This CpC guide is, in our view, important because in countries like Iran the risk is neither abstract nor theoretical. This is not about digital privacy in the comfortable European sense of the word, nor about protecting data from advertising or companies. It is about protecting real people from arbitrary detention, coercion of family members, forced confessions and charges built from minimal traces. In this context, a small technical mistake or a naïve decision can have very concrete physical, legal and family consequences.

The Iranian regime does not rely only on sophisticated technology. It relies above all on human control, fear, psychological pressure and guilt by association. A computer history, an installed application, a forgotten file, a repeated connection pattern or the mixing of personal life with sensitive activity are often enough to turn suspicion into accusation. Technology is used as a pretext; repression is carried out by people.

That is why “miracle” solutions are dangerous. VPNs sold as total invisibility, simplistic tutorials or heroic talk about bypassing censorship ignore the operational reality on the ground. In Iran, it is not enough to get online. You must ensure that when the connection fails, when a device is seized or when someone knocks on the door, there is no local evidence that compromises the user or third parties. The priority is not speed or convenience. It is discreet survival.

This guide starts from that harsh and old premise: always assume the worst-case scenario. Assume that any network may be monitored, any device may be confiscated and any session may be the last before a raid. From there, it organises tools like TAILS, Tor, Psiphon and Conduit not as symbols of digital resistance, but as pragmatic instruments, each with a limited and well-defined role.

The importance of this text lies precisely in refocusing the discussion. It is not about “hacking” the regime, nor about technological bravado. It is about reducing harm, avoiding common mistakes and protecting ordinary people who just want to communicate, get information or help others without putting their families at risk. In repressive contexts, badly applied digital security is worse than none at all. This guide exists to avoid that.

That said, it must be understood that the TAILS + Psiphon + Conduit combination makes sense only if it is thought of as layers with different functions, not as a magic solution. Used naïvely, they can even cancel out each other’s advantages. Used with discipline, they complement each other well.

The starting point is understanding the role of each piece. Tails OS is the base of physical and forensic security. Its purpose is not to “break censorship”, but to leave no trace, protect against equipment seizure and drastically reduce the impact of a detention or raid. Tor inside TAILS handles anonymisation and dissociation between user, device and traffic destination. Psiphon and Psiphon Conduit exist for a different problem: bypassing active and unstable blocking when Tor is degraded, blocked or too slow.

The golden rule is this: TAILS remains the operating system, Tor remains the base anonymity layer, Psiphon only comes in as an access layer when Tor does not get through. Reversing this is a common mistake.

In a realistic Iranian scenario, the user always boots into TAILS from a USB stick, never from an operating system installed on a disk. This ensures that every session starts “clean”. The first connection attempt should always be via Tor, using bridges if necessary. This keeps the threat model as robust as possible, because Tor was designed to minimise traffic correlation and structural exposure.

Psiphon comes in when Tor simply does not connect or is under aggressive blocking. Here there is a critical point that many people ignore: Psiphon does not replace Tor in terms of anonymity. The project itself is clear about this. Psiphon prioritises availability, not total invisibility. Therefore, the correct way to combine them is to use Psiphon as an initial access tunnel and, whenever possible, layer Tor on top. In practical terms, Psiphon provides basic connectivity outside the national blockade, and sensitive traffic continues to be handled through the Tor Browser inside TAILS.

Conduit adds another dimension. When someone outside Iran provides a Conduit, they are creating an additional exit point, decentralised and less predictable, which helps fragment censorship. For those inside Iran, this increases the chances of finding a working path in a dynamic blocking environment. From the end user’s point of view, this does not change operational discipline: you still boot into TAILS, still assume the device may be seized, still do not trust persistence of anything.

Where this really matters is indirect physical security. The Iranian regime makes heavy use of “guilt by association”: computer histories, installed apps, connection logs, residual files. TAILS cuts this off almost at the root. Even if the regime can prove that someone used Psiphon or Tor from a given network, the absence of local evidence makes it much harder to turn technical suspicion into a concrete accusation, especially when they want to pressure families or third parties.

There is also an often underestimated aspect: visual and social behaviour. Using TAILS with a banal appearance, not opening “strange” tools in public, not mixing personal accounts with sensitive activities and not reusing patterns are measures just as important as the technology itself. Repression in Iran is not only algorithmic; it is human, opportunistic and fear-based.

In short, the correct combination is not technological, it is conceptual. TAILS protects the user’s body and health, and their family, while Tor protects identity; Psiphon and Conduit protect connectivity when the network is under attack. Mixing these roles or trusting too much in a single layer is what creates real risk.

---

A practical, conservative how-to for people in Iran, focused on physical security first and without romanticising technology. Not for “hackers”, but for ordinary people trying not to put their families at risk.

1. The starting point is to accept a hard reality: any device can be seized and any network can be monitored. The goal is not to be invisible; it is to leave no local evidence and reduce easy correlations.
2. Always start by using a computer that is not exclusively yours, if possible outside your home. An old laptop, a borrowed or shared device, or a public PC reduces the risk of direct association. Never install anything on the disk. Always boot from a USB stick with Tails OS. If you shut down the computer, the session ends, the memory ends, the trace ends. This is what protects your home and your family in a raid.
3. After booting TAILS, connect to the internet in the most banal way possible. Public Wi-Fi, shared networks, nothing that screams “activism”. The first attempt should always be via Tor, using the system’s own Tor Browser. Tor is not perfect, but it remains the best way to separate who you are from what you do online. If Tor connects, stay there. Do not complicate it.
4. When Tor does not connect, is far too slow or is clearly blocked, Psiphon comes in. Use it only as an access bridge, not as a guarantee of anonymity. Psiphon exists to bypass censorship, not to make you invisible. The idea is simple: Psiphon helps you exit the national network, and within that connection you continue to use the Tor Browser for anything sensitive. Do not log into personal accounts outside Tor just because “it works now”.
5. If you have access to routes via Psiphon Conduit, treat that as just another possible route, not as something special or inherently safe. For you, the end user, discipline does not change. Do not assume extra trust just because the connection worked. Conduit helps the network survive; it does not remove the need for basic precautions.
6. During the session, do less, not more. Do not open ten tabs. Do not download files unless strictly necessary. Do not store documents locally. Read, send, close. Avoid repeated patterns of time and place. Repressive surveillance feeds on predictable routines.
7. When you are done, close everything and shut down the computer. Do not suspend, do not hibernate, shut it down fully. Remove the USB stick and store it separately from the computer. If there is pressure, fear or suspicion, assume the USB stick may have to disappear. The system was designed for that.
8. In public spaces, pay attention to the screen. Use banal visual settings. An environment that looks like “normal Windows” avoids unnecessary questions. In Iran, many approaches start with human curiosity, not sophisticated technology.
9. There is one final rule that matters more than any software: do not mix lives. Activism never in the same session as personal email, personal social networks or family contacts. One mistake like that cancels half of the technical protections.

This is not digital heroism. It is old-fashioned prudence applied to modern technology. TAILS exists to protect people when everything else fails. Tor exists to dilute identities. Psiphon and Conduit exist for when the network is under attack. If each thing stays in its place, risk goes down. If you start improvising, risk rises fast.