I have managed to work around the problem by creating a wrapper script to OpenVPN / <insert desired VPN> to randomly open 3-7 connections every couple of minutes to a box in Japan. These were then bonded back to a layer 2 device, which actually terminated the connection.

This worked around the horrible round robin NAT and pipe saturation that you experience connecting outside of China.

IMHO there are 2 main ways Internet if fux0red there:

a) With TCP RST packets being sent when ascii strings in packets match a filterlist at a router
- Easy to get around set your firewall to DROP TCP Reset packets ( you will need to have control of the other side endpoint as well and tell it to do the same)

b) Most international transiting v4 traffic goes through a carrier grade NAT solution at the peering edge of the domestic networks. It's a round robin /22 pool you will notice if you start up a bunch of connections and monitor exit points at a target you get different IP's for each originating connection.
This is problematic as each pool get's starved of ports you get connection time outs, dropped packets and problems with new connections not being tracked against different originating IP's.
- I wrote an OpenVPN intiatialise script that essentially tunnels out on a random port 3-7 times every 5 minutes, and then bonds the connection on the OpenVPN server to a layer 2 tap device. This reduces the chances that all of the connections will timeout/drop, allowing for a stable tunnel out of china.


The little bonding trick worked well enough to keep up a fairly stable ( although not blindingly fast ) tunnel to japan, which we needed to run for real time/interactive app.

Kind regards

-JoelW

On 20 April 2010 11:22, Nicholas Lee <emptysands@gmail.com> wrote:
There is no cost effective solution that I've been able to find.

You can buy private lines to HK from China.��DYXNet gave me a quote for a 1M South China/HK 1Mb line, including the router, 1M international in HK and 8IPs at roughly 1000USD setup and 1000USD/mth. ��You'd have to find another provider for HK to NZ.

On top of the VPN via HK, the best option so far is��centralizing��shared services to some where like US, HK or Singapore. Or��splitting��into traffic into multiple streams: TLS/SSL, SSH. One trick I used was to package putty with a ssh private key by Xenocode. Running this created a localhost host tunnel, which I trained the users to run once before��accessing��the business app. ��

Work in progress, if you figure out a better method I'd be interested.

Nicholas


On Tue, Apr 20, 2010 at 10:46 AM, Stephen Sheehan <Stephen@lostangel.geek.nz> wrote:
Hi Everyone.

Does anyone have experience getting good connectivity out of China to
NZ without breaking the bank.

We are currently bouncing our connection thru a VPN tunnel in HK to
control the egress path out of China, as traffic to our NZ pop
otherwise goes via the US. We are only using commodity DSL internet
connections at our China site so have no influence there.

Looking around the options I am seeing would be going to the likes of
Asia Netcom and Verizon, who can provide connectivity to our Chinese
site and control the egress path and route it via a reasonably direct
path down to NZ.

Are there any other options out there, currently we are seeing around
190ms rtt with the VPN bounce off of HK hack, but would prefer a
simpler way of doing it.


Currently our Chinese office has connections to:
China Telecom AS4134
CNCGROUP �� �� AS17623


NZ office
Maxnet AS9889
Swizzle AS45181


Cheers

Stephen
_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog


_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog