
Working in Mainland China

2021-01-29 by: DaWorm
From: DaWorm 
------------------------------------------------------
Not exactly *nix related, but maybe some of you can help.

Does anyone have any experience working in mainland China?  I'm being
considered for a position that would involve spending time in Qingdao (home
of Tsingtao beer), usually in 3 to 6 week chunks a few times a year, and I
have a few questions.  So if you have some experience, I'd appreciate it.

1. Do I need a VPN plan to get by the Great Firewall, or is that a "nice to
have" item?

2. Will I be able to access my Gmail account for personal email?  If not
directly or via VPN, any other workarounds?

3. How hard will it be to access things like online billpay to keep my
bills at home up to date while away (assuming my wife is travelling with
me)?

4. Is it better to get a local SIM for my phone, or use my carrier's
international plan?  Or should I invest in a local carrier hotspot and only
connect my phone via WiFi (something I've done in Taiwan)?

5. As I understand it, WeChat Pay is pretty much essential.  It can be
linked to a US credit card now (didn't used to be able to), but does anyone
have any caveats or gotchas when doing this?  Foreign transaction fees of
2% or so are typical as I understand it, but I should be able to expense
those.

6. As I understand it, Google Translate is allowed to operate there (unlike
search or maps), anyone have any experience using it?

My only experience in the AP area was a week in Taiwan, but that's a whole
different animal than the mainland.  Any advice from someone who has been
there, done that would be appreciated.  Feel free to move to direct email
if this isn't appropriate here.

Thanks,
  Jeff.

P.S. I already know I can't play Pokemon Go there.  Bummer.

===============================================================
From: Andrew Armstrong
------------------------------------------------------
I can’t answer any of those questions but just want to say how exciting that sounds.

Andrew Armstrong

===============================================================
From: Peter Goss
------------------------------------------------------
I lived and worked in China between 2009 and 2015. Things changed a lot during that time and as a China watcher ever since I know that much has changed since, and not for the better, so take what I say with that in mind.

1) VPN is a must but has its downsides. If you use a well known service (or at least known by the CCP) it will be shut down when there are times of political/social unrest or during "sensitive" time frames. If you have the technical chops, set up your own on a VPS on port 40 or 443. Have a back-up communications channel that doesn't need a VPN such as encrypted email.

2) I was not able to use Gmail without a VPN.

3) If your online bill paying is done on a web-site with a US account it should be just like being at home. Use a VPN of course but also have someone in the States who also can take care of it when VPNs

4) Local SIMs are easy to get and are usually prepaid and there are places all over the place to pay the bill. I never used an international plan so I don't know what that is like.

5) WeChat Pay was just coming into existence when I left. I always considered WeChat a "bugged" communications channel and only used it when absolutely necessary. Never talk politics on it or say anything that may reflect badly on the CCP. Delete from your contacts anyone who does.

6) No experience with Google Translate. I do speak Mandarin but my character recognition was weak so I used the Pleco app that has a character recognition feature that worked well for me. It doesn't require network access to work.

~ Peter

===============================================================
From: DaWorm
------------------------------------------------------
Thanks for the feedback.

My networking skills are pretty grim, so I don't think I can set up much of anything on my own, unless it was pretty much prepackaged. I do have ESXI on my NAS, but beyond setting up a pretty standard distro, don't take that as meaning I know what I'm doing. So setting up my own VPN or encrypted mail service is probably beyond my abilities.

Jeff

===============================================================
From: Andrew Armstrong
------------------------------------------------------
I have had very good luck with creating virtual machines using the ISO image for OpenVPN Access Server for those instances where I would prefer to have something up and running and not spending time making it work.

https://openvpn.net/access-server/

I have not been in this world for some time so there could be much better options out there and I'm interested to see what others suggest.

--
Andrew Armstrong

===============================================================
From: Dave Brockman
------------------------------------------------------
May I suggest a one-click Linode?

https://www.linode.com/marketplace/apps/linode/openvpn/

Cheers,
-Dave

===============================================================
From: DaWorm
------------------------------------------------------
OpenVPN - Not sure what that pricing structure means. Two is free, 10 is $75 a month. But what does "one" get you, one server with multiple connections, or just one connection? I'd expect to need two phones, one laptop and one tablet to be able to work, is this all "one" or is it "four"?

Linode - I don't even know what that is. Looks to be a cloud platform like Azure or AWS? As I said, pretty grim on networking and server stuff, I'm usually down in the bits and bytes. If I have nothing else on Linode, is it worthwhile signing up just for this?

The other question for either of these, is what would I be looking to do here? Is this the scenario?

Home Setup

1. Open a port in my home firewall for incoming connections. I'm on EPB, not sure what ports they have open, but between EPB and the rest of my home network, there is a Ubiquiti EdgeRouter X. I think it's blocking all incoming except Plex (at least that was my intention when I set it up, and that was about three years ago, haven't really touched it since).

2. Point that incoming port to the VPN server IP/port in the routing rules/table/whatever that's called.

3. The VPN server port then acts as a (bridge? access point? router?) to take that incoming traffic onto my home network, and send data back out the VPN.

Client Setup

1. Connect the client (laptop, phone) to public WiFi or cellular data.

2. Open VPN client and connect to my home network (but EPB isn't guaranteed a fixed IP address [right?] so now I have to do some sort of DynDNS type trickery?).

3. Now everything from the phone or laptop goes to my home network, and from there it can go back out to the internet able to access anything I can from home.

Like I said, this sort of networking is not something I've ever done. That incoming access for Plex took me several hours to get right. It took me two days to update my ESXI instance to something that would run the new Plex server (they dropped support for the 5.x I put on there five years ago).

My NAS is running Synology, is the VPN package for this worthwhile? Would it be easier to set up?

For that matter, OpenVPN is built into the EdgeRouter, I believe (maybe not EdgeRouter X?), can I use that?

Thanks,
Jeff

===============================================================
From: Andrew Armstrong
------------------------------------------------------
Two free connections to the server. If you want any more you pay. I have used it for my own needs for free for a few years but we used it for more at my last IT job.

Andrew Armstrong

===============================================================
From: Nick Smith
------------------------------------------------------
Does a linode vm come with a public ip for use with the openvpn one click?

On Fri, Jan 29, 2021 at 3:30 PM Andrew Armstrong wrote:

===============================================================
From: Dave Brockman
------------------------------------------------------
Unless you buy OpenVPN, you don't have to license it, it is OSS. IIRC, what you pay for is their management interface.

Yes, Linode is a cloud provider. $5/month for a 1-click deployment of a (free) OpenVPN server. You would know better than I how you would value that.

I'm not sure I understood that you wanted to VPN back to your house. You can also run OpenVPN directly on your EdgeRouter, and use a Dynamic DNS service to get around the dynamic IP issue. Then you connect the VPN to your EdgeRouter, and access the internal network across the VPN tunnel.

I was initially just getting you a reliable, easy VPN to bypass the Great Firewall.

Cheers,
-Dave

===============================================================
From: Dave Brockman
------------------------------------------------------
That's only if you use their management GUI. I run dozens of connections on the OSS version, no licensing required.

Cheers,
-Dave

===============================================================
From: Dave Brockman
------------------------------------------------------
It wouldn't be very useful without one....

Cheers,
-Dave

===============================================================
From: Dan Lyke
------------------------------------------------------
A decade and change ago (yeesh, was it almost two decades?), when I was visiting Hong Kong and China for work, I used SSH tunneling for the bits I didn't want to trust the local networks with.

VPNs are probably easier, but may also show up in ways that an SSH tunnel through a common port might not.

===============================================================
From: Wil Wade
------------------------------------------------------
If you have an EdgeRouter, Linode, etc.. I'd suggest WireGuard. Even a lot of services support it now as well. Might be a bit more of a learning curve, but it is fast: https://www.wireguard.com/install/

I use it to connect home and out when somewhere I want a VPN. Works fine with EPB (as long as you are not GNAT'd, but they can make sure you are not with a chat if you are)

===============================================================
From: Dave Brockman
------------------------------------------------------
As of current status, I would only recommend Wireguard if Performance is of paramount more importance than security. I also haven't seen any stats one way or the other as to the effectiveness of WG penetrating the GFoC.

Cheers,
-Dave

===============================================================
From: Sudo Bash
------------------------------------------------------
Don't get in trouble in China...

===============================================================
From: DaWorm
------------------------------------------------------
So I can pay OpenVPN to host and use their management interface, or pay Linode to host the OpenVPN and manage that way, or I can use the VPN built into my EdgeRouter.

> I'm not sure I understood that you wanted to VPN back to your house.

I didn't necessarily want to do that (although access to my Plex server would be nice), but if I do it on the EdgeRouter, I'm guessing that's just a bonus? But is doing it that way the same as doing it via OpenVPN? Or do I have to set up additional rules to take the incoming VPN connection and allow it to access the internet at large?

I appreciate the help. As I said, all of this networking stuff is not my strong suit. The idea of throwing a few pesos at the problem has a lot of merit, but I don't know that I'll learn much that way.

I've been playing with this off and on over the weekend, and here's what I've managed so far. I have set up a Dynu DDNS account, and successfully set up the EdgeRouter to update it with my current EPB IP address. I have set up an l2tp VPN on the EdgeRouter, and I can disconnect my phone from WiFi and use the mobile data to connect to the VPN. Unfortunately, after about 90 seconds, the connection drops. I've done quite a bit of googling on that and it seems a common issue, but I haven't found a solution for it.

Even with that, since my mobile data has access to pretty much everything, I have no real way of knowing if this connection would let me access things when the mobile data doesn't. If it will, then fixing the disconnect issue should be sufficient, but if all this will do is let me access my own local network, then other than learning some new things, it won't be helpful.

Jeff

===============================================================
From: DaWorm
------------------------------------------------------
I just realized that setting up an l2tp VPN server isn't the same as an OpenVPN server. Hmm, looks like more research is in order.

Jeff

===============================================================
From: Dave Brockman
------------------------------------------------------
You can buy their management interface, I'm not aware of OpenVPN providing hosting of any kind.

I can't really speak to specifics of OpenVPN configuration on the EdgeRouter. I'm an IPSEC guy :) I'm pretty sure you will have to set a configuration option or two via the CLI. I don't believe the GUI will configure "tunnel all traffic".

That's why I suggested the Linode option, you'll have a static IP address to tunnel to, and you can configure the OpenVPN options to tunnel all traffic. That's what you want to Google, "Tunnel All Traffic OpenVPN [EdgeRouter]". (EdgeRouter if you want to do it there).

Cheers,
-Dave

===============================================================
From: Dave Brockman
------------------------------------------------------
This may be of assistance:

https://help.ui.com/hc/en-us/articles/115015971688-EdgeRouter-OpenVPN-Server

Cheers,
-Dave

===============================================================
From: DaWorm
------------------------------------------------------
Just finished going through that one. Built the ovpn files for my phone. Going to test either later this evening or tomorrow.

I'm thinking this link may have what I need to push web traffic through. If not, the search I used to find it should yield other results (some are for making sure all local traffic goes out a VPN, rather than the other way around that I want, but I can filter those out).

Thanks again.

Jeff

===============================================================
From: Dave Brockman
------------------------------------------------------
You lost me there. Local traffic, by definition, should never transit, VPN or otherwise, it should be, well, local. The title of your link sounds promising. The technical phrase you are looking for is "tunnel all", although I believe the OpenVPN option is more like "redirect-gateway" or similar.

===============================================================
From: DaWorm
------------------------------------------------------
What I meant was, anything that originated on the local network that should go outside the local network should go through the VPN, not directly through the WAN interface. Whereas what I'm trying to do is have the incoming traffic over the VPN that is not intended for the local network to go out through the WAN interface. Like this:

Phone/Laptop -> VPN Client -> Filtered/Firewalled Internet -> EdgeRouter VPN Server -> EdgeRouter WAN Interface -> Open Internet

I've now got the OpenVPN client on my phone to connect to the EdgeRouter VPN server, but no data goes through. Dashboard vtun0 interface shows 0 bps Rx and Tx. Android client log shows that I connect, go through some handshaking, then after about a minute it disconnects then reconnects. Guessing this has to do with the vtun0 configuration and what's in the ovpn file, and it preventing the keep-alive (and all other) traffic from flowing properly. My local network is 192.168.254.0/24 and the vtun0 network is 172.16.1.0/24 (copy/pasted from tutorial), but I don't know if the [route], [route-gateway], [dhcp-option] or [ifconfig] options are correct, since I'm not 100% sure what they do.

OpenVPN Client Log

09:21:15.648 -- EVENT: RECONNECTING
09:21:15.655 -- EVENT: RESOLVE
09:21:15.658 -- Contacting **.**.***.***:1194 via UDP
09:21:15.658 -- EVENT: WAIT
09:21:15.661 -- Connecting to [******.mywire.org]:1194 (**.**.***.***) via UDPv4
09:21:15.754 -- EVENT: CONNECTING
09:21:15.756 -- Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client
09:21:15.756 -- Creds: UsernameEmpty/PasswordEmpty
09:21:15.756 -- Peer Info:
  IV_VER=3.git:released:662eae9a:Release
  IV_PLAT=android
  IV_NCP=2
  IV_TCPNL=1
  IV_PROTO=2
  IV_LZO_STUB=1
  IV_COMP_STUB=1
  IV_COMP_STUBv2=1
  IV_AUTO_SESS=1
  IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891
  IV_SSO=openurl
09:21:16.592 -- VERIFY OK: depth=0, /C=US/ST=Tennessee/L=Chattanooga/O=Chihuahua Chase/OU=Home/CN=server/emailAddress=daworm@gail.com
09:21:17.286 -- SSL Handshake: CN=server, TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
09:21:17.287 -- Session is ACTIVE
09:21:17.288 -- EVENT: GET_CONFIG
09:21:17.291 -- Sending PUSH_REQUEST to server...
09:21:17.354 -- OPTIONS:
  0 [redirect-gateway] [def1]
  1 [dhcp-option] [DNS] [192.168.254.254]
  2 [route] [192.168.254.0] [255.255.255.0]
  3 [route-gateway] [172.16.1.1]
  4 [topology] [subnet]
  5 [ping] [10]
  6 [ping-restart] [60]
  7 [ifconfig] [172.16.1.2] [255.255.255.0]
09:21:17.354 -- PROTOCOL OPTIONS:
  cipher: AES-256-CBC
  digest: SHA256
  compress: LZO_STUB
  peer ID: -1
09:21:17.355 -- EVENT: ASSIGN_IP
09:21:17.382 -- Connected via tun
09:21:17.382 -- LZO-ASYM init swap=0 asym=1
09:21:17.382 -- Comp-stub init swap=0
09:21:17.382 -- EVENT: CONNECTED info='******.mywire.org:1194 (**.**.***.***) via /UDPv4 on tun/172.16.1.2/ gw=[172.16.1.1/]'
09:22:17.358 -- Session invalidated: KEEPALIVE_TIMEOUT
09:22:17.360 -- Client terminated, restarting in 2000 ms...

EdgeRouter Configuration

firewall {
    ...
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description openvpn
            destination {
                port 1194
            }
            log disable
            protocol udp
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
}
...
interfaces {
    ethernet eth0 {
        ...
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        ...
    }
    ...
    openvpn vtun0 {
        mode server
        server {
            name-server 192.168.254.254
            push-route 192.168.254.0/24
            subnet 172.16.1.0/24
        }
        tls {
            ca-cert-file /config/auth/cacert.pem
            cert-file /config/auth/server.pem
            dh-file /config/auth/dh.pem
            key-file /config/auth/server.key
        }
    }
    ...
}
...
service {
    ...
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name ******.mywire.org
                    login ******
                    password ****************
                    server api.dynu.com
                }
                web dyndns
            }
        }
        ...
    }
    ...
    ...
}

I feel like I'm very close.

Jeff
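What the pushed options in the client log above do to the client's routing table, and how the timeout lines up with ping-restart, worked through as an added example (not part of the post or of the EdgeRouter tutorial it follows). The server address 203.0.113.10 and the client-side gateway 10.0.0.1 are placeholders, since the real ones are masked or not given in the thread.

```python
import ipaddress
import re
from datetime import datetime

# Three lines copied from the client log in the post (already masked there).
LOG = """\
09:21:17.354 -- OPTIONS: 0 [redirect-gateway] [def1] 1 [dhcp-option] [DNS] [192.168.254.254] 2 [route] [192.168.254.0] [255.255.255.0] 3 [route-gateway] [172.16.1.1] 4 [topology] [subnet] 5 [ping] [10] 6 [ping-restart] [60] 7 [ifconfig] [172.16.1.2] [255.255.255.0]
09:21:17.382 -- EVENT: CONNECTED info='******.mywire.org:1194 (**.**.***.***) via /UDPv4 on tun/172.16.1.2/ gw=[172.16.1.1/]'
09:22:17.358 -- Session invalidated: KEEPALIVE_TIMEOUT
"""

# Placeholders (assumptions): the real server address is masked in the post and
# the gateway of whatever network the phone is on is not given.
SERVER_IP = "203.0.113.10"
LAN_GW = "10.0.0.1"


def parse_pushed_options(log):
    """Return {option: [[args], ...]} from the 'OPTIONS:' line of the log."""
    line = next(l for l in log.splitlines() if "-- OPTIONS:" in l)
    opts = {}
    # Each pushed option is logged as "<index> [name] [arg] [arg] ...".
    for m in re.finditer(r"\d+\s+((?:\[[^\]]*\]\s*)+)", line.split("OPTIONS:", 1)[1]):
        name, *args = re.findall(r"\[([^\]]*)\]", m.group(1))
        opts.setdefault(name, []).append(args)
    return opts


def client_routes(opts, server_ip=SERVER_IP, lan_gw=LAN_GW):
    """Routes the client ends up with, as (network, next_hop, reason) tuples."""
    net = ipaddress.ip_network
    vpn_gw = opts["route-gateway"][0][0]
    addr, mask = opts["ifconfig"][0]
    routes = [
        (net("0.0.0.0/0"), lan_gw, "pre-VPN default route"),
        (ipaddress.ip_interface(f"{addr}/{mask}").network, "tun", "ifconfig"),
    ]
    for dest, dmask in opts.get("route", []):
        routes.append((net(f"{dest}/{dmask}"), vpn_gw, "route"))
    for flags in opts.get("redirect-gateway", []):
        # The encrypted packets to the server must stay on the physical link.
        routes.append((net(f"{server_ip}/32"), lan_gw, "server host route"))
        if "def1" in flags:
            # def1 leaves 0.0.0.0/0 alone and adds two more-specific halves.
            routes += [(net(h), vpn_gw, "redirect-gateway def1")
                       for h in ("0.0.0.0/1", "128.0.0.0/1")]
        else:
            routes[0] = (net("0.0.0.0/0"), vpn_gw, "redirect-gateway")
    return routes


def next_hop(routes, dest):
    """Longest-prefix match, the rule the client's IP stack applies."""
    ip = ipaddress.ip_address(dest)
    _, hop, reason = max((r for r in routes if ip in r[0]),
                         key=lambda r: r[0].prefixlen)
    return hop, reason


def silence_before_timeout(log):
    """Seconds from the push reply (last proof of server traffic) to the timeout."""
    def stamp(marker):
        for l in log.splitlines():
            if marker in l:
                return datetime.strptime(l.split(" -- ")[0], "%H:%M:%S.%f")
        return None
    reply, timeout = stamp("-- OPTIONS:"), stamp("KEEPALIVE_TIMEOUT")
    return (timeout - reply).total_seconds() if reply and timeout else None


if __name__ == "__main__":
    opts = parse_pushed_options(LOG)
    routes = client_routes(opts)
    for dest in ("8.8.8.8", "192.168.254.254", "172.16.1.1", SERVER_IP):
        print(f"{dest:16} -> {next_hop(routes, dest)}")
    gap, restart = silence_before_timeout(LOG), int(opts["ping-restart"][0][0])
    if gap is not None and abs(gap - restart) < 1:
        # ping-restart fires only when nothing arrived from the peer for that long.
        print(f"quiet for {gap:.3f}s (ping-restart={restart}s): "
              "nothing was received from the server after the push reply")
```

With these options the client already sends all non-local destinations to 172.16.1.1, so the client half of "tunnel all" is in place. The gap between the push reply and the timeout matches ping-restart, which means no packet from the server reached the client over the tunnel in that minute.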

===============================================================
From: "Mike (meuon) Harrison"
------------------------------------------------------
Chad Smith is over there right now.. He's active on FB. Chat him up.

As for VPN's.. You have friends in low places. Inquire within. But my experience is (I've been told ;) that a rando OpenVPN server/Client gets out without an issue.

Never let your laptop out of your sight and/or make sure it's locked/encrypted as far as you can stand. My hostile environment machine is "disposable" with full drive encryption and my important stuff in my home dir is also GPGtar'd. People find "housekeepers" plugging USB drives into systems in hotels/apartments and stranger things.

Hadn't travelled much in a few years, I kinda miss it now.

===============================================================
From: "Mike (meuon) Harrison"
------------------------------------------------------
Hmm.. I need to compare that to the ones I've recently built. That's useful.

The OpenVPN web management stuff is good for 2 client certs/users for free, but I've also got one pushing 20 certs that gets paid for. The web GUI theoretically allows someone besides me to manage it.

And hat tip to Dave that pushed me to OpenVPN and kick started my usage years ago on pfSense.

===============================================================
From: "Mike (meuon) Harrison"
------------------------------------------------------
I need to experiment with that. I've had some SonicWall's whose "deep packet inspection" blocks client VPN's - It might just be UDP & Port # checking. I think there are settings you can tweak (ports and more) that may disguise/obfuscate the traffic.

===============================================================
From: "Mike (meuon) Harrison"
------------------------------------------------------
Kinda. They seem to have intentionally obfuscated their website. It's really links to other entities last I looked.

===============================================================
From: Stephen Kraus
------------------------------------------------------
On my brief trip to China, my OpenVPN running on 443 made it through fine. And yeah, OpenVPN rocks.

I had issues with Wireguard making it through, though.

On Fri, Feb 5, 2021 at 9:50 AM Mike (meuon) Harrison wrote:

===============================================================
From: DaWorm
------------------------------------------------------
I know only a little about how these things work. I can change the port easily enough, maybe going from 1194 to some other UDP port, or even over TCP as suggested in this (admittedly old) blog post.

Jeff

On Fri, Feb 5, 2021 at 9:55 AM Mike (meuon) Harrison wrote:

===============================================================
From: DaWorm
------------------------------------------------------
Were you on UDP or TCP 443?

Jeff

On Fri, Feb 5, 2021 at 10:25 AM Stephen Kraus wrote:

===============================================================
From: Stephen Kraus
------------------------------------------------------
UDP.

===============================================================
From: Stephen Kraus
------------------------------------------------------
They started blocking UDP 443 shortly after I came back in 2017.

===============================================================
From: DaWorm
------------------------------------------------------
Hmm, looks like I've got more research to do then. Sigh. I know why network engineers get paid well. This stuff is hard.

Jeff

===============================================================
From: Chad Smith
------------------------------------------------------
Sorry for the delay. I just saw this.

I am currently working in Mainland China.

> 1. Do I need a VPN plan to get by the Great Firewall, or is that a "nice to have" item?

Yes you need it. If you want to use Google, YouTube, Facebook, Twitter, Gmail, Netflix, Pandora, or any "normal" internet things. You need a VPN.

> 2. Will I be able to access my Gmail account for personal email? If not directly or via VPN, any other workarounds?

You need a VPN. Full stop.

> 3. How hard will it be to access things like online billpay to keep my bills at home up to date while away (assuming my wife is travelling with me)?

You need a VPN.

> 4. Is it better to get a local SIM for my phone, or use my carrier's international plan? Or should I invest in a local carrier hotspot and only connect my phone via WiFi (something I've done in Taiwan)?

> 5. As I understand it, WeChat Pay is pretty much essential. It can be linked to a US credit card now (didn't used to be able to), but does anyone have any caveats or gotchas when doing this? Foreign transaction fees of 2% or so are typical as I understand it, but I should be able to expense those.

I've never been able to link WeChat Pay to any American accounts. I had to use a Chinese account. If you aren't planning on living here full time, you can use a friend's account if they will let you. (Each Chinese bank account can be linked to up to 5 different WeChat accounts.)

> 6. As I understand it, Google Translate is allowed to operate there (unlike search or maps), anyone have any experience using it?

I use it almost daily. But I have a VPN. That said, you can download the languages offline (English and Chinese, specifically) so that you can use it even without a VPN. That said, some features will be limited (Like, oddly, translating images stored on your phone, while live camera-based translation is functional.)

Hope that helps! And Ni Hao, new neighbor!

*- Chad W. Smith*

===============================================================
From: Chad Smith
------------------------------------------------------
Ooops, I skipped #4.

> 4. Is it better to get a local SIM for my phone, or use my carrier's international plan? Or should I invest in a local carrier hotspot and only connect my phone via WiFi (something I've done in Taiwan)?

Your carrier's international plan will be a lot more expensive. I have a local SIM here, and it costs me about 90 RMB per month for unlimited talk, text, and data on a 4G network. (90 RMB is less than $14 USD.) That did require setting up an account that is tied to my passport, and I needed a local friend's help to make that happen. There are pay-as-you-go style cards available to foreigners, but I've never used them and can't speak for their expense or to their functionality.

*- Chad W. Smith*

===============================================================
From: Chad Smith
------------------------------------------------------
One more thought - buy and install the VPN on your devices BEFORE you come here. You can get ISPs with VPN built-in, but it's not secure VPN. As in, it doesn't protect you from big brudda looking at what you are doing. It does, however, open up *some* of the normal non-firewalled internet to you.

A lot of VPNs won't work here. I've used ExpressVPN for years, and it's been the most reliable for me. If you want to sign up for an account, I can send you a link to get a free month. (Full disclosure, signing up with that link will give me a free month as well.)

In fact, (with risk of violating some forgotten or unspoken Chugalug rule), here is my referral link.

https://www.expressrefer.com/refer-friend?referrer_id=22048642&utm_campaign=referrals&utm_medium=copy_link&utm_source=referral_dashboard

probably don't need all those tracking bits....

https://www.expressrefer.com/refer-friend?referrer_id=22048642

anyway, welcome to China!

A few more tips....

Bring deodorant, it's difficult to find here, and expensive when you find it. The reason being - and this is true - Chinese people's sweat doesn't stink. Or, at least 97% of ethnically Chinese people's sweat doesn't attract the bacteria that eats most people's sweat and causes the BO odor... so deodorant isn't necessary for over 1.3 billion people here.

Set up an account on BaoPals or TBfocus. TaoBao is China's answer to Amazon and eBay and Walmart-online combined, and it's only available in Chinese. You will be told, constantly, to "Just order it from Taobao!"

Stock up on pocket tissues, hand sanitizer, and wet-wipes, because most bathrooms don't have TP or soap or paper towels. You can buy those here, though. Just always have them on you, (even on your first trip here - like on the plane, have them in your pocket).

Also, buy flip-flops / sandals / houseshoes, and take your shoes off when you enter anyone's home. (The sandals are for your own home / hotel.) One trip to a public restroom and you'll know why taking off your shoes in homes is not just a tradition.

The food is good. It's not what you think Chinese food is. Forget fortune cookies, eggrolls, General Tao, and sweet-and-sour-chicken are not things here.

Didi is like Uber / Lyft / traditional taxi service app all rolled into one. You will want an account.

Cash is very much frowned upon by most people. (At least in the cities.) There are places that straight up won't take it. You need to pay by WeChat Pay or AliPay. AliPay can be set up with an American account, so I've been told.

Most cities' public transportation is great, subways have English accountments (in my experience in South China), Buses do not.

Everything shuts down for Chinese New Year. Well, not so much this year because the government told everyone to not travel - but typically, you will want to stock up on at least a week, if not two weeks, of supplies (food, household items, consumables, etc.) prior to the shut-down date. Last year the shutdown bled into COVID, so I was very grateful to have supplies ahead of time. This year, the shutdown is meant to be a couple of days. (It just started last night, so we'll see.)

You need face masks. COVID is pretty much contained here, especially in the south, where I am. But wearing a mask is required to enter many places, and to use public transportation, including taxis and Didis.

You will be asked by perfect strangers to teach their kids English. It pays typically 250 RMB per hour.

Your temperature will be taken. Your passport will be photographed. Your movements will be recorded by your phone - regardless of what brand phone it is, what SIM card you use, or what VPN you use. Because to track and prevent COVID - you will be required to add an app to your phone to track your movement. You are coming to China. You are agreeing to this by coming here.

Memorize your new phone number, your passport number, and your address. Learn how to say wherever you are staying in Mandarin.

There is no such thing as a spoken language called "Chinese". There are dozens of spoken Chinese languages (plural). The most common and most widespread (and official language of China) is Mandarin. The second most often used is Cantonese. But nearly every region has its own traditional language, as many local villages / hometowns have their own language as well. So most people are multilingual, even though they only "speak Chinese". There is one unified written language - called simplified Chinese. Traditional Chinese is mostly used outside of mainland China. (HK, Macau, Taiwan, etc.) To function in Mainland China, you will want to focus on Mandarin and Simplified Chinese. (Most mainland Chinese people can't read traditional Chinese beyond a few characters.)

The emergency number is 119.

BE CAREFUL CROSSING THE STREET! Look both ways, multiple times, and move it when you cross. You are playing real life frogger every time. Crosswalk or no. Get used to motorcycles on the sidewalks with you at all times.

You will see people spitting everywhere, and children will be using the bathroom just like... anywhere.

There are more KFCs in China than in America. Starbucks, Pizza Hut, McDonald's, Burger King, and Papa John's are also very common. Not everything is the same, though. Biscuits don't exist here. Even in KFC. Papa John's is very different. The dough and sauce aren't the same.

Movies are cheap but you have to buy or bring your own 3D glasses (but they are also cheap).

You will walk a lot - unless you plan to Didi everywhere.

There are more malls here than you can possibly imagine. I actually live on top of a mall. Not a stripmall, or a mini-mall, or just a random collection of stores - I mean like a legit mall. Like Hamilton Place.

If you need any medicine, even simple stuff like Aspirin or Pepto Bismol or Tums - bring that with you. Enough for your whole trip, and maybe an extra 15%. And bring a proper first aid kit. I still don't know where to buy those here.

Find an English speaking hospital wherever you are going. And be prepared to pay *Up Front* for your expenses, unless you have amazing health insurance. Also, hospitals do not provide meals, even if you are there for weeks.

Enroll here: https://step.state.gov/step/ Just do it.

Hope that helps.

*- Chad W. Smith*

===============================================================
From: DaWorm
------------------------------------------------------
Thank you, Chad, that's an amazingly helpful set of responses!

I still don't know if I will be offered this job or if I will accept it if offered. But knowing these things helps me out tremendously when it comes time to make my decision.

Unfortunately, I would be in what I guess is the north, in Qingdao (Tsingtao, where the beer is from), so I don't guess I'd be able to visit if we're both there at the same time (and Covid has passed, of course).

Thank you!

Jeff

===============================================================
From: "Mike (meuon) Harrison"
------------------------------------------------------
DaWorm: If the two of you are within mainland China and touch base in any way we should count it as a Chugalug meetup in Mainland China. ;)

===============================================================
From: DaWorm
------------------------------------------------------
Only if Chad becomes president afterwards!

On Sun, Feb 14, 2021 at 8:10 PM Mike (meuon) Harrison wrote:

===============================================================
From: Chad Smith
------------------------------------------------------
I'm in. I will likely be here for a while.

*- Chad W. Smith*