Help users in Iran reconnect to Signal
Just over a week ago, we announced that Iranian censors had started blocking all Signal traffic in the country. As an interim solution to help people in Iran get connected again, we’ve added support in Signal for a simple TLS proxy that is easy to set up, can be used to bypass the network block, and will securely route traffic to the Signal service.
This new connection method is supported in the latest Signal Android beta release, and will be rolling out to production users in a few days. Our hope is that this will help many people in Iran start sending and receiving messages again while we continue to explore additional censorship circumvention techniques that will work there.
An unorthodox-y proxy
Unlike a standard HTTP proxy, connections to the Signal TLS Proxy look just like regular encrypted web traffic. There’s no CONNECT method in a plaintext request to reveal to censors that a proxy is being used. Valid TLS certificates are provisioned for every proxy server, making it more difficult for censors to fingerprint the traffic than it would be if static self-signed certificates were used instead. In short, everything is designed to blend into the background as much as possible.
The Signal client establishes a normal TLS connection with the proxy, and the proxy simply forwards any bytes it receives to the actual Signal service. Any non-Signal traffic is blocked. Additionally, the Signal client still negotiates its standard TLS connection with the Signal endpoints through the tunnel.
This means that in addition to the end-to-end encryption that protects everything in Signal, all traffic remains opaque to the proxy operator.
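The relay rule described above (the front end terminates the outer TLS, the relay peeks at the client's inner ClientHello, forwards only connections bound for Signal, and never decrypts the tunnel) as an added Python example; this is not Signal's code. The real project runs the terminate and relay roles in the two nginx containers named in the docker ps output on this page; this block only plays the relay role and assumes a terminating front end hands it the plaintext side of each connection. The ALLOWED_SNI hostnames are constructed placeholders for whatever Signal service hosts the real configuration permits, and build_client_hello exists only to construct test input offline.

```python
import socket
import ssl
import struct
import threading

# Constructed allowlist (assumption): stand-in for the Signal hosts the real
# proxy forwards to; anything else is dropped.
ALLOWED_SNI = frozenset({"chat.signal.org", "cdn.signal.org", "storage.signal.org"})


def parse_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None.

    Reads only the fields needed to reach the server_name extension and
    returns None for anything that is not a well-formed ClientHello.
    """
    try:
        if len(record) < 5 or record[0] != 0x16:            # 0x16 = handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        if len(body) < 4 or body[0] != 0x01:                # 0x01 = ClientHello
            return None
        hs = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                        # legacy_version + random
        pos += 1 + hs[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                                  # compression_methods
        if pos + 2 > len(hs):
            return None                                     # no extensions block
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            data, pos = hs[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
            if ext_type != 0:                               # 0 = server_name
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= list_end:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:                          # host_name entry
                    return data[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def relay_decision(first_record: bytes, allowlist=ALLOWED_SNI):
    """Return ("forward", host) if the inner ClientHello names an allowed Signal
    host, otherwise ("drop", None): non-Signal traffic is blocked."""
    host = parse_sni(first_record)
    if host is not None and host.lower() in allowlist:
        return ("forward", host)
    return ("drop", None)


def build_client_hello(server_name: str) -> bytes:
    """Produce a real ClientHello for server_name with the ssl module's memory
    BIOs (no network); used here only to construct test input."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                                                # ClientHello now sits in `outgoing`
    return outgoing.read()


def _pump(src: socket.socket, dst: socket.socket):
    """Copy bytes one way; the relay only moves ciphertext, it never decrypts it."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        dst.close()


def handle_terminated_connection(client: socket.socket, allowlist=ALLOWED_SNI):
    """Relay role: `client` is the plaintext side handed over by the TLS-terminating
    front end, so its first bytes are the client's inner ClientHello to Signal.
    Returns the upstream host that was forwarded to, or None if dropped."""
    first = client.recv(16384, socket.MSG_PEEK)            # peek; bytes stay queued
    action, host = relay_decision(first, allowlist)
    if action == "drop":
        client.close()
        return None
    upstream = socket.create_connection((host, 443))
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
    return host
```

The decision is made on the inner handshake alone: the relay learns which Signal host the client wants (the same thing a censor would see in ordinary traffic to Signal) and nothing else, which is why the proxy operator sees only opaque bytes.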
If you set up a Signal Proxy and you want to let the world know, you can use the hashtag #IRanASignalProxy.
When you publicly post a signal.tube link, or if a particular server becomes too popular, it increases the chance that Iranian censors will simply add those IPs to their block list.
A more discreet approach would be to only send the link via a DM or a non-public message. You can post something like this on your favorite social network:
#IRanASignalProxy Reply to this thread if you want the connection details, and follow me so I can DM you the link.
Although it’s easy to launch new proxies if one gets blocked, we want to do everything we can to make things as difficult for Iranian censors as possible. As long as there are servers in the world, there is no limit to the number of Signal TLS Proxies that people can run.
Only the start of the proxy battle
We hope that organizations and individuals will step up to run Signal TLS Proxy servers for Iranian users and help coordinate their distribution. We’re also continuing to investigate other techniques that are more automated and convenient.
Iranian people deserve privacy. We hope this helps.
My #IRanASignalProxy is running
cxxxxxxxxxxxx certbot/certbot "/bin/sh -c 'trap ex…" 29 seconds ago Up 29 seconds 80/tcp, 443/tcp signal-tls-proxy_certbot_1
6xxxxxxxxxxxx signal-tls-proxy_nginx-terminate "/bin/sh -c 'while :…" 29 seconds ago Up 29 seconds 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp signal-tls-proxy_nginx-terminate_1
2xxxxxxxxxxxx signal-tls-proxy_nginx-relay "/bin/sh -c 'while :…" 29 seconds ago Up 29 seconds 443/tcp signal-tls-proxy_nginx-relay_1
Act as a proxy
If you want to help by running a proxy, to get started you only need the following:
- A server with ports 80 and 443 available.
- A domain name (or subdomain) that points to the server’s IP address.
- DNS A and AAAA records for that domain or subdomain pointing to the server.
The proxy is extremely lightweight. An inexpensive and tiny VPS can easily handle hundreds of concurrent users. Here’s how to make it work:
- SSH into the server.
- Install Docker, Docker Compose, and git:
$ sudo apt update && sudo apt install docker docker-compose git
- Clone the Signal TLS Proxy repository:
$ git clone https://github.com/signalapp/Signal-TLS-Proxy.git
- Enter the repo directory:
$ cd Signal-TLS-Proxy
- Run the helper script that configures and provisions a TLS certificate from Let’s Encrypt:
$ sudo ./init-certificate.sh
- You will be prompted to enter the domain or subdomain that is pointing to this server’s IP address.
- Use Docker Compose to launch the proxy:
$ sudo docker-compose up --detach
Your proxy is now running! You can share your proxy with friends and family using this URL format: https://signal.tube/#