China's anti-VPN measures: Chasing 'ladders' and 'airports' (update).
Chasing down unauthorized VPN usage in China has been a mission followed with varying intensity and success by the nation's security organs, but recent advances in AI might help.
A few days ago a little report made the rounds online about a new firewall system sold by the Chinese company ‘Guoji Beisheng Edu’, mainly designed to chase down VPN usage on university campuses in China.
Although it was just a normal company product advert, it immediately inspired dozens of commentators in and outside of China to deliver their take on this ‘news’.
Some already saw the end of the internet as we know it in China, others mocked it as another over-the-top announcement by a random Chinese network technology company trying to jump on a hype train. And many wondered if the scenario is even technically possible.

But these developments are not novel. They just take their time until they are mature enough to be rolled out. As we will see, the government and affiliated research institutions have been working on more reliable anti-VPN systems for quite a while. And as with many things in China, it is often an incremental shift instead of a big ‘breakthrough’.
Netaskari has already written plenty of times in the past about the ‘Great Firewall of China’ (GFW), so consider this a little bit of a refresher and an update.
Some history
Since the early stages of the GFW, the nation's citizens have been trying to break away from it, or to ‘climb over’ it, as it is widely known. The tools for doing so became widely known in China as ‘ladders’ and ‘airports’ (synonyms for VPN services).
We are not going into too much detail about the GFW or how it works; there are better places out there, like the GFW report and this article. Just note that the system is not monolithic and covers a wide range of functions, from traffic monitoring via deep packet inspection to censorship, service blocking, browsing surveillance and IP blacklisting, achieved via a mix of hardware and software solutions. It also includes national DNS resolvers (WIP). You can also read about the latest situation on VPNs in China here.
It is also prone to vulnerabilities and inconsistencies due to bad or outdated design choices that often feel more tacked on than thoroughly planned. The overall performance of the GFW can vary from province to province and from city to city.
Here is a quick primer on a ‘912’ system designed for the Xinjiang province (records from the Geedge leak) for example:
Certain methods might be tested first in more ‘high security’ areas like Xinjiang or Tibet before being rolled out to other provinces over time. Some just don't work at scale and stay limited to a certain region. Here is a great report on that approach, by the way.

A myriad of challenges
As already pointed out in an earlier article on this blog, the biggest challenge for the GFW was always the sheer amount of traffic the Chinese internet produces. Add to that the many businesses, academic institutions and even government entities that still need to be able to use web services from around the globe, and it is clear that just pulling the ‘plug’ like North Korea did (or even Iran to a certain extent) is not really an option. Besides, highly granular control at scale was technically just not possible for the longest time.
But the ruling party's need for control of information flows did of course not subside; instead it grew significantly over the decades. That includes not only internet access from inside China, but also access to the China-Web from the outside.
As data traffic and its complexities expanded rapidly, Chinese citizens became more tech-savvy and advanced censorship evasion methods proliferated, the GFW struggled to keep up. In the past years the authorities were just chasing the latest evasion method with a massive time delay.

Therefore, in the past the authorities adopted a more nuanced approach. The main goal was to try to keep the masses from climbing, while accepting that they can't hunt down every perpetrator and at the same time leaving gaps for small and medium businesses to still operate. This approach, effective on a wider scale, is confusing at times, even for Chinese citizens. Once in a while, if caught, people get punished for operating or using VPNs, which keeps everyone a little bit on their toes. It was like a rubber band that sometimes got stiffer but always had a certain elasticity.

But paired with an increasingly closed-off online services ecosystem (WeChat and its ‘walled garden’, for example) where it is hard to stay truly anonymous, and combined with old-school channels of surveillance, it kept China's internet users in check (mostly). VPN usage or sales were only punished sporadically in the past, making it not too obvious to the public how much the network censorship struggles in reality.
Chinese ‘netizens’ knew that as long as they kept a low profile and did not rub it in the government's face, the porous nature of the GFW was not something that needed to be brought up a lot. In the worst case you could always just go to Hong Kong and get yourself a SIM card there, with no firewall hindrance (although that door is increasingly closing too), and then benefit from very favorable roaming costs when using it on the Mainland.
Today we see an increase in public announcements by the central government in Beijing to actually pay more attention to the status quo, and changes are afoot.

New tools for an old problem
Now, in the past 15 years China's attempts to combat unauthorized VPN use have been making advances. In reality, though, that often meant ‘regulating’ VPN use more than outright banning or blocking it.
From a technical point of view, Deep Packet Inspection and network traffic fingerprinting have actually succeeded in some cases. Vanilla OpenVPN, Shadowsocks, IPSec or WireGuard are not really usable anymore in domestic applications. Even corporate VPNs that rely on those protocols, although permitted, still occasionally get taken down or throttled by the GFW.
If you are an international business, you can actually buy a ‘protected’ line that routes your traffic past the GFW, but it is often very expensive and slow, and you can be assured that the authorities will try to monitor the traffic too (though probably not intervening a lot).
With the right license you are also allowed to use and operate VPNs in the PRC. In the end even Chinese companies rely on secure data transfer for business purposes. Companies like Aodun have built a solid business model on selling devices to the Chinese government that keep an eye out for suspicious traffic that falls outside this spectrum or chase down companies that don't hold the relevant permits. At least when it comes to the more standard VPN protocols of the past.
But the introduction of more clever and agile solutions like V2Ray in all its flavors, Shadowsocks derivatives and other protocols with heavy obfuscation components made the old methods at times very unreliable. Furthermore, the GFW is aging and the patchwork approach of the past 15 years is increasingly showing its limits. Add an at times wobbly legal framework and the GFW all of a sudden looks far less “tight”.
The government's demand for more reliable online control under Xi's tenure therefore required a new solution.
A new frontier
With the advent of AI and more general processing power, the GFW is being expanded. Engineers and academics were quick to think about new methods to harness these new capabilities to build more reliable classification systems.
In 2021 scientists at the Southeastern University in Nanjing, one of the top 20 academic institutions, filed a patent for 一种面向高速网络的VPN流量快速识别方法 (VPN traffic detection method for high-speed networks).

The patent recommends a two-tiered approach: model training and model deployment. During training, VPN and normal traffic data are collected in a controlled environment, sampled, and used to extract robust features (e.g., client window sizes, packet rates, and payload ratios) for building a machine learning model (e.g., Random Forest).
In deployment it uses a Counting Bloom Filter to isolate long-duration flows, and stores flow statistics in a hash table with chaining to track metrics like packet counts, window sizes, and timestamps.
Features are then derived from these statistics and fed into the trained model to identify VPN traffic and classify the proxy tools used (e.g., V2Ray). This solution addresses challenges in high-speed networks by avoiding full-packet inspection, minimizing resource usage, and ensuring stability against network variations. It works fast and on encrypted traffic, as it does not need to inspect the packet content.
The technology was apparently highly successful in test setups against V2Ray VPN systems according to the write-up.
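The deployment-side bookkeeping described above (a Counting Bloom Filter that admits only long flows, then a per-flow statistics table from which features are derived) is ordinary flow-telemetry machinery. The following is an added example, not code from the patent or from this article; the threshold, filter size, flow keys and field names are assumptions, a Python dict stands in for the chained hash table, and the trained classifier is not included.

```python
import hashlib

LONG_FLOW_PACKETS = 5  # assumed threshold; the article gives no number
LONG_KEY = "10.0.0.2:50000>192.0.2.10:443"   # constructed flow keys
SHORT_KEY = "10.0.0.3:50001>192.0.2.20:80"

class CountingBloom:
    """Counting Bloom filter: k counters per key, estimate = min of them."""
    def __init__(self, size=1024, hashes=3):
        self.size, self.hashes = size, hashes
        self.counters = [0] * size

    def _slots(self, key):
        for i in range(self.hashes):
            d = hashlib.blake2b(key.encode(), salt=bytes([i]), digest_size=8)
            yield int.from_bytes(d.digest(), "big") % self.size

    def add(self, key):
        slots = set(self._slots(key))  # count one packet, return the estimate
        for s in slots:
            self.counters[s] += 1
        return min(self.counters[s] for s in slots)

def track(packets, threshold=LONG_FLOW_PACKETS):
    """packets: (ts, flow_key, tcp_window, total_len, payload_len) tuples."""
    cbf, table = CountingBloom(), {}  # dict stands in for the hash table
    for ts, key, window, total_len, payload_len in packets:
        if cbf.add(key) < threshold:
            continue  # flow still short: no per-flow state is allocated
        st = table.setdefault(key, {"pkts": 0, "win_sum": 0, "bytes": 0,
                                    "payload": 0, "first": ts})
        st["pkts"] += 1
        st["win_sum"] += window
        st["bytes"] += total_len
        st["payload"] += payload_len
        st["last"] = ts
    return table

def features(st):
    """Derive header-only features; no payload content is ever inspected."""
    duration = st["last"] - st["first"]
    return {"mean_window": st["win_sum"] / st["pkts"],
            "packet_rate": st["pkts"] / duration if duration > 0 else 0.0,
            "payload_ratio": st["payload"] / st["bytes"] if st["bytes"] else 0.0}

def sample_packets():
    """Constructed sample: one 8-packet flow and one 2-packet flow."""
    mk = lambda key, n, win, size, pay: [(i * 0.5, key, win, size, pay) for i in range(n)]
    return sorted(mk(LONG_KEY, 8, 64240, 1000, 900) + mk(SHORT_KEY, 2, 29200, 200, 100))
```

Only the 8-packet flow ever receives a table entry, which is how the filter keeps memory bounded on a fast link; the Bloom estimate can overcount on hash collisions, so a short flow is occasionally admitted but a long one is never missed.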

Last year we ran across an unsecured online dashboard that demonstrated how such a system could be applied in a real-life scenario. It was still a mock-up design, but bore a high resemblance to the system mentioned above. If you are interested, read below; there are also more diagrams, fancy graphics and UI elements:
Of course, advanced traffic analysis also has genuine cyber security use cases, for example in trying to hunt down malicious actors inside a corporate network. That very concept applies to the nature of the China-Web itself, though: if you consider the China-Web as some sort of intranet and VPN endpoints as potential C2, you end up in a very similar scenario.
A 2024 article titled ‘Research on identifying and countering encrypted malicious traffic’ by Fan Zuwei from the Science and Technology branch of the China Association for Information Security presented another, similar method to identify ‘malicious encrypted network traffic’ using Deep Learning.
Going back to the Geedge leaks (a gift that keeps giving) also reveals a lot about company-based research in the field of machine-backed network traffic classification for the purpose of online data control:
https://substack.com/@netaskari/p-174818770
Now, this all sounds of course quite academic. Methods reserved for the ivory tower of higher education and lab experiments. But as we will see, the commercial providers quickly jumped on to it.
From the drawing board to application
We already heard of the company Aodun, which has been one of the government's trusted providers for the old DPI-based systems. Now they are spearheading the deployment of those new VPN detection systems nationwide, as a Chinese account on X demonstrated (here in translation):
Other commercial vendors have also started to roll out their own products with a very similar sales pitch. A program from the company FuhuaNet goes even further and shows on its website the concrete aim of its product by using pretty straightforward language. Gone is the more ‘generic’ wording of helping with network security. They go straight for VPN detection technology to prevent citizens from accessing banned or censored content online. The company is a regular supplier of network security hardware and software for government security bodies.

FuhuaNet's encrypted traffic analysis software was listed among the Shanghai High-tech Achievement Transformation Projects in 2025 (2025年第6批上海市高新技术成果转化项目名单公示).
The company is also working closely with NetEase, another big player in the Chinese network security industry, and some of their technology seems to be powered by NetEase's products; at least an online post from 2022 hints at it.
The introduction and upgrading of traditional network traffic monitoring via complex algorithms seems to be in full swing, at least on the product development side. And with government interest (and money) at the center, national companies offering similar services and tools are popping up like mushrooms.
How reliable all those products and technologies are is of course another matter. In the end you are dealing with a very difficult network landscape when you talk about the national internet, which is very hard to control. A university campus is one thing; trying to control, monitor and keep track of VPN traffic across a whole nation the size of China is a daunting task.
In addition, we don't know the speed or scope at which this stuff is rolled out in the wider network. Maybe down the road the government realizes that it is not feasible or too expensive, and that they had better do what they have done in the past. Or maybe they're just gonna add another rubber band.
Where is it going?
Will we see an immediate drop of unauthorized VPN usage in China in the coming year? Most likely not. As long as China is sharing the same basic technologies the global internet relies on, there will always be ‘ladders’. Business needs also make it very difficult to go harder on general internet access. Just last year the province of Hainan rolled out a pilot project called “Global Gateway” where wider internet access is granted to employees of some registered companies through the International Data Comprehensive Service Centre (HIDCSC). The authorities do acknowledge that some form of access to the global internet is still necessary.
It is best compared with the rise and fall of crypto-currencies in China. After the government eventually cracked down on the scene, it shrank dramatically from its heyday. Did it all vanish completely? No! But it didn't have to, it just shrank to a more manageable size.

Taking all this into account, there is a landscape slowly emerging where it gets increasingly difficult for Chinese citizens to casually climb over the wall. Tech-savvy individuals will probably still manage for the years to come, but a slow process will close gaps and change the landscape of online usage.
Some of these new methods have most likely contributed to the increasing difficulties VPNs have in China, we would assume. As always it is hard to predict where things are going, whether they can keep it up or whether it will eventually fall flat again. But one thing is clear: Chinese internet users have to be more and more innovative if they want to "climb over the wall".







