This past July, I found myself looking for a way to test a web application from behind “the great firewall of China” (aka Golden Shield). The problem is that I can’t test that something works in China if I’m not in China. My first thought was to use Nord VPN to connect to a VPN server in China but the closest that Nord offers is Hong Kong. I did a little light investigating and found that Hide My Ass VPN claims to have 4 servers in Beijing. After paying $59.88 for an account, I was ready to start testing.
Unfortunatly, it looks like HMA VPN is doing some shinanigans to make it look like your traffic is originating from the country without it actually originating from that country.
When you use their client, it shows that you are connected using an IP that is in China. You can use IP Chicken to prove that it is your new public IP address and you can use a service like MaxMind GeoIP or IP Location Finder to prove that IP address is in Beijing. The problem was that despite that, the Golden Shield limitations were not happening. I could still visit things like Google and Twitter and see things like photos of the Tiananmen Square massacre.
The first thing that came to mind was to use nmap to trace the path between the remote server and my computer. It does that by sending packets to the server with decrementing TTL, in an attempt to elicit ICMP time-exceeded messages. That didn’t work great because the result didn’t show my public IP. My next idea was to use traceroute since instead of decrementing the TTL, it increments it.
Since the traceroute goes from where your computer is to the target server, the first hop should be your public IP address but in this case, it isn’t. So, where is 22.214.171.124?
It looks like for some reason, when you select China, you get a Chinese IP address but the traffic actually emerges onto the internet in Singapore?!?
I have no idea why this is happening but when I asked them, they said:
The most I can do to show you we are indeed telling you the correct information is to point you to the database of the official registry RIPE NCC:
RIPE NCC is one of five RIRs worldwide coordinating and maintaining the information databases about the registered IPs and operating under IANA (Internet Assigned Numbers Authority). You can also confirm these IPs are allocated to RIPE by looking them up here: https://www.iana.org/whois.
I understand that the inner working of the internet is not your prime concern, but rather the websites recognizing your location correctly. Still, I just wanted to demonstrate that we have taken all the necessary actions on our end. At the moment, incorrect IP details appear, but they appear less and less frequently as other websites conduct updates of their databases.
So, they aren’t denying that they are faking the traffic. They are just saying the IPs are registered in China (which doesn’t help).
I still need to figure out if there is a legitimate way to test if I site works in China. Have a suggestion? Feel free to drop a comment, below.