The Iran Firewall - A preliminary report
6 min read
I got sidetracked for the last 3 days to assess the Great Firewall of Iran (GFI).
The Internet is easily censored. The neo-liberals got their arses kicked. The big players like Google/Apple/AWS are partly to blame. China runs the GFI as a service.
The GFI uses Deep Packet Inspection (DPI) on all international peering points. In addition, the local operators (telco & DSL) use their own Firewall but most of them are static and badly configured. Some use DPI.
The GFI is port number agnostic and changing the port number of a service will not yield success.
The GFI consists of three parts:
All blacklisted domains resolve to 10.0.34.35
An active component constantly scans Iran's internal network for 'hostile' services (like open Socks5 proxies).
IP addresses are rarely fully blocked. Instead, the TCP 3-way handshake won't complete (the syn-ack is dropped).
The GFI seems to operate differently almost every day - from severe disruption to barely any disruption.
The most severe disruption is when the regime turns off all cell towers and all local Internet. They just pull the plug and it's game over for any neo-liberal smart-arse that thinks V2ray/Tor/Shadowsocks is the solution.
All Free Internet is blocked from all Mobile Phones and some DSL connections between 4pm and 12pm (it's OFF). During these hours only VPSs inside of Iran can (sometimes) access the Free Internet. Volunteers are running V2Ray/Shadowsocks/etc relays on VPSs inside of Iran to reach the Free Internet. Those relays last hours or a few days before getting blocked by the GFI (The VPS provider is legally obligated to shut them down thereafter).
At the moment the Free Internet is mostly only accessible to geeks and those who can tunnel out using various protocols and tricks.
The worst affected are the ordinary citizens. The GFI blocks them effectively. Many people (and mostly women) depend on the Free Internet for work. The illegal regime of Iran uses the GFI as a form of blackmail - to run them out of money (and by that out of their independency).
On bad days:
Tor is blocked (since day 1).
Wireguard/OpenVpn is blocked (since day 1)
V2ray/Vmess/Shadowsocks/... are either permanently blocked or blocked as soon as the IP Address of the EXIT node becomes known.
The DPI blocks on TLS's cleartext SNI.
Any outbound traffic is blocked after 1k-4k is transmitted upstream.
Any website that offers VPN solutions is blocked (ProtonVPN, Mullvad, NordVPN, ..). Those who already had the software before the GFI can not use the software (most apps require to register an account or make an API call to a WebRTC - which is blocked).
Cloudflare is blocked (including DoH/DoT/DoQ).
Docker is sometimes blocked.
Google Play and App Store are blocked.
Some operators use a whitelist and block all other websites.
The most blocking local operator is IR-MCI (aka HamrahAvval). They seem to be regime lovers.
The users of Iran can not get to the software that would help them to circumvent the GFI. This is mostly a failing of Google/Apple and the big players: It is no longer (easily) possible to copy software from one device to another (or when the network is down).
China is involved. Connecting to any random port number from the outside world on any server inside of Iran (passing the GFI) is almost always followed by a port probe on that specific port from an IP address belonging to China.
The filtering on TLS by SNI is embarrassing. TLS is not secure until the SNI is encrypted. I was there at the IETF-88 (9 years ago) and part of the TLS-Working group when Eric Rescorla famously said that encrypted SNI is no priority and that the big players like Google/Apple/Facebook/AWS all want speed (lower RTT) over security. We tried hard to convince the players but got shut down.
The GFI extends to SMS and OTP. The users (if they get Internet) can not log in to their accounts or sign up for new services (WhatsApp/Signal/VPN/..): Many services rely on 2FA by SMS/OTP. Those SMS/OTP messages are dropped by the Mobile Operators. 2FA becomes a DoS. Checkmate.
The big players (Google/Apple) should implement a feature that allows users to share apps with friends (via Bluetooth) when the network is down.
VPN Providers should make their apps work when above mentioned restrictions are in place.
A mesh-like networking method is needed (using local wifi or Bluetooth) when the main network goes down.
Encrypted SNI needs to happen without fallback to non-encrypted SNI.
Exemption from sanctions to get Starlink and other equipment into the country and a transport method (Customs and Border Control seizes shipments. Donkeys and smugglers are at their capacity limit and not reliable enough).
"How to stage a rebellion effectively" should be part of the school's syllabus. In the decades to come the knowledge to rebel against oppression and tyranny will be more useful to our children than knowing about Nietzsche or why Bonobo Apes are so happy.
Does China breach sanctions by providing the GFI as a service?
Iran signed the Universal Declaration of Human Rights. May the UN comment on why Iran is allowed to disregard it and what that means for the integrity of the UN if members can pick and choose at will.
Thank you to all the courageous people of Iran who provided me with access to various servers and DSL systems. You are the true heroes.
Stay safe and read our IT Security and Privacy for the rebellions around the world.
THC operates a variety of EXIT nodes and Proxy Services in Iran. We need help. Join us on Telegram.
Addition: After writing this article I got asked about the most reliable way to circumvent the GFI.
A relay host inside of Iran is needed (Iran-Relay) and an EXIT node outside of Iran (EU-EXIT). The Iran-User and the EU-EXIT node both need to connect TO the Iran-Relay (connecting from the Iran-Relay TO EU-EXIT is sometimes blocked). Iran-User and EU-EXIT "meet" at the Iran-Relay. Iran-User TO Iran-Relay traffic needs to be obfuscated (V2ray/Shadowsocks/ssh is effective). EU-EXIT to Iran-Relay needs to be less obfuscate (SSH works just fine). No software needs to run on the Iran-Relay to give Iran-Relay admin plausible deniability. No IP must be logged. This is the setup that THC is providing . The most widely adopted solution however is a V2Ray/Shadowsock connection from Iran-User to the Iran-Relay and the iptables DNAT to EU-EXIT - It seems to work most (but not all) of the times.
The most widely adopted solution is XTLS/Trojan gRPC.
There are many Firewalls at play with the main one being at the international junction point doing DPI.
Domain Fronting and SNI faking are not reliable. It may work for a few days until the Freedom-IP is blacklisted. The GFI has now almost fully transitioned to a 'whitelisting' model where everything is blocked or throttled to 0-10Mbit unless the flow is to a whitelisted SNI on a whitelisted IP. Running your own Exit Node in Freedom only works for 1-3 weeks on average until the IP (or entire AS) gets blacklisted or throttled.