We recently expanded into China. Our users currently connect via an always-on GlobalProtect client that utilizes split tunneling. Users are complaining about not being able to watch YouTube links. I can’t find definitive info regarding whether backhauling internet traffic to our home base in Canada breaks any Chinese laws. It makes sense to me that if we have employees working and living in China they would need to adhere to Chinese law; is this an issue?
Edit: I just wanted to say thanks to everyone who commented, you have given me a lot of great info.
Isolating everything humanly possible. We basically run China as a separate entity with a managed interchange.
There are cross-country links allowed, but they have to be bought from vendors approved by the government communications department. Cyber laws in China are vaguely written, but the simplest way to avoid trouble is: China data stays in China.
They can and will inspect everything, so if you have any IP you care about, try to keep it elsewhere, or leave it there and accept the fact that it’s not a secret.
Cross-country public links can work, but the GFoC will block things as and when it wants to; it’s not a reliable path.
How is it that I am reading these comments and I don’t see one mention of CN vs CN2? CN is the network that 90% of the country uses, and it is terrible even on a good day. Nothing works well, and at night it’s just terrible as everyone is going through the Great Firewall. You should be looking at CN2, where there are only 1-2 million customers on it, and traffic to the USA and the rest of the world is vastly improved because of the lack of traffic on it. Granted, you pay a premium for it, but it’s the only way…
You can’t even think about running an IPsec tunnel, SD-WAN, or anything else on CN. But on CN2 it works flawlessly, and I get < 1% packet loss going to AWS.
So, for us, a dedicated 50 Mb circuit for our Metro Ethernet, and then a backup CN2 circuit, both connected to our SD-WAN.
This comes up from time to time, and we’ve so far held to the policy that the VPN is _only_ designed and meant to be used for work-related purposes, so we only use split tunnels. Our VPN is not designed to be used for online anonymity or for bypassing other restrictions of wherever the user might be. Plus, we just don’t have the overhead on our VPN server to start taking full-tunnel traffic for thousands of users. We regularly have users in China that come in over AnyConnect (HTTPS) just fine.
I was in south China and we had an ISP based in Shenzhen which routed traffic through HK for unfiltered access. I don’t know all the details, as it was there when I arrived, but there are services available.
Lots of good advice, but you should also know that China is not at all consistent across the country. Some provinces are much more strict than others about providing Internet for employees.
Do the above rules only apply to Chinese citizen workers? Do these rules also apply to foreign workers temporarily established in China?
Very interesting subject !
I’m assuming it’s just users from within China that connect… why go through the trouble of enabling services that don’t work in China in the first place?
I’d definitely play it safe and explain that local rules are local rules. I wouldn’t tunnel the traffic like you say without checking that it’s allowed with whoever makes that call. The last thing you want to do is set it up and then get the company in trouble if it’s detected.
From what I know the rules are complex / opaque, and enforcement variable over time.
You could look on r/dumbclub for other options if so inclined.
We have an Alibaba SSL VPN termination in Shanghai that has an IPsec tunnel to another box in Hong Kong. As an educational institution we are allowed to use our Gmail and Drive over the VPN, but they were VERY CLEAR that we were not allowed to tunnel YouTube over the VPN unless it was to specifically approved YouTube channels owned by our institution. Also, Google Translate of all things they explicitly told us to block. But yeah… consult your lawyers first before doing anything.
Just allow YouTube to backhaul to Canada. It’s better than allowing a third party to decrypt your VPN traffic, scan it, and then send it on its merry way, as one user mentioned. I’m assuming these are work-related YouTube videos, because otherwise I’d tell them to pound sand; I don’t have time to worry about their media pleasure. If it’s a small set of videos, you can also download them to a server for access, or maybe Teams.
Honestly, I can’t think of any international laws you’d break by backhauling. If you have a legal department, I’d fire off an email to them or to whoever set up that part of the business, because someone had to. Obeying local laws is where it’ll get you, so hand that off to someone who gets paid to deal with it. If no one will give you an answer, kick it up to management in an email asking for guidance, and if they say do it, make a backup of it and CYOA.