As I posted elsewhere before:
Those Astrill or other VPN specific routers will probably lock you in for using their service. It would be best to use a router with software that supports certain standards (like Shadowsocks) so you always have the freedom to change providers.
My main recommendation would be to check out GL-iNet routers. They have Wireguard and Shadowsocks support out of the box. They have a store on Taobao, English software and extensive documentation on their website. They are also selling on Amazon, so that might help to browse and read about which model fits best for you.
Another option is to search for 'Padavan'. This is the name of another firmware with Shadowsocks pre-installed and there are a lot of models with it on Taobao.
To get Shadowsocks based VPN servers you can get a VPN provider that supports it like 12vpn or Wannaflix.
NordVPN doesn’t work well in China at all. So that’s simply not true. And you completely avoided his answer by asking the same question he literally just answered. The VPNs that work do so because the traffic looks like other traffic and they can’t block everything perfectly without disrupting legitimate non VPN traffic.
Well, I do not know a thing about that, but I am using Surfshark successfully in China. They are quire small, so might have not been tracked enough to be blocked yet. *Happy*
Switched from the Assdrill to after the assdrones completely shit the bed this year reliability and customer service wise (seriously, copy and paste support replies are outright ridiculous). This is now my fourth provider, after Vypr, Express, then Astrill.
VPNac works pretty good, is half the price, and has some features that cost extra with other providers (like multi hop servers). I've got it working on my android phone & tablet, pc (Win 10), laptop (win 7 - took a bit of work to configure) and my wife's Macbook. They also have an applet for flashed routers, but I haven't set it up. I've had no reliability issues and it's worked great through sensitive times (summits, historical anniversaries, etc).
The only downside is lack of a server speed test, however the server ping test is MUCH faster than AssDrolls'. With that in mind, they have a "China Optimization" setting that has a nice playlist of servers and configurations that all work reliably fast.
Wouldn't it be better to drop the router VPN idea and find an solution for each client? In my experience this GFW stuff changes too often to have a stable solution running on something dedicated like your router. For example Wireguard and V2ray maybe be the way to go now, but before you know it your ISP start to throttle you, cut your UDP tunnel (Wireguard), or you get some DNS issues.
Some providers (probably not Astrill/Express) allow you to use enough client sessions on one subscription for your company. Another solution might be to 1. Run one VPN client on a PC in your company (of an often updated application/provider) and share that proxy over your LAN. Many VPN apps have that feature. 2. Then, on the other clients you set them to use that proxy (and optionally DNS) in the computers network settings.
Step two can also be skipped if you have a router that can connect all clients to that single proxy on that one PC. When I was running the Padavan firmware it had a tool for that (iirc, transocks).
I guess I am thinking about having a setup like this, but use separate devices for each step instead of all on the computer like the article talks about. It's ridiculous and not sure if it even works.
​
How to tunnel OpenVPN over Shadowsocks with ExpressVPN
I can't answer this question with certainty because I'm not in China, but IMHO Express VPN is 3x overpriced crap. They're all marketing hype and referral BS. I have complete access to all ExpressVPN servers because of a security vulnerability I disclosed to them and told them how to fix... they insured me they were secure and then ignored me. Thus I'm on ExpressVPN right now, but I've never paid for it and I'd never recommend anyone else does either.
PIA (PrivateInternetAccess) is better and cheaper. Mullvad and Azire VPN are the top two public VPN providers IMO. Mullvad is probably the best, they offer OpenVPN, Wireguard and SOCKS proxies for half the price of ExpressVPN (who limits you to three devices btw.)
IMO you're best option is to rent a cheap VPS and setup a private Wireguard VPN and/or OpenVPN server for yourself. That'll never get blocked because it's just you using it, nobody would ever find out it's a VPN and block it.
Either way, I just had to post this because Express VPN is so arrogant and overpriced it makes my blood boil.
Haha, yeah, OK dude...NordVPN says it's fine, so it must all be fine. Sounds good.
If you go about four links down in the Google search you linked there is a post that leads you to this story, about a man in Hunan being arrested and charged for using a VPN.
But it's cool, NordVPN says it's no problem...except if you actually click that link and read the "article" (instead of the snippet that Google gives you) it says further down that Chinese have been charged with using VPNs and how un-sanctioned VPNs are not legal in China.
