
A technical look at Iran's internet shutdowns

ZoomZoomZoom

> WireGuard uses UDP and a small handshake footprint, making detection and blocking via DPI harder.

Not quite true. WireGuard is already actively detected and suppressed if necessary. There's already a fork that employs basic changes to improve the protocol in this regard. AmneziaWG was shown to be more robust to detection for now.

https://docs.amnezia.org/documentation/amnezia-wg/

Too bad managing WG is such a pain and Tailscale/Netbird don't support this protocol yet. The following two issues need attention:

https://github.com/tailscale/tailscale/issues/10696

https://github.com/netbirdio/netbird/issues/1096

dongcarl

At Obscura we just tunnel WireGuard over QUIC's unreliable datagram mechanism to make it look like HTTP/3 (for DPI): https://github.com/Sovereign-Engineering/obscuravpn-client/b...

We just upstreamed our patch to quinn-rs that pads Datagrams to MTU: https://github.com/quinn-rs/quinn/pull/2274
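Both comments above (that stock WireGuard is fingerprintable, and that header changes or padding to MTU change what a DPI box sees) can be made concrete. The following is an added Python example, not code from WireGuard, AmneziaWG, Obscura or quinn: the message types and fixed sizes are from the WireGuard protocol, but the packet bodies are constructed filler, and `amnezia_style` and `padded_to_mtu` are simplified models of the two ideas rather than those projects' implementations.

```python
"""Added example: a cheap WireGuard fingerprint of the kind a DPI engine can
apply without any keys, run against constructed packets. Message types and
fixed sizes are from the WireGuard protocol; everything else is constructed."""
import hashlib
from typing import Dict, Optional, Tuple

WG_HANDSHAKE_INIT = 1   # 148 bytes on the wire
WG_HANDSHAKE_RESP = 2   # 92 bytes
WG_COOKIE_REPLY = 3     # 64 bytes
WG_TRANSPORT = 4        # 16-byte header + 16-byte-aligned ciphertext + 16-byte tag
FIXED_SIZES = {WG_HANDSHAKE_INIT: 148, WG_HANDSHAKE_RESP: 92, WG_COOKIE_REPLY: 64}


def _noise(n: int, seed: bytes) -> bytes:
    """Deterministic filler standing in for ciphertext/random fields (constructed)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def wg_header_only(payload: bytes) -> bool:
    """Weakest check: a known type byte followed by the three zero reserved bytes."""
    return len(payload) >= 4 and payload[0] in (1, 2, 3, 4) and payload[1:4] == b"\x00\x00\x00"


def wg_fingerprint(payload: bytes) -> Optional[str]:
    """Header check plus the length invariant the protocol fixes for that type."""
    if not wg_header_only(payload):
        return None
    mtype = payload[0]
    if mtype in FIXED_SIZES:
        return f"handshake-type-{mtype}" if len(payload) == FIXED_SIZES[mtype] else None
    # Transport: 16-byte header + ciphertext, ciphertext = plaintext padded to 16 + 16-byte tag.
    if len(payload) >= 32 and (len(payload) - 16) % 16 == 0:
        return "transport"
    return None


def fake_wg_handshake_init() -> bytes:
    """Constructed stand-in: correct header and length, filler body, no real crypto."""
    return bytes([WG_HANDSHAKE_INIT, 0, 0, 0]) + _noise(148 - 4, b"init")


def fake_wg_transport(plaintext_len: int) -> bytes:
    """Constructed stand-in for a transport message carrying plaintext_len bytes."""
    padded = (plaintext_len + 15) // 16 * 16
    return bytes([WG_TRANSPORT, 0, 0, 0]) + _noise(12 + padded + 16, b"data")


def amnezia_style(packet: bytes, header_type: int, junk_prefix: int) -> bytes:
    """Models the AmneziaWG idea of custom header types plus junk prefix bytes
    (assumed shape for illustration, not AmneziaWG's actual implementation)."""
    return _noise(junk_prefix, b"junk") + bytes([header_type]) + packet[1:]


def padded_to_mtu(packet: bytes, mtu: int = 1200) -> bytes:
    """Pads to a fixed size, as the quinn datagram-padding patch in the thread does
    for QUIC datagrams; applied here to the bare WireGuard packet so the effect of
    padding *alone* (without the encrypting QUIC layer) is visible."""
    return packet + b"\x00" * (mtu - len(packet))


def classify_samples() -> Dict[str, Tuple[Optional[str], bool]]:
    """(full fingerprint, header-only verdict) for each constructed sample."""
    init = fake_wg_handshake_init()
    samples = {
        "plain handshake": init,
        "plain keepalive": fake_wg_transport(0),
        "amnezia-style handshake": amnezia_style(init, 0x9B, 16),
        "padded handshake": padded_to_mtu(init),
    }
    return {name: (wg_fingerprint(p), wg_header_only(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (fp, hdr) in classify_samples().items():
        print(f"{name:26s} fingerprint={str(fp):18s} header-leak={hdr}")
```

The padded sample shows why padding by itself is not enough: it breaks the length invariant but the `01 00 00 00` header still leaks. That is the reason the QUIC approach puts the WireGuard packet inside an encrypted datagram (so the outer bytes present as QUIC), and why AmneziaWG changes the header bytes as well as the sizes. From the detection side it also shows how brittle a header-and-length heuristic is: every obfuscated sample is a false negative, which is why real DPI systems combine such checks with flow-level signals.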

antonkochubey

Some DPIs just flat out block HTTP/3 already.

RiverCrochet

I wish this article went into more details on what the "National Information Network" is. I would guess it's at least a set of nationally managed DNS servers that will always resolve national IPs even if upstream global DNS is cut off.

Looking at a bigger picture though, honestly I think we're seeing the end of the raw global Internet for the masses. 20 years ago, it seemed impossible, but here we are.

It's simply not going to be possible to meaningfully use the Internet unauthenticated and unapproved in a few years. Costs to reach mass audiences online will increase until only the big players can do it, and it'll be their platforms or nothing. There's going to be no room for anything that those with millions and billions of dollars don't want or can't make money off of in some way.

Overall, this makes me want to reduce the role of the Internet and tech in my life. I don't need the fastest data plan, latest PC, newest phone, or whatever AI trend is hot to use the apps I need for daily life or to line up events and meetings with others that I actually know.

joecool1029

> Looking at a bigger picture though, honestly I think we're seeing the end of the raw global Internet for the masses. 20 years ago, it seemed impossible, but here we are.

This is defeatist. You're probably right 'for the masses' but there will always be those networking and collaborating and bypassing whatever restrictions get put in place. I have online contacts in 'firewalled' regimes that use v2ray/shadowsocks or whatever the thing of the now is to get around the restrictions.

There's a ton of cheap tools now that can be used for running local or citywide networks, hams have their own packet radio stuff. There's now all those new LoRa networks that only really popped up in the past few years.

What I'm trying to say is the stuff is there and it's accessible, but it's only going to be a minority of people that use it just as it's a small minority that comments on posts like this (people like us) and even smaller yet again that write content on how to do it and create those tools to begin with. But it has always been this way....

coderatlarge

It seems to me that a nation determined to control wired network traffic within its borders cannot be circumvented. If they can control the ISPs and observe packet flows, then they can just obstruct any connection they cannot conclusively prove is acceptable.

It seems then that store-and-forward ad hoc p2p (i.e. extremely high, unpredictable latency) is the only option for those who can reach some node with a connection to the outside (maybe laser near the border). Or perhaps really clever steganography with outside partners assisting.

Ray20

>there will always be those networking and collaborating and bypassing whatever restrictions get put in place.

I don't think so. It's just a question of the severity of the punishment for violating regulations. A couple of small fines for unlicensed networking and collaborating, and there will be no one left.

>There's a ton of cheap tools now that can be used for running local or citywide networks, hams have their own packet radio stuff.

The issue has never been in the technical plane. The equipment for building and operating networks has become dozens of times more accessible over the past couple of decades. The problem is in the increasing number of regulations that purposefully lock all clients into a few select controlled service providers. They have a goal and they have the tools to achieve it, so it's only a matter of time before they reach the minority of network-enthusiasts.

ZoomZoomZoom

> What I'm trying to say is the stuff is there and it's accessible, but it's only going to be a minority of people that use it

Exactly. This is why the tech has to be made resistant to surveillance and censorship by default. Until usage of alternative connectivity and circumvention methods sticks out as a sore thumb (turns out, for most tools it does), it applies a constant pressure on anyone under oppression to stop, increasing the risks for those who continue to use them.

rs186

Live in China/Iran for a few years and see if you would still post this same comment.

mschuster91

> hams have their own packet radio stuff

We got basically three different things. First we got APRS, mostly used for position reports (go on aprs.fi for a map). That is pretty nice but unusable for anything more than an SMS's worth of things, and you need repeaters, not just internet gateway collectors, to actually have something that's resilient.

Next thing is AX.25, the technical foundation behind APRS. Yes, you can use it to create actual data links, but it's about modem speeds, so virtually useless outside of toying around.

And finally there is HamNet but it's line of sight based and not cross routed to the internet, and identically to all things ham radio, encryption is banned by law.

And on top of that, you can expect regulatory agencies to crack down on ham radio fast and hard, should it be used for political dissent at scale. It's already against ham practice to talk politics, especially with people in repressive countries; we don't want more countries other than Yemen and North Korea to just blanket ban ham radio.
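To make the APRS/AX.25 comment above concrete, here is an added Python example (not code from any APRS or AX.25 project) that builds and parses an AX.25 UI frame carrying an APRS position report. The field layout follows the AX.25 and APRS conventions; the callsign N0CALL, the WIDE1-1 path and the coordinates are constructed placeholders. It also shows the point behind "encryption is banned": the info field rides in the frame as plaintext.

```python
"""Added example: build and parse an AX.25 UI frame with an APRS position report.
Layout per AX.25/APRS conventions; callsigns and position are constructed."""
from typing import Dict, List, Tuple

UI_CONTROL = 0x03   # AX.25 unnumbered-information frame
PID_NO_L3 = 0xF0    # no layer-3 protocol, as APRS uses

Address = Tuple[str, int]  # (callsign, SSID)


def _encode_address(addr: Address, last: bool) -> bytes:
    """7-byte AX.25 address: six callsign chars shifted left one bit, then an SSID
    byte with the reserved bits set and bit 0 marking the final address.
    Command/response bits are left clear in this example."""
    call, ssid = addr
    if not (1 <= len(call) <= 6 and 0 <= ssid <= 15):
        raise ValueError("callsign must be 1-6 chars, SSID 0-15")
    body = bytes((c << 1) for c in call.upper().ljust(6).encode("ascii"))
    return body + bytes([0x60 | (ssid << 1) | (1 if last else 0)])


def _decode_address(chunk: bytes) -> Tuple[Address, bool]:
    call = bytes((b >> 1) for b in chunk[:6]).decode("ascii").rstrip()
    return (call, (chunk[6] >> 1) & 0x0F), bool(chunk[6] & 0x01)


def build_ui_frame(dest: Address, src: Address, digis: List[Address], info: bytes) -> bytes:
    """dest, src, digipeater path, control, PID, info.
    Flags and FCS are added by the TNC/KISS layer, so they are not included."""
    path = [dest, src] + list(digis)
    out = b"".join(_encode_address(a, i == len(path) - 1) for i, a in enumerate(path))
    return out + bytes([UI_CONTROL, PID_NO_L3]) + info


def parse_ui_frame(frame: bytes) -> Dict[str, object]:
    """Walk the address field until the end-of-addresses bit, then control/PID/info."""
    addrs, pos, last = [], 0, False
    while not last:
        if pos + 7 > len(frame):
            raise ValueError("truncated address field")
        addr, last = _decode_address(frame[pos:pos + 7])
        addrs.append(addr)
        pos += 7
    if len(addrs) < 2 or pos + 2 > len(frame) or frame[pos] != UI_CONTROL:
        raise ValueError("not a UI frame")
    return {"dest": addrs[0], "src": addrs[1], "digis": addrs[2:],
            "pid": frame[pos + 1], "info": frame[pos + 2:]}


def parse_aprs_position(info: bytes) -> Tuple[float, float, str, str]:
    """Decode an uncompressed APRS position report ('!' or '=' data type):
    lat ddmm.mmN, symbol table, lon dddmm.mmW, symbol code, free-text comment.
    Returns (lat, lon, symbol, comment) with signed decimal degrees."""
    text = info.decode("ascii")
    if not text or text[0] not in "!=":
        raise ValueError("not a position report")
    lat_s, table, lon_s, code, comment = text[1:9], text[9], text[10:19], text[19], text[20:]
    lat = int(lat_s[:2]) + float(lat_s[2:7]) / 60
    lon = int(lon_s[:3]) + float(lon_s[3:8]) / 60
    if lat_s[7] == "S":
        lat = -lat
    if lon_s[8] == "W":
        lon = -lon
    return lat, lon, table + code, comment


if __name__ == "__main__":
    # Constructed frame: N0CALL-9 beacons a position via a WIDE1-1 digipeater.
    frame = build_ui_frame(("APRS", 0), ("N0CALL", 9), [("WIDE1", 1)],
                           b"!4903.50N/07201.75W-Test 001234")
    parsed = parse_ui_frame(frame)
    print(parsed["src"], "->", parsed["dest"], "via", parsed["digis"])
    print(parse_aprs_position(parsed["info"]))
    print("comment visible in raw frame:", b"Test" in frame)
```

The whole beacon is 54 bytes, and anyone with a receiver can read the comment straight out of the frame, which is the practical meaning of both the "SMS worth" ceiling and the no-encryption rule.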

swores

Am I right to assume that it's easy to locate the source of ham radio signals?

i.e. if there's a blanket ban, can you use your radio hidden in your house or can the government easily find out that the user they've noticed on the airwaves is located there and knock down your door?

kortilla

> but it's about modem speeds so virtually useless outside of toying around.

I don’t understand this sentiment. For exchanging information, modem speeds were great. Wikipedia, forums like this one, instant messengers, etc. all worked fine.

Aurornis

> Looking at a bigger picture though, honestly I think we're seeing the end of the raw global Internet for the masses. 20 years ago, it seemed impossible, but here we are.

I feel like I’ve been hearing this for decades. During the initial wave of Napster-era piracy debates a lot of people assumed the end of the free internet was near because corporations wouldn’t allow it.

> It's simply not going to be possible to meaningfully use the Internet unauthenticated and unapproved in a few years.

I will take the opposite of that bet any day. Certain countries like Iran will impose their restrictions, but if you think the average country is going to restrict internet access in only a couple of years I don’t know what to say.

hexomancer

I wrote a blog post which hopefully clears up the "National Network": https://ahrm.github.io/jekyll/update/2025/06/20/iran-interne...

It is way more than just DNS.

alephnerd

Is Google's AI Mode working? That might solve the problem you mentioned.

hexomancer

Well, the internet is not national anymore (for now!), but isn't Google AI Mode US only? Anyway, the only google service that did work at that time was google search as far as I know nothing else worked (no gmail, maps, etc.).

one-note

The only way to have global uncensored sharing of information is shortwave radio. Always has been, always will be.

LocalH

Triangulation exists to locate such stations

one-note

Did I say untraceable?

You’ll be found on the internet too btw. But far more easily.

mensetmanusman

Maybe, or Starlink and software destabilize the authoritarians.

immibis

The current global Internet is an anomaly in space and time, and it's held together by spit, prayers, and the hope the reliability gains from multiple redundant paths outweigh the reliability losses from so many distinct actors being involved. It would be quite easy for any major government to cause major problems in global connectivity. So far, they mostly seem content to only cut themselves off, and the ones with the power to mess up the global net don't seem to want to. But the NSA was diverting a whole lot of intra-Europe traffic via the USA at one time so they could snoop it.

alephnerd

> more details on what the "National Information Network" is

Some sources [0][1]

> I would guess it's at least a set of nationally managed DNS servers that will always resolve national IPs even if upstream global DNS is cut off.

Yep. Along with an entire ecosystem of domestically created and regulated search engines, DPI, centrally managed certs, AV, networking backbone, etc.

It's similar in intention to the Great Firewall in China, except much more restrictive.

Imagine corporate IT restrictions and posture being deployed nationwide on all endpoints; that's how these kinds of initiatives tend to be architected.

SSE/Zero Trust, DPI, Cert Mgmt, etc are all dual-use, and it's essentially a logistics and organization problem.

[0] - https://apps.dtic.mil/sti/pdfs/AD1107324.pdf

[1] - https://www.article19.org/data/files/medialibrary/38316/The-...

hed

The Starlink gateway out is a good solution, but I sure wouldn't share it with friends/family over the ISP networks if at all possible.

bawolff

> IPv4 addresses are limited and constantly reallocated. Most are rented and passed between hosting providers, resold between datacenters, or migrated across regions. The Iranian filtering system uses GeoIP databases and BGP information to decide which IP ranges to trust and which to block. But those records lag behind the changes.

This is surprising to me. Surely Iranian ISPs would have directly allocated IP space?

Or alternatively, surely Iran's gov would be in the routers and be able to blackhole any routes leaving the country?

immibis

Are they sanctioned away from RIPE? Russia is. Russia isn't allowed to be allocated any IP addresses they don't already have. They're Russia, so they already have a bunch, but if they didn't, they'd have to keep borrowing them on grey markets, possibly different ones each time.

(Fun fact about sanctions: the International Criminal Court is sanctioned away from Microsoft, so they can't legally get access to Windows or Office. This is because they prosecuted a war criminal the USA likes.)

elternal_love

If you are ever thinking of writing something like this: please be aware that people could be executed based upon the validity of your assumptions and the advice offered.

naryJane

I appreciate the final paragraphs which suggest a solid method for those inside the country and under this oppressive regime to remain connected without surveillance. I wonder how many are up to this, and what active resistance or movements inside the country look like these days.

joecool1029

Synapse sucks to run and it doesn't minimize metadata collection. It's not a great choice unless you're running it outside the country where they can't seize the server (but then you have all the problems of not being able to access it when the country is cut off from the rest of the world). It's a pig on resources, which means it has to be run on hardware that can handle it; it barely runs on SBCs.

Other stuff is weird in their post and suggests they are speaking for Iranians without actually knowing any online. I know a few from the Cellmapper community and SMS is very much not expensive. 1000 SMS costs around 0.03USD worst case: https://irancell.ir/en/p/3771/tariffs-and-voice-packages-en

Finally, it's not really that Starlink uses proprietary encryption that's special. They can use any sort of common encryption standard and there's not much Iran can do but locate and seize the terminal, since they don't have the keys to it. I imagine at some point they will start looking for signal emissions in known Starlink bands and use that to locate terminals. Allegedly Russia has a detection system 'Kalinka' already built: https://www.space.com/space-exploration/tech/russia-and-chin...

justusthane

Does it, though? It doesn’t mention whether or not hosting your own encrypted messaging platform is illegal, what the repercussions are, or how to hide that you are doing so.

I found the whole article to be unfortunately light on both technical details and practical details, and certainly wouldn’t suggest that anyone use it as a guide.

Vulturus

I was wondering myself whether it isn't very dangerous to host those kinds of services in an oppressive state such as Iran. Hosting a site on Iranian IPs certainly sounds easy to track, and I'm sure a Starlink receiver also makes substantial RF noise. Does anyone have any information about how likely the Iranian government is to shut down such a site/service? Also, doesn't encrypted traffic in general (like Matrix servers) fall into this category?

immibis

> whether or not hosting your own encrypted messaging platform is illegal

Matrix isn't meaningfully encrypted, so it's mostly irrelevant, hooray!

heraldgeezer

>SMS in Iran is unencrypted.

SMS everywhere is unencrypted

bawolff

Yes, although many people probably don't know the difference between SMS and RCS and use SMS to refer to both.

heraldgeezer

Just

    enable
    configure terminal
    router bgp <your-AS-number>
    neighbor <neighbor-IP-address> shutdown
    end

Easy

xkcd1963

How do people do this in China?

mmh0000

Shadowsocks is the common method

https://en.wikipedia.org/wiki/Shadowsocks

heavyset_go

This has been DPI'd to death in China and hasn't been useful in a while.

mohas

This is much more severe than in China. I've never been completely shut off from the Internet before. Each time, one of my servers had access to the global Internet; this time, no connection whatsoever. I hope people realise that encryption needs transmission: with no wire to transfer data, encryption won't help you.