China VPN · updated July 2026

VPNs for China — what actually works behind the Great Firewall.

In April 2026, several popular VPN services went dark in mainland China within a two-week span. The most notable casualty was LetsVPN — a service expats had recommended for years — which admitted it could no longer bypass the firewall, froze accounts, and began issuing refunds. Travelers arrived with pre-paid subscriptions and found themselves cut off from Gmail, WhatsApp, and corporate email. That's the reality of the internet in China: any VPN works only until the next censorship update. So choosing which VPN to buy is half the battle; the other half is planning what you'll do when it stops connecting and its website is blocked. This page covers both.

China VPN · the short version

Why China's firewall is different from standard geo-blocking

When Netflix geo-blocks content, it checks your IP against a blacklist — any cheap VPN gets around that. The Great Firewall is a national traffic-filtering system at the borders of the country's network, and it hunts VPNs with three mechanisms.

Deep Packet Inspection

The GFW inspects transit packets for signatures and handshake patterns unique to VPN protocols — a standard OpenVPN or WireGuard handshake is instantly recognizable. Once detected, the connection is dropped, and repeat attempts get the server's IP blocked entirely.

Active probing

If a server behaves suspiciously, the GFW connects to it, masquerading as a normal web browser. A legitimate web server returns a page and an SSL certificate. A VPN server usually reveals itself — an error, silence, or an atypical response — and gets an immediate IP block. Active probing is what compromised Shadowsocks, which previously excelled at hiding from passive inspection.

DNS poisoning

When you request a blocked website, the firewall intercepts the DNS query and returns a fake IP. The page silently fails to load — which is exactly why downloading apps or config files from inside the country is so hard.

Pre-emptive cloud IP blocks

The GFW blocks entire IP ranges belonging to popular hosting providers — AWS, DigitalOcean, Hetzner. That makes the "just run your own VPN on a cheap VPS" plan impractical: the IP block may be in place before you've even configured the server.

What a VPN needs to survive the Great Firewall

Encryption alone is no longer enough — unrecognized encrypted traffic is itself a red flag for DPI. What works in 2026 is mimicry, plus the operational basics people forget to check.

Obfuscation over encryption: VLESS + Reality

The current gold standard is the VLESS protocol with XTLS Reality on the Xray core. When the GFW probes the server, it gets redirected to a major public website (say, microsoft.com) and receives Microsoft's real SSL certificate — to the firewall, the server looks like a harmless website. Only users holding a pre-shared key get tunneled. XTLS-Vision completes the disguise: it reshapes packet sizes and latency patterns after the handshake so the traffic profile matches regular browsing. Commercial VPNs use similar proprietary techniques — Astrill's StealthVPN, Proton's Stealth.

A website reachable from inside China

The GFW blocks VPN provider domains, account portals, payment gateways, and download pages first. Check whether your provider has a working mirror for China (like Astrill's getastr.com) or a primary site that stays unblocked — otherwise you can't renew or re-download once you're there.

Payment methods that don't get flagged

A classic failure: you renew from China, and your bank flags the transaction — a payment to an offshore entity from a Chinese IP looks like fraud. Backup options like cryptocurrency (USDT, Bitcoin) or regional methods (Alipay, UnionPay) resolve this.

Clients for every device you carry

Within the Xray ecosystem the standard clients are Happ or Shadowrocket on iOS, Happ or v2rayNG on Android, v2rayN on Windows, and Clash Verge Rev for advanced desktop routing. A good provider delivers the subscription as a single URL that imports into any of them.

Support that moves in hours, not days

Enforcement intensifies in waves around national holidays and political events. A support team that rolls out new server nodes within 24 hours is the difference between a bad evening and a dead week.

Pre-trip checklist

Everything on this list is dramatically easier before you cross the border.

STEP 01

Set up the VPN at home

Create the account, process payment, install the clients, run a test connection. Doing any of this from inside China is possible but harder — do it from your couch instead.

STEP 02

iOS: fix your Apple ID region

All VPN apps have been removed from the Chinese App Store. If your Apple ID is set to mainland China, change the region or create a secondary account (US or Europe) before traveling. Details in the iPhone setup guide.

STEP 03

Android: download the APKs

Google Play is blocked in China. Download the .apk installers from your provider's website and save them directly to your device. Details in the Android setup guide.

