Updated: Aug 26, 2022
Yes, seriously - this is something I had to figure out recently, and actually has a super simple solution to an otherwise annoying issue. Lets start from the beginning.
What is conditional access?
Conditional access, and in particular the “named locations” feature that comes as a part of conditional access is a feature of Microsoft 365 under one of the tenancy plans (I can’t remember exactly which plan, but pretty sure it’s the Azure AD P2 plan? - Correct me if I’m wrong) that blocks access from specified countries or cities into the Microsoft tenancy for that organisation. This also works against VPN’s, annoyingly, otherwise my super simple even easier fix to this problem would be to simply just run a VPN, and in any case, VPN’s don’t work a lot of the time in China, which is where my connection is going to be coming from into these organisations that have their location set in conditional access to block anything outside of Australia.
So, what’s the solution to getting around conditional access, as well the great firewall of China? Let’s first talk about why I need to achieve this.
Why do you need to bypass it?
For those of you who know me well enough, you would know that I have been trying to get to China so that my wife can see her family, friends, and so we can both travel around and see some of South East Asia without having to fly for long periods of time just to get outside of Australia. While we base ourselves for a few years in China though, I need to have access to be able to work, and one condition of being able to work remotely is to be able to access the systems I can usually access from Australia, as if I was here.
Besides this, I also want to be able to use the normal systems I use in Australia like discord, twitter, Instagram etc. while living over there, and while I have my own SOCK5 Proxy VPN setup on my phone, computer and iPad, connections using the SOCK5 proxy in china are increasingly being shut down by the firewall, which for me is unacceptable, as I need a reliable and fast connection to be able to work from as well. All of these requirements need a solution, which we’ll get to in a moment.
The Great Firewall of China (GCFW)
Below is a snippet from Wikipedia showing what is blocked and why on the GCFW;
In addition to previously discussed techniques, the CAC is also using active probing in order to identify and block network services that would help escaping the firewall. Multiple services such as Tor or VPN providers reported receiving unsolicited TCP/IP connections shortly after legitimate use, for the purported purpose of network enumeration of services, in particular TLS/SSL and Tor services, with the aim of facilitating IP blocking.
For example, shortly after a VPN request is issued by a legitimate Chinese VPN client and passes outbound though the Great Firewall to a hidden VPN IP, the Great Firewall may detect the activity and issue its own active probe to verify the nature of the previously unknown VPN IP and, if the probe confirms the IP is part of a blacklisted VPN, blacklist the IP. This attack can be circumvented with the Obfs4 protocol, which relies on an out-of-band shared secret.
The Great Firewall scrapes the IPs of Tor and VPN servers from the official distribution channels, and enumerates them. The strategy to resist this attack is to limit the quantity of proxy IPs revealed to each user and making it very difficult for users to create more than one identity. Academics have proposed solutions such as Salmon.
Dynamic IPs are quite effective to flush out from blacklists.
The solutions to all of these restrictions on access is actually quite simple really. I’ll bullet point it below then go over how each step works.
SOCK5 Proxy for general use (not work) - https://github.com/shadowsocksrr/shadowsocksr-csharp/releases
RDP access to a google cloud server
TeamViewer Access - http://teamviewier.com/
RustDesk Access - https://rustdesk.com/
BaiduCloud VPS with RDP and IPSEC tunnel to Google Cloud Server
Another SOCK5 Proxy on rotating connections
How this works in the end is that on my computer in China, I connect using my initial SOCK5 proxy. This triggers a seconday SOCK5 connection, and after 15 minutes the initial connection changes to the secondary and the flow continues like this. There are 15 individual proxies connected across both aws and gcloud to achieve this.
From there, I connect up to my gcloud server (Server 2022), and have the option to connect via VPN or yet another sock5 proxy, or to just use that raw connection to whatever it is I need to do. Simples!
I have tested this connection out thoroughly with friends and family living in China and am happy to confirm it works like an absolute dream. Success at last!