This article first appeared on our partner site, Independent Persian
As the widespread internet shutdown in Iran continues, the market for selling VPNs (virtual private networks) and connection ‘configs’ has surged. It is a chaotic and high-risk space where, on one hand, new methods are constantly being used to access the internet, and on the other, fraud and the exploitation of users have also increased.
In this market, the price of ‘configs’ – the configuration files used to set up a connection – has reached between 500,000 and 1 million tomans per gigabyte (approximately £7 to £15). Under current conditions, the issue is no longer just connecting to the internet; it is also about how that connection is established and the risks involved.
Which VPNs still work in Iran?
Reports from network traffic monitoring services show that less than 2 per cent of Iran’s population is currently connected to the internet. A large share of that group consists of users with so-called “white SIM cards” (which are privileged lines with fewer restrictions granted at the government’s discretion). Comments by government spokesperson Fatemeh Mohajerani appear to confirm this. Mohajerani has stated: “Given certain considerations, efforts were made to provide internet access to individuals who can better convey messages.”

The services that have managed to keep users connected no longer function like traditional, single-route VPNs. Instead of relying on a fixed method, these tools use multiple pathways and communication layers to transmit traffic, allowing data to be rerouted if one path is blocked or becomes ineffective.
Over the past month, methods such as DNS tunnelling (via DNSTT and NoizDNS), using ‘slipstream’ techniques to route QUIC traffic over DNS, HTTPS-based tunnelling with NaiveProxy, SSH connections, and encrypting DNS requests via DoH have gained increasing attention.
The defining feature of the tools currently keeping users online is their flexibility. Some services can even chain multiple methods together. For example, SSH can be layered over Slipstream, NoizDNS, or NaiveProxy to add further layers of encryption and reduce the risk of DNS leaks. As a result, in conditions where network disruption is applied across multiple layers, these tools have a better chance of maintaining connectivity than conventional VPNs.
The risk of surveillance
These methods are typically more effective for users with higher technical knowledge. However, what is currently sold as a ‘config’ is usually designed for less experienced users. In this model, the provider pre-configures the setup, and the user simply receives a file or access key.
In this situation, users must place significant trust in the provider, as the operator potentially has the ability to monitor their activity. In services that use HTTPS encryption, the provider can generally see which services a user visits, but not the specific details of their activity. However, other important risks can still compromise user security.
In recent weeks, due to increased demand, scams have also risen. Independent Persian has seen evidence of Telegram channels emerging that advertise “guaranteed VPNs” or “no-disruption configs,” but are in fact defrauding users.
These scam operations typically fall into two categories: some take payment and deliver no service at all, while others cut off access before the purchased data is fully used.
Many users report, for example, buying a 2GB service that stops working after just one or two days – often after only around 200MB of usage. When they contact the seller, they are asked to pay again for a supposedly “more stable” service.
Can the authorities identify users?
From a security and anonymity perspective, the risk can begin at the very first step: the purchase process. If payment is made through official banking gateways using real identity details, users may already be exposing part of their personal and financial information to the seller. Given that many services currently rely on these official payment channels, users can effectively be identified at the point of purchase – a serious concern for those seeking anonymity.

As some users within Iran report receiving text messages from the police warning them about accessing the global internet – along with threats of SIM card disconnection and legal action – many people are now asking whether the authorities can identify VPN users.
There is no definitive evidence to confirm or deny this. However, from a technical standpoint, identifying users who rely on VPNs is not implausible, especially in a situation where more than 98 per cent of users are offline and overall traffic is extremely limited.
Traffic monitoring systems can use deep packet inspection (DPI) and traffic fingerprinting to detect certain VPN protocols. Even when protocols are heavily obfuscated, traffic behaviour patterns can still reveal signs of VPN use.
Indicators such as the sequence and type of exchanged packets, timing patterns, packet size and distribution, and the overall flow of traffic can all play a role in identifying VPN traffic.
Monitoring systems can also infer the nature of a connection from its structure and behaviour: for example, how the connection is initiated, whether packet exchange is regular or irregular, the ratio of inbound to outbound traffic, and whether consistent patterns persist over time.
Another misconception among some users is the belief that simply using a reputable and secure app is sufficient for safety, and that the config file itself is not particularly important. In reality, the security of a tool is not limited to the application; the configuration file is also a crucial part of the connection mechanism, determining how traffic is routed, which server is used, and what settings are applied.
A config is not inherently dangerous in the same way as malware, but its risk lies in how it can route a user’s connection insecurely. In practice, the config determines which server the user connects to, which protocol and port are used, where DNS requests are routed, and whether certificate verification is properly enforced. If the config is not trustworthy, it may connect the user to a server that logs or monitors traffic, or even allow some sensitive data to pass through unencrypted channels.
When obtaining a config, the first and most important factor is its source. Those shared through unknown or unverified channels should be treated with extreme caution.
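The settings a config decides (server, protocol and port, DNS routing, certificate verification) can be read out and checked before the file is imported. The following is an added example, not part of the original article: the JSON schema, field names and sample values are hypothetical and constructed for illustration, so they must be mapped to the format a given client actually uses.

```python
import ipaddress
import json

# Constructed samples; schema and field names are hypothetical, not a real client format.
RISKY = json.loads("""{
  "server": "203.0.113.10", "port": 8080, "protocol": "https-tunnel",
  "tls": {"enabled": true, "verify_certificate": false},
  "dns": {"servers": ["192.0.2.53"], "via_tunnel": false}
}""")
HARDENED = json.loads("""{
  "server": "vpn.example.org", "port": 443, "protocol": "https-tunnel",
  "tls": {"enabled": true, "verify_certificate": true, "server_name": "vpn.example.org"},
  "dns": {"servers": ["10.8.0.1"], "via_tunnel": true}
}""")


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_config(cfg):
    """Return (field, finding) pairs for settings that weaken the connection."""
    findings = []
    tls = cfg.get("tls") or {}
    dns = cfg.get("dns") or {}
    if not tls.get("enabled", False):
        findings.append(("tls.enabled", "traffic to the server is not protected by TLS"))
    else:
        # A missing key is treated as the unsafe value: the config must opt in explicitly.
        if not tls.get("verify_certificate", False):
            findings.append(("tls.verify_certificate", "any server can impersonate the endpoint"))
        if is_ip(str(cfg.get("server", ""))) and not tls.get("server_name"):
            findings.append(("tls.server_name", "bare-IP server with no certificate name to check"))
    if not dns.get("servers"):
        findings.append(("dns.servers", "no resolver set, lookups may use the local network's resolver"))
    if not dns.get("via_tunnel", False):
        findings.append(("dns.via_tunnel", "DNS lookups bypass the tunnel and expose hostnames"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY), ("hardened", HARDENED)):
        print(name, cfg["server"], cfg["port"], cfg["protocol"])
        for field, why in audit_config(cfg):
            print(f"  {field}: {why}")
```

A clean result only means the file does not disable these protections; it says nothing about whether the server operator logs traffic, which is why the source of the config still matters.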
Reviewed by Tooba Khokhar and Celine Assaf





