Server access from China (lemmy.dbzer0.com)
submitted 1 week ago* (last edited 1 week ago) by abies_exarchia@lemmy.dbzer0.com to c/selfhosted@lemmy.world

From North America, and I’m going on vacation in China for a few weeks. I wonder if anyone knows if I’ll be able to access any of my self-hosted services over zerotier while I’m abroad?

Edit: To be specific, I’m hoping to ssh into my machine over zerotier in case I need to fix something and back up some photos to my home NAS via rsync or something

top 30 comments
[-] socsa@piefed.social 12 points 6 days ago* (last edited 6 days ago)

At first, it will probably work. But you will likely lose access after a few days and your servers will be scanned for exploits, so make sure your shit is up to date.

Source: hosted an XMPP server which was summarily banned after 2 days of access from China and then probed/attacked repeatedly until I took it offline.

[-] GreenKnight23@lemmy.world 3 points 5 days ago

almost like going to China is a mistake...

[-] Konraddo@lemmy.world 4 points 5 days ago

Don't make any connection to your home server, period.

[-] Ptsf@lemmy.world 7 points 6 days ago

Bringing non-disposable technology to China is a mistake in most circumstances.

[-] real_jiakai@lemmy.world 1 points 4 days ago* (last edited 4 days ago)

Maybe it is possible, maybe not. GFW may interfere with zerotier connections.

If that doesn't work, you can consider using Alibaba Cloud's HK server for transit.

Generally speaking, if you come to China for work or pleasure like ishowspeed, there is basically no risk. I wish you a pleasant trip to China.

[-] Treczoks@lemmy.world 2 points 6 days ago

I would not try to access a server from China. Can't you let someone else take care of the machine in the meantime? It's always a good idea to have some backup admin just in case.

[-] zero@feddit.xyz 1 points 5 days ago

Mobile roaming worked but not while connected to hotel Wi-Fi. I also got a VPN before I went to China, routed through Japan. It was slow as shit.

[-] possiblylinux127@lemmy.zip 53 points 1 week ago

I wouldn't access anything nor would I take any tech with you.

Don't risk it

[-] philpo@feddit.org 29 points 1 week ago

It depends. Very much. And this is the main problem: There isn't "one" solution, you will need a few.

The thing with the PRC is: Their great firewall isn't "one big uniform block". It's fairly "variable".

For example: In Beijing, even 10 years ago, I could access Google Maps and Facebook without any issues (back then highly blocked) as long as my mobile phone was roaming. The second I was on wifi of course it was blocked. But even the cheapo VPN my colleague had did work out fine. Until the day the police started to prepare for the party convention - then suddenly my colleague couldn't get out, neither could I with our company wifi and even my carefully crafted WireGuard over HTTPS didn't work - unless I was in the wifi of the hotel or our host company. There it did. Party congress over? Back to normal operations.

If you travel through the country you will find that in one place solution A works, in another solution B. Generally the more rural (or closer to Tibet/Xinjiang/Myanmar) you get, the more restrictive it seems to be.

Personally I would simply get there different commercial VPNs to make sure you have a choice to get out at all - there are various ones with a good PRC reputation. Most providers have trials as well. And then double tunnel through that if you can't directly reach your usual VPN at home

[-] CCMan1701A@startrek.website 19 points 1 week ago

tailscale worked sometimes, but seemed to depend on the location of the moon relative to the air speed of a nearby sparrow and it was really slow.

[-] MysteriousSophon21@lemmy.world 1 points 5 days ago

Zerotier is similar - works sometimes but China's firewall is constantly changing which ports/protocols it blocks, so set up a WireGuard server on port 443 as backup (looks like normal https traffic) and test both before you go.

[-] alcasa@lemmy.sdf.org 15 points 1 week ago

Look into shadowsocks, or just normal vpn.

Pandafan was quite reliable for me. You might also be able to diy with hk, sg or sk vps instances, but it was a lot of work and a misconfiguration will cut you off.

[-] iopq@lemmy.world 9 points 1 week ago

Normal VPN doesn't work because they don't mask themselves. Even Tor bridges don't work because they are blocked.

Shadowsocks is like 2018 advice, go directly to xray and forget about legacy software

[-] alcasa@lemmy.sdf.org 5 points 1 week ago

Yes, xray is better. Forgot about that. I think there had been a couple newer ones.

The thing with gfw circumvention is that even older approaches work surprisingly often, as detection methods change and often detection depends on the amount of suspicious traffic. I had most success with a more conventional setup on a vps, but that was more for testing out stuff. Found commercial providers to be more reliable.

VPNs work surprisingly often from what others tell me. They only block these occasionally. I think astrill and express often work. Just know that the ones that work, probably have Chinese govt access.

Yes, tor never works.

