How To Set Up Outline VPN in China

Updated onDecember 7, 2019 by Mighil

Internet censorship in China is among the most stringent in the world. Finding the best VPN can be quite tricky as an expat in China. When it comes to commercial VPN providers, you always have to deal with unexpected downtimes and connectivity issues. Skip introduction.

However, it’s not a big deal for people like me, who can set up their own VPN/proxy servers without relying on service providers. But, how about others?

Meet Outline, a free and open-source tool that deploys Shadowsocks servers on multiple cloud service providers. Alphabet’s (Google’s parent company) Outline is the best DIY approach I’ve ever seen when it comes to implementing self-managed VPN or proxy servers.

Even though Jigsaw claims Outline is “built for news organizations,” I feel this platform is ideal for expats in China with little to no knowledge about how VPNs or proxy servers work.

Outline powers your own DIY “VPN” via Shadowsocks, an open source SOCKS5 proxy which, according to their official site, is designed to protect your internet traffic. I hope they’ll switch to ShadowsocksR at some point.

Technically, Outline is not a true VPN but a proxy server manager.

Keep in mind that https://getoutline.org/ is blocked in China. But, you can download the outline manager from Github. The client app for iOS is available on Appstore (I’m sure it won’t be available on mainland China store). Anyway, you still can find IPAs for Apple and client app for other operating systems here.

Major features of Outline:

Let’s take a look at the main features of Outline by Jigsaw.

The Outline Manager

A kickass manager app that lets you set up your own Shadowsocks servers via DigitalOcean, Amazon Web Services, Google Cloud Platform and more.

The Outline Client

Built for Android, Windows, Chrome OS, iOS, MacOS, and Linux. Just download the Outline app, add the access key and click the big “connect” button.

Possibility Of Streaming Netflix

It doesn’t work if you’re setting up a proxy server via DigitalOcean. I’ve tested proxy servers based on AWS to stream Netflix before (not via Outline). Few instances in US regions lets you stream Netflix without any error. Enable TCP BBR congestion control to make things smoother.

Use Outline client to connect other SS servers

Already own a Shadowsocks server? You could use the Outline client app and connect to it.

Speed

It depends on your server location and its specifications.

Security & Privacy

Outline gives you control over your privacy by letting you operate your own server and Outline claims they never log your web traffic (but Cloud provider does). Strong encryption (Shadowsocks) helps keep your communications private.

How to setup Outline VPN in China

With the Outline Manager application, you can create a server and share access with unlimited users. Let’s see how we can set up everything.

1. Download & Install Manager App: The process is straight-forward. Since their main website is blocked in China, visit this link to download the Outline manager from GitHub. The manager app is available for Windows, Linux, and MacOS.

2. Choose A Cloud Server & Set Up: DigitalOcean and Amazon AWS are accessible from China. You won’t be able to access Google Cloud Platform from the mainland.

It’s recommended to register an account with the Cloud provider of your choice before connecting it with the Outline manager. As you can see in the screenshot; DigitalOcean is partnered with Outline. So, setting up a proxy server powered by DigitalOcean would be the best approach.

Bonus: You can connect Outline with your existing cloud provider also.

3. Use The Access Key To Connect: Once you finish the setup process, the Outline manager will generate a token (access key).

Now, download and install the client app. Use the Access Key (SIP002 URI Scheme) on the client app, and tap/click connect.

Cons of Outline:

Bandwidth limitations according to the cloud provider.
Your cloud provider may or may not store log and other traces.
Netflix streaming issue. I feel it can be resolved if you’re using AWS.
There’s a chance the Great Firewall of China may block Outline’s Shadowsocks protocol. ~~They should either switch to SSR or something more complex /dynamic/secure in near future.~~ Check Vini Fortuna‘s response to this thread. He’s the engineering manager at Google’s @Jigsaw in NY.
No mirror sites (yet) for mainland China users. GitHub can be slow at times. We definitely need a local mirror site or download mirrors to grab the releases from Outline.
You won’t like it if you’re used to the commercial VPNs. The Outline VPN in China is simple and pretty much relies on a minimal and limited environment. For the same amount, you might be able to access 10 to 15 servers of a Shadowsocks service provider like SocketPro.

