Published by James Brown on October 22, 2019
Last updated on July 30, 2020
Surfshark is one of the best VPN deals that you will find anywhere.
But the question you may want to know is: Does Surfshark VPN work in China?
Yes, Surfshark does work in China. In fact, it is currently rated #2 on the Best VPN for China page.
However, it can be very tricky to set up.
If you are looking for a more user-friendly VPN to use in China, ExpressVPN is a better choice. The apps are always working in China and they are easy to use.
The main problem with Surfshark is that the apps don't usually work in China, so you will likely need to set up manual connections. And don't expect too much help from Surfshark support (it's about as good as you can expect from a VPN that charges under $2/month).
But don't worry, I'm going to show you everything you need to know about how to use Surfshark in China with manual OpenVPN and Shadowsocks connections.
The Surfshark apps may or may not be working in China at the time you are reading this guide, so you could always try them first before following these steps.
Then scroll down to the bottom of the page until you see the Advanced heading. Then choose Shadowsocks.
Now click the Enable Shadowsocks button.
You should now see a Shadowsocks port and password.
For iOS, download the Shadowrocket app from the Apple App Store. This app costs $2.99 and you will need a non-Chinese iTunes account. If your iTunes account is registered with a Chinese address, you can make a new US iTunes account.
If you don't want to pay $2.99 for Shadowrocket, you can try some free apps such as Potatso Lite. However, these free apps usually have DNS leaks and don't work with VoIP (WhatsApp voice calls, etc). So it's recommended to pay $2.99 for Shadowrocket if you can afford it.
This is the tricky part. You will need to find IP addresses that are not blocked in China. If you don't want to do this yourself, you could check the bottom of this page for some recommended IPs that I found.
Do not follow the instructions on the Surfshark website. You cannot enter the server hostnames directly or ping the hostnames because the DNS requests are poisoned in China.
To find working IPs, copy the server address from the Surfshark website and look up the IPs using the OpenDNS CacheCheck website.
For example, here are the results for the Japan location.
Pro Tip: If the IPs shown are blocked, you can often add +1 from what is shown here.
For example, the first IP is 220.127.116.11. Adding +1, we get 18.104.22.168 (only add +1 to the last of the 4 numbers).
This is a special trick that only works for Shadowsocks connections (does not work for OpenVPN). It doesn't work 100% of the time, but it usually does.
You need to go through the list and find the IPs that are not blocked in China.
You can check if the IP is blocked in China by sending a ping command. Make sure to turn off any existing VPN connections because you need to ping directly from China.
If you don't know how to send a ping command, refer to this article for instructions.
If you are using a mobile device or if you are not in China yet, you can use this ping tool. The tool is in Chinese language, but it's simple to use. Choose only China servers to ping from, as shown below.
We are not interested in the ping results from regions other than mainland China, so make sure the other regions are unchecked if you use this tool.
As I am already in china, I will directly send a ping command from Windows. Here is what a successful ping test looks like.
The lower the ping time, the better. Try to find server IPs with a low ping time.
Here is what an unsuccessful ping test looks like (server is blocked).
Build a list of all the IPs that respond to a ping. It's possible that some IPs will respond to ping but still not work, so try to find as many as possible before going to the next step.
Now that you have a list server IPs, you can go ahead and try them. Enter the following server settings into the Shadowsocks app for each server IP that you want to set up.
Server address - Enter an IP from your list (step 4)
Server port - Enter the port shown on the website (step 2)
Password - Enter the password shown on the website (step 2)
Encryption - AES-256-GCM (recently changed)
Remark - Enter any name to identify your server
Any other options can be left as default.
The specific name and order of these options may vary on different platforms. Here is what my settings look like on Windows.
Note - The above image shows the old settings with Encryption set to aes-256-cfb. The current setting is now aes-256-gcm.
The specific steps on how to connect to the server varies on different platforms. On Windows, right click the icon in the taskbar and choose System Proxy ---> Global. To turn Shadowsocks off, right click the icon and choose System Proxy --> Disable.
For Mac, the options are Turn Shadowsocks On and Turn Shadowsocks Off.
Unlike a traditional VPN connection, you will not know if the server works or not until you try to load a website.
If your Shadowsocks servers don't work, or if they stop working after some time, you may need to reset your credentials (port and password). The server management of the Shadowsocks servers seems to have some bugs. Sometimes ports get closed randomly and sometimes the credentials just don't work.
The first thing to check is whether you can still ping the server. If it doesn't respond to a ping, then it was likely blocked in China and you will need to find another server to use.
If the server responds to a ping, but the Shadowsocks connection fails, then you should go back to the Surfshark website and reset your credentials.
To do this, click on Disable Shadowsocks and then Enable Shadowsocks again. You will get a new port and password. Then you will need to update the Port and Password with your new credentials for each server profile in your Shadowsocks app.
Make sure you test several different servers with your new credentials because sometimes certain servers don't get updated properly (or there can be a delay). If none of them are working, then reset again. In rare cases you may need to reset your credentials several times before it works.
After logging in to your account, click on Devices, and then choose Manual under the advanced section at the bottom (beside Shadowsocks).
If you don't know how to use OpenVPN, you can follow the guides on the Surfshark website, with the following exception.
You will need to edit the .ovpn config file and change the server hostname to an IP address.
To find working IPs, follow the same instructions as Shadowsocks, except do not add +1 to the IP address. You will need to use the IP addresses from OpenDNS CacheCheck results directly.
If you are using Windows 10, you will also need to add the line block-outside-dns to the config file.
Here is an example of my edited config file for a Japan server on Windows 10.
The easiest way to edit the OpenVPN config file is to download the file on a computer, make the edits, save the file, then transfer it to your device (for iOS you can email it to yourself because transferring by USB doesn't seem to work).
Alternatively, if you don't have a computer available, you can use a text editing app to edit the file directly on your device.
For iOS, I recommend the Documents by Readdle app. First install both the OpenVPN Connect app and the Documents by Readdle app. Then download the OpenVPN config file from the Surfshark website using Safari. Instead of Opening it with OpenVPN, choose "More...", and then choose "Copy to Documents". This will open the file in the Documents by Readdle app. After you you make the edits, tap the ... symbol in the top right and then choose Share. Then choose "Copy to OpenVPN".
Android is much easier to work with, so you don't need to follow specific steps like you do with iOS. There are many text editing apps available for Android that will work. Personally, I like the Just Notepad app.
Just download the config file to your Android device, edit it with any text editing app, save it to your device, then import it into the OpenVPN Connect app.