Forgot your password?
typodupeerror
Censorship Communications Government The Internet Your Rights Online Politics

Iran Blocks VPN Ports 134

Posted by timothy
from the why-do-you-hate-freedom dept.
First time accepted submitter Parham90 writes "After the Iranian post-election events that led to massive riots and break-outs through the world, the Iranian government started blocking all social websites, including Facebook, Youtube, Orkut, MySpace and Twitter. The Iranians, however, started using VPN (virtual private network) connections to bypass censorship. Since Thursday, September 30, 2011, all VPN ports have however been blocked, in the first attempt to start what the Iranian government calls the 'National Internet.'"
This discussion has been archived. No new comments can be posted.

Iran Blocks VPN Ports

Comments Filter:
  • I run my VPN server on port 80.

  • It is impressive they still manage to run Internet services then.
    • Re:All 65k+ of them? (Score:4, Informative)

      by GameboyRMH (1153867) <[moc.liamg] [ta] [hmryobemag]> on Thursday October 06, 2011 @09:59AM (#37625236) Journal

      They could theoretically block everything but 80 and MITM any SSL connections (or did that cert get removed from IE yet?) to check those too, to prevent VPN connections that mimic HTTPS connections (real thing) and VPNs running over port 80 using deep-packet inspection. They'd also have to check for VPN over DNS (also, real thing). Short of this it's impossible to block VPNs.

      Even then, you could run a VPN over a steganographic connection. In practice I find port 80 is the best - it's never failed me so far. 443 is a good option too, in fact a better option in theory, but keep in mind that a few mobile internet providers in 3rd world countries block 443.

      • Re:All 65k+ of them? (Score:5, Informative)

        by ledow (319597) on Thursday October 06, 2011 @10:16AM (#37625436) Homepage

        Hell, I once saw a VPN that rewrote its traffic to use ICMP messages and other nefarious means of communication in order to transmit packets.

        It'd probably look odd if you KNEW to look at that individual's connection but the chances of finding *every* way that encrypted data can be slipped into another datastream are incredibly minimal.

        Hell, VPN-over-HTTP-proxy is very common.

        • by scubamage (727538)
          I don't envy the guy hired to look at every ICMP packet for an entire country. About the only way he could remain sane is if he was autistic since they tend to be really good at tasks like that.
      • by jrbrtsn (103896)

        Thank goodness for ipv6. Now you can run all services on port 80 and just assign a different ip address for each one!

      • by sosume (680416)

        They could theoretically block everything but 80 and MITM any SSL connections (or did that cert get removed from IE yet?) to check those too, to prevent VPN connections that mimic HTTPS connections (real thing) and VPNs running over port 80 using deep-packet inspection. They'd also have to check for VPN over DNS (also, real thing). Short of this it's impossible to block VPNs.

        How about putting the entire nation's network behind a giant proxy, configured to disallow streams? that would effectively block everything but http..

        • I don't see how that would help, there are VPNs that can mimic HTTP/HTTPS...I've even run one like that over a GPRS connection which doesn't allow streams by its very nature.

        • by Lehk228 (705449)
          counter with a VPN tunnel that formats it's messages as HTTP GET commands, with the GET URI being the send and the reply as the receive

          if paranoid such exchanges could be coded in the form of words rather than hex data, it would be slower to process but almost impossible for a network monitor to find or filter without breaking all internet access
      • by tlhIngan (30335)

        Even then, you could run a VPN over a steganographic connection. In practice I find port 80 is the best - it's never failed me so far. 443 is a good option too, in fact a better option in theory, but keep in mind that a few mobile internet providers in 3rd world countries block 443.

        A number of VPNs these days use HTTPS (443). It's called SSL VPN and you can get access points from the usual vendors (Cisco, Sonicwall, etc). They're all the rage these days as they start up as normal HTTPS connections (and you

        • by Parham90 (2478210)
          Yes. I hear SSTP works very nicely. However, I haven't been able to figure out a way to test it yet.
    • by wmac1 (2478314)
      You do not need to check 65k things. You just check every single packet to see what port it is and whether the content matches that port. That's in fact what they currently do (and have done since 2007). One of their sites which I visited in 2006 contained 30 racks of filtering equipments.
  • by afxgrin (208686) on Thursday October 06, 2011 @09:55AM (#37625214)

    I wonder how far the censorship has to go before we see months of endless street protests again? If they ever expect anything like this to work, they should never have allowed their citizens to be in possession of the technology to begin with. They have an entire generation of people that grew up with cell phones, computers and the internet. There is no hope in hell of this working in the long term.

