A comprehensive suite of Ansible-automated privacy protection solutions using Raspberry Pi, designed to protect Starlink users in Iran from identity correlation attacks.
- Author: Iman Samizadeh
- Licence: MIT
- Repository: https://github.com/Iman/javid-mask
- Last Updated: 2026-02-01
When a Starlink user in Iran accidentally visits an Iranian website, their identity can be exposed through cookies, browser fingerprints, or login sessions:
```
BEFORE (Normal Iranian ISP):
┌──────────────┐      ┌─────────────────┐
│ User         │─────►│ Iranian Website │
│ Cookie: Reza │      │ (digikala.com)  │
│ IP: Iran     │      │ Logs: Reza=Iran │
└──────────────┘      └─────────────────┘

AFTER (Starlink - DANGEROUS):
┌──────────────┐      ┌─────────────────┐
│ User         │─────►│ Iranian Website │
│ Cookie: Reza │      │ (digikala.com)  │
│ IP: USA!     │      │ Logs: Reza=USA!!│ ◄── RED FLAG
└──────────────┘      └─────────────────┘     "Reza has Starlink"
```
The risk: Iranian authorities can identify Starlink users by correlating:
- Same cookies/fingerprints + foreign IP = Starlink user identified
- Login sessions from foreign IPs = identity exposed
- Browser fingerprints (Canvas, WebGL) identify devices across IPs
This project provides three complementary architectures, each offering different levels of protection:
| Architecture | Sifter | Singleton | Triangle |
|---|---|---|---|
| Complexity | Simple | Moderate | Advanced |
| Primary Use | DNS Server | WiFi Gateway | VPN Gateway |
| WiFi Access Point | No | Yes | Yes |
| Proxy (VLESS/VMess) | No | Yes | No |
| VPN (WireGuard) | No | No | Yes |
| Traffic Encryption | DNS only | Full (via proxy) | Full (via VPN) |
| Exit IP | Your IP | Your IP | VPS IP |
| Kill Switch | No | No | Yes |
| VPS Required | No | No | Yes |
| DNS Filtering | 1.6M+ | 1.6M+ | 3.2M+ (double) |
| Iranian Domains Blocked | 131K+ | 131K+ | 131K+ |
| Iranian IPs Blocked | 763 CIDRs | 763 CIDRs | 763 CIDRs |
The simplest architecture - a pure DNS server that all your home devices point to.
Best for:
- Users wanting minimal setup
- Protecting all devices on existing network
- DNS-level blocking only
Features:
- Pi-hole DNS filtering (1.6M+ domains)
- Iranian domain blocking (131,576+ domains)
- Iranian IP blocking (763 CIDRs)
- DNS-over-HTTPS (Cloudflare)
- IPv6 leak prevention
```
Home Devices → DNS to Pi → Pi-hole → Cloudflared → Internet
                              ↓
                   Iranian domains blocked
```
View Singleton Documentation →
A self-contained WiFi access point with built-in proxy support for VLESS/VMess protocols.
Best for:
- Users needing isolated WiFi network
- Proxy protocol support (anti-DPI)
- Single-device deployment
Features:
- Isolated WiFi network (10.50.0.0/24)
- Pi-hole DNS filtering (1.6M+ domains)
- 3x-UI/Xray proxy (VLESS/VMess/Reality)
- Iranian IP/domain blocking
- DNS-over-HTTPS
```
WiFi Clients → WiFi AP → Pi-hole → nftables → Xray Proxy → Internet
                            ↓          ↓
                      DNS filtered  Iranian IPs blocked
```
View Triangle Documentation →
A distributed architecture with WireGuard VPN tunnel to a VPS, providing IP masking and kill switch.
Best for:
- Maximum privacy protection
- Geographic IP masking
- ISP surveillance protection
Features:
- WireGuard VPN tunnel to VPS
- Double Pi-hole (Pi + VPS)
- All traffic exits via VPS IP
- Kill switch (blocks if tunnel fails)
- Iranian IP/domain blocking on both nodes
```
WiFi Clients → WiFi AP → Pi-hole → WireGuard → VPS Pi-hole → Internet
                            ↓                       ↓
                    DNS filtered (2x)    Traffic exits via VPS IP
```
| Leak Type | Sifter | Singleton | Triangle |
|---|---|---|---|
| DNS Leak | DoH | DoH | Double DoH |
| IPv6 Leak | Disabled | Disabled | Disabled |
| Iranian Domain | 131K+ | 131K+ | 131K+ |
| Iranian IP | 763 CIDRs | 763 CIDRs | 763 CIDRs |
| Cookie Correlation | Blocked | Blocked | Blocked |
| WebRTC Leak | | | |
| IP Masking | No | No | VPS IP |
| Kill Switch | No | No | Yes |
| DPI Resistance | No | Reality | WireGuard |
All architectures protect at the network level (automatic), but some threats require browser configuration (manual):
```
NETWORK LEVEL (Automatic):
├── DNS filtering (Pi-hole)
├── Iranian domain blocking (131K+)
├── Iranian IP blocking (763 CIDRs)
├── DNS encryption (DoH)
└── IPv6 blocking

BROWSER LEVEL (User must configure):
├── WebRTC leak prevention
├── Canvas/WebGL fingerprinting
├── Cookie management
└── JavaScript fingerprinting
```
Some users may ask if a MikroTik router can provide the same protection. While MikroTik is excellent networking hardware, it has critical limitations for this privacy protection use case:
| Feature | MikroTik | Raspberry Pi | Winner |
|---|---|---|---|
| DNS Blocking (1.6M+ domains) | Max ~100K | 1.6M+ unlimited | Raspberry Pi |
| Iranian Domain Blocking (131K+) | Insufficient resources | Full support | Raspberry Pi |
| DNS-over-HTTPS (DoH) | | Full (Cloudflared) | Raspberry Pi |
| VLESS/VMess Proxy | Not supported | Xray with Reality | Raspberry Pi |
| Reality Protocol (Anti-DPI) | Not supported | Full support | Raspberry Pi |
| WireGuard VPN | Supported | Full support | Tie |
| Double DNS Filtering | Complex | Easy (Pi + VPS) | Raspberry Pi |
| Iranian IP Blocking (763 CIDRs) | Supported | Supported | Tie |
| Web Management | WebFig/WinBox | Pi-hole/3x-UI | Tie |
| Power Consumption | ~5W | | MikroTik |
| Cost | ~$50-100 | ~$80-120 (Pi 5 + SD) | Tie |
| Software Flexibility | | Full Linux | Raspberry Pi |
1. DNS Blocklist Capacity
MikroTik devices have hardware limits on DNS regex entries:
- Entry-level models: ~10,000 entries
- Mid-range models: ~50,000 entries
- High-end models: ~100,000 entries
Our use case requires:
- Pi-hole blocklists: 1.6M+ domains
- Iranian domains: 131,576+ domains
- Total: Need 1.7M+ domain capacity
2. No Proxy Protocol Support
MikroTik cannot:
- Run VLESS/VMess proxies
- Implement Reality protocol (anti-DPI)
- Act as Xray endpoint
- Provide application-layer obfuscation
3. DoH Limitations
- Only RouterOS v7+ supports DoH
- More complex configuration than Cloudflared
- Lower performance under heavy load
MikroTik is excellent for:
- Simple DNS filtering (thousands, not millions)
- WireGuard/IPsec routing
- Bandwidth management and QoS
- Enterprise networks with advanced switching
- Implementations needing IP blocking only
For our specific scenario (Starlink identity protection with comprehensive DNS filtering, Iranian domains, and proxy obfuscation), Raspberry Pi is the only practical choice.
- Sifter - If you want DNS-only protection with minimal setup
- Singleton - If you want WiFi AP with proxy support
- Triangle - If you want maximum protection with VPN and kill switch
| Component | Minimum | Recommended |
|---|---|---|
| Raspberry Pi | Pi 3B+ | Pi 5 (4GB) |
| MicroSD Card | 16GB Class 10 | 32GB A2 |
| Ethernet | 100Mbps | 1Gbps |
| Power Supply | 5V 2.5A | 5V 5A (Pi 5) |
| VPS (Triangle only) | 512MB RAM | 1GB+ RAM |
- Raspberry Pi OS (Debian 13 "Trixie" or newer)
- Ansible 2.9+ on control machine
- SSH access to Raspberry Pi
```
javid-mask/
├── README.md                 # This file
├── README.fa.md              # Persian documentation
│
├── sifter/                   # DNS-Only Architecture
│   ├── README.md
│   ├── README.fa.md
│   ├── ansible/
│   └── diagrams/
│
├── singleton/                # WiFi AP + Proxy Architecture
│   ├── README.md
│   ├── README.fa.md
│   ├── ansible/
│   └── diagrams/
│
└── triangle/                 # WiFi AP + VPN Architecture
    ├── README.md
    ├── README.fa.md
    ├── ansible/
    └── diagrams/
```
All architectures use the same comprehensive blocklists:
| Source | Type | Count | Updates |
|---|---|---|---|
| bootmortis/iran-hosted-domains | Domains | 131,576+ | Weekly |
| liketolivefree/iran_domain-ip | Domains | ~50,000 | Weekly |
| herrbischoff/country-ip-blocks | IPs | 763 CIDRs | Daily |
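The domain list and the CIDR list act at different layers, and a connection that slips past one can still be stopped by the other. The following is an added example, not code from the javid-mask repository: it classifies connection attempts by the first layer that stops them. The blocklist entries, addresses and function names are constructed (reserved example names and RFC 5737 ranges), and the exact-versus-subdomain switch is an assumption about how the DNS list is matched.

```python
import ipaddress

# Constructed sample data: reserved example names and RFC 5737 documentation
# ranges stand in for the real domain and CIDR blocklists.
BLOCKED_DOMAINS = {"shop.example", "bank.example"}
BLOCKED_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"]


def domain_blocked(hostname, blocked=BLOCKED_DOMAINS, subdomains=False):
    """DNS layer: exact match, or parent-domain match when subdomains=True."""
    labels = hostname.rstrip(".").lower().split(".")
    if not subdomains:
        return ".".join(labels) in blocked
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def ip_blocked(address, cidrs=BLOCKED_CIDRS):
    """Firewall layer: True if address is inside any blocked CIDR."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def verdict(hostname, address, subdomains=False):
    """Name the first layer that stops a connection to hostname at address."""
    if hostname and domain_blocked(hostname, subdomains=subdomains):
        return "blocked-dns"
    if ip_blocked(address):
        return "blocked-ip"
    return "allowed"


def audit(connections, subdomains=False):
    """Map each (hostname, address) pair to its verdict."""
    return {c: verdict(*c, subdomains=subdomains) for c in connections}


# Constructed connection attempts, one per case worth checking.
SAMPLES = [
    ("shop.example", "192.0.2.10"),          # listed name
    ("login.shop.example", "192.0.2.11"),    # unlisted subdomain, blocked range
    ("cdn.example.net", "198.51.100.7"),     # unlisted name, blocked range
    ("cdn.example.net", "198.51.100.200"),   # outside the /25, not blocked
    (None, "192.0.2.99"),                    # direct-to-IP, no DNS lookup at all
]

if __name__ == "__main__":
    for conn, result in audit(SAMPLES).items():
        print(conn, "->", result)
```

The unlisted subdomain and the direct-to-IP case never match the DNS list under exact matching, so only the CIDR layer stops them.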
Network-level protection blocks Iranian connections, but browser-level threats require manual configuration:
```
about:config settings:
├── media.peerconnection.enabled → false (Disable WebRTC)
├── privacy.resistFingerprinting → true (Anti-fingerprinting)
├── network.dns.disableIPv6 → true (Disable IPv6 DNS)
├── geo.enabled → false (Disable geolocation)
└── privacy.trackingprotection.enabled → true
```
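Because these settings are applied by hand, it helps to check a profile against the list. The following is an added example, not code from the javid-mask repository: it parses the `user_pref(...)` lines of a Firefox `prefs.js` or `user.js` file and reports which of the five settings above are correct, wrong or never set. The sample file content and the function names are constructed for the demonstration.

```python
import json
import re

# Hardening values listed on this page for about:config.
REQUIRED = {
    "media.peerconnection.enabled": False,
    "privacy.resistFingerprinting": True,
    "network.dns.disableIPv6": True,
    "geo.enabled": False,
    "privacy.trackingprotection.enabled": True,
}

# Matches one line of a Firefox prefs.js / user.js file.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything unparseable
        try:
            prefs[m.group(1)] = json.loads(m.group(2))  # true/false/int/"str"
        except ValueError:
            prefs[m.group(1)] = m.group(2)  # keep raw text if not JSON-like
    return prefs


def audit_prefs(text, required=REQUIRED):
    """Return {name: status}: 'ok', 'wrong', or 'unset' (not in the file)."""
    prefs = parse_prefs(text)
    report = {}
    for name, want in required.items():
        if name not in prefs:
            report[name] = "unset"
        else:
            # Identity check so a string "true" or an int 1 does not pass.
            report[name] = "ok" if prefs[name] is want else "wrong"
    return report


# Constructed prefs.js excerpt for the demonstration.
SAMPLE = '''
// Mozilla User Preferences
user_pref("media.peerconnection.enabled", false);
user_pref("privacy.resistFingerprinting", false);
user_pref("geo.enabled", false);
user_pref("browser.startup.page", 3);
user_pref("network.dns.disableIPv6", "true");
'''
```

A setting reported as `unset` is absent from the file, so the browser's own default applies and the value still has to be set by hand.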
| Extension | Purpose |
|---|---|
| uBlock Origin | Ad/tracker blocking, WebRTC control |
| NoScript | JavaScript control |
| Cookie AutoDelete | Automatic cookie cleanup |
MIT Licence
Copyright (c) 2026 Iman Samizadeh
- Pi-hole: https://pi-hole.net/
- WireGuard: https://www.wireguard.com/
- 3x-UI/Xray: https://github.com/MHSanaei/3x-ui
- Cloudflared: https://developers.cloudflare.com/
- Iranian Domains: https://github.com/bootmortis/iran-hosted-domains
- Iranian IPs: https://github.com/herrbischoff/country-ip-blocks
- Maintainer: Iman Samizadeh
- Project: javid-mask (Starlink Privacy Protection Suite)