Preface
We know the Chinese government requires that all VPNs be censored and blocks all unregistered VPNs.
It's going to be a tall order to register your corporate VPN with the government if you are not a huge company like Oracle / Microsoft / IBM.
Does that mean it's impossible for you to hire cheap Beijing talent if you protect your internal development host with a VPN?
Proposed solution
Well, nope. A simple solution is here.
Let's assume your internal host is running at 10.0.0.200:8080, behind the VPN tunnel.
What you could do is run a Microsoft Azure Ubuntu server, or Microsoft Azure Windows 10 Pro with [OpenSSH for Windows](https://www.mls-software.com/opensshd.html "OpenSSH"), that runs your VPN client connected to your internal network, and use SSH port forwarding to open a local port on your Beijing developer's development machine.
Sample code
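```bash
# Address of the Azure jump host that runs the VPN client
domain=REMOTE_SERVER_IP
# Internal development host, reachable only through the VPN
remoteEndpointHost=10.0.0.200
remoteEndpointPort=8080
username=paul
sshKey=~/.ssh/YOUR_KEY
# -L local_port:target_host:target_port, so localhost:8090 on the
# developer's machine reaches 10.0.0.200:8080 through the jump host
ssh -v -i "${sshKey}" -L 8090:${remoteEndpointHost}:${remoteEndpointPort} ${username}@${domain}
```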
Isn't that simple and safe? I've already tested this with Palo Alto GlobalProtect via a Windows 10 Pro image in Azure.
More details:
- SSH should use public key authentication for safety and convenience.
- Disable all outbound traffic except the port used by your VPN (NTP runs on port 123, so do not block it; for more info, refer here).
- Disable all inbound traffic except port 22 (SSH).
- Make sure the SSH tunnel is only used for your development host, not for accessing Google / YouTube. Someone said the Great Firewall of China is versatile enough (machine learning) to know when you are watching videos over SSH port forwarding or using it as a proxy to the open world globally.
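
One way to enforce the last point on the jump host itself, as an added example that is not from the original post: generate the developer's `authorized_keys` entry so that the key can only forward to `10.0.0.200:8080`. It assumes OpenSSH 7.2 or later on the jump host; the function name and the sample key are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): emit an authorized_keys entry
# for the jump host that can only forward to the internal development host.

DEV_TARGET="10.0.0.200:8080"   # dev host from the article, reached over the VPN

# restricted_key_line PUBKEY [HOST:PORT] -> prints the entry, non-zero on bad input
restricted_key_line() {
  local pubkey="$1" target="${2:-$DEV_TARGET}" host port type rest blob

  # Target must be host:port; a strict character set keeps quotes and spaces
  # out of the permitopen="..." value.
  case "$target" in *:*) ;; *) echo "bad target" >&2; return 1 ;; esac
  host=${target%:*}; port=${target##*:}
  case "$host" in ''|*[!A-Za-z0-9.-]*) echo "bad host" >&2; return 1 ;; esac
  case "$port" in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 1; }

  # A bare public key is "<type> <base64> [comment]". Anything that starts
  # with options (command=, no-pty, ...) is refused rather than merged.
  type=${pubkey%% *}
  rest=${pubkey#"$type"}; rest=${rest# }
  blob=${rest%% *}
  case "$type" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "not a bare public key" >&2; return 1 ;;
  esac
  case "$blob" in ''|*[!A-Za-z0-9+/=]*) echo "bad key blob" >&2; return 1 ;; esac

  # restrict turns off pty, agent/X11 forwarding and port forwarding;
  # port-forwarding turns forwarding back on, and permitopen limits -L
  # destinations to the single target. The free-text comment is dropped.
  printf 'restrict,port-forwarding,permitopen="%s" %s %s\n' "$target" "$type" "$blob"
}

# Constructed sample key, not a real one.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyOnly paul@laptop'
restricted_key_line "$SAMPLE_KEY"
```

With an entry like this in place, the developer can add `-N` to the `ssh` command so that no remote shell is requested and the connection carries only the forward.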
Windows 10 Pro in Azure is the killer that I've tested. While the first bootstrap cost me almost 30 minutes at the Windows User Login page with Welcome over Remote Desktop Client for Mac