Socketpro — Fast. Easy to Use. Netflix Optimized. Get SocketPro Here.

Overall, I’m quite happy with what they’re doing. I highly encourage the readers of this blog post to test Outline at least once instead of relying on a VPN service provider all the time. Outline makes it easier for anyone to set up a proxy server and access restricted content.

More than sixty Internet regulations have been made by the People’s Republic of China (PRC) government. I believe Outline is a great initiative that supports freedom of speech by helping anyone anywhere in the World to break the barriers without relying on a third party VPN provider.

Thank you, Jigsaw (Google)!

The Best Working VPN for China

Updated onOctober 19, 2019 by Mighil

What's the Best VPN for China? (Cover Image)

The “best VPN for China that works 100%,” this has always been a hot topic among expats in China. Despite the crackdowns and restrictions, there are a lot of VPN providers who’re trying to sell (and upsell) their services for expats in China. Skip introduction.

Furthermore, there’s a bunch of mediocre VPN providers and reviewers out there. Avoid them like the plague.

Most of these reviewers are interested in making easy money using affiliate links. They recommend almost all VPN services for China and claims it’s the best VPN for China. “Here are our top picks,” “we’ve picked out five top-notch VPN providers in China”..meh! Don’t fall for the marketing gimmicks.
I’ve seen some of them including Ivacy in their list. It is no good in my opinion. Not to mention the “well-known” bloggers recommending a multitude of VPN services just to stockpile the referral links.
Finding the best from Google is not an easy job because of the “promoted” content you come across.

You need to put a lot of time and effort to research. Let me help you refine the search.

What’s the Best VPN for China?

ExpressVPN: Very popular and works and promise a 99.9% uptime. The services come with optimized servers for streaming Netflix
SocketPro: SocketPro is essentially a ShadowsocksR proxy service provider. The service is dirt cheap, and they provide few servers to stream Netflix, Hulu and more.
DIY Methods: You could set up your Shadowsocks or ShadowsocksR servers on DigitalOcean, Amazon AWS or any other cloud provider of your choice.

Backstory, Finding The Best VPN for China

Having stayed for almost four years in China, I know what works and what doesn’t when it comes to climbing over the great firewall of China.

I’ve tried multiple VPN providers and even wrote a few tutorials on how to set up DIY SOCKS5 proxies for personal use. Read further if you’re tired of the mediocre China VPN reviews.

I’ll share the two best options. Without further ado, let’s look at the best working for VPN for China.

Note:

The second option is a trustworthy Shadowsocks service provider. Essentially not a VPN.
These are my honest recommendations as of February 2019.

The Best Working VPN for China (Review)

ExpressVPN: You might have heard a lot about them. But there are several solid reasons why you should go with ExpressVPN instead of choosing their competitors.

Major Features of ExpressVPN

Let’s look at why ExpressVPN turns out to be the best VPN for China.

Uptime: ExpressVPN has the best up-time comparing to its competitors. Most of their optimized Asian servers are available round the clock.

AES-256 Encryption: Yes, encryption is an essential factor while looking for the best VPN provider. AES (trusted by security experts) is a secure encryption algorithm used in symmetric key cryptography. Additionally, the company uses an RSA-4096 handshake and SHA-512 hash message authentication code, along with PFS. Meaning, you’re in good hands.

Multiple protocols: ExpressVPN recommends protocols and servers based on the location and connection. The company also lets you choose the protocols manually in case you know what you’re doing.

Sign up with ExpressVPN

Stream/Unblock Netflix: Important feature. A lot of expats in China has a Netflix account and want to stream their favorite TV shows and movies online or on the go. ExpressVPN’s US, UK, Canada, Hong Kong, and Taiwan servers are optimized for streaming Netflix.

Dedicated Apps: ExpressVPN has dedicated apps for MacOS, Windows, iOS, Android, routers, and Linux. Their knowledge base comes with pretty neat guides.

Furthermore, the company offers a “limited” free trial as well. You should try the full-featured version of ExpressVPN “risk-free” for 30 days. Not happy? You’ll get a full refund within 30 days, no questions asked.

Pros

Reliable, ExpressVPN is a trusted brand.
Few servers are optimized for streaming Netflix.
Dedicated Apps

Con

One ExpressVPN subscription only covers three devices of any type.

