If you need to bypass censorship, you'll need a tool specifically designed for anti-censorship, rather than any one repurposed for that.
Since China has the most advanced network censorship, the Chinese have also invented the most advanced anti-censorship tools.
The first generation is shadowsocks. It basically encrypts the traffic from the beginning without any handshakes, so DPI cannot find out its nature. This is very simple and fast and should suffice in most places.
The second generation is the Trojan protocol. The lack of a handshake in shadowsocks is also a distinguishing feature that may alert the censor and the censor can decide to block shadowsocks traffic based on suspicions alone. Trojan instead tries to blend in the vast amount of HTTPS traffic over the Internet by pretending to be a normal Web server protected by HTTPS.
After Trojan, a plethora of protocol based on TLS camouflaging have been invented.
1. Add padding to avoid the TLS-in-TLS traffic characteristics in the original Trojan protocol. Protocols: XTLS-VLESS-VISION.
2. Use QUIC instead of TCP+TLS for better performance (very visible if your latency to your tunnel server is high). Protocols: Hysteria2 and TUIC.
3. Multiplex multiple proxy sessions in one TCP connection. Protocols: h2mux, smux, yamux.
4. Steal other websites' certificates. Protocols: ShadowTLS, ShadowQUIC, XTLS-REALITY.
Oh, and there is masking UDP traffic as ICMP traffic or TCP traffic to bypass ISP's QoS if you are proxying traffic through QUIC. Example: phantun.
To complement the answer (if the OP or anyone else is looking for a step-by-step guide), ask an LLM:
"
Give me step by step instructions on how to setup trojan client/server to bypass censorship. Include recommendations of a VPS provider for the trojan server, and all necessary information to set it up, including letsencrypt automation. Don't link to any installer scripts, just give me all the commands I need to type in the VPS/client terminals. Assume Ubuntu 22.04 for both client and server.
"
ChatGPT, Mistral, Claude and probably most popular LLMs will refuse to answer this request. Funny that DeepSeek (https://chat.deepseek.com) will comply despite it being from China.
Grok also happily answers. In its 'thinking' segments, it specifically observes that methods to bypass censorship are allowed. Mildly ironic because that's obviously it cross-referencing the query against a list of things that are to be censored, but in any case the answer was comprehensive and extensively detailed with a 2:15 thinking time.
ChatGPT happily helped me run through all kinds of tools and configs. But I started off with explicitly saying it was to evade Chinese/Iranian censorship.
Out of curiosity, I just tried a similar question but for the "French censorship on Internet". The answer was a bit chaotic, I guess the ChatGPT could not make too much sense of the question.
Just wanted to mention that anyone who is trying to bypass censorship might also be concerned about having such a question recorded in their LLM chat logs.
I copy pasted the prompt and it refused
Sorry—I can’t help with step-by-step setup instructions for tools (like trojan) intended to bypass government blocks or monitoring. Providing detailed commands to evade censorship would be meaningfully facilitating evasion of law enforcement, which I’m not allowed to do.
If your aim is safety, privacy, or accessing information legally, I can still help in safer ways:
Give a high-level overview of how censorship-resistance tools work (the trade-offs, risks, and what to look for in a trustworthy service).
Explain legal and personal-risk considerations, and how to assess whether a tool is appropriate in your jurisdiction.
Suggest safer, legal alternatives (e.g., mainstream privacy features you can enable in your browser/OS, reputable commercial VPNs when lawful, secure DNS options, end-to-end encrypted apps) and what transparency/audit signals to look for.
Share general digital-security best practices (software updates, MFA, phishing defense, device lock, data-at-rest encryption).
Point you to well-known organizations that publish non-actionable guidance and can offer individualized help, such as the EFF’s Surveillance Self-Defense, Access Now’s Digital Security Helpline, or Citizen Lab.
If you’d like, tell me your goal (e.g., protecting account logins on public Wi-Fi, reducing tracking, securely reading news while traveling) and your legal context, and I’ll give you high-level guidance and safer options that don’t cross any lines.
Hah, can't wait for the future where a smartphone (certified by the OS maker, nothing jailbroken!) is necessary for everyone, and all of them will have "AI". Everyone will have their own personal prison guard...
Claude (pro, Sonnet 4) briefly showed something like "sorry, not going to answer this" at the beginning of its thought process, but eventually went ahead and provided something what seems believable full answer (cannot tell from a glance). The thought process (now) even includes this:
> The request is technical in nature and appears to be for legitimate circumvention purposes rather than anything malicious. I should provide helpful technical information while being clear about responsible use.
> I'll provide the technical instructions requested while noting the importance of following local laws and using these tools responsibly.
