It's a weird feeling, typing this. My fingers remember how to do it, but something feels off... like coming back to an instrument after months of not playing and your muscle memory works but your head keeps second-guessing every note.
That's what the internet is like for me right now. It's here, technically. But 88 days of near-total silence changes you in ways you don't notice until you're back and realize you'd already started building a life that didn't need it.
So let me tell you what actually happened. Not the sanitized version, not the diplomatic roundtable summary. The real version — the technical guts of how a government flips a switch and takes 90 million people offline, what it cost us, and what people were doing in the dark trying to stay connected.
The Switch Flips
January 8th, 2026. Evening. I remember because I was in the middle of a deploy — a painfully boring deployment that I'd been pushing off for two days — when everything just... stopped responding. Ping timeouts. DNS queries going nowhere. I rebooted the router out of habit. Nothing. Checked if it was just my ISP. Called my friend across town. Same thing.
Within the hour it became clear this wasn't a routing hiccup.
Protests had been building for almost two weeks by then — nationwide, spreading fast — and the government's answer was a move that's been in their playbook since 2019: shut the whole thing down. Not throttle it. Not block a few apps. All of it. NetBlocks, the internet monitoring outfit, called it a "regime-imposed national shutdown" and clocked connectivity at roughly 1% of normal levels within hours. Not 10%. Not 20%. One. Percent.
That 1% was probably some government server somewhere, still talking to itself.
How You Actually Kill an Entire Country's Internet
Most people picture a kill switch — one red button, one guy in a server room, everything goes dark. The real architecture is messier and more disturbing.
Iran's filtering infrastructure operates through something called SIAM — Sāmāneh-ye Etelā'āt-e Moshtarekān, the System for Intelligence Activity Monitoring — which sits at the core of the National Information Network (NIN). Every ISP in Iran is legally required to route traffic through state-controlled choke points. That's not a metaphor. The traffic literally has to physically pass through government-controlled exchange points before it exits to the international internet. This isn't difficult to exploit for shutdown purposes — you just stop forwarding at the border.
But the shutdown capability is only half the picture. The surveillance capability is the scarier half, and that's where Deep Packet Inspection comes in.
What DPI Actually Is (and Why It's Worse Than It Sounds)
Normal firewalls and routers check a packet's header — the equivalent of reading the address on an envelope. They see "this packet is going to 8.8.8.8 on port 443" and decide to allow or deny it. Easy. Bypassable.
Deep Packet Inspection opens the envelope. It reads the letter inside.
DPI hardware sits inline on the network and analyzes not just where traffic is going but what kind of traffic it is. It can fingerprint VPN protocols at the packet level — the statistical signature of OpenVPN handshakes, the timing patterns of WireGuard, the TLS fingerprint of Shadowsocks — and drop or throttle them without ever needing to see a domain name. Even if you encrypt your traffic, the shape of the encryption betrays you.
Iran's DPI infrastructure has been a decade in the making, and here's the part that made my stomach drop when I read it last week: a senior Iranian official confirmed during the blackout that Chinese Deep Packet Inspection hardware is now installed nationwide, purpose-built for exactly this use case. The manufacturer is legally obligated under China's National Intelligence Law to cooperate with Beijing's intelligence services if asked. Iran just bought itself a surveillance grid that has a foreign master key.
The security contractors Yaftar and Doran were reportedly tasked with deploying DPI updates specifically designed to fingerprint and flag VPN traffic routed through Starlink terminals. They weren't playing defense. They were hunting.
Whitelisting: The Move That Changes Everything
The thing that made this blackout different from 2019 or 2022 wasn't just the scale. It was the methodology. Instead of maintaining a blocklist — a list of bad IPs and domains that you refuse — the government flipped to a whitelist model.
Blocklist: everything is allowed unless it's on the list. Whitelist: everything is blocked unless it's on the list.
That's a completely different posture. Blocklists are reactive and leaky — people find unlisted proxies and waltz through. Whitelisting forces the government to explicitly approve every single external endpoint that Iranians can access. The burden flips entirely. Instead of trying to enumerate the entire bad internet, they just enumerate the small set of approved internet and permit nothing else.
Combined with DPI, this created an almost hermetic seal. Your packet goes out, hits the border, the DPI box identifies it as anything other than an approved protocol to an approved destination, and it dies. No error. No redirect. Just a timeout.
Surviving in the Dark: The Bypass Methods
When you tell a country of engineers and developers that the internet is off, the response is exactly what you'd expect: an arms race fought in Telegram group chats, shared configs on smuggled USB drives, and voice calls explaining router settings to relatives.
Here's what people were actually using.
SNI Spoofing
The Server Name Indication field is a small but critical piece of every TLS handshake. When your browser connects to yourfavoritesite.com over HTTPS, it sends the domain name in plaintext at the start of the connection — before the encryption is established — so the server knows which certificate to present. This is SNI.
Iran's DPI machines read that field. If the domain is blocked, the connection gets terminated right there, before any encrypted data ever flows.
SNI Spoofing exploits a timing gap. You send a fake SNI field that points to an allowed domain — something whitelisted, like a CDN endpoint or an approved domestic service — while the actual destination of your traffic is different. Some implementations send the fake SNI in the initial fragment only, then switch to the real destination after the handshake completes. Others use padding and fragmentation to confuse the DPI inspection engine.
This worked for a long time in Iran because the filtering system was designed around blocklists — it was checking for bad SNI values rather than verifying that the SNI matched the actual certificate. For a good stretch of the blackout, people with the right config were able to slide traffic past the inspectors by wearing the mask of an allowed domain.
