Surfshark in China - October 2022
After quite a lot of thorough testing, I can finally come to the conclusion that Surfshark is working very well granted that its DNS servers are not poisoned, which is often the case behind the GFW in the Chinese internet. Fortunately, there are numerous ways that we can combat this issue.
What’s working, what’s not
Service | Status |
---|---|
Main website | Working, but DNS poisoned |
Android App | Fully working |
iOS App | Login affected, connection affected |
Windows App | Login affected, connection affected |
MacOS App | Login affected, connection affected |
Linux App | Fully working |
Manual configurations | Partially working, “for China” config files mostly working |
DNS poisoning is the main culprit behind connection issues. A more in-depth analysis of how Surfshark functions will be written in the near future, but for now, this is what you need to know.
All Surfshark apps need access to 3 domains in order to function:
Domain | Function |
---|---|
*.surfshark.com | Interactions with the main Surfshark services |
*.uymgg1.com | Sometimes used instead of the main domain to interact with the main Surfshark services |
*.prod.surfshark.com | Domain where VPN server’s IP addresses are pointed to |
All of these domains are DNS poisoned by the GFW, meaning that the app will be trying to communicate with the wrong server with default settings.
Hence, the problem is broken down into 2 parts - logging in to Surfshark and connecting to Surfshark.
Logging into Surfshark in China
For all apps except the Android client, you will need an unobstructed connection to Surfshark before you attempt to login to your Surfshark account in the app.
If you need a free proxy just to log in, you may try a proxy from https://openit.daycat.space. However, please note that these proxies are nowhere near as secure as Surfshark servers due to the nature of the different protocols and the ownership of these servers. Think of the OpenIT project as a community-supported proxy project to circumvent censorship.
For maximum security, connecting first with manual connection and then logging into your Surfshark account through the app is the best way to get into the app in China.
To manually connect to the Surfshark network, you will need your Manual connection username, password, and also a few IP addresses from one of the locations. A good location to try is the Taichung city location, and failing that, the San Jose location.
You may refer to this page from Surfshark’s official guide to connect. However, you must look up the IP addresses behind the server domains yourself and connect to those addresses instead of the domain, as Surfshark’s server domains are all DNS-poisoned.
If you are not familiar with command-line tools such as dig and nslookup, or if you are on a mobile, you may choose to use https://whatismyipaddress.com/hostname-ip to find a few IP addresses that one of the server domains points to. For example, in this screenshot, I used the domain name of the Taichung city.
Tip: You can also ask customer support for China-optimised OpenVPN and IKEv2 configs - these configs could be easier to use in China, although most servers in the VPN app itself work.
The Surfshark macOS app does not offer a manual connect function - in this case you will have to connect manually with IKEv2. See https://support.surfshark.com/hc/en-us/articles/360006636013-How-to-set-up-an-IKEv2-manual-connection-on-macOS- for more details.
Once you have your manual connection ready, you may proceed and login to the Surfshark app.
Connecting to Surfshark’s in-app servers
As mentioned before, Surfshark’s servers all have a domain. When connecting to a Surfshark server, the app first needs to resolve the domain to find the IP address that it needs to connect to, and then form a connection to that address.
As the GFW is deployed in each city or at least each province, using a DNS server within China and expecting it not to be poisoned is futile. Most Chinese DNS servers are poisoned anyway. Hence, before attempting to connect, we need to make sure that Surfshark’s domains resolve correctly in China.
For macOS, Windows, and all Linux distributions
There are numerous ways you can do this, but I recommend running a local version of AdGuard Home on your laptop / desktop, as it is easy to set up, and can also provide additional benefits such as ad blocking and malware blocking (when your VPN is off, of course. When it is on, you can use Surfshark’s built-in adblocker). Best of all, this is completely free and you have complete control over your data.
The reason to set up AdGuard is that we want a local DNS server that lives directly on your device and forwards queries to encrypted upstream servers, so that the GFW has no way of giving you poisoned DNS responses.
You should set up AdGuard Home according to the official guide on GitHub. You may also watch YouTube videos on how to set up AdGuard for your specific OS.
GitHub accessibility in China is rather limited and random. I recommend you do this step before you set foot in China to avoid issues ranging from very slow download speeds to complete blockages when major events are in town (e.g. the 1st October National Day).
Once set up, travel to localhost:3000 in your browser to complete the configuration for your AdGuard server.
You do not need to change anything here. Your password is hashed and then safely stored locally so your password never leaves your machine, but it is nevertheless recommended that you use a secure password anyway. Once you’re done, you should see this screen:
Click “Open Dashboard”, and you should be in the main dashboard. The next time that you want to change settings for AdGuard home, you can go to “localhost” in your browser.
Click on the hamburger menu on the top left > Settings > DNS settings
Change the value in “Upstream DNS servers” to two or more from this list:
https://1.1.1.1/dns-query
https://1.0.0.1/dns-query
https://dns.daycat.space/dns-query # This server is operated by me for China. Use this if you trust me.
quic://dns.daycat.space # This server is operated by me for China. Use this if you trust me.
https://public.dns.iij.jp/dns-query
https://doh.opendns.com/dns-query
Once you’re done, hit “Test upstreams”, and if all servers work, click apply.
You may also use any other servers that use TLS, QUIC or HTTPS as your upstream DNS server. If you can find other servers that work, you are welcome to contact me via iyasmalan(a)gmail.com to share your finds with others :D
Congratulations. You have now finished setting up your AdGuard home DNS server. However, you will need to set up your system to use the AdGuard Home server that you just set up.
Here are instructions for changing DNS servers. You will need to set your DNS server to 127.0.0.1.
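To check that the resolver your system is now using agrees with an encrypted upstream, and to obtain clean IP addresses for the manual connection described earlier, here is an added example (not part of the original guide, and not Surfshark or AdGuard code). It compares an ordinary system lookup with a DNS-over-HTTPS lookup against https://1.1.1.1/dns-query from the list above; the function names are chosen for this example, and the hostname you pass in is whichever server hostname appears in your own manual-connection configuration.

```python
import socket
import struct
import urllib.request
# Function names below are illustrative; only the 1.1.1.1 DoH URL comes from the guide.

def build_query(name, qtype=1):
    """Encode a DNS query for `name` in wire format (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID 0, RD set, 1 question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(msg, pos):
    """Return the offset just past the (possibly compressed) name at `pos`."""
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)  # 2-byte compression pointer, or the root label

def parse_a_records(msg):
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # other record types (e.g. CNAME) are skipped
            addrs.add(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def doh_lookup(name, url="https://1.1.1.1/dns-query"):
    """Resolve `name` over DNS-over-HTTPS (RFC 8484 POST) and return its A records."""
    req = urllib.request.Request(url, data=build_query(name),
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_a_records(resp.read())

def system_lookup(name):
    """Resolve `name` with whatever resolver the OS is currently configured to use."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}

def looks_poisoned(system_ips, doh_ips):
    """True when the system resolver answered but shares no address with the DoH answer."""
    # Load-balanced hostnames can legitimately differ per resolver; treat this as a hint.
    return bool(system_ips) and system_ips.isdisjoint(doh_ips)
```

Call `looks_poisoned(system_lookup(host), doh_lookup(host))` once before and once after pointing your system at 127.0.0.1; the addresses returned by `doh_lookup` are also the ones to use for a manual connection.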
For iOS, Android, and HarmonyOS devices
For this, we will use the TrustDNS app, made by Surfshark. You can find download links for all platforms below.
Platform | Link |
---|---|
iOS | ![]() |
Android | ![]() |
HarmonyOS | Apkpure |
Go to Change DNS > + . Choose a name and then use one of the servers from this list:
https://1.1.1.1/dns-query
https://1.0.0.1/dns-query
https://dns.daycat.space/dns-query # This server is operated by me for China. Use this if you trust me.
quic://dns.daycat.space # This server is operated by me for China. Use this if you trust me.
https://public.dns.iij.jp/dns-query
https://doh.opendns.com/dns-query
Click activate, then click the red button to connect.
Now, you can proceed with the login.
Debugging
Sometimes, there may be weird issues. If you still cannot connect with the right DNS settings, please follow these debug steps.
Changing the protocol
Surfshark’s WireGuard protocol doesn’t perform well in China. Hence, it is recommended that you use another protocol instead of WireGuard. You can find this setting in Settings > VPN settings > Protocol
OS | Recommended protocol |
---|---|
Android | IKEv2 |
iOS | OpenVPN UDP |
Windows | OpenVPN UDP |
macOS | IKEv2 |
Linux | OpenVPN UDP |
Is the red banner present?
In China, Surfshark will show you a red banner telling you that you can connect to limited locations because you are in China. Through testing, I found that this banner must show up before a successful connection.
You may attempt to connect without these banners showing up, but it probably will not work.
Trying different locations
Here is a list of recommended locations for China. Please attempt to connect to these locations rather than other locations:
Hong Kong
Japan
Singapore
Taiwan
United Kingdom - London
United States - San Jose
United States - San Francisco
United States - Los Angeles
If these locations don’t work, I recommend attempting to connect to these locations again rather than trying other locations.
Making sure that “NoBorders” mode is on
NoBorders is developed by Surfshark to combat firewalls around the world. Making sure that this option is on, in Settings > VPN settings, is important when you are connecting.
Update the Surfshark app
Sometimes Surfshark app updates solve bugs and issues in previous versions, with some versions also solving connectivity issues. It is always a good idea to keep your apps up to date.
Still can’t connect?
Hmm. That’s weird. Please contact me at iyasmalan(a)gmail.com so I can debug for you.