So, again, VPNs are not legal in China. But as I said above, most people will not have a problem, and foreigners certainly won't (unless they tack it on to something else when they get busted).
Yes, without VIP package, you need to wait until after mid-night.
This is why some of the expensive VPN's would say they had a gateway within China.
In the old days, to help my mates who didn't have it, I opened a port on my router, and routed their VPN traffic in and out, so they could use my broadband.
Test your speed and ping time to US or Europe by https://www.speedtest.net/ you need to change test server to US or Europe.
While it's some time ago, I tested V2ray via CDN, on a non-VIP package, e.g. using BBC iplayer. Worked perfect for a short while, when it does'nt, switch CDN domain, all good again, always to the same server. Keep switching.
Sorry, it's the only advice I have if you don't have VIP package.
EDIT: I was too mean to pay for expensive VPN, I wanted to DIY. But I paid for VIP, thank God..
Most free VPNs like X-VPN, VPN360 stopped working around third of October. Express worked for a few days with the free trial, but got extremely wobbly around third day of use. It would connect but nothing would load, or it loads but then local sites like WeChat gets painfully slow.
Astrill is far the best option.
I have been using ExpressVPN but have recently switched to Astrill. Simply because Astrill works in China and I was desperate. Astrill is expensive though.
When ExpressVPN works, then it's great, but too many times it does not work at all for China. Express seems to be especially targeted by the Chinese censorship machine.
I'm not going to try that.. just in case. If we need to research sensitive matters, we can just tunnel out over a vpn over this line. Any paid vpn or self hosted will work. Astrill, nord, pia, etc. We have cheap VPSs in the US that we have SS servers on. China doesn't have a way to read encrypted data, yet.
Of all the well-known ones, Astrill seems to be constantly decent. ExpressVPN is too hit and miss.. Lesser known ones can be a good thing, but that requires trial and error. Doing your own setup is the best and most "reliable", but also the most headache inducing.
Local ones are cheaper but it's all in Chinese and there's risks of being honeypots.
The reliable ones are likely honeypots operated by the state to monitor dissidents.
Another question I don't know, say you use Mullvad and it works. They comply with law enforcement when requested. Would they comply with requests from China?
That does seem to be somewhere between Astrill and 12VPX price wise. How's the PC and mobile clients? Do they drain battery like crazy? Can you whitelist or blacklist apps to be to tunneled? Can you add certain domains to whilelists?
>The most popular among expats are probably Astrill and Express.
Astrill is meh at best. Express is a huge no. Too expensive and you get like two server choices.
>Technically educated Chinese tend to use obfuscated tunnels such as V2Ray/Xray and Trojan.
Listen to this poster, OP!
The most popular among expats are probably Astrill and Express. Technically educated Chinese tend to use obfuscated tunnels such as V2Ray/Xray and Trojan.
> want to be sure that it will work
Not going to happen. When you are up against a state-level adversary, nothing is certain.
Yes I second that Astrill is probably blocking access to your local area network and hence the imaging device. Most VPNs do this, so you'll need to see if there's a setting to bypass your LAN, so that all LAN connections aren't routed through the VPN. However not all VPN applications have this setting. If Astrill doesn't have this setting then like the comment above mentioned you'll need to use split tunneling to bypass the IP of your imaging device.
Does Astrill not have a "Allow LAN traffic" option somewhere in the settings?
Alternatively the 2 options I would consider would be to exclude the IP address of the imaging device in Astrill (so that it would not be routed via the vpn) or alternatively specify routing at the OS level so that traffic for the imagine device is routed to the correct device (no idea how to do this on Windows, in *nix it would be via the 'ip route' command)
Both do the job. Just understand that Astrill is an international company that has a few servers for China, but v2ray was specifically designed for the network environment here to bypass censorship and avoid detection. V2ray is better suited to the environment here, as the providers specifically cater to that environment.
I've never used Astrill, so can't really compare. I've used v2ray for years myself. It works well, but it requires a lot more setup of the clients, I actually run mine from the router. Costs vary from provider to provider. Mine is 800 a year.
Luckily AWS (Amazon web Services) isn't blocked in China. So restarting the server is as simple as logging in to AWS and then pressing Restart (haven't had to restart for a whole month now but I've had to do it every few days previously.)
