r/NewIran mod here: Is trusting custom VPN servers like Outline a bad idea for Iranians?

Hi dear PrivacyGuides community!

You are great, thank you for everything you do.

I am Creative from /r/NewIran and we see tons of posts promoting custom VPNs via Outline and similar systems that are to be distributed via Telegram like this one:

As far as my understanding goes, this is a really bad idea, because the issue is trust here.

Anybody could join these kinds of initiatives, have traffic by Iranians channeled their way and do with it as they please.

Great honeypots in general.

Even with big VPN providers with long track records it is difficult to have a reasonable basis for trusting them.
As I see it, the risk is the same but much more severe, as you blindly trust some random server from some random channel from the internet, and you shouldn’t rely on it, especially if the consequences can be imprisonment, torture or even death.

I would in general encourage people instead to run and use Tor Snowflakes, even if they aren’t perfect in terms of speed.

Is my view of this accurate?

Yes, your view is accurate.

Tor is the safest option available, and private VPNs can easily be honeypots.

Even “safe” VPNs like Proton free don’t give you much anonymity; if your connection is getting monitored they will know your VPN IP address.

2 Likes

Thank you for your input!

Would you recommend anything else that we could push officially on the sub besides running Snowflake?

I was told by somebody from Tor that it’s painfully slow these days because there is an ongoing attack on the network against Tor guard nodes: Performance – Tor Metrics

I think the DDoS stopped, but maybe it has started again.

It might be a good idea to tell people to use bridges; it will make it harder to detect that people are connecting to the Tor network.

Everything besides private bridges and Snowflake stopped working in general anyways 👍

I find it surprising that so many VPNs still seem to work anyway. For a time (maybe still) it was only WireGuard working and everything else was supposedly blocked via DPI.
From what I have gathered it was expected that WireGuard (and others like Proton’s Stealth Protocol) sooner or later would suffer the same fate.

Yeah, all Tor nodes are publicly listed in the directory, so it’s easy to block the entire network; that’s why you need bridges and Snowflake.

Bridges and VPNs running on private IP addresses are hard to block; someone needs to find and flag them. It’s a cat-and-mouse game, but it generally takes longer to find and block them than it takes for new bridges to pop up.

Yes, this is why we don’t recommend any and every VPN provider. We recommend a select few that we know are run by proper people.

Realistically, VPNs are not the right tool to circumvent censorship. Iran in particular filters VPN protocols like OpenVPN and WireGuard with DPI anyway.

So in a way I would be suspicious of some magical VPN that works, and doesn’t do anything about that.

1 Like

Thank you for your answer!

What would you consider additional channels besides VPNs? Is Tor the only other choice?

Is there an extended list of VPNs that you have vetted but decided not to include that we could give to people to try out?

Why do you think many of the big VPNs like ExpressVPN are still working while Iran should theoretically have been able to block them all via DPI?
I expected all VPNs to stop working much sooner.

What bullet points of do’s and don’ts would you give normal Iranians to protect their identity while accessing the internet via a VPN?

What bullet points of do’s and don’ts would you give to activists that might directly get targeted?

We collected (also with the help of this community) a few guides here:

But none seem to really address protecting yourself against a state actor.

I hope you don’t mind me extending the scope of this thread with this answer.
If it would be better to create a new one instead, please let me know.

There is V2Ray, but it does require some know-how to configure and a server etc.

Believe it or not, there aren’t that many good VPNs; most of them are owned by a few mega-corp VPN companies which lack transparency, on a “trust us” basis.

It doesn’t really matter who runs the VPN. The Iranian government does deep packet inspection, which blocks the traffic based on characteristics of the protocol. Picking another one simply won’t work, and they very rarely ban things based on IP address.

This is a good question, and I wonder sometimes how some of these work inside Russia too; maybe they hand over data, who really knows.

ExpressVPN does have that Lightway protocol, but I doubt it’s difficult to analyze and block, and it doesn’t seem to be meant to circumvent censorship, but rather to increase performance. Unlike ProtonVPN’s stealth protocol.

As far as I’m aware the Iranian government is just using the Chinese infrastructure to block circumvention methods. They seem to follow similar patterns of being more stringent at certain times of day, like the above article suggests.

They’ve been quite widespread with that too.

Don’t have anything on your person you shouldn’t.

Even with encrypted disks, and things like that, they may take your equipment, and engage in rubber-hose methods anyway.

Have a look at this guide; it might have some useful info for your threat model.

That guide really isn’t that helpful.

In some cases the information it provides is incorrect; in other cases it has a confused threat model. It’s also poorly written and extremely long-winded.

That’s interesting, I suspected there was something off. If you feel like pointing out what the main flaws are, that would be valuable.

The main thing would be that it isn’t really structured in a way where there is method.

It seems just like someone’s “brain dump”: one minute it’s promising to protect you from state agencies, the next it’s disclaiming that it can’t do that. In general it repeats itself a lot and gets fixated on certain things which the author believes are important but aren’t really so. I don’t recommend it as a learning resource because it’s likely to be an information overload, and to overlook some of the simplest things… such as rubber-hose cryptanalysis.

We also do know of the author, they frequented our Matrix rooms some time ago, and they were not well, mentally. Acting under a number of different personas, and pretending to be dead, and then alive again, and wanting XMR for a funeral… yeah…

For people with serious threat models, activists, and people in repressive regimes who might come under state observation, the best thing you can do is keep it simple. That can actually mean that using services provided by commercial organizations, such as Proton Mail, Signal, etc., can be sufficient.

1 Like