Comment by Shank 4 days ago

7 replies

Anyone operating in/around China who needs a real VPN has a service they pay for and use that isn't mainstream and isn't blocked (using V2ray or similar). There's a reason why Shadowrocket is the number 1 app on the app store. I'm sure there are a lot of cases of people using e.g., off-the-shelf VPN apps and having trouble, but power users in China are always running a VPN, usually to Japan, that doesn't have this problem.

chickenzzzzu 4 days ago

How do you propose users in China will magically get around a nation state injecting packets?

  • appease7727 3 days ago

    That's literally what VPNs are for.

    If you aren't aware: a Virtual Private Network creates a fully encrypted link between you and a remote node. So long as your encryption keys are secure, there's no way for anyone (even a global superpower) to listen to or intrude on that connection. There is no possible way to break into this connection, even with the entire planet's computing resources.

    From the outside, all you can see is a stream of encrypted data between two nodes. You cannot tell where the traffic goes once it exits the VPN server or what it contains.

    The only way to compromise a VPN connection is the most straightforward and pedestrian: compromise the VPN host and directly spy on their clients with their own hardware.

    The GFW certainly can and has detected such encrypted streams and blocked them for being un-inspectable. With a VPN you can perfectly hide what you're doing and you can perfectly prevent intrusion. You cannot prevent someone noticing you're using a VPN. China can simply blanket ban connections that look like VPN traffic. But they cannot tell what you're doing with that VPN.

    • chickenzzzzu 3 days ago

      Thanks for the reply. In order to connect to the VPN, your first call must be over https, from China, to the VPN. How does that circumvent the phenomenon in the article, where a nation state was injecting TCP to cause your connection to hang up, thus no VPN connection?

      • nijave 3 days ago

        VPN doesn't need HTTPS nor does it need TCP

      • estimator7292 3 days ago

        You do not establish a VPN connection in the clear. You must give your client the encryption key before connecting. All transactions are fully encrypted from the beginning.

        Besides that, when negotiating a secure connection through unencrypted channels you typically use Diffie-Hellman to establish the encryption keys. As far as I'm aware, this method cannot be broken. Both nodes compute their own private encryption key and do math to create unencrypted data that must be verified by the other node's key. Even if you had full control of the data stream, you can't determine those private keys and cannot break into the encrypted connection that follows.

        Also VPNs are typically UDP, but there's no hard requirement as far as I know.

        • chickenzzzzu 3 days ago

          Awesome thanks for all of that. Then it sounds like the only way a nation state could block VPNs is if they decided to "go nuclear" and do what the person above said-- block anyone who they detect is using a VPN/encrypted channel.

          Based on that information, the theory for why a nation state would block https like this for a moment is either an accident, or to only block the low hanging fruit of people who don't use a VPN.
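The key exchange estimator7292 describes above, as an added example that is not part of this thread: each node keeps a private exponent, only the public values cross the wire, and both sides derive the same key. The `handshake` helper and the toy group parameters are constructed for illustration (a real VPN uses a standardised 2048-bit+ MODP group or X25519); it also shows the check a practitioner would want, a key-confirmation tag, so that a public value rewritten in flight by an on-path injector is detected instead of silently producing mismatched keys.

```python
import hashlib
import hmac
import secrets

# Toy finite-field group, constructed for this example only; it is NOT a
# vetted DH group. Production code uses an RFC 7919 group or an elliptic curve.
P = 2**255 - 19
G = 2


def keypair():
    """Each node picks a private exponent x and publishes only g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_key(my_private, peer_public):
    """g^(xy) mod p is reached by both nodes; hash it into a symmetric key."""
    s = pow(peer_public, my_private, P)
    return hashlib.sha256(s.to_bytes(32, "big")).digest()


def confirm_tag(key, transcript):
    """Key confirmation: prove you derived `key` by MACing the public values."""
    return hmac.new(key, transcript, hashlib.sha256).digest()


def handshake(tamper=None):
    """Run one exchange. `tamper`, if given, rewrites the client's public value
    while it is in transit (what an on-path packet injector could do).
    Returns (confirmation_ok, keys_match)."""
    a, A = keypair()          # client
    b, B = keypair()          # server
    A_seen = tamper(A) if tamper else A   # value the server actually receives

    # An observer on the wire sees only A_seen and B, never a, b or the key.
    client_transcript = A.to_bytes(32, "big") + B.to_bytes(32, "big")
    server_transcript = A_seen.to_bytes(32, "big") + B.to_bytes(32, "big")

    k_client = shared_key(a, B)
    k_server = shared_key(b, A_seen)

    # Server sends a confirmation tag; client recomputes it with its own key.
    tag_from_server = confirm_tag(k_server, server_transcript)
    ok = hmac.compare_digest(tag_from_server, confirm_tag(k_client, client_transcript))
    return ok, k_client == k_server
```

With no tampering both sides agree and the tag verifies; if a public value is altered in transit the keys differ and the confirmation fails, so the tunnel is refused rather than built on a key the peer does not share.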