The problem
You must have heard about the news in Iran. Millions of people had taken to the streets in peaceful protest of a rigged election, and the authorities used violence to suppress them. Videos of these protests ended up on YouTube, and eyewitness reports on Twitter. But now they have expelled or arrested all journalists, and have blocked off sites like YouTube and Twitter from Iran with internet filters. It is very important for the Iranian people to be able to bypass these internet filters. Who knows how far the regime will go once the world can no longer bear witness to their actions.
An early effort by the internet community was to set up a large number of web proxy servers. This let people bypass the government firewalls for a while, but now the regime has closed this hole. If they see that someone is using a proxy server, their connection will get blocked, and they may get arrested too on top of that.
A different attempt used encryption to hide the data that Iranians were downloading from the internet: the regime can't block what it can't see being downloaded, right? But they responded by throttling ALL encrypted internet connections (such as SSH and SSL), slowing them to a crawl. This happens automatically through deep packet inspection (DPI) equipment that looks for the telltale "handshake" sent in the clear whenever an encrypted session is set up. All data following that handshake gets throttled to the point of being unusable.
One good solution (not mine)
Bruce Leidl has created an awesome patch for openssh. It obfuscates the handshake used when creating an encrypted SSH connection. A secret handshake, so to speak, that will fool the oppressive DPI apparatus. With this, Iranians can safely use the internet again at reasonable speeds. But they will need servers that support this patch.
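To make the two paragraphs above concrete, here is a small added example (my own illustration, not part of the original post or of obfuscated-openssh) of the kind of signature matching a DPI box does on the first bytes of a connection. The SSH identification string and the TLS ClientHello are recognisable by fixed bytes; the "obfuscated" sample is constructed keyed pseudo-random filler standing in for a handshake that carries no such banner, which is why it falls through to "unknown".

```python
import hashlib
import math
from collections import Counter

# Constructed sample "first bytes" of four client streams, as a DPI box would see
# them. None are real captures; the obfuscated one is sha256 output used as a
# stand-in for a handshake with no protocol banner.
SAMPLES = {
    "plain_ssh": b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n",
    "tls_client_hello": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
    "http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "obfuscated": b"".join(
        hashlib.sha256(b"demo-seed" + bytes([i])).digest() for i in range(2)
    ),
}


def classify_handshake(first_bytes: bytes) -> str:
    """Name the protocol if the first bytes carry a known cleartext handshake."""
    # RFC 4253 identification string, always sent in the clear by both sides.
    if first_bytes.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record layer: content type 0x16 (handshake), version 0x03 0x0X,
    # two-byte length, then handshake type 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http"
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; cleartext banners sit well below random-looking data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def report(samples=SAMPLES):
    """Classification and entropy for every sample, keyed by sample name."""
    return {name: (classify_handshake(b), round(shannon_entropy(b), 2))
            for name, b in samples.items()}


if __name__ == "__main__":
    for name, (proto, ent) in report().items():
        print(f"{name:17s} -> {proto:8s} entropy/byte={ent}")
```

The entropy column shows the trade-off: the obfuscated stream has no signature to match, but it still looks like random data rather than like a plaintext protocol.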
Please download the obfuscated-openssh patch.
Compile and install it the usual way:
make
make install
"Wait, doesn't SSH let people log in to my server?" you might ask. Normally yes, but not necessarily. You can disable shell access and let users use your server only as a secure SOCKS proxy. You will need to create a dedicated user account for that. The example below adds a user "iran" with password "iran" whose login shell is set to nologin, so it can authenticate for port forwarding but cannot get a shell.
And here is a sample sshd_config file you can use. It will allow only the user "iran" to connect. The command users run on their own computer to connect with this configuration is given in the comments of the file.
sshd_config
# See sshd_config(5) for more information.
#
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
# This ssh daemon is meant to be run separately from the regular
# non-obfuscated sshd. A single user account is enough for this purpose.
# You should make sure this user does not have shell access, by changing
# the shell to /usr/sbin/nologin. This example adds a new user "iran" with
# password "iran".
# sudo useradd -m -s /usr/sbin/nologin -p '$1$jt0IIfj/$U9oLm33s7F.3OKUa.8JD3.' iran
#
AllowUsers iran
# To set up a SOCKS proxy, execute an obfuscated-openssh client like so:
# ssh -ND 9999 -z -Z fnord -p 587 iran@<hostname> &
# The client will now be running a SOCKS proxy on localhost:9999 and forwarding
# all traffic to the ssh server. User will need to configure web browsers and
# such to use the SOCKS proxy.
#
Protocol 2
ObfuscatedPort 587
ObfuscateKeyword fnord
#Port 22
SyslogFacility AUTH
LogLevel ERROR
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
MaxSessions 10
PermitEmptyPasswords no
AllowAgentForwarding no
AllowTcpForwarding yes
PrintLastLog no
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 3
PidFile /var/run/obf_sshd.pid
#MaxStartups 10
#PermitTunnel no
# Note: sshd requires the chroot directory and every path component above it
# to be owned by root and not writable by group or others. Since "useradd -m"
# creates /home/iran owned by the user, run "chown root:root /home/iran" (and
# make sure it is mode 755) or sshd will refuse the login with
# "bad ownership or modes for chroot directory".
ChrootDirectory /home/iran
# no default banner path
#Banner none