Censorship circumvention for iOS (iPhone) and iPadOS (iPad)

This page introduces some possible solutions for penetrating restrictive firewalls from iOS (iPhone) or iPadOS (iPad) devices.

A word of caution before you begin. Mobile devices are inherently insecure. The phone company knows exactly who you are. Every cell tower in the neighborhood knows exactly where you are. Make sure you stay safe. Exercise judgment over what you do on a mobile device.

In certain countries, governments have banned some of the apps on this page. They do not appear in your App Store. To get around this ban, you may have to change the region of your Apple ID account, not just the region settings on your device.

1. Tor

Apple requires all browsers in its App Store to use the WebKit browser engine. However, Tor Browser is based on Firefox, which uses Mozilla's Gecko engine. This means that there can never be a version of Tor Browser for Apple mobile devices.

The Tor Project therefore recommends, as the next best thing, the Onion Browser by Mike Tigas. This developer works closely with the Tor Project team. The Onion Browser needs to be combined with the Orbot app to reach the Tor network. Beware of confusingly similarly named apps on the App Store!

Here is the link to the Onion Browser by Mike Tigas: https://apps.apple.com/us/app/onion-browser/id519296448.

Here is the link to Orbot by The Tor Project: https://apps.apple.com/us/app/orbot/id1609461599.

All of this leaves Tor on iOS a bit rough around the edges. If you can get it to work, then fine. If not, then there are better options.

2. Psiphon

Psiphon (賽風) is a Canadian company specializing in censorship circumvention. It started out in 2008 as a project of the University of Toronto's Citizen Lab. The code for Psiphon is open source.

Here is the link to Psiphon by Psiphon Inc.: https://apps.apple.com/us/app/psiphon/id1276263909.

3. Lantern

Lantern (蓝灯) is a U.S.-based censorship circumvention tool. It uses a variety of stealth protocols to penetrate firewalls. Lantern was used in Iran during the "Woman, Life, Freedom" protests and also in Russia during the recent surge in censorship. Lantern is open source.

Here is the link to Lantern by Brave New Software Project, Inc.: https://apps.apple.com/us/app/lantern-fast-secure-vpn/id1457872372.

4. Ultrasurf

Ultrasurf (无界浏览) is an old censorship circumvention tool which has been around since 2002. Originally designed for China, it has since been used in Iran, Saudi Arabia, Syria, Egypt, Burma, and Vietnam. Ultrasurf is closed source.

Here is the link to Ultrasurf VPN by UltraReach Internet Corp: https://apps.apple.com/us/app/ultrasurf-vpn/id1563051300.

5. Commercial VPNs

Censors usually block commercial VPNs, but sometimes they do work in some countries. Here are a couple of reputable paid VPNs that may or may not work in your country.

Proton VPN by Proton AG: https://apps.apple.com/us/app/proton-vpn-fast-secure/id1437005085.

Mullvad VPN by Mullvad VPN AB: https://apps.apple.com/us/app/mullvad-vpn/id1488466513.

6. Self-hosted Sing-box and Shadowrocket

There are many, many self-hosted solutions. This section will use the popular choices of Sing-box for the server and Shadowrocket for the client.

6.1. Sing-box server

Sing-box by SagerNet is a universal proxy platform supporting multiple protocols on one piece of software.

It is possible to set up a server without having access to a computer workstation, using only your phone ot tablet. A good choice for an SSH client on Apple mobile devices is Termius.

Here is the link to Termius Terminal & SSH client by Termius Corporation: https://apps.apple.com/us/app/termius-terminal-ssh-client/id549039908.

Now for setting up your server. The sing-box script from 233boy offers many choices of protocol (Shadowsocks, VMess, VLESS, Hysteria2, etc., etc., etc.). The script is hosted at https://github.com/233boy/sing-box. The documentation is in a blog post at https://233boy.com/sing-box/sing-box-script.

Following is how to create a Sing-box server using the sing-box script from 233boy.

SSH into your server as root.

Update the server:

apt update && apt upgrade -y && apt autoremove -y

Download and run the sing-box installer script from 233boy with the next command, as documented in the blog post mentioned above:

bash <(wget -qO- -o- https://github.com/233boy/sing-box/raw/main/install.sh)

At the end of its run, the script automatically generates a VLESS Reality configuration for you. It displays this configuration's details:

Let's suppose you do not want the default Reality configuration. You can delete it by issuing this command:

sb del reality

Then you decide you want a Reality HTTP/2 server listening on port 443. Of course, port 443 must be open in your firewall and/or server security groups for this to work. Issue the command specified in the blog post:

sb add rh2 443 auto dl.google.com

dl.google.com is the intended Server Name Indicator (SNI). The minimum standards for a Reality SNI are that it be an international website; that it support TLSv1.3 and HTTP/2; and that it have a URL that is not redirected elsewhere. The sing-box script has its own built-in suggestions for SNI. Here are some others you can try:

• https://www.apple.com
• https://www.amazon.com
• https://www.bing.com
• https://www.speedtest.net

The script displays the new Reality HTTP/2 configuration details:

If you ever forget this information and need to re-display it, issue the command:

sb info

6.2. Shadowrocket client

Shadowrocket is a popular choice on iOS devices (iPhone) and iPadOS devices (iPad). It supports a huge variety of protocols (Shadowsocks, VMess, VLESS, Hysteria2, etc., etc., etc.). One criticism is that, despite being a paid app, it does not always include the most up-to-date protocol variants.

Here is the link to Shadowrocket by Shadow Launch Technology Limited: https://apps.apple.com/us/app/shadowrocket/id932747118.

Pay for and install Shadowrocket.

Then copy, paste, and activate the connection from Shadowrocket like this:

1. Select and copy (Ctrl+c) your configuration's VLESS URL from Termius (it is the line beginning vless://).
2. Paste (Ctrl+v) your configuration's VLESS URL into Shadowrocket.
3. Tap Allow Paste to paste the VLESS URL into Shadowrocket from Termius.
4. Look for the configuration on the Home tab of Shadowrocket, under Local Servers.
5. Set Global Routing to Proxy.
6. Toggle the connection button to the on position.
7. Tap OK to allow the VPN profile to be installed.
8. Tap Allow to let Shadowrocket add a VPN configuration.
9. Your Shadowrocket client is connected to your Sing-box server. The connection button is toggled to the on position. A small VPN in a rectangular box appears toward the top right of your screen.