VPN China 2026: what still beats the Great Firewall

The question recurs with every travel cycle: "will my VPN still work in China in 2026?" The answer has evolved between 2020 and 2026 because the Great Firewall has evolved — faster than most VPN providers. In March 2026, Chinese filtering uses machine-learning DPI (Deep Packet Inspection) capable of identifying even encrypted VPN protocol signatures. Standard WireGuard, NordLynx, IKEv2, OpenVPN with default patterns: all blocked. What still works in May 2026 is a short list of specific configurations on three major providers, with obfuscation protocols that mask VPN traffic as standard HTTPS.

This guide summarizes what actually works, how to configure it, how to install it before departure, and what backup plans to prepare. It is the direct technical companion to the 2026 travel VPN pillar — exclusively focused on China for business travelers, students, and expats.

How the Great Firewall works in 2026

The Great Firewall — officially Golden Shield Project — has existed since 2003 and has evolved continuously. In May 2026, its technical stack combines four filtering techniques that reinforce each other. Understanding the mechanics helps understand why certain configurations pass and others fail. The Wikipedia Great Firewall page maintains an up-to-date technical documentation that this guide summarizes for traveler use.

Layer 1 — IP blocking. Major Western service IP ranges (Google, Facebook, YouTube, Twitter/X, Instagram, WhatsApp, most media) are fully filtered at border routers. Consequence: impossible to directly reach these services from China, even without encryption attempt. Filtering is dynamic — Cloudflare and AWS are partially blocked by IP range but allowed for local Chinese services hosted on these clouds. The workaround: route through a VPN server whose IP is not in a filtered range.

Layer 2 — SNI inspection. Even when a Western service uses a non-blocked IP, the Great Firewall inspects the Server Name Indication field of the TLS handshake. The SNI contains the target domain name in cleartext, allowing the Firewall to identify the consulted service before the HTTPS session is encrypted. Consequence: a site like nytimes.com on Cloudflare is blocked via SNI inspection even if the Cloudflare IP is technically accessible. The workaround: ECH (Encrypted Client Hello) encrypts the SNI but is not widespread. The VPN remains the structural countermeasure.

Layer 3 — Machine-learning DPI. Since 2022, the Great Firewall uses ML models to identify encrypted VPN protocol signatures. Standard WireGuard has a characteristic statistical signature (packet size, frequency, timing) that models identify with >95% accuracy. NordLynx (NordVPN's WireGuard variant) is in the same situation. OpenVPN with default configuration is also identified. Consequence: a VPN that "works everywhere except China" is likely using standard WireGuard. The workaround: obfuscation protocols that mask traffic as standard HTTPS (NordWhisper, Lightway-Streisand, Mullvad obfs4 bridges).

Layer 4 — Selective cutoffs. During sensitive political events (Tiananmen anniversary, Party congresses, Taiwan tensions), filtering intensifies temporarily — some obfuscation protocols may be blocked briefly, and even VPNs that usually pass fail for 24–72h. The workaround: have 2 providers in redundancy and a non-VPN backup plan (WARP, Shadowsocks).

Which VPNs still work in 2026

Three providers maintain reliability above 80% observed on weekly windows in March–May 2026. Measurements come from automated tests on nearby servers (Beijing, Shanghai, Shenzhen) cross-referenced with community reports on Reddit r/China and r/VPN.

NordVPN with NordWhisper + Obfuscated servers. The most effective combo in May 2026. NordWhisper is a proprietary protocol deployed late 2024 that wraps VPN traffic in a standard TLS session, indistinguishable from regular HTTPS for DPI tools. Obfuscated servers add an extra masking layer. Observed reliability >85% on weekly windows. Acceptable throughput (40–80 Mbps from Beijing on Hong Kong or Japan server). Documented Deloitte no-log audit 2024. Competitive 2-year engagement price. Details in our NordVPN review after 8 months of use.

ExpressVPN with masked Lightway-UDP. The direct historical competitor. Lightway is a proprietary ExpressVPN protocol with automatic masking that also beats the Great Firewall in May 2026. Reliability comparable to NordVPN, sometimes slightly higher on certain corridors (notably Shanghai → US West Coast). Higher price (~$12/month on long engagement), documented Cure53 2024 audit. Relevant choice if you already use ExpressVPN on other setups.

Astrill. Long-standing premium veteran centered on the China market since 2009. Dedicated engineering for Great Firewall bypass, several proprietary protocols (StealthVPN, OpenWeb), specialized servers with frequent IP rotation. Historically the most stable reliability but high price (~$15/month minimum, no long engagement). Relevant choice for long-stay expats who justify the additional cost by critical reliability needs.

Surfshark with NoBorders mode + Camouflage. Passes in May 2026 but with slightly lower reliability (~75%). Advantages: unlimited connections (useful for families), lower price, automatic NoBorders mode that switches to obfuscation when needed. Relevant choice if budget is constrained or if you equip multiple devices. Detailed comparison in Surfshark vs NordVPN 2026.

