There has been an almost complete shutdown of external network connectivity in Iran since about 2025-06-18 13:30 UTC (17:00 Iran Time). By strange happenstance, one IP address that has remained accessible is that of api.github.com, which means that people have been able to read and comment on GitHub issues during the shutdown. I manage a discussion forum that’s hosted on GitHub, which has become a venue for information sharing between the inside and outside about what the network conditions are like. This is a summary of my understanding of the situation so far.

The two main points are two significant IP addresses that have remained accessible and have facilitated some limited amount of communication:

• api.github.com (140.82.121.6). This lets people do things allowed by the GitHub REST API, which apparently includes logging in and reading/commenting on issues using a GitHub app (presumably https://github.com/mobile, not sure about https://github.com/apps/desktop). It does not include downloads from GitHub or even browsing the github.com web site.
• google.com (216.239.38.120). This IP address was not available during the shutdown at first, but became so around 2025-06-19 11:00 UTC. Through this IP address you can access many Google services, not just Google Search. It only requires setting some entries in the hosts file to make, e.g., maps.google.com resolve to 216.239.38.120. It does not require domain fronting – that is, there’s no SNI filter that permits only “google.com”.

This IODA graph shows measurements that reflect the shutdown.

Internet Connectivity for Iran (Islamic Republic Of), Jun 17, 2025 12:00am UTC - Jun 20, 2025 12:00am UTC2000×1120 199 KB

• The rectangular dip in the “Google (Search)” series on 2025-06-17 was a more limited shutdown that preceded the current one.
  https://infosec.exchange/@dougmadory/114699258567046111
  Notice how, at this time, the “Active Probing” series remained high.
• The current shutdown started at 2025-06-18 13:30. At that time, both the “Active Probing” and “Google (Search)” went almost to zero.
  https://mastodon.social/@IODA/114704752451701595
  There was one little blip in the “Active Probing” series a few hours later:
  https://mastodon.social/@IODA/114706908958417608
• At about 2025-06-19 11:00, the “Google (Search)” suddenly returns to normal, while the “Active Probing” remains low. This appears to correspond with when the google.com IP address 216.239.38.120 became accessible.

This is the thread on the discussion forum I manage:

The same day the shutdown occurred, there was a post on the thread itself by someone saying the GitHub app was working for them:

https://github.com/net4people/bbs/issues/484#issuecomment-2985672840

I’m in iran and just got access to outside network using github app on android.

Idk how is this working but i need to replicate it on real vpn connection

https://github.com/net4people/bbs/issues/484#issuecomment-2987484989

Turns out api.github.com’s ip (140.82.121.6) is open for connections

On 2025-06-18, users reported that they were able to browse Google Search through google.com. Clicking the search results didn’t work, unless they were for websites in Iran.

https://github.com/net4people/bbs/issues/484#issuecomment-2988483200

Are people able to access Google Search?

only “google.com” opens. all other subdomains or google services are down. you can search in google.com only; but then only iranian websites opens.

Further experiments showed only “google.com” worked, not “www.google.com” (which resolves to a different IP address). But generally, you can access many Google services through the google.com IP address, either by editing the system hosts file, running a local DNS resolver, or using the --connect-to option in curl. We initially tried some experiments with domain fronting, but domain fronting is not required: you only need to be talking to the right server IP address.

https://github.com/net4people/bbs/issues/484#issuecomment-2988836609

Thanks for running the test. It looks like you need to add the --ssl-revoke-best-effort option:

curl --ssl-revoke-best-effort --header "Host: amp-dev.cdn.ampproject.org" https://google.com/c/s/amp.dev/

curl --ssl-revoke-best-effort --header "Host: www-aljazeera-net.cdn.ampproject.org" https://google.com/c/s/www.aljazeera.net/amp/sport/2025/6/19/%d9%86%d9%82%d9%84-%d9%85%d8%a8%d8%a7%d8%a8%d9%8a-%d9%86%d8%ac%d9%85-%d8%b1%d9%8a%d8%a7%d9%84-%d9%85%d8%af%d8%b1%d9%8a%d8%af-%d8%a5%d9%84%d9%89-%d8%a7%d9%84%d9%85%d8%b3%d8%aa%d8%b4%d9%81%d9%89

What happening is, curl want to check the revocation status of the server TLS certificate. But because of the shutdown, the server that is used to check the certificate status is not reachable. That’s why the command failed before, “the revocation server was offline”. The --ssl-revoke-best-effort should let the command run, even if the revocation server cannot be reached.

I got the response back. It works great!

https://github.com/net4people/bbs/issues/484#issuecomment-2989129342

Setting maps.google.com to google.com’s ip in hosts file, allows me to open Google maps on Firefox!

https://github.com/net4people/bbs/issues/484#issuecomment-2989892386

there’s no sni blacklist, any sni works on ip from google.com
curl -vk --connect-to ::216.239.38.120 https://void.com returns 404 in iran, the same as outside

The curl --connect-to trick has provided a way to download files, by uploading the files to Google Drive, then accessing drive.usercontent.google.com through the accessible IP address 216.239.38.120. It looks like this:

https://github.com/net4people/bbs/issues/485#issuecomment-2992413851

curl --connect-to ::216.239.38.120 --ssl-revoke-best-effort -L -o champa-client-darwin-amd64 "https://drive.usercontent.google.com/download?id=1ROCBSIsnat8uDQSlOFajuW2XAbeqNNZh&export=download&confirm=t"

The accessibility of the google.com IP address also means that the Google AMP Cache (cdn.ampproject.org) can also be accessed, which in turn enables limited proxying to other destinations. We have tried an AMP cache tunneling proxy, which works to some extent, but because of rate limits its speed and usefulness are limited.

https://github.com/net4people/bbs/issues/485

Champa is a censorship circumvention proxy that tunnels through an AMP cache. Because the IP address of google.com is currently reachable, you can use that IP address to reach an AMP cache, and then from the AMP cache reach any other service.

