
> What I never understood with my self build SSH proxy VPN: China seems to be able to sniff on it.

There are two possibilities that I can see: you were letting your DNS requests leak and they were being poisoned, or they were doing a direct MITM hijack of your SSH session. Neither is particularly comforting, but it's fairly easy to work out which, if either, is going on.



How do I figure this out?

I resolve my DNS through my proxy.

    Preference Name                  Status    Type     Value
    network.proxy.socks_remote_dns   user set  boolean  true


The SSH one is probably easiest to detect. When you first connect to a session, the public key fingerprint of the server is saved in your ~/.ssh/known_hosts file. If you can somehow verify out of band that this actually is the correct fingerprint (call a friend and ask them to connect and get it), then chances are it's not being tampered with. Essentially it would have had to have happened the first time you connected to the server, and every single time afterwards, or else OpenSSH makes it very, very clear you've been hijacked.

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!  @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
     
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Yeah. So if you don't remember seeing that and the fingerprint is correct, probably nobody has been tampering with the connection. Which would imply that they've either cracked the cipher and are tampering with it anyway (unlikely as hell), that your DNS requests are somehow leaking (somewhat likely), or maybe it's some sort of nocebo effect. Hard to say for certain; Wireshark might be the place to go to find out more about your outgoing DNS requests, though.
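The out-of-band check described above, as an added example that is not part of this thread: it parses a known_hosts file (plain and `HashKnownHosts` entries), computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and compares it to a fingerprint obtained from a friend. The host names, the sample known_hosts and the key blobs are constructed for the example, not real keys.

```python
import base64
import hashlib
import hmac
import struct

def ssh_fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints: base64 with the padding stripped."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_hostname(host: str, salt: bytes) -> str:
    """The `|1|salt|hash` host field written with HashKnownHosts yes (HMAC-SHA1 keyed by the salt)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field (comma-separated names, or a hashed name) against host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in field.split(",")

def known_fingerprints(known_hosts: str, host: str) -> dict:
    """Return {keytype: fingerprint} for every known_hosts line whose host field matches host."""
    found = {}
    for line in known_hosts.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if host_matches(parts[0], host):
            found[parts[1]] = ssh_fingerprint(parts[2])
    return found

def verify_host(known_hosts: str, host: str, trusted_fp: str) -> bool:
    """True only if the fingerprint obtained out of band equals one pinned for host."""
    return any(hmac.compare_digest(fp, trusted_fp) for fp in known_fingerprints(known_hosts, host).values())

def fake_key_blob(seed: bytes) -> str:
    """Constructed: a syntactically valid ssh-ed25519 blob (type string + 32 bytes), not a real key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + hashlib.sha256(seed).digest()
    return base64.b64encode(blob).decode()

PROXY_KEY = fake_key_blob(b"proxy")        # the key the proxy really has (constructed)
IMPOSTER_KEY = fake_key_blob(b"imposter")  # a different key a hijacking box would present (constructed)
KNOWN_HOSTS = "\n".join([
    "proxy.example.com,203.0.113.10 ssh-ed25519 " + PROXY_KEY,
    hashed_hostname("hashed.example.com", b"\x01" * 20) + " ssh-ed25519 " + PROXY_KEY,
])
```

A mismatch from `verify_host` means the pinned key is not the one your friend sees, which is exactly the case the OpenSSH warning above would flag on a later connection.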



