How do multinational companies' China offices get through the firewall? For example, if my company uses Google Apps, how do I ensure that my China office has access?
Pay one of the telcos (i.e. China Unicom) for an MPLS circuit out of the country.
Also, international performance in general can be quite bad at peak times (i.e. 30% packet loss), I suspect due to Comcast-style management of international transit. But if you buy a transit circuit from Unicom, no problem!
Edit: to add to the grandparent, I've actually found ssh -D/-w0 (for a TUN device) quite reliable from China. What I really want to do is run multiple connections from different end points with a routing protocol to do fast-failover.
It's a private network/route with traffic containing nothing but corporate data. Most multinationals facing this situation route out through HK, with a secondary failover usually in Taiwan or Singapore. Works a treat, but is costly and latency can be subpar.
It also doesn't solve the problem of mobile access to Google Apps for Chinese workers (Google Play Store & apps are not bundled by many (any?) Chinese OEM handset makers or carriers). You can root & sideload, or you can purchase phones outside the country and ship them to your employees, but even if you do this, there is still no guarantee they'll be able to access Google's apps while on cellular networks.
Google Apps will drain your battery when they can't access Google's servers. Roaming with a China Unicom Hong Kong SIM card, like the cross border king, will give you GFW-free access.
Google Apps will also drain your battery if you are in a region where Google has no network-location data yet, because then Google will turn on your GPS, and send to their servers the pair of GPS-coords and strength of networks.
If you live in a suburb in Germany where almost no networks are known to Google, this means if you enable location services your GPS will try to get a fix 24/7, eating your battery in about 2 hours.
This is probably going to be an issue in China, too, considering that Google doesn’t have location data there.
I think you can turn this off. My phone has a setting called 'Scanning always available', which says "Let Google's location service and other apps scan for networks, even when Wi-Fi is off." If I turn off this setting, and turn off Wi-Fi, then the problem you point out should be avoided, right?
But if you turn on WiFi and Location at the same time (which is not uncommon), then it will suck your battery dry in seconds. Turn either of those two off, and it works.
For fast failover, you'd generally use BFD (Bidirectional Forwarding Detection) in conjunction with a standard routing protocol like BGP, OSPF, or IS-IS. It's sufficiently complex to do on a proper networking platform, and even more difficult to do in a general purpose operating system. You can also just use aggressive timeout values with your routing protocol, but failover won't be quite as graceful.
As for the Microsoft office in Beijing, I think they VPN to their Tokyo office first. Their traffic is ensured by negotiating directly with the big telecom company. Disclaimer: I do not work for them.
This is interesting, I'd love to read/hear more about it. Is the negotiation an above-board thing? What are the conditions and costs of getting this kind of exception ensured?
Aren't there a dozen bug trackers, intranet collaboration software, CI tools and git hosting options that they could download and install? What's so special about the Atlassian products?
Those suck a little less than, say, bugtraq; they offer enterprise support on premises, which you'd never use but you need to do the purchasing when you go for a big company; and they kind of have a big recognized name for their customization support, even if their whole stack sucks.
Is the primary purpose of your VPN to bypass GFW, or to provide access to your corporate network? I guess the latter would be considered a good reason.
Not all VPN services are censored, and not all VPN protocols trigger the reset. But you can bet whatever you get for free (thus likely popular) will get banned soon enough.
OpenVPN is like the prime suspect in a police procedural novel: it gets hunted down no matter what.
Personal experience: I did work for Microsoft Shanghai and VPN works just fine. You need to have the right set of tools, and better, have a good channel of negotiation with the government.