Score:9

VPN server protocol or trick that works in Iran


I hope this question is consistent with the rules of the forum. Our access to the international internet from Iran has become very difficult. Only some specific VPNs work.

Do you have any suggestions for me to set up a VPN server that works in Iran? For example, a specific protocol, a specific trick, or using a specific type of data center.

djdomi: sorry but we can't tell you how to break the law. Mostly I would say, use 443 as a port.

drookie: Actually we can, since we clearly don't support any suppressive regimes as we aren't hired by 'em.
Score:10

So far there is a handful of VPN protocols that you can try. I'll try to summarize them along with my observations of how easily they can be distinguished (and blocked) with or without DPI.

This post is not a recommendation of any commercial or free to use VPN service, but a review of some popular existing protocols that you can use to construct your own services.

Protos that can be easily blocked on any simple packet filter:

  • PPTP, tcp/1723 - control, gre - data. Proto is hardcoded (port numbers/underlying proto cannot be changed). Can be easily blocked.
  • L2TP plain. udp/1701. Proto is hardcoded. Can be easily blocked.
  • L2TP/IPSec, with NAT-T or w/o. udp/4500 with NAT-T or plain ESP without. Can be easily blocked.
  • GRE/IP-in-IP encapsulation, plain. Can be easily blocked using IP header analysis.
  • IPSec of any sort (on top of GRE/IP-in-IP tunnel, or w/o) - VTI, legacy tunnels, etc. Same - Can be easily blocked using IP header analysis.

Protos that can only be blocked using DPI, and only when applying certain DPI skill level:

  • openvpn. proto isn't hardcoded, ports changeable, using tcp or udp (tcp is subject to TCP meltdown, and openvpn in general is poorly implemented).
  • wireguard. udp/custom. ports changeable.
  • ssh tunnel (ssh -w [...]), using a dedicated tunnel interface. tcp/custom port, or just tcp/22 - which cannot be easily distinguished from plain SSH, which is, in turn, one of the most used protos on the Internet. Though also subject to TCP meltdown, this is the hardest case to sniff.

Least but not last: the simplest way to access the Internet resources of the free world is, from my experience, to use a TLS-encrypted HTTP proxy without VPN: for instance this can be merely a squid proxy working with TLS support (which, for squid, is a bit tricky to configure, but still) and Firefox with the FoxyProxy addon (the latter is needed since FF out of the box cannot use an HTTPS-enabled proxy). This traffic is indistinguishable from custom TLS traffic on port 3128 (or any other port your squid is configured to listen on) even with DPI.

Goofs:

  • there's also an ICMP tunnel implementation, but the overhead is so enormous that I cannot recommend it.
  • there's also a VPN written using TypeScript, a VPN written using Visual Basic for Applications and a VPN written using canvas for Microsoft Paint: all of these, while nominally working, cannot be recommended due to terminally unacceptable performance.

Greetings from Mordor, and good luck.
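To make the answer's first two lists concrete, here is an added Python sketch (not from the answer) of what a filter without DPI can and cannot tell apart from layer-3/4 headers alone; the sample packets are hand-built inline, not captured traffic.

```python
import struct

# Hand-built sample packets (IPv4 + transport header, no payload), not captured
# traffic, showing what a plain port/protocol filter can recognise by itself.

TCP, UDP, GRE, ESP, IPIP = 6, 17, 47, 50, 4

def ipv4(proto, payload=b""):
    """Minimal 20-byte IPv4 header (src 10.0.0.1, dst 192.0.2.1) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    return hdr + payload

def tcp(dport):  # 20-byte TCP header, SYN, src port 40000
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def udp(dport):  # 8-byte UDP header, src port 40000
    return struct.pack("!HHHH", 40000, dport, 8, 0)

def classify(pkt):
    """Return (label, filterable) using only layer-3/4 header fields."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == GRE:
        return "GRE (PPTP data / plain GRE tunnel)", True
    if proto == ESP:
        return "ESP (IPsec without NAT-T)", True
    if proto == IPIP:
        return "IP-in-IP", True
    if proto in (TCP, UDP):
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        if proto == TCP and dport == 1723:
            return "PPTP control", True
        if proto == UDP and dport == 1701:
            return "L2TP plain", True
        if proto == UDP and dport == 4500:
            return "IPsec NAT-T", True
        # OpenVPN, WireGuard and ssh -w run on arbitrary ports: the headers
        # say nothing, so only DPI on the payload could single them out.
        return "%s/%d: needs DPI" % ("tcp" if proto == TCP else "udp", dport), False
    return "ip proto %d" % proto, False

SAMPLES = {
    "pptp": ipv4(TCP, tcp(1723)), "gre": ipv4(GRE), "l2tp": ipv4(UDP, udp(1701)),
    "natt": ipv4(UDP, udp(4500)), "esp": ipv4(ESP),
    "wireguard": ipv4(UDP, udp(51820)), "ssh_tunnel": ipv4(TCP, tcp(22)),
}

def filterable_names():  # samples a port/proto filter alone would catch
    return sorted(n for n, p in SAMPLES.items() if classify(p)[1])
```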

Nikita Kipriyanov: OpenVPN over TCP allows for a very unusual but hard-to-discover setup: you can use the `port-share` feature to run the VPN on port tcp/443 and yet have the normal SSL web server appear there if accessed by a browser! This fools many tools that perform various checks that there is an actual HTTPS server and calm down when they find it. `sslh` also gives such a possibility. It is also worth noting that OpenVPN's `tls-crypt` feature allows it to hide the traffic in a way that makes it impossible to reliably identify it as OpenVPN.

Nikita Kipriyanov: Also there is even a DNS tunnel (`iodine`), but it is very inefficient.

hfm: What about Outline VPN (Shadowsocks protocol)?

drookie: Never heard of it.

drookie: Well, a VPN written using TypeScript.... hilarious. Why not in bash itself? Lol. Nah, deadborn.