Best VPN Alternative for China

VPN is not your thing? Do you prefer proxy servers to stream Netflix and access Google? Give SocketPro a try.

What’s SocketPro? It is essentially a ShadowsocksR proxy service provider that offers cheap easy to use proxy servers which lets you unblock websites and climb the GFW. The whereabouts of SocketPro team are anonymous because of the nature of the service they provide.

I’ve been using their service for almost two years. So, don’t worry about anonymity. It’s for their own good to survive in China.

Shadowsocks vs. ShadowsocksR

Shadowsocks is an open source SOCKS5 proxy which, according to their official site, is designed to protect your internet traffic.

ShadowsocksR is a fork of the original Shadowsocks project, claimed to be superior in terms of security and stability.

Here are my blog posts on how to manually setup Shadowsocks and ShadowsocksR.

Why ShadowsocksR instead of a VPN?

A conventional VPN protocol creates a network that slows down Chinese websites, which can be annoying when you’re using Taobao, WeChat, JD.com, etc.

On the other hand, Shadowsocks has a Global Mode and Auto Mode.

Best Working Shadowsocks Service for China — Get SocketPro for All The Devices.

The Global Mode acts similar to a VPN connection whereas the auto settings (Auto mode by PAC) makes sure you can access Chinese website faster, without using a proxy.

Major features of SocketPro

SocketPro is packed with cool features as well. They’ve almost 8000+ active users and 74 node servers.

List of SocketPro Premium Servers — Open image in a new tab for better viewing.

Speed: They use a modern SOCKS5 protocol (ShadowsocksR) to transfer your data, which is faster compared to a traditional VPN.

Cross-platform support: Unlike ExpressVPN, SocketPro DO NOT limit your connection, meaning you can connect all your device at the same time.

Get a SocketPro Account

Secure: Your connection is secured with 256-bit encryption to protect your data from prying eyes.

Pros

Dirt Cheap and fast.
Unlimited bandwidth and speed.
Few servers are optimized for streaming Netflix.

Cons

Monthly plans are okay, but the yearly plan comes with better servers.
No dedicated app for iOS, you should purchase a 3rd party app.

These are the best reliable VPN services in China that lets you access blocked sites, online resources, and stream Netflix. What’s your best pick?

Need A Secure Custom Solution?

Hire me to set up a private proxy/VPN for $50 one-time fee

Send A Message

Setup A ShadowsocksR Server On Amazon EC2

Updated onJanuary 10, 2020 by Mighil

How to Setup A Shadowsocks Server on Amazon EC2

Learn how to install ShadowsocksR (not Shadowsocks) server on Amazon EC2 Ubuntu instance (Free Tier) easily. I set SSR in the title because it’s superior to Shadowsocks. The script included in this tutorial comes with the option to choose between Shadowsocks or ShadowsocksR during installation. It’s your call.

Heads up: unlike the DigitalOcean guide I posted before, this one involves fewer commands and scripts. 😉

Update 1: I recommend SocketPro, a dirt cheap option ($2.41/mo annual) if you prefer to rely on a service provider. Their services are top-notch and I’ve been using it for almost two years alongside my DIY servers. Click here to read my review.
Update 2: Thanks Janosch for pointing out the error in the installation script. I’ve updated it now.

Why ShadowsocksR?

ShadowsocksR is a fork of the original Shadowsocks project, claimed to be superior regarding security and stability.

Warning: Although this guide is intended to be 100% n00b friendly, there are chances you may face minor issues or errors during setup. Be prepared. Just comment here or write to webmaster[at]mighil.com or connect with me on WeChat @mighil if you want me set it up for you for a small fee.

Prerequisites:

Access to AWS console. (Requires one time credit/debit card verification)
Read more about EC2 Free Tier.
SSH client.
Patience.

Sign in to the AWS Console & Create an EC2 Instance

AWS may take you to the US region by default. It’s up to you choose the location.

Select EC2 in the Compute Section

Select the Asian region (Tokyo or Singapore recommended) if you’re from China.

Click Launch Instance

Go on and read their Getting Started Guide if you’ve got enough time.

