
I'd go for ssh if I was trying to bypass it. At least legally I can claim that I'm just sshing to my aws server and not be jailed for using vpn.


Trying to get off the hook on a technicality isn't going to work. Lots of people use VPNs completely in the open without getting jailed, because they're not otherwise of interest, but if you are being targeted, nobody is going to care about your "sshing to aws" excuse. And ssh tunneling web traffic looks quite different from normal ssh usage anyways.


> And ssh tunneling web traffic looks quite different from normal ssh usage anyways.

Could you explain this further? This seems counter to my understanding of encrypted traffic!


I assume the timing patterns and amounts of data would likely be distinct between SSH and web. "Normal" SSH usage would mostly consist of much lighter packets, such as user keystrokes and terminal screenfuls of text. Typing tiny commands and getting a few kilobytes of output. SSH file transfers happen occasionally, sometimes with a large bulk of data.

Active web browsing requires downloading a crapton of files with wildly different sizes and sporadic timings between them. Add normal user interaction, API requests, ad cycles, long video streams that won't max out all bandwidth, all happening at once across multiple tabs. The client also sends much more data with each TLS handshake and all those HTTP headers.

This could probably be masked by deliberately filling idle periods with garbage data just to appear as a stable data stream both ways.


Forget using a real web browser over an SSH proxy. What about using elinks on a remote host with ssh? I bet somebody using elinks across ssh is virtually indistinguishable from somebody using a text editor.

Not much good for images or video, but you could easily read https://text.npr.org/


SSH encryption only hides the content, not how much is being sent and when. When your browser fires off a bunch of requests to load a webpage, the timing is different from running typical commands on a server and receiving the output.
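
The size-and-timing point made in the comments above, as an added example that is not part of the thread: a monitoring-side sketch that labels an encrypted flow from packet metadata alone. The record format, thresholds and both sample flows are constructed assumptions, not measured values.

```python
from statistics import median

# Each record is (time_s, direction, payload_bytes); direction is "up"
# (client to server) or "down". Only metadata is read, never content.

def flow_features(packets, burst_gap=0.05, burst_min_bytes=20_000):
    up = [s for _, d, s in packets if d == "up"]
    down = [(t, s) for t, d, s in packets if d == "down"]
    # A burst is a run of downstream packets less than burst_gap apart.
    bursts, run_bytes, last_t = 0, 0, None
    for t, s in down:
        if last_t is not None and t - last_t > burst_gap:
            bursts += run_bytes >= burst_min_bytes
            run_bytes = 0
        run_bytes += s
        last_t = t
    bursts += run_bytes >= burst_min_bytes
    return {
        "median_up": median(up) if up else 0,
        "down_bytes": sum(s for _, s in down),
        "large_bursts": bursts,
    }

def classify(packets):
    f = flow_features(packets)
    # Thresholds are illustrative assumptions, not measured values.
    score = ((f["median_up"] > 200) + (f["large_bursts"] >= 3)
             + (f["down_bytes"] > 200_000))
    return "web-like" if score >= 2 else "interactive"

def interactive_sample():
    # Constructed: 60 keystrokes (36 B up, 36 B echo), then 4 KB of output.
    pkts = []
    for i in range(60):
        pkts += [(i * 0.2, "up", 36), (i * 0.2 + 0.01, "down", 36)]
    return pkts + [(12.5, "down", 4096)]

def web_sample():
    # Constructed: 5 page loads, a 600 B request then 40 x 1400 B down.
    pkts = []
    for page in range(5):
        t0 = page * 3.0
        pkts.append((t0, "up", 600))
        pkts += [(t0 + 0.1 + k * 0.001, "down", 1400) for k in range(40)]
    return pkts

if __name__ == "__main__":
    for name, sample in (("interactive", interactive_sample()), ("web", web_sample())):
        print(name, flow_features(sample), "->", classify(sample))
```
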


Open network tools in your browser and go to Reddit, count total traffic. Now compare it with a typical SSH session, even with 'tail -f' some logs.


> At least legally I can claim that I'm just sshing to my aws server and not be jailed for using vpn.

Your mistake is assuming that China has rule of law. If you're in China and you upset Xi enough, you get jailed/disappeared even if you technically didn't break any laws on the books.


I suspect TCP tunneling your traffic looks different than SFTP-ing some files around.


Using ssh for proxying is getting blocked within the first minute.


Could be a use case for X-Windows with ssh -X [0]? (so your web browser is actually running outside the GFW, it's just the window updates that are coming over the SSH tunnel).

[0] https://unix.stackexchange.com/questions/12755/how-to-forwar...


Any ssh traffic that does not look like ssh traffic (few bytes sent to server, some more bytes returned) gets either terminated or slowed down to a crawl.


Does this mean that in addition to the classic fail2ban, geoip firewall, or forever super slow login banners, we could also have a honey pot sending a lot of data with a traffic pattern similar to web browsing?



