In April 2026, several popular VPN services went dark in mainland China within a two-week span. The most notable casualty was LetsVPN — a service expats had recommended for years — which admitted it could no longer bypass the firewall, froze accounts, and began issuing refunds. Travelers arrived with pre-paid subscriptions and found themselves cut off from Gmail, WhatsApp, and corporate email. That's the reality of the internet in China: any VPN works only until the next censorship update. So choosing which VPN to buy is half the battle; the other half is planning what you'll do when it stops connecting and its website is blocked. This page covers both.
When Netflix geo-blocks content, it checks your IP against a blacklist — any cheap VPN gets around that. The Great Firewall is a national traffic-filtering system at the borders of the country's network, and it hunts VPNs with three mechanisms.
The GFW inspects transit packets for signatures and handshake patterns unique to VPN protocols — a standard OpenVPN or WireGuard handshake is instantly recognizable. Once detected, the connection is dropped, and repeat attempts get the server's IP blocked entirely.
If a server behaves suspiciously, the GFW connects to it, masquerading as a normal web browser. A legitimate web server returns a page and an SSL certificate. A VPN server usually reveals itself — an error, silence, or an atypical response — and gets an immediate IP block. Active probing is what compromised Shadowsocks, which previously excelled at hiding from passive inspection.
When you request a blocked website, the firewall intercepts the DNS query and returns a fake IP. The page silently fails to load — which is exactly why downloading apps or config files from inside the country is so hard.
The GFW blocks entire IP ranges belonging to popular hosting providers — AWS, DigitalOcean, Hetzner. That makes the "just run your own VPN on a cheap VPS" plan impractical: the IP block may be in place before you've even configured the server.
Encryption alone is no longer enough — unrecognized encrypted traffic is itself a red flag for DPI. What works in 2026 is mimicry, plus the operational basics people forget to check.
The current gold standard is the VLESS protocol with XTLS Reality on the Xray core. When the GFW probes the server, it gets redirected to a major public website (say, microsoft.com) and receives Microsoft's real SSL certificate — to the firewall, the server looks like a harmless website. Only users holding a pre-shared key get tunneled. XTLS-Vision completes the disguise: it reshapes packet sizes and latency patterns after the handshake so the traffic profile matches regular browsing. Commercial VPNs use similar proprietary techniques — Astrill's StealthVPN, Proton's Stealth.
The GFW blocks VPN provider domains, account portals, payment gateways, and download pages first. Check whether your provider has a working mirror for China (like Astrill's getastr.com) or a primary site that stays unblocked — otherwise you can't renew or re-download once you're there.
A classic failure: you renew from China, and your bank flags the transaction — a payment to an offshore entity from a Chinese IP looks like fraud. Backup options like cryptocurrency (USDT, Bitcoin) or regional methods (Alipay, UnionPay) resolve this.
Within the Xray ecosystem the standard clients are Happ or Shadowrocket on iOS, Happ or v2rayNG on Android, v2rayN on Windows, and Clash Verge Rev for advanced desktop routing. A good provider delivers the subscription as a single URL that imports into any of them.
Enforcement intensifies in waves around national holidays and political events. A support team that rolls out new server nodes within 24 hours is the difference between a bad evening and a dead week.
Everything on this list is dramatically easier before you cross the border.
Create the account, process payment, install the clients, run a test connection. Doing any of this from inside China is possible but harder — do it from your couch instead.
All VPN apps have been removed from the Chinese App Store. If your Apple ID is set to mainland China, change the region or create a secondary account (US or Europe) before traveling. Details in the iPhone setup guide.
Google Play is blocked in China. Download the .apk installers from your provider's website and save them directly to your device. Details in the Android setup guide.
Subscription URLs, config files, account credentials — store them in a notes app or password manager that works offline. DNS poisoning makes fetching them later unreliable.
Phone, laptop, tablet — each one, before the flight. A client you haven't launched yet is a client that will need a download you can't make.
Travel eSIMs (Airalo, Holafly, Nomad, Trip.com) route traffic outside the GFW — your emergency channel for downloads, payments, and support. More on why this works below.
