My wife will be in mainland for about three weeks and she need to connect her laptop to her employers vpn network. Pretty sure this connection will be banned in mainland. There was no "great firewall" on foreign SIM cards when we was in mainland in the past. Is it still possible to bypass the firewall with a Hongkong SIM card? Then I would get a mobimatter.com eSIM for her, 30GB for $30. This will be a Three HK eSIM, couldn't find any informations about the speed of this card. My Three UK SIM card was always very slowly when I used it abroad, how about the Three HK SIM?

I think the firewall is more about preventing access via servers, not via SIM cards? I might be wrong though..

Fi is okay, but local SIM + V is a much better plan.

But with a local SIM and a VPN my wife needs to connect to the VPN and then connect to her employers VPN, which will not result in a very reliable connection? With a foreign SIM card she can connect to her employers VPN directly.

Don't understand what you mean, when we was in mainland couple of years ago it with not possible to use Google etc. without VPN with a local SIM card. And the VPN connection wasn't reliable. I guess this situation will not be better now?

The OP is right in their basic question, a roaming SIM card has its traffic tunnelled back to the customers home network and it breaks out to the internet in the country where the SIM card was issued. It therefore does bypass the great firewall.

This tunnelling of data is part of the GSM standard and as far as I know China has never sought to meddle with it. This principle was still working in autumn last year.

A previous good value trick was to buy traveller SIMs off eBay from HK for use in China but I think with the requirement more recently to have proof of ID to get a HK SIM card this opportunity has dried up as a mail order service. Traveller SIMs in other SE Asia countries with bundles of data at a sensible price that can be used in China is an option as is using China Mobile's overseas virtual networks, eg. CMlink UK.

So any HK SIM with roaming enabled in China will have its traffic routed via a tunnel back to the network in HK and access the internet from there. That also includes ChinaMobile HK. And you can hence access employer VPNs and any other services typically blocked in China without restriction whilst roaming in China.

I haven't come across a foreigner here that had an issue with an employer VPN not working, China doesn't care too much about what the foreigners in China are looking at, they try to block access to what their own people can see.

Foreign SIM cards can bypass the firewall either by just using cellular data or via VPN/wifi.

For the mainstream VPN's - avoid ExpressVPN it stopped working sometime last year. Astril works ok for my needs.

Thank you

But a tunnel to her employers network through Astril VPN will be reliable? Astril charge $30 a month, for this price I could get her a mobimatter.com Three HK eSIM with 30 GB, which should give her enough traffic for the three weeks she will be in mainland and she doesn't need a mainland SIM card. Wouldn't that be more reliable compared to a possible banned VPN connection? Just wondering about the speed of the HK eSIM in mainland, but I guess a VPN will also not be very speedy.

If you have a roaming SIM card with enough data for use in China at a sensible cost along with a backup of an employer's VPN (assuming it's not blocked or hosted in Google cloud) then I wouldn't be faffing with a public VPN; it might be pragmatic to have pre-downloaded a VPN app or two just incase but not to take out a subscription.

It's true that employer VPNs, assuming they use SSL (as opposed to a known VPN protocol like IPSEC, PPTP, etc) will typically work from within China without VPN or roaming, but only up to a point. From my experience the firewall will look at traffic patterns and the technology will spot traffic that appears to be tunneled - very long lived TCP connections with either too much traffic, or periods with little or mo traffic but blips that look like keep-alive packets, and it will over time rate shape these to the point where they are inaccessible for a day or so from your China IP, or just superslow for an extended period of time. From my experience tunnelling through SSH (requires a bit more tech knowhow) has been been treated with less suspicion than SSL but do too much and the curtains eventually close.

​​​​​​In a pre-pandemic visit, I was able to do the graveyard overnight shift over several days on a data centre migration for my $dayjob in the UK from China just with my employers VPN on SSL and SSH using local broadband, with the backup of a roaming SIM card. YMMV...

Don't know which protocol they use for her employers VPN but they use a GlobalProtect Gateway which seems to be very strict. E.g. she never was able to connect to the network from a public wifi but it's always working when she use her SIM card instead. Can't be a IP issue, as she used her private HK SIM card last time (in HK).
So getting her a HK eSIM with 30 GB or 45 GB will be her best choice. Thank you.

Global Protect is the product name of the remote access VPN that is a feature of Palo Alto corporate firewalls.

GP supports many different types of configuration, but if the admins of your wife's workplace have chosen to use a traditional VPN protocol like IPSEC then the great firewall will be blocking that by default. She could open a ticket and ask if they have a different configuration for her device (probably SSL) that might offer a backup option for access from a China WiFi/broadband.

But getting good slug of roaming data for a sensible cost on a HK SIM is very much the easiest option.

The GFW does not block IPsec at all. In fact it is one of the most reliable protocols to get through the GFW because it is so widely used for corporate VPNs. I use IPsec for my personal VPNs running off my personal IP addresses in the USA, and it's been rock solid for more than a decade.

The GFW will instead block IPs regardless of the protocol if they suspect that it is a commercial VPN provider. For a corporate VPN this is usually not a problem.

If IPSEC is not natively blocked then I stand corrected, but my experience and that of my other contacts using s variety of different VPN types, corporate or otherwise has been that IPSEC has not worked for a long time unless you have a VPN that is approved/licenced by the authorities.

I agree much of the intelligence of the GFW is pattern matching traffic on any port.

There is one caveat to the reliability of IPsec, you must have your own public IP address. For home users with their own public IPv4 address, operating one IPsec connection to the corporate HQ is usually fine, even with a NAT gateway in between. Once you start running two connections (e.g., one from your laptop and one from your phone) to the same end-point, at least one of them will devolve into UDP. At that point IPsec will no longer be distinguishable from any other VPN technology and may be subject to summary blocking by the GFW.

If you want something more reliable - bring a router that allows you to install Astrill, use the router to connect to it, and then use your laptop to connect to the router and then on to the employer's firewall.

Travel SIMs also work - my US TMo works well (though speed is slow because of the TMo's plan), so the HK SIM may be an option as well.