There has been a shift in the situation since about 2025-06-21 02:00 UTC, about 28 hours ago. The shutdown hasn’t “ended” exactly, but it’s qualitatively different now. There are still great many blocked destinations, but not as many as there were the past 3 days. For a short while after 2025-06-21 02:00, I could even some web sites hosted in Iran, which I cannot any longer (I didn’t keep track of exactly when it worked and didn’t).

Here’s the IODA graph. Notice the abrupt increase in Active Probing and Telescope signals early on 2025-06-21.

Internet Connectivity for Iran (Islamic Republic Of), 2025-06-18 00:00 to 2025-06-22 00:002000×1120 214 KB

Here’s a graph of OONI measurements. Notice a gap on 2025-06-19 and 2025-06-20, and a recovery on 2025-06-21. (These charts count reported measurements: during the shutdown, OONI clients in Iran couldn’t upload their measurements.)

Web, Connectivity Test, Iran1248×604 21.4 KB

Not all networks are acting the same, however:

https://infosec.exchange/@dougmadory/114722381235179054

In the 4th day of #Iran’s govt-directed internet shutdown, the picture is now complicated. Most large networks are still down but some are now carrying traffic.

Back online: TCI (AS58224), Rasana (AS31549), Neda Gostar (AS39501), Pars Online (AS16322)

Still down: Irancell (AS44244), MCCI (AS197207), Rightel (AS57218)

Temporarily restored: TehranServer (AS213807), PEP (AS213732)

Partially restored: Abrarvan (AS202468), Respina (AS42337), Tebyan (AS48434), AminIDC (AS48147)

Discussion of the new situation begins at https://github.com/net4people/bbs/issues/484#issuecomment-2993296832.

The two main new observations are:

• ICMP echo (ping) apparently works, to all IP addresses. ICMP tunnels work, however one user reports ICMP tunnels being detected and blocked after a short time. There are instructions on how to use a particular ICMP tunnel called pingtunnel in [Iran] How to use pingtunnel · Issue #486 · net4people/bbs · GitHub.
• Various IP addresses are accessible, including the IP addresses of some Tor relays. One range of unblocked IP addresses is in the HostAfrica host. But the usual Tor protocol detection of the Iran firewall is still in place, so you cannot connect to them with a normal Tor client, but a patched Tor client works.

The IP addresses of api.github.com (140.82.121.6) and google.com (216.239.38.120) remain accessible as before. So participation on GitHub issues, and the existing methods of accessing Google services including Google Drive, continue to work. The AMP cache tunnel continues to work and continues to be slow and prone to temporary rate limits.

I2P
http://metrics.i2p/router-distribution

i2p1121×921 44.5 KB

Cloudflare
https://radar.cloudflare.com/traffic/ir
ir.html (338,4 КБ)

cf11247×924 151 KB

cf2933×857 85.9 KB

cf3933×402 24.4 KB

cf4970×705 88.2 KB

I have a VPS in Tehran, AS48715 Sefroyek Pardaz Engineering PJSC (Asiatech).

Could not connect to it over SSH, and only by pure coincidence managed to log into the hosting panel and connect over VNC — the hosting panel did not open in the browser, but I spotted it works with curl, as it turned out large TLS ClientHello due to ML-KEM (Kyber) support in the browser was the reason. Started to work again after I disabled it.

Before 22 June

UDP

Everything is filtered. No packets reach European servers from Iran, regardless of destination port and payload. No packets reach the server in Iran sent from EU either. Tested with several protocol payloads (random data, QUIC, NTP).

TCP

The censorship is bi-directional.

For outgoing connections to censored ranges over TCP works as follows:

1. 3-way handshake is successful
2. First data packet is dropped, and all subsequent packets are dropped

This complicates scanning process, as pure TCP connection attempt always succeeds.

For incoming connections to Iran:

1. 3-way handshake is successful
2. First data packet is dropped
3. Second data packet arrive to Iran
4. The receiver waits for the first packet, which never arrives
5. ACKs from Iran to the source are never delivered

ICMP

ICMP is unfiltered and works to any destination, more or less.
ICMP tunnel with hanstunnel works without any issues.

Email

No email provider works.

• mail.rambler.ru resolves to blacklist 10.10.34.35, does not connect when accessing real IP address
• imap.yandex.ru:993 TCP connection timeout
• imap.mail.ru:993 TCP connection timeout
• imap.gmail.com:993 TCP connection timeout
• imap.mail.me.com:993 (iCloud) TCP connection timeout
• proton.me TCP connection timeout
• outlook.office365.com:993 TCP connection timeout

Tor

11 Tor Relays are working, mostly in Hong Kong, Singapore, Japan, with the IP ranges from AFRINIC.

After 22 June

18:55 UTC my ICMP tunnel got disrupted.
Many IP ranges which used to ping are now not reachable. Incoming TCP connections also does not work from the earlier ranges.

No tor relays are reachable.

I managed to setup another ICMP tunnel using another Hong Kong IP range. Interesting that far from all IPs from that range are pingable. This could be due to censorship (whitelist) or because of multiple uplinks with different filtering configuration.

I can confirm that Google IP which @tango mentions, as well as Github API IP, are working.