Surfshark in China - October 2022


After quite a lot of thorough testing, I can finally conclude that Surfshark works very well, provided that its DNS lookups are not poisoned, which is often the case behind the GFW on the Chinese internet. Fortunately, there are numerous ways to combat this issue.

What’s working, what’s not

Service | Status
Main website | Working, but DNS poisoned
Android app | Fully working
iOS app | Login affected, connection affected
Windows app | Login affected, connection affected
macOS app | Login affected, connection affected
Linux app | Fully working
Manual configurations | Partially working; the “for China” config files mostly work

DNS poisoning is the main culprit behind connection issues. A more in-depth analysis of how Surfshark functions will be written in the near future, but for now, this is what you need to know.

All Surfshark apps need access to three domains in order to function:

Domain | Function
*.surfshark.com | Interactions with the main Surfshark services
*.uymgg1.com | Sometimes used instead of the main domain to interact with the main Surfshark services
*.prod.surfshark.com | Domain whose hostnames point to the VPN servers’ IP addresses

All of these domains are DNS-poisoned by the GFW, meaning that with default settings the app will try to communicate with the wrong server.

Hence, the problem breaks down into two parts - logging in to Surfshark and connecting to Surfshark.

Logging into Surfshark in China

For all apps except the Android client, you will need an unobstructed connection to Surfshark before you attempt to log in to your Surfshark account in the app.

If you need a free proxy just to log in, you may try a proxy from https://openit.daycat.space. However, please note that these proxies are nowhere near as secure as Surfshark servers, due to the different protocols used and the ownership of the servers. Think of the OpenIT project as a community-supported proxy project for circumventing censorship.

For maximum security, connecting first with a manual connection and then logging into your Surfshark account through the app is the best way to get into the app in China.

To manually connect to the Surfshark network, you will need your manual connection username and password, and also a few IP addresses from one of the locations. A good location to try is Taichung City, and failing that, San Jose.

You may refer to this page from Surfshark’s official guide to connect. However, you must look up IP addresses for the server domains and connect to those, instead of connecting by domain name yourself, as Surfshark’s server domains are all DNS-poisoned.

[Screenshot: hostname lookup for the Taichung City server domain]

If you are not familiar with command-line tools such as dig and nslookup, or if you are on a mobile device, you may use https://whatismyipaddress.com/hostname-ip to find a few IP addresses that one of the server domains points to. For example, in this screenshot I used the domain name of the Taichung City server.

Tip: You can also ask customer support for China-optimised OpenVPN and IKEv2 configs. These configs can be easier to use in China, although most servers in the VPN app itself work.

The Surfshark macOS app does not offer a manual connect function, so in this case you will have to connect manually with IKEv2. See https://support.surfshark.com/hc/en-us/articles/360006636013-How-to-set-up-an-IKEv2-manual-connection-on-macOS- for more details.

Once you have your manual connection ready, you may proceed and log in to the Surfshark app.

Connecting to Surfshark’s in-app servers

As mentioned before, each Surfshark server has a domain name. When connecting to a Surfshark server, the app first needs to resolve that domain name to find the IP address it needs to connect to, and then form a connection to that address.

As the GFW is deployed in each city, or at least each province, having a DNS server within China and expecting it not to get poisoned is futile. Most Chinese DNS servers are poisoned anyway. Hence, before attempting to connect, we need to make sure that Surfshark’s domains resolve correctly in China.
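The resolution step above, and the poisoning check the post relies on, as an added example (not code from the post or from Surfshark): the script sends a wire-format DNS query to a DNS-over-HTTPS upstream such as https://1.1.1.1/dns-query (RFC 8484, POST form), parses the A records, and compares them with what the system resolver returns; the hostname vpn.example.com is a placeholder, to be replaced with the server hostname from Surfshark’s guide.

```python
import socket
import struct
import urllib.request

def build_query(name, txid=0x1234):  # wire-format DNS query (RFC 1035) for the A record of `name`
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):  # offset just past a (possibly compressed) domain name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, and the name ends there
            return off + 2
        off += 1 + length

def parse_a_records(msg):  # IPv4 addresses from the answer section of a DNS response
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def doh_resolve(doh_url, name):  # resolve via DNS-over-HTTPS (RFC 8484, POST form)
    req = urllib.request.Request(doh_url, data=build_query(name), headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_a_records(resp.read())

def looks_poisoned(system_addrs, trusted_addrs):
    # The local resolver is suspect when its answers share nothing with the trusted upstream's.
    return bool(trusted_addrs) and not set(system_addrs) & set(trusted_addrs)

if __name__ == "__main__":
    host = "vpn.example.com"  # placeholder: put the server hostname from Surfshark's guide here
    trusted = doh_resolve("https://1.1.1.1/dns-query", host)  # one of the upstreams listed in the post
    local = socket.gethostbyname_ex(host)[2]  # whatever the system resolver currently returns
    print(host, "system:", local, "DoH:", trusted, "poisoned:", looks_poisoned(local, trusted))
```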

For macOS, Windows, and all Linux distributions

There are numerous ways to do this, but I recommend running a local instance of AdGuard Home on your laptop or desktop, as it is easy to set up and also provides additional benefits such as ad blocking and malware blocking (when your VPN is off, of course; when it is on, you can use Surfshark’s built-in ad blocker). Best of all, it is completely free and you have complete control over your data.

The reason to set up AdGuard Home is that we want a local DNS server that lives directly on your device, so that the GFW cannot hand you poisoned DNS answers: your queries leave the device only over encrypted connections to the upstream servers you choose.

Set up AdGuard Home according to the official guide on GitHub. You may also watch YouTube videos on how to set it up for your specific OS.

GitHub accessibility in China is rather limited and random. I recommend you do this step before you set foot in China, to avoid issues ranging from very slow download speeds to complete blockages when major events are in town (e.g. the 1st October National Day).

Make sure you tick both “Private networks” and “Public networks”!

Once set up, go to localhost:3000 in your browser to complete the configuration of your AdGuard Home server.

[Screenshot: AdGuard Home setup page at localhost:3000]

You do not need to change anything here. Your password is hashed and then stored locally, so it never leaves your machine, but it is nevertheless recommended that you use a strong password. Once you’re done, you should see this screen:

[Screenshot: AdGuard Home setup complete]

Click “Open Dashboard” and you will be in the main dashboard. The next time you want to change AdGuard Home settings, you can go to “localhost” in your browser.

[Screenshot: AdGuard Home main dashboard]

Click the hamburger menu at the top left > Settings > DNS settings.

[Screenshot: DNS settings page]

Change the value of “Upstream DNS servers” to two or more entries from this list:

https://1.1.1.1/dns-query
https://1.0.0.1/dns-query
https://dns.daycat.space/dns-query # This server is operated by me for China. Use this if you trust me.
quic://dns.daycat.space # This server is operated by me for China. Use this if you trust me.
https://public.dns.iij.jp/dns-query
https://doh.opendns.com/dns-query

Once you’re done, hit “Test upstreams”, and if all servers work, click “Apply”.

You may also use any other server that speaks DNS-over-TLS, DNS-over-QUIC or DNS-over-HTTPS as your upstream DNS server. If you find other servers that work, you are welcome to contact me via iyasmalan(a)gmail.com to share your finds with others :D

Congratulations, you have now finished setting up your AdGuard Home DNS server. However, you still need to configure your system to use it.

Here are instructions for changing DNS servers on each OS. Set your DNS server to 127.0.0.1.

OS | Link
Windows | https://www.windowscentral.com/how-change-your-pcs-dns-settings-windows-10
macOS | https://support.apple.com/en-sg/guide/mac-help/mh14127/mac
Linux | https://docs.rackspace.com/support/how-to/changing-dns-settings-on-linux

For iOS, Android, and HarmonyOS devices

For this, we will use the TrustDNS app, made by Surfshark. You can find download links for all platforms below.

Platform | Link
iOS | App Store
Android | Google Play
HarmonyOS | APKPure

[Screenshot: TrustDNS home page]

Go to Change DNS > +. Choose a name and then use one of the servers from this list:

https://1.1.1.1/dns-query
https://1.0.0.1/dns-query
https://dns.daycat.space/dns-query # This server is operated by me for China. Use this if you trust me.
quic://dns.daycat.space # This server is operated by me for China. Use this if you trust me.
https://public.dns.iij.jp/dns-query
https://doh.opendns.com/dns-query

[Screenshot: adding a custom DNS server]

Click “Activate”, then click the red button to connect.

[Screenshot: connected to Cloudflare DNS]

Now, you can proceed with the login.

Debugging

Sometimes there are odd issues. If you still cannot connect with the right DNS settings, please follow these debugging steps.

Changing the protocol

Surfshark’s WireGuard protocol doesn’t perform well in China, so it is recommended that you use another protocol instead of WireGuard. You can find this setting under Settings > VPN settings > Protocol.

OS | Recommended protocol
Android | IKEv2
iOS | OpenVPN UDP
Windows | OpenVPN UDP
macOS | IKEv2
Linux | OpenVPN UDP

Is the red banner present?

In China, Surfshark shows a red banner telling you that you can only connect to a limited set of locations because you are in China. Through testing, I found that this banner must show up before a successful connection.

[Screenshots: the red banner as shown on Android, Windows, macOS and Linux; no iOS screenshot]

You may attempt to connect without this banner showing up, but generally it will not work.

Trying different locations

Here is a list of recommended locations for China. Please attempt to connect to these locations rather than others:

Hong Kong
Japan
Singapore
Taiwan
United Kingdom - London
United States - San Jose
United States - San Francisco
United States - Los Angeles

If these locations don’t work, I recommend trying these same locations again rather than trying other locations.

Making sure that “NoBorders” mode is on

NoBorders is developed by Surfshark to combat firewalls around the world. Making sure that this option is on, under Settings > VPN settings, is important when you are connecting.

Update the Surfshark app

Surfshark app updates sometimes fix bugs and issues from previous versions, and some versions also fix connectivity issues. It is always a good idea to keep your apps up to date.

Still can’t connect?

Hmm, that’s weird. Please contact me at iyasmalan(a)gmail.com so I can help you debug.

Screenshots :D

[Screenshots: iOS, macOS, Android (HarmonyOS)]