Ultrasurf Features
Refund period: 0 days
Based in which country: USA
# devices per license: 1
# servers: Unknown
Server locations:One location in the USA
Streaming sites unblocked: Netflix, Disney+, NBC
Supports torrenting: Yes
Does VPN keep logs:No
24/7 customer support: No
Website: https://ultrasurf.us/

In 1999, the Chinese Communist Party decided to crack down on the Falun Gong religious movement and its 70 million followers. Alleged atrocities against this group include “disappearing,” torture, and organ harvesting. The Chinese government’s tight control of the media and its internet censorship made it impossible for Falun Gong to let the world know of the plight of its members.

Falun Gong members inside China and their friends in the Chinese ex-pat community located in the USA worked together to create a secure channel that would allow them to get around the Great Firewall of China, communicate without monitoring, and mask their online activities.

The US arm of the development group formed Ultrareach Internet Corporation to manage the servers needed to support this new, free VPN service. The VPN itself was named Ultrasurf, and although it sounds as though its main purpose is to promote online privacy, like all of the other VPNs in the market, this tool is specifically designed to bypass internet censorship in China.

Ultrareach funds its work through contracts for technical services to US government agencies, such as the Voice of America. The system also receives funds from the Falun Gong organization that has established itself in the United States.

Users within China just turn on the app and connect to the proxy servers in the USA. The circumvention of the Chinese government’s monitoring of internet connections is the reason this free VPN service exists. However, it has also been used by the planners of uprisings in North Africa, such as in Tunisia.

Your security for internet connections is assured with Ultrasurf. However, many observers quibble over whether the VPN service can be described as an anti-censorship tool. This is because Ultrasurf’s managers keep the service’s processes secret, so no one can say whether the service is performing its own censorship.

The purpose of Ultrasurf is to provide privacy to Chinese dissidents who want to communicate with the world outside of China. The country blocks certain online activities and bars access to a number of communication and social media services, such as Facebook and WhatsApp. All internet traffic is also scanned for seditious content. The Chinese authorities regularly break into internet connections to spy on specific people, and the information they gather can lead to the tracking or even the arrest of other people.

The Chinese government’s controls on the internet are collectively known as The Great Firewall of China. The Falun Gong organization has to remain hidden in order for its members to avoid incarceration. However, they also need to be able to communicate with adherents in other countries. Thus, the mechanism of a VPN is ideal for Falun Gong’s purposes.

The Great Firewall of China is a series of filters and searches that performs deep packet inspection on all data as it passes over the internet in China. The searches are useless if the contents of packets are encrypted, and so the technicians that run Chinese internet controls have conducted extensive research into decryption methods. If the system detects the actions of a VPN on a packet, it just removes that packet from the internet. Therefore, VPNs in China need to be able to mimic other traffic. The encryption applied also needs to be strong enough to block decryption.

Types of internet traffic

Different traffic can be identified by the port number that is included in the header of the segment of data that travels across the internet, which is called a packet. There are two levels of address in the header: the IP address, which is the identifier of a device connected to the internet, and then the port number, which identifies the application for the data within the packet, is formatted.

Ultrasurf uses the HTTPS protocol – the Hypertext Transfer Protocol Secure. This is a clever choice because HTTPS is an encrypted system, and it is used for secure Web traffic. The World Wide Web is composed of two systems:

  • The Hypertext Transfer Protocol (HTTP), which manages the request and delivery of Web pages, and the
  • Hypertext Markup Language (HTML), which is the code that each page is written in.

HTTP transports messages in plain text. This presents a problem for eCommerce because no one will trust the system to keep their credit card details or other financial information secure. For this reason, HTTPS was invented.

Although the Chinese authorities want to control all traffic on the internet, they also want to promote eCommerce as a way to grow the country’s economy and enable businesses to find overseas customers for their products. The one type of traffic that the Chinese government will not interfere with is HTTP, so Ultrasurf exploits a weakness in the Great Firewall of China.

TLS tunnel

The “Secure” part of HTTPS is provided by a protocol called SSL. This originally stood for the Secure Socket Layer. However, SSL was discovered to have a security flaw, and it was replaced by Transport Layer Security (TLS). The entire package is still known as SSL despite the fact that it is really provided by TLS.

