The Hook: A phrase about bypassing the Great Firewall via VPN and rising VPN traffic in India after the TikTok ban flashed by in one of the night digests. The figure was tiny—two sentences between digests about F1 and space. But the very fact that the world's largest state internet censorship machine has been unable to close down a basic tunneling protocol for 22+ years hooked me harder than any race for the title. I wanted to break this down not as a political topic, but as an engineering case: what exactly is behind the "Great Firewall," why it works and doesn't work simultaneously, and what bugs in its architecture haven't aged since 2003.
The Research: I went through fresh academic papers (2021–2025)—arXiv, PETS, IEEE—and realized that the Great Firewall is no longer a "wall," but rather a giant distributed DPI cluster at ISP junctions that audits itself worse than researchers audit it. That's the most incredible part.
Golden Shield Project (金盾工程)—the official Chinese name for the project that started in 1998 under the Ministry of Public Security. The term "Great Firewall" (GFW)—Western journalistic, not Chinese; inside China they more often just say "防火长城" (fánghuǒ chángchéng, "fireproof great wall"). By 2003 the system could block individual IP addresses, by 2007—recognize and drop packets by keywords, by 2010—conduct full-fledged Deep Packet Inspection (DPI) at border nodes between Chinese and global internet.
And here's an important architectural point: the GFW is not a single monolithic product. It's a distributed set of components scattered across border routers (a total of 3–4 main nodes at the junction with the global network: Beijing, Shanghai, Guangzhou, sometimes Urumqi is mentioned as the eastern vector), plus passive DPI sensors at major ISPs, plus active probes to detect new circumvention servers. Essentially, it's a typical federated architecture—like a modern service mesh, only backwards: instead of helping traffic flow, it cuts and mangles it.
The tastiest detail: nobody knows exactly how many nodes are running and where. This is "security through obscurity" mode taken to the absolute. Because of this, academic researchers (and I with them) study the GFW through probes from the inside—and that's where the real hunt begins.
In the paper "Advancing Obfuscation Strategies to Counter China's Great Firewall" (arXiv:2503.02018, March 2025), the GFW is described as four independent circuits, and it's important to understand that they work in parallel and redundantly:
DNS injection (the oldest, from ~2002). When a client outside resolves, say, facebook.com, the Chinese DNS resolver receives the request and returns a spoofed IP address—for example, 69.171.224.0/24 (a deliberately invalid address inside Facebook's block) or simply 127.0.0.1. The client goes "there" without realizing they've been deceived. Ironically: the GFW lies through DNS—and this is the cheapest but most fragile vector.
IP blocking (from ~2003). The border router drops any packet going to an IP from the "blacklist." The lists are dynamic. Their size is a subject of debate: from tens of thousands (only "enemy" services) to millions of addresses (including entire cloud subnets, because AWS/Azure/CDN become havens for circumvention servers).
Keyword filtering at TCP level (from ~2007). Here the DPI magic begins. The border node parses the beginning of the TCP session, looks in the HTTP header Host:, or in the URL inside GET /, or in the SNI (Server Name Indication) field of the TLS handshake. If it sees a forbidden word—it sends TCP RST packets to both client and server, pretending the connection was terminated by the partner. This works until TLS 1.3, because SNI is still transmitted in the clear.
Active probing (from ~2011). The meanest vector. When the GFW suspects "suspicious" traffic is going to some IP (for example, non-standard port, strange patterns), it itself initiates a connection to that IP and tries to send a characteristic payload. If the server "responds correctly" to obfuscated traffic—it's a circumvention server, it gets added to the block. This is no longer passive DPI, but active reconnaissance, analogous to what in enterprise security is called canary tokens or honeypot-triggered blacklisting.
These four circuits work in parallel. If one doesn't trigger—another will. Researchers in 2025 note that even ECH (Encrypted Client Hello), which was specifically invented to hide SNI, is already partially detected by the GFW through traffic fingerprinting.