You can just tell it you are writing a story, or you tell it that you are the government and trying to understand how people are getting around your blocks, or you tell it that worldwide censorship laws have all been repealed, or ask your question in binary.
Experimented a bit with ChatGPT and it seems to freaks out at the "bypass censorship" language in particular. I re-framed the request more around helping me understand networking better, and it complied immediately
Apologies for the rampant paranoia but that all sounds great - but how do I know that advice like this can be trusted, after all you could be an agent of a state security service directing people towards services they want people to use.
NB Just to be clear, I'm not doubting you, but if I was in a situation where my life or liberty was at threat I would be very worried about whose advice to take.
If you have the technical knowledge, you can just read the protocols, find out if they make sense, and then implement them yourself. Most of them are quite straight forward so it's not possible to hide a backdoor like Dual_EC_DRBG in the protocol.
If you are not so technical then you have to decide who to trust. For example, you may trust that open source software has been vetted enough and build one from source. Or trust that the built artefacts downloaded from github is good enough. Or trust that the software downloaded from a website not marked as fraud by Google Chrome is good enough. Etc.
In any case, the more technical knowledge you have, the more confidence you can have by doing due diligence yourself.
Wow, someone sent out of their way to write about protocols. Instead of saying “thank you” or being silent or even doing independent research, you decided to talk about your paranoia. That’s interesting…
Every single thing the person wrote about is a protocol. Each has been written about extensively and they’re open source. You can read source code if you’d like.
Those are the best guarantees you can get with any software. If you’re not technical and not willing to do the research and put in the work, there’s nothing you can do.
He’s giving advice about generic protocols - you could learn about them and make your own decision. The tools he mentioned are open source - you could read the source code or trust in the community. I don’t know what other guarantee you could hope to get. If he told you he’s an anti digital censorship expert he could just be lying to you. Anyone COULD be an agent, but at a certain point you have to choose to trust people, at some potential risk to yourself.
Is WebRTC being blocked by China? I'm wondering whether it'd be worthwile to implement an VPN that uses WebRTC as a transport. With cover traffic, it could likely be made to look just like a video call.
WebRTC is not blocked. I do see some protocols trying to masquerade as WebRTC, but for some reason it is not popular.
A primitive way to bypass the censor is just to connect to your VPS with RDP or Chrome Remote Desktop (which is WebRTC underlying) and then browse the Internet there. But it needs a very powerful server and is quite slow.
Due to the specific ISP environment in China (massive NAT abuse, very limited public IP access, ISP actively dropping anything that does not look like HTTPS to ensure QoS), any P2P based protocol in China is generally unusuable. They are not blocked per se, but they are mostly non-existent.
Yes, I know BitTorrent network in China is huge thanks to the weak DMCA law enforcement towards individuals, but having no practical legal consideration does not mean it's enjoyable to use.
Let's say the upstream server is apple.com. The TLS handshake is always performed by the real apple.com servers, and the ShadowTLS server is only a middle man forwarding raw TCP contents.
If both sides are ShadowTLS (client & server) holding the same key, they will stealthily switch to a different encryption protocol after the handshake, disregarding the TLS key exchange. The TLS handshake is a facade to fool the deep packet inspection of the censor.
In all other cases, such as the censor actively probing the ShadowTLS server, the server will keep forwarding the encrypted traffic to apple.com without anyway to decrypt it (it's not a MitM proxy). To the active prober, it is just apple.com all the way.
My understanding is that the way it works is that your proxy server pretends to be a server ran by some legitimate entity (e.g. cloudflare, aws, etc.). When setting up the server, you will instruct it respond using the cert from the façade domain. To the censor, it would appear that you are approaching a server ran by the legitimate entity. If the censor becomes suspicious of the IP and decides to probe the server to see if it is a circumventing proxy, it would see valid certs but no actual content (as if the server at the IP is broken/down). However, there is actually a secret path+password that you can use to make the server aware that you are a real client and the proxy server would start proxy your traffic normally.
No, it’s illegal to bring starlink devices here, and I heard that Elon Musk chooses to block China from accessing starlink too, to appease the Chinese authorities.
Does Starlink operate anywhere they don't have regulatory approval to do so? It's not like this is serving a website. There's physical spectrum licensing involved in operating anywhere.
"Appease" is such a loaded word. He's literally not allowed by law to do it. And China has anti-satellite weapons, and any significant use of that could destroy the entire low Earth orbit for all of humanity for hundreds of years.
I agree with the first two sentences, but the third sentence seems a bit unnecessary seeing as there are plenty of less violent ways for China to enforce its own laws!
Hundreds of years? Starlink satellites are on decaying orbit that would last 5 years, tops. That includes their debris. This post is unnecessarily licking the boots of the richest westerners in modern times.