Ultrasurf operates through HTTPS with authentication security provided by SSL. The most widely-used system for commercial VPNs is called OpenVPN. This is an open-source package, and its authentication service is provided by another open-source system, called OpenSSL.

OpenVPN uses SSL to establish a connection and then switches to another encryption system to protect the traffic of the connection. A VPN connection is called a “tunnel” because it masks the true destination of a connection. The whole IP packet is encrypted, including the header, which contains the source and destination IP addresses.

The routers on the internet need to be able to read the headers of packets so that they can see the destination IP address and send the packet on its way. VPNs place the fully encrypted packet into the data payload of another packet and then address the outer packet in plain text to the VPN server. This process is known as encapsulation.  

When an Ultrasurf user in China turns the VPN on, that VPN app, which is called the client, grabs every outgoing packet, encrypts it, puts it into an outer packet, and addresses that packet to the Ultrasurf server. The actual destination of the original packet is hidden inside the encrypted packet. This enforces connection privacy and is referred to as a “tunnel.”

The Ultrasurf system uses TLS in its encapsulation, and it is known as a TLS tunnel. Owing to the naming peculiarity of TLS, the system is also called an SSL tunnel. There is an existing system available, called Stunnel, that does exactly what the Ultrasurf VPN does. However, Ultrasurf is a closed, proprietary system, so no one outside Ultrareach can say whether its system is the same as Stunnel or whether it deviates from that standard in some way.

A number of other VPN services offer an obfuscation technique that can be turned on for use in China. In every case, these are copies of the Stunnel system like the Ultrasurf proprietary protocol. Some examples of these are:

  • VyprVPN – Chameleon
  • Avast SecureLine VPN – Mimic
  • TunnelBear – GhostBear
  • Surfshark – Camouflage mode
  • TorGuard – Stunnel
  • Windscribe – Stealth mode

A VPN is a type of internet service that is knowns as a proxy. A proxy is a stand-in and that is exactly what a VPN server does. It represents another computer in its transactions with Web servers. It is a front, a representative.

By dealing with Web servers on behalf of another computer, the proxy hides the true identity of the source of the request. Thus, the Web server does not know where the real requestor is. In some cases, Web servers keep blacklists of IP addresses that they will not deal with. So, if a computer is on a blacklist, the owner can dodge that ban by changing its IP address through the use of a Proxy or a VPN.

Ultrareach owns and runs all of the servers for the Ultrasurf proxy VPN service. The business’s premises are located in Cheyenne, Wyoming, but it also runs servers at a location in Fremont, California. Ultrareach doesn’t disclose exactly how many servers it has. China doesn’t ban all contact with the United States, and it particularly wants to encourage HTTPS traffic from there. So, it doesn’t block the connections going out to the Ultrasurf servers or the responses that travel back.

One problem with the Ultrasurf system is that the Chinese authorities pay particular attention to the traffic of suspected dissidents, and so being a frequently contacted address by those people would get the Ultrasurf IP address blacklisted. To combat the problem of being noticed, the Ultrasurf servers change their IP addresses regularly.

Ultrasurf client connections

When a user of Ultrasurf turns the service on, the app creates a connection to the Ultrasurf server. The pair agree on an encryption key, and then all packets in both directions are encrypted and placed in carrier packets.

As part of its session establishment processes, the proxy server allocates one of its IP addresses to the connecting client. When packets are received from the client, the server unpacks and decrypts them, revealing the original packet that still has the IP address of its intended destination in the header. The proxy sends that original packet on its way but first puts that allocated IP address in the header in place of the client’s real IP address as the source address in the header.

The intended destination computer receives the packet and replies to the source address that is written in the packet. This IP address points to the Ultrasurf proxy server. Receiving the packet, the Ultrasurf server encrypts it and places it inside an outer packet. The destination address written into the header of the packet is the real IP address of the client.

The Ultrasurf app on the customer’s computer intercepts the arriving packet, unpacks it and decrypts it, and then passes it back to the application that originated the request to which the new packet is a response.

Network address translation

When an Ultrasurf app connects to one of the Ultrasurf servers, it gets allocated a temporary address. So that the server knows where incoming messages to that IP address should be forwarded, it needs to maintain a cross-reference table that links the real IP address of the client to the address that temporarily represents it. This is what is known as network address translation (NAT).