  • by jidar (83795) on Thursday October 06, 2011 @09:56AM (#37625216)

    "The Net interprets censorship as damage and routes around it." -- John Gilmore

    They will just move to using other ports.

    • by Anonymous Coward

      Censorship interprets the net as damage and routes around it.

    • by Anonymous Coward

      Changing ports does nothing if they use deep packet inspection.

    • by gandhi_2 (1108023)

      In Soviet China, The censors interpret internets as damage and wall around it. -- me

  • by kju (327)

    This sounds like nonsense. There are VPN providers on non-standard ports. If you have your own server and a spare IP, you can even use some netfilter rewrite magic to allow connection on ANY port of that IP which is helpful in a lot of situations.

  • Use OpenVPN (Score:5, Interesting)

    by kandresen (712861) on Thursday October 06, 2011 @10:05AM (#37625334)

    OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that blocks VPN communication.

    • by malraid (592373)

      +1 for OpenVPN

    • Re: (Score:2, Informative)

      by Anonymous Coward

      OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that blocks VPN communication.

      OpenVPN has not functioned properly in Iran for a while now, on any port. The same goes for Syria.

    • by NevarMore (248971)

      OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that blocks VPN communication.

      How is OpenVPN not detected as regular VPN communication?
      Does it have its own signatures and patterns which are detectable?

    • Re:Use OpenVPN (Score:5, Informative)

      by cdp0 (1979036) on Thursday October 06, 2011 @10:36AM (#37625662)

      OpenVPN can use any port and is not detected as regular VPN communication, and can thus bypass firewalls that blocks VPN communication.

      OpenVPN was blocked even in 2010. No protocol (UDP or TCP) and port combination worked. Both normal and static key configuration were detected and blocked.

      tcpdump showed a short packet exchange between the client and the server, and after that the connection completely died. Subsequent tries on the same protocol and port were completely blocked too (probably blacklisted).

      Even so, I find it weird that OpenVPN was blocked while PPTP was allowed. Maybe they had/have a way of attacking PPTP ?

      What worked back then and might still work is SSH (including tunneling). With access to a server outside Iran and a bit of imagination many things can be done with SSH tunneling.

      • by Parham90 (2478210)
        Yes, SSH tunneling is what I'm using right now. Still, VPNs would be much easier to use when you have multiple application needing to be proxified (yes, you can use Proxifier too, but VPN is as easy as plug-and-play).
        • I would have thought this would work pretty well:

          1) Install squid on the server in a non-oppressive country
          2) ssh user@server -L 3128:localhost:3128
          3) Configure the system proxy settings to use localhost on port 3128

          Also, there is a (relatively new) VPN feature in OpenSSH. Look at the -w option.

        • by WhiteDragon (4556)

          you can also use ssh to provide a generic SOCKS proxy:

          ssh -D 1234 some.host.example.com

          then just tell your apps to use a SOCKS proxy of localhost, port 1234

          There are plenty of SOCKS wrappers for apps that don't have SOCKS code built in.

        • by blop (71154)

          You can actually run a proper VPN with ssh and not just tunnel individual ports:

          https://help.ubuntu.com/community/SSH_VPN [ubuntu.com]

          This creates a point-to-point layer 2 or 3 tunnel between 2 hosts. This is great for proxying TCP, UDP, ethernet frames...

      • by OdinOdin_ (266277)

        With OpenVPN permutate the data with a random IV and CBC XOR derived from a secret key you agree with website (via an independant channel). This will remove markers easily identifiable from the observable stream during the connection/handshake process before payload data is conveyed.

        Put an agreed about of fixed or variable length random data on the front of the TCP connection data (just after connect) send in random chunk sizes with random time delays, if using variable length random data this can be encod

    • by scubamage (727538)
      I'm trying to find out more of what they're blocking... TLS? L2TP? PPTP? IPSEC? These are all styles of VPN, and even more exist. I highly doubt they're blocking them all.
    • by gad_zuki! (70830)

      This isn't about ports. I'm not sure how it suddenly became about ports (poor writeup?).

      Iran uses packet inspection. They're getting good at it. They took down Tor for a little while before those guys found a work around. A lot VPNs don't work in Iran. Lots of things don't work. Simple work arounds like port numbers don't work.