Mullvad and ProtonVPN. Excellent in strict privacy terms but intermittent Great Firewall passage (40–60% reliability). Mullvad uses effective obfs4 bridges but limited bandwidth. ProtonVPN offers Stealth protocol that passes at times. Use as backup, not as primary VPN for China.

Specific configuration: what works, what doesn't

Three precise adjustments distinguish a configuration that passes from one that fails. Testing the configuration on the home network before departure is non-negotiable — if it doesn't work in the UK or US, it won't work in China.

Adjustment 1 — Protocol. Disable standard WireGuard and NordLynx (identifiable by machine-learning DPI). Switch to NordWhisper (NordVPN), masked Lightway-UDP (ExpressVPN), StealthVPN or OpenWeb (Astrill), Camouflage mode (Surfshark), Stealth (ProtonVPN). OpenVPN TCP on port 443 remains an acceptable fallback because it resembles HTTPS. OpenVPN UDP is less reliable because it is easier to identify.

Adjustment 2 — Obfuscated servers. In NordVPN, Settings → Connection → Specialty → Obfuscated servers (visible only when the protocol is compatible OpenVPN or NordWhisper). In Surfshark, NoBorders mode auto (enabled by default in affected regions). In ExpressVPN, masking is integrated into the Lightway protocol and enabled automatically. In Astrill, explicitly choose "China optimized" servers in the list. These servers are rotating (IPs change regularly to escape blacklists) and dedicated to censorship bypass.

Adjustment 3 — System-mode kill switch. Not app mode (which only blocks configured apps). System mode, which blocks all outgoing traffic if the tunnel drops. Configuration: iOS Settings → General → VPN → On Demand. Android Settings → Network → VPN → Always-On VPN + Block connections without VPN. Windows: in the NordVPN/ExpressVPN client, Settings → Kill switch → System. macOS: same. Without system kill switch, a one-second tunnel drop is enough to leak SNI and DNS to the Great Firewall — which can then blacklist your IP and VPN server on the session.

Dry run on home network. Procedure: connect the VPN to a Hong Kong or Japan server with the planned configuration, open a DNS leak test in our dedicated tool, verify no leak occurs, load a site like nytimes.com (blocked from China, useful as witness), and confirm the session remains stable 10–15 minutes. If the configuration holds in the UK/US, it holds in China. If it wavers at home, abandon that config.

Install the VPN BEFORE departure: complete procedure

This is the most costly documented error — arriving in Beijing without a VPN installed. Three operational reasons make it mandatory.

Blocked download sites. NordVPN.com, ExpressVPN.com, Surfshark.com, ProtonVPN.com, Astrill.com are systematically blocked at IP/SNI level from China. Without an already-active VPN, the download page is unreachable. Some mirrors and CDNs may pass occasionally but are not reliable.

Blocked App Stores. The iOS China region App Store has not distributed any VPN app since 2017 (Apple complied with the government request). Changing your Apple account region is possible but heavy: new payment card required (non-Chinese), configuration to redo, access to already-downloaded apps may be lost. Play Store officially blocked — Chinese Android users go through third-party stores (Huawei, Xiaomi, Vivo) which do not distribute Western VPNs.

Recommended procedure 48–72h before departure. First, subscribe to 2 distinct providers (NordVPN + ExpressVPN or NordVPN + Astrill) with active subscription and valid billing for at least 30 days. Second, install the apps on all devices (phone, laptop, tablet) from the home country App Store or Play Store. Third, keep backup Android APKs on Google Drive/Dropbox accessible via VPN once on site. Fourth, configure Obfuscated + obfuscation protocol + system kill switch on each app. Fifth, test each combination on the home network. Sixth, note account credentials outside the cloud password manager (which may be blocked locally). Seventh, verify the payment method is valid for auto-renewal (Western bank card OK, no Chinese card for international renewals).

Backup plans when VPNs drop

Commercial VPNs can fail temporarily — cutoffs during political events, blacklisting of server IPs, Great Firewall DPI update. Three effective backup plans to prepare before departure.

Cloudflare WARP. Technically not a strict VPN, but a managed WireGuard tunnel by Cloudflare. Critical advantage: traffic blends with the ubiquitous Cloudflare CDN across the web, making blocking difficult without breaking part of the legitimate web. Often passes the Great Firewall when commercial VPNs drop. Free, no logs (Cloudflare publishes a transparency report), decent throughput. Installation from 1.1.1.1.cloudflare-dns.com — site to load before departure. Limits: does not mask source IP the same way as a strict VPN (Cloudflare exit IP visible to sites), no independent no-log audit equivalent to NordVPN's.