The cross-reference between a real IP address and a temporary IP address forms a record in a NAT table. Once the session ends, the record is deleted from the NAT table, and the representative IP address is returned to the pool for reuse by another client. If an IP address gets blocked, it is discarded and replaced in the pool with a new IP address that has not yet been identified by the Chinese authorities.

Ultrasurf VPN encryption

The Ultrasurf encryption system uses the mainstay of SSL, which is RSA. The RSA cipher is a public key encryption system. This is a clever formula that generates a pair of encryption keys.

When an encryption cipher transforms a text, it works on each character and applies a formula. The formula has one value missing and the key is slotted into it. Changing the value for the key completely changes the outcome of the transformation. So, it is possible to use a formula that is freely available because hackers won’t be able to use it effectively without knowing the key that is in use at any one time.

With RSA and other public key systems, there are two related formulas: one to encrypt data and the other to decrypt it. Keys are generated so that the two formulas are connected. That means you can’t get your own key paid and use the decryption key on a text that was encrypted by another key pair. So, it is safe to make the encryption key publicly available. This is how public key encryption got its name – the public key encrypts and the private key decrypts.

In order to conduct a secure transmission, the client just needs to get the public key of the server and encrypt a message with it in order to send out the data securely – no one intercepting the packet will be able to decrypt it because they don’t hold the correct private key. When replying, the server gets the client’s public key and encrypts the packet data with it – only the client can decrypt that.

Even though the encryption key and decryption key are related, you cannot decrypt a text with the encryption key, and you cannot guess the decryption key if you know the encryption key.

The key is designed to take an impossibly long time to guess. The most widely used password cracking technique is called “brute force.” This involves substituting a value for the key until the decrypted text becomes something meaningful. Therefore, the main strength of the encryption system lies in the fact that it would take too long to crack.

Hackers use computerized methods to cycle through every possible value for the key. Encryption keys are binary, and so the number of guesses it would take to cycle through every possible bit combination works on a count of all possible combinations of 0 and 1 in a block that has the length of the key.  The producers of encryption systems make the key long enough that it would take too long to guess. RSA keys have to be very long in order to be effective. They are in the order of thousands of bits.

One of the main researchers into password cracking is the Chinese government. It is known that the technicians of the Great Firewall of China have been studying ways to crack RSA keys for a very long time. In fact, they have created a computerized system that can crack RSA with a 1048-bit key. Therefore, it is recommended that no one uses that key length anymore.

The next RSA key length up from 1048 bits is 2048 bits and the Chinese authorities can’t crack that. Ultrasurf uses a 2048-bit key for its RSA encryption. The Chinese authorities can’t crack that, but you can bet that they are currently working on it.

Server authentication and man-in-the-middle attacks

The complementary but unguessable nature of public key systems is put to a second use in the procedures ordained by SSL. Remember, Ultrasurf uses SSL to protect its traffic. The fact that only the computer that holds the related private key can decrypt a text encrypted by the public key is used for authentication.

Anyone that can intercept a conversation across the internet has little time to decrypt its text. However, that interceptor doesn’t need to do any work at all if it can convince the client that it is the server. This is called a “man in the middle” attack.

ISPs and government officials don’t need to “hack” in order to get access to data traveling over the internet. An internet service provider processes all of the traffic of each of its customers in order to put it on the internet. This creates an ideal opportunity for ISPs to control and monitor the traffic of all of their clients.

The Chinese government is able to control all of the ISPs in the country, and those businesses cooperate with the government by allowing government technicians to work in their offices and apply detection software to all traffic.

There are extra interception points in China because there are only ten cables through which all international traffic flows in order to get data in and out of the domestic Chinese internet, and these all pass through Chinese government labs.

So, if those labs wanted to, they could try a man-in-the-middle attack. In this scenario, the lab catches a connection request coming from a computer within China and going out to a server in the USA. The request asks for the public key of the server and the lab passes back its own. At the same time, the lab sends its own connection request to that server in the USA and gets its public key.

The client is actually communicating with the Chinese government lab while it thinks it is communicating with the server in the USA. The US server knows that it is connected to an address in China but doesn’t know or care that it is a Chinese government lab.

The computer of the dissident is now encrypting all of its traffic with the public key provided by the Chinese government lab, and when it arrives, that lab can decrypt and read everything. That dissident won’t be at liberty for much longer.

