I am an Iranian and have a family member in Iran. As you know, the internet is currently shut off from outside or very slow.<p>Over the past years, I would create an OpenVPN server with a port other than the default OpenVPN port (1194) and share the connection with my family member in Iran. Using a random port was needed because default OpenVPN has been blocked in Iran for some time (probably since 2010). But recently [after the recent internet shutdown] I noticed a change. My family member cannot even connect to a server IP address or (private) domain using any port, so the VPN doesn't work anymore. Instead they are only able to connect to the outside world using locally paid VPNs, but applications that have end-to-end encryption don't work anymore with these VPNs (Telegram, WhatsApp, etc.).<p>So my theory is they cut off the connection to outside and people are only able to connect with the outside world using certain VPNs that are probably made by the government. Not really sure.
OpenVPN, Strongswan, Tinc, Wireguard and even Tor without obfuscation modules and without private entry nodes are all trivial to detect and block. Assuming one can reach a VPS provider outside of the country, the most likely solution would be an HTTPS enabled proxy using SNI and a wildcard cert that makes it look like one is just pushing code to a git repo. HAProxy could peel off the default traffic to an actual Gitea git repo and forward the proxy traffic to a Squid SSL-Bump proxy. Create a VM somewhere, give it a DNS name like "git.yourdomain.tld" and then proxy through that HTTPS connection from a different SNI name like "artifacts.yourdomain.tld". This isn't perfect but may work.<p>Another option, if SSH is still permitted to VPS providers, is to tunnel over SOCKS connections through a VPS VM initially as the first hop, then through a friend's home in that same region outside of Iran as the second hop to minimize the number of CAPTCHAs one is subjected to. SSH can make multiple hops transparent to the client. Ensure DNS resolution in the browser is set to use the upstream SOCKS connection. As with the previous proposal, try to make the VM look like a git repo or something else work related.<p>One could find some examples of both of the above ideas on SuperUser, StackExchange and ServerFault.<p>Here [1] is a previous discussion on the topic of the Iran internet lock-down.<p>[1] - <a href="https://news.ycombinator.com/item?id=33025954" rel="nofollow">https://news.ycombinator.com/item?id=33025954</a>
This looks like a classic DPI based blocking. My university had one and it was freaking annoying. Apparently the OpenVPN TLS handshake is subtly different from mainstream ones, so DPI firewalls can tell the difference.<p>In the end I found the easiest solution was to use SSTP (which is just PPP over TLS). I just used this [1] for the server implementation. And Windows has built in support for it, which saves a lot of trouble if you wanna share it with family.<p>1. <a href="https://www.softether.org/" rel="nofollow">https://www.softether.org/</a>
If they use the same great firewall to do the blocking, then yes, you will need to adopt the Chinese netizen rulebook and hop the firewall.<p><a href="https://www.iranintl.com/en/202202123131" rel="nofollow">https://www.iranintl.com/en/202202123131</a>
I hate to make light of a terrible situation, but this really highlights whether or not a private connection over various technologies is truly private.<p>If state actors can see you wearing a mask, it still means you're visible.
It might really be worth going oldskool:<p>Make a website. HTTPS. Put something like PHProxy on it. If you really want to, stick on some messaging, like a BBS. Then you can upload stuff. It's not going to be quite as quick as snapping a pic on WhatsApp or Twitter, but it's not <i>bad</i>.<p>Then put a plausible front on the website. Like, if you're in the grains business, put some public data about grain prices, trade broker services, weather, that sort of thing.
You could set up a Tor bridge with an obfs4 pluggable transport. That works even in China, because it resists DPI and probing. Does your VPN protocol resist probing? If not, that may be how they are blocking it. Also if the government goes hard enough on manually requesting Tor bridges, you will have to distribute bridges yourself (which you seem to already be doing with VPN server addresses).
Does this work? -> OnionShare 2.6 – Released → (October 9, 2022) : <a href="https://news.ycombinator.com/item?id=33155721" rel="nofollow">https://news.ycombinator.com/item?id=33155721</a><p>FYI: the Tor Browser (Bundle) 11.5.4 – (All Platforms) release is due, probably within a few hours.<p><i>Help people in Iran reconnect to Signal – a request to our community</i> : <a href="https://www.signal.org/blog/run-a-proxy/" rel="nofollow">https://www.signal.org/blog/run-a-proxy/</a><p>Also, what DNS are they using? Can DoH or DoT be used?
Starlink works if you can hide or camouflage the dish:<p><a href="https://www.wsj.com/articles/iranian-protesters-struggle-to-activate-starlink-and-circumvent-internet-restrictions-11664798819" rel="nofollow">https://www.wsj.com/articles/iranian-protesters-struggle-to-...</a>
I don't have personal experience with this, but <a href="https://getoutline.org/" rel="nofollow">https://getoutline.org/</a> is designed to be resistant to blocking and may be worth trying.
Check this post from a few days ago on HN:<p>Tell HN: The Internet situation inside Iran<p><a href="https://news.ycombinator.com/item?id=33025954" rel="nofollow">https://news.ycombinator.com/item?id=33025954</a>