Self-built VPN series Part 7: WireGuard handshake is normal but the network won't open? Why it has to be CN2 GIA, with DMIT deployment and out-of-stock alternatives
Preface
Recently many friends have asked me a strange question: the WireGuard client shows a perfectly normal 'Last handshake time', which means the VPN connection has been established, yet neither domestic nor foreign websites will open. What is going on?
I ran into exactly the same problem. After a long investigation, the AllowedIPs configuration was fine, the firewall rules were correct, the server status was normal and handshake packets went through, but as soon as I opened a web page it hung and would not load.
Later I worked out the root of this phenomenon: small packets and large packets are treated completely differently. A WireGuard handshake is only a few dozen bytes, a tiny control packet; even when the link is on the verge of breaking, a packet this small can still squeeze through, so the client reports a normal handshake. Real business traffic, on the other hand, consists of much larger packets (a page load runs into megabytes), and a congested network cannot carry them at all, so the page simply comes up blank.
So why is it congested? Because the VPS line you use is too poor. On an ordinary international route, once the domestic evening rush hour (20:00-23:00) begins, users across China are crowded onto the same international exit, and it jams up like a parking lot.
I also considered adjusting AllowedIPs so that domestic websites no longer go through the VPN: exclude every domestic IP range, let domestic traffic connect directly and send only foreign traffic through the tunnel. After trying it, I found that this does not solve the problem cleanly: there are far too many domestic and foreign IP ranges, and many of them overlap.
So there is only one way to fix this at the root: find a premium line that is stable enough not to congest even in the evening rush hour, which is what we usually call the China Telecom CN2 GIA line. Only with such a line can you be sure that, no matter when, your VPN runs smoothly and the strange 'handshake normal but website won't open' problem never appears.
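To check for this 'handshake fine, data not flowing' pattern on your own machine, the following added example (not code from the original post) parses the output of `wg show <iface> dump`, checks how fresh the latest handshake is, and then pings a host through the tunnel with increasing payload sizes and Don't-Fragment set, to find the largest packet that still gets through. The sample dump text is constructed; the ping flags are the Linux iputils ones, and the interface name and target host are arguments you supply.

```python
"""Diagnose a WireGuard tunnel that 'handshakes fine' but passes no data.

Added example, not code from the original post. `wg show <iface> dump` is a
real wg(8) sub-command; the sample output below is constructed.
"""
import shutil
import subprocess
import time

# WireGuard re-handshakes every ~2 minutes while traffic flows, so a handshake
# older than this means the tunnel is not really alive.
HANDSHAKE_STALE_AFTER = 180

# Payload sizes to probe. 1392 + 28 bytes of IP/ICMP header = 1420, the default
# WireGuard interface MTU, so a healthy tunnel should answer every size here.
PROBE_SIZES = (56, 500, 1000, 1200, 1392)


def parse_wg_dump(dump_text):
    """Parse `wg show <iface> dump` into a list of peer dicts.

    The first line describes the interface; each following tab-separated line
    is one peer: public_key, preshared_key, endpoint, allowed_ips,
    latest_handshake (unix time, 0 = never), rx_bytes, tx_bytes, keepalive.
    """
    peers = []
    for line in dump_text.strip().splitlines()[1:]:
        f = line.split("\t")
        if len(f) < 8:
            continue
        peers.append({
            "public_key": f[0],
            "endpoint": f[2],
            "allowed_ips": f[3],
            "latest_handshake": int(f[4]),
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
        })
    return peers


def handshake_state(peer, now=None):
    """'never', 'stale' or 'fresh' depending on the age of the last handshake."""
    now = time.time() if now is None else now
    if peer["latest_handshake"] == 0:
        return "never"
    return "fresh" if now - peer["latest_handshake"] <= HANDSHAKE_STALE_AFTER else "stale"


def ping_size(host, payload, timeout=2):
    """True if one ICMP echo with `payload` data bytes is answered.

    -M do sets Don't-Fragment, so an oversize packet is dropped instead of
    being split; adjust the flags on non-Linux platforms.
    """
    if shutil.which("ping") is None:
        raise RuntimeError("ping not found")
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def sweep(host, sizes=PROBE_SIZES):
    """Return [(payload_size, passed), ...] for each size, in order."""
    return [(s, ping_size(host, s)) for s in sizes]


def largest_passing(results):
    """Largest payload size that was answered, or None if nothing passed."""
    passed = [s for s, ok in results if ok]
    return max(passed) if passed else None


def diagnose(peer, results, now=None):
    """Combine handshake state and the size sweep into a one-line verdict."""
    state = handshake_state(peer, now)
    biggest = largest_passing(results)
    probed_max = max(s for s, _ in results)
    if state != "fresh":
        return f"handshake {state}: the tunnel itself is down, fix that first"
    if biggest is None:
        return "handshake fresh but even small pings fail: routing/AllowedIPs or firewall problem"
    if biggest < probed_max:
        return (f"handshake fresh but payloads above {biggest} bytes are dropped: "
                "large packets are not getting through the path")
    return "handshake fresh and all probe sizes pass: the tunnel path looks healthy"


# Constructed sample of `wg show wg0 dump` output (keys shortened to placeholders).
SAMPLE_DUMP = (
    "PRIVKEY=\tPUBKEY=\t51820\toff\n"
    "PEERKEY=\t(none)\t203.0.113.10:51820\t0.0.0.0/0\t1700000000\t2048\t98304\t25\n"
)

if __name__ == "__main__":
    import sys  # usage: python wgcheck.py wg0 <host reachable only via the tunnel>
    dump = subprocess.check_output(["wg", "show", sys.argv[1], "dump"], text=True)
    print(diagnose(parse_wg_dump(dump)[0], sweep(sys.argv[2])))
```

Run it as root (wg needs it) with the interface name and a host that is only reachable through the tunnel; the verdict separates "tunnel down", "nothing routes" and "only small packets pass", which is the case the post describes.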
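For readers who still want to try the split-tunnel approach described in the preceding paragraph, here is an added example (not code from the original post) that computes the AllowedIPs value as 0.0.0.0/0 minus a list of ranges that should go direct, merging overlapping entries first. The excluded ranges are constructed placeholders (private and documentation prefixes), not a real domestic IP list; a real list has thousands of entries, and the same function handles the overlaps among them.

```python
"""Compute a split-tunnel AllowedIPs list: everything except excluded ranges.

Added example, not from the original post. Only the Python standard
library's ipaddress module is used.
"""
import ipaddress


def allowed_ips_excluding(excluded, universe="0.0.0.0/0"):
    """Return the sorted, collapsed CIDRs of `universe` minus every network in `excluded`.

    Overlapping or duplicate exclusions are merged first, so the result is
    the same regardless of how messy the input list is.
    """
    universe = ipaddress.ip_network(universe)
    # collapse_addresses merges duplicates, adjacent blocks and subnet/supernet pairs.
    merged = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(x, strict=False) for x in excluded))
    remaining = [universe]
    for net in merged:
        next_remaining = []
        for block in remaining:
            if net.subnet_of(block):
                # Carve the excluded network out of this block (CIDR blocks are
                # either nested or disjoint, so this is the only split case).
                next_remaining.extend(block.address_exclude(net))
            elif block.subnet_of(net):
                pass  # the whole block is excluded
            else:
                next_remaining.append(block)
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def covers(allowed, ip):
    """True if `ip` falls inside any CIDR of the AllowedIPs list (i.e. goes via the tunnel)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def wg_allowed_ips_line(allowed):
    """Render the list as the value of a WireGuard [Peer] AllowedIPs setting."""
    return "AllowedIPs = " + ", ".join(str(n) for n in allowed)


# Constructed exclusion list standing in for 'domestic' ranges.
# 10.0.0.0/8 and 10.1.0.0/16 overlap on purpose to show the merge.
EXCLUDE_DIRECT = ["10.0.0.0/8", "10.1.0.0/16", "192.0.2.0/24", "198.51.100.0/24"]

if __name__ == "__main__":
    allowed = allowed_ips_excluding(EXCLUDE_DIRECT)
    print(f"{len(allowed)} CIDRs in AllowedIPs")
    print(wg_allowed_ips_line(allowed))
```

Note that excluding a handful of ranges already produces a dozen or so CIDRs; with a full country list the AllowedIPs line grows to thousands of entries, which is the practical difficulty the post mentions.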
1. First, understand: what is the difference between the three mainstream VPS lines? Why must it be CN2 GIA?
Many beginners buying a VPS are confused by the terms 'BGP', 'CN2 GIA' and 'Cmin2' in the merchants' marketing and don't know which one to choose. The three are like the difference between an ordinary national highway, a provincial road and a VIP expressway; the experience is very different.
- Ordinary international BGP: the most basic 'national road'
The ordinary international BGP line is the most basic Internet routing. There is no special optimization for domestic carriers, and the traffic of all users is crowded onto the same international exit.
Latency: from China to Los Angeles, usually around 180-220ms;
Evening peak performance: after 20:00 the congestion is very serious, and the packet loss rate can reach 5%-20%.
Suitable scenarios: only for a temporary transition, or for uses with very low network requirements; the daily experience is very poor.
This is why, although the Vultr plan from earlier in the series is cheap, I only treat it as a spare fallback: its line is this ordinary BGP, fine for a temporary transition but not for long-term use.
- Cmin2: 'provincial road' for China Mobile users
Cmin2 is China Mobile's international optimized line, specially optimized for the return traffic of Mobile users; think of it as a semi-VIP channel reserved for Mobile users.
Latency: for Mobile users the latency can drop to 70-90ms, much better than ordinary BGP; for Telecom users, however, it is just an ordinary optimized route, with latency of about 60-80ms, not as good as CN2 GIA;
Evening peak performance: much better than ordinary BGP, but there is still slight congestion, with a packet loss rate of about 1%-3%.
Suitable scenarios: Mobile users, or users on a limited budget who do not need top stability; good value, but not as stable as CN2 GIA.
The low-cost optimized packages from providers such as Racknerd and CloudCone mentioned earlier are actually this Cmin2 or CN2 GT (half-way CN2 optimized) line. Their prices fit our $20 budget exactly, but their Telecom path is not real CN2 GIA, and evening peak stability is still slightly worse.
- CN2 GIA: 'VIP expressway' for China Telecom users
CN2 GIA is China Telecom's premium end-to-end optimized line and currently the best civilian international line available, bar none. It is like a VIP expressway opened just for you: starting from your provincial node at home, the whole path runs over China Telecom's CN2 backbone, with no ordinary congested nodes anywhere along the way.
Latency: from China to Los Angeles, USA, stable at 30-60ms; coastal areas can even get below 20ms, similar to visiting a domestic website;
Evening peak performance: because CN2 GIA has dedicated QoS priority, even when the whole network is congested in the evening rush hour, Telecom prioritizes GIA users' traffic, so evening peak packet loss can stay below 0.5%, practically unnoticeable; whether you watch 4K video, play games or download large files, nothing stutters;
How to tell real from fake CN2 GIA: very simple. Run a traceroute; if all the core hops start with 59.43, it is real CN2 GIA; if any hop starts with 202.97, it is fake, either CN2 GT or an ordinary line.
This is why we must find a CN2 GIA line: only it guarantees that, no matter when, your VPN runs smoothly and the 'handshake normal but website won't open' problem never appears again.
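The 59.43 / 202.97 rule above is easy to apply by hand, but it is also easy to script so you can re-check a VPS during the evening peak. The following added example (not code from the original post) extracts the hop addresses from a `traceroute -n` output and returns a verdict using exactly that rule. Both traceroute samples are constructed: the 59.43.0.x and 202.97.0.x addresses are placeholders chosen only to carry the signature prefixes, and the other hops are private/documentation addresses, not real routers.

```python
"""Classify a traceroute by the hop prefixes that identify China Telecom's CN2.

Added example, not from the original post. Rule from the post: hops starting
with 59.43 belong to the CN2 backbone (real CN2 GIA); hops starting with
202.97 belong to ChinaNet's ordinary backbone (CN2 GT or a plain line).
"""
import re
import subprocess

CN2_PREFIX = "59.43."
CHINANET_PREFIX = "202.97."
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def hop_addresses(traceroute_text):
    """Return the first IPv4 address on each hop line; None for '* * *' hops."""
    hops = []
    for line in traceroute_text.splitlines():
        if not re.match(r"\s*\d+\s", line):
            continue  # header line or blank
        m = IPV4_RE.search(line)
        hops.append(m.group(1) if m else None)
    return hops


def classify_route(hops):
    """Verdict: any 202.97.* hop => not full CN2 GIA; only 59.43.* hops => CN2 GIA."""
    cn2 = [h for h in hops if h and h.startswith(CN2_PREFIX)]
    chinanet = [h for h in hops if h and h.startswith(CHINANET_PREFIX)]
    if chinanet:
        return "not CN2 GIA (202.97.* hop seen: CN2 GT or ordinary line)"
    if cn2:
        return "CN2 GIA (59.43.* backbone hops and no 202.97.* hops)"
    return "no CN2 or ChinaNet backbone hops seen (route unclear or non-Telecom path)"


def trace_and_classify(host):
    """Run the system traceroute (Linux/macOS, numeric output) and classify the path."""
    proc = subprocess.run(["traceroute", "-n", host], capture_output=True, text=True, timeout=120)
    return classify_route(hop_addresses(proc.stdout))


# Constructed sample: a path that stays on the CN2 backbone.
SAMPLE_GIA = """traceroute to 203.0.113.50 (203.0.113.50), 30 hops max
 1  192.168.1.1  1.2 ms
 2  * * *
 3  59.43.0.1  4.1 ms
 4  59.43.0.2  36.5 ms
 5  203.0.113.50  45.0 ms
"""

# Constructed sample: a path that drops onto the ordinary ChinaNet backbone.
SAMPLE_GT = """traceroute to 203.0.113.50 (203.0.113.50), 30 hops max
 1  192.168.1.1  1.0 ms
 2  202.97.0.1  8.3 ms
 3  59.43.0.2  150.2 ms
 4  203.0.113.50  190.7 ms
"""

if __name__ == "__main__":
    import sys  # usage: python cn2check.py <VPS IP>   (or no argument to see the samples)
    if len(sys.argv) > 1:
        print(trace_and_classify(sys.argv[1]))
    else:
        print("sample GIA:", classify_route(hop_addresses(SAMPLE_GIA)))
        print("sample GT: ", classify_route(hop_addresses(SAMPLE_GT)))
```

Run the trace from your home line towards the VPS (the outbound direction) and, if you have shell access, from the VPS back towards your home IP, since the return path is the one that matters for download speed and the two can differ.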
Why are DMIT and ZgoCloud the only real CN2 GIA options within a $20 budget?
Many merchants advertise CN2 lines, but most are fake: either half-way CN2 GT, or an ordinary line dressed up as CN2 to fool people. Real CN2 GIA is very expensive, and most providers' CN2 GIA packages cost far more than our $20 budget.
After screening, only two providers offer a real CN2 GIA line within this budget:
DMIT: its Premium network is a self-operated CN2 GIA line. The official site explicitly labels it CN2 GIA, it runs over China Telecom's next-generation carrier network, and the bandwidth is self-operated rather than resold, so line quality is well guaranteed. The $12.98/month lax.an5.pro.tiny package is on this line, but unfortunately it is out of stock right now (Note: I waited about 2 weeks and never saw a restock).
ZgoCloud: its new Los Angeles three-network optimized package routes China Telecom over CN2 GIA, China Unicom over the premium 9929 route and China Mobile over Cmin2, so all three carriers use their own premium lines. The entry-level plan is only $58/year, or $5/month, far below our budget, and still gets you a real CN2 GIA line; the value is excellent (Note: the low-priced package is also often out of stock. My home line is Chengdu Mobile broadband; in the end I chose a higher-priced package and still waited a few days).
Others such as Racknerd and CloudCone also fit the budget, but their lines are Cmin2 or CN2 GT, not real end-to-end CN2 GIA, and evening peak stability is still a little worse, so they can only serve as alternatives.
2. Register an account (works directly from China, no need to go over the wall)
- Open the DMIT registration page directly: https://www.dmit.io/register.php (it opens without going over the wall, even while my VPN is down) (Figure 2)

- Enter your email address, set a password, complete the slider CAPTCHA and click 'Register' (no phone number required; as simple as Vultr registration)
- After registration the system logs you in automatically, so there is no need to enter the account and password again. Later you only need to complete email verification (the verification email is sent to the registered address, to keep the account in good standing) (as shown in Figure 3).

3. Deploy the basic server
Key point: DMIT requires a 'valid order' (a deployed server) before you can add funds (otherwise it prompts 'You must have at least one active order before you can add funds'), so deploy the server first and then top up. This is a slight change from my earlier Vultr process, but the operation is otherwise the same.
Status of all nodes: at present DMIT's core nodes are either out of stock or too expensive, which matches exactly what I have observed:
- Los Angeles node: all instances on the Premium, Eyeball and Tier 1 networks are out of stock, including the lax.an5.pro.tiny (Premium network, $12.98/month) that I could just about accept; the whole AN5 series at this node is sold out (Figure 6);

- Tokyo node: all network types and all instances are out of stock, so nothing can be deployed. This follows the same restocking pattern as Los Angeles, and a large release of inventory in the short term is unlikely (Figure 4);

- Hong Kong node: only some instances on the Eyeball network are in stock, at $29.90/month; the cheapest Premium network package ($39.90/month) is also out of stock, and even when in stock, both network types cost far more than the $12.98/month I can accept.
Supplementary note: the DMIT Los Angeles low-cost package is out of stock mainly because global hardware costs keep rising and the merchant has suspended sales of the Los Angeles AN5 series; at the same time it plans to expand and upgrade the AS3 (LTS) platform, which will become the core cost-effective product line and is expected to keep a low price around the $12.98 level, but it has not launched yet and the launch date is undetermined.
Judging by the state of the industry and DMIT's official announcement, the low-priced Los Angeles Premium package ($12.98/month) is unlikely to be restocked in the short term (within 1-2 months); only occasionally does a small amount of inventory freed up by cancelling users appear, and it sells out within minutes of restocking. The Hong Kong Eyeball package is too expensive, far over my budget, and I do not recommend choosing it reluctantly. The cost-effective alternative providers below are prioritized instead (all support one-click WireGuard deployment and Alipay/WeChat payment, and the workflow is basically the same as DMIT and Vultr).

4. Options that fit my budget (sorted by priority, focusing on alternative providers, for a budget of about $12.98):
- Option 1 (preferred, fits my budget): monitor the Los Angeles low-cost inventory closely and set up restock alerts, so you can grab the small amounts that do come back. Open the DMIT stock monitor page (https://stock.qixi.me/), which syncs the stock status of all DMIT network types and instances in real time, so you don't have to refresh the official site manually (as shown in Figure 7). Also keep an eye on the DMIT AS3 (LTS) platform expansion: it is expected to stay low-priced after launch, so watch the official announcements.

- Option 2 (key recommendation, replaces the expensive Hong Kong node; choose this first): pick an equally cost-effective alternative provider (matching my operating habits: one-click WireGuard deployment, Alipay/WeChat payment, priced within the $12.98 budget, no need to accept Hong Kong's $29.90). Below are three mainstream, stable providers sorted by value; they meet daily needs, and their workflow is basically the same as DMIT's, so you can follow the later steps of this guide directly:
Supplementary note: for the following 4 alternative providers, opening the official site, registering, deploying a server, adding funds and deploying WireGuard all work without going over the wall, and the workflow is exactly the same as for DMIT in this guide; only the site layout and package names differ slightly, so you can follow the later steps directly without learning a new process.
2.1 ZgoCloud (ZGoVPS): currently has three-network optimized VPS back in stock in Los Angeles, very cost-effective and within my budget. Core advantages: datacenter in Los Angeles, USA, with a premium China-optimized network (CN2 GIA + 9929 + Cmin2 three-line optimization), latency 30-60ms, basically the same experience as DMIT's Los Angeles Premium network, strong stability, no detours or packet loss in the evening peak; one-click WireGuard deployment (with TLS anti-blocking), no SSH login or scripts needed; Alipay/WeChat payment, and the official site is reachable from China without going over the wall. Recommended package: the entry plan is only $58/year (about $5/month) for 1 core (AMD EPYC)/1 GB RAM/10G NVMe, enough for daily browsing of foreign sites and Google search/translation; if you need more, a $12-15/month plan upgrades to 1 core/2G RAM with 1T monthly traffic, still within my budget and roughly half of Hong Kong's $29.90.
2.2 Racknerd: a mainstream cost-effective provider, close to DMIT in positioning, with guaranteed stability. Core advantages: the Los Angeles node has cheap optimized-line packages (similar to the DMIT Premium experience), occasionally restocked, at $12-15/month, which fits my budget; one-click WireGuard deployment, Alipay payment, and the official site is reachable from China; the line is Cmin2-optimized, latency 60-80ms, evening peak stability is good, far better than my previous Vultr Singapore node; the current entry package (1 core/2G RAM, 1T monthly traffic) is $12.99/month, basically the same as the DMIT $12.98 I could just accept, so no need to go over budget.
2.3 CloudCone: a niche but stable provider focused on cost-effective optimized lines, suitable for a temporary transition or long-term use. Core advantages: a Los Angeles optimized-line package (similar to the DMIT Eyeball experience) at $13-16/month, with occasional promotions as low as $12/month; one-click WireGuard deployment (with anti-blocking configuration), Alipay/WeChat payment, and a workflow identical to DMIT's; latency 70-90ms, fully sufficient for daily browsing and office work with no obvious lag, and far cheaper than Hong Kong's $29.90, so there is no need to reluctantly accept a high price.
2.4 Fallback transition: ColoCrossing (CC): if none of the three providers above restock, use this one as a temporary transition; it is currently in stock and the price is stable. Core advantages: a regular Los Angeles node package at about $13/month, which fits my budget; Alipay payment, and the official site is reachable from China; the line is ordinary international BGP with latency of 180-220ms, so although it is slower than an optimized line, it is enough for daily browsing of foreign sites, and it supports one-click WireGuard deployment, is easy to operate, and avoids waiting for a restock.
- Option 3 (not recommended, for reference only): if you need something urgently in the short term and can temporarily accept a large overrun of the budget, consider the DMIT Hong Kong Eyeball network instance that is in stock ($29.90/month). The node is optimized for all three carriers, latency is 30-70ms (Telecom 30-60ms, Unicom 20-40ms, Mobile 40-70ms), stability is good with basically no lag in the evening peak, and it supports one-click WireGuard deployment with TLS anti-blocking, so it fully meets daily use; but the price far exceeds my budget and the value is much lower than the Option 2 alternatives. Choose it only temporarily, and only when every alternative provider is out of stock.