> it's basically not possible to run any kind of outbound VPN connection (even to private servers) from inside of China anymore.
Really? Because the paper you linked says they don't block any TLS connections so you can just run a VPN over TLS:
> TLS connections start with a TLS Client Hello message, and the first three bytes of this message cause the GFW to exempt the connection from blocking.
Give it a try if you want; it doesn't work. For TLS traffic they track what the connection looks like over time; a TLS connection for normal web traffic versus a VPN connection tunneling through TLS apparently look different enough that they can detect and cut it off.
Worth noting is that OpenVPN’s TCP TLS mode does not work that way. It’s essentially the UDP protocol messages except wrapped into TCP. The initial handshake is not a normal TLS client hello.
Not sure about other SSL VPNs.