I have managed to work around the problem by creating a wrapper script to
OpenVPN / <insert desired VPN> to randomly open 3-7 connections every couple
of minutes to a box in Japan. These were then bonded back to a layer 2
device, which actually terminated the connection.
This worked around the horrible round robin NAT and pipe saturation that you
experience connecting outside of China.
IMHO there are 2 main ways the Internet is fux0red there:
a) With TCP RST packets being sent when ASCII strings in packets match a
filter list at a router
- Easy to get around: set your firewall to DROP TCP Reset packets (you will
need to have control of the other side's endpoint as well and tell it to do
the same).
b) Most international transiting v4 traffic goes through a carrier-grade NAT
solution at the peering edge of the domestic networks. It's a round-robin
/22 pool; you will notice, if you start up a bunch of connections and monitor
exit points at a target, that you get different IPs for each originating
connection.
This is problematic: as each pool gets starved of ports you get connection
timeouts, dropped packets and problems with new connections not being
tracked against different originating IPs.
- I wrote an OpenVPN initialise script that essentially tunnels out on a
random port 3-7 times every 5 minutes, and then bonds the connection on the
OpenVPN server to a layer 2 tap device. This reduces the chances that all of
the connections will time out/drop, allowing for a stable tunnel out of
China.
The little bonding trick worked well enough to keep up a fairly stable
(although not blindingly fast) tunnel to Japan, which we needed to run for a
real-time/interactive app.
Kind regards
-JoelW
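The multi-tunnel bonding trick and the RST-drop rule from the message above, written out as an added example (this is not JoelW's script, which is not on the page). It assumes, beyond what the thread says, that the far side accepts OpenVPN on every UDP port in PORT_LO..PORT_HI (for instance one listener behind a DNAT port range), that keys and certificates live in a hypothetical include file CLIENT_TMPL, and that the far side enslaves its matching tap devices into a bond the same way; VPN_SERVER is a placeholder host.

```shell
#!/bin/sh
# Added example, not JoelW's script: bring up 3-7 OpenVPN tap clients on
# random UDP ports and enslave their tap devices into a round-robin bond,
# so one CGNAT pool starving a tunnel of ports does not drop the whole link.
# Assumptions (not from the thread): the far side accepts OpenVPN on every
# port in PORT_LO..PORT_HI, keys/certs live in the hypothetical include file
# CLIENT_TMPL, and the far side bonds its matching tap devices the same way.
set -u

VPN_SERVER="${VPN_SERVER:-vpn.example.jp}"                 # hypothetical host
PORT_LO="${PORT_LO:-20000}"
PORT_HI="${PORT_HI:-29999}"
CLIENT_TMPL="${CLIENT_TMPL:-/etc/openvpn/bond-client.inc}" # hypothetical file
CONF_DIR="${CONF_DIR:-/etc/openvpn/bond}"
BOND="${BOND:-bond0}"

# Unsigned 16-bit random value from /dev/urandom ($RANDOM is not POSIX sh).
rand16() {
    od -An -N2 -tu2 /dev/urandom | tr -d ' '
}

# Number of parallel tunnels, 3..7 inclusive, as in the post.
pick_count() {
    echo $(( 3 + $(rand16) % 5 ))
}

# Random UDP port in [PORT_LO, PORT_HI].
pick_port() {
    echo $(( PORT_LO + $(rand16) % (PORT_HI - PORT_LO + 1) ))
}

# Point (a): drop TCP RSTs that claim to come from the peer, so an injected
# reset cannot tear a session down. Scoped to the peer address rather than
# all RSTs; the peer must install the mirror rule with this host's address.
rst_drop_rules() {
    printf 'iptables -I INPUT -s %s -p tcp --tcp-flags RST RST -j DROP\n' "$1"
}

# OpenVPN client config for tunnel N on the given port: a tap device, so
# that it can be enslaved into the layer 2 bond.
client_config() {
    cat <<EOF
client
dev tap$1
proto udp
remote $VPN_SERVER $2
nobind
persist-key
persist-tun
keepalive 10 60
config $CLIENT_TMPL
EOF
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Create the bond and tap devices, then start one openvpn per tap.
# Prints the number of tunnels started.
start_tunnels() {
    count=$(pick_count)
    run ip link add "$BOND" type bond mode balance-rr
    run mkdir -p "$CONF_DIR"
    i=0
    while [ "$i" -lt "$count" ]; do
        port=$(pick_port)
        # The tap must exist and be down before it can be enslaved; openvpn
        # attaches to the persistent device by name afterwards.
        run ip tuntap add dev "tap$i" mode tap
        run ip link set "tap$i" master "$BOND"
        [ "${DRY_RUN:-0}" = 1 ] || client_config "$i" "$port" > "$CONF_DIR/tap$i.conf"
        run openvpn --daemon "bond-tap$i" --config "$CONF_DIR/tap$i.conf"
        i=$((i + 1))
    done
    run ip link set "$BOND" up
    echo "$count"
}

# Usage: VPN_SERVER=... sh bond-vpn.sh up   (add DRY_RUN=1 to preview)
if [ "${1:-}" = up ]; then start_tunnels; fi
```

Two caveats worth keeping in mind: balance-rr sprays packets across tunnels whose CGNAT exits have different latencies, so TCP inside the bond will see reordering (the post's "not blindingly fast" matches that); and the RST rule only helps if both ends install it, since the injected resets are sent to both endpoints.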
On 20 April 2010 11:22, Nicholas Lee
There is no cost effective solution that I've been able to find.
You can buy private lines to HK from China. DYXNet gave me a quote for a 1M South China/HK 1Mb line, including the router, 1M international in HK and 8 IPs at roughly 1000 USD setup and 1000 USD/month. You'd have to find another provider for HK to NZ.
On top of the VPN via HK, the best option so far is centralising shared services somewhere like the US, HK or Singapore. Or splitting traffic into multiple streams: TLS/SSL, SSH. One trick I used was to package PuTTY with an SSH private key using Xenocode. Running this created a localhost tunnel, which I trained the users to run once before accessing the business app.
Work in progress, if you figure out a better method I'd be interested.
Nicholas
On Tue, Apr 20, 2010 at 10:46 AM, Stephen Sheehan <Stephen(a)lostangel.geek.nz> wrote:
Hi Everyone.
Does anyone have experience getting good connectivity out of China to NZ without breaking the bank?
We are currently bouncing our connection through a VPN tunnel in HK to control the egress path out of China, as traffic to our NZ PoP otherwise goes via the US. We are only using commodity DSL internet connections at our China site so have no influence there.
Looking around, the options I am seeing would be going to the likes of Asia Netcom and Verizon, who can provide connectivity to our Chinese site and control the egress path and route it via a reasonably direct path down to NZ.
Are there any other options out there? Currently we are seeing around 190 ms RTT with the VPN-bounce-off-HK hack, but would prefer a simpler way of doing it.
Currently our Chinese office has connections to: China Telecom AS4134, CNCGROUP AS17623
NZ office: Maxnet AS9889, Swizzle AS45181
Cheers
Stephen
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog