A message from Iran, asking for help on creating better proxies

Sajjad Heydari ・1 min read

Dear dev.to,

I'm Iranian. I'm studying abroad and no longer live in Iran, but I have friends and families in Iran who are dear to me, and whom I love with all my heart.

Iran has a tendency to disconnect the citizens from the internet whenever there are protests going on. I don't want to go on a political rant and tell you why they are protesting now; that is a long story and might put my immediate family in danger. Instead, let me talk to you about my disconnected friends.

The internet has been down for at least 30 hours now. This is a huge loss for many. Almost all businesses are losing money for this matter, freelancers can't communicate with the project owners, the protestors aren't aware of the dangers coming their way, and we are disconnected from our friends and families. The only places that still have internet access are the banks, some universities, and the internal servers in Iran.

A few of my friends managed to set up proxies, Tor hidden bridges, and SSH tunnels on their internal servers, and connect them to the internet using yet another proxy, etc. The problem is, the government identifies these servers, shuts them down and bullies the server owner.

I'm asking dev.to to give them ideas about creating these connections to minimize the gov's suspicion. I hope this message is not against dev.to's policy, and I hope you can help them.

Discussion

Ben Halpern

A few things that come to mind, but not my area of expertise...

Anything peer-to-peer seems vital to the health of anything to upkeep any solutions. I imagine this is already in place in some capacity, eh?

Reverse proxies or basically cached versions of certain resources and generally the encouragement of downloading libraries such as offline versions of Stack Overflow to ensure you always have access to information in general.

For an interesting read which could provide some food for thought... The Cuban CDN where content is literally driven around and delivered via USB drives.

The Art of Invisibility is a book that comes to mind that could provide a general guide to help avoid the detection. Of course I don't endorse the use of any of this information for unethical uses, which probably goes without saying.

Good luck, stay safe.

Maysam Senaps

Okay, I'm disconnected; hope we can fix the connection and get this message out too. Till then, about what we have:

We are building up a network. Some people have TeamSpeak servers set up and are using those to talk, and some P2P chat applications are being shared, but people have no way of installing those apps, so they need to download them from other people in the street...
The problem is, we can't launch an active group to provide help for people, since the police are just randomly shooting masses and have snipers set up on the rooftops to shoot people of interest.
And the government has some Basiji forces being used as a bot army to overload the networks and communities with false news and/or taking people to the wrong streets and getting them caught.

Idan Arye

I haven't tried it myself, but you should check out Bridgefy - an SDK for Bluetooth-based mesh networking. There is also a chat app based on it, which the Hong Kong protesters use so that the Chinese government can't cut off their communication and trace it. (OK, I seriously doubt they can't trace it - but it's supposed to be harder than regular internet.)

Probably won't be a good fit for business though, but at least it can help the protesters...

Rémy 🤖

I'm curious, what can you reach and from where?

Usually an efficient way to set up communication with the outside world in a restrained environment is to use a DNS tunnel, yet I'm really not sure at which level the censorship operates, so it's hard to tell if it would work or not.

Maysam Senaps

Hi there, there are two problems:

1- Only a single datacenter is still connected to the outside world. People are getting notices that their proxies have been identified and that they need to go to the Iranian police of cyber crimes and report their activities, and, well, we actually don't know what would happen when we are there! By the looks of it, they could have execution pools in the back yard and just kill people there :/

2- There is no connection at all. I can't ping 8.8.8.8 or 4.2.2.4.
We need to set up Tor on the server (inside Iran) and hope it can connect, but again, we need to connect our friends too, so we could get identified. (To register a server, one would need to give their national identification number.)

So, two problems. How can we securely connect to our machines in Iran? How can we hide the fact that we are using a proxy, and how can we hide the traffic of this server to the outside world?

There sure is Deep Packet Inspection in place. We tried a mirror for a PyPI server, a Docker registry, etc., and tried to use that as a cover, and I just got notice that the owner (my friend) has been asked to get his licenses and papers and go to the Iranian cyber police.

So even covers are failing. We don't know how they are finding out about the proxies, and we don't know which level should be worked on so they can't identify us.

(Believe it or not, with every siren and AK47 round going off in our street, I think this one is for my house and me and my wife, and I am writing this with shaky hands. So sorry if it's hard to understand; I'm really risking my life here with this message.)