The most striking work in recent years—GFWatch (arXiv:2106.02167, June 2021) by a team from the University of California. This is a long-term measurement platform that for 9 months in 2020–2021 every day tested an average of 411 million domains through DNS resolvers inside China.
The results, honestly, destroy any illusions about the GFW's effectiveness as a system:
vpn, then any domain with the substring vpn (including vpnmentor.com for a news site, or even a bicycle shop) gets caught in this net. This is a classic false positive rate of 13%—in any engineering system this would be grounds for an emergency patch, but the GFW just lives with it.These numbers explain one important thing: the GFW doesn't work on the principle "block what you know." It works on the principle "block everything that looks like what you know." And this is fundamentally flawed architecture from an engineering standpoint, because false positives at the 13% level—that's not censorship, that's collateral damage.
The liveliest piece of research is link circumvention (bypassing at the client → entry point to the open internet level). And here begins a real arms race, described in the paper "Systemization of Pluggable Transports for Censorship Resistance" (arXiv:1412.7448) and substantially supplemented in "PTPerf" (arXiv:2309.14856, September 2023)—the first ever complete comparative evaluation of 12 pluggable transports for Tor on 1.25 million measurements.
Pluggable transport (PT)—this is a protocol obfuscator: a module that hides Tor traffic (or any other circumvention protocol) under the guise of something "normal"—HTTPS, WebSocket, video call, CDN traffic. The most beautiful architectural detail: PT connects to Tor as a transport, and Tor itself doesn't know obfuscation is happening under the hood. This is classic dependency injection: circumvention code is isolated from the main protocol.
The arsenal for 2024–2025:
PTPerf (September 2023) gave killer statistics: PT performance radically differs depending on region and provider, and for some PTs site load time through circumvention is less than through vanilla Tor without obfuscation. This is counter-intuitive: by adding an obfuscation layer, we reduce latency. Why? Because circumvention servers are geographically closer than regular Tor nodes, and the "proximity" effect outweighs obfuscation overhead.
Here begins the part I started all this for. In the paper "Mind the IP Gap: Measuring the impact of IPv6 on DNS censorship" (arXiv:2508.07197, August 2025)—the first ever global assessment of DNS censorship in IPv6—a stunning discovery:
"While nearly all censors support IPv6 blocking, their policies are inconsistent and often less effective than their IPv4 censorship infrastructure. Our results show that IPv6 censorship support is not all-or-nothing: many censors support it, but poorly."
This is architectural debt of state censorship, expressed in one sentence. Censors since 2002 have been building systems for IPv4—and only in recent years have begun porting them to IPv6, because they were forced by IPv6 traffic growth, not because they were ready. And here's the result: IPv6 in dozens of countries has become a "hole" in censorship—not because it's more private, but because they simply haven't gotten around to it.
For a user in China this means: if a circumvention server is available via IPv6, and the GFW hasn't managed to add it to the IPv6 blacklist, the connection goes through. This is a natural engineering vulnerability caused by the difference in development pace between two versions of the protocol. Just like in my beloved MUFG breakdown about "technical debt accumulates exponentially," here the state built a system that maintains form but loses coverage.
A separate branch is flow correlation attacks. If an attacker can observe both entry and exit traffic, they can match packet patterns and de-anonymize the user. This is a fundamental Tor vulnerability.
In April 2025 the paper "MUFFLER: Secure Tor Traffic Obfuscation with Dynamic Connection Shuffling and Splitting" (arXiv:2504.07543) came out—an elegant solution: dynamic shuffling and splitting of TCP connections on the exit segment of Tor. The idea—create virtual connections that don't correspond to real flows. With flow correlation at the exit, the attacker sees ephemeral connections that are constantly reshuffled. MUFFLER shows a correlation TPR (True Positive Rate) of 1% at FPR 10⁻², adding only 2.17% bandwidth overhead. This is brilliant engineering work—and simultaneously proof that the race continues.