Select The Ubuntu Server 16.04 LTS

Ubuntu Server 16.04 LTS is Free Tier Eligible, and that’s what we’re going to use for this guide as well. Click Select and proceed to the next step.

Choose the Instance Type

Look for the t2.micro which is Free Tier eligible. Select it and click Review and Launch.

Configure Security Group

Open the TCP ports you’re going to use for ShadowsocksR. I’ve set Port Range from 8000–8083 for this guide. You can limit the source according to your preference. Click Review and Launch when you’re ready.

Create a New Key Pair

Create, download and save keypairname.pem file in a safe place.

Congrats on the 60% progress. Now learn how to use PEM key on Mac before jumping to the big steps. Windows users, you have to convert PEM file to PPK. Please read it and come back to this article.

macOS: Copy The AWS Generated PEM File to a Safe Location

Here’s how to copy keypairname.pem to /Users/usrname/.ssh/ (hidden directory)

Copy the keypairname.pem file.
Open Finder, use the shortcut “Shift + Command + G” and type in /Users/usrname/.ssh/
Paste the keypairname.pem file.

macOS: chmod 400 the PEM file

We have to set the right permissions for PEM file. Use the chmod command to make sure that your private key file isn’t publicly viewable. For example, if the name of your private key file is keypairname.pem, use the following command:

$ chmod 400 /Users/username/.ssh/keypairname.pem

Alright, it’s about time fellas! Let’s dive into the Terminal/Putty.

macOS: Uncheck this Sucker in Terminal Preferences (Recommended)

There are chances some users may get locale errors, it’s a best practice to uncheck this from Terminal Preferences.

SocketPro Shadowsocks Service Provider — Get SocketPro now if you need a cheap option. 100% working in China.

Connecting to the EC2 Instance

Let’s connect to your instance from Putty or Terminal:

macOS, via Terminal:

$ ssh -i /Users/username/.ssh/keypairname.pem [email protected]

!! Check your public IP from the corresponding AWS EC2 webpage.

Windows via Putty:

Load your PPK and connect to the server as the Ubuntu user

Switch User in EC2 instance

Once you’re inside the EC2 instance. Switch to the root user:

$ sudo su

Run The ShadowsocksR Auto-Installer

Script by @teddysun. Copy and paste each line separately.

$ wget --no-check-certificate -O shadowsocks-all.sh https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocks-all.sh
$ chmod +x shadowsocks-all.sh
$ ./shadowsocks-all.sh 2>&1 | tee shadowsocks-all.log

This installer is intuitive and will guide you setup ShadowsocksR on your instance.

Note: It contains installers for other Shadowsocks packages as well.

The installer will generate and display the final config. It displays Private IP (not public IP). So make sure you use Public IP within client apps. As I mentioned EARLIER, you can find your public IP within the corresponding AWS EC2 instance page or run the command below to display the public IP

$ wget -qO- -t1 -T2 ipinfo.io/ip

Commands to start | stop | restart | check status

Shadowsocks-Python：

$ /etc/init.d/shadowsocks-python start | stop | restart | status

ShadowsocksR：

$ /etc/init.d/shadowsocks-r start | stop | restart | status

Shadowsocks-Go：

$ /etc/init.d/shadowsocks-go start | stop | restart | status

Shadowsocks-libev：

$ /etc/init.d/shadowsocks-libev start | stop | restart | status

That’s it, congrats on the 100% progress.

Write to mighilcn at gmail dot com or connect with me on WeChat @mighil if you want me set it up for a small fee.

Join The Mailing List

Get tips on WordPress optimization, website hosting and VPN/proxy optimization guides for expats in China. Subscribe via email. MailChimp automates the Mighil.com mailing list. The mailer won’t spam your inbox. You can unsubscribe at any time.

Setup A Shadowsocks Server on DigitalOcean

Updated onJanuary 10, 2020 by Mighil

Shadowsocks is an open-source SOCKS5 proxy which, according to their official site, is designed to protect your internet traffic. As an expat in China, I have tried a few VPN services. The major downside of well-known providers is that their VPNs create one connection for all traffic (which is easier for China’s GFW to detect/block/slow down).

