The VM instance is good for setting up a VPN tunnel, but it's not good in terms of bandwidth if it's hosted in. Because of DPI capacity, China has a very limited amount of "real internet" bandwidth. A more capable setup is to have one VM on each side of the firewall on an hosting service with peering between inside and outside - Aliyun (Alibaba Cloud) is an example. The "inside" VM could be just "socat UDP4-RECVFROM:<port>,fork UDP4-SENDTO:<remote>:<port>" or something done using netfilter.
Like others commented in this thread, having an obfuscator is a good idea to ensure the traffic is not dropped by DPI.
When the inevitable ban comes and your VPN stops working, rotate the IP of the external VPN and update the firewall/socat config to reflect it. Usually, the internal VM's IP doesn't need to be updated.
How easy is it to get a VPS in China.
Could HK work?
HK "outside" the firewall, for now. It's where you would place the outside VM.
But does access to HK go throught the firewall?
The access from mainland to HK goes through the firewall, the access from HK to the normal internet is unrestricted as far as I know. The communication between the two VMs still needs to be obfuscated and encrypted. The only reason for the VM inside the Chinese Internet is higher bandwidth.