STEP 04

Save configurations offline

Subscription URLs, config files, account credentials — store them in a notes app or password manager that works offline. DNS poisoning makes fetching them later unreliable.

STEP 05

Install and test on every device

Phone, laptop, tablet — each one, before the flight. A client you haven't launched yet is a client that will need a download you can't make.

STEP 06

Get a backup roaming eSIM

Travel eSIMs (Airalo, Holafly, Nomad, Trip.com) route traffic outside the GFW — your emergency channel for downloads, payments, and support. More on why this works below.

STEP 07

Set up Alipay / WeChat Pay

Unrelated to VPNs, but essential: mobile payments run daily life in China. Register and complete passport verification before your trip.

Troubleshooting from inside China

Already there and locked out? Work through these in order.

The VPN website is blocked

Expected behavior — provider domains are the first thing the GFW blocks. Use the provider's mirror domains, connect via a roaming eSIM, or email their support address: foreign mail servers often work without a VPN.

The VPN fails to connect

Switch servers, change protocols in the app settings, toggle between Wi-Fi and mobile data — different Chinese ISPs (China Telecom vs China Mobile) enforce different filtering. Update your subscription in the client to pull fresh server IPs. If the provider has suffered a full outage, you need the backup channel — the eSIM.

Why a roaming eSIM bypasses the firewall

Roaming data routes through Chinese carrier networks straight to the home carrier's servers abroad (Hong Kong, Singapore, the US) before touching the open internet — it passes the GFW unfiltered. With an eSIM active you can download a new client, pay, and import profiles, then switch back to Wi-Fi + VPN to save data. Caveats: roaming is expensive (don't tether the laptop for long), hotel Wi-Fi is still filtered (see the hotel Wi-Fi guide), and if your eSIM routes via Hong Kong, TikTok won't work — it doesn't serve Hong Kong IPs.

Payments keep failing

If your card is declined, use a provider that accepts cryptocurrency or Alipay. Crypto is the most reliable way around payment-processing blocks.

Commercial VPN status in China · July 2026

GFW filtering changes fast — check recent user reports (the monthly VPN threads on Reddit's r/chinalife) before purchasing. Status below as of July 2026.

Provider Obfuscation Status in China Price
IT CRP (our service) VLESS + Reality, XTLS-Vision Active; website, portal, and payments reachable from inside China $9/mo · free 1 GB trial key
Astrill StealthVPN, OpenWeb Highly stable; mirror getastr.com works from inside China From $12.50/mo (2-yr plan), $30 month-to-month
ExpressVPN Lightway Frequent drops during peak evening hours and holidays From $6.67/mo
NordVPN Obfuscated Servers Inconsistent; varies by city and ISP From $3.49/mo
Surfshark NoBorders Moderate; vulnerable during censorship sweeps From $1.99/mo
ProtonVPN Stealth Free servers functional but highly congested Free · paid from $4.99/mo
LetsVPN AI Routing Exited the mainland market in April 2026

Astrill — the expat standard for reliability

Stays online during major block waves when competitors fail, using custom protocols and China-optimized servers in Hong Kong, Taiwan, and South Korea. The getastr.com mirror is reachable inside China for on-site downloads. The catch is price: $30 for a single month. Full comparison: IT CRP vs Astrill.

ExpressVPN — a former favorite, now a backup

Historically the go-to China recommendation, now dropping frequently during evening peaks. Support regularly extends subscriptions to compensate for downtime — which tells you the routing issues are ongoing. Fine as a backup, risky as your only line. See IT CRP vs ExpressVPN.

NordVPN & Surfshark — city lottery

Both disguise OpenVPN as standard HTTPS. Some users report months of stability; others can't connect at all. Reliability depends heavily on your city and carrier. See IT CRP vs NordVPN.

LetsVPN — the cautionary tale

Widely regarded as the most resilient VPN in China — until it went completely offline in April 2026 after a GFW update. Operations resumed globally in May, but the company explicitly no longer guarantees service in mainland China. A warning against trusting outdated reviews.

ProtonVPN — the emergency channel

An odd profile: its free servers often outlast paid nodes in China, though heavily congested. Best reserved as an emergency fallback for messaging when everything else is down.

