
Defeating the Great Firewall

The so-called Great Firewall of China turns out to be made of Swiss cheese, not that anyone didn’t already know this. I’m bypassing it at will.

And I need to. Thanks to the IOC’s ridiculous cave-in to the Chinese government, allowing the firewall restrictions to apply to internet connections within the Olympic venues and Main Press Center, China still blocks the IP addresses associated with major blog sites. That means if your weblog is hosted with LiveJournal, Typepad or WordPress—pretty much any blog that’s not self-hosted—and you don’t publish the full text of your blog in your feed, the Chinese can’t read you. (I’ve had mixed success with Blogger blogs.) (If the same host also hosts your feed, they can’t see that, either; if you use Feedburner, your feed is still available.) This means that without bypassing the firewall, I couldn’t read JohnL’s blog. I wouldn’t be able to see what Amby’s writing for Runner’s World because it’s hosted by Typepad.

(So much for the blocked sites “not being Games-related.” The IOC should damned well be ashamed of that.)

I intended to complete and publish this explanation of how I’m bypassing the firewall only after returning from China, but I’ve realized that the same route I use to bypass the Chinese firewall is useful for avoiding geographic blocks on streaming video. (In other words, this is also how you get live streaming video without NBC’s bizarre 12-hour time warp. Sort of.)

What I did was install Squid. Squid is an internet proxy server, which means it accepts requests from one source and forwards them on to another without necessarily revealing the original source. I’ve installed Squid in two places, a server in the basement in Amherst which I used as an off-site backup for certain work servers, and one of those work servers (hosted in Dallas if I recall correctly). The default configuration was almost sufficient, but I did change the configuration so Squid would only accept connections from localhost. (Here’s a good HOWTO explaining Squid configuration.) This means the proxies aren’t public; only people on the proxy host (or people who can establish authenticated connections to them) can use them.
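The localhost-only restriction is what keeps a proxy like this from being an open one, and it still works with an SSH tunnel because the forwarded connection reaches Squid from the proxy host itself. As an added example (not from the original post or the Squid project), this sketch audits a squid.conf for that property; both sample configs are constructed, and it models only http_port, src ACLs and first-match http_access, treating negated or unknown ACLs conservatively as non-restricting.

```python
import ipaddress

# Constructed sample configs for illustration (not the author's files).
LOOSE = """
http_port 3128
acl localnet src 10.0.0.0/8 192.168.0.0/16
http_access allow localnet
http_access allow localhost
http_access deny all
"""
HARDENED = """
http_port 127.0.0.1:3128    # bind to loopback only
acl localhost src 127.0.0.1/32 ::1
http_access allow localhost
http_access deny all
"""

def _loopback(tok):
    """True if tok is an address or network entirely inside loopback space."""
    try:
        return ipaddress.ip_network(tok, strict=False).is_loopback
    except ValueError:  # ranges, keywords, hostnames: assume remote
        return False

def audit(conf):
    """Return findings; an empty list means loopback-only access."""
    local = {"all": False, "localhost": True}  # ACLs predefined by Squid
    findings, decided = [], False
    for raw in conf.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) < 2:
            continue
        if f[0] == "http_port":
            host = f[1].rpartition(":")[0].strip("[]")
            if not (host and _loopback(host)):
                findings.append("http_port %s listens beyond loopback" % f[1])
        elif f[0] == "acl" and len(f) >= 4:
            only = f[2] == "src" and all(_loopback(t) for t in f[3:])
            local[f[1]] = local.get(f[1], True) and only
        elif f[0] == "http_access" and not decided:
            # A rule ANDs its ACLs; a remote client can match it only if
            # none of them is a loopback-only source ACL.
            remote = not any(local.get(n, False) for n in f[2:])
            if remote and f[1] == "allow":
                findings.append("remote clients allowed by: " + " ".join(f))
            decided = remote and f[2:] == ["all"]  # later rules unreachable
    return findings

if __name__ == "__main__":
    for name, conf in (("LOOSE", LOOSE), ("HARDENED", HARDENED)):
        print(name, audit(conf) or "loopback-only")
```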

This is the trick: you need a proxy which is in the IP space you want to be “from”. I need a proxy outside China; if you’re trying to get video from outside its restricted area, you need a proxy inside the restricted area.

Connecting to the proxy is the easy part. I open a connection to the proxy host by opening up Terminal (actually iTerm in my case) and using ssh -L 2008:localhost:3128 pjm@proxyhost to set up the connection. This means my localhost port 2008 is “tunnelled” to Squid’s default port on the proxy host. Anything I send to localhost 2008 will be delivered to proxyhost 3128, transparently and over an encrypted connection. I could change Squid’s port or even the port used by SSH arbitrarily to disguise this connection, but so far there’s been no reason to bother with this.

Now I open Firefox’s preferences. In the “advanced” section, I look under the “Network” tab. In “Connection” I click the button (“Settings”) next to “Configure how Firefox connects to the internet.” I switch from “No proxy” to “Manual proxy configuration”, fill in localhost for the host and 2008 for the port.

If you’re using an open proxy by permission, you fill in its settings here instead.

Click “OK” and it’s over. I’m through the Great Firewall of China.

Obviously, though, I had one big advantage: access to servers in the USA on which I could install proxy software. If you lack such access, you’ll have to find an open proxy, which requires some care.

Comments

Yo, Parker, thanks for throwing a link. I’d think that someone who’s watching 14-arrow competition, sprints for 2nd at the end of marathons, and etc. would have something better to do than read my blog.

Thanks, too, for the details of how you set up your proxy. I posted a more generic treatment of proxies about 14 months ago. Some of your readers might find it useful: http://johnl.wordpress.com/2007/06/23/anonymityweb/