      In other words, when your country is a theocratic dictatorship, bad things happen. Considering how Iran is also a police state, there's little to no chance of anything stopping this

  • by captainpanic (1173915) on Thursday October 06, 2011 @10:06AM (#37625336)

    Governments have tried that since the 15th-16th century, and failed every time.

    • by Anonymous Coward

      Except for North Korea, of course.

    • Define "failed". USSR, for example, was quite successful at it for most of its existence. Oh sure, there was a leak here and there, but it had to run against a massive government propaganda campaign. End result is that most citizens were quite convinced that things are much better for them than they were in practice.

  • It's somehow done (Score:4, Interesting)

    by Parham90 (2478210) on Thursday October 06, 2011 @10:08AM (#37625358)
    Since I live in Iran, I can vouch for it being true. The government-run media claims that the "PPTP" (and some other) protocols have been blocked, although I'm not sure how this works. I, for sure, can't access the VPN connections I used to be able to access. So I'm going to find a friend outside of Iran and ask them to start a VPN connection on port 80; just to see if they are feeding people another lie or not. :-)
    • Since I live in Iran, I can vouch for it being true. The government-run media claims that the "PPTP" (and some other) protocols have been blocked, although I'm not sure how this works. I, for sure, can't access the VPN connections I used to be able to access. So I'm going to find a friend outside of Iran and ask them to start a VPN connection on port 80; just to see if they are feeding people another lie or not. :-)

      Probably shouldn't post this kind of thing over an unencrypted connection.

      >_>
      <_<
      >_>

      • Re: (Score:3, Insightful)

        by Parham90 (2478210)
        I do have my connection encrypted now, but not through VPN. *smile*
        • by scubamage (727538)
          If you won't endanger yourself by poking it too much, I'm curious what exactly they blocked. IPSEC, L2TP, PPTP, TLS... there are a ton of possibilities. Heck, you can even proxy everything via SSH if you want.
          • Re: (Score:3, Informative)

            by Parham90 (2478210)
            I have tried SSH tunneling. Right now, that's how I am encrypting my connection. I've tried OpenVPN and PPTP and IpSec, and also L2TP. These are blocked (as far as I can gather). Haven't tried connecting to non-standard ports, however.
        • Re: (Score:2, Insightful)

          by Anonymous Coward

          More power to the people of Iran. You make the Internets proud.

          But, still, please be careful.

  • Can't stop the signal.
  • Run your VPN over port 80 and 443 let them block those as well. They may as well just switch it all off at the mains and be done with it.
    • by WhiteDragon (4556)

      Run your VPN over port 80 and 443 let them block those as well. They may as well just switch it all off at the mains and be done with it.

      Well, as other posters have pointed out, Iran is using Deep Packet Inspection, so they don't care about port numbers, just about the type of data that's being sent. I'm kind of surprised that according to some posters, they aren't blocking ssh.

  • Wrong Info (Score:4, Informative)

    by I'm Not There (1956) (1823304) on Thursday October 06, 2011 @10:38AM (#37625694)
    The summary says Iran started internet censorship after the election and people started using VPN from then. No, it's not like that. First, internet censorship goes back to at 7 or 8 years, IIRC. Long before the election. Second, anti-censorship tools have always been changing in all these years. VPN is just the main tool of most of people now, but even two years ago (right after election) few people knew VPN and used other tools. So, things look tough, but it's not that we are going to lose our connection with the world. We always find a solution. Even right now I'm using a PPTP VPN and if you see this comment it works well. The only solution to prevent people from accessing sites the government doesn't like would be to shut down internet connection with the outside world completely. And I hope they won't do that, at least not for long.
    • by Parham90 (2478210)
      Ah. If that is the message that came across, I'm quite sorry. That was meant to say, "there was censorship, but these social websites were censored since then." Facebook and Youtube weren't censored prior to the elections. The VPN connections, also, gained a wider use after the iTunes store and such were blocked, which happened after the elections. I didn't want to give a long history of what has happened in Iran, so I'm, again, sorry if I came across as incorrect.
    • by Parham90 (2478210)
      Also, I'm curious to know how your PPTP still works. Have you changed the port?
      • Talking in public about these is not a good idea (specially that you're name in the story links directly to your Gmail address), but no, I didn't have to change the port. It stopped working last week, but that was for a few days only. Anyway, I suggest that you never rely on only one anti-censorship solution. Have a handful of them at your disposal, and switch to another when one of them doesn't work.
  • Ummm, so does that mean they shut down their internet entirely? Port 80 is simple enough to use or even daresay a little perl script using email, yeah the latency sucks, but still works. Getting past port blocking is pretty simple.