SSL makes this scenario impossible, and there is an entire cybersecurity industry built around the SSL public key distribution mechanism. Under SSL, the client doesn’t ask the server for its public key. Instead, it asks for the certificate details. The server returns the name of the certificate authority that holds the SSL certificate and the certificate’s ID. This could provide the Chinese authorities with an opportunity to create their own certificate authority. However, the major browsers in the world will only deal with a limited number of certificate authorities and report certificates from anyone else as an error, thus blocking all further communication.

The client then fetches the SSL certificate from the named certificate authority. The certificate includes a number of facts that the client can use as secondary checks in the authentication process. However, the main element of the SSL certificate is the public key of the certified machine.

It is true that, as anyone can access SSL certificates, hackers and Chinese security labs can get them, too, and read the key. However, it would do them no good. The client sends a challenge to the server, which is encrypted with the public key. Only the true holder of that C=SSL certificate has the corresponding decryption key, so only the computer that says it is the owner of that certificate can decrypt the challenge and respond. If the client doesn’t get a response back to the challenge, the connection doesn’t go ahead.

The system of SSL certificates shuts down one method that the Chinese authorities could use in order to read all traffic traveling around the internet in China. The prospect of reading every single message on the internet sounds daunting. However, these processes are automated and also involve storing data for later analysis.

Not all spying methods are applied to all traffic. The Chinese authorities just focus on a list of IP addresses that identify the computers of known troublemakers. However, they also conduct secondary searches and controls that can get someone put on that list.

Ultrasurf private DNS

The Domain Name System (DNS) maps between web addresses and IP addresses. A DNS query is a necessary step that your browser has to perform before sending a request for a Web page. This is because the web addresses used in your browser are meaningless to routers on the internet – they only work with IP addresses.

The Domain Name System is vast, and it is held in a series of databases that are located all around the world. It is not one single location. To simplify the DNS query process, your ISP hosts a DNS resolver, which performs DNS lookups on behalf of the ISP’s customers.

The DNS resolver receives a DNS query and then searches through all of the DNS databases in the world until it finds the right IP address. In order to give a faster response, the DNS resolver stores the recent answers it gave. So, it already has the IP addresses in its own memory for the most frequently requested websites – each new request extends that records life in the DNS resolver’s memory.

The DNS system gives ISPs and the Chinese authorities, an easy mechanism to control access to websites. It just keeps a permanent record for banned sites in its DNS resolver and that returns a fake IP address. Thus, none of the customers of that ISP will ever be able to get to banned sites. Many countries in the world secretly control access to websites through this method. It doesn’t take a law to ban a website, it just needs that site to be entered on a blacklist distributed by the authorities to the ISPs in the country.

It is possible for each computer own to nominate a different DNS resolver in the network settings of their operating system, however, few people do this. Ultrareach does not mention a DNS anywhere on the Ultrasurf website. However, our tests show that when the Ultrasurf service is active, DNS queries are not performed by the user’s ISP. Thus, Ultrasurf has its own private DNS and protects the DNS queries of its users, unblocking many banned sites.

The client end of Ultrasurf works with a special piece of software. This is implemented in two ways. The first is an app, which is available for Windows, iOS, and Android, and the second is a browser extension.

Ultrareach only advertises its Ultrasurf Chrome extension. However, there is an Ultrasurf extension listed on the Microsoft site for Edge Add-ons. It is curious that the Edge Add-on is not mentioned anywhere on the Ultrasurf website. So, to be safe, just go with the Chrome extension.  

To get the Ultrasurf desktop app, go to the Ultrasurf Download page. This has a link to the download that runs on Windows. There is no version for macOS or Linux.

You can get apps for Android mobile devices from Google Play, and there is a version for iPhones and iPads at the Apple App Store.

On the Ultrasurf website Download page, click on the link for Ultrasurf (Windows Client).

This will download Ultrasurf as an executable file for the VPN client. You don’t need to run an installer. Unfortunately, this also means that you don’t get a desktop icon or an entry in the Start menu. Whenever you want to run Ultrasurf, you need to go to the folder into which you downloaded the program and click on the .exe file.

In order to get the browser extension for Ultrasurf, open the Chrome browser and go to the Ultrasurf page in the Chrome Web Store. Click on Add to Chrome.

