In A Nutshell
These VPN providers are the best to use in Iran — they use obfuscation technology to bypass Deep Packet Inspection:
- ExpressVPN (fast, excellent customer support) — uses a confidential method of packet obfuscation
- VPN.AC uses TLS-authentication to mask OpenVPN handshake packets (thus hiding it from Deep Packet Inspection)
- Proxy.SH uses “obfsproxy” (good privacy options)
If you need an introduction to VPNs (Virtual Private Networks), please see this article.
The Iranian government uses DPI (Deep Packet Inspection) to limit internet access. To avoid these restrictions, you need a VPN that uses obfuscation technology. Basically, this camouflages your VPN traffic and makes it look like regular internet traffic.
OpenVPN is generally the best type of VPN connection to use, because it cannot be blocked simply by cutting off traffic to a specific port.
All the VPN providers listed above support OpenVPN obfuscation in some form.
Another Option: Hosting Your Own VPN on a VPS
You may want to create your own VPS with an OpenVPN installation and obfuscation. I recommend using a reliable VPS like Digital Ocean. You can purchase their $5 per month plan, and see my article How To Set Your Own VPN.
Once you have the VPN set up, you can then install an SSL tunnel:
Using OpenVPN through an SSL tunnel
You can make your OpenVPN traffic virtually indistinguishable from regular SSL traffic by tunnelling it through SSL, because Deep Packet Inspection cannot penetrate this additional layer of encryption.
Note that using an SSL tunnel will slow down your internet connection.
UDP is better for any kind of tunnel because it has lower overhead and doesn’t try to retransmit packets unnecessarily. In certain instances retransmitting packets could be counterproductive. Basically, anything that needs to either have a stateful connection or a connection that is “reliable” (i.e. TCP) already has packet retransmission built into the protocol. If you run two of these protocols on top of each other (such as TCP over a TCP tunnel), then bad things start to happen as now you have more than one layer trying to retransmit packets. So really you should use UDP unless there’s a very specific reason you need to use TCP, such as a firewall restriction or something.
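What the SSL wrapping changes can be seen from the inspector's side. The following is an added example, not code from the original article: a simplified first-packet check that recognises a plain OpenVPN handshake by its opcode byte and sees only a TLS record header once the same traffic is tunnelled through SSL. The function names and sample payloads are constructed for illustration, and real DPI systems use more signals than the first bytes.

```python
import struct

# An OpenVPN packet starts with one byte: opcode (high 5 bits) | key_id (low 3 bits).
HARD_RESET_OPCODES = {7, 8}  # P_CONTROL_HARD_RESET_CLIENT_V2 / _SERVER_V2
TLS_HANDSHAKE = 0x16         # TLS record content type "handshake"


def looks_like_openvpn(payload: bytes, transport: str) -> bool:
    """True if the payload begins like an OpenVPN hard-reset control packet."""
    if transport == "tcp":
        # Over TCP, OpenVPN prefixes each packet with a 2-byte length.
        # Simplification: assume the segment carries exactly one packet.
        if len(payload) < 3:
            return False
        (length,) = struct.unpack("!H", payload[:2])
        if length != len(payload) - 2:
            return False
        payload = payload[2:]
    if len(payload) < 9:  # opcode byte + 8-byte session ID
        return False
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    return opcode in HARD_RESET_OPCODES and key_id == 0


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload begins with a TLS handshake record header."""
    if len(payload) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return ctype == TLS_HANDSHAKE and major == 3 and minor <= 4 and 0 < length <= 2**14


def classify(payload: bytes, transport: str) -> str:
    """Label a connection's first payload as 'openvpn', 'tls' or 'unknown'."""
    if looks_like_openvpn(payload, transport):
        return "openvpn"
    if transport == "tcp" and looks_like_tls(payload):
        return "tls"
    return "unknown"


# Constructed samples (not captured traffic).
SESSION_ID = bytes(range(8))
RAW_UDP = bytes([7 << 3]) + SESSION_ID + b"\x00" + b"\x00\x00\x00\x00"
RAW_TCP = struct.pack("!H", len(RAW_UDP)) + RAW_UDP
# Once tunnelled through SSL, the observer sees a TLS record header first.
WRAPPED = bytes([0x16, 0x03, 0x01]) + struct.pack("!H", 64) + b"\x01" + bytes(63)

if __name__ == "__main__":
    for name, data, proto in [("raw/udp", RAW_UDP, "udp"), ("raw/tcp", RAW_TCP, "tcp"), ("ssl-wrapped", WRAPPED, "tcp")]:
        print(name, "->", classify(data, proto))
```

An SSL tunnel runs over TCP, so the wrapped case is only ever seen as a TCP stream, which is where the retransmission trade-off described above comes in.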
OpenVPN through an SSH tunnel
Using OpenVPN with an SSH tunnel is very similar to using it with an SSL tunnel. The difference is that you wrap your OpenVPN traffic with SSH encryption instead of SSL encryption. SSH is the “secure shell” software used to make connections to shell accounts in Unix. You can find SSH clients for most operating systems — see PuTTY for example.
When using SSH tunnels, note that:
- SSH is much more than just encryption, so you will see more overhead with SSH tunnels
- SSH is difficult to set up on Windows, whereas stunnel is cross-platform
Obfsproxy is a tool designed to make VPN connections difficult to detect. It was created by the Tor network when China started blocking Tor nodes — but it can be used outside of the Tor network to mask VPN connections.
There are instructions for setting up Obfsproxy with OpenVPN on this page.
The Future Of Internet Blocking In Iran
There are over 36 million Internet users in Iran, according to EFF. These users are subject to very limited access to the Internet, however, and the restrictions appear to be getting worse. The Iranian government has expressed interest in filtering the Internet completely so that it meets their standard — and this means that there may be further restrictions coming down the line for Iranian Internet users. Already, bloggers and other individuals who have spoken out against the government online have been punished. EFF mentions that one Iranian blogger’s wife was beaten for complaining about how security forces in the nation conducted themselves.
In October 2006, all Internet Service Providers (ISPs) were mandated to cut down their download speed to 128kbits for private and commercial Internet users. In order to restrict internet access in Iran, the government uses SmartFilter content control software by Secure Computing, which is based in San Jose. Also, it is alleged that Iran has an electronic surveillance system made by Nokia Siemens Networks (NSN).
Recently, Iran passed legislation which stipulates that Iranian ISPs must keep all data received and sent, and that the data is not deleted until 3 months after the contract of the client has expired. ISPs also filter sites with content that is pornographic and political in nature.