Unrelated to VPNs, but essential: mobile payments run daily life in China. Register and complete passport verification before your trip.
Already there and locked out? Work through these in order.
Expected behavior — provider domains are the first thing the GFW blocks. Use the provider's mirror domains, connect via a roaming eSIM, or email their support address: foreign mail servers often work without a VPN.
Switch servers, change protocols in the app settings, toggle between Wi-Fi and mobile data — different Chinese ISPs (China Telecom vs China Mobile) enforce different filtering. Update your subscription in the client to pull fresh server IPs. If the provider has suffered a full outage, you need the backup channel — the eSIM.
Roaming data routes through Chinese carrier networks straight to the home carrier's servers abroad (Hong Kong, Singapore, the US) before touching the open internet — it passes the GFW unfiltered. With an eSIM active you can download a new client, pay, and import profiles, then switch back to Wi-Fi + VPN to save data. Caveats: roaming is expensive (don't tether the laptop for long), hotel Wi-Fi is still filtered (see the hotel Wi-Fi guide), and if your eSIM routes via Hong Kong, TikTok won't work — it doesn't serve Hong Kong IPs.
If your card is declined, use a provider that accepts cryptocurrency or Alipay. Crypto is the most reliable way around payment-processing blocks.
GFW filtering changes fast — check recent user reports (the monthly VPN threads on Reddit's r/chinalife) before purchasing. Status below as of July 2026.
| Provider | Obfuscation | Status in China | Price |
|---|---|---|---|
| IT CRP (our service) | VLESS + Reality, XTLS-Vision | Active; website, portal, and payments reachable from inside China | $9/mo · free 1 GB trial key |
| Astrill | StealthVPN, OpenWeb | Highly stable; mirror getastr.com works from inside China | From $12.50/mo (2-yr plan), $30 month-to-month |
| ExpressVPN | Lightway | Frequent drops during peak evening hours and holidays | From $6.67/mo |
| NordVPN | Obfuscated Servers | Inconsistent; varies by city and ISP | From $3.49/mo |
| Surfshark | NoBorders | Moderate; vulnerable during censorship sweeps | From $1.99/mo |
| ProtonVPN | Stealth | Free servers functional but highly congested | Free · paid from $4.99/mo |
| LetsVPN | AI Routing | Exited the mainland market in April 2026 | — |
Stays online during major block waves when competitors fail, using custom protocols and China-optimized servers in Hong Kong, Taiwan, and South Korea. The getastr.com mirror is reachable inside China for on-site downloads. The catch is price: $30 for a single month. Full comparison: IT CRP vs Astrill.
Historically the go-to China recommendation, now dropping frequently during evening peaks. Support regularly extends subscriptions to compensate for downtime — which tells you the routing issues are ongoing. Fine as a backup, risky as your only line. See IT CRP vs ExpressVPN.
Both disguise OpenVPN as standard HTTPS. Some users report months of stability; others can't connect at all. Reliability depends heavily on your city and carrier. See IT CRP vs NordVPN.
Widely regarded as the most resilient VPN in China — until it went completely offline in April 2026 after a GFW update. Operations resumed globally in May, but the company explicitly no longer guarantees service in mainland China. A warning against trusting outdated reviews.
An odd profile: its free servers often outlast paid nodes in China, though heavily congested. Best reserved as an emergency fallback for messaging when everything else is down.
IT CRP was built specifically for the person who is already in China and locked out of the network.
The website, user portal, and payment processor stay unblocked on Chinese networks — you can register and pay without an active VPN. That's the exact failure mode that strands people with other providers.
Test the connection on your actual hotel or office Wi-Fi and verify Gmail and WhatsApp load before paying anything.
The mimicry stack described above — built to defeat DPI and active probing. Server nodes and routing paths are updated within 24–48 hours of GFW sweeps; we've run this protocol configuration since 2024.
The Happ client on iOS, Android, Windows, and macOS with one-tap subscription import; v2rayN and Clash Verge Rev also supported. Routing through high-speed nodes (up to 300 Mbps) in the US, Germany, and the Netherlands. $9/month, 5 devices, 7-day refund, card or crypto, email-only registration.