The Starlink gateway out is a good solution, but I sure wouldn't share it with friends/family over the ISP networks if at all possible.
Just
enable
configure terminal
router bgp <your-AS-number>
neighbor <neighbor-IP-address> shutdown
end
Easy
> IPv4 addresses are limited and constantly reallocated. Most are rented and passed between hosting providers, resold between datacenters, or migrated across regions. The Iranian filtering system uses GeoIP databases and BGP information to decide which IP ranges to trust and which to block. But those records lag behind the changes.
This is surprising to me. Surely Iranian ISPs would have directly allocated IP space?
Or alternatively, surely Iran's gov would be in the routers and be able to blackhole any routes leaving the country?
Are they sanctioned away from RIPE, like Russia is? Russia isn't allowed to be allocated any IP addresses they don't already have. They're Russia, so they already have a bunch, but if they didn't, they'd have to keep borrowing them on grey markets, possibly different ones each time. Iran might be that way.
(Fun fact about sanctions: the International Criminal Court is sanctioned away from Microsoft, so they can't legally get access to Windows or Office. This is because they prosecuted a war criminal the USA likes.)
> Fun fact about sanctions: the International Criminal Court is sanctioned away from Microsoft, so they can't legally get access to Windows or Office.
How does that even work? There are many companies in the EU that (legally) sell second-hand Windows and Office licenses to anyone.
> WireGuard uses UDP and a small handshake footprint, making detection and blocking via DPI harder.
Not quite true. WireGuard is already actively detected and suppressed if necessary. There's already a fork that employs basic changes to improve the protocol in this regard. AmneziaWG was shown to be more robust to detection for now.
https://docs.amnezia.org/documentation/amnezia-wg/
Too bad managing WG is such a pain and Tailscale/Netbird don't support this protocol yet. The following two issues need attention:
At Obscura we just tunnel WireGuard over QUIC's unreliable datagram mechanism to make it look like HTTP/3 (for DPI): https://github.com/Sovereign-Engineering/obscuravpn-client/b...
We just upstreamed our patch to quinn-rs that pads Datagrams to MTU: https://github.com/quinn-rs/quinn/pull/2274
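As an added illustration (not code from Obscura, obscuravpn-client or quinn), the snippet below shows why WireGuard's fixed-size handshake is a signature for size-based DPI and what padding every datagram to a constant size does to that signature. The 148/92-byte handshake sizes are WireGuard's public protocol constants; the padding target, the length-prefix framing and the sample flow are assumptions constructed for the example.

```python
# Added example, not the project's code. Demonstrates size-only flow fingerprinting
# of a WireGuard handshake and the effect of padding every datagram to one size.
from typing import List, Tuple

WG_HANDSHAKE_INIT = 148   # WireGuard handshake initiation, bytes (public protocol constant)
WG_HANDSHAKE_RESP = 92    # WireGuard handshake response, bytes (public protocol constant)
PAD_TARGET = 1200         # assumed constant datagram size the tunnel pads up to


def pad_datagram(payload: bytes, target: int = PAD_TARGET) -> bytes:
    """Prefix a 2-byte length and zero-pad so every datagram is exactly `target` bytes."""
    if len(payload) + 2 > target:
        raise ValueError("payload does not fit in one padded datagram")
    body = len(payload).to_bytes(2, "big") + payload
    return body + b"\x00" * (target - len(body))


def unpad_datagram(datagram: bytes) -> bytes:
    """Inverse of pad_datagram: recover the original payload via the length prefix."""
    n = int.from_bytes(datagram[:2], "big")
    return datagram[2:2 + n]


# A flow is a list of (direction, size) pairs: "out" = client->server, "in" = reverse.
Flow = List[Tuple[str, int]]


def looks_like_wireguard(flow: Flow) -> bool:
    """Size-only classifier: a 148-byte outbound UDP datagram answered by a 92-byte
    inbound datagram matches the WireGuard handshake footprint exactly."""
    return (len(flow) >= 2
            and flow[0] == ("out", WG_HANDSHAKE_INIT)
            and flow[1] == ("in", WG_HANDSHAKE_RESP))


def padded_flow(flow: Flow, target: int = PAD_TARGET) -> Flow:
    """The same flow as seen on the wire once every datagram is padded to `target`."""
    return [(d, len(pad_datagram(b"\x00" * size, target))) for d, size in flow]


# Constructed sample: a plain WireGuard handshake followed by two small data packets.
SAMPLE_FLOW: Flow = [("out", WG_HANDSHAKE_INIT), ("in", WG_HANDSHAKE_RESP),
                     ("out", 96), ("in", 128)]

if __name__ == "__main__":
    print("plain :", SAMPLE_FLOW, "->", looks_like_wireguard(SAMPLE_FLOW))
    print("padded:", padded_flow(SAMPLE_FLOW), "->",
          looks_like_wireguard(padded_flow(SAMPLE_FLOW)))
```

Packet size is only one signal: padding removes it, while timing, packet counts and the outer QUIC framing remain visible, which is why a DPI that simply blocks HTTP/3, as the next comment notes, is unaffected by this.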
Some DPIs just flat out block HTTP/3 already.
True, but based on my research they don't use DPI on the NIN, so you might be able to use WG or OpenVPN to a VPS inside Iran but not to a VPS on, let's say, DigitalOcean. They can also selectively increase or decrease the strength of their DPI as well; for example, a range of IPs can be graylisted and nothing will work on it, or they put more active probing effort on some ranges of IPs.
If you are ever thinking of writing something like this: please be aware that people could be executed based upon the validity of your assumptions and advice offered.
It certainly looks like it is compiled by a neural net or human that has no idea how people they talk about actually live. Places of actual discussion of censorship circumvention tools are full of much different talk on how to fool the external or internal DPI servers, on tunnelling through white-listed protocols, and so on.
Also, those who can be executed like that have already realised that the “safe” way of being a “good citizen” does not exist, it's a phantom for people who are, at the moment, rich, happy and walled from the rest (either physically or in their minds). They probably don't need to be told not to trust someone who is offering to solve all their problems.
There is that Iranian bot army we hear about: "don't write down knowledge or else someone somewhere will be executed!"
I appreciate the final paragraphs which suggest a solid method for those inside the country and under this oppressive regime to remain connected without surveillance. I wonder how many are up to this, and what active resistance or movements inside the country look like these days.
Synapse sucks to run and it doesn't minimize metadata collection. It's not a great choice unless you're running it outside the country where they can't seize the server (but then you have all the problems of not being able to access it when the country is cut off from the rest of the world). It's a pig on resources, which means it has to be run on hardware that can handle it; it barely runs on SBCs.
Other stuff is weird in their post and suggests they are speaking for Iranians without actually knowing any online. I know a few from the Cellmapper community and SMS is very much not expensive. 1000 SMS costs around 0.03USD worst case: https://irancell.ir/en/p/3771/tariffs-and-voice-packages-en
Finally, it's not really that Starlink uses proprietary encryption that's special. They can use any sort of common encryption standard and there's not much Iran can do but locate and seize the terminal, since they don't have the keys to it. I imagine at some point they will start looking for signal emissions in known Starlink bands and use that to locate terminals. Allegedly Russia has a detection system 'Kalinka' already built: https://www.space.com/space-exploration/tech/russia-and-chin...
Does it, though? It doesn’t mention whether or not hosting your own encrypted messaging platform is illegal, what the repercussions are, or how to hide that you are doing so.
I found the whole article to be unfortunately light on both technical details and practical details, and certainly wouldn’t suggest that anyone use it as a guide.
I was wondering myself whether it isn't very dangerous to host those kinds of services in an oppressive state such as Iran. Hosting a site on Iranian IPs certainly sounds easy to track, and I'm sure a Starlink receiver also makes substantial RF noise. Does anyone have any information about how likely the Iranian government is to shut down such a site/service? Also, doesn't encrypted traffic in general (like Matrix servers) fall into this category?
> whether or not hosting your own encrypted messaging platform is illegal
Matrix isn't meaningfully encrypted, so it's mostly irrelevant, hooray!
How do people do this in China?
This is much more severe than in China. I've never been completely shut off from the Internet before. Each time, one of my servers had access to the global Internet. This time, no connection whatsoever. I hope people realise that encryption needs transmission; with no wire to transfer data, encryption won't help you.
Shadowsocks is the common method
This has been DPI'd to death in China and hasn't been useful in a while.
>SMS in Iran is unencrypted.
SMS everywhere is unencrypted
Yes, although many people probably don't know the difference between SMS and RCS and use SMS to refer to both.
Yes, sorry my bad.
Even tech people? wowe
You mean that group that still calls TLS SSL even though it's been 26 years?
I wish this article went into more details on what the "National Information Network" is. I would guess it's at least a set of nationally managed DNS servers that will always resolve national IPs even if upstream global DNS is cut off.
Looking at a bigger picture though, honestly I think we're seeing the end of the raw global Internet for the masses. 20 years ago, it seemed impossible, but here we are.
It's simply not going to be possible to meaningfully use the Internet unauthenticated and unapproved in a few years. Costs to reach mass audiences online will increase until only the big players can do it, and it'll be their platforms or nothing. There's going to be no room for anything that those with millions and billions of dollars don't want or can't make money off of in some way.
Overall, this makes me want to reduce the role of the Internet and tech in my life. I don't need the fastest data plan, latest PC, newest phone, or whatever AI trend is hot to use the apps I need for daily life or to line up events and meetings with others that I actually know.
> Looking at a bigger picture though, honestly I think we're seeing the end of the raw global Internet for the masses. 20 years ago, it seemed impossible, but here we are.
I feel like I’ve been hearing this for decades. During the initial wave of Napster-era piracy debates a lot of people assumed the end of the free internet was near because corporations wouldn’t allow it.
> It's simply not going to be possible to meaningfully use the Internet unauthenticated and unapproved in a few years.
I will take the opposite of that bet any day. Certain countries like Iran will impose their restrictions, but if you think the average country is going to restrict internet access in only a couple of years I don’t know what to say.
This is just a pendulum swinging between centralized and distributed. This is true for "online services", the Internet, computing (mainframes, PCs, cloud, mobile, etc.). If it swings one way, it'll swing back eventually. Just look for the innovations that make one option viable compared to others.
Even 20 years ago the so-called “geeks” were reacting to that news with “We can fix that!”, and indeed were making the tools. They were often primitive, but modern ones are based on those developments and collected knowledge.
Today's crowd is full of lickspittles who are constantly searching for someone or something to kneel before. Money, power, or at least flavour-of-the-month fame. A lot of work was put into spreading those ideals, and not teaching anything “outdated”, “dissenting” or “controversial”.
So you're not just waving the white flag even before anyone intimidates you personally, you're actively working for that cause, willingly or unwillingly.
Something tells me that you were not using 56 bit encryption when posting. In a different world, you would, and lament how pathetic and insecure it is to let someone calling themselves “government” have access to everything, but how understandable it is in presence of communists, terrorists, degenerates who have rejected the democratic values and thus stopped being humans, etc.
Dystopias and the dystopian outlook actually help any kind of high profile swindler a lot. People treat them as the portrayal of “how the world really works”, and expect it to be normal when someone does it, or just hints at such an option to scare the public, while they were intended to portray how stupid people can be if they cease to think. Please choose some higher standards.
The current global Internet is an anomaly in space and time, and it's held together by spit, prayers, and the hope the reliability gains from multiple redundant paths outweigh the reliability losses from so many distinct actors being involved. It would be quite easy for any major government to cause major problems in global connectivity. So far, they mostly seem content to only cut themselves off, and the ones with the power to mess up the global net don't seem to want to. But the NSA was diverting a whole lot of intra-Europe traffic via the USA at one time so they could snoop it.
I have to do more research on NIN, it's hard to know what they're exactly doing.
> more details on what the "National Information Network" is
Some sources [0][1]
> I would guess it's at least a set of nationally managed DNS servers that will always resolve national IPs even if upstream global DNS is cut off.
Yep. Along with an entire ecosystem of domestically created and regulated search engines, DPI, centrally managed certs, AV, networking backbone, etc.
It's similar in intention to the Great Firewall in China, except much more restrictive.
Imagine corporate IT restrictions and posture being deployed nationwide on all endpoints; that's how these kinds of initiatives tend to be architected.
SSE/Zero Trust, DPI, Cert Mgmt, etc are all dual-use, and it's essentially a logistics and organization problem.
[0] - https://apps.dtic.mil/sti/pdfs/AD1107324.pdf
[1] - https://www.article19.org/data/files/medialibrary/38316/The-...
Maybe, or Starlink and software destabilize the authoritarians.
Yes, they will. I'm saying it with such certainty because of how much they're scared of it. It shows when they criminalize it and call it "spyware".
But no matter what they do there will be light at the end. It cannot always be night.
The only way to have global uncensored sharing of information is shortwave radio. Always has been, always will be.
Triangulation exists to locate such stations
Did I say untraceable?
You’ll be found on the internet too btw. But far more easily.
> Looking at a bigger picture though, honestly I think we're seeing the end of the raw global Internet for the masses. 20 years ago, it seemed impossible, but here we are.
This is defeatist. You're probably right 'for the masses' but there will always be those networking and collaborating and bypassing whatever restrictions get put in place. I have online contacts in 'firewalled' regimes that use v2ray/shadowsocks or whatever the thing of the now is to get around the restrictions.
There's a ton of cheap tools now that can be used for running local or citywide networks, hams have their own packet radio stuff. There's now all those new LoRa networks that only really popped up in the past few years.
What I'm trying to say is the stuff is there and it's accessible, but it's only going to be a minority of people that use it just as it's a small minority that comments on posts like this (people like us) and even smaller yet again that write content on how to do it and create those tools to begin with. But it has always been this way....
>there will always be those networking and collaborating and bypassing whatever restrictions get put in place.
I don't think so. It's just a question of the severity of the punishment for violating regulations. A couple of small fines for an unlicensed networking and collaborating - and there will be no one left.
>There's a ton of cheap tools now that can be used for running local or citywide networks, hams have their own packet radio stuff.
The issue has never been in the technical plane. The equipment for building and operating networks has become dozens of times more accessible over the past couple of decades. The problem is in the increasing number of regulations that purposefully lock all clients into a few select controlled service providers. They have a goal and they have the tools to achieve it, so it's only a matter of time before they reach the minority of network-enthusiasts.
> What I'm trying to say is the stuff is there and it's accessible, but it's only going to be a minority of people that use it
Exactly. This is why the tech has to be made resistant to surveillance and censorship by default. Until usage of alternative connectivity and circumvention methods sticks out as a sore thumb (turns out, for most tools it does), it applies a constant pressure on anyone under oppression to stop, increasing the risks for those who continue to use them.
Live in China/Iran for a few years and see if you would still post this same comment.
I don't think personal reprisal because you posted something critical is generally the most scalable or realistic concern. It seems far easier to just let citizens know that if they're disruptive, you don't have protections; for everyone else, who knows if others can even see what you post?
The current american administration clearly wants to stamp down on disruption, too. If they can't deport us I think they'd be fine with prison or working us to death. Future administrations won't be so dumb to think this is just related to criticizing Israel, either, but anything.... disruptive.
It seems to me that a nation determined to control wired network traffic within its borders cannot be circumvented. If they can control the ISPs and observe packet flows, then they can just obstruct any connection they cannot conclusively prove is acceptable.
It seems then that store-and-forward ad hoc p2p (i.e. extremely high, unpredictable latency) is the only option for those who can reach some node with a connection to the outside (maybe laser near the border). Or perhaps really clever steganography with outside partners assisting.
> it seems to me that a nation determined to control wired network traffic within its borders cannot be circumvented.
Starlink/Kuiper and the geostationary satellites are an alternative. Not perfect... but far better than *nothing*
I believe the base stations for those can be triangulated, leading to knocks on the door for unsanctioned traffic.
None of the major mobile satellite networks work without the terminal’s position being known.
> hams have their own packet radio stuff
We got basically three different things. First we got APRS, mostly used for position reports (go on aprs.fi for a map). That is pretty nice but unusable for anything more than an SMS worth of things, and you need repeaters and not just internet gateway collectors to actually have something that's resilient.
Next thing is AX.25, the technical foundation behind APRS. Yes, you can use it to create actual data links, but it's about modem speeds, so virtually useless outside of toying around.
And finally there is HamNet but it's line of sight based and not cross routed to the internet, and identically to all things ham radio, encryption is banned by law.
And on top of that, you can expect regulatory agencies to crack down on ham radio fast and hard, should it be used for political dissent motives at scale. It's already against ham practice to talk politics, especially with people in repressive countries; we don't want more countries other than Yemen and North Korea to just blanket ban ham radio.
> but it's about modem speeds so virtually useless outside of toying around.
I don’t understand this sentiment. For exchanging information, modem speeds were great. Wikipedia, forums like this one, instant messengers, etc. all worked fine.
Am I right to assume that it's easy to locate the source of ham radio signals?
i.e. if there's a blanket ban, can you use your radio hidden in your house or can the government easily find out that the user they've noticed on the airwaves is located there and knock down your door?
It's very easy, has been for a long time. See the story of Israeli Eli Cohen, an operative in Syria.
I wrote a blog post which hopefully clears up the "National Network": https://ahrm.github.io/jekyll/update/2025/06/20/iran-interne...
It is way more than just DNS.
Is Google's AI Mode working? That might solve the problem you mentioned.
Well, the internet is not national anymore (for now!), but isn't Google AI Mode US only? Anyway, the only Google service that did work at that time was Google Search; as far as I know nothing else worked (no Gmail, Maps, etc.).
Ah - I didn't realize Google AI Mode is US Only!
> the only google service that did work at that time was google search as far as I know nothing else worked (no gmail, maps, etc.)
Yea, sounds like they resorted to a hard whitelist. How were other Internet services impacted in Iran? My understanding is payment is increasingly tap-to-pay or via digital wallets within Iran? How was that impacted during the shutdown?
Well, Iran is sanctioned as fuck, so no global payment system works in Iran anyway. All the payment systems used by Iranians are local so they work even in national internet.
Yep! What I meant was during the recent conflict, was the domestic payment system working? How brittle or robust was it during that, especially given that my understanding is that Iran has transitioned to a cashless society?
Yes, it was working at least in my experience.