The best tools to evade the GFW are `shadowsocks` and `openconnect` at this point.
The first one is a proxy, but unlike a TLS proxy, it does not have a handshake phase. Rather, it encrypts all data with a preshared key, and the server rejects the connection if decryption yields invalid data. The stateless nature makes it much harder to detect.
The second one is a VPN over DTLS or TLS. Its security is even better than OpenVPN's, as it has supported ECDHE and AES-GCM since very early on. No stunnel or obfuscation is needed at this point.