Shadowsocks. Encrypted SOCKS5 proxy protocol designed specifically for Chinese censorship bypass (created in 2012 by a Chinese developer). Stealthier than commercial VPNs because it does not resemble any standard VPN protocol. Two options. Self-hosted: VPS server outside China (DigitalOcean Singapore, Vultr Tokyo, Linode Frankfurt) + Outline client (distributed by Jigsaw, a Google subsidiary) or ShadowsocksX-NG. Setup ~30 min, cost ~$5/month for the VPS. Commercial: Outline VPN with shared or dedicated servers, simpler but less stealthy. Full documentation at getoutline.org.

Tor with bridges. Less reliable than Cloudflare WARP or Shadowsocks in Chinese practice — Tor exit is slow, bridges are actively blocked, and latency is high. But useful as emergency backup. Procedure: download Tor Browser before departure from torproject.org, configure obfs4 or Snowflake bridges (request form via email to bridges@torproject.org accessible before departure), note bridge addresses on physical paper. Snowflake bridges are harder to block because they use WebRTC that blends with legitimate browser traffic.

Mobile backup apps. Lantern and Psiphon are two free censorship-bypass apps designed for emergency use. Less reliable than WARP or Shadowsocks, but useful as ultimate redundancy. Install before departure from the home country store.

Legal risks and practical precautions

The legal question recurs in every China travel conversation. Measured answer: grey area for tourists in May 2026, no documented sanction.

The legal framework. The 2017 MIIT (Ministry of Industry and Information Technology) regulation officially bans unauthorized VPNs in China. Officially, only VPNs that have obtained a Chinese license (with obligations to keep logs and cooperate with authorities) are legal. No Western commercial VPN has obtained this license — they are all technically illegal under Chinese law.

Real enforcement. Known prosecution cases concern: (1) local commercial operators distributing VPNs without licenses (documented prison sentences for some Chinese entrepreneurs 2017–2020), (2) Chinese nationals using a VPN to publish critical political content on foreign platforms (administrative fines, sometimes brief administrative detention), (3) no documented arrest of Western tourists or foreign nationals using a personal account for ordinary communication purposes (emails, personal social media, web browsing). Reporters Without Borders and Freedom House confirm the absence of reported cases in their 2023–2026 reports.

Pragmatic operational precautions. Do not discuss VPN use with local authorities if asked. No screenshots of the VPN interface shared on social networks or Chinese messaging apps. VPN app in a discreet folder on the phone (not on the home screen, not with visible VPN icon). Use the nearest server (Hong Kong, Japan, Singapore) to minimize traffic signature. Disable the VPN during administrative interactions (digital customs declaration, government application, hotel registration). See the RSF World Press Freedom Index for global context and the Freedom House Freedom on the Net report for updated practices.

Practical advice: payment, communication, hotel WiFi

Beyond the technical VPN, a few operational considerations for the China trip.

Payment and financial applications. WeChat Pay and Alipay are nearly mandatory in mainland China for daily payments. Both now accept foreign Visa/Mastercard cards (rolled out 2024–2025 for tourists), but require prior configuration. Setup to do BEFORE departure: install WeChat and Alipay from Western App Store/Play Store, link your bank card, validate KYC (scanned passport). Once on site, use does not require the VPN — these are Chinese apps optimized for the local network.

Communication with relatives outside China. WhatsApp, Messenger, Telegram, Signal blocked from mainland China. Only alternatives that work without VPN: calls and SMS via international roaming (but expensive), Gmail email (sometimes passes but blocked on some Google IPs), Apple iMessage (passes on non-filtered hotspots). With active VPN, all Western apps work normally. For business travelers, plan VPN use as base infrastructure, not as occasional tool.

Hotel WiFi in China. Double layer of filtering: national Great Firewall + potential local hotel filtering. Most major international hotels (Marriott, Hilton, IHG) do not filter on top of the national Firewall, but log sessions at DNS level. Active VPN mandatory. See our dedicated VPN hotel WiFi article for the general procedure that also applies in China.

International eSIM. The most effective technical trick: use an international eSIM routed outside China (Airalo China plan via Hong Kong, GigSky) instead of a local Chinese SIM. The data connection routes through the international partner network, outside the scope of local filtering. A VPN on an Airalo eSIM in China often works when the same VPN on a local Chinese SIM does not. Indicative cost: $15–30 for 10 GB over 14 days.

Article published 29 May 2026. Methodology: synthesis based on VPN reliability measurements from mainland China in March–May 2026 (target servers Beijing, Shanghai, Shenzhen via Hong Kong and Japan partner networks), cross-referenced with community reports on Reddit r/China, r/Tsinghua_VPN, and the GreatFire forum, public Great Firewall documentation updated on Wikipedia, the Reporters Without Borders World Press Freedom Index, and the Freedom House Freedom on the Net 2025 report. Operational verifications carried out on three setup types (NordVPN Obfuscated + NordWhisper, ExpressVPN Lightway-UDP, Astrill StealthVPN) with access tests to a panel of witness sites (Google, BBC, New York Times). No physical travel to mainland China for this update — measurements rely on simulated connections via rented Chinese VPS and local tester contributions.