Recently, I tested Shadowsocks on an Ubuntu server based in Singapore and I must say I’m quite happy with SOCKS5 rather than the paid services. I know there are a bunch of tutorials out there on how to configure Shadowsocks. But, I’d like to be more precise providing the best tips and workarounds.

In this tutorial, you’ll learn how to install Shadowsocks and related packages on an Ubuntu server and bypass the Great Firewall of China.

Prerequisites

A DigitalOcean droplet (preferably an Ubuntu or CentOS x64 server) / Cost: Starts from $5 per month. Feel free to sign-up with my referral link if you’re interested.
Notepad++/Sublime Text Editor if you don’t prefer UNIX vi editor.
SFTP/FTP client like WinSCP if you prefer a GUI.

How To Create A New Droplet In DigitalOcean

Note: I highly recommend new users to generate/set-up SSH keys while creating a droplet as they provide a more secure way of logging into a virtual private server with SSH than using a password alone.

How To Install Shadowsocks on Ubuntu 18.04

Let’s fire up putty or any other SSH client and log in to your server as root user.

Once you have logged in to the server, run the following command to update the packages:

$ apt-get update

Now, run the following commands to install Python then Shadowsocks:

$ apt-get install python-pip
$ pip install shadowsocks

Now install M2Crypto, which is the most complete Python wrapper for OpenSSL featuring RSA, DSA, DH, EC, HMACs, message digests, symmetric ciphers (including AES). Run the following commands to install M2Crypto:

$ apt-get install python-m2crypto
$ apt-get install build-essential

Since salsa20 and chacha20 are fast stream cyphers. Optimized salsa20/chacha20 implementation on x86_64 is even 2x faster than rc4 (but slightly slower on ARM). You must install libsodium to use them:

$ wget https://github.com/jedisct1/libsodium/releases/download/1.0.10/libsodium-1.0.10.tar.gz
$ tar xf libsodium-1.0.10.tar.gz && cd libsodium-1.0.10
$ ./configure && make && make install
$ ldconfig

After finishing up the steps above, we must create a .json file (config file) for Shadowsocks. In order to do this, fire up Vi editor or open your text editor and create a new file. Add these data to the file:

{
"server":"your_droplet's_IP_address",
"server_port":8000,
"local_port":1080,
"password":"your_password",
"timeout":600,
"method":"aes-256-cfb"
}

You can choose any encryption method from here.

Save the file as shadowsocks.json and copy it to the /etc folder.

Now start your Shadowsocks server. Run the following command to do so:

$ ssserver -c /etc/shadowsocks.json -d start

You can check the Shadowsocks log file, which is located in /var/log/shadowsocks.log to make sure everything is okay.

Now that you are almost done, we need to make sure Shadowsocks server will be started automatically during system reboots. Edit the file named /etc/rc.local to do so.

Open up /etc/rc.local and add the following content before the exit 0 line.

/usr/bin/python /usr/local/bin/ssserver -c /etc/shadowsocks.json -d start

Now you’re ready to roll.

Note: In the future, use this command: “ssserver -c /etc/shadowsocks.json -d stop” to stop the Shadowsocks server. and “ssserver -c /etc/shadowsocks.json -d restart” to restart.

Server Optimization

There are a number of ways to optimize your server, here are the best ones.

To increase the maximum number of file descriptors:

Edit the limits.conf file located in /etc/security/limits.conf and add the following two lines:

* soft nofile 51200
* hard nofile 51200

Now, temporarily stop the Shadowsocks server to set the ulimit.

Run:

$ ssserver -c /etc/shadowsocks.json -d stop

Now set the ulimit:

$ ulimit -n 51200

To optimize the kernels:

We can optimize the kernel parameters by editing the /etc/sysctl.conf file. Open up the file and add the following lines to the end of the document:

fs.file-max = 51200
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_congestion_control = cubic

Save it and run this command:

$ sysctl -p

Now that you finished optimizing, start the server!

$ ssserver -c /etc/shadowsocks.json -d start

Shadowsocks Clients:

Check out the clients for different platforms listed on Shadowsock’s official website.

What's faster than a VPN?

Use SocketPro. Best VPN alternative for expats in China. Just $2.41/m.

Set up a fast website in China

Hire me. I provide top-notch website optimization services for China.