The government, of course, adapted. But it bought time.
MasterHTTPRelay — The Google Script Trick
This one is clever in a way that made me genuinely appreciate the person who built it.
Google Apps Script is a platform that lets you write JavaScript functions and expose them as HTTPS endpoints — under domains like script.google.com and *.googleapis.com. These endpoints come with Google's infrastructure behind them, and in the early phases of the blackout, Google's core services were partially whitelisted because cutting them entirely would have broken too many internal government systems that rely on Google APIs.
MasterHTTPRelay turned a Google Script endpoint into an HTTP proxy. Your traffic hits the Apps Script URL — which is allowed through — the script forwards your request to the actual destination, gets the response, and sends it back to you. From the DPI system's perspective, you're just talking to Google. From your perspective, you're browsing the open internet.
The catch: it only works when Google's endpoints are accessible, which wasn't always the case. The whitelist kept changing. There were days when googleapis.com was fully open and MasterHTTPRelay configs were being passed around like lifelines. There were other days when even that narrow window slammed shut. It was a cat and mouse game measured in hours.
MikroTik + Starlink: The Hardware Underground
This is the one that genuinely impressed me, and also the one that required resources most people simply didn't have.
Before the blackout, an estimated 50,000 to 100,000 Starlink terminals had been smuggled into Iran — an operation that accelerated after the 2022 Mahsa Amini protests and intensified again after the June 2025 twelve-day war with Israel. Possession is illegal. Confiscation is certain if found. People were hiding them on rooftops under water tanks, in stairwells, wrapped in tarps.
The MikroTik approach worked like this: someone with a Starlink terminal configures a MikroTik router as a traffic relay — setting up policy-based routing rules that tunnel specific flows (usually by destination IP range or by protocol fingerprint) through the Starlink uplink while letting domestic traffic continue through the normal ISP connection. Done right, your laptop has no idea it's doing anything special. You configure a specific destination in your browser or app, the MikroTik intercepts that traffic and re-routes it to the Starlink terminal, and the DPI box at the ISP border never sees it because it never passed through the ISP connection.
The government responded by jamming Starlink signals. Filter.Watch reported packet loss surging from 30% to over 80% in Tehran within days of the blackout starting — the first verified instance of a nation successfully degrading Starlink at national scale. It wasn't total, and it wasn't consistent across the country. Rural areas were less affected. Some neighborhoods had working windows for hours at a time before the jamming resumed.
The Black Market
Let me be real about this part: I couldn't afford it.
By February, people with Starlink access were selling connectivity. Not VPN subscriptions — bandwidth. You'd pay per gigabyte to have your traffic relayed through someone's smuggled terminal. The pricing varied wildly by city and by who was selling, but the numbers I kept hearing were enough to make your stomach turn — especially when your income had flatlined because every project requiring a connection to the outside world was frozen.
The "Internet Pro" program that eventually leaked out made it worse. Apparently there was a tiered access system — certain SIM cards with government blessing could route through unrestricted gateways. One-year packages. Activation fees. Reserved for people who weren't supposed to feel the pain. IRGC-adjacent businesses, government contractors, people who needed to know what we were saying while we couldn't say anything.
My projects sat dead. Client communication went dark. Two contracts evaporated because I couldn't respond fast enough, couldn't push code, couldn't join calls. I watched 88 days pass in a kind of suspended professional animation — not fired, not resigned, just... stopped. Like someone had paused the clock on a version of my life and I had to wait for them to hit play.
May 26th. Back Online. Kind Of.
Traffic came back in stages. You'd ping something and it would reply and you'd feel this pathetic rush — is it working? — and then timeout again. Cloudflare Radar showed connectivity stabilizing at around 40% of pre-blackout levels as of May 26th. Forty percent. That's not restoration. That's a partial reprieve.
WhatsApp still needs a circumvention tool. YouTube is still blocked. Instagram hasn't come back. A court challenged the restoration order within 24 hours of it being issued — four hardline Supreme Council members went straight to an administrative court to have it suspended. The legal fight is ongoing.
And then there's the hardware.
The Chinese DPI boxes aren't going anywhere. They're installed. They're operational. The infrastructure for the next shutdown is faster, more precise, and more comprehensive than anything that existed in January. Whatever happened over the past 88 days, whoever decided to end it — the capability to do it again didn't leave with them. It got upgraded.
What ended on May 26th wasn't the blackout. It was the most extreme phase of it. The architecture remains. The whitelist model remains. The 40% traffic figure isn't a bug in the restoration — it might be closer to what "normal" looks like now.
I Don't Know How to End This
I'm back online. I'm writing this. I've got tabs open that feel almost decadent — GitHub loading in full, my deployment dashboard green, a Zoom call scheduled for tomorrow that I actually expect to work.
But I keep thinking about the DPI boxes. About how 88 days was enough to reshape habits, kill businesses, isolate families, and silence an entire economy — and at the end of it, the people who did it got better at it. The cost was somewhere between $1.5 and $3 billion, depending on whose estimate you believe. That number was paid by 90 million people, most of whom had no say in any of it.
The internet is back. The firewall is more sophisticated than it was before.
I guess what I'm trying to say is: I'm not celebrating.
If you want to understand what's technically possible from inside Iran right now in terms of circumvention, or if you've got questions about the SIAM system, SNI spoofing configs, or the MikroTik relay setup — drop it in the comments. I'll write a follow-up that gets more into the weeds. There's a lot more to cover.