For Iranians: build your own VPN / connection via f.e. AWS safe?

Hey dear community!

Creative here again with another request for input.

We see lots of users advocating for “DIY” VPNs that you control as a viable way of circumventing censorship and staying safe.

An example:

You can set up your own VPN on a VPS server. Say on Amazon AWS, Microsoft Azure, Google Cloud etc… you can get entry-level hosting for about $5/month. And you can share this VPN server with your friends too. I do not suppose Amazon or OVHcloud would let anyone in unless there is a court order, or let anyone watch your traffic. Just fyi.

https://old.reddit.com/r/NewIran/comments/zc8son/new_rule_no_custom_vpns_proxies_or_random_login/iyv9v4v/

It can even be free: Free Cloud Computing Services - AWS Free Tier.

Also, a full “VPN” isn’t even needed, just SSH with dynamic port forwarding to the VPS, i.e. ‘ssh -D 1080’ (or the equivalent with PuTTY, in Connection > SSH > Tunnels), which creates a SOCKS proxy on localhost:1080; you don’t need to do anything at all on the VPS once it’s running.

https://old.reddit.com/r/NewIran/comments/zc8son/new_rule_no_custom_vpns_proxies_or_random_login/iyvn0k2/

What is your opinion about this?

As we see it currently this would:

  1. Only be viable for advanced users
  2. Even for those advanced users be a bad idea (no “test of time”, all it takes is one mistake, likely not active in the space and therefore lots of unknown-unknowns, …)
  3. Would provide a false sense of security
  4. Would open up many attack vectors that wouldn’t exist with services used by many thousand users (if that is accurate, which ones?)

Would you say that that is a sound assessment and that we should challenge and delete comments and posts that advocate for this?

Where would you see the main dangers with this approach?

Nothing particularly wrong with it. The purpose is to circumvent local censorship, not remote anonymity.

Yes, it does require some manual work.

Whenever putting a new machine online publicly facing the internet, I always portscan, and verify that the nftables/iptables is correctly blocking what it should. I also only ever install absolutely the minimal amount of services.

In regard to setting up things like OpenVPN, servers and Wireguard, one should always read the man files/documentation on the official website, and not just follow some “short” version blog article, because that may not have best practices.

Unfortunately with official documentation there’s generally more complexity as it details all the features, so that in turn requires some background.

Not that I can see. It wouldn’t be any worse than a company using a VPN to give remote users access to their internal network.

I suppose the server may be more susceptible to DDoS attacks from the Iranian government, but I doubt they would bother if it’s only a few users using it.

Well, some basic recommendations would be to only allow SSH public/private key authentication and disable password authentication, for example. There may be other things one can do, but that would be the most major one.

Private VPN servers, like the one suggested in The Iran Firewall - A preliminary report, are likely the only way. V2Ray is built with various obfuscation methods, and as far as I know is not offered by any public VPN provider.

1 Like
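As an added example (not code from the thread or from any project named in it), here is a pre-flight check for the key-only, no-password SSH policy recommended in the reply above, run before a freshly built VPS is exposed. The two sample sshd_config files are constructed for illustration; the keyword names are real OpenSSH ones.

```shell
#!/bin/sh
# Added example, not from the thread: check that an sshd_config enforces key-only
# login with password authentication disabled before the VPS goes online.
# sshd uses the first value it reads for each keyword; Match blocks are ignored
# here, so on the live box confirm with `sshd -T` (prints effective settings).

# Print the first effective (uncommented) value of OPTION in FILE, lowercased.
ssh_opt() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }           # stop at conditional blocks
        tolower($1) == key     { print tolower($2); exit }
    ' "$2"
}

# Return 0 if FILE is hardened, 1 otherwise, naming each weak setting.
# The ${v:-...} fallbacks are OpenSSH's own defaults for an unset keyword.
check_sshd_config() {
    f="$1"; rc=0
    v=$(ssh_opt PasswordAuthentication "$f")
    [ "${v:-yes}" = "no" ] || { echo "WEAK: PasswordAuthentication=${v:-yes (default)}"; rc=1; }
    v=$(ssh_opt KbdInteractiveAuthentication "$f")
    [ -n "$v" ] || v=$(ssh_opt ChallengeResponseAuthentication "$f")   # older keyword
    [ "${v:-yes}" = "no" ] || { echo "WEAK: KbdInteractiveAuthentication=${v:-yes (default)}"; rc=1; }
    v=$(ssh_opt PubkeyAuthentication "$f")
    [ "${v:-yes}" = "yes" ] || { echo "WEAK: PubkeyAuthentication=$v"; rc=1; }
    v=$(ssh_opt PermitRootLogin "$f")
    case "${v:-prohibit-password}" in no|prohibit-password) ;; *) echo "WEAK: PermitRootLogin=$v"; rc=1 ;; esac
    v=$(ssh_opt PermitEmptyPasswords "$f")
    [ "${v:-no}" = "no" ] || { echo "WEAK: PermitEmptyPasswords=$v"; rc=1; }
    return $rc
}

TMP=$(mktemp -d)
WEAK_CFG="$TMP/sshd_config.weak"; HARD_CFG="$TMP/sshd_config.hardened"
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: a fresh image after a hasty "short blog post" setup
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed sample: key-only policy for a personal VPN / SSH jump host
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
EOF
check_sshd_config "$WEAK_CFG" || echo "weak config rejected (expected)"
check_sshd_config "$HARD_CFG" && echo "hardened config accepted"
```

Restart sshd only after `sshd -t` passes, and keep an existing session open while testing key login from a second one.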

Hey Daniel, thank you for your answer!

What about local anonymity? And why wouldn’t remote anonymity be a goal as well? (f.e. not only consuming news sources, but actively participating in communities and activism and having the account tied back to a certain connection)

The assumption here would be an average computer user that creates this kind of setup for the first time. No prior experience with anything privacy / security / anonymity related.

Especially the caveats regarding possible setups you wrote further down make it seem like there are a lot of opportunities for misconfiguration.

Would you trust a completely non-technical person with the setup who would later use the VPN for themselves and their family and friends?

Thank you for sharing your approach, that is really good to know.

Okay, so nothing directly to worry about in terms of how easy accounts / online activity can be tied back to certain connections because of the lack of a big user pool? Nothing along the lines of more attack surface in terms of meta data?

In what way did you mean “only way” here? In the sense of being the only way that wouldn’t be blocked and detected as well?

How would your assessment regarding the average user using V2Ray and the related (misconfiguration?) risks look? Would it essentially stay the same as above?

What is your opinion about Shadowsocks / Outline in this context?

Thank you for your awesome help, Daniel!

I don’t see why not. I wouldn’t use a server hosted inside Iran for this purpose though, unless you’re doing something like what was suggested in that article:

Addition: After writing this article I got asked about the most reliable way to circumvent the GFI. A relay host inside of Iran is needed (Iran-Relay) and an EXIT node outside of Iran (EU-EXIT). The Iran-User and the EU-EXIT node both need to connect TO the Iran-Relay (connecting from the Iran-Relay TO EU-EXIT is sometimes blocked). Iran-User and EU-EXIT “meet” at the Iran-Relay. Iran-User TO Iran-Relay traffic needs to be obfuscated (V2ray/Shadowsocks/ssh is effective). EU-EXIT to Iran-Relay needs to be less obfuscated (SSH works just fine). No software needs to run on the Iran-Relay to give the Iran-Relay admin plausible deniability. No IP must be logged. This is the setup that THC is providing.

The most widely adopted solution however is a V2Ray/Shadowsocks connection from Iran-User to the Iran-Relay and an iptables DNAT to EU-EXIT. It seems to work most (but not all) of the time.

It’s not completely newbie friendly to set up, the above method that THC suggested is what you could write a guide about though.

This is because the threat model is primarily the Iranian government. Overseas governments are unlikely to comply with any requests from the Iranian government, unless users are directly doing something considered against international norms, and putting providers outside of Iran at legal risk within their own countries.

Yes, if the Iranian government is using DPI to detect tunnels, you’re going to need something to obfuscate that like V2Ray, or Tor bridges.

There are always things that can be “less secure” if misconfigured, like any piece of machinery that is set up wrong, or without knowledge.

Haven’t used either of those. I know that Shadowsocks has fallen out of fashion amongst the Chinese trying to bypass the GFW though. They seem to now prefer V2Ray, though I don’t have anything concrete on that.

1 Like
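As an added example (not code from the thread, from THC or from the quoted article), here is the relay-side rule set for the “most widely adopted” variant quoted above: the Iran-Relay forwards one obfuscated inbound TCP port to EU-EXIT with iptables DNAT and never logs. All addresses and ports are constructed placeholders; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or THC's article: relay-side iptables rules
# where Iran-Relay DNATs the obfuscated inbound port to EU-EXIT and keeps no
# logs. Addresses and ports are constructed placeholders (RFC 5737 ranges);
# set APPLY=1 to run the commands as root on a relay dedicated to this job.

valid_ipv4() {  # 0 if $1 is a dotted quad with every octet in 0..255
    echo "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 } { exit 1 }'
}
valid_port() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# Print the commands for: relay accepts TCP on RELAY_PORT and forwards that one
# flow to EXIT_IP:EXIT_PORT; nothing else is forwarded. No LOG target is used,
# matching the "no IP must be logged" requirement, and MASQUERADE means the
# EXIT only ever sees the relay's address, not the user's.
relay_rules() {
    rp="$1"; eip="$2"; ep="$3"
    valid_port "$rp" && valid_ipv4 "$eip" && valid_port "$ep" || { echo "relay_rules: bad arguments" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -t nat -A PREROUTING  -p tcp --dport $rp -j DNAT --to-destination $eip:$ep
iptables -t nat -A POSTROUTING -p tcp -d $eip --dport $ep -j MASQUERADE
iptables -A FORWARD -p tcp -d $eip --dport $ep -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $eip --sport $ep -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

RELAY_PORT=443; EXIT_IP=198.51.100.20; EXIT_PORT=443   # constructed placeholders
if [ "${APPLY:-0}" = 1 ]; then
    relay_rules "$RELAY_PORT" "$EXIT_IP" "$EXIT_PORT" | sh -e   # apply on the relay as root
else
    relay_rules "$RELAY_PORT" "$EXIT_IP" "$EXIT_PORT"           # dry run: just show the rules
fi
```

The V2Ray or Shadowsocks server itself then runs on EU-EXIT, listening on EXIT_PORT; the relay carries only opaque bytes.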