Codex CLI has become indispensable for many developers, but if you're in China, chances are you hit connection errors on first run: ConnectionError, Timeout, or "Failed to connect to OpenAI API." Your network isn't broken — Codex depends on OpenAI's API endpoints, which are indeed inaccessible from mainland China through no fault of your own. This isn't something a Wi-Fi toggle or a terminal restart will fix. This article breaks down the three layers of blockage and presents the cleanest workaround that requires no VPN, no proxy, and no network reconfiguration.
Three Layers of Blockage: Why Codex Can't Connect from China
Codex CLI depends on OpenAI's /v1/responses and /v1/chat/completions endpoints. Under China's network environment, these requests face not one but three stacked layers of interference.
Layer 1: DPI/SNI Blocking by the GFW
OpenAI's API domains (api.openai.com, oaiusercontent.com, etc.) are long-standing targets on the GFW's DPI (Deep Packet Inspection) blocklist. When your client initiates an HTTPS handshake, the GFW inspects the Server Name Indication (SNI) field in the TLS ClientHello, and on matching a blocked domain, it immediately sends a TCP RST to kill the connection. This is the direct cause of most "Operation timed out" and "Connection reset" errors.
Layer 2: DNS Poisoning
Even if you somehow bypass SNI inspection, DNS queries for OpenAI domains are actively poisoned. When your system resolves api.openai.com, the GFW returns a spoofed or incorrect IP address. Some users try switching to 8.8.8.8 or 1.1.1.1, but the GFW's interference now extends to DoH (DNS over HTTPS), making DNS workarounds increasingly unreliable.
Layer 3: Egress IP Geolocation Restrictions
Even with a proxy or VPN that gets your request out, OpenAI itself applies risk policies to requests originating from mainland Chinese IP ranges. You can get a 403 or 429 response, or be silently throttled to a lower priority queue. This is why the browser sometimes works while the CLI consistently fails — browser traffic routes through CDN edge nodes on different IP ranges, while CLI API calls are more likely to hit the IP-range filters.
Why the Browser Works but the CLI Doesn't
This is one of the most confusing symptoms: you can open chat.openai.com in Chrome and interact normally, but curl api.openai.com in the terminal times out. The reason lies in different network paths:
- Browser access: ChatGPT's web front-end sits behind Cloudflare's CDN. Your browser reaches the nearest CDN edge node, which has its own independent network path and IP ranges not directly blocked by the GFW. WebSocket and HTTP/2 connection pooling further improve reliability.
- CLI access: Codex CLI makes direct HTTPS requests to
api.openai.comwith no CDN fallback. Every new request initiates a fresh TLS handshake, exposing the SNI field to inspection. The HTTP client libraries (urllib3, httpx) also handle retries differently from browsers — aggressive retry loops can trigger a cascade of connection storms.
This explains why many users assume "ChatGPT works = Codex works," when they actually operate on completely different network routes.
Common Connection Failure Symptoms
If you see any of these errors in Codex CLI, you're almost certainly facing network-level blocking:
ConnectionError: HTTPSConnectionPool(host='api.openai.com', port=443): Max retries exceededrequests.exceptions.ConnectTimeout: Connection to api.openai.com timed outssl.SSLCertVerificationError: certificate verify failed(triggered by MITM-style SNI blocking)openai.APITimeoutError: Request timed out after 60000ms- Codex CLI hangs at "Checking API connection..." for over 30 seconds
- Random disconnections mid-task with endless "reconnecting" loops
All these trace back to the same root cause: the domestic network cannot reach OpenAI's API reliably.
Solution Comparison
| Approach | How It Works | Reliability | Maintenance |
|---|---|---|---|
| Self-hosted proxy/VPN | Forward requests through overseas server | Depends on proxy quality | High: needs server upkeep, IP rotation |
| DNS switching | Use 8.8.8.8/1.1.1.1 | Decreasingly reliable | Medium: frequent switching needed |
| Nginx reverse proxy | Set up on overseas VPS | Medium | High: self-maintained |
| API gateway | baseUrl-compatible gateway reachable from China | Stable | Low: one-time config |
Recommended: Use a Codex-Compatible API Gateway
The cleanest solution isn't forcing a path through to api.openai.com — it's changing the endpoint you connect to. Codex CLI natively supports a custom baseUrl. Point it at a gateway that is reachable from China and 100% compatible with the OpenAI /v1/responses protocol, and you bypass the GFW without any local proxy or VPN.
TeamoRouter is an Agent-native LLM gateway designed for exactly this use case:
- Accessible from China: TeamoRouter's API endpoints are reachable under China's network without DNS poisoning or SNI blocking. Just set Codex CLI's
baseUrlto TeamoRouter's address. - Native
/v1/responsessupport: Full compatibility with Codex's responses protocol — no local protocol conversion needed. Unlike older gateways that only support/v1/chat/completions, TeamoRouter works with Codex out of the box. - One Key, multiple models: Beyond Codex (calling GPT-4o and friends), the same Key works for Claude Code and Gemini CLI. Manage one Key, not one per tool.
- No account login required: No OpenAI account login, no phone verification, no overseas payment method needed. Top up and get an API Key — the entire setup crosses zero censorship walls.
- 100% protocol fidelity: Model tiers are explicitly chosen by you; the gateway never rewrites requests or swaps models behind your back. When you call GPT-4o, that's exactly what you get.
- Enterprise-grade stability: 99.6% SLA with 5000 QPM concurrency. A cache hit rate above 99% means your actual cost is far below the listed price, with a floating rate of 10-20% of official pricing.
Other alternatives include running a self-managed Nginx reverse proxy or using CC Switch with a local routing layer, but each adds ongoing maintenance overhead. For the vast majority of developers in China, a dedicated gateway is the most hands-off approach.
Get Started
- Sign up for TeamoRouter and get an API Key (pay-as-you-go, start with a small top-up)
- Follow the Codex install guide to configure baseUrl and API Key
- Run your first Codex task
Access Codex, Claude Code, and Gemini CLI stably through TeamoRouter — no VPN, no network reconfiguration, no overseas bank card needed.
FAQ
Is Codex blocked in China?
Yes. OpenAI's API domains are blocked by the GFW through DPI/SNI inspection. DNS poisoning and IP geolocation restrictions add two more layers, making direct access from mainland China nearly impossible.
Why does Codex still disconnect even with a VPN?
Two common reasons: the VPN node's IP is flagged by OpenAI's proxy detection, returning 403/429; or the VPN client's HTTP proxy mode has compatibility issues with Codex CLI's urllib3 connection pool, causing random disconnects. An API gateway avoids both by routing through direct official API channels.
Can I use Codex if both my browser and VPN are blocked?
Yes. If conventional bypass methods have all failed, the most effective path is an API gateway that's reachable from within China. Your requests don't target the blocked api.openai.com, but a compatible endpoint that routes to the official API on the backend. The destination changes, not your local network.
Can one Key serve both Codex and Claude Code?
Yes. TeamoRouter is compatible with both the OpenAI /v1/responses and Anthropic protocols. Use the same Key with different baseUrl configurations per tool, with consolidated billing.
Gateway vs VPN: which is faster for Codex in China?
A gateway is generally more stable with lower latency. VPN requests go through an overseas server before reaching OpenAI, adding an extra hop. Gateways optimize routing and reduce actual request overhead through caching. VPNs also require ongoing maintenance as IPs get blocked; a gateway is a one-time configuration for long-term use.