This post discusses possible solutions for Iranians wanting to circumvent Internet censorship.
On May 22, 2023, a user published on GitHub a long report on the state of Internet censorship in Iran. He wrote that restrictions are implemented ISP by ISP. Blocking techniques are different between MCI Hamrah Aval and MTN Irancell. As well as TCP blocking, UDP is commonly throttled, making audio and video calling impractical. In some cases the “GFW Iran” applies a blanket block to entire server IP address ranges. This makes circumvention techniques useless. No proxy server will work on such an IP.
The best protocol this user had found was Xray REALITY. Even here, apart from IP address blocks, you must also pay attention to blocks on certain SNIs. Courtesy of SasukeFreestyle, here is a list of SNIs believed to work in Iran:
The GFW Iran is rapidly implementing new blocking and throttling strategies. A more recent SNI suggestion to reduce throttling:
www.speedtest.net
In order to set up Xray REALITY, you will need a virtual private server (VPS). Acquiring a VPS can be a problem. On September 23, 2022, Anthony J. Blinken, U.S. Secretary of State, announced a relaxation of sanctions to allow Iranians to purchase anti-censorship technology. “As a result of this expanded General License,” he wrote, “technology firms will be able to provide more digital services to people in Iran, from access to cloud computing services to better tools to enhance their online security and privacy.” Unfortunately I have heard of few tangible outcomes from the General License. Some VPS providers you might try are AlphaVPS, RackNerd, Noez, or Aeza.
You’ll also need computer knowledge. Although using an installation script makes server set-up easier, administering a Linux server is not a job for beginners.
Manual configuration
Various articles on this blog demonstrate setting up an Xray REALITY server and client:
I also tried another script, the FastReality script. I found this only worked where my user was set up to authenticate with a password. I could not get the script to work on a server that used SSH key authentication. Also, contrary to the instructions in the README, I found it was necessary to run bash as root:
You can change the v2rayN panel language to English or Farsi if you prefer. If you have never done this before, watch the video demonstration How to change v2rayN to English.
To allow you to use any browser, find the v2rayN icon in the system tray, right-click on the icon to bring up the context menu, then select Set system proxy.
Now use the menu option to add a server by the method Scan QR code on the screen. Make sure your QR code is visible when you click this button.
You may need to adjust the parameters. For example, in the screenshot the IP address is an internal IP address. It must be changed to the public IP address of the server.
Click Confirm.
Visit a site outside the firewall to see if you can connect. For example, visit https://www.bbc.com/persian.
The following notes explain certain attributes in the JSON configuration file for the Xray server:

id
    Run xray uuid to generate an id, or use any string of 1 to 30 bytes.
flow
    Leave blank.
show
    If set to true, the program will output debug information.
dest
    The minimum standard for the destination website is that it is a foreign website, supports TLSv1.3, X25519 and H2, and the domain name is not redirected (although the main domain name may be redirected to the www subdomain).
serverNames
    The list of serverName values available to the client. Wildcards (*) are not supported yet. The server name must match a name on the destination site's TLS certificate. You can check the destination site's certificate details in the developer tools section of your browser.
privateKey
    Execute xray x25519 to generate a key pair, and fill in the value of Private key here. The matching Public key goes into the client configuration.
shortIds
    A list of the shortId values available to clients, which can be used to distinguish different clients. Each shortId consists of hexadecimal characters 0 through f. The length is a multiple of 2, with an upper limit of 16. The value can be left blank, or you can execute openssl rand -hex 8 to generate one.
Example of id generation:
xray uuid
Results:
3b5390c5-52a2-472d-8dc2-103ef508be6c
Example of checking destination site’s SSL certificate details in the developer tools section of a browser:
Example of public key generation:
xray x25519
Results:
Private key: QNraK6EdxPNOzfbL2G1BTl_OeMSxm49H5vps2qzQ3E0
Public key: eZfl07Tg9UII29GaS23QXqB15aqrJ4Khm0vKJIcaMCo
Example of shortId generation:
openssl rand -hex 8
Results:
77c2358dc476ae9e
Example of a completed server configuration file /usr/local/etc/xray/config.json:
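As an added example, not the article's own file, here is a complete server config.json assembled from the sample values generated above (the UUID, private key and shortId printed earlier, which you must replace with your own) together with www.speedtest.net as dest and serverName, following the SNI suggestion near the top of the post. Listening on port 443 and the direct/blackhole outbounds are assumptions; dest must still meet the TLSv1.3, X25519 and H2 requirements described above:

```json
{
  "log": { "loglevel": "warning" },
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "3b5390c5-52a2-472d-8dc2-103ef508be6c",
            "flow": ""
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "dest": "www.speedtest.net:443",
          "xver": 0,
          "serverNames": [ "www.speedtest.net" ],
          "privateKey": "QNraK6EdxPNOzfbL2G1BTl_OeMSxm49H5vps2qzQ3E0",
          "shortIds": [ "77c2358dc476ae9e" ]
        }
      }
    }
  ],
  "outbounds": [
    { "protocol": "freedom", "tag": "direct" },
    { "protocol": "blackhole", "tag": "block" }
  ]
}
```

Before restarting the service, check the file parses and the key decodes with xray run -test -config /usr/local/etc/xray/config.json; a typo in privateKey or a shortId of odd length is reported there rather than at the first client connection. The private key shown is the page's sample and is public; a server that keeps it offers no protection against active probing, so always generate a fresh pair.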
If you want to be sure of having the very latest Xray core, then download the Xray core for Windows 64-bit from https://github.com/XTLS/Xray-core/releases, check the archive against the .dgst checksum file published alongside it on the release page, unzip it, and copy xray.exe into Downloads\v2rayN-With-Core\v2rayN-With-Core\bin\Xray replacing the existing xray.exe.
You can check which version you have by opening a command prompt in that folder and issuing the command:
xray --version
Example of results:
Xray 1.8.3 (Xray, Penetrates Everything.) Custom (go1.20.5 windows/amd64)
A unified platform for anti-censorship.
Launch the v2rayN application.
Click the v2rayN icon in the Windows system tray to bring up the GUI.
Configure the v2rayN GUI for a new VLESS server, using the same values as went in the configuration JSON file for the CLI client:
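As an added example, not the article's own client file, this is the Xray CLI client configuration that the v2rayN entry mirrors, using the sample server values from earlier in the post. The address 203.0.113.10 is a documentation placeholder standing in for the server's public IP, the local SOCKS port 1080 and the chrome uTLS fingerprint are assumptions, and publicKey is the Public key half of the x25519 pair shown above:

```json
{
  "log": { "loglevel": "warning" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 1080,
      "protocol": "socks",
      "settings": { "udp": true }
    }
  ],
  "outbounds": [
    {
      "protocol": "vless",
      "tag": "proxy",
      "settings": {
        "vnext": [
          {
            "address": "203.0.113.10",
            "port": 443,
            "users": [
              {
                "id": "3b5390c5-52a2-472d-8dc2-103ef508be6c",
                "encryption": "none",
                "flow": ""
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "fingerprint": "chrome",
          "serverName": "www.speedtest.net",
          "publicKey": "eZfl07Tg9UII29GaS23QXqB15aqrJ4Khm0vKJIcaMCo",
          "shortId": "77c2358dc476ae9e",
          "spiderX": ""
        }
      }
    }
  ]
}
```

Every value here has a one-to-one counterpart in the v2rayN form: address and port, the UUID, the serverName (SNI), the public key, the shortId and the fingerprint. A mismatch in serverName or publicKey produces a handshake that silently falls through to the real destination site, so the first thing to compare when the proxy "connects" but nothing loads is those two fields.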
You can alternatively download it from one of the official Tor Project mirrors. Do not download Tor Browser from any other site, as there have been incidents of malware in unofficial imitations of Tor Browser. Do not use scripts or loaders you find on the internet. Use only the official Tor Project site or one of its mirrors.
It is a large download of over 100 MB.
On a typical Linux desktop, your download goes into your ~/Downloads folder. It will have a name that looks like tor-browser-linux64-12.0.6_ALL.tar.xz.
Open a terminal emulator. Change into your ~/Downloads directory:
cd ~/Downloads
Extract the archive:
tar -xvf tor-browser-linux64-*.tar.xz
Change into the extracted directory:
cd tor-browser
From inside the Tor Browser directory, register Tor Browser as a desktop application:
./start-tor-browser.desktop --register-app
(If this produces an error message, try running the script as just ./start-tor-browser.desktop, close Tor Browser if it is open, then re-try ./start-tor-browser.desktop --register-app.)
Registering the app adds Tor Browser to ~/.local/share/applications. From now on, Tor Browser shows up in your list of desktop applications.
Launch Tor Browser from your list of desktop applications.
In Ubuntu Linux, you can right-click on the Tor Browser icon in the launcher and add it to your favorites.
Click the Connect button to connect to the Tor network.
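The warning above about malware in unofficial copies is the reason to verify the download before extracting it. The script below is an added example, not part of the original post or of Tor Browser itself: it refuses to unpack the archive unless the detached .asc signature (downloaded from the same torproject.org page) verifies under the Tor Browser Developers signing key, whose fingerprint EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 is the one published by the Tor Project, and only then runs the tar and --register-app steps listed above. It assumes gpg is installed and that the key has been fetched with the WKD command the Tor Project documents.

```shell
#!/bin/sh
# Added example: verify a Tor Browser tarball's OpenPGP signature before
# extracting and registering it. Not the Tor Project's own script.
set -eu

# Primary key fingerprint of "Tor Browser Developers (signing key)"
# <torbrowser@torproject.org>, as published by the Tor Project.
TOR_SIGNING_KEY_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Import the signing key via Web Key Directory (the method the Tor Project
# documents). Harmless to repeat once the key is already in the keyring.
fetch_tor_signing_key() {
    gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org >/dev/null
}

# verify_tor_archive ARCHIVE
# Returns 0 only if ARCHIVE.asc exists, gpg accepts it as a valid signature
# over ARCHIVE, and the signature was made by (a subkey of) the expected
# primary key. Any other situation, including "gpg not installed", is a refusal.
verify_tor_archive() {
    archive="$1"
    sig="$archive.asc"
    if [ ! -f "$archive" ]; then
        echo "no such archive: $archive" >&2
        return 1
    fi
    if [ ! -f "$sig" ]; then
        echo "refusing: detached signature $sig is missing; download it from the same page" >&2
        return 1
    fi
    command -v gpg >/dev/null || { echo "gpg is not installed" >&2; return 1; }
    # --status-fd gives machine-readable lines. The VALIDSIG line's last field
    # is the primary key fingerprint, so we pin on that rather than on the
    # human-readable "Good signature from ..." text.
    status=$(gpg --status-fd 1 --verify "$sig" "$archive" 2>/dev/null || true)
    primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $NF}')
    if [ "$primary" != "$TOR_SIGNING_KEY_FPR" ]; then
        echo "refusing: signature invalid or not made by the Tor Browser Developers key" >&2
        return 1
    fi
    return 0
}

# install_tor_browser ARCHIVE
# Extracts and registers Tor Browser only after the signature check passes.
install_tor_browser() {
    archive="$1"
    verify_tor_archive "$archive"
    tar -xvf "$archive"
    cd tor-browser
    ./start-tor-browser.desktop --register-app
}

# Usage (from ~/Downloads, after fetch_tor_signing_key):
#   install_tor_browser ~/Downloads/tor-browser-linux64-12.0.6_ALL.tar.xz
```

The check is deliberately on the primary key fingerprint rather than on the key ID shown in gpg's prose output: the Tor Project rotates signing subkeys, so a subkey ID changes while the primary fingerprint does not, and a short key ID is cheap for an attacker to collide.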
If you need support or more information, consult the official Tor Browser manual:
These are methods people have used to penetrate the Great Firewall (GFW) of China. Be aware that we don’t live in a static universe. The GFW fights back. It will attempt to block more and more of these methods as time goes by.
V2Ray version 5.7.0 introduces the possibility of using the meek transport protocol.
Meek is a censorship-resistant protocol that encodes traffic as plain HTTP requests and responses. This allows traffic to penetrate environments where it would otherwise be blocked.
The performance of meek is low. It is not intended for situations where you want a speedy ping or to transfer gigabytes and gigabytes of data. Meek is intended for situations where most other protocols are blocked and you need a last resort.
This post gives an example of configuring V2Ray with meek.
With thanks to @xiaokangwang and to David Fifield, the developer of the original implementation of meek.
VPS
You will need your own virtual private server or VPS.
We will run Ubuntu 22.04 on the demonstration VPS. This server has 1 GB of RAM.
Domain name
You will need your own domain name. Our examples will use the domain name:
cscot.buzz
Create a DNS A record pointing from the hostname of the server to the IP address of the server. Our example:
www.cscot.buzz
Universally unique id
On Linux servers, you can generate a UUID with the command:
The certbot packages on your system come with a cron job or systemd timer that will renew your certificate automatically before it expires. You can test automatic renewal by running the command below:
certbot renew --dry-run
If you are using Cloudflare CDN, visit the SSL/TLS page for your domain. Make sure your SSL/TLS encryption mode is set to Full (strict). In that mode Cloudflare validates your origin's Let's Encrypt certificate; the Flexible mode would carry traffic between Cloudflare and your server as plain HTTP.
To confirm that your site is set up properly, visit:
https://www.cscot.buzz
in your browser and look for the padlock icon in the address bar.
About 7 years ago, Astrill sent out an email accusing its customers of belonging to “dumbclub.” Ever since then, the subreddit for penetrating the GFW has celebrated this incident by calling itself “dumbclub.” In r/China user u/kanevast explained: “I don’t mean using a VPN is being part of a dumb club, I mean using Astrill means you’re part of the ‘dumb club’ as per their message to all of their clients a month or so ago.” From the Astrill communication of December 2015:
Due to increased censorship, use of VPN from China may not be possible at this time. We believe the situation will be back to normal after the holidays. While our engineers worked tirelessly to fix “issue” with our iOS app, some users were not that smart and helping Chinese censors by spreading news about new Astrill software all over the web. It appears some of the customers show no appreciation for our efforts nor they want open internet. Now you got what you asked for… It’s not working anymore. We can invent new technologies, we can defeat GFW but we don’t have a solution for stupidity. Dear “journalists” please spread this message as usual, all over the web and join DUMB CLUB.
Dumbclub FAQ #1
Q: I’m going to China to visit family for around a month and a half. How can I use things that are blocked in China, like YouTube and Google?
A: Astrill, Wannaflix, LetsVPN, Hong Kong SIM card, or self-hosted (e.g. Xray on VPS).
Q: I installed a VPN, but now my device doesn’t work without the VPN. Why is that?
A: Probably your VPN installed some kind of kill-switch, or made a DNS server change, that hasn’t been cleared properly. Unless you have computer skills, you’ll need to contact your VPN provider for a solution. As a last resort, some operating systems (e.g. Windows) allow you to completely reset your networking.
VPN FAQ #4
Q: How do websites or streaming services know I’m using a VPN and block me?
A: Websites that don’t want you using a VPN block known VPN node IP addresses. Your only solution is to find a VPN provider with IP addresses your destination site doesn’t know about. Even so, it’ll only work until the site or streaming service updates its list of IP addresses.
Yes, it is possible to host a Tor obfs4 bridge on a Windows PC. Here’s how.
Decisions
You have a couple of decisions to make before you set up an obfs4 bridge.
Is this intended to be a public bridge or a private bridge? A public bridge can be used by strangers all over the world, whereas a private bridge is just for you and your friends or co-workers.
Which port numbers will you use? You’ll need two ports, one for communicating with the rest of the Tor network (the ORPort), and one for accepting input from your obfs4 bridge users (the ServerTransportListenAddr).
In the rest of this article, we’ll use as our examples:
9167 as the ORPort
9168 as the ServerTransportListenAddr
Home PC considerations
To be useful to users over the long term, you’ll need a more or less static IP address from your Internet service provider (ISP). It doesn’t have to be technically a “static” IP, but it does need to remain unchanged for months or years at a time.
Your ISP must not provide you with Internet service over Carrier-Grade NAT. CGNAT is a variant of Network Address Translation that is used by internet service providers (ISPs). CGNAT allows multiple customers to share a single, public IP address. You, on the contrary, must have your own IP address that is just for your household.
You must also have control over your home router. On that router, you need to know how to open ports and how to set up port forwarding. Your ORPort and your ServerTransportListenAddr need to be open and forwarded to the PC that’s going to host your obfs4 bridge. In both cases, the protocol to forward is TCP only. Consult the manual for your router to learn how to do this.
Finally, you must leave your PC permanently switched on, and you must configure Windows Settings so that your PC never goes to sleep.
Open Windows Firewall
In the Windows search box, type firewall.
Open Windows Defender Firewall with Advanced Security.
In the left pane, click Inbound Rules.
In the right pane, click New Rule.
Add a Port rule to open port 9167/tcp, and name it Tor Bridge ORPort.
Add a Port rule to open port 9168/tcp, and name it Tor Bridge ServerTransportListenAddr.
Close Windows Defender Firewall with Advanced Security.
Right-click on the installer, select Properties, then select the Digital Signatures tab. Check the signature against the one displayed on the page https://www.gpg4win.org/package-integrity.html.
If the signatures match, run the installer. Accept the installer’s defaults. This includes the installation of the Kleopatra graphical user interface for Gpg4win.
Run Kleopatra.
Click Lookup on server. Search for the key with fingerprint 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290. Kleopatra should find the Tor Browser Developers (signing key) for email address torbrowser@torproject.org. Select and import the Tor Browser Developers (signing key).
Now run the installer. In our example, that is the application named torbrowser-install-win64-12.0.4_ALL.exe.
You can uncheck the box to run Tor Browser.
After the install is complete, the folder on your desktop Tor Browser\Browser\TorBrowser\Tor\PluggableTransports contains an application named obfs4proxy.exe.
Copy obfs4proxy.exe into C:\tor\tor (i.e., the same folder as your main tor.exe application).
Update July 2, 2023
tor2: Hi, I’m attempting to follow the instructions for setting up an obfs4 bridge on Windows. In my instance, it is Windows 10. The instructions say to copy out the obfs4proxy.exe from: C:\Users\Desktop\Tor Browser\Browser\TorBrowser\Tor\PluggableTransports. However, there is no obfs4 file in this location or anywhere else within the tor browser bundle. In this location, there are only a snowflake exe and a lyrebird exe. I also checked the tor expert bundle and there is no obfs4 exe there. Any suggestions as to where I may find the obfs4 exe for Windows?
trinity-1686a: Hi, For reasons not totally clear to me (something related to meek and uTLS I think?) TorProject forked obfs4. To disambiguate with Yawning’s obfs4, the project was renamed to lyrebird. It should work the same as obfs4.exe for your use case. Would you mind creating a ticket in The Tor Project / Web / community · GitLab, or possibly a Merge Request, to update the documentation?
Install Tor as a service
Open a Command Prompt window with the option Run as administrator.
Issue the command:
C:\tor\tor\tor.exe --service install
You should see messages:
Running on a Post-Win2K OS, so we'll assume that the LocalService account exists.
IMPORTANT NOTE:
The Tor service will run under the account "NT AUTHORITY\LocalService".  This means
that Tor will look for its configuration file under that
account's Application Data directory, which is probably not
the same as yours.
Done with CreateService.
Service installed successfully
Service started successfully
Configure Tor
Open Notepad with the option Run as administrator.
Create a torrc file, modeling the contents on the samples below.
Save the finished torrc file as C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\tor\torrc (with no extension). You’ll need to have the option checked to view hidden items to see AppData folders.
In Windows File Explorer, check the box to view file extensions. See if Notepad has saved your torrc with .txt on the end. If so, rename the file so that there is no .txt on the end. It should be just torrc with no extension.
In the Windows search box type services, and open the Services app with the option Run as administrator.
Select the service Tor Win32 Service.
Stop and then Start the service.
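The torrc the steps above refer to, as an added sample rather than the article's own: it uses the article's paths (tor.exe and obfs4proxy.exe in C:\tor\tor, log in C:\tor\tor\log.txt), its example ports 9167 and 9168, and the nickname ChooseNameHere that appears in the fingerprint log line later on. ContactInfo is a placeholder, and the BridgeDistribution line is where the public-versus-private decision from the start of the article is expressed:

```text
# Sample torrc for an obfs4 bridge on Windows (added example).
# Paths, ports and nickname follow the article; change ContactInfo.

BridgeRelay 1
ORPort 9167
ExtORPort auto

# Path to the pluggable transport copied out of Tor Browser. If your
# Tor Browser shipped lyrebird.exe instead (see the July 2023 update),
# point this line at lyrebird.exe; the "obfs4" transport name stays.
ServerTransportPlugin obfs4 exec C:\tor\tor\obfs4proxy.exe
ServerTransportListenAddr obfs4 0.0.0.0:9168

# Public bridge: let the Tor Project hand the bridge line out.
# Private bridge for you and your friends: use "BridgeDistribution none".
BridgeDistribution any

Nickname ChooseNameHere
ContactInfo you@example.com

Log notice file C:\tor\tor\log.txt
```

Because the service runs as NT AUTHORITY\LocalService, the directory containing obfs4proxy.exe and the log file must be readable (and, for the log, writable) by that account; a torrc that is correct but points at a folder LocalService cannot read fails with a pluggable-transport launch error in log.txt rather than with an obvious message in the Services app.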
Find your obfs4 bridge line
Your folder C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\tor should contain a folder pt_state. Within that is a file obfs4_bridgeline.txt that shows your obfs4 bridge line.
Example before substituting in values for placeholders:
The <IP ADDRESS> is the public IP address of your PC, which in a typical home set-up is actually the public IP address of your home router.
The <PORT> in our example is 9168.
The <FINGERPRINT> (e.g. 12D1EC86ACB21C1F4820915787E89F51C431F284) is shown in the log file C:\tor\tor\log.txt. Example:
Your Tor server's identity key fingerprint is 'ChooseNameHere 12D1EC86ACB21C1F4820915787E89F51C431F284'
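Substituting the three placeholders by hand is where private-bridge lines usually go wrong (a fingerprint copied short, a port that was the ORPort rather than the obfs4 listener, a stray angle bracket left in). The function below is an added example, not from the article or from obfs4proxy: it fills the placeholders and refuses to print a line unless the fingerprint is 40 hex digits, the port is in range, the IP is four dotted octets, a cert= parameter is present and no placeholder survives. The template and cert value embedded in it are constructed for illustration; the IP 203.0.113.10 is a documentation address and the port and fingerprint are the article's examples.

```shell
#!/bin/sh
# Added example: fill and sanity-check an obfs4 bridge line before
# distributing it. Not part of tor or obfs4proxy.
set -eu

# Constructed sample in the shape of the line in obfs4_bridgeline.txt;
# the cert value here is a placeholder, not a real bridge certificate.
SAMPLE_TEMPLATE='Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=c29tZWNvbnN0cnVjdGVkY2VydA iat-mode=0'

# fill_bridge_line TEMPLATE IP PORT FINGERPRINT
# Prints the completed bridge line and returns 0, or prints nothing and
# returns 1 if any input or the result looks wrong.
fill_bridge_line() {
    template="$1"; ip="$2"; port="$3"; fpr="$4"

    # Fingerprint: exactly 40 hex digits (the relay identity key hash).
    case "$fpr" in
        *[!0-9A-Fa-f]*|"") return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1

    # Port: decimal, 1-65535. This must be the obfs4 listener, not the ORPort.
    case "$port" in
        *[!0-9]*|"") return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1

    # IP: four dotted decimal octets (IPv4, as in the home set-up described).
    n=0
    for o in $(printf '%s' "$ip" | tr '.' ' '); do
        case "$o" in
            *[!0-9]*|"") return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ] || return 1

    line=$(printf '%s' "$template" |
        sed -e "s/<IP ADDRESS>/$ip/" -e "s/<PORT>/$port/" -e "s/<FINGERPRINT>/$fpr/")

    # Nothing unfilled may remain, and the cert= parameter must be present.
    case "$line" in
        *"<"*">"*) return 1 ;;
        *" cert="*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$line"
}

# Usage:
#   fill_bridge_line "$(sed -n '/^Bridge obfs4/p' obfs4_bridgeline.txt)" \
#       203.0.113.10 9168 12D1EC86ACB21C1F4820915787E89F51C431F284
```

The checks are the ones a recipient cannot make for themselves: the cert value is opaque to them, so the only things they can eyeball are exactly what this script verifies.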
Test your bridge
Test your access to the Tor network, using your bridge, from a PC outside your home network.
If you have any problems, see if you can telnet to your bridge IP address and port.
Also check the log file C:\tor\tor\log.txt for messages.
Publicize bridge
A public bridge is automatically distributed to anonymous users by the Tor Project.
For a private bridge, you must manually distribute the obfs4 bridge line to your friends or co-workers. You must also explain to them how to configure their Tor Browser to use your obfs4 bridge line.