What is the Great Firewall of China and how does it work?

China is infamous for its internet censorship program, widely known as the Great Firewall of China (GFW).  

In this article, we look at what the GFW is and how it prevents citizens of mainland China from accessing the free and open internet.

What is the Great Firewall of China?

Since 1998, the government of mainland China has been concerned about the internet, which it perceives as a source of social and political threats to the regime’s cultural values and ideology. At the same time, it has always recognized the internet’s utility in fueling economic growth. 

Its response was to build a regulatory framework supported by a far-ranging and increasingly sophisticated system of internet censorship known officially as the Golden Shield project — known outside of China as the Great Firewall of China.

The first phase of the GFW was completed in 2006, but it has since grown in complexity and scope, restricting internet access into and out of mainland China to only three highly-monitored access points. 

The GFW is designed to block Chinese citizens’ access to the uncensored internet via technical censorship measures. It’s not concerned with policing internal dissent. The Communist Party of China (CPC) controls China’s domestic internet using an army of cyberpolice to actively monitor domestic social media channels. 

One of the most visible aspects of the Great Firewall is that it blocks websites and services that are household names throughout the rest of the world, including all Google services, YouTube, Instagram, Facebook, Twitter, Wikipedia, and the websites of most major international news organizations.

Also blocked are services designed to bypass China’s censorship measures, including almost all international VPN services.

It is worth noting that the Great Firewall of China covers mainland China, not Hong Kong or Macau. Until recently, these Special Administrative Regions’ internet access was never interfered with and they could browse the uncensored internet. Hong Kong’s freedom is now threatened by the 2020 Hong Kong national security law. Still, both Hong Kong and Macau remain outside the scope of the advanced censorship system that is the Great Firewall of China.

Why does the Great Firewall of China exist?

“If you open the window for fresh air, you have to expect some flies to blow in”

Deng Xiaoping

The primary goal of the Great Firewall is to control the flow of information into and out of the country. As China opened up to the rest of the world with the economic reforms known as the socialist market economy in the 1980s and 1990s, its population became increasingly exposed to ideas and attitudes that the CPC saw as a threat to its social values and political ideology.

The arrival and increasing penetration of the internet into Chinese society caused a dilemma for the CPC. They could clearly see the internet’s value as a tool for economic growth — and its ability to expose the Chinese people to “dangerous” ideas.

However, the GFW also serves a useful secondary purpose. With the GFW, China has effectively built an internet inside the internet, with a captive market of around 700 million internet users (approximately a quarter of all internet users on the planet). 

This has allowed domestic alternatives to international internet services that are ubiquitous elsewhere to flourish on the Chinese mainland. These include:

The CPC keeps tight control over these services, which serves as a lucrative form of trade protectionism. However, it also makes it much easier for the government to monitor and control domestic political dissent and other social trends it disapproves of.

How does the Great Firewall of China work?

The CPC doesn’t share details about its highly sophisticated internet censorship system with the rest of the world. 

However, various sources, including reports from inside China and lessons learned from long-standing attempts to breach the firewall (often using side-channel analysis), have allowed security experts to surmise at least some of the tactics used to prevent people living in China from interacting with the wider world.

These blocks can be implemented either at the three international exit points monitored directly by the government or by the small number of government-controlled internet service providers (ISPs) that service China’s approximately 700 million internet users.

Destination IP address blocking

The Chinese government simply blocks connections to address ranges that belong to websites and other internet resources it wishes to censor. 

URL filtering

The government uses transparent proxies to scan URLs, HTTP headers, and the HTTPS Server Name Indication (SNI) for banned keywords.

DNS poisoning

The internet is set up so that DNS queries are usually handled by ISPs. This means the CPC can use the ISPs to aid in its censorship efforts. It often directs ISPs to block or redirect DNS queries to banned websites.
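A redirected answer can be spotted by comparing the ISP resolver's response with one obtained over an encrypted channel. The sketch below parses the A records out of two raw DNS responses and classifies the result; it is an added example, not code from the original article, the function names are hypothetical, and both responses are constructed inline with documentation-range addresses.

```python
import ipaddress
import struct

def build_response(qname, addrs):
    """Build a DNS response carrying A records (constructed sample, not captured traffic)."""
    question = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    msg += question + b"\x00" + b"\x00\x01\x00\x01"           # root label, QTYPE=A, QCLASS=IN
    for addr in addrs:                                        # owner name = pointer to offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        msg += ipaddress.IPv4Address(addr).packed
    return msg

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:                             # compression pointer ends the name
            return pos + 2
        pos += 1 + length

def a_records(msg):
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4                         # skip QTYPE and QCLASS
    found = set()
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:                         # A record
            found.add(str(ipaddress.IPv4Address(msg[pos:pos + 4])))
        pos += rdlen
    return found

def classify(isp_response, reference_response):
    """Compare the ISP resolver's answer with one fetched over an encrypted channel."""
    isp, reference = a_records(isp_response), a_records(reference_response)
    if not isp:
        return "no-answer"
    return "mismatch" if isp.isdisjoint(reference) else "consistent"

ISP_REPLY = build_response("blocked.example", ["192.0.2.1"])
REFERENCE_REPLY = build_response("blocked.example", ["198.51.100.20", "198.51.100.21"])
```

A "mismatch" is a lead rather than proof, since content delivery networks legitimately return different addresses to different resolvers.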

TCP reset attacks

Government cyberpolice can inject forged TCP packets into connections to send end-of-connection requests to blocklisted servers. These TCP reset attacks appear to come from the same infrastructure responsible for deep packet inspection.
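An endpoint can look for injected resets in its own packet capture. The detector below assumes, as a heuristic not stated in this article, that a forged RST arrives with an IP TTL unlike the genuine server's other packets; it is an added example, not code from the original article, with hypothetical function names and a constructed four-packet capture.

```python
import struct
from statistics import median

SYN, RST, ACK = 0x02, 0x04, 0x10

def make_packet(src, dst, ttl, flags):
    """Build IPv4 + TCP headers only (constructed sample; checksums left as zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 443, 50000, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp

def parse_packet(pkt):
    """Return (source address, TTL, TCP flags) from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
    src = ".".join(str(b) for b in pkt[12:16])
    return src, pkt[8], pkt[ihl + 13]         # TTL is IP byte 8; flags are TCP byte 13

def suspicious_resets(packets, tolerance=2):
    """Return indexes of RSTs whose TTL differs from the same source's other packets."""
    parsed = [parse_packet(p) for p in packets]
    baseline = {}
    for src, ttl, flags in parsed:
        if not flags & RST:                   # learn each source's normal TTL
            baseline.setdefault(src, []).append(ttl)
    hits = []
    for i, (src, ttl, flags) in enumerate(parsed):
        if flags & RST and src in baseline:
            if abs(ttl - median(baseline[src])) > tolerance:
                hits.append(i)
    return hits

# Constructed capture: all four packets claim to come from the same server.
SERVER, CLIENT = "203.0.113.10", "198.51.100.7"
SAMPLE_CAPTURE = [
    make_packet(SERVER, CLIENT, 51, SYN | ACK),
    make_packet(SERVER, CLIENT, 51, ACK),
    make_packet(SERVER, CLIENT, 113, RST),        # TTL inconsistent with the rest
    make_packet(SERVER, CLIENT, 51, RST | ACK),   # TTL matches the server's baseline
]
```

Route changes and load balancers can also shift TTL, so a flagged reset should be corroborated with other evidence before it is treated as injected.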

Deep packet inspection

Originally developed to detect VPN use, deep packet inspection (DPI) is now an integral part of the Great Firewall. China’s DPI techniques are among the most sophisticated ever developed, making them very difficult to bypass. 

Fake SSL root certificates

HTTPS, the encryption system that secures the internet, relies on a web of trust. Connections are validated using SSL certificates, which we trust because we trust Certificate Authorities (CAs) to only issue SSL certificates to verified domain owners.

Over the years, the Chinese government has used root SSL certificates belonging to Chinese CAs to perform multiple man-in-the-middle attacks.

The most notable example occurred in 2015, when Google proved that the Chinese CA CNNIC was abusing its position of trust by issuing unauthorized digital certificates for several Google domains. In response, some browsers stopped accepting certificates issued by CNNIC. However, this block was not enforced on other Chinese CAs, and browsers have continued to accept new Chinese CAs since.

The 2017 National Intelligence Law of the People’s Republic gives the Chinese government the formal power to ask any Chinese CA for the use of their root certificates.

Active probing

To help tackle anti-censorship services such as VPNs and Tor, Chinese authorities use active probing to trace connections back to blocklisted IP addresses.

Blocking access to app downloads

All access to websites that offer ways to bypass GFW restrictions (such as VPNs and Tor) is blocked. All Google services are blocked, including the Google Play Store, so Android users can’t download VPN apps.

If you use an Android device in China, you must instead download apps from one of the several domestic app stores, such as Tencent MyApp or Baidu Mobile Assistant. These stores often contain apps of dubious provenance but no international VPN apps.

The Apple App Store remains accessible from within China, but in 2017 Apple complied with China’s demands to remove all major international VPN apps from its app marketplace.

What websites does the Great Firewall of China block?

China now blocks thousands of websites, including protonvpn.com and proton.me. Some of the more notable blocked sites include:

  • ABC
  • BBC
  • Bloomberg
  • CNN
  • Dropbox
  • Facebook, Messenger, and Instagram
  • Gmail
  • Google services and apps (including Calendar, Docs, Maps, Play Store, etc.)
  • Hong Kong Free Press
  • LinkedIn
  • OneDrive
  • New York Times
  • Pinterest
  • Reddit
  • Quora
  • Reuters
  • Signal
  • Slack
  • Snapchat
  • Spotify
  • Steam Store
  • Twitch
  • Twitter
  • The Guardian
  • Time
  • Vimeo
  • Wall Street Journal
  • Wikipedia
  • WhatsApp
  • YouTube

It’s important to note that while the GFW is incredibly sophisticated, it isn’t entirely impenetrable. In fact, its implementation is rather inconsistent within China. Websites blocked in one province might be accessible in the next. Theoretically subversive websites can sometimes be accessed freely while innocuous ones devoid of objectionable or politically sensitive material are banned.

Even Google services have occasionally been reported as available in some areas in recent years. 

Is it possible to bypass the Great Firewall of China?

There are no reliable ways to consistently bypass the GFW of China. This includes almost all VPN services, which can be detected using China’s highly advanced DPI systems, even when using obfuscation technologies that are useful elsewhere. 

Other technologies can be helpful, although results are usually very hit-and-miss. You can counter DNS poisoning with third-party DNS services that encrypt DNS queries using DNS over TLS (DoT) or DNS over HTTPS (DoH). Similarly, you can evade URL filtering using Encrypted Server Name Indication (ESNI). ESNI is now supported in Firefox but not Chrome (yet).

All public Tor nodes are blocked in China, but the anonymity network is still partially accessible in China using bridges and pluggable transports such as obfs4.

Another tool reported to be effective is Shadowsocks. Created by a Chinese developer specifically to bypass Chinese censorship, this tool creates SOCKS5 proxy connections to a server you rent yourself. This makes it unlikely that Chinese authorities have placed this server’s IP address on a blocklist.

Final thoughts

The effort and resources the CPC has poured into the Great Firewall demonstrate how potent free speech can truly be.

Here at Proton VPN we believe that free speech, access to unfiltered information, and the ability to freely form friendships and exchange ideas with others around the world is a fundamental human right.

Tools offered by Proton VPN, such as Stealth protocol and Alternative routing, have proven effective at defeating censorship in places such as Russia, Iran, and Egypt. While we at Proton have yet to find a way to consistently bypass the GFW, we support efforts everywhere to defeat online censorship.

Frequently asked questions

Why doesn’t China allow Google?

Google was happy to enforce the Communist Party of China’s (CPC) censorship restrictions for years in return for access to the 700 million internet users in China. However, in 2009, the CPC banned all Google services following a dispute over accusations that the Chinese government was complicit in cyberattacks on Google websites.

Google responded by refusing to censor content in China, including refusing to remove videos on YouTube that showed police beating protesters during riots in Tibet.

Why doesn’t China allow Facebook?

The Chinese government blocked access to Facebook in 2009 when protesters used it to organize resistance to authorities during deadly riots in the western Xinjiang region. When the government demanded that Facebook hand over the protesters’ identities and information, Facebook refused to comply, leading to the block.

Why doesn’t China allow Twitter?

The Chinese government blocked Twitter at the same time it blocked Facebook, and for the same reason — protesters used it during the 2009 Ürümqi riots to organize themselves and share information.

Is it legal to use a VPN in China?

There are no laws specifically against using a VPN in China. In fact, the use of domestic VPN services is very popular in China, although these must be registered, and they must submit logs to the government. In 2019, a man in Guangdong province was fined 1,000 Yuan (approx. $145) for accessing foreign websites using the Lantern VPN app. This is the only known example of someone getting into trouble simply for using a VPN, although there has been a crackdown on people running unlicensed domestic VPN services. In 2017 the municipality of Chongqing city announced fines for VPN users, but as far as we know, no one has ever been charged. All of this is quite remarkable for a country where, according to a 2019 survey by GlobalWebIndex, 29% of China’s 700 million internet users use VPNs.

Does China allow social media?

All major international social media platforms are blocked by the Great Firewall. This includes Facebook, Instagram, Twitter, and Quora. However, there is a thriving social media culture in China on domestic platforms such as WeChat, Sina Weibo, and Douban. These platforms must give the Chinese government access to their systems and comply with its censorship orders.