You could always just set it up before you go so that you know it's working. I had to do some light googling to fix an error I got when running the install script (something about docker permissions I think). Then once you're here you can always just restart to get a new IP assigned to your server.
Also I forgot to mention that VPN browser plugins doesn't seem to get blocked. For example I rarely use my VPN on my desktop anymore (because outline doesn't work that well on Linux) since I mainly need a VPN for accessing blocked websites. So I actually use browser plugin which works great. I think NordVPN has a browser plugin as that I could test if you're curious. But really outline is all you need. Outline works perfectly on Windows 10 and Android (haven't tested other OSs except arch Linux where it seems to stop working after a few minutes).
The OS for the Pi is Raspberry Pi OS (32-bit) Lite (Minimal image based on Debian Buster) from https://www.raspberrypi.org/downloads/raspberry-pi-os/ official website. I choose this because it has no GUI, so it's headless (I just SSH into it)
Then to setup on the Pi, I followed this tutorial on setting up Shadowsocks on Pi. https://gist.github.com/QuLk/2f482746f3dff29c795a52be4c4c9a8e
Install openwrt on old router. https://openwrt.org/
Then you can install shadowsocks or v2ray clients. Best to use this on separate router than your ISP, then connect your openwrt router to ISP. router.
You can also use a raspberry pi 3, install openwrt
Just a heads up, Phicomm has a suspect reputation with their products.
The good news is that you can flash OpenWRT over the stock K2P firmware.
Trying to understand these protocols is a headache for novices. So I use jigsaw's outline manager to deploy and manage shadowsocks, it works with both outline client and shadowsocks client.
So basically you want to protect your DNS queries from spoofing (or "poisoning") which is separate from regular network traffic. It's like a radar probe, before flying from A to B, you need to run a radar scan. If the probe gets spoofed, it will give you a wrong/invalid map and you would never get to B. DNSCrypt works by encrypting the query so you will always get the "correct" map. For windows client, go to https://simplednscrypt.org and download the installer. Once installed, it will run as a service on the network card, all DNS queries will be caught and converted to secure query. You can choose your own DNS server from the resolver tab. On Linux, DNS queries go from dnsmasq -> dnsforwarder -> shadowsocks. Performance hit is about 30~40 ms per query.
Use the generator on here under "Try it yourself". You enter the uncrypted key and it will give you an encrypted key/QR you can add to outline
​
This is truly great. VeePN seems also offer V2Ray, but it's not running over OpenVPN or any VPN protocol but only as a proxy.
In addition, as far as I know, Tunnelbear, Cactus, IVPN, etc offer Obfs4 over OpenVPN (or actually OpenVPN over Obfs4), which also seems a legitimate solution to me.
Really?! I wanted to use MullVad a year or two ago, but it wouldn't work for me in China.... So you can confirm it works? Because from what I can see, I like their business and privacy ethics. So you never had problems with reliability with Mullvad?
I think this is the first of the major brand VPN players to implement V2Ray. It's probably a year or more too late as so many people already have created their own v2ray solutions. has always seemed to put a little more focus in R&D compared to marketing, in contrast to the bigger names.
Zoom (as a Chinese company) is available. I've ran a self hosted Jitsi Meet server (so no need for a VPN)
I did use ExpressVPN, ProtonVPN and ran my own servers too, shadowsocks, v2ray and tinc. Worked well enough for WhatsApp messages. I did some calls but I can't remember what connection I used and I don't think I did video calls. I think my roommate used Astril and also did his own setup.
Finally, I'm not currently in China so things change daily there and this may not work anymore (but it is a starting point)
Surfshark uses SS, not SSR, so I suggest using this app for Android. Although you can also use the SSRR app with protocol=origin, obfuscation=plain if you prefer it. You can enter a port number directly, no need to scroll. Just tap the number in the middle to highlight it and the number pad should pop up to enter a number.
By the way, here is my guide for setting up SS with Surfshark. The app was not working in China when I first wrote this guide, but it's working now. So you could try the app as well, but make sure you download the apk from their website because the version from the Play Store doesn't work in China. The app uses IKEv2, which can achieve similar speeds as Shadowsocks.
How can we trust this site is from NordVPN? Do you have a link on the domain listing this address?
This looks very fishy. The domain was not registered by the same entity as . The page looks different from the authentic one. I'd be very skeptical about this site. Don't forward it to anyone unless you have confirmation it's from NordVPN.