What a VPN won't fix in China

  • Mobile payments need the VPN off. Alipay and WeChat Pay accept international cards (Visa, Mastercard, JCB) — set up and verify before arriving. Under 200 RMB is fee-free; above that costs 3%. Crucially: a payment for a Shanghai merchant originating from a US IP triggers anti-fraud blocks. Turn the VPN off before paying.
  • Local apps misbehave through a tunnel. Amap navigation and DiDi ride-hailing can throw geolocation errors or fail outright over a VPN. Split-tunnel them past the VPN if your client supports it, or toggle the VPN off before booking rides or scanning codes.
  • SMS verification needs a local number. Most Chinese services require a domestic phone number. No VPN changes that — you'll need a local SIM, bought with your passport.
  • App Store regions don't move with your IP. A VPN won't change your Apple ID region or restore apps removed from the Chinese App Store. Sort accounts out before departure.
  • Legal status is a gray area. Chinese regulations target providers of unlicensed VPN services. There are no public records of foreign tourists penalized for personal use, but unlicensed VPNs remain technically illegal. Make your own risk assessment; consult counsel if you need formal advice.

How IT CRP handles China

IT CRP was built specifically for the person who is already in China and locked out of the network.

Sign up from inside China

The website, user portal, and payment processor stay unblocked on Chinese networks — you can register and pay without an active VPN. That's the exact failure mode that strands people with other providers.

Free 1 GB trial key, no card

Test the connection on your actual hotel or office Wi-Fi and verify Gmail and WhatsApp load before paying anything.

VLESS + Reality with XTLS-Vision

The mimicry stack described above — built to defeat DPI and active probing. Server nodes and routing paths are updated within 24–48 hours of GFW sweeps; we've run this protocol configuration since 2024.

One subscription URL, every platform

The Happ client on iOS, Android, Windows, and macOS with one-tap subscription import; v2rayN and Clash Verge Rev also supported. Routing through high-speed nodes (up to 300 Mbps) in the US, Germany, and the Netherlands. $9/month, 5 devices, 7-day refund, card or crypto, email-only registration.

$9 / mo
Free 1 GB key first · 5 devices · 7-day refund · card or crypto · works from inside China
Get free 1 GB key

China VPN questions

Is it legal for tourists to use a VPN in China?
Regulations target providers of unlicensed VPN services rather than individual end users. There are no public cases of foreign tourists being penalized for personal VPN use, and expats and business travelers use them daily. However, it remains a legal gray area — make your own risk assessment.
Which VPN is guaranteed to work in China right now?
No service can guarantee 100% uptime; GFW updates can temporarily disrupt any provider. The most resilient configurations are VLESS + Reality setups and Astrill's StealthVPN. Always choose a service that offers a trial or money-back guarantee, and keep a backup option ready.
Do ExpressVPN and NordVPN work in China in 2026?
Yes, but inconsistently. ExpressVPN experiences frequent disconnects during evening peak hours and holidays, while NordVPN's performance varies heavily by city and ISP. Both work well as backup options but are risky as primary connections.
Can I purchase a VPN if I am already inside China?
Yes, though it is more difficult. You can connect via a roaming eSIM, use mirror domains, or sign up through an unblocked provider site like IT CRP. If your credit card is flagged by anti-fraud systems, you can pay using cryptocurrency.
If I have a travel eSIM, do I still need a VPN?
Not while you are routing traffic through the eSIM, as roaming data bypasses the Great Firewall. You will need a VPN when connecting to local Wi-Fi networks (hotels, offices, cafes) or to conserve expensive mobile roaming data.
Why did my VPN stop working today when it worked yesterday?
GFW enforcement is cyclical, tightening around holidays and political events. Try changing servers, switching protocols, updating your subscription nodes, or switching between Wi-Fi and mobile networks. Active providers usually deploy updated routing nodes within 24 to 48 hours.
Are there free VPNs that work in China?
There are no full-featured free options that offer stable performance. ProtonVPN's free tier can work for basic messaging during outages, though it is highly congested. IT CRP offers a free 1 GB trial key, which allows you to test the connection on your network before purchasing.
China VPN overview · provider status last verified July 2026 · GFW behavior changes in waves — check recent user reports before relying on any single provider.
IT CRP is operated outside mainland China. Founders, payment processing, and servers are outside Chinese jurisdiction.