    Hmmm, sending traffic through stenography via email attachments would be interesting. Wonder how long it would take to code that up.

    • by smash (1351)
      read up on deep packet inspection
      • by Lando (9348)

        All that deep packet inspection means is that you have to create another protocol to transfer information that they are either unfamiliar with or that they classify as something else.

    • Not sure how translating everything into shorthand would help much, I'm sure the Iranians have a few people around who can read it.

      Steganography might be fun to try, though ;)

  • Gosh... wouldn't it be simpler if they just cut off everyone's fingers so they couldn't type... and cut out their tongues so the couldn't talk. Oh and poke out their eyes so they can't see sign languate... oh and rip off their ears so they can't hear... and... ... or how about they realise that talk and speech is inevitable and trying to censor it only makes yourself unpopular and your demise as ruler more likely.

    • by gtall (79522)

      Now, now. Sharia law does not condone any of those...unless the sentence dutifully made by a registered mullah, imam, or any other anal retentive neurotic nostalgic for the good old days of medieval torture.

      • by Parham90 (2478210)
        LOL! Guys, you might want to start ducking when you start a religious argument. As for myself, *slides safely under his desk*
  • When I was in high school, in the 70's, we "studied" the book "1984". We all assumed, I assume, that "1984" would happen in Russia or in a bizarro America. I do not remember anyone suggesting that religion would be the driver. ( I don't include the Chinese government in this particular assumption as China, to me, seems to have simply re-introduced the feudal system for the masses with a "ruling committee" replacing the emperor at the top.) What a mess.
  • Or they're going to block internet banking now?
    • by cpghost (719344)
      How many of them are doing online banking with foreign banks anyway? If they blocked encrypted traffic at the international peering point(s), it wouldn't break their internal internet banking system at all.
      • by Parham90 (2478210)
        This seems to have happened, in fact. I can access HTTPS inside of Iran, but accessing Google AdWords, for example, over https is impossible.
    • by Geminii (954348)
      Or just insist that all internet banking go through bank sites hosted on country-internal servers.
  • by cpghost (719344) on Thursday October 06, 2011 @12:01PM (#37626962) Homepage
    I'm working at the Network Operation Center (NOC) of a major Tier-1 backbone operator, and I'm somewhat familiar with the Nokia-Siemens DPI software used in some places of the world, including Iran. And guess what? I'm NOT surprised that they were able to block VPN traffic, even encrypted one at this point.

    Unencrypted VPN traffic is incredibly easy to flag anyway, and even the handshake of popular encrypted VPN tunnels has a pattern that's predictable enough to be quite effective. I don't need to point out that ALL ports are affected. Switching to another port is basically useless in this context.

    All this DPI doesn't require huge CPU processing power, as one would naively expect; since it (currently) happens only at the beginning of a session (yes, including UDP). And that is currently the Achilles' heel of this filter: if you initiate a "harmless" (as in allowed-by-policy) connection, and switch to encryption a couple of 10k packets later, you slip right through the firewall. Try it. If it doesn't work, they've upgraded to a new release and had to invest heavily in additional routers.

  • by WhiteDragon (4556) on Thursday October 06, 2011 @01:14PM (#37628182) Homepage Journal

    Iodine [code.kryo.se] is IP over DNS. Since it is actually the DNS protocol (and not just using the DNS ports), it might not be susceptible to Deep Packet Inspection. However, it could presumably still be detected.

  • Looks like it's time for a VPN that uses stego. Sure, it might slow the connection down quite a bit, but if it's the difference between no access and (ideally almost undetectable) access, it'll have to do.

  • Just use IP over Avian Carriers [wikipedia.org]. Sure, latency is a bitch, but otherwise it's probably safer.
  • Question is, to what extent does a "national internet" affect the economy? I know my productivity at least would drop seriously w/o global communication channels. But then, I'm not Iranian.
  • I know Skype isn't open source, but I also know that Skype is good at getting through all sorts of blocks, and I know that Skype works in Iran. Since Skype text chats can be automated with their development API couldn't you Base 64 encode packets and send them via Skype to an endpoint outside the country?

    I guess this would work with pretty much any text based chat application that is successful at getting out of , even SMS.

  • Simple solution : change the port to 80 or 443 server side...

If you have to ask how much it is, you can't afford it.

Working...