I'm trying both Nord and Surfshark now: this CNET review I just saw is quite representative of my testing also:
CNET: Surfshark vs. NordVPN: VPN speed, security and price compared
​
Surfshark has OVPN and Shadowsocks, but not Wireguard... WG seems to be coming soon.
Nord only has OVPN, they have WG in Beta, but I couldn't get access.
Speeds of both are great.
I currently use Wannaflix for the speed and stability. It is my best option for 2020. The company moved from shadowsocks to V2ray successfully after shadowsocks was regularly blocked. It also now offer EclypseVPN has an option when security is an issue. I previously use both ExpressVPN and Wannaflix. But Wannaflix is more focused on the Asian market and more adaptable when blockage occurs and the speed is really good.
After my Shadowsocks server finally got blocked last year set up a V2Ray proxy. It’s actually much faster than my old SS server and has been running steadily for half a year.
ExpressVPN and Nord never worked for me at all.
We are allowed to use any browser we like, including safari, chrome, etc. but Hotspot Shield and Opera VPN work in our school for some reason, the others don't work. What is so special about these two.
Don't use VPNs... All of them really really suck. Check service section.
There's only few of tools working in China, none of them are VPNs. Namely, four. Shadowsocks,ShadowsocksR,V2Ray,Trojan. WireGuard is also not working well in China, which is the most advanced vpn by far. I have many ShadowsocksR or V2Ray servers that I'm not using. All of them can reach 500 Mbps. Most vpn can only reach 20 Mbps at most. I'm glad to share it free for you since I have too many that I can't use all of them. Please send me private message if you need.
great info, thanks
>what sort of speed are you guys looking for ?
For plain internet, I'm getting 90Mbps+ on Ethernet on my home connection.
For Surfshark or Nord connected to OVPN to a server in the same country I can still get between 30-70 Mbps. This is great.
Doesn't have a server in the same or adjacent country so the speeds can sometimes be below 10Mbps on OVPN. Maybe 12-20 with WG. Not acceptable.
I don't think you are the first though. There is the Cheesy guy/s who i have seen in this forum who use V2Ray and charge about 25 rambos a month ish i think (not sure for what bandwidth)...
I also think you are a bit expensive. I have 1TB bandwidth servers that are $5/month around the world, or $10/month for Hong Kong
Express and Astrill are about $8/month and unlimited
However good luck with it. I have seen many many many people discuss doing this over the years so its about time someone succeeds!
WireGuard is the new preferred protocol of Astrill and Co. Very lightweight yet very secure, a little more complex to setup but there are some good installers on github that make it easier for mobile setup.
I’m hosting it on my Alibaba EC2 instance out of HK as well as my Amazon Lightsail Instance in Tokyo. Both work fine, HK is better and gives me approx 100mb/s download speed.
I suggest you google for tutorials or just sign up for Astrill if you are not super comfortable with server setups, SSH, etc.
Depends on the time of day, I've got VIP but only leave it on when I'm downloading big files as it tends drop less, but I've found some of the speeds on the normal servers are actually faster, but they're drop rate is more regular. Right now for example, it's 3am in Shanghai and I'm getting a download speed of 325mbps on Astrill, but that same server at around 10pm was only giving me 20mbps...
What you might be looking for is the V2Ray/Vmess protocol.
Provider I am with Celo VPN just started supporting this. Sorry not too sure who else , but it should help with your needs. Look around im sure there are plenty
Like you and others have mentioned a VPS + V2ray should do the trick. Maybe try the Alicloud VPS?
Celo VPN has just implemented V2Ray on some of their servers. Check them out.
Good luck and report back would be good to know what you done.
Cloudflare as well. I use China Unicom, seems to work well. Doesn't work well with my shit home ISP though, but is still better than ExpressVPN and NordVPN.
I wonder if anyone has tried using Alibaba CDN from Hong Kong...
I use ExpressVPN in mainland China on Windows 10 and Android devices without any issues. I would highly recommend you change the topic to Apple Mac issues running these VPN clients that you choose. Likely however its not a problem with the client but the machine or ISP which neither product is responsible for.
Thanks,
You are asking a question to one of the dumber members of dumb club.
There are a few router companies which allow you do install custom firmware and that gives a wifi network that project a VPN wifi signal to all your devices. I tried to install the custom firmware from ExpressVPN on a high end NetGear Router and the firmware did not work. Also, the firmware tried to destroy my router.
