[HN Gopher] Tell HN: The Internet situation inside Iran - We nee...
___________________________________________________________________
Tell HN: The Internet situation inside Iran - We need your help

As you probably have heard, there have been widespread protests going on inside Iran for the past week or so following the death of Mahsa Amini at the hands of the morality police. Following the protests, the government has cut off or severely limited residential and especially mobile broadband access to the internet, and people can only access websites and services hosted inside Iran. This has made connecting to VPNs with servers outside Iran, and to Tor, close to impossible. That being said, the servers inside Iranian data centers still have access to the outside world.

The government has also blocked Instagram and WhatsApp (the main channels of communication used by people inside Iran), and alternatives such as Telegram, Signal, etc. are also blocked, halting communications to a crawl. People have to either call each other via GSM or send SMSs (which, by the way, are being monitored, and messages containing keywords related to the protests don't even get delivered). As you can imagine, it's preventing people from coordinating the protests and strikes, and with satellite TV also being heavily jammed, the only source of information accessible to most people is the government-led local TV channels, which are distributing regime propaganda 24/7 and trying to scare people into submission.

We (a group of tech people inside Iran) have started using the servers inside Iranian data centers to gain access to the Internet, and are setting up VPN servers and Tor bridges and giving the information to people we know. It's not scalable, and it's risky for us (the servers inside Iran can be traced back to us), but that's the only way we could think of to help.
The technical details are published here: https://github.com/InternetForIran/InternetForIran

We need help on multiple fronts:

- Please review and contribute to our repository on GitHub linked above. We need to improve the security and make deployment easier.
- The methods for setting up Tor bridges described in the repository were working up until 2 days ago, but have mostly stopped working and we haven't figured out why yet, maybe you can help?
- We have reports that V2Ray VMess and ShadowSocks are working inside Iran even at times when most other tools and protocols don't. We haven't been able to reliably deploy and test this (there are many configuration options and it's not clear which methods are working). Please create an issue or send a PR if you know how it works and how to deploy it.
- If you are an Iranian expat: Get a server inside Iran and set this up for your family and friends and get them back online.
- If you are an entrepreneur or work at a tech startup inside Iran: Your company already has servers inside Iran. Talk with your team, set up VPN servers and Tor bridges and share them with other employees and ask them to help get their family and friends online.

Edit: Formatting.

Author : throwaway124592
Score  : 190 points
Date   : 2022-09-29 19:37 UTC (3 hours ago)

| anthk wrote:
| Briar works over Bluetooth, Wifi:
|
| https://briarproject.org/how-it-works/
|
| https://briarproject.org/download-briar/
| [deleted]
| metapsj wrote:
| along the same line...
|
| freemesh for wifi AP based mesh networks. not as convenient as
| briar, but considering the situation having multiple modes of
| communication seems like a good hedge.
| https://freemeshwireless.com/
|
| also, if you can get a hold of lora wan based devices, e.g.
| esp32 w/ lorawan, you can set up a lorawan based mesh network
| with wifi entry points.
| https://meshtastic.org/
| rany_ wrote:
| Yes, it's such a shame people are spamming Signal proxies when
| Briar is the one most deserving of attention. Especially
| considering Briar works without internet and Iran has a history
| of shutting off the internet.
| anthk wrote:
| Briar is built for emergencies such as natural disasters.
| BTW, blocking comms (for any country) is a disaster for the
| economy.
| ttislak wrote:
| There's https://berty.tech/ as well. Not sure if it's as mature
| yet though (https://berty.tech/blog/berty-not-war-ready/)
| ethotool wrote:
| Just my opinion but I think that non-interventionism should be
| promoted here. Especially when it comes to political situations
| like this. It's a dangerous game.
| rany_ wrote:
| I agree, but if you're never going to step foot in Iran and
| have no contacts there then I don't see why not.
| ethotool wrote:
| Actually that's a selfish way to look at it. You're putting
| other people's lives at risk inside the country. Anyone could
| easily decide to contribute compromised and malware infected
| VPN or TOR servers that will in actuality log traffic.
| pazimzadeh wrote:
| They are literally asking for help.
| Centigonal wrote:
| I think non-interventionism is a good choice for governments
| that are addicted to foreign adventurism.
|
| I think non-interventionism is a bad choice for individuals
| with the power to help people under repressive regimes
| communicate with the outside world.
| A4ET8a8uTh0 wrote:
| It is not a game. Governments around the world, big and small,
| have been seen turning internet off at the first sign of
| trouble. It only makes sense that we provide a way for the
| population to circumvent those efforts. As flawed as internet
| is, I still think it is worth defending and protecting from
| government overreach.
|
| I will say even more. Other governments are watching and likely
| debating what could be used on their respective turfs.
| Something to think about.
| nanch wrote:
| I support non-interventionism as a default mode for public
| policy.
|
| I also support the rights of private citizens living in a free
| society to act on their own behalf, however they see fit.
|
| That's not a dangerous game, that's an exercise of the rights
| protected by the society they are part of.
| rcarr wrote:
| "Of course, you know of the Prime Directive, which tells us
| that we have no right to interfere with the natural evolution
| of alien worlds. Now I have sworn to uphold it, but
| nevertheless I have disregarded that directive on more than one
| occasion because I thought it was the right thing to do. Now,
| if you are holding on to some temporal equivalent of that
| directive, then isn't it possible that you have an occasion
| here to make an exception, to help me to choose, because it's
| the right thing to do?"
|
| Jean-Luc Picard
| ummonk wrote:
| I don't see how providing internet connections to people in
| Iran constitutes intervention. What they do with those
| connections is up to them.
| type0 wrote:
| Here's how to create a Signal proxy
| https://www.youtube.com/watch?v=Tf-mtjEF4t0
| LinuxBender wrote:
| _the servers inside Iranian data centers still have access to the
| outside world._
|
| Knowing that, the simplest and easiest solution that would avoid
| detection is to SSH tunnel into that datacenter and
| SSH-ProxyForward out of that datacenter into Amazon AWS via SSH
| and use that SSH proxy chain as a SOCKS proxy for browsers. Make
| sure the browser is using the SOCKS proxy (SSH) for its DNS. Many
| sites will make your friends solve captchas if they show up from
| Amazon so if you have a friend outside of Iran in the same AWS
| region that is willing to open SSH on their home router then one
| could add that private home router as their last hop in the SSH
| proxy forward. Do not go directly from the datacenter to the
| home. It is _normal_ and _expected_ for Datacenters to SSH to
| Amazon.
|
| SSH Client -> Iranian Datacenter / Server -> AWS VM -> Home
| router in same region as AWS -> Internet.
|
| If many people are using the same server and VM then make sure
| that MaxStartups and MaxSessions have been increased in
| sshd_config as well as any PAM limits on the servers for open
| files on every node in the path. Clients should enable
| ControlPath / ControlMaster in their ssh_config or ~/.ssh/config.
| To harden each hop configure PermitOpen to only allow the SSH
| hops and the final hop should also permit *:443
|
| Examples of all these steps can be found on SuperUser /
| StackExchange / ServerFault and are all public knowledge. All
| above-board, no hacking involved.
|
| [Edit] Removing the Squid MITM SSL-Bump proxy idea. That would
| make follow-on questions harder to explain.
|
| [Edit from Fatnino's input] If your Amazon VPCs are too
| outbound-restricted then pick another VPS provider that is
| commonly used for hosting 3rd party tools for datacenters,
| preferably one already used by that datacenter.
|
| [Edit] In theory, hypothetically speaking, every hop possible could
| have misconfigured but realistic looking syslog so that SSH
| connections are not logged on the server and in theory a log-less
| silent rule in the edge firewall to not log SSH connections.
| Sometimes syslog disks also fill up by mistake. SSH can also be
| performed in ephemeral diskless containers such as Docker, Podman
| and LXC.
| UniverseHacker wrote:
| The first hop, "SSH Client -> Iranian Datacenter" seems
| extremely vulnerable to surveillance, and would create an
| incriminating list of people involved. With this discussion in
| the open, you can bet Iranian authorities are going to
| specifically look for anything discussed here, so the only
| viable solutions should have no measurable deviation from
| normal behavior that would allow them to detect which
| datacenter was doing this.
|
| To make this happen, you should have a minimum number of
| connections from inside Iran into the datacenter.
|
| For a small group of trusted people with always-on connections,
| you could just create a linear chain of SSH forwards connecting
| everyone. For widespread connectivity, a TOR bridge through the
| path you describe would be workable.
| Fatnino wrote:
| I worked at a place with very restrictive internet policies. My
| team had access to one aws instance that could get out to the
| open internet.
|
| So my connections looked like this: my laptop at work in
| California, tunnel to aws in Virginia, tunnel back to a server
| at my house in California, connect to actual desired site
| likely hosted on aws in Virginia yet again.
| RupertEisenhart wrote:
| I would recommend trying to set up tailscale[0] in the servers
| instead of a VPN, it's similar to the reply about SSH
| ProxyForwarding but it has a lot more tricks under the hood. Of
| course you need somewhere (aka an AWS server in eg. europe) to
| connect to.
|
| Also have a look at their blog post about NAT traversal for some
| potential inspiration:
| https://tailscale.com/blog/how-nat-traversal-works/
|
| Good luck out there! I'll have a look at your github repo now.
|
| [0]: https://tailscale.com/
| its_bbq wrote:
| Please if you're having trouble setting up Shadowsocks consider
| using Outline (getoutline.org), asl19.org and their Telegram bot
| for generating Outline access keys. This team has put in years of
| effort to make Shadowsocks usable by regular people.
| jimbob45 wrote:
| For what was supposed to be a spontaneous protest, this all seems
| incredibly well-coordinated. Certainly wouldn't be the first time
| a foreign government used riots to influence government policy.
| Even further, Khamenei may not last the year and such riots could
| heavily influence the selection of his successor, offering a
| strong motive to any country looking to engage in such espionage.
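A worked configuration for the SSH proxy chain LinuxBender describes above (SSH client -> Iranian datacenter -> AWS VM -> home router -> Internet), added here as an example and not code from the thread or from the InternetForIran repository. It shows the client-side ~/.ssh/config (ProxyJump through each hop, ControlMaster multiplexing, a SOCKS proxy on the last hop) and a per-hop sshd_config drop-in whose PermitOpen allows forwarding only to the next hop, with *:443 on the final hop and raised MaxStartups/MaxSessions. All hostnames (*.example.invalid), the port 2222 and the login user "tunnel" are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: dc.example.invalid (the
# datacenter hop), aws.example.invalid (AWS VM), home.example.invalid:2222
# (home router); user "tunnel" is assumed to exist on every hop.

# Client-side ~/.ssh/config: each hop is reached through the previous one
# (ProxyJump), one multiplexed TCP connection per hop (ControlMaster), and
# the browser's SOCKS proxy comes out of the last hop (DynamicForward).
# Run "ssh -N home", then point the browser (incl. its DNS) at 127.0.0.1:1080.
client_config() {
  cat <<'EOF'
Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m
    ServerAliveInterval 30
Host dc
    HostName dc.example.invalid
    User tunnel
Host aws
    HostName aws.example.invalid
    User tunnel
    ProxyJump dc
Host home
    HostName home.example.invalid
    Port 2222
    User tunnel
    ProxyJump aws
    DynamicForward 127.0.0.1:1080
EOF
}

# Per-hop sshd_config drop-in. $1 is the only forwarding target this hop may
# open: "next-hop-hostname:port" on intermediate hops (exactly the HostName
# string the client uses, because ProxyJump requests that), "*:443" on the
# final hop. Limits are raised so many users can share a node; the rest is off.
hop_sshd_config() {
  printf 'PermitOpen %s\n' "$1"
  printf 'AllowTcpForwarding yes\nPermitTunnel no\nPermitTTY no\n'
  printf 'X11Forwarding no\nAllowAgentForwarding no\n'
  printf 'MaxStartups 100:30:200\nMaxSessions 100\n'
}

# Usage: one drop-in per hop, installed where that hop's sshd includes it.
#   hop_sshd_config aws.example.invalid:22    > dc.conf
#   hop_sshd_config home.example.invalid:2222 > aws.conf
#   hop_sshd_config '*:443'                   > home.conf
```

The intermediate hops never see a shell or an arbitrary forward request, so a compromised or logging middle hop learns only that the next hop was contacted; the PAM open-files limits LinuxBender mentions still need raising separately on each node.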
| ttislak wrote:
| https://getoutline.org/ is based on shadowsocks I think, and
| comes in an easy to deploy package.
| its_bbq wrote:
| It is indeed Shadowsocks (I used to be affiliated with that
| team)
| amir734jj wrote:
| I'm an Iranian living in the US and I have family in Iran. The
| internet is completely shut off for two weeks and international
| phone calling also doesn't work. All I can do is pray at this
| point.
___________________________________________________________________
(page generated 2022-09-29 23:00 UTC)