V2Ray functions as a modular proxy platform, not a single “VPN protocol,” so security outcomes depend more on configuration choices and the server operator than on the V2Ray software name alone. 1
Public evidence supports a generally serious engineering posture for the upstream V2Ray community codebase through a funded 2024 penetration test and whitebox review commissioned by 2 and executed by 1. Audit findings focused mainly on fingerprinting and hardening gaps rather than on a direct “data theft” mechanism. 3
Risk for users across 4 clusters: state-level network visibility and blocking capabilities, unsafe client distribution channels (trojanized “VPN” installers), and trust gaps around local resellers who control the server side and user accounting. Research and reporting describe deep packet inspection, selective protocol blocking, and whitelisting-style restrictions as recurring Iranian techniques, especially during crisis periods. 5
Searches did not uncover credible, sourced evidence that V2Ray upstream maintainers operate under Iranian government control, nor did they uncover credible reporting linking the specific seller contact “@cafinetalmas_admin” to Iranian security organs. Available open-source indicators point instead to a small local business channel associated with an internet café. Still, a domestic provider inside Iranian jurisdiction faces substantial coercion risk and logging/identification pressure under Iran’s tightening policy environment. 6
Advertisement claims and provider attribution
Advertising materials tie the offer to a V2Ray “config” subscription, branded as “V2RAY / V2RAY config,” and promoted through a Telegram channel that lists the contact “@cafinetalmas_admin.” The same post claims: fast configs, “easy and without disconnection,” unlimited users, “national internet” compatibility, Android/iPhone/Windows support, compatibility with all Iranian ISPs, international servers with fixed IPs, volume and subscription-time visibility, high security, low ping, and 24-hour support. 6
The uploaded Persian PDF price sheet lists the Instagram page as “almascafinet” and advertises “unlimited users” across multiple plans with defined volume (GB) and validity (days).
Open web listings connect “almascafinet” and “@cafinetalmas_admin” to a physical internet café business, 7, rather than to a formally branded VPN company. 8
Extracted plan details from the PDF price sheet
The PDF advertises “unlimited users” across all plans and varies pricing by data cap and duration.
| Plan validity | Data cap | Users | Advertised price (toman) |
| --- | --- | --- | --- |
| 30 days | 20 GB | “unlimited” | 95,000 |
| 30 days | 30 GB | “unlimited” | 135,000 |
| 30 days | 40 GB | “unlimited” | 180,000 |
| 30 days | 50 GB | “unlimited” | 220,000 |
| 30 days | 60 GB | “unlimited” | 265,000 |
| 30 days | 70 GB | “unlimited” | 305,000 |
| 30 days | 100 GB | “unlimited” | 395,000 |
| 30 days | 200 GB | “unlimited” | 780,000 |
| 30 days | 300 GB | “unlimited” | 1,185,000 |
| 60 days | 40 GB | “unlimited” | 195,000 |
| 60 days | 60 GB | “unlimited” | 280,000 |
| 60 days | 80 GB | “unlimited” | 375,000 |
| 60 days | 100 GB | “unlimited” | 405,000 |
| 60 days | 120 GB | “unlimited” | 505,000 |
| 60 days | 150 GB | “unlimited” | 610,000 |
| 60 days | 200 GB | “unlimited” | 790,000 |
| 60 days | 300 GB | “unlimited” | 1,195,000 |
| 90 days | 60 GB | “unlimited” | 295,000 |
| 90 days | 80 GB | “unlimited” | 360,000 |
| 90 days | 90 GB | “unlimited” | 405,000 |
| 90 days | 100 GB | “unlimited” | 450,000 |
| 90 days | 120 GB | “unlimited” | 535,000 |
| 90 days | 150 GB | “unlimited” | 675,000 |
| 90 days | 180 GB | “unlimited” | 715,000 |
| 90 days | 200 GB | “unlimited” | 825,000 |
| 90 days | 300 GB | “unlimited” | 1,250,000 |
Interpretation note: sellers in this market often refer to subscription links, UUID-based profiles, or server access credentials as “کانفینگ / config.” The term does not imply a standard consumer VPN provider with audited policies, independent reviews, and published transparency reporting. 6
V2Ray architecture and what “security” means in practice
V2Ray comes from the Project V ecosystem, and the 2 community maintains the mainstream open-source “v2ray-core” implementation. Upstream documentation describes a single V2Ray process that accepts traffic through one or more “inbounds,” applies routing/dispatch logic, and forwards traffic through one or more “outbounds.” 4
Simplified architecture diagram (figure not reproduced; surviving label: Public Internet destination (HTTPS sites, apps, APIs))
Upstream documentation treats inbounds/outbounds and routing as first-class design features, and notes that a single server instance supports multiple devices and traffic-splitting rules after configuration. 4
Encryption layers in typical V2Ray deployments
Security marketing often compresses three different protections into one word:
TLS often provides network-path confidentiality between the device and the proxy server at the transport layer (“streamSettings.security: tls”). Documentation lists TLS as an optional transport security mode and notes Go-based TLS support, including TLS 1.3. 9
Payload confidentiality inside the V2Ray protocol depends on the selected protocol and settings. VMess configuration documentation lists authenticated-encryption options, including aes-128-gcm and chacha20-poly1305, and allows none (no payload encryption). 10
Misconfiguration risk remains concrete. VMess inbound settings include an option to reject insecure client encryption settings (disableInsecureEncryption), which otherwise defaults to allowing weaker modes unless operators change it. 10
VLESS has a different security story. VLESS documentation emphasizes that VLESS itself does not provide encryption and relies on TLS for confidentiality; documentation also flags deprecation status and points users toward alternatives. 11
Privacy boundary that matters most
Server operators sit at the trust chokepoint. Encryption between the device and the server blocks ISP content inspection, but the server still sees the client’s IP address, connection timing, and data volume. Application-layer encryption (HTTPS) protects content from the proxy server for modern encrypted sites, yet the proxy server still observes metadata such as destination IP and traffic patterns, and the proxy server performs DNS resolution in many configurations unless the client applies strict DNS handling. 4
Security posture of upstream V2Ray and known weaknesses
Funded audit results and what they imply
The 2024 audit, funded by 2, describes a penetration test and whitebox review of V2Ray, executed over 32 working days and defined as the first such penetration test for the project. The audit team reported 3 “identified vulnerabilities” and 7 hardening recommendations, plus a supply-chain review aligned to SLSA guidance. 3
Findings matter for Iranian users because censors often rely on traffic identification as much as on decryption. The audit describes multiple fingerprinting and denial-of-service scenarios involving TLS handshake fingerprints (JA3) and HTTP behavior, and proposes randomization and stricter adherence to RFCs to make identification harder. 3
One medium-severity item describes a fingerprinting vector created by an HTTP proxy default that strips the User-Agent header (setting it to an empty string), creating an unusual signature relative to typical clients. 3
Another medium-severity item describes the identification of V2Ray servers via Keep-Alive header handling that violates RFC behavior and leaks proxy traits, aiding fingerprinting. 3
A low-severity item flags a TLS minimum-version mismatch risk in Go defaults when configurations omit MinVersion, leading servers to default to TLS 1.0 unless operators set explicit minimums, which creates downgrade and interception exposure under some attack conditions. 3
Configuration pitfalls documented by upstream maintainers
Upstream release notes warn that “allowInsecure” TLS settings without certificate pinning fail to protect data against interception from a privileged network position, such as an ISP or censorship infrastructure. The same advisory also warns of risk amplification when users combine allowInsecure with unprotected protocols or unencrypted settings, such as VLESS, VMess “none/zero,” or Trojan, which can expose plaintext data and even proxy credentials. 12
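An added example (not code from V2Ray or from the upstream advisory) that lints a v2ray-core JSON config for the combinations described above and under the encryption layers: missing TLS, `allowInsecure` without a pin, VMess `none`/`zero`, and VMess inbounds that leave `disableInsecureEncryption` off. The finding names, the sample config and the treatment of a missing VMess `security` value as `auto` are assumptions of this example; `pinnedPeerCertificateChainSha256` is the v2fly `tlsSettings` pinning key.

```python
import json

PROXY_PROTOCOLS = {"vmess", "vless", "trojan"}
VMESS_NO_ENCRYPTION = {"none", "zero"}  # modes the upstream advisory treats as unencrypted

# Constructed sample (hosts, tags, ids and the pin value are placeholders).
SAMPLE = json.loads("""
{
 "inbounds": [{"tag": "vmess-in", "protocol": "vmess", "settings": {"clients": []}}],
 "outbounds": [
  {"tag": "vmess-none-insecure", "protocol": "vmess",
   "settings": {"vnext": [{"address": "proxy.example", "port": 443,
     "users": [{"id": "00000000-0000-0000-0000-000000000000", "security": "none"}]}]},
   "streamSettings": {"network": "ws", "security": "tls",
     "tlsSettings": {"allowInsecure": true}}},
  {"tag": "vless-no-tls", "protocol": "vless",
   "settings": {"vnext": [{"address": "proxy.example", "port": 80,
     "users": [{"id": "00000000-0000-0000-0000-000000000000", "encryption": "none"}]}]},
   "streamSettings": {"network": "tcp", "security": "none"}},
  {"tag": "vmess-ok", "protocol": "vmess",
   "settings": {"vnext": [{"address": "proxy.example", "port": 443,
     "users": [{"id": "00000000-0000-0000-0000-000000000000", "security": "aes-128-gcm"}]}]},
   "streamSettings": {"network": "ws", "security": "tls", "tlsSettings": {}}},
  {"tag": "trojan-pinned", "protocol": "trojan",
   "settings": {"servers": [{"address": "proxy.example", "port": 443, "password": "x"}]},
   "streamSettings": {"security": "tls", "tlsSettings": {"allowInsecure": true,
     "pinnedPeerCertificateChainSha256": ["PLACEHOLDER_PIN"]}}},
  {"tag": "direct", "protocol": "freedom"}
 ]
}
""")

def payload_encrypted(outbound):
    """True only for VMess outbounds where every user selects an encrypting mode."""
    if outbound.get("protocol") != "vmess":
        return False  # VLESS and Trojan rely on TLS for confidentiality
    users = [u for server in outbound.get("settings", {}).get("vnext", [])
             for u in server.get("users", [])]
    # Assumption of this example: a missing "security" value means "auto".
    return bool(users) and all(
        u.get("security", "auto") not in VMESS_NO_ENCRYPTION for u in users)

def audit_outbound(outbound):
    """Return finding names for one proxy outbound (empty list = nothing flagged)."""
    stream = outbound.get("streamSettings", {})
    tls_on = stream.get("security") == "tls"
    tls = stream.get("tlsSettings", {}) if tls_on else {}
    # allowInsecure is only tolerated when a certificate-chain pin is configured.
    unverified = bool(tls.get("allowInsecure")) and not tls.get(
        "pinnedPeerCertificateChainSha256")
    encrypted = payload_encrypted(outbound)
    if not tls_on:
        return ["NO_TLS" if encrypted else "NO_TLS_PLAINTEXT"]
    if unverified:
        return ["UNVERIFIED_TLS" if encrypted else "UNVERIFIED_TLS_PLAINTEXT_INSIDE"]
    return []

def audit_inbound(inbound):
    """Flag VMess inbounds that still accept clients using insecure encryption."""
    settings = inbound.get("settings", {})
    if inbound.get("protocol") == "vmess" and not settings.get(
            "disableInsecureEncryption", False):
        return ["VMESS_INBOUND_ALLOWS_INSECURE_ENCRYPTION"]
    return []

def audit_config(config):
    """Map each proxy outbound tag (and each flagged inbound tag) to its findings."""
    report = {}
    for i, ob in enumerate(config.get("outbounds", [])):
        if ob.get("protocol") in PROXY_PROTOCOLS:
            report[ob.get("tag", f"outbound[{i}]")] = audit_outbound(ob)
    for i, ib in enumerate(config.get("inbounds", [])):
        findings = audit_inbound(ib)
        if findings:
            report[ib.get("tag", f"inbound[{i}]")] = findings
    return report

if __name__ == "__main__":
    for tag, findings in audit_config(SAMPLE).items():
        print(tag, findings or "ok")
```

The check only recognises `"security": "tls"` as transport protection, so any other transport security value is reported as missing TLS and needs a manual look.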
Historical protocol weaknesses and subsequent mitigation
Independent researchers documented VMess weaknesses in 2020 that supported replay-based probing and fingerprinting, along with TLS client-hello fingerprints and HTTP mimic issues that aided identification. 13
The Tor Project anti-censorship team’s 2020 discussion summarized a VMess replay/active-probing weakness and described upstream fixes that focused on “draining” behavior rather than immediate close patterns, specifically to complicate replay-and-observe probes. 14
Publicly tracked vulnerabilities
Public advisories list at least one high-severity memory safety issue in older v2ray-core versions (off-by-one error) tracked as CVE-2021-4070 / GHSA-4cxw-hq44-r344, which affected versions before 4.44.0. 15
The upstream project security policy documentation states that the 16 master branch receives the primary focus on features and security maintenance due to limited resources and project complexity, reinforcing the need for current versions and cautious downstream packaging. 17
Iranian threat model and practical risk to users
State capability relevant to VPN/proxy users
Research describes Iranian information controls supported by a centralized architecture capable of DNS poisoning and traffic interception, plus periods of protocol whitelisting and selective protocol blocking during crisis events. 5
The 6 has played a central policy role in tightening VPN control, and reporting describes a legal/regulated VPN model coupled with approval requirements. 2
Mobile network surveillance research by 16 describes an Iranian mobile “legal intercept” vision that integrates into operator systems and, if fully implemented, enables state authorities to monitor and intercept large portions of mobile communications. That capability increases risk for any tool that relies on Iran-based infrastructure or Iran-based service providers. 18
Malware and client-distribution risk in Iran
Iranian users face recurring supply-chain threats through trojanized “VPN installers.” 4 documented “EyeSpy” spyware deliveries through VPN installers targeting Iranian users and described evidence pointing to Iran-focused victim distribution. 19
Reporting in 2025 described Iran-linked Android spyware campaigns that disguised themselves as VPN apps and spread via file-sharing channels, including distribution through Telegram-hosted APK sharing. 20
Practical implication: trusted client sourcing matters as much as protocol choice. Official app stores and upstream release channels provide clearer provenance than random APK reposts. 21
Trust assessment of the advertised seller
Open-source checks connected “@cafinetalmas_admin” to marketing posts for V2Ray configs and to a local internet café identity, not to a known state agency front. 6
Searches did not yield credible investigative reporting, court records, or reputable security write-ups alleging Iranian government affiliation for the seller’s identity or for V2Ray upstream itself. The absence of evidence does not remove coercion risk for any seller operating inside Iran’s legal and surveillance environment. 2
Domestic-provider risk follows a simple logic: Iranian authorities already control major network chokepoints and enforce regulation against unauthorized circumvention tools, so a reseller operating inside Iran likely faces higher compliance pressure than an operator outside Iran. 2
Claim-by-claim evaluation of the advertisement
The table below treats the advertised claims as operational assertions rather than as cryptographic guarantees. Evidence comes from the ad itself, plus upstream documentation and research describing Iranian network conditions. 6
| Advertisement claim | Mechanism that could produce it | User-verifiable signals | Main risks and failure modes |
| --- | --- | --- | --- |
| “Fast” and “without disconnection.” | Low server load, good routing, modern transports that blend with HTTPS, tuned MTU/DNS | consistent speed tests across several hours; stable latency to multiple destinations | Iran’s throttling, selective blocking, and whitelisting periods break consistency; oversold servers raise congestion 5 |
| “Unlimited users” | Shared credentials or a panel that allows multiple simultaneous sessions | The service keeps working on several devices at the same time | Heavy shared use increases detection and IP blocking pressure; shared credentials reduce accountability and increase tracing risk inside the provider’s logs 6 |
| “Works with the national internet.” | Ambiguous: domestic relay nodes or routing that survives a partial shutdown | connectivity during periods when foreign access degrades | Domestic relays inside Iran raise coercion and monitoring risk; whitelisting periods often restrict outbound protocols altogether 6 |
| Android / iPhone / Windows support | third-party clients and subscription links | clients available via GitHub or app stores; subscription imports | iOS clients vary; many iOS clients remain closed-source; unofficial APK sources raise spyware risk 22 |
| “Compatible with all Iranian ISPs” | multi-transport rotation (WS/gRPC/TCP), fallback nodes, frequent IP changes | works on at least two different networks (mobile + fixed) | ISP-specific blocking still happens; fingerprinting and JA3-based blocks target recognizable TLS handshakes 3 |
| “International servers with fixed IP” | VPS servers outside Iran with static IP addresses | IP geolocation reflects the advertised region; consistency across days | Fixed IP blocks grow easier for censors; traffic concentration triggers bans; fixed IP increases attribution stability 6 |
| “See data volume and subscription time.” | user accounting in server panel and telemetry | dashboard screenshots; accurate decrementing | accounting implies user records; records enable correlation of user activity with times and IPs 6 |
| “High security” | TLS transport, VMess AEAD payload encryption, strict certificate validation, modern defaults | TLS errors on MITM attempts; no use of allowInsecure; recent core versions | allowInsecure without pinning enables interception; VMess allows “none”; VLESS relies on TLS for encryption 12 |
| “Low ping” | nearby exit locations, good peering | stable latency to multiple regions | national throttling and congestion override server quality 5 |
| “24-hour support” | operator staffing | response times and problem resolution history | support requires identity/contact and increases personal-data exposure to the seller 6 |
Comparison with other tools commonly used in Iran
Iranian users rely on a shifting mix of proxies and VPNs because Iranian censors adapt quickly and target recognizable protocol fingerprints. Academic and measurement work describes DPI-based analysis of TLS/VPN protocols, and recent reporting describes occasional success for Psiphon, Tor Snowflake, and WireGuard-based tools during restrictive periods. 23
Comparative chart
Judgments below reflect typical trust boundaries and documented censorship pressures rather than guarantees of performance in any given week.
| Tool family | Primary trust boundary | Strengths relevant to Iranian users | Common weaknesses in Iran |
| --- | --- | --- | --- |
| V2Ray / Xray-style proxies (VMess/VLESS + TLS/WS/gRPC/Reality) | server operator controls logs and routing | flexible transports that mimic common web traffic; rich routing and protocol mix; active community focus on censorship evasion 24 | fingerprinting risk (JA3, HTTP traits); misuse of allowInsecure breaks confidentiality; reseller trust dominates safety 3 |
| WireGuard-based VPN | VPN provider controls server; protocol simplicity reduces code complexity | strong academic cryptographic analysis and formal proofs; simple design and small attack surface claims in official materials 25 | Iranian blocking often targets UDP and recognizable VPN patterns; simple protocol does not equal censorship resistance 16 |
| OpenVPN-style VPN | VPN provider controls server; TLS-based handshake | mature ecosystem and extensive documentation | DPI often identifies TLS VPN handshakes, performance overhead, and easier recognition under aggressive filtering 26 |
| Shadowsocks / Outline | server operator controls logs; protocol often simpler than V2Ray stacks | Outline server runs Shadowsocks and provides managed access keys; service-provider guidance exists for WebSockets transport 27 | protocol fingerprinting and probing threats in adversarial environments; static IP blocks happen quickly under sustained use 28 |
| Tor + Snowflake/WebRTC transports | The Tor network reduces reliance on a single operator | Snowflake research describes volunteer WebRTC proxies that increase blocking cost; Tor community documents active anti-censorship work 7 | performance often degrades; Iran blocks Tor at times and applies selective protocol blocks during crisis periods 16 |
| Psiphon-style systems | Psiphon operator infrastructure | large-scale adoption in Iran has historical measurement support; research documents evolving censorship tactics against Psiphon 29 | operator trust still matters; censors adapt over time and target access mechanisms 30 |
Judgment on safety and trustworthiness for Iranian users
V2Ray upstream software merits cautious confidence as an open-source proxy platform with sustained community maintenance and a recent funded audit that identified mostly hardening and fingerprinting issues, not a built-in extraction channel for user data. 3
High-risk failure modes appear most often when users accept unsafe settings or trust unsafe distribution channels. Upstream maintainers explicitly warn that TLS “allowInsecure” without certificate pinning exposes user data to interception, and the VMess configuration documentation shows that some modes turn off payload encryption entirely. 12
Provider trust dominates the outcome for the specific advertised service. The contact “@cafinetalmas_admin” appears tied to a local internet café brand and a Telegram marketing channel rather than to a formally audited VPN company, and public sources do not show credible evidence of direct Iranian government affiliation. 6
Coercion and surveillance risk remain structurally high for any Iran-based operator. Iranian policy and technical reporting describe strong state control over network chokepoints, pressure toward regulated VPN access, and sophisticated traffic control and interception architectures, which collectively raise the probability that a domestic reseller logs user metadata and yields to state demands when pressured. 2
V2Ray software provides a flexible proxy platform with strong security potential under correct configuration, supported by a credible third-party 2024 audit that reports 3 identified vulnerabilities and 7 hardening recommendations, plus ongoing security advisories and versioning guidance from V2Fly. 4
Security and privacy outcomes depend more on configuration correctness and server operator trust than on the V2Ray brand label. VMess permits “none” payload encryption, VLESS provides no encryption without TLS, and insecure TLS validation settings create a direct interception risk without certificate pinning. 12
Open evidence does not show Iranian government control of upstream V2Ray development, and open evidence ties @cafinetalmas_admin to a local internet café business in Pardis rather than to a known security institution. Domestic jurisdiction and Iran’s surveillance capabilities still generate high structural risk for any Iran-based reseller, especially during “national internet” periods when authorities tighten control and whitelisting patterns intensify. 6
Overall assessment: V2Ray, as open-source software, reaches a strong security baseline when users select TLS transport, enforce certificate validation, avoid insecure encryption modes, and keep cores updated. The specific reseller offer advertised through the Iranian Militarism Telegram channel deserves heightened caution due to limited transparency, strong incentives for logging and account management, and Iran’s coercive environment for operators. 36
- Almas Cafinet. (n.d.). V2RAY config price list [PDF, in Persian]. Instagram: almascafinet.
- ARTICLE 19. (2024, August). Tightening the Net: The Supreme Council of Cyberspace and Iran’s internet governance [PDF]. https://www.article19.org/wp-content/uploads/2024/08/Supreme-Council-of-Cyberspace_final-3.pdf
- Asr Iran. (2025, September 22). How does Tel Aviv track you? / The Supreme Council of Cyberspace put users in an espionage trap [in Persian]. https://www.asriran.com/fa/news/1096189/
- Balad. (n.d.). Almas internet café | Pardis Phase 8; address, phone, working hours [in Persian]. https://balad.ir/p/%DA%A9%D8%A7%D9%81%DB%8C-%D9%86%D8%AA-%D8%A7%D9%84%D9%85%D8%A7%D8%B3_internet-cafe-6Jqk6f8BRJr29Q
- Bitdefender. (2023, January 11). EyeSpy: Iranian spyware delivered in VPN installers. https://www.bitdefender.com/en-us/blog/labs/eyespy-iranian-spyware-delivered-in-vpn-installers
- Bitdefender. (2023, January). EyeSpy VPN: Iranian spyware delivered in VPN installers [White paper PDF]. https://www.bitdefender.com/files/News/CaseStudies/study/427/Bitdefender-PR-Whitepaper-EyeSpyVPN-creat625-en-EN.pdf
- Citizen Lab. (2023, January 16). Uncovering Iran’s mobile legal intercept system. https://citizenlab.ca/research/uncovering-irans-mobile-legal-intercept-system/
- Citizen Lab. (2019, March 18). Iranian censorship strategy shows increasing political sophistication, research reveals. https://citizenlab.ca/iranian-censorship-strategy-shows-increasing-political-sophistication-research-reveals/
- Deibert, R. (2019). Censors get smart: Evidence from Psiphon in Iran. Review of Policy Research. https://onlinelibrary.wiley.com/doi/abs/10.1111/ropr.12333
- Donenfeld, J. A. (2017). WireGuard: Next generation kernel network tunnel [PDF]. NDSS Symposium. https://www.ndss-symposium.org/wp-content/uploads/2017/09/ndss2017_04A-3_Donenfeld_paper.pdf
- Donenfeld, J. A. (n.d.). Formal verification of the WireGuard protocol [PDF]. https://www.wireguard.com/papers/wireguard-formal-verification.pdf
- Eitaa. (n.d.). Pardisan Guide [Channel page, in Persian]. https://eitaa.com/rahnamaye_pardisan
- GFW Report. (2020, June 16). Summary on recently discovered V2Ray weaknesses. https://gfw.report/blog/v2ray_weaknesses/en/
- GFW Report. (2020, October 7). How China detects and blocks Shadowsocks. https://gfw.report/publications/imc20/en/
- GitHub. (2022, February 23). Off-by-one error in v2fly/v2ray-core (CVE-2021-4070; GHSA-4cxw-hq44-r344). https://github.com/advisories/GHSA-4cxw-hq44-r344
- GitHub. (n.d.). v2fly/v2ray-core security overview. https://github.com/v2fly/v2ray-core/security
- GitHub. (n.d.). v2fly/v2ray-core repository. https://github.com/v2fly/v2ray-core
- GitHub. (n.d.). v2fly/v2ray-core Discussion #915 (release notes and security notes). https://github.com/v2fly/v2ray-core/discussions/915
- Google (Apple App Store). (n.d.). Shadowrocket [App listing]. https://apps.apple.com/my/app/shadowrocket/id932747118
- Joshua Hu. (2025, June 18). On Iranian censorship, bypasses, browser extensions, and circumvention methods. https://joshua.hu/iranian-browser-extension-addon-censorship-bypasses
- Neshan. (n.d.). Almas internet café (Pardis Phase 8), Pardis County [Map listing, in Persian]. https://neshan.org/maps/places/57c7d446ba6de54bd8939bcd1797d088
- OONI Explorer. (n.d.). Internet censorship measurements for Iran. https://explorer.ooni.org/country/IR
- Open Technology Fund. (2024, July). V2R-01: V2Ray audit (Public RC1.1) [PDF]. https://www.opentech.fund/wp-content/uploads/2024/07/V2R-01-V2Ray-Audit-Public-RC1.1.pdf
- OpenVPN. (n.d.). OpenVPN cryptographic layer. https://openvpn.net/community-docs/openvpn-cryptographic-layer.html
- OpenVPN. (n.d.). OpenVPN protocol. https://openvpn.net/community-docs/openvpn-protocol.html
- Pardis Shahreman (Telegram). (n.d.). Posts mentioning @cafinetalmas_admin [Channel page]. https://t.me/s/Pardisshahreman
- Reuters. (2024, August 27). Iran’s Supreme Leader calls for regulation of cyberspace. https://www.reuters.com/world/middle-east/irans-supreme-leader-calls-regulation-cyberspace-2024-08-27/
- Shadowsocks. (2025, March 7). AEAD ciphers. https://shadowsocks.org/doc/aead.html
- Tavaanatech (Telegram). (n.d.). Posts discussing VPN bots and proxy configs [Channel page]. https://t.me/s/tavaanatech
- TechRadar. (2025). Beware: Iran-linked fake VPN apps found to spy on Android users. https://www.techradar.com/vpn/vpn-privacy-security/beware-iran-linked-fake-vpn-apps-found-to-spy-on-android-users
- Telegram. (n.d.). Iranian Militarism channel post advertising V2Ray configs [Channel post]. https://t.me/s/Iranian_Militarism/73666
- The Guardian. (2026, January 17). Iran plans permanent break from global internet, say activists. https://www.theguardian.com/world/2026/jan/17/iran-plans-permanent-break-from-global-internet-say-activists
- USENIX. (2024). Bocovich, C. Snowflake, a censorship circumvention system using temporary WebRTC proxies [Conference presentation page]. https://www.usenix.org/conference/usenixsecurity24/presentation/bocovich
- V2Fly. (n.d.). Project V / V2Ray documentation hub. https://www.v2fly.org/en_US/
- V2Fly. (n.d.). Transport configuration (TLS and related settings). https://www.v2fly.org/en_US/config/transport.html
- V2Ray Project. (n.d.). VMess protocol configuration (Project V Official site). https://www.v2ray.com/en/configuration/protocols/vmess.html
