9

I hope this question is consistent with the rules of the forum. Our access to the international internet from Iran has become very difficult. Only some specific VPNs work.

Do you have any suggestions for me to set up a VPN server to work in Iran? For example, a specific protocol - a specific trick - using a specific type of data center.

dante velli
  • 193
  • 1
  • 4
  • 1
    sorry but we can't tell you how to break the law. mostly I would say, use 443 as a port – djdomi Oct 06 '22 at 08:13
  • 8
    Actually we can, since we clearly don't support any suppressive regimes as we aren't hired by 'em. – drookie Oct 06 '22 at 08:56

1 Answer

10

So far there is a handful of VPN protocols that you can try. I'll try to summarize 'em along with my observations of how easily they can be distinguished (and blocked) with or without DPI.

This post is not a recommendation of any commercial or free to use VPN service, but a review of some popular existing protocols that you can use to construct your own services.

Protos that can be easily blocked on any simple packet filter:

  • PPTP, tcp/1723 - control, gre - data. Proto is hardcoded (port numbers/underlying proto cannot be changed). Can be easily blocked.
  • L2TP plain. udp/1701. Proto is hardcoded. Can be easily blocked.
  • L2TP/IPSec, with NAT-T or w/o. udp/4500 with NAT-T or plain ESP without. Can be easily blocked.
  • GRE/IP-in-IP encapsulation, plain. Can be easily blocked using IP header analysis.
  • IPSec of any sort (on top of GRE/IP-in-IP tunnel, or w/o) - VTI, legacy tunnels, etc. Same - Can be easily blocked using IP header analysis.

Protos that can only be blocked using DPI, and only when applying certain DPI skill level:

  • openvpn. proto isn't hardcoded, ports changeable, using tcp or udp (tcp is subject to TCP meltdown, and openvpn in general is poorly implemented).
  • wireguard. udp/custom. ports changeable.
  • ssh tunnel (ssh -w [...]), using dedicated tunnel interface. tcp/custom port, or just tcp/22 - which cannot be easily distinguished from plain SSH, which is, in turn, one of the most used protos on the Internet. though also subject to TCP meltdown, this is the hardest case to sniff.

Least but not last: the most simple way to access the Internet resources of the free world is, from my experience, to use a TLS-encrypted HTTP proxy without VPN: for instance this can be merely a squid proxy working with TLS support (which, for squid, is a bit tricky to configure, but still) and Firefox with the FoxyProxy addon (the latter is needed since FF out-of-the-box cannot use an HTTPS-enabled proxy). This traffic is indistinguishable from custom TLS traffic on port 3128 (or any other port your squid is configured to listen on) even with DPI.

Goofs:

  • there's also an ICMP tunnel implementation, but the overhead is so enormous that I cannot recommend it.
  • there's also a VPN written using TypeScript, a VPN written using Visual Basic for Applications and a VPN written using canvas for Microsoft Paint: all of these, while nominally working, cannot be recommended due to terminally unacceptable performance.

Greetings from Mordor, and good luck.

drookie
  • 8,625
  • 1
  • 19
  • 29
  • 5
    OpenVPN over TCP allows for a very unusual but hard-to-discover setup: you can use the `port-share` feature to run VPN on the port tcp/443 and yet have the normal SSL web server appear there if accessed by the browser! This fools many tools that perform various checks that there is an actual HTTPS server and calm down when they find it. Also `sslh` gives such a possibility. Also it is worth noting that OpenVPN's `tls-crypt` feature allows it to hide the traffic in a way that it is impossible to reliably identify it as OpenVPN. – Nikita Kipriyanov Oct 06 '22 at 10:09
  • 2
    Also there is even a DNS tunnel (`iodine`), but it is very inefficient. – Nikita Kipriyanov Oct 06 '22 at 10:11
  • What about Outline VPN (Shadowsocks protocol)? – hfm Oct 14 '22 at 22:33
  • Never heard of. – drookie Oct 15 '22 at 08:30
  • Well, a VPN written using TypeScript.... hilarious. Why not on bash itself ? Lol. Nah, deadborn. – drookie Oct 15 '22 at 08:40