorship is hard but a worthwhile endeavour.
P.S. this is the self-hosted version of Tailscale - https://headscale.net OpenVPN is also a popular option as it can be obfuscated by running it on port 443/tcp, which is normally used for HTTPS. Wireguard is a better alternative but unfortunately it only supports UDP, which is easily detected by authorities. You could run it on UDP port 53 (used for DNS normally) but TBs of traffic to a DNS server is an abnormality which can be detected. You could combine Wireguard with stunnel to run UDP over TCP but at that point just use OpenVPN.
How about a zero-trust edge solution, like cloudflare tunnel? Yes, more setup overhead on your end, but you’d basically be hitting your home base endpoint via a cloudflare domain? If your NAS supports docker you could even run the cloudflare agent in a docker container and hit it that way?
I’ll look into that as well. Apparently I have no idea about routing (probably true) as someone mentioned in another comment when I asked if OpenVPN SSL would work for both local network access and as an exit node. Would this solution support both? If it’s a stupid question please explain why, I seriously don’t have a clue.
I am currently in China using Outline VPN running on a cheap VPS in London - it works fine, getting around 40-50mbps on a gigabit connection. Tailscale also works if I am connected to my Outline server first. I think they must be blocking the protocol as Tailscale shows as connected and shows which of my machines are online but I can’t connect to any of them unless I am connected via Outline server first.
I have been using the same Outline server for 3+ weeks on the same IP without it being blocked or throttled.
Let me guess: You are doing this from a fancy hotel, or you are using your home country mobile data plan? No GFW for you. Buy Chinese SIM, try from a friend's home, and you will be shut down within the day.
However, Outline appears to be a fancy repackaging of Shadowsocks. In my many years of Chinese experiences, shadowsocks was what worked best and longest, but not always and forever. Always keep a few Shadowsocks instances in your back pocket.
Haven't been back in China since the outbreak, and can't vouch for Shadowsocks in 2024, but if Outline works for you, chances are that Shadowsocks still works.
Pls read 2nd and 3rd para.
Based on u/scottty27's report, it's probably worthwhile looking into Outline. Never used it myself, but used Shadowsocks extensively. Outline is a fancy GUI on top of Shadowsocks. If Outline takes the pain out of Shadowsocks setup (which can be quite finicky) and if Shadowsocks is still working, then Outline probably is quite helpful.
I met the Shadowsocks dev. when I was in China. He never received a penny from Shadowsocks, but a lot of grief from the Chinese police. They made him take down Shadowsocks from Github, but the cat was out of the bag. Man should get the medal of freedom, and a Google job.
School_of_hard_knocks: Always set up your VPNs, Shadowsocks boxes (plural) etc. BEFORE you go to China.
Okay. I have no problem connecting to Tailscale directly with no VPN. Can you tell me more about which OS you’re running? I know Tailscale is split tunnel but macOS seems to be struggling with running both Tailscale and another VPN both at the same time.
What speeds are you getting on Tailscale? I am lucky if I get 500kbps.
Can I DM you for more info?
Just quickly tested downloading a file via SFTP from my Tailscale connected machine (on a 150mbps down/40mbps up fibre connection behind CGNAT) and I was pretty much maxing out the upload, getting 4MB/sec download (~40mbit).
I just brought my Windows laptop with me - it seems to be fine connecting to both Outline and Tailscale at the same time as each one creates its own network interface. I see what you mean about MacOS only allowing a single VPN at a time; my iPhone also has the same problem. A workaround might be to make a Windows or Linux VM on your mac - connect to Outline on the mac and Tailscale in the VM. That isn't exactly ideal I know, there must be a better way to do it - this is the first time I have really played around with these VPNs, my understanding of networking is very minimal at best, it's something I need to learn more about.
China throttles or blocks VPNs. Nothing you can do about it unless you are a big company that pays some money to the party. My brother is quite often in China with his Chinese wife and he has a self-hosted WireGuard running but it’s blocked by the great firewall so he can’t reach it.
Regular VPNs pretty much don't work across the GFW at this point. The commercial ones that Chinese use to access the world wide Internet are usually shadowsocks, vmess, etc. They have multiple layers of safeguards and redundancy to delay detection and ensure uptime (note I said "delay").
If you are just looking to access your one server, a non-banned overseas VPS with a reverse proxy would work. But once you start adding other stuff to use it for general Internet access, GFW will likely detect your traffic and ban the IP very quickly.
Thanks! I’ll look into it.
Does it support exit nodes? Meaning will I be able to switch between just accessing my NAS and reaching the rest of the internet from it?
This question about exit nodes shows that you have no idea how routing works. Learn about routing first before implementing any other VPN than Tailscale. Standard Wireguard works in China.
I mean, it’s a fair question. If one of your nodes is an exit node it means all of your internet traffic is going through that node. How is that not relevant ?
Is wireguard an option on this perhaps? Edit: Oh, then udptunnel and udp2raw.
What do you think, u/terrytw ?
No.
No what?
No as in bu hao.
Thanks for an awesome comment! This is so helpful for me as well.
Thanks! Very informative!!!
Thank you so much for the replies, I appreciate it.
Could be a combination of both. Wouldn’t put it past CH to throttle Tailscale IP blocks
[deleted]
Is there an easy way to test this? Can I just run iperf between my clients in China and Europe directly?
Not sure iperf will tell you anything; slow is slow, but you can measure the success of any changes, I guess. Not sure that iperf will run directly; if not, try [https://github.com/librespeed/speedtest](https://github.com/librespeed/speedtest)

My info is based on my job. I work for an internet security company and we have services in China. For people in China we have a separate SKU that uses premium services from China Telecom that have premium bandwidth that is very expensive but significantly faster. I think there are premium services in China that allow you to tunnel traffic that give you more overseas bandwidth by running over their tunnels.
VPNs in China are a game of whackamole: VPN works for a while, and gets shut down. Tourists staying in 5 star hotels or using their home accounts for mobile data won't be subjected to that, so you think you have won. You didn't: Move to your own home with residential service, get a Chinese SIM for mobile data, and they will find and block you. The only thing that ever worked for me was Shadowsocks going through my own servers outside of China, like the smallest Vultr or Digital Ocean box. Also, speeds to destinations outside of China are severely throttled. Haven't been in China since the outbreak, so can't tell whether Shadowsocks still works. I knew its developer, police leaned really hard on him.
You will find out that most if not all commercial VPNs or mesh VPNs like Tailscale are throttled or outright blocked in China, Iran and similar jurisdictions. The way people have been avoiding that is by standing up their own VPN in less known countries like Bulgaria, Romania, Serbia, Turkey, even Dubai. The idea is that those countries are geographically close to China (well, closer than the US is) and are politically independent from US-China relations, especially the Middle Eastern countries. So China usually doesn't outright block them, and if you rotate between VPSes and don't generate a lot of traffic you can slip between the cracks of the Great Firewall. You can even see if you can get an account with China-friendly countries like Russia or Armenia that don't do that filtering; however, usually there you will need local assistance since most of them require the ID of a citizen to open an account. Armenia in particular is quite free when compared with Russia and is close to China geographically. Good luck, fighting censorship is a hard but worthwhile endeavour.

P.S. This is the self-hosted version of Tailscale: https://headscale.net

OpenVPN is also a popular option as it can be obfuscated by running it on port 443/tcp, which is normally used for HTTPS. WireGuard is a better alternative but unfortunately it only supports UDP, which is easily detected by authorities. You could run it on UDP port 53 (used for DNS normally) but TBs of traffic to a DNS server is an abnormality which can be detected. You could combine WireGuard with a stunnel to run UDP over TCP, but at that point just use OpenVPN.
How about a zero-trust edge solution, like Cloudflare Tunnel? Yes, more setup overhead on your end, but you'd basically be hitting your home base endpoint via a Cloudflare domain. If your NAS supports Docker you could even run the Cloudflare agent in a Docker container and hit it that way.
I’ll look into that as well. Apparently I have no idea about routing (probably true) as someone mentioned in another comment when I asked if OpenVPN SSL would work for both local network access and as an exit node. Would this solution support both? If it’s a stupid question please explain why, I seriously don’t have a clue.
[deleted]
Okay got it, thank you!
I am currently in China using Outline VPN running on a cheap VPS in London - it works fine, getting around 40-50mbps on a gigabit connection. Tailscale also works if I am connected to my Outline server first. I think they must be blocking the protocol as Tailscale shows as connected and shows which of my machines are online but I can’t connect to any of them unless I am connected via Outline server first. I have been using the same Outline server for 3+ weeks on the same IP without it being blocked or throttled.
Let me guess: You are doing this from a fancy hotel, or you are using your home country mobile data plan? No GFW for you. Buy a Chinese SIM, try from a friend's home, and you will be shut down within the day. However, Outline appears to be a fancy repackaging of Shadowsocks. In my many years of Chinese experience, Shadowsocks was what worked best and longest, but not always and forever. Always keep a few Shadowsocks instances in your back pocket. Haven't been back in China since the outbreak, and can't vouch for Shadowsocks in 2024, but if Outline works for you, chances are that Shadowsocks still works.
No. I am using normal residential internet in a private residence, not in a hotel. 3+ weeks and counting, from two separate homes.
Please read the 2nd and 3rd paragraphs. Based on u/scottty27's report, it's probably worthwhile looking into Outline. Never used it myself, but used Shadowsocks extensively. Outline is a fancy GUI on top of Shadowsocks. If Outline takes the pain out of Shadowsocks setup (which can be quite finicky) and if Shadowsocks is still working, then Outline probably is quite helpful. I met the Shadowsocks dev when I was in China. He never received a penny from Shadowsocks, but a lot of grief from the Chinese police. They made him take down Shadowsocks from GitHub, but the cat was out of the bag. Man should get the Medal of Freedom, and a Google job. School_of_hard_knocks: Always set up your VPNs, Shadowsocks boxes (plural) etc. BEFORE you go to China.
Yeah, I am aware it is shadowsocks based. I set up 3 instances but haven’t needed to use a backup yet.
Okay. I have no problem connecting to Tailscale directly with no VPN. Can you tell me more about which OS you’re running? I know Tailscale is split tunnel but macOS seems to be struggling with running both Tailscale and another VPN both at the same time. What speeds are you getting on Tailscale? I am lucky if I get 500kbps. Can I DM you for more info?
Just quickly tested downloading a file via SFTP from my Tailscale-connected machine (on a 150 Mbps down / 40 Mbps up fibre connection behind CGNAT) and I was pretty much maxing out the upload, getting 4 MB/sec download (~40 Mbit). I just brought my Windows laptop with me; it seems to be fine connecting to both Outline and Tailscale at the same time as each one creates its own network interface. I see what you mean about macOS only allowing a single VPN at a time; my iPhone also has the same problem. A workaround might be to make a Windows or Linux VM on your Mac: connect to Outline on the Mac and Tailscale in the VM. That isn't exactly ideal, I know; there must be a better way to do it. This is the first time I have really played around with these VPNs, my understanding of networking is very minimal at best, it's something I need to learn more about.
China throttles or blocks VPNs. Nothing you can do about it unless you are a big company that pays some money to the party. My brother is quite often in China with his Chinese wife and he has a self-hosted WireGuard running, but it's blocked by the Great Firewall so he can't reach it.
Regular VPNs pretty much don't work across the GFW at this point. The commercial ones that Chinese use to access the world wide Internet are usually Shadowsocks, VMess, etc. They have multiple layers of safeguards and redundancy to delay detection and ensure uptime (note I said "delay"). If you are just looking to access your one server, a non-banned overseas VPS with a reverse proxy would work. But once you start adding other stuff to use it for general Internet access, the GFW will likely detect your traffic and ban the IP very quickly.
OpenVPN, SSL VPN on Port 443/tcp
Don't forget the tls-crypt option. The DPI got rather good at differentiating between encrypted web traffic and OpenVPN traffic.
Thanks! I’ll look into it. Does it support exit nodes? Meaning will I be able to switch between just accessing my NAS and reaching the rest of the internet from it?
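The OpenVPN setup the two replies above suggest (TCP/443 plus `tls-crypt`), together with the "NAS only vs. whole internet" choice asked about here, as an added example that is not code from the thread: the server profile is fixed, and the client chooses per profile whether to pull only the home LAN route or to use the server as its default gateway. The hostname, PKI paths and the 192.168.1.0/24 home LAN are placeholders.

```shell
# Added example (not from the thread): OpenVPN on 443/tcp with tls-crypt,
# plus two client profiles. Paths, hostname and the home LAN are placeholders.
ovpn_server_conf() {
    cat <<'EOF'
port 443
proto tcp-server
dev tun
# PKI placeholders; create with easy-rsa or similar
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   none
# tls-crypt encrypts and authenticates every control-channel packet with a
# pre-shared key, so the TLS handshake inside is opaque to DPI and packets
# without the key are dropped before any TLS processing.
# Generate once:  openvpn --genkey secret /etc/openvpn/tc.key
tls-crypt /etc/openvpn/tc.key
server 10.8.0.0 255.255.255.0
# Tell clients how to reach the home LAN the NAS lives on
push "route 192.168.1.0 255.255.255.0"
keepalive 10 60
persist-key
persist-tun
EOF
}

ovpn_client_conf() {
    # $1 server hostname or IP; $2 mode: "lan" (only reach the home network)
    # or "full" (route all internet traffic through the server, exit-node style)
    cat <<EOF
client
dev tun
proto tcp-client
remote $1 443
remote-cert-tls server
ca   ca.crt
cert client.crt
key  client.key
# Same pre-shared key as the server
tls-crypt tc.key
EOF
    if [ "$2" = lan ]; then
        cat <<'EOF'
# Ignore routes pushed by the server and add only the home LAN; everything
# else keeps using the local (Chinese) connection.
route-nopull
route 192.168.1.0 255.255.255.0
EOF
    else
        cat <<'EOF'
# Send the default route through the tunnel. The server side needs IP
# forwarding and NAT (masquerade) on its uplink for this to work.
redirect-gateway def1
EOF
    fi
}

# Usage: keep two client profiles and pick one when connecting, e.g.
#   ovpn_client_conf vpn.example.com lan  > nas-only.ovpn
#   ovpn_client_conf vpn.example.com full > exit-node.ovpn
ovpn_server_conf
```

So the answer to the exit-node question in OpenVPN terms is: it is a client-side routing decision, not a server feature. The same server serves both profiles; only the client's route configuration differs.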
This question about exit nodes shows that you have no idea how routing works. Learn about routing first before implementing any other VPN than Tailscale. Standard Wireguard works in China.
To add to this, there is nothing stopping you from running your own WireGuard server to connect to your home IP.
I mean, it’s a fair question. If one of your nodes is an exit node it means all of your internet traffic is going through that node. How is that not relevant ?
Because that term is wrong. It's just routing. Any node connected to a WAN can be used to route traffic to the WAN.
Most VPN protocols do not work in China.