Shadowsocks or VPN?
If you live in China and want a recommendation on which solution to choose, Shadowsocks or VPN, the quick answer is Shadowsocks, because Shadowsocks works while most VPNs don’t.
China’s GFW is so successful that it has blocked all major VPN protocols; no VPN can survive without revising or obfuscating its packet pattern a bit. But the GFW has a hard time telling whether you are using a Shadowsocks proxy to browse the web. Therefore, Shadowsocks is your best choice. The situation is similar in Iran, and maybe the United Arab Emirates, where VPN protocols are heavily censored, probably by the same equipment from China, but Shadowsocks is still unrecognizable and undetectable. In fact, the designer’s goal is to make the GFW’s cost of blocking Shadowsocks unbearably high. With that as a goal, Shadowsocks will probably be here to stay and withstand the GFW’s attacks for a long time.
So what’s the difference between Shadowsocks and VPN?
Shadowsocks originated in China for the purpose of thwarting the Great Firewall’s blocking.
Shadowsocks is a proxy, which means the proxy server relays the communication on your behalf, with encryption in the case of Shadowsocks. It is mainly used for relaying TCP packets, but Shadowsocks can also relay UDP packets. The Shadowsocks proxy server is a middleman between your computer and the rest of the internet: it relays your TCP/UDP request to a destination such as facebook.com and returns the content of facebook.com back to you. Shadowsocks was specially designed to bypass the GFW’s blocking, with 4 considerations.
1. Initiate and relay packets much like the HTTPS protocol, but without the full chain of connection establishment and certificates, so the GFW can’t tell the difference. If the GFW blocked all HTTPS packets it would block the entire web, something it can’t afford to do.
2. Password-based authentication between client and server, which makes establishing the connection quick and easy.
3. Use industry-level ciphers to encrypt the data transfer, nullifying the GFW’s deep packet inspection.
4. Bleeding-edge techniques using asynchronous I/O and event-driven programming.
So users can connect to a Shadowsocks server unnoticed, encrypted, and at high speed. The GFW has no good way to pinpoint Shadowsocks packets; that’s why they had to physically pinpoint the developer and ask him to quit the project.
VPN stands for Virtual Private Network. It is essentially a full virtual network which obscures your device, your IP, and your connection as a whole, and makes it look like you are surfing from a different location. It was created long before China’s Great Firewall and was widely used for getting around the GFW’s blocking. It was also quite secure, although at the individual protocol level you can find vulnerabilities in some variants such as PPTP. In general, the GFW’s mandate is to block, not to decrypt; it is very hard to decrypt the huge volume of encrypted VPN data.
VPN is a great solution for encrypted communication and bypassing internet censorship. It works in most countries, but not in China. The unfortunate fact is that VPN protocols need a few rounds of packet exchange to establish the encrypted channel. This is not the VPN’s fault, since almost every communication protocol needs a few rounds to establish a connection, and they were all created before China’s GFW. The GFW just took advantage of the plain text protocol pattern and tears the connections down. It is reported that very few VPN providers still work under the GFW, and they all have to add some secret sauce to the protocol.
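The contrast described above, as an added example that is not part of the original article: a VPN handshake opens with fixed plaintext fields that a middlebox can match, while a fully encrypted payload offers none. The PPTP magic cookie and the OpenVPN reset opcode are those protocols’ real constants; the function names, the simplified checks and the sample packets are constructed for illustration, and the pseudo-random bytes only stand in for an encrypted stream.

```python
import hashlib
import math
import struct
from collections import Counter

PPTP_MAGIC_COOKIE = 0x1A2B3C4D    # constant in every PPTP control message (RFC 2637)
OPENVPN_HARD_RESET_CLIENT_V2 = 7  # opcode carried in the top 5 bits of byte 0


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram; approaches 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_first_payload(payload: bytes, transport: str) -> str:
    """Match the first payload of a flow against fixed plaintext header fields."""
    if transport == "tcp" and len(payload) >= 8:
        # PPTP control header: length, message type (1 = control), magic cookie.
        _length, msg_type, cookie = struct.unpack("!HHI", payload[:8])
        if msg_type == 1 and cookie == PPTP_MAGIC_COOKIE:
            return "pptp-control"
    if transport == "udp" and len(payload) >= 14:
        # Simplified OpenVPN check: only the opcode of the client's first packet.
        if payload[0] >> 3 == OPENVPN_HARD_RESET_CLIENT_V2:
            return "openvpn-hard-reset"
    return "no-plaintext-signature"


# Constructed samples, not captured traffic.
PPTP_START_REQUEST = struct.pack("!HHIHH", 156, 1, PPTP_MAGIC_COOKIE, 1, 0) + bytes(144)
OPENVPN_RESET = bytes([OPENVPN_HARD_RESET_CLIENT_V2 << 3]) + bytes(range(8)) + bytes(5)
# Stand-in for a fully encrypted stream: deterministic pseudo-random bytes.
ENCRYPTED_STREAM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))

if __name__ == "__main__":
    for name, data, transport in [
        ("pptp", PPTP_START_REQUEST, "tcp"),
        ("openvpn", OPENVPN_RESET, "udp"),
        ("encrypted", ENCRYPTED_STREAM, "tcp"),
    ]:
        label = classify_first_payload(data, transport)
        print(f"{name:10s} {label:24s} {entropy_bits_per_byte(data):.2f} bits/byte")
```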