Online restrictions in Iran have a long history. For example, many social media platforms, including Facebook, YouTube, and X (formerly Twitter), have been blocked since 2009. In addition, following the U.S. Presidential Executive Order, Mastercard and Visa have suspended their activity in Iran since 1995.
We have been tracking the tightening of internet restrictions in the country after the January 2026 protests. There is reason to believe the authorities are moving away from a “blacklist” model, where access is selectively blocked, toward a more advanced “whitelist” model.
It has come to our attention that Russian censorship agencies' staff helped Iranian authorities configure the equipment used to restrict internet access.
We studied the specifics of internet censorship in Iran and found out why VPN services are struggling to navigate the current situation.
Whitelisting in Iran
We see that the authorities are rolling out a whitelist model and cutting off the external internet. Since the start of the war with the United States, this approach has been applied nationwide on a permanent basis.
Before the conflict, the blocking model could be more accurately described as a “graylist.” Iranian authorities implemented the technology only partially so as not to paralyze the public sector and businesses that depend on the global network. But the situation has changed.
Overview of VPN Services in Iran
Many VPN providers operate in the country, but most of the market is made up of regional projects with hundreds of thousands of users. Some of these companies use the AmneziaWG protocol.
We have been working in Iran for several years now and have more than 300,000 users there, including through the free version of our service, Amnezia Free, which engages split tunneling as well as the aforementioned AmneziaWG protocol. In addition to Iran, Amnezia Free is available in Russia, Brazil, the United Kingdom, Venezuela, and other countries.
In the context of Iran, out-of-the-box split tunneling is especially important because it helps conceal connections from censors more effectively. We also constantly modify signatures — the digital fingerprints of network packets — so that subscribers on even the strictest Iranian ISPs, Irancell and Hamrah Aval, could stay connected.
However, the VPN market in Iran is difficult enough even without direct censorship. A particular threat comes from services that, as we see, may be linked either to government structures or scammers.
Iranian VPNs — Suspicious and Dangerous
We believe some services may be tied to Iranian state actors. The main clue is them using the .ir domain zone. Anyone who wants to register a site within it must provide a national ID and a local phone number. Anonymous users and foreigners cannot register such a domain. In addition, these VPN solutions use servers located in Iran. Buying those also requires the disclosure of personal data.
At the same time, some configurations — the settings used to connect to a server — do not encrypt traffic. It means that anyone can see which websites a user visits. One example that has been shared with us:
vless://*****@***.wolfkaraj.ir:8180?security=none&encryption=none&headerType=none&type=tcp
Note that both security and encryption are set to none. At the same time, the configuration routes user traffic through the .ir domain.
The none value means the configuration is unencrypted. This is concerning because an outside observer — such as a traffic analysis system — can see a user’s behavior and the websites they visit freely.
At the same time, attackers are distributing spyware disguised as legitimate VPN services. Since Google Play availability is inconsistent in Iran, APK files are often distributed through unofficial channels. Some of those files may contain trojans.
The bottom line: legitimate VPN providers are blocked by Iranian censorship, while lesser-known services are often either state-controlled or used by attackers, putting users at risk.
Iranian Internet Censorship: Life During Shutdowns
Earlier this year, Iran imposed a shutdown — a complete cut off from the global net. By January 10, the number of active Amnezia Free connections had dropped to almost zero. Only after 10 days were some connections restored. We believe users in Tehran and other major cities were unable to reconnect — those are the areas where we see the harshest restrictions.
Since February 28, we've been observing a near-complete internet shutdown in Iran following the armed strikes by the US and Israel. It's been this way for over a month at the time of writing.
In parallel to this, we noticed several changes in the way censors operate following the full shutdown in January. For example, strict filtering was applied to the small number of ports that remained unblocked. Still, even traffic passing through those ports is inspected by DPI systems (deep packet inspection).
We assume there is a whitelist of domains within CDN subnetworks. But even if a CDN’s IP and domain are whitelisted, connection problems can still occur. Inside TLS,The protocol that secures data transfer between nodes there is an SNIAn extension of TLS that allows multiple websites with different certificates to be hosted on a single IP address field, which identifies the original domain. If a site uses an SNI that is not on the whitelist, the connection fails.
In addition, some government services — for example, Iran’s “TikTok killer,” — continue to work even during a shutdown. At the same time, there are lists of accessible resources on the Iranian social media during the internet blackout: some news and entertainment sites remain available almost without interruption.
Beyond government-linked services, some online movie platforms and mobile games are also accessible. We believe these projects may also be tied to state structures — likely, their data was added to the whitelist to preserve access even during the shutdown.
After the January protests, Iranian censors — with help from their Russian counterparts to configure the equipment — introduced partial traffic analysis methods. Pre-2026, blocking was done manually: a censorship official would process VPN configurations from individual services, extract the server IPs used for connections, and send those IPs for blocking. After the shutdown, this process was automated. The final decision on blocking servers or ports is still made by operators, but DPI is streamlining the process.
We are also observing blocks aimed at hosting providers associated with VPN services.
Regional Differences Within the Iranian Internet Censorship
We see geographic variation in censorship across the Islamic Republic. For example, the internet in Tehran is practically inaccessible through the two largest carriers: MCI (Hamrah Aval) and Irancell.
Our tests show that East Azerbaijan province is less affected by censorship: local users — even on MCI and Irancell — are more likely to reach the outside internet.
What’s Next for the Internet in Iran
Based on experience from other countries, we presume that:
- Iranian authorities are likely trying to implement a whitelist system, but they are not yet restricting the internet as a whole. That explains the regional differences in connectivity.
- Blocking is driven by partial traffic analysis: the DPI system flags IP addresses and domains, and then the operator manually cuts off the access. Hosting providers used by VPN services are also being restricted.
- Some VPN services offer unsafe configurations and put users at risk of prosecution. At the same time, scammers are distributing malware disguised as APK-files.
This looks a lot like Russia, where local authorities are tightening control over internet access by introducing whitelists. Overall, we are witnessing a global rise in internet censorship, e.g., in Brazil and the United Kingdom, where online age verification becomes mandatory.
We continue to improve our solutions to keep the internet open and secure for everyone. In particular, we upgraded the AmneziaWG protocol to version 2.0 and opened access to it for Self-hosted users on most devices.
3 min