The addition of Ultrasurf to your browser is a process that is managed by Chrome. You don’t have to do anything to get the system installed.

You run the Ultrasurf app by clicking on its executable file. There is no work needed to set the VPN running. This is because you don’t get a choice of servers, so the system doesn’t have to wait for any instructions from you – opening the app is enough.

The small message panel in the app will show a message: CONNECTED. The app will also open a Web page in your default browser. This is https://home.ultrasurfing.com/, and it indicates that the VPN is working.

The app offers very limited functionality. Unfortunately, in our test, all indicators show that the VPN wasn’t working. The service didn’t change the IP address of the computer and didn’t unblock the sites that were banned by the ISP.

The Ultrasurf Chrome extension was more successful.

You access the Ultrasurf browser extension in the top right of your Chrome browser. If you don’t see the Ultrasurf icon in the row of symbols after the address bar, click on the puzzle piece symbol to find it.

Click on the pin symbol so that the icon will be visible outside of the extensions list in the future.

When you click on the extension, you will see a message that the service is disconnected. Click on the On/Off button to turn the VPN on. Once the VPN is connected, the browser extension will open the ultrasurfing.com home page.

Our tests showed that the browser extension worked well – it changed our IP address and enabled us to access sites that the ISP has banned.

The Android app is very simple. It just has an On/Off button. It is impossible to paste an image of that here because the app blocks the screenshot function in Android.

On connecting to the VPN service, the Android Ultrasurf app opens the page m.ultrasurfing.com. Like the Chrome extension, the mobile app works well, unblocking banned sites and changing the IP address.

A big advantage of using the mobile app is that it costs nothing, and keeping it on all the time will protect you against the security risks of public WiFi hotspots.

As you can only connect to a proxy server in the USA, you can’t use Ultrasurf to get cross-border access to streaming services. We tries the service with a number of frequently accessed US video streaming services, and here are the results:


We hoped to examine the performance of the Ultrasurf Chrome extension to see its influence on internet speed. The VPN doesn’t have any influence on bandwidth (line capacity), so we just need to examine throughput rates. We usually perform VPN speed tests using the Ookla system at speedtest.net. Unfortunately, the Ultrasurf system disabled the test system’s ability to find suitable test locations. Most other testing services that enabled testing to a specific location were also confounded, but we found that Meter.net did work.

First, to establish a performance baseline, we tested a connection to a nearby server without the VPN turned on:

The mean download speed achieved was 7.44 Mbps, and the upload speed was 2.68 Mbps. Turning on the Ultrasurf VPN and connecting to the same test server got these results:

This test gave a download speed of 5.46 Mbps and an upload speed of 0.40 Mbps. That was a reduction in download speed but a very significant fall in upload speed. As Ultrasurf only has servers in the USA, any user outside of the USA connecting to a destination within their own country is going to get all traffic looped over longer distances. Connections across the world should be slower because there is further for the signal to travel and it will pass through more routers. This test without the VPN turned on went to Sydney, Australia:

As can be seen, a connection to the other side of the globe without the VPN was a great deal slower than a connection within the same country. The connection had a download speed of 2.65 Mbps and an upload speed of 0.17 Mbps.

Turning on the Ultrasurf VPN service and connecting to the same test server in Sydney again, the results were similar to those using the VPN on a local connection.  

The download speed was a little better than on the unprotected connection at 3.63 Mbps and the upload speed improved to 0.28 Mbps.

The speed test showed that the greatest influence on performance was distance and not the Ultrasurf VPN.

Does Ultrasurf VPN work in China?

Ultrasurf was designed for users in China.

Is Ultrasurf a Trojan?

Some antivirus systems flag Ultrasurf as malware because its behavior in modifying internet traffic looks similar to the activities of a Trojan. However, the VPN is safe to use.

Is Ultrasurf a fast VPN?

Ultrasurf is not the best choice for fast connection speed.

Does Ultrasurf include an ad blocker?

There are no ad blocker or tracker blocking services in the Ultrasurf package.

Does Ultrasurf block infected files?

TunnelBear doesn’t inspect the contents of incoming packets, so it has no way to search for malware. You still need to run an antivirus system.

To sum it up

The great thing about Ultrasurf is that it is free and lightweight. The main problem is that it only has servers in the USA. International users should check out ExpressVPN or NordVPN if they are willing