A new kind of censorship in Iran?

Does anyone have technical information about Iran's new censorship?

1 Like

Here’s the message from #openvpn IRC channel:

[08:24] Hi. I wanted to know how to chain 2 OpenVPN VPNs, but got stuck at routing tables. Can anyone help me?
[08:27] I'm currently located in Iran, which, as some of you may know, is on total Internet lockdown. I have 2 VPSes: VPS1 in Iran and VPS2 in Europe. Clients can only access VPS1. My scheme is Client <—> VPS1 <—> VPS2 <—> Internet. The client can successfully connect to VPS1 via OpenVPN, but doesn't have any access to VPS2. VPS1 can connect to VPS2 via OpenVPN, but after that connection is initiated, no user can connect to VPS1 anymore.

From this message I assume that the network itself works, but Internet access is limited for residential and mobile connections while still being available in data centers.

3 Likes

OONI, CAIDA, IODA, and Kandoo have written a report about the Internet blackout in Iran since 2019-11-16.

Iran’s nation-wide Internet blackout: Measurement data and technical observations

This major Internet blackout was rolled out on 16th November 2019, right after protests erupted across multiple cities in Iran. The protests (against economic mismanagement and government corruption) were sparked by the government’s abrupt announcement to increase the price of fuel (by as much as 300%) and to impose a strict rationing system. According to Amnesty International, more than 100 protesters are believed to have been killed over the last week, but this figure has been disputed by Iranian authorities. Amid the protests—which began on 15th November 2019 and are ongoing—access to the Internet was reportedly shut down.

As of 21st November 2019, Internet access is gradually being restored.

Iran’s Internet blackout is also confirmed by several other data sources, such as Google traffic data, Tor Metrics (statistics on the use of Tor software, which is used for online privacy, anonymity, and censorship circumvention), and Oracle’s Internet Intelligence, as well as by NetBlocks and Cloudflare reports.

Not everyone in Iran was disconnected from the Internet during the blackout. We were told that some hosting providers, banks, businesses, and journalists were able to maintain access to the Internet. Meanwhile, most people in Iran were limited to using Iran’s national Intranet during the Internet blackout.

To better understand how the Internet blackout was technically implemented in Iran, we ran a series of tests locally.

By observing the network traffic data from both sides, we can see that a RST packet is injected at both ends of the connection.

Through manual testing, we were able to determine that it could theoretically be possible to use DNS tunneling to get traffic to leave Iran.

This means that it’s possible to get the upstream recursive resolvers of the ISP to perform DNS queries on our behalf. This channel could theoretically be used to transfer some data to the Internet at a very low throughput and with high overhead. Tools like iodine could be used.

It is possible for Iranian citizens to acquire virtual private servers (VPS) inside the country. Through local testing, we were able to determine that these VPS hosts have connectivity both with users inside the country and with the Internet. This makes it possible to use these servers to set up a local proxy inside the country and to use that proxy to tunnel traffic to another proxy outside Iran. Information about this method has also been circulated in Iranian Telegram forums.

2 Likes

An easier way to circumvent the Internet blackout in Iran in November was to use NAT on iptables.

To do this, after installing OpenConnect on a foreign VPS, just enter these commands on the domestic VPS:

# Enable IPv4 forwarding on the domestic VPS
echo 1 > /proc/sys/net/ipv4/ip_forward
# Redirect incoming TCP/UDP 443 (OpenConnect TLS/DTLS) and UDP 53 (DNS) to the foreign VPS
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination [foreignVPSip]:443
iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 443 -j DNAT --to-destination [foreignVPSip]:443
iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination [foreignVPSip]:53
# Rewrite the source address so replies from the foreign VPS come back through the domestic VPS
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source [domesticVPSip]

And then use OpenConnect like this:

echo password|openconnect --resolve=domain.com:[domesticVPSip] -vu username --passwd-on-stdin https://domain.com

It is also possible to use Gost on the domestic VPS and V2Ray+WebSocket+TLS on the foreign VPS. This may even look enough like HTTPS to pass a protocol whitelist. https://www.oilandfish.com/posts/v2ray-server-domestic-relay.html
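To show why the relay above needs both the DNAT and the SNAT rule (the point where the IRC user got stuck on routing), here is an added Python model of the iptables translations and the conntrack reverse mapping. It is not from the original post; the IP addresses and port numbers are constructed placeholders.

```python
from dataclasses import dataclass, replace

# Constructed placeholder addresses standing in for [domesticVPSip], [foreignVPSip] and a client.
DOMESTIC_IP = "10.0.0.2"
FOREIGN_IP = "203.0.113.5"
CLIENT_IP = "10.0.0.100"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Equivalent of the three PREROUTING rules: (proto, dport) -> new destination.
DNAT_RULES = {("tcp", 443): (FOREIGN_IP, 443),
              ("udp", 443): (FOREIGN_IP, 443),
              ("udp", 53): (FOREIGN_IP, 53)}

class Relay:
    def __init__(self, snat=True):
        self.snat = snat        # whether the POSTROUTING SNAT rule is installed
        self.conntrack = {}     # translated 5-tuple -> original packet

    def forward(self, pkt):
        """Client -> relay: PREROUTING DNAT, then POSTROUTING SNAT on the way out."""
        target = DNAT_RULES.get((pkt.proto, pkt.dport))
        if target is None:
            return None         # no matching rule: delivered locally, not relayed
        out = replace(pkt, dst=target[0], dport=target[1])
        if self.snat:
            out = replace(out, src=DOMESTIC_IP)
        self.conntrack[(out.proto, out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def reply(self, pkt):
        """Foreign VPS -> relay: conntrack undoes both translations for the reply."""
        orig = self.conntrack.get((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None
        return Packet(pkt.proto, orig.dst, orig.dport, orig.src, orig.sport)

def foreign_vps_reply(pkt):
    """The foreign VPS answers whatever source address it saw."""
    return Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

def relay_session(snat=True):
    """Full round trip; returns the reply the client receives, or None if it never arrives."""
    relay = Relay(snat)
    out = relay.forward(Packet("tcp", CLIENT_IP, 40000, DOMESTIC_IP, 443))
    back = foreign_vps_reply(out)
    if back.dst != DOMESTIC_IP:
        return None             # without SNAT the reply targets the client's address, unreachable from abroad
    return relay.reply(back)
```

Running `relay_session(snat=False)` returns None, which is the symptom of forgetting the POSTROUTING rule; with SNAT the client gets a reply from [domesticVPSip]:443 as expected.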

All SOCKS,
all HTTP proxies,
and all WireGuard are banned,
but OpenVPN and the Chinese protocols
they ban late,
since they are running on your VPS.