Rémy 🤖

At the risk of understating this, it's a fucking serious situation.

I'm trying to see what kind of options you have but I'm only going to talk about technology and have no idea what means are put in place to fight against this.

Low tech is probably best, the priority could be in establishing a working email relay. You probably already have the binaries for that. Those use files as sending pools, you can probably use USB drives to move emails around in a meshed way. Sign/encrypt them with GPG when possible. Also, put a lot of noise in there (fake/meaningless content).

WiFi sounds like a good option to establish a meshed network. The only issue is that it's very easy to spot WiFi networks. I'm thinking about 5 GHz WiFi networks because there is less compatible equipment, so probably fewer scanners available also. I'm guessing that if you don't want to be easy to track down you need to produce a lot of noise on the same channel.

Satellite communication is probably harder to detect as it's a very narrow beam. Unsure about that but if you can have a directional antenna aiming at a satellite link you can probably get something. Unless the government ruled that out as well?

I'll post more ideas here if I have. I can also provide servers outside of Iran, so let me know if I can help.

Sajjad Heydari Author

If you can run secure obfs4 Tor bridges (that are hidden), please send them to me (or others you know) to distribute. Just don't publish them within the default registry; they'll be closed really fast then.

Sajjad Heydari Author

I think they have a whitelist of IPs and domains that citizens can connect to, but the internal servers have access to an internet where some domains and some IPs are blocked. It's a little bit messy, to be honest.

🦄N B🛡

// , Welcome to one of the increasingly important new frontiers in IT innovation: Information Security

I expect the stories like this, that motivate InfoSec applications, to become increasingly dark, and, as you have directly pointed out, tied to one's physical security.

I have an intuition that what you're really looking for are not just proxies, but a solution to the most ham-handed form of censorship: blackouts.

I recommend taking a brief look into applications of the Tox protocol that go beyond just chat, and if you're ready to go full data-guerilla mode, consider looking into getting your own "copper."

I don't see a PGP key in your profile (dev.to seems to have prioritized profile fields for Twitch, Behance, and Dribbble (whatever that is) over infosec stuff like PGP or keybase.io).

But if you send it to me I'll send you some more info I have.

Sajjad Heydari Author

Thank you! I don't live in Iran personally, although my PGP public key is here: keys.gnupg.net/pks/lookup?op=vinde...

Si

Thanks for your submission, but it does not meet the help tag requirements. Please review the sidebar for more information.

Sajjad Heydari Author

Hi, I'm clearly asking for help. I provided a description of the problem and asked for pointers regarding creating proxies. How can I improve this so that you'd allow the help tag on it?

Si

The #help tag is more for specific development issues, not for very broad "how do I do x" type questions. More information can be found here

Eli Bierman

I don't think there are tutorials for accessing the internet during an internet lockdown, and Sajjad was very clear in his question. Also, given the circumstances he described, do you think you could just relax about the #help tag here? Stack Overflow is a great site for being pedantic about asking questions; this site is supposed to be more welcoming.

Si

There are far better tags for this question, such as the #discuss one that has been used.

Pavel Svitek

Are those people able to download the Brave browser? It has the Tor network integrated in incognito mode.

Sajjad Heydari Author

We all have Tor installed, but they keep banning the bridges.

Dimitrios Desyllas

Hmm, how about a wireless P2P network using Yagi TV antennas? If each house used its own TV antenna for transmitting and receiving data, then each house would actually participate in a P2P wireless network. If you could hide the required hardware in a TV-amplifier-sized box, then it could also be easily concealed from police as well.

Also, if you could detect police signals close by, then you could temporarily close off each node until the police pass by. Then it could start up again. Also, for outside access you could use wireless links in a close-to-borders town.

oxyo

You can use WireGuard on port 53 to interconnect your PCs. Currently no one can intercept this. Another option is to use TunSafe.

Project-Magenta

Unfortunately, WireGuard may secure communication, but it is not meant to be hidden. Perhaps TunSafe combined with Shadowsocks will do?

EDIT: on second thought, obfs4 would be harder to detect.

Denis Nuțiu

Have you tried using Tor over an obfs4 bridge hosted on Google Cloud/Azure?

v 1 r t l

I recommend trying Shadowsocks. It is a fast SOCKS5 proxy with custom encryption.