How to safely access an internal private host behind a corporate VPN from China now that most VPNs are blocked – Securely accessing a foreign company's internal servers without a VPN


We know the Chinese government requires every VPN to be registered and blocks all unregistered VPNs.

It is a tall order to register your corporate VPN with the government unless you are a huge company like Oracle, Microsoft or IBM.

Does that mean you cannot hire affordable Beijing talent if you protect your internal development host with a VPN?

Proposed solution

Well, no. Here is a simple solution.

Let's assume your internal host is running at, covered by a VPN tunnel.

What you can do is run a Microsoft Azure Ubuntu server, or a Microsoft Azure Windows 10 Pro VM with OpenSSH for Windows, that holds the VPN connection into your internal network, and then use SSH port forwarding to expose the internal host on a local port of your Beijing developer's machine.

Sample code


ssh -v -i {sshKey} -L 8090:{remoteEndpointHost}:{remoteEndpointPort} {username}@{domain}

(-L takes localPort:remoteHost:remotePort, host before port. Port 8090 on the developer's machine then reaches {remoteEndpointHost}:{remoteEndpointPort} through the Azure host's VPN connection.)

Isn't that simple and safe? I've already tested this with PaloAlto GlobalProtect on a Windows 10 Pro image in Azure.

More details:

  • SSH should use public-key authentication, for both safety and convenience
  • Block all outbound traffic except the port used by your VPN (NTP runs on port 123; do not block it. For more info, refer here)
  • Block all inbound traffic except port 22 (SSH)
  • Make sure the SSH tunnel is only used for your development host, not for reaching Google / YouTube. Someone said the Great Firewall of China is versatile enough (machine learning) to tell that you are watching videos over SSH port forwarding or using it as a proxy to the open world.
  • Windows 10 Pro in Azure is the killer setup that I've tested, although the first bootstrap cost me almost 30 minutes at the Windows user login "Welcome" page over the Remote Desktop Client for Mac
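The tunnel command and the "development host only" rule above, as an added example that is not code from the original post. The first function builds the client-side ssh command with the forward bound to loopback and no remote shell; the second renders the sshd_config Match block for the Azure host that makes the restriction enforceable on the server (PermitOpen refuses forwards to any other destination). The user name dev, the endpoint 10.0.0.5:8080, the key path and the jump host name are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the hardened client-side
# tunnel command and the server-side sshd policy that pins forwarding to one
# internal endpoint. User name, hosts, ports and key path below are placeholders.

# build_tunnel_cmd LOCAL_PORT INTERNAL_HOST INTERNAL_PORT SSH_KEY USER JUMP_HOST
# Prints the ssh command line to run on the developer's machine; returns 1 on bad input.
build_tunnel_cmd() {
    local_port=$1; internal_host=$2; internal_port=$3
    ssh_key=$4; ssh_user=$5; jump_host=$6
    for p in "$local_port" "$internal_port"; do
        case "$p" in
            ''|*[!0-9]*) echo "port must be numeric: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    if [ -z "$internal_host" ] || [ -z "$ssh_key" ] || [ -z "$ssh_user" ] || [ -z "$jump_host" ]; then
        echo "internal host, key, user and jump host are all required" >&2; return 1
    fi
    # -L is local_addr:local_port:remote_host:remote_port (host before port).
    # 127.0.0.1 binds the forwarded port to loopback so nothing else on the
    # developer's LAN can ride the tunnel; -N opens no remote shell;
    # ExitOnForwardFailure makes a refused forward fatal instead of silent;
    # IdentitiesOnly offers just the named key; ServerAlive* tears down dead tunnels.
    printf 'ssh -N -i %s -o IdentitiesOnly=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$ssh_key" "$local_port" "$internal_host" "$internal_port" "$ssh_user" "$jump_host"
}

# render_sshd_policy USER INTERNAL_HOST INTERNAL_PORT
# Emits a Match block to append to sshd_config on the Azure host
# (Ubuntu: /etc/ssh/sshd_config; OpenSSH for Windows: %ProgramData%\ssh\sshd_config).
# PermitOpen is what actually enforces the "development host only" rule: sshd
# refuses any -L or -D forward to another destination, so the tunnel cannot be
# turned into a general proxy even by a cooperative client.
render_sshd_policy() {
    cat <<EOF
Match User $1
    PubkeyAuthentication yes
    PasswordAuthentication no
    AllowTcpForwarding local
    PermitOpen $2:$3
    GatewayPorts no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
EOF
}

# Demo with placeholder values: the developer's machine forwards 127.0.0.1:8090
# to the assumed internal service 10.0.0.5:8080 via the assumed jump host.
build_tunnel_cmd 8090 10.0.0.5 8080 "$HOME/.ssh/id_ed25519" dev jump.example.com
render_sshd_policy dev 10.0.0.5 8080
```

Run the script once to see both outputs; paste the Match block at the end of sshd_config on the Azure host and restart sshd before handing the developer the printed command. Because the policy lives on the server, the "no Google / YouTube through the tunnel" rule no longer depends on the developer's discipline: a forward to anything other than the permitted endpoint is refused by sshd, and with ExitOnForwardFailure the client exits rather than silently connecting without the forward.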