I had to restore the original firmware from my phone back into my router.
I wasted about 4 hours trying to get it to work.
I feel like the Chinese are building up the great firewall to make VPNs crap out more.
Thus, I pay for three VPNs and hope one of them works.
By chance you seen any guides that goes into how to set that up?
I've seen guides for running VPNs over shadowsocks for PC/Mac, but nothing much for the situation above. I'll be coming back to China in a few weeks & would like to have a better, more-reliable solution than just the ExpressVPN app by itself.
The goal is instead of configuring SS & VPN on each device, I can have one WiFI AP that, when connected to, most traffic would go through the VPN & SS w/o additional configuration on devices (e.g. Chromecast, phone, etc), & for any Chinese web traffic (e.g. Taobao, WeChat) not to use VPN/SS at all.
My method is pretty simple. I just plug an ExpressVPN router into my Shadowsocks router. Not the most elegant solution, but it works. I mostly just use this for streaming on my Roku.
I don't know of any way you could set up split tunneling in the way you describe. The only way I can think of is connecting to a Shadowsocks router with the bypass China option and then run a VPN app on your device with a split tunnelling option. You could set the VPN app to whitelist Taobao and Wechat apps. You could also whitelist a specific browser. For example, use Firefox for VPN traffic and Chrome for China traffic.
I can’t answer that unfortunately since I don’t use that option myself. I’ve just heard from other’s that it works. I use three options personally: ExpressVPN (when it works), Shadowsocks, and v2ray. Usually one of the options will work if the other(s) are being targeted.
I finally got around to trying WG on . It works, but performance was similar to the benchmarks on your site. It's faster than an OpenVPN XOR connection to the same server/region, but substantially slower than an SSR or Outline connection.
I've mostly switched over to Outline these days, with for Netflix and as a backup.
OP here in Mainland China, Wow, I signed up for NordVPN and ExpressVPN.
Nord works on my MacBook but not on my iPhone or iPad
If I use what they call "Obfuscated Servers" within the Mac NordVPN app, I can connect, normal servers don't work.
​
Express works on my iPhone and iPad but NOT on my MacBook, unless I disconnect the ethernet and create a Wifi Hotspot using my China Mobile connected iPhone.
​
It seems that I have a stubborn ISP who is not cooperating.
Additionally, Nord's Mobile Apps appear to suck for Apple devices.
​
I really wanted to use either Express or Nord to set up my router with Wifi, but now I don't trust either of these companies.
I second this, expressVPN works fantastic on Iphone and in Linux. Highly recommended. That being said it can be a struggle to get it to work well in Windows.
In my school the teachers mostly use ExpressVPN and Nord. But as a late they are moving to expressVPN.
Hey JayCroghan, thanks for the reply!
So I figured out at least one mistake that I did. I was entering the actual SSR server IP in both Astrill and Proxifier, while connected to the SSR server using the SSR app.
I've fixed this by tunneling traffic through 127.0.0.1:1080, so now the connections are actually going through instead of failing, both on Astrill and Proxifier.
Problems I'm still having however: * RL will eventually matchmake after multiple minutes (instead of the usual 5-20 seconds outside of China), and the "Recommended" server won't necessarily use the HK region where my SS server is located (last attempt connected me to a Japan server) * SC2 simply doesn't seem to be able to download the game content when attempting to launch any game from within the app itself.
Proxifier shows a lot of connections being created and closed, with average lifetimes between 1 second and 10 seconds. Really not sure if this is normal traffic at all, since I'm very new to this.
I'm not sure you understand either. I know what is SS, I have one. I also have Astrill. What I want to do is tunnel the VPN through SS (which is a proxy, and Astrill client supports such). Buying a VPS anonymously isn't as good as VPN provider with shared ip addresses and no-logging.
Anyway I already figured it out, thanks.
Using any of the normal options like Astrill, Nord, Express, etc, you get mixed results... Sometimes the servers are good, sometimes they're not. It also depends on location and ISP.
If you're a "real" steamer (IE you actually get good views and good money) it might be worth looking into a top tier hosting platform like Azure, AWS, or Alicloud, and running a proxy/VPN off that. You can also do that with cheaper options like Vultr but it's not as reliable.