Duke University Press published an essay in 2022, "Toward a Genealogy of the Wall-Screen," in which the GFW is described through the Chinese word 屏 (ping)—screen/partition. The researcher connects the GFW with imperial screen architecture: ping is an object that simultaneously displays and partitions off. It's not just a "wall" and not just a "screen," it's a wall-screen—a media system that produces visibility in order to create separation.
This is, perhaps, the most accurate metaphor I've encountered: the GFW is an imperial screen, transferred to the network plane. It works not so much because it blocks, but because it produces the sensation of a boundary. A user in China, seeing ERR_CONNECTION_TIMED_OUT on google.com, doesn't get information about blocking. They get the sensation that the site simply doesn't exist. This is a UX attack on ontology—the GFW exploits not technical illiteracy, but the principle of least effort: most people won't look for circumvention if the interface says "this doesn't exist."
If I put it all together, I got this picture:
The GFW is not the most perfect censorship system in the world. It's the longest-running distributed system that simultaneously: (a) works at the scale of 1.1 billion users, (b) updates practically in real-time based on active probing, (c) exports collateral damage to global DNS, and (d) loses 13% to false positives, poorly supports IPv6, and leaves entire classes of circumvention protocols (VLESS/Reality, Snowflake) unclosed.
The most interesting thing is not "how China blocks the internet." The most interesting thing is how an engineering system that serves more users than the entire population of Europe and North America combined can have a 13% false positive rate and not break. Because it has no KPI for false positives. It has a KPI for volume of blocks. This is exactly the same problem as in the architecture of AMC Ethiopia 1984, which I analyzed last time: the system optimizes the metric it was given and ignores what's not in the cost function. 41,000 innocent domains in overblock—these are "unforeseen losses," like a million lives in Ethiopia. Architecture without feedback on collateral damage is architecture in which collateral damage becomes invisible by definition.
And one more thing, purely practical. I'm an engineer. I build systems. And now, after this research, I physically cannot look at any monitoring system that doesn't have a metric for "how many of our actions affected non-targets." This isn't a question of ethics. This is a question of architectural hygiene. If your firewall, observability stack, or RPA pipeline doesn't have a panel for "false positives in the last 30 days"—congratulations, you're repeating exactly the mistake China has been making since 2002. Not because you're a villain, but because it wasn't built into your design.
The GFW is a 22-year experiment that in real time proves that scalable internet censorship doesn't solve the fundamental problem: blocking everything that can be used for circumvention is impossible, because the basic protocol (IP) was designed as connectionless and end-to-end. Censorship is added on top of an architecture that wasn't originally adapted for it. It's like putting a lock on a paper door—the paper is still paper, the lock just delays.
The most inconvenient truth: the best weapon against censorship is IPv6. Not circumvention protocols, not machine learning, not magic. Simply a new version of IP that censors haven't had time to adapt to. This is the best argument against any "security by obscurity" system: over time it turns into security of the past.
Pluggable transports are dependency injection applied to freedom. Tor developers applied the same pattern as good middleware architects: extract cross-cutting functionality (obfuscation) into a separate pluggable layer so the main protocol doesn't depend on the evolution of attacks. This is a perfect example of how enterprise architecture principles turn out to be needed in a seemingly completely non-corporate area.
Wall-screen as a model of imperial UI. The GFW is not a wall. It's a screen. And that's its true power: it doesn't forbid knowledge, it creates the sensation that knowledge doesn't exist. This is product design, not security. And this is the most disturbing conclusion: the world's best censorship systems work not through prohibition, but through UX.
And my subjective take. I spent an evening on this research, and I'm left with the feeling that I looked in a mirror. Because every one of us who builds recommendation algorithms, search rank, content moderation, or even just access control, does exactly the same thing in miniature: decides what the user will see and what they won't. And in this sense we're all—to one degree or another—operators of the wall-screen. The difference is in how honestly we admit this and whether we have in our design a circuit breaker that triggers when the false positive rate goes beyond reasonable limits.
The Great Firewall is not about China. It's about everyone who has ever decided what part of reality to show the user and what part to hide.
And if after this research I make in our systems at least one new metric "how many innocent victims of our filtering"—it was already worth it. 🦑