access wikipedia (walk through the great firewall of China)

张韡武 weiwu at
Fri Dec 8 02:10:07 PST 2006

在 2006-12-08五的 06:53 +0000,Matthew Seaman写道:
> ??? wrote:
> > Hello. My office use this method to access wikipedia behind the great
> > firewall of China:
> > 
> > 1) we have a server in europ, let's call it server;
> > 2) I run this command on my desktop:
> > $ ssh -L server;
> > 3) everybody in the office edit /etc/hosts, add this line:
> > [my_ip_addr]
> > 
> > So my computer become a 'proxy'.
> > 
> > The trouble is I have to keep the ssh running there. The 'proxy' will
> > not automatically set up next time I reboot my computer.
> > 
> > Is it possible to install some software to run as a daemon and do this
> > proxy?
> > 
> > I think of stunnel, but I have too few knowledge to know if stunnel can
> > do this.
> There are two general possibilities here:
>   a) A Web cache/proxy -- squid is the canonical example, but you can
>      do this sort of stuff in apache very readily.  I think apache 
>      would be a good place for you to start, as most sysadmins have
>      at least a passing acquaintance with its configuration.
>      You'ld need set up a proxy on your European server to redirect
>      any web traffic to -- your users would use the
>      service exactly as they do at the moment, but they'd put the
>      IP of the European server into their hosts file, rather than
>      your desktop.  If that is a problem, then you can chain together
>      a series of proxies starting with your desktop machine, then
>      the European server -- but performance may be a tad slow.

We have a lot of problems accessing any sort of proxy outside China, the
latest technology in the great firewall of China, if you had read the
newspaper, is content-based filtering. 443 port of many foreign servers
are also being blocked.

>   b) IPsec or other VPN tunnel between your server in Europe and a
>      local firewall -- preferably your local firewall should be on
>      the egress path from your LAN.  Then you can arrange routing
>      so that packets to destinations in Europe pass through the 
>      tunnel and use your European server as the gateway to the
>      internet.  In this case, there shouldn't be any need for your
>      users to have to spoof the address of in 
>      their hosts files.  IPSec comes standard with FreeBSD, but
>      you'ld probably want to combine it with pf(4) or other firewall
>      software which you can use to control redirecting appropriate
>      packets through your tunnel.  If IPSec is too mind-mangling
>      for you, OpenVPN (in ports) is a pretty good alternative.
>      You'll almost definitely want to configure a NAT gateway on
>      the European server.
> Either of these solutions will run automatically on system startup, if
> so configured.  Option (a) will send your web traffic across the net
> in clear-text unless you can chain two proxies together and get creative
> about using HTTPS.  Or you can combine both approaches: use a local HTTP
> proxy with a VPN tunnel to your European server.

Thank you very much for your detailed explanation, I believe me and many
other people on the list is going to benefit from it.

Currently the only website we want very much but being blocked is
wikipedia. Other websites being blocked are mostly about politics and
news, which we are not interested (I think most people in China are not
interested what foreign news says, and getting used to ignore 3rd party
politic information). Wikipedia is an exception because it has a lot of
useful information, not just politics. So basically if wikipedia is
accessible, we are happy. Your general solution looks really complicated
to me that I would like to do it as weekend fun, but probably not going
to be able to maintain it.

Information is like this: you don't need to block all information in
order to prevent people knowing them, you only need to put barrier
higher. There are many ways to workaround (walk-through) the Great
Firewall, but every time when I look into different complicated
solutions, I say to myself is it worthy to spend so much time on it? And
ends up saying to myself, save the time, let's just don't read these

More information about the freebsd-questions mailing list