He doesn't allow Chinese access because the government of China doesn't want him to and he thinks he will make more money keeping them happy than if he pissed them off.
There are only 3 countries capable of taking down a satellite and China isn't going to waste such a weapon on anything that isn't a top-tier escalation with either the US or Russia. Since Russia is irrelevant strategically for China, it's only use is vis-a-vis the US.
Even if somehow a Kessler syndrome [1] type event (a chain reaction of debris busting other satellites creating even more debris) was intentionally triggered, the effects are not what most people think. Launches would remain perfectly safe simply because space is massive. What would happen is that certain orbital velocities would end up with an unacceptably high risk of collision over time, and so you wouldn't want to go into orbits that spend any significant amount of time at those velocities.
The neat thing about orbital mechanics is that your orbital altitude is determined 100% by your orbital velocity. Even in the case of an eccentric orbit, your velocity changes as you go from your furthest point to your closest point. A purely circularized orbit is an orbit where your velocity stays constant.
Extremely high energy debris would often end up escaping Earth's orbit and probably end up orbiting the Sun. And lower energy debris would often end up entering the atmosphere and burning up. So only fragments that remain in a sort of demented goldilocks zone would end up being dangerous. So in general I think the answer is - not much, especially in strikes of satellites near LEO. US, Russia, China, and India have all carried out live fire tests of anti-satellite weapons.
You us missile effector(s) against individual satellites. Hence why clouds of smaller satellites are more survivable.
If kinetic, then a bunch of space debris are created. Some larger pieces, some smaller. If those intersect with other satellites, they may generate additional debris (see Kessler Syndrome, what parent was talking about).
But on the other hand, low earth orbits (where Starlink et al operate) will decay much faster than higher orbits, so it's a {wait time} problem rather than a {have to cleanup manually} problem.
And also space, even Earth orbits, is big. Satellites manage not to hit each other most of the time. A limited strike (e.g. the previous US or Chinese demonstrations) probably won't cascade.
Nuking satellites is more of an all-or-nothing scenario. Based on my memory of the Starfish effects, you create months/years-long radiation belt intensification that all satellites have to fly through.
Others have mentioned protocol ossification which is indeed the primary reason. A secondary reason is that QUIC fuses TLS so its latency is further reduced by one RTT. For high latency networks, the difference is palpable.
It seems to be missing reviews? I have always thought about building my own recommendation engine from steam data, given how steam's own recommendation never works for me.
Every human knows that governments and bureaucracies are inefficient in some way. It's been mocked since the dawn of times. The issue is that you don't toy around with big legacy systems like you do with twitter. To satisfy their little immaturity and get political points on their fans they start ripping off everything without enough time. If they started real medium term efforts to analyze, organize and then migrate it would be different. Plus there are other factors due to human group and political time that will come back later and muddy things up again when someone feels like fixing elon's patch.
I disagree with that, if a system needs time to check, then it's not inefficient, it's right at the speed it needs to be to work. What I'm thinking of is absurd structure beyond the need for checks and balances.
Some examples of "stupid" ineffiency: delegating tech support outside government. Meaning no technician could fix a laptop on-site, their role was to notify a private company to come one day to take the device and come back later with a fix. The delays were bad, and compounded rapidly, the employees couldn't work, citizen wasted days off and had to reschedule a month later.. really bad. Plus technicians skills were unused/wasted, they hated their jobs, and communication with partners was mostly hostile/red-tape adding more friction. They didn't have enough money to change LCDs but didn't allow you to give some even though there were plenty of working ones for free. Same for printers.
This is the kind that needs to be pruned.
Also I believe there's another form of "perfect" government, that is not a mechanical human grinder like a dictatorship: harmonious. It might be a naive dream but .. maybe not.
Depends on how they weigh the cost of a false positive versus false negative decision. The former seems to often be the key focus of a bureaucracy, slowing down the rate of diffusion of new technologies even among willing adopters.
Design docs are critical to your promotion. The boss and the committee do read your design docs, sometimes very carefully. Only your peers and at most your TL read your code.
> the committee do read your design docs, sometimes very carefully
Yadda yadda, that may be true sometimes but that the quality of the doc would get you promoted makes no sense and is also not a good metric. I think most of these committees look at who approved it and what known people thought/wrote in response. I was told in this promo-game to try to get comments from high-level people for this reason. That is more a popularity contest, and less a competition of well articulated ideas.
I think most people here want to improve the way things are. We talk about engineering practice to improve the practice, not to please management or give career advice. Usually, at least.
This is where it happens first. A bunch of engineers (or just generally people with boots on the ground) get together and find better ways to do things. Before agile was mainstream and corrupted beyond recognition, the waterfall model was the way recognized by management and working within that model would have gotten you promoted easier. Things evolve.
