Tell HN: VPN Situation in Iran
78 points by amir734jj on Oct 11, 2022 | hide | past | favorite | 25 comments
I am an Iranian and have a family member in Iran. As you know, the internet is currently shut off from outside or very slow.

Over the past years, I would create an OpenVPN server with a port other than the default OpenVPN port (1194) and share the connection with my family member in Iran. Using a random port was needed because default OpenVPN has been blocked in Iran for some time (probably since 2010). But recently [after the recent internet shutdown] I noticed a change. My family member cannot even connect to a server IP address or (private) domain using any port, so VPN doesn't work anymore. Instead they are only able to connect to the outside world using locally paid VPNs, but applications that have end-to-end encryption don't work anymore with these VPNs (Telegram, WhatsApp, etc.).

So my theory is they cut off the connection to outside and people are only able to connect with outside world using certain VPNs that are probably made by the government. Not really sure.



OpenVPN, strongSwan, Tinc, WireGuard and even Tor without obfuscation modules and without private entry nodes are all trivial to detect and block. Assuming one can reach a VPS provider outside of the country, the most likely solution would be an HTTPS enabled proxy using SNI and a wildcard cert that makes it look like one is just pushing code to a git repo. HAProxy could peel off the default traffic to an actual Gitea git repo and forward the proxy traffic to a Squid SSL-Bump proxy. Create a VM somewhere, give it a DNS name like "git.yourdomain.tld" and then proxy through that HTTPS connection from a different SNI name like "artifacts.yourdomain.tld". This isn't perfect but may work.

Another option, if SSH is still permitted to VPS providers: one could tunnel over SOCKS connections through a VPS VM initially as the first hop, then through a friend's home in that same region outside of Iran as the second hop to minimize the number of CAPTCHAs one is subjected to. SSH can make multiple hops transparent to the client. Ensure DNS resolution in the browser is set to use the upstream SOCKS connection. As with the previous proposal, try to make the VM look like a git repo or something else work related.

One could find some examples of both of the above ideas on SuperUser, StackExchange and ServerFault.

Here [1] is a previous discussion on the topic of the Iran internet lock-down.

[1] - https://news.ycombinator.com/item?id=33025954


CONNECT requests in Squid or similar proxies are very easy to detect as they happen before encryption.

I would suggest using Outline (based on Shadowsocks but with easy interface)

Or set up OpenConnect Server in Cisco AnyConnect mode; it is based on HTTPS and it looks exactly like HTTPS on the wire.


CONNECT is not required if using a Squid SSL Bump MITM proxy. Squid can intercept HTTPS requests provided one generates a cert on the proxy and installs it in the OS or browser. The one thing that might stand out to the adversary is that this is a self-signed certificate, but that is not uncommon for developers to create. If people are interested I can post the config that includes commented steps for generating the certs. I'm not sure if it will fit in a HN comment however.

Either way, I agree Shadowsocks is another great option. The more options people have the better.

Outline on the other hand appears to be a service that someone would have to trust and pay for. Commercial VPN providers are great targets for swooping up large swaths of dissenting citizens. I believe people should stick with tools they can entirely host themselves. Using a VPN provider is probably fine for things like Netflix region selection but very much not for subverting a state's control. It's risky enough to pay for a VM. People outside of Iran could contribute VMs for this purpose.


I should also add for clarification that if going the Squid SSL Bump route, the VPS VM should only be hosting HAProxy using a Layer 4 TCP VIP and nothing else. HAProxy should be routing the Squid intercept to a private home in the region of the VPS provider and outside of Iran. Using Squid from a VPS directly nearly guarantees one will experience non-stop CAPTCHAs.

    Iranian HTTPS client with cert installed -> HAProxy Layer 4 TCP listener on a VPS VM -> Squid SSL Bump running on a home router at someone's house or business.
Also important is to not do any of this from a cell phone.


This looks like classic DPI based blocking. My university had one and it was freaking annoying. Apparently the OpenVPN TLS handshake is subtly different from mainstream ones, so DPI firewalls can tell the difference.

In the end I found the easiest solution was to use SSTP (which is just PPP over TLS). I just used this [1] for the server implementation. And Windows has built in support for it so saves a lot of trouble if you wanna share it with family.

1. https://www.softether.org/


If they use the same great firewall to do the blocking, then yes, you will need to adopt the Chinese netizen rulebook and hop the firewall.

https://www.iranintl.com/en/202202123131


I hate to make light of a terrible situation, but this really highlights whether or not a private connection over various technologies is truly private.

If state actors can see you wearing a mask, it still means you're visible.


It might really be worth going oldskool:

Make a website. HTTPS. Put something like PHProxy on it. If you really want to, stick on some messaging, like a BBS. Then you can upload stuff. It's not going to be quite as quick as snapping a pic on WhatsApp or Twitter, but it's not bad.

Then put a plausible front on the website. Like, if you're in the grains business, put some public data about grain prices, trade broker services, weather, that sort of thing.


You could set up a Tor bridge with an obfs4 pluggable transport. That works even in China, because it resists DPI and probing. Does your VPN protocol resist probing? If not, that may be how they are blocking it. Also if the government goes hard enough on manually requesting Tor bridges, you will have to distribute bridges yourself (which you seem to already be doing with VPN server addresses).


does this work? -> OnionShare 2.6 – Released → (October 9, 2022) : https://news.ycombinator.com/item?id=33155721

FYI: Tor Browser (Bundle) 11.5.4 – (All Platforms) release is due, probably within a few hours

Help people in Iran reconnect to Signal – a request to our community : https://www.signal.org/blog/run-a-proxy/

Also, what DNS are they using, is DoH or DoT able to be used?


FYI: Tor Browser – 11.5.4 (Android, Windows, macOS, Linux) Released → (October 12, 2022) : https://news.ycombinator.com/item?id=33183581


Starlink works if you can hide or camouflage the dish:

https://www.wsj.com/articles/iranian-protesters-struggle-to-...


Detecting Starlink terminals is really easy for the government. Jamming transmission is not hard either.


I don't have personal experience with this, but https://getoutline.org/ is designed to be resistant to blocking and may be worth trying.


Check this post from a few days ago on HN:

Tell HN: The Internet situation inside Iran

https://news.ycombinator.com/item?id=33025954


Try shadowsocks.


Definitely look into Chinese technology here, they're much further along this curve.

Not just ss but also xray/v2ray, cloak, goodbyedpi, trojan-gfw etc.


Any eli5 why these work well?


Fruits of evolution. Blocking information is a battlefield where the overseer can either win very easily or cannot win at all---the only fundamental way to block anything is to block everything.

Imagine if your ISP blocks the front page of The Post yet you are still allowed to talk to me. Well, I can simply read the information to you over the phone under a plausibly deniable "eg even number of words in a sentence =1" algorithm.


Because any channel that allows messages/information can be "piggybacked"? Is there a loss of bandwidth at each layer of indirection?
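The word-count-parity channel from the "Fruits of evolution" comment, carried through as an added Python example (not from any commenter in this thread): it hides each bit of a message as the parity of a sentence's word count (even = 1, as that comment suggests), recovers the bits from the cover text, and measures the bandwidth cost that the question above asks about. The cover sentences and function names are constructed for the example.

```python
import re
from typing import List

# Constructed innocuous filler; word counts deliberately mix odd and even.
COVER_SENTENCES = [
    "Wheat prices rose again this week",   # 6 words
    "The weather looks fine",              # 4 words
    "Brokers expect a quiet market",       # 5 words
    "Rain is forecast for the north",      # 6 words
    "Shipping costs stay high",            # 4 words
]
FILLER_WORD = "today"   # appended to flip a sentence's parity when needed


def _word_count(sentence: str) -> int:
    return len(sentence.split())


def encode_bits(bits: List[int]) -> str:
    """Emit one cover sentence per bit: even word count = 1, odd = 0."""
    out = []
    for i, bit in enumerate(bits):
        base = COVER_SENTENCES[i % len(COVER_SENTENCES)]
        want_even = bit == 1
        if (_word_count(base) % 2 == 0) != want_even:
            base = base + " " + FILLER_WORD
        out.append(base + ".")
    return " ".join(out)


def decode_bits(text: str) -> List[int]:
    """Recover bits by counting words in each sentence of the cover text."""
    sentences = [s for s in re.split(r"[.!?]\s*", text) if s.strip()]
    return [1 if _word_count(s) % 2 == 0 else 0 for s in sentences]


def hide_message(msg: str) -> str:
    """Serialize an ASCII message MSB-first into cover text."""
    bits = [(byte >> (7 - k)) & 1 for byte in msg.encode("ascii") for k in range(8)]
    return encode_bits(bits)


def reveal_message(text: str) -> str:
    """Inverse of hide_message; trailing partial bytes are dropped."""
    bits = decode_bits(text)
    chars = []
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chars.append(chr(int("".join(map(str, bits[i:i + 8])), 2)))
    return "".join(chars)


def expansion(msg: str) -> float:
    """Bytes of cover text sent per byte of hidden message: the bandwidth
    cost of the indirection, since each sentence carries only one bit."""
    return len(hide_message(msg).encode()) / len(msg.encode())


if __name__ == "__main__":
    cover = hide_message("hi")
    print(cover)
    print(reveal_message(cover), round(expansion("hi"), 1))
```

The decoder only needs the same parity rule, which is why the channel is deniable: there is nothing in the cover text for a filter to match on. The price, shown by `expansion`, is that one bit per sentence costs hundreds of bytes of cover per byte of payload, which is the loss the question above is asking about.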


Years and years of cat-and-mouse between people wanting to jump the Great Firewall and people maintaining the Great Firewall.


Try ProtonVPN with Stealth protocol


just curious: what about telephone calls? are international voice calls allowed?



does Tor work?



