The phrase Great Firewall of China (sometimes abbreviated GFW) refers to a set of technical mechanisms operated at the network level in mainland China that filter and modify internet traffic crossing the country's borders. This page is a factual explainer of how those mechanisms work. It does not take a position on policy.
This is a reference page. Journalists, academics, and traveler-prep writers often link to factual explainers like this one — we try to keep it updated and accurate.
The Great Firewall is not a single piece of software or a single location. It is a combination of filtering techniques applied at several points in the Chinese internet backbone, primarily at the border gateways where mainland networks connect to international transit providers. The techniques have evolved substantially since they were first described publicly in the early 2000s.
When a device in mainland China tries to resolve the domain name of a blocked service (say, a popular social platform), DNS servers along the path return incorrect or empty results. The device then cannot find the server's IP address. This is the first and simplest filtering mechanism, and it blocks casual browser access effectively.
IP addresses belonging to blocked services are null-routed or dropped at border routers. Even if a device has the correct IP address (bypassing DNS filtering), packets sent to it do not reach the destination.
Deep packet inspection (DPI) equipment inspects the contents of packets in transit. If the packets match patterns associated with specific protocols (TLS certificates from certain issuers, handshake signatures from certain VPN implementations, QUIC patterns that do not resemble ordinary web traffic), the connections can be throttled, reset, or blocked. DPI is the most sophisticated layer and has been refined continuously since 2015.
Server Name Indication (SNI) is the part of a TLS handshake that announces which hostname a client is trying to reach. Even though the rest of the connection is encrypted, the SNI is visible to any network observer. Border routers can read the SNI and drop connections to blocked domains.
Servers flagged as suspicious (fresh IP addresses, unusual protocols) can be probed by automated scanning systems. If the probe response matches known VPN or circumvention-tool patterns, the server is added to a blocklist.
The set of filtered services changes over time. As of 2026, most major Western services (Google, Facebook, Instagram, WhatsApp, YouTube, Twitter / X, Reddit, Wikipedia in some editions) are unreachable from mainland networks. Most Chinese services (WeChat, Weibo, Douyin, iQIYI, Taobao, JD.com) are reachable normally.
For a regularly updated reference list, see apps and sites with regional issues in China.
A VPN establishes an encrypted tunnel from the user's device to a server outside mainland China. Once the tunnel is up, all web traffic flows through that tunnel, and the filtering mechanisms described above do not apply to the encapsulated traffic — they only see the tunnel itself.
The question is whether the tunnel establishment is visible to DPI. Modern obfuscated transports are designed so the tunnel handshake looks like ordinary HTTPS or QUIC traffic, which makes pattern-based blocking difficult. See the obfuscated VPN explainer for how these work.