Bridges
What bridges are and when to use them
When using Tor with Whonix in its default configuration, anyone who can observe the traffic of your Internet connection (for example your Internet Service Provider and perhaps your government and law enforcement agencies) can know that you are using Tor.
This may be an issue if you are in a country where the following applies:
- Using Tor is blocked by censorship: since all connections to the Internet are forced to go through Tor, this would render Whonix useless for everything except for working offline on documents, etc.
- Using Tor is dangerous or considered suspicious: in this case starting Whonix in its default configuration might get you into serious trouble.
Tor bridges, also called Tor bridge relays, are alternative entry points to the Tor network that are not all listed publicly. Using a bridge makes it harder, but not impossible, for your Internet Service Provider to know that you are using Tor.
If you are in one of the situations described above you might want to use Tor bridges in Whonix. Please also read The Tor Project's dedicated page about bridges to get a general idea about what bridges are.
In order to use bridges, you must know in advance the address of at least one bridge. The Tor Project distributes bridge addresses in several ways, for example from their website and via email.
Bridges are less reliable and tend to have lower performance than other entry points. If you live in an uncensored area, they are not necessarily more secure than entry guards. Source: bridge vs non-bridge users anonymity.
If using Tor is dangerous in your country
The Tor Project's documentation on bridges mainly focuses on censorship circumvention, that is, the case where the usage of Tor is blocked by censorship. If using Tor is dangerous or considered suspicious in your country, there are some extra rules you should follow to avoid being identified as a Tor user.
Bridges are important tools that work in many cases, but they are not an absolute protection against the technical means an adversary could develop to identify Tor users.
1. When Whonix starts for the first time, it won't automatically connect to the public Tor network, which is good. whonixsetup, which is automatically started, will guide you.
2. Only use obfuscated bridges since they are harder to identify than other bridges.
3. The less publicly known the bridges are, the better. Unfortunately, since some bridge addresses can be obtained by anyone from the Tor website or by email, an adversary can obtain the same bridge information by the same means. The Tor Project has some protection against that, but it is far from perfect.
The best option is therefore to find a trusted friend or an organization in a different country who runs a private obfuscated bridge for you. In this case "private" means that the bridge is configured with the option PublishServerDescriptor 0. Without this option, The Tor Project can learn about the bridge and may distribute its address to others, so it could end up in the hands of your adversary.
See also Hide Tor and Whonix from your ISP!
How to use bridges in Whonix
Using obfuscated, (private) and/or ordinary bridges
Whonix does not yet include a wizard that guides you through the process of setting up bridges before connecting to Tor. You must add bridges manually to /etc/tor/torrc.
(Private) Ordinary, obfs2, obfs3 and obfs4 bridges can currently be configured on Whonix-Gateway the same way they would be configured when not using Whonix, i.e. just like on a server without a graphical user interface. Have a look at /etc/tor/torrc [1].
If you are using a graphical Whonix-Gateway, for more documentation and examples, see:
Start Menu -> Applications -> Settings -> /etc/tor/torrc.examples
To edit your /etc/tor/torrc.
Start Menu -> Applications -> Settings -> /etc/tor/torrc
After editing your /etc/tor/torrc you must reload Tor so your changes take effect.
Start Menu -> Applications -> Settings -> Reload Tor
If you are using a terminal-only Whonix-Gateway:
For more documentation and examples, see:
nano /etc/tor/torrc.examples
To edit your /etc/tor/torrc.
sudo nano /etc/tor/torrc
After editing your /etc/tor/torrc you must reload Tor so your changes take effect.
sudo service tor reload
Example using obfs3 bridges:
You cannot use the example bridge 141.201.27.48:420 below, because it's only an example. You still need to find your own bridges as explained in /etc/tor/torrc.examples.
UseBridges 1
ClientTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy managed
Bridge obfs3 141.201.27.48:420 4352e58420e68f5e40bf7c74faddccd9d1349413
Example using obfs4 bridges:
Requires Whonix 11 or higher.
You cannot use the example bridge 141.201.27.48:420 below, because it's only an example. You still need to find your own bridges as explained in /etc/tor/torrc.examples.
UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
Bridge obfs4 141.201.27.48:420 gibberish cert=more-gibberish iat-mode=0
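As an added check that is not part of the Whonix wiki or of Tor itself, the following Python lints the bridge-related lines of a torrc before Tor is reloaded. It catches the misconfigurations the examples above make easy: a Bridge line whose transport has no matching ClientTransportPlugin, an obfs4 line without cert=, a missing UseBridges 1, and the documentation placeholder 141.201.27.48:420 left in place. The two sample torrc texts are constructed; the 192.0.2.10 address, the fingerprint and the cert value are made up.

```python
import re

# 141.201.27.48:420 is the placeholder used in the wiki examples above, not a real bridge.
EXAMPLE_ADDR = "141.201.27.48:420"
ADDR_RE = re.compile(r"^\[?[0-9a-fA-F.:]+\]?:\d{1,5}$")  # IPv4 or [IPv6] address plus port

def parse_torrc(text):
    """Yield (keyword, args); Tor keywords are case-insensitive and '#' starts a comment."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            yield parts[0].lower(), parts[1].split() if len(parts) > 1 else []

def lint_bridge_torrc(text):
    """Return the problems that would keep Tor from actually using the configured bridges."""
    problems, transports, bridges, use_bridges = [], set(), [], False
    for key, args in parse_torrc(text):
        if key == "usebridges":
            use_bridges = args[:1] == ["1"]
        elif key == "clienttransportplugin" and len(args) > 1 and args[1].lower() == "exec":
            transports.update(args[0].lower().split(","))  # e.g. "obfs2,obfs3" declares two
        elif key == "bridge" and args:
            bridges.append(args)
    if not use_bridges:
        problems.append("UseBridges 1 is missing; Tor would use public entry guards instead")
    if not bridges:
        problems.append("no Bridge line configured")
    for args in bridges:
        # A Bridge line is either "addr:port ..." (plain) or "<transport> addr:port ...".
        transport = None if ADDR_RE.match(args[0]) else args[0].lower()
        rest = args if transport is None else args[1:]
        if not rest or not ADDR_RE.match(rest[0]):
            problems.append("malformed Bridge line: " + " ".join(args))
            continue
        if rest[0] == EXAMPLE_ADDR:
            problems.append(EXAMPLE_ADDR + " is the documentation placeholder, not a real bridge")
        if transport and transport not in transports:
            problems.append(f"Bridge uses '{transport}' but no ClientTransportPlugin declares it")
        if transport == "obfs4" and not any(a.startswith("cert=") for a in rest[1:]):
            problems.append("obfs4 Bridge line lacks the cert= parameter obfs4proxy needs")
    return problems

# Constructed samples (made-up TEST-NET address and fingerprint): GOOD_TORRC follows the
# wiki's obfs4 layout; BAD_TORRC declares only obfsproxy and omits UseBridges and cert=.
GOOD_TORRC = """UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
Bridge obfs4 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567 cert=AAAA iat-mode=0"""
BAD_TORRC = """ClientTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy managed
Bridge obfs4 141.201.27.48:420 0123456789ABCDEF0123456789ABCDEF01234567"""
```

Run it over the real file with lint_bridge_torrc(open("/etc/tor/torrc").read()) before "Reload Tor"; an empty list means the bridge lines are at least structurally usable.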
scramblesuit: In short, forget about it. Use obfs4 as shown above. For more information, see below.
Quote intrigeri (Tails developer):
On tor-talk we've been told "You shouldn't prioritise ScrambleSuit because it's superseded by obfs4", and there are now pressing plans in the Tor Project to deprecate obfs2 and obfs3 in favour of obfs4. Hence rejecting this ticket, and focusing on #7980 instead.
AppArmor issue; probably not reported anywhere yet.
audit: type=1400 audit(1439818522.818:9): apparmor="DENIED" operation="mkdir" profile="/usr/bin/obfsproxy" name="/var/lib/tor/pt_state/scramblesuit/" pid=11163 comm="obfsproxy" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
ClientTransportPlugin obfs2,obfs3,scramblesuit exec /usr/bin/obfsproxy managed
Bridge scramblesuit 141.201.27.48:420 gibberish password=more-gibberish
Flash Proxy Bridges
Untested!
Unfinished!
This has NOTHING to do with Adobe Flash.
Should work in Whonix-Gateway as well, but requires some fiddling. See also Forum topic.
1. Enable port forwarding from your host operating system to Whonix-Gateway. Enter this command in a terminal on the host.
VBoxManage modifyvm "Whonix-Gateway" --natpf1 "9000",tcp,127.0.0.1,9000,,9000
2. Create a file /etc/whonix_firewall.d/50_user (or, if you are using a graphical Whonix-Gateway, use the desktop shortcut).
kdesudo kwrite /etc/whonix_firewall.d/50_user
3. Add the following content.
GATEWAY_ALLOW_INCOMING_FLASHPROXY=1
FLASHPROXY_PORT=9000
4. Reload the Whonix firewall (or, if you are using a graphical Whonix-Gateway, use the desktop shortcut).
sudo whonix_firewall
5. Install flashproxy.
OK, this is a bit tricky, since there is no Debian package with the flashproxy-client. [2]
Either get it from here: https://crypto.stanford.edu/flashproxy/#how-to
Or...
Go to the Tor Blog and look for the latest pluggable transports bundle. This has not been documented yet: https://github.com/Whonix/Whonix/issues/53
6. Set up a Port Forwarding from your Router to your Computer
https://trac.torproject.org/projects/tor/wiki/FlashProxyHowto#Settingupportforwarding
Using Tor / Pluggable Transports from the Tor Browser Bundle
Untested!
Unfinished!
https://phabricator.whonix.org/T116
Install the Tor Browser Updater by Whonix developers (tb-updater). [3] [4] [5]
sudo apt-get install --no-install-recommends tb-updater
Create a new home folder for user debian-tor.
sudo mkdir /home/user/debian-tor
Fix permissions.
sudo chown --recursive debian-tor:debian-tor /home/user/debian-tor
Allow login as user debian-tor by changing its default shell from false to /bin/bash.
sudo usermod debian-tor -s /bin/bash
Login as user debian-tor.
sudo su debian-tor
Change directory into /home/debian-tor. (Do not use ~. [6])
cd /home/debian-tor
Download and install Tor Browser.
update-torbrowser
Security warning: Do not start Tor Browser on Whonix-Gateway for any purpose other than configuring Tor. Use Whonix-Workstation to browse the web using Tor Browser.
Apply Whonix's Tor config to TBB.
cp /usr/share/tor/tor-service-defaults-torrc /home/debian-tor/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults
TODO for developers:
- Install tb-updater by default on Whonix-Gateway?
- Install Tor Browser by default on Whonix-Gateway?
mv /home/debian-tor/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults /home/user/debian-tor
Possible AppArmor issues? Is copying better?
ln -s /usr/share/tor/tor-service-defaults-torrc /home/debian-tor/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults
Footnotes
- ↑ /etc/tor/torrc on github.
- ↑ feature request: make a deb of flashproxy and get into Debian
- ↑ https://github.com/Whonix/tb-updater
- ↑ Tor Browser
- ↑ Using --no-install-recommends to prevent installing tb-starter and tb-default-browser.
- ↑ Because that is set to /var/lib/tor for user debian-tor.
License
Whonix Bridges wiki page Copyright (C) Amnesia <amnesia at boum dot org> Whonix Bridges wiki page Copyright (C) 2012 -2014 Patrick Schleizer <adrelanos@riseup.net> This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code. This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.