[-] ag10n@lemmy.world 11 points 1 week ago

What you’re asking is illegal where you’re going

Best of luck to you

[-] abies_exarchia@lemmy.dbzer0.com 9 points 1 week ago

Is it illegal to back up my photos to the NAS in my house? I’m not even attempting to access banned services

[-] greyfox@lemmy.world 5 points 6 days ago

Unauthorized VPNs (non government approved) are illegal in China. If a business needs their own they can get approval but they have to apply for those exceptions.

It isn't really enforced, probably especially so for non citizens, but if you do something they don't like it is something they could use against you.

You would probably be less breaking the law to just directly open up SSH and access that instead of tunneling through a VPN. Even though SSH can do tunneling of its own.

[-] kristoff@infosec.pub 2 points 6 days ago

You mean "copy the photos you have taken but you do not want in your device if you would get checked on your way back out to a server in a hostile country"?

99.99% of the normal tourists do not have a personal server to store their photos. They use a commercial cloud. By using your personal server, you behave differently from 99.99% of the tourists.

"Why do you keep your images to your personal server and not the cloud? What do you have to hide?"

[-] ag10n@lemmy.world 15 points 1 week ago

Bypassing the GFW is illegal

[-] iopq@lemmy.world 2 points 1 week ago

You realize not only Google is blocked, but also Brave search, duckduckgo, everything but Russian and Chinese search engines? You can't find anything on them except scams and SEO spam

[-] ag10n@lemmy.world 9 points 1 week ago

Yes, I do know and realize that. Why it’s probably not a good idea to try connecting to your homelab lol

[-] iopq@lemmy.world 1 points 6 days ago

Just connect, they don't block random IPs for no reason. You need to transfer a lot of traffic to trigger something

[-] BaroqueInMind@piefed.social 7 points 1 week ago* (last edited 1 week ago)

People posting here don't realize that CN gov IDs and allows certain traffic to get rerouted through a certain VLAN so they can do DPI and record every packet through a beefy expensive tap device to analyze the telemetry later, and potentially build a case against you. If they so choose. And they likely have the capability to trivially decrypt TLS.

Don't bring in any tech, don't access your personal net back home, don't expect any level of actual privacy or good intentions. Just do your business and keep your digital persona minimal while there.

[-] amino 1 points 4 days ago* (last edited 4 days ago)

really off-topic here, but as long as you factory reset a Google Pixel before leaving home why wouldn't you bring that with you?

AFAIK it's possible to detect government tampering by using GrapheneOS' Auditor

I'm asking in good faith but maybe it would be dangerous to stand out by running non-standard OSes

[-] BuoyantCitrus@lemmy.ca 9 points 1 week ago

> they likely have the capability to trivially decrypt TLS

Whoa. Anywhere to read more about this? Had not been paying close attention, didn't realise that was so starkly the case.

[-] BaroqueInMind@piefed.social 13 points 1 week ago* (last edited 1 week ago)

China blocks newer TLS and forces a TLS downgrade of a version they have decryption capabilities of - https://www.f5.com/labs/articles/threat-intelligence/the-2021-tls-telemetry-report

More info - https://gfw.report/publications/usenixsecurity23/en/

More - https://www.scmp.com/news/china/politics/article/2167240/chinese-police-get-power-inspect-internet-service-providers

Chinese cryptography law mandates packet inspection and supervision of all foreign telemetry - https://link.springer.com/chapter/10.1007/978-3-031-11252-2_4
https://en.m.wikipedia.org/wiki/Cryptography_law

If you are truly skeptical of one of the world's largest cyber threat actors with an enormous economy and large population of cyber security experts is or isn't capable of trivially decrypting TLS, I don't know how else I can convince you that they are capable.

[-] TehNomad@piefed.social 6 points 1 week ago

As another user posted, how strict the firewall is depends on where you are (and if there are any special events). I heard that Wireguard doesn't work because of deep packet inspection, but I was able to use Tailscale to my home network without problems when I was there last year. I also set up a xray vless-reality proxy on a VPS and Outline servers on Google cloud and those worked too.

But the easiest method is to buy an HK eSIM for roaming (I used 3HK). I bought a month of LetsVPN but they booted me from the service for some random reason, so I changed to Mullvad which also worked too.

[-] yaroto98@lemmy.org 3 points 1 week ago

From what I've read if you use a VPN it's pretty simple to get past the great firewall of china. It's also only technically illegal, and not really punished.

[-] iopq@lemmy.world 4 points 1 week ago

Well, no, if you open a wireguard connection it will just get dropped in a minute. You need to do a lot more work than that

[-] alteredEnvoy@sopuli.xyz 1 points 1 week ago

Doesn't it also depend on the type of VPN and the providers?

this post was submitted on 21 Jul 2025
74 points (100.0% liked)
