[HN Gopher] Tell HN: The Internet situation inside Iran - We nee...
___________________________________________________________________
Tell HN: The Internet situation inside Iran - We need your help
As you probably have heard, there have been widespread protests
going on inside Iran for the past week or so following the death of
Mahsa Amini at the hands of the morality police. Following the
protests, the government has cut off or severely limited
residential and especially mobile broadband access to the internet
and people can only access websites and services hosted inside
Iran. This has made connecting to VPNs with servers outside Iran,
and Tor close to impossible. That being said, the servers inside
Iranian data centers still have access to the outside world. The
government has also blocked Instagram and WhatsApp (the main
channels of communication used by people inside Iran), and
alternatives such as Telegram, Signal, etc are also blocked,
halting communications to a crawl. People have to either call each
other via GSM or send SMSs (which by the way is being monitored and
messages containing keywords related to the protests don't even get
delivered). As you can imagine, it's preventing people from
coordinating the protests and strikes, and with the satellite TVs
being also heavily jammed, the only source of information
accessible to most people is the government-led local TV channels
which are distributing regime propaganda 24/7 and trying to scare
people into submission. We (a group of tech people inside Iran)
have started using the servers inside Iranian data centers to gain
access to the Internet, and are setting up VPN servers and Tor
bridges and giving the information to people we know. It's not
scalable, and it's risky for us (the servers inside Iran can be
traced back to us), but that's the only way we could think of to
help. The technical details are published here:
https://github.com/InternetForIran/InternetForIran We need help on
multiple fronts: - Please review and contribute to our repository
on GitHub linked above. We need to improve the security and make
deployment easier. - The methods for setting up Tor bridges
described in the repository were working up until 2 days ago, but
have mostly stopped working and we haven't figured out why yet,
maybe you can help? - We have reports that V2Ray VMess and
ShadowSocks are working inside Iran even at times when most other
tools and protocols don't. We haven't been able to reliably deploy
and test this (there are many configuration options and it's not
clear which methods are working). Please create an issue or send a
PR if you know how it works and how to deploy it. - If you are an
Iranian expat: Get a server inside Iran and set this up for your
family and friends and get them back online. - If you are an
entrepreneur or work at a tech startup inside Iran: Your company
already has servers inside Iran. Talk with your team, set up VPN
servers and Tor bridges and share them with other employees and ask
them to help get their family and friends online. Edit:
Formatting.
Author : throwaway124592
Score : 190 points
Date : 2022-09-29 19:37 UTC (3 hours ago)
| anthk wrote:
| Briar works over Bluetooth, Wifi:
|
| https://briarproject.org/how-it-works/
|
| https://briarproject.org/download-briar/
| [deleted]
| metapsj wrote:
| along the same line...
|
| freemesh for wifi AP based mesh networks. not as convenient as
| briar, but considering the situation having multiple modes of
| communication seems like a good hedge.
| https://freemeshwireless.com/
|
| also, if you can get a hold of lora wan based devices, e.g.
| esp32 w/ lorawan, you can set up a lorawan based mesh network
| with wifi entry points. https://meshtastic.org/
| rany_ wrote:
| Yes, it's such a shame people are spamming Signal proxies when
| Briar is the one most deserving of attention. Especially
| considering Briar works without internet and Iran has a history
| of shutting off the internet.
| anthk wrote:
| Briar is built for emergencies such as natural disasters.
| BTW, blocking comms (for any country) is a disaster for the
| economy.
| ttislak wrote:
| There's https://berty.tech/ as well. Not sure if it's as mature
| yet though (https://berty.tech/blog/berty-not-war-ready/)
| ethotool wrote:
| Just my opinion but I think that non-interventionism should be
| promoted here. Especially when it comes to political situations
| like this. It's a dangerous game.
| rany_ wrote:
| I agree, but if you're never going to step foot in Iran and
| have no contacts there then I don't see why not.
| ethotool wrote:
| Actually that's a selfish way to look at it. You're putting
| other people's lives at risk inside the country. Anyone could
| easily decide to contribute compromised and malware infected
| VPN or TOR servers that will in actuality log traffic.
| pazimzadeh wrote:
| They are literally asking for help.
| Centigonal wrote:
| I think non-interventionism is a good choice for governments
| that are addicted to foreign adventurism.
|
| I think non-interventionism is a bad choice for individuals
| with the power to help people under repressive regimes
| communicate with the outside world.
| A4ET8a8uTh0 wrote:
| It is not a game. Governments around the world, big and small
| have been seen turning internet off at the first sign of
| trouble. It only makes sense that we provide a way for the
| population to circumvent those efforts. As flawed as internet
| is, I still think it is worth defending and protecting from
| government overreach.
|
| I will say even more. Other governments are watching and likely
| debating what could be used on their respective turfs.
| Something to think about.
| nanch wrote:
| I support non-interventionism as a default mode for public
| policy.
|
| I also support the rights of private citizens living in a free
| society to act on their own behalf, however they see fit.
|
| That's not a dangerous game, that's an exercise of the rights
| protected by the society they are part of.
| rcarr wrote:
| "Of course, you know of the Prime Directive, which tells us
| that we have no right to interfere with the natural evolution
| of alien worlds. Now I have sworn to uphold it, but
| nevertheless I have disregarded that directive on more than one
| occasion because I thought it was the right thing to do. Now,
| if you are holding on to some temporal equivalent of that
| directive, then isn't it possible that you have an occasion
| here to make an exception, to help me to choose, because it's
| the right thing to do?"
|
| Jean-Luc Picard
| ummonk wrote:
| I don't see how providing internet connections to people in
| Iran constitutes intervention. What they do with those
| connections is up to them.
| type0 wrote:
| Here's how to create a Signal proxy
| https://www.youtube.com/watch?v=Tf-mtjEF4t0
| LinuxBender wrote:
| _the servers inside Iranian data centers still have access to the
| outside world._
|
| Knowing that, the simplest and easiest solution that would avoid
| detection is to SSH tunnel into that datacenter and SSH
| ProxyForward out of that datacenter into Amazon AWS via SSH and
| use that SSH proxy chain as a SOCKS proxy for browsers. Make sure
| the browser is using the SOCKS proxy (SSH) for its DNS. Many
| sites will make your friends solve captchas if they show up from
| Amazon so if you have a friend outside of Iran in the same AWS
| region that is willing to open SSH on their home router then one
| could add that private home router as their last hop in the SSH
| proxy forward. Do not go directly from the datacenter to the
| home. It is _normal_ and _expected_ for Datacenters to SSH to
| Amazon.
|
| SSH Client -> Iranian Datacenter / Server -> AWS VM -> Home
| router in same region as AWS -> Internet.
|
| If many people are using the same server and VM then make sure
| that MaxStartups and MaxSessions have been increased in
| sshd_config as well as any PAM limits on the servers for open
| files on every node in the path. Clients should enable
| ControlPath / ControlMaster in their ssh_config or ~/.ssh/config.
| To harden each hop configure PermitOpen to only allow the SSH
| hops and the final hop should also permit *:443
|
| Examples of all these steps can be found on SuperUser /
| StackExchange / ServerFault and are all public knowledge. All
| above-board, no hacking involved.
|
| [Edit] Removing the Squid MITM SSL-Bump proxy idea. That would
| make follow on questions harder to explain.
|
| [Edit from Fatnino's input] If your Amazon VPC's are too
| outbound-restricted then pick another VPS provider that is
| commonly used for hosting 3rd party tools for datacenters,
| preferably one already used by that datacenter.
|
| [Edit] In theory hypothetically speaking every hop possible could
| have misconfigured but realistic looking syslog so that SSH
| connections are not logged on the server and in theory a log-less
| silent rule in the edge firewall to not log SSH connections.
| Sometimes syslog disks also fill up by mistake. SSH can also be
| performed in ephemeral diskless containers such as Docker, Podman
| and LXC.
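The chain LinuxBender lays out, written down as a client ssh_config plus the per-hop sshd_config hardening, as an added example that is not from the thread or the InternetForIran repository; every hostname, user and port is a placeholder, and the syslog/no-logging ideas from the edits are deliberately left out.

```sshconfig
# ---- Client: ~/.ssh/config (constructed example; hostnames/users are placeholders) ----
# One master connection per hop is reused by later sessions (ControlMaster),
# so a busy client does not redo the TCP + SSH handshake for every new tab.
Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m
    ServerAliveInterval 30

# Hop 1: the server in the Iranian data centre (reachable from inside the country)
Host dc
    HostName dc.example.internal
    User alice

# Hop 2: the cloud VM outside the country; ProxyJump makes hop 1 open a
# direct-tcpip channel to vps:22, so hop 1 only ever sees one destination.
Host vps
    HostName vps.example.net
    User alice
    ProxyJump dc

# Hop 3: the home router in the same region as the VM. The SOCKS5 listener
# lives here: "ssh -N home" gives the browser a proxy on 127.0.0.1:1080.
# Point the browser at it with "proxy DNS" enabled so names resolve at home.
Host home
    HostName home.example.org
    Port 2222
    User alice
    ProxyJump vps
    DynamicForward 127.0.0.1:1080

# ---- Server: /etc/ssh/sshd_config on each hop (least-privilege forwarding) ----
# Global limits for a shared hop: up to 100 concurrent unauthenticated
# connections (start dropping 30% at 10) and 50 multiplexed sessions per link.
MaxStartups 10:30:100
MaxSessions 50

# Hop 1 (dc): the only permitted tunnel target is the next hop.
# Use the same pattern on hop 2 with "home.example.org:2222".
Match User alice
    AllowTcpForwarding yes
    PermitOpen vps.example.net:22

# Final hop (home): the SOCKS channels may only reach HTTPS (and plain HTTP).
Match User alice
    AllowTcpForwarding yes
    PermitOpen *:443 *:80
```

Each hop's PermitOpen line is the check: a compromised or misused account on hop 1 or 2 cannot be turned into a general-purpose proxy, only into a path to the next hop.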
| UniverseHacker wrote:
| The first hop, "SSH Client -> Iranian Datacenter" seems
| extremely vulnerable to surveillance, and would create an
| incriminating list of people involved. With this discussion in
| the open, you can bet Iranian authorities are going to
| specifically look for anything discussed here, so the only
| viable solutions should have no measurable deviation from
| normal behavior that would allow them to detect which
| datacenter was doing this.
|
| To make this happen, you should have a minimum number of
| connections from inside Iran into the datacenter.
|
| For a small group of trusted people with always on connections,
| you could just create a linear chain of SSH forwards connecting
| everyone. For widespread connectivity, a TOR bridge through the
| path you describe would be workable.
| Fatnino wrote:
| I worked at a place with very restrictive internet policies. My
| team had access to one aws instance that could get out to the
| open internet.
|
| So my connections looked like this: my laptop at work in
| California, tunnel to aws in Virginia, tunnel back to a server
| at my house in California, connect to actual desired site
| likely hosted on aws in Virginia yet again.
| RupertEisenhart wrote:
| I would recommend trying to set up tailscale[0] in the servers
| instead of a VPN, its similar to the reply about SSH
| ProxyForwarding but it has a lot more tricks under the hood. Of
| course you need somewhere (aka an AWS server in eg. europe) to
| connect to.
|
| Also have a look at their blog post about NAT traversal for some
| potential inspiration:
| https://tailscale.com/blog/how-nat-traversal-works/
|
| Good luck out there! I'll have a look at your github repo now.
|
| [0]: https://tailscale.com/
| its_bbq wrote:
| Please if you're having trouble setting up Shadowsocks consider
| using Outline (getoutline.org) asl19.org and their Telegram bot
| for generating Outline access keys. This team has put in years of
| effort to make Shadowsocks usable by regular people
| jimbob45 wrote:
| For what was supposed to be a spontaneous protest, this all seems
| incredibly well-coordinated. Certainly wouldn't be the first time
| a foreign government used riots to influence government policy.
| Even further, Khamenei may not last the year and such riots could
| heavily influence the selection of his successor, offering a
| strong motive to any country looking to engage in such espionage.
| ttislak wrote:
| https://getoutline.org/ is based on shadowsocks I think, and
| comes in an easy to deploy package.
| its_bbq wrote:
| It is indeed Shadowsocks (I used to be affiliated with that
| team)
| amir734jj wrote:
| I'm an Iranian living in the US and I have family in Iran. The
| internet is completely shut off for two weeks and international
| phone calling also doesn't work. All I can do is pray at this
| point.
___________________________________________________________________
(page generated 2022-09-29 23:00 UTC)