Bypassing IRI National Internet Wall - How to Neutralize IRI Filtering - Part 3

Sam Ghandchi



Over a year ago, the Islamic Republic of Iran (IRI) announced that it was building for Iran what it called a "National Internet," and said the project's goal was to improve price-performance for domestic Internet users.


Regardless of the above irreproachable declared objectives, a group in IRI has been very clear about its own agenda for pushing this IT architecture for Iran. Their goal was to turn the global Internet in Iran into one giant *Intranet* network, where *all* Internet services can easily be filtered on the fly by applying policies on the national border routers, as they recently did with Google in Iran. They later said it was just an error, but I think they were testing the new, super-expensive infrastructure of their so-called "National Internet".


The way IRI blocks with this new architecture is by having someone catch the announcement of a service address for any Internet service they want to block. Blocking Google was no doubt done by null routing it: basically, they don't advertise the route through the ISPs, or they advertise it and say that the next hop address is an address that goes to /dev/null. In other words, they null route the address, instead of using the method they have used to filter web sites in the last 5 years, which was blocking millions of sites at the ISPs.


Therefore, there will no longer be the time lag between intelligence authorities creating lists and ISPs implementing the filtering, as there has been in the last 5 years. They can also implement all kinds of policies, not just for web sites: they can even block emails based on semantic rules, even those originating from Google, Yahoo, or MSN, when a blocked URL or the latest proxy addresses are found in the body of the email. They have been doing that to email customers of Iran-based ISPs for a few years now, but with their new National Internet structure they will extend this censorship to Google, Yahoo, and MSN email customers, and this is what they were testing when they killed all Google access, including its search engine, in Iran. If it were up to security officials, they would have blocked all services of Google, Yahoo, and MSN a long time ago, but they know that these are critical to Iranian businesses. Even after spending all their money on the so-called National Internet, they well know that the Internet is a global phenomenon and that they cannot replace such global services; their main goal is not to replace them, but to raise the fences for whatever is not amiable to IRI. Yes, this iron curtain is a new system to reinforce the prison walls blocking Iranian Internet users from accessing the "undesired" content in the outside world in the most efficient way possible.


Most of the past methods the Iranian opposition has been using to pass through filtering will not work once this new National Internet infrastructure is in place, and from what we witnessed recently in the case of Google, it seems we are not that far from the point when this new iron curtain will be what we, in the opposition, need to deal with. Most of the suggestions I made in the last two parts of this series to neutralize IRI filtering will soon stop working. Public http proxies, and even the secured types (https), may not work in a few months. Of course, personal solutions like Psiphon, which requires having a friend with good technical expertise outside Iran, will still work, although it is not a very comfortable solution to use. I discussed that solution in detail in my interview with Mr. Ahmad Baharloo of VOA nine months ago, for those who may still be interested to set it up:


Another solution I mentioned in the above interview, namely using Peer-to-Peer (P2P) networks inside Iran, will also work, but it requires one user in the network to be able to bring in the content of the banned sites. So for that one person, the question of how to do it by other methods will still need to be solved. I should also say that P2P networks such as BitTorrent are still not that widespread in Iran, and this may not work as a solution for most Internet users, because not all P2P networks would be open to providing banned content, as it is a shared environment. At any rate, I discussed P2P networks and TOR in the second part of this series, and those interested can refer to that article:


My topic in this article is how to deal with the new situation. The sooner we build the new response structure to what is happening, the better off we will be when the National Internet wall of Iran is fully operational, because that will be like being in a jail with the thickest stone walls surrounding us.



A former colleague of mine and an Internet guru, in a conversation with me, when discussing the situation of National Internet wall of Iran and the ways to tunnel to the outside world, defined a whole new paradigm for approaching the filtering issue in his following statement:


"Imagine just for yucks if every router in the region became a proxy server"


The above is such a great response to IRI. Yes, IRI's new National Internet is turning every router owned by the Minister of Information and Communication Technology (ICT) of Islamic Republic of Iran into a prison citadel, and my friend is suggesting to turn every router *outside* of those prison walls into a proxy server. His suggestion is, in my opinion, the most ingenious thought I have ever heard in dealing with the issue of filtering.


My friend continued that every router out there already has the capability, given appropriate configuration. For example, he noted that Cisco isn't going to predetermine its customers' configurations.


Tunneling can be configured using a number of different technologies: IP/IP, GRE, IPsec, SSH, etc. For example, one can SSH to quite a variety of places, and they don't have to be either near or far. The router only needs to configure its SSH server so that those who have the key are able to access it. For example, a user using an IPsec tunnel infrastructure may have a dozen places in the world where s/he can set up an encrypted tunnel from a laptop. Another word for any kind of tunnel infrastructure is "VPN". Anything that allows you to set up an ad hoc VPN accomplishes the goal.
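How the null route described earlier and an encrypted tunnel interact at a border router, as an added example that is not part of the original article. The addresses are documentation prefixes, and the tables, packet dictionaries and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed border-router table using documentation prefixes (assumption).
# A next hop of None models a null route: matching packets are discarded.
BORDER = [
    ("0.0.0.0/0", "upstream"),      # default route to the outside world
    ("203.0.113.0/24", None),       # blocked service, next hop is discard
]
# Same router once the censor also null routes one known tunnel endpoint.
BORDER_V2 = BORDER + [("198.51.100.7/32", None)]
# A table with no default route: prefixes not listed were never advertised.
NO_DEFAULT = [("198.51.100.0/24", "upstream")]


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


def forward(table, packet):
    """Forwarding decision based on the outer destination only.

    For an encrypted tunnel the real destination sits in packet["inner"],
    which the router cannot read, so it plays no part in the decision.
    """
    match = lookup(table, packet["dst"])
    if match is None:
        return "unreachable"        # route not advertised
    if match[1] is None:
        return "discarded"          # null routed
    return "forwarded via " + match[1]


direct = {"dst": "203.0.113.10"}                      # straight to the blocked service
tunnel_a = {"dst": "198.51.100.7", "inner": direct}   # same request via endpoint A
tunnel_b = {"dst": "192.0.2.44", "inner": direct}     # same request via endpoint B

if __name__ == "__main__":
    for name, table in (("BORDER", BORDER), ("BORDER_V2", BORDER_V2)):
        for label, pkt in (("direct", direct), ("A", tunnel_a), ("B", tunnel_b)):
            print(name, label, forward(table, pkt))
```

The second table shows why a single well-known tunnel endpoint is fragile: its address can be null routed like any other.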


In other words, owners of routers, such as those who are currently making http proxies available for Iranians (VOA, for example), can turn their routers into VPN servers to help Iranian users tunnel to the outside world. If they distribute a great number of VPN keys to the users, and a number of generalized ones, before the email blocks of IRI National Internet prevent most of the contacts with the outside world, then a lot of people will have the tunneling capability to the outside world when that happens.


Here are some useful documents about tunneling for those who have Cisco routers which they can use to turn them into VPN servers:


As my friend said, "imagine just for yucks if every router in the region became an SSH proxy, perhaps using randomized port numbers and advertising multiple router addresses to prevent filtering of SSH. You can tell people to SSH to an outside system with a well-known key (everyone is supposed to get their own, but there's no reason that one couldn't use a *generalized* one for this purpose) and then redirect their traffic through the tunnel."  Yes, he is right, this is doable, and I am sure Iranian technical experts and friends of Iranians in the outside world, who have helped us so much all these years with making http proxies, will set up many of these VPN servers for people to use. In these Dark Ages of Islamic Republic, Iranian Internet users will still be able to have the Internet as a *global* network and *not* a National Intranet with IRI's Iron Curtain blocking Iranians from the rest of the world, as these petrified IRI officials want to deform it.
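The quoted suggestion hands the same *generalized* key to many people, so the server side should limit that key to carrying tunnel traffic. A check for that, as an added example that is not part of the original article: it assumes the outside system runs OpenSSH, and the policy (require `restrict`, `port-forwarding` and a forced `command=`), the sample lines and the key blobs are constructed.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")   # a line starting like this has no options

# Constructed authorized_keys entries; the key blobs are placeholders, not real keys.
SAMPLE = '''\
ssh-ed25519 AAAAPLACEHOLDER1 shared-tunnel-key
restrict,command="/bin/false" ssh-ed25519 AAAAPLACEHOLDER2 shared-tunnel-key
restrict,port-forwarding,command="/bin/false" ssh-ed25519 AAAAPLACEHOLDER3 shared-tunnel-key
'''


def parse_options(line):
    """Return the leading options field as a dict (escaped quotes not handled)."""
    if line.startswith(KEY_TYPES):
        return {}
    opts, item, quoted = {}, "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if not quoted and (ch == "," or ch.isspace()):
            if item:
                name, _, value = item.partition("=")
                opts[name.lower()] = value.strip('"') or True
            item = ""
            if ch.isspace():
                break               # options end at the first unquoted space
        else:
            item += ch
    return opts


def audit(line):
    """Findings for a key that is meant to be shared for tunnelling only."""
    opts = parse_options(line.strip())
    findings = []
    if "restrict" not in opts:
        findings.append("no 'restrict': PTY, agent and X11 forwarding stay enabled")
    elif "port-forwarding" not in opts:
        findings.append("'restrict' without 'port-forwarding': tunnel cannot carry traffic")
    if "command" not in opts:
        findings.append("no forced command: key holder can run commands on the server")
    return findings


def audit_all(text):
    """Audit every non-empty, non-comment line of an authorized_keys file."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return [audit(l) for l in lines]
```

Only the third sample entry passes: it keeps forwarding available while the forced command and `restrict` remove everything else a holder of the shared key could do.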


I should note that there is a company in Iran that sells VPN service:


They may be worth looking at, but unfortunately I do not know them personally. 


I hope those who have been providing the Iranian Internet community with great proxy service in the last few years will help out now by providing free VPN service for those living in Iran. Actually, I hope they do, because people who have trusted a provider for proxy service in the last 5 years can also trust them for VPN service, because whoever owns the server can see people's addresses, just the way the proxy server providers today are able to see them. At least in most of the solutions that I am aware of, this is the case, including Psiphon. As a little digression, I should note that sites like do not collect statistics on the traffic that goes through proxies even if they can, because of their privacy policy; therefore their stats for banned sites are totally wrong.


Let's return to our topic. In the past, I refrained from recommending VPN because it used to cost a lot to make it available to thousands of people. But nowadays, with every Cisco router having the capability to become a VPN server, it is only a matter of configuring the router, for those owning routers, to offer this service.

Hoping for a day to live in an Iran with no censorship,



Sam Ghandchi, Editor/Publisher


October 12, 2007



Related Articles:


How to Neutralize IRI Filtering-Part 1


How to Neutralize IRI Filtering-Part 2




