Bridges
Revision as of 02:13, 11 September 2015 by Privacyguy (talk | contribs) (previous "gibberish" etc. would not work)
What bridges are and when to use them
When using Tor with Whonix in its default configuration, anyone who can observe the traffic of your Internet connection (for example your Internet Service Provider and perhaps your government and law enforcement agencies) can know that you are using Tor.
This may be an issue if you are in a country where the following applies:
- Using Tor is blocked by censorship: since all connections to the Internet are forced to go through Tor, this would render Whonix useless for everything except for working offline on documents, etc.
- Using Tor is dangerous or considered suspicious: in this case starting Whonix in its default configuration might get you into serious trouble.
Tor bridges, also called Tor bridge relays, are alternative entry points to the Tor network that are not all listed publicly. Using a bridge makes it harder, but not impossible, for your Internet Service Provider to know that you are using Tor.
If you are in one of the situations described above you might want to use Tor bridges in Whonix. Please also read The Tor Project's dedicated page about bridges to get a general idea about what bridges are. Also, learn about how obfsproxy works. Obfsproxy is the application that Tor uses to connect bridges.
Bridges are less reliable and tend to have lower performance than other entry points. If you live in an uncensored area, they are not necessarily more secure than entry guards. Source: bridge vs non-bridge users anonymity.
If using Tor is dangerous or seems suspicious in your country
The Tor Project's documentation on bridges mainly focuses on censorship circumvention (i.e. getting around ISPs or governments that block Tor users). If using Tor is dangerous or considered suspicious in your country, then using bridges may be advisable to prevent you from being identified as a Tor user.
Note: Bridges are important tools that work in many cases but they are not an absolute protection against the technical progress that an adversary could do to identify Tor users.
Additional info and recommendations
1. When Whonix starts for the first time, it won't automatically connect to the public Tor network, which is good. Whonix Setup Wizard, which is automatically started, will guide you.
2. Only use obfuscated bridges since they are harder to identify than other bridges.
3. The less publicly known the bridges are, the better. Unfortunately, since some bridge addresses can be obtained by anyone from the Tor website or by email, it is also possible for an adversary to get the same bridge information by the same means. The Tor Project has some protection against that, but it is far from perfect.
So the best option is to find a trusted friend or an organization in a different country who runs a private obfuscated bridge for you. In this case "private" means that the bridge is configured with the option PublishServerDescriptor 0. [1] Without this option The Tor Project can learn about the bridge and may distribute its address to others, so it could end up in the hands of your adversary.
See also Hide Tor and Whonix from your ISP!
Finding a bridge and choosing the right protocol
In order to use bridges, you must know in advance the address of at least one bridge. It is preferable to have a private obfuscated bridge because the alternative (public obfuscated bridges) has a greater likelihood of being censored, simply because public obfuscated bridges are by their very nature publicly listed. The Tor Project distributes public bridge addresses in several ways, for example from their website and via email. The easiest way to find a list of public bridges is from The Tor Project Bridge Database.
As of August 2015, according to The Tor Project, "obfs3 is currently the recommend type, but depending on where you are located another type may work better for you." [1] The Tor Project provides a database of public obfs3 bridges. A more exhaustive list of public obfuscated bridges is available at The Tor Project Bridge Database. It is not recommended to use obfs and obfs2 bridges, which "are now deprecated and were replaced by obfs3 . . . and obfs4."[2].
As time goes on and more obfs4 bridge operators go online, it may be preferable to use obfs4 instead of obfs3, as obfs4 "should be able to defend more effectively against active probing." [3]
How to use bridges in Whonix
Using obfuscated, (private) and/or ordinary bridges
Introduction
Whonix does not include a wizard that guides you through the process of setting up bridges before connecting to Tor. The graphical tor-launcher (screenshots) that you might know from The Tor Project's Tor Browser Bundle (TBB) cannot be used in Whonix yet. (TODO) You must add bridges manually to /etc/tor/torrc.
(Private) Ordinary, obfs2, obfs3 and obfs4 bridges can currently be configured on Whonix-Gateway the same way they would be configured when not using Whonix, i.e. as if you were using Debian, because Whonix is based on Debian. This is done by editing /etc/tor/torrc within the Whonix-Gateway.
Step 1: access /etc/tor/torrc to add bridges
If you are using Qubes-Whonix, complete the following steps:
Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)
If you are using a graphical Whonix-Gateway, complete the following steps:
Start Menu -> Applications -> Settings -> /etc/tor/torrc
If you are using a terminal-only Whonix-Gateway, complete the following steps:
sudo nano /etc/tor/torrc
Step 2: edit /etc/tor/torrc (for all Whonix platforms)
Once inside /etc/tor/torrc, scroll all the way to the bottom, and copy-paste the following text:
UseBridges 1
ClientTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy managed
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
Now you must add the IP addresses of your bridges. To find bridge IP addresses, see the section above titled Finding a bridge and choosing the right protocol.
Copy-paste the IP addresses at the bottom of /etc/tor/torrc. Make sure to manually add the text "bridge" at the beginning of each line entry.
Example of text to add to /etc/tor/torrc. (Note: do not copy-paste this list; these IPs will not work.) Get your own obfs3 bridges and obfs4 bridges from Tor:
bridge obfs3 109.195.132.77:22321 4352e58420e68f5e40bf7c74faddccd9d1349413
bridge obfs3 55.32.27.22:38123 4352e58420e68f5e40bf7c74faddccd9d1349413
bridge obfs3 192.24.131.513:62389 4352e58420e68f5e40bf7c74faddccd9d1349413
bridge obfs4 192.235.207.85:42086 0EEB10BF4B4FAF56D46E cert=oue8sYYw5wi4n3mf2WDOg iat-mode=0
bridge obfs4 34.218.26.20:43263 DD21A551767816A0C9495 cert=7qzS6KASquPvJU82Fm7qoJw iat-mode=0
bridge obfs4 161.217.177.95:10703 B3B8009D01BB7E5FDFAEC cert=4RaIqGiOytEXm6Hw iat-mode=0
Once you have completed editing /etc/tor/torrc, now save and exit.
<Ctrl-X> --> press Y --> <Enter>
Step 3: make changes to /etc/tor/torrc take effect
After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if after completing all these steps you are not able to connect to Tor, you have most likely done something wrong. Go back and check your /etc/tor/torrc and redo the steps outlined in the sections above. If you are able to connect to Tor, then you have completed your changes correctly.)
For Qubes-Whonix
The Whonix-Gateway and any dependent AppVMs must now be shut down and restarted for the changes to take effect.
For graphical Whonix-Gateway
Start Menu -> Applications -> Settings -> Reload Tor
For terminal-only Whonix-Gateway
sudo service tor reload
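As an added check (not code from the original page or from Whonix), the following Python script parses the bridge-related lines of a torrc and reports the mistakes the note in Step 3 tells you to look for: a missing UseBridges 1, a transport with no matching ClientTransportPlugin line, an address that cannot be routed, a truncated fingerprint, and an obfs4 line without cert=. The embedded sample torrc is constructed from the placeholder bridges above and is meant to fail.

```python
import string
from ipaddress import ip_address
# Constructed torrc modelled on the Step 2 example; these placeholder bridges will not work.
SAMPLE_TORRC = """UseBridges 1
ClientTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy managed
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
bridge obfs3 109.195.132.77:22321 4352e58420e68f5e40bf7c74faddccd9d1349413
bridge obfs3 192.24.131.513:62389 4352e58420e68f5e40bf7c74faddccd9d1349413
bridge obfs4 192.235.207.85:42086 0EEB10BF4B4FAF56D46E cert=oue8sYYw5wi4n3mf2WDOg iat-mode=0
bridge scramblesuit 141.201.27.48:420 4352e58420e68f5e40bf7c74faddccd9d1349413 password=x
"""

def valid_addr(addr):
    # Accepts IP:PORT (IPv6 written as [addr]:port) with a port in 1..65535.
    host, _, port = addr.rpartition(":")
    try:
        ip_address(host.strip("[]"))
        return port.isdigit() and 0 < int(port) < 65536
    except ValueError:
        return False

def check_torrc(text):
    """Return a list of problems found in the bridge-related lines of a torrc."""
    problems, use_bridges, transports, bridges = [], False, set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)  # strip comment, split off option name
        if not parts:
            continue
        key, rest = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "usebridges":
            use_bridges = rest.strip() == "1"
        elif key == "clienttransportplugin" and rest:
            transports.update(rest.split()[0].lower().split(","))
        elif key == "bridge":
            bridges.append((n, rest.split()))
    if not use_bridges:
        problems.append("UseBridges 1 is missing, so Tor would still use public entry guards")
    for n, fields in bridges:
        # Syntax: Bridge [transport] IP:PORT [fingerprint] [key=value ...]
        transport = fields.pop(0).lower() if fields and ":" not in fields[0] else None
        if transport and transport not in transports:
            problems.append(f"line {n}: no ClientTransportPlugin handles {transport}")
        if not fields or not valid_addr(fields[0]):
            problems.append(f"line {n}: bad address {fields[0] if fields else '(none)'}")
        fpr = fields[1] if len(fields) > 1 and "=" not in fields[1] else ""
        if len(fpr) != 40 or any(c not in string.hexdigits for c in fpr):
            problems.append(f"line {n}: missing or malformed fingerprint (expected 40 hex digits)")
        if transport == "obfs4" and not any(a.startswith("cert=") for a in fields[1:]):
            problems.append(f"line {n}: obfs4 bridge without cert=")
    return problems
```

Run it on a copy of /etc/tor/torrc before reloading Tor; it only covers the bridge lines, so tor --verify-config -f /etc/tor/torrc remains the authoritative syntax check.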
obfs3
Example of using obfs3 bridges: You cannot use the example bridge 141.201.27.48:420 below, because it's only an example. You still need to find your own bridges as explained in the section above, titled Finding a bridge and choosing the right protocol.
UseBridges 1
ClientTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy managed
bridge obfs3 141.201.27.48:420 4352e58420e68f5e40bf7c74faddccd9d1349413
obfs4
Example using obfs4 bridges (Note: Requires Whonix 11 or higher).
You cannot use the example bridge 141.201.27.48:420 below, because it's only an example. You still need to find your own bridges as explained in the section above, titled Finding a bridge and choosing the right protocol.
UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
bridge obfs4 161.217.177.95:10703 B3B8009D01BB7E5FDFAEC cert=4RaIqGiOytEXm6Hw iat-mode=0
scramblesuit
scramblesuit: In short, forget about it. Use the above obfs4. Quote intrigeri (Tails developer):
On tor-talk we've been told "You shouldn't prioritise ScrambleSuit because it's superseded by obfs4", and there are now pressing plans in the Tor Project to deprecate obfs2 and obfs3 in favour of obfs4. Hence rejecting this ticket, and focusing on #7980 [obfs4 support] instead.
Also see Tor Announcement under heading "obfs4 and scramblesuit"
ClientTransportPlugin obfs2,obfs3,scramblesuit exec /usr/bin/obfsproxy managed
Bridge scramblesuit 141.201.27.48:420 gliberish password=more-gliberish
AppArmor issue. Probably not reported anywhere yet.
audit: type=1400 audit(1439818522.818:9): apparmor="DENIED" operation="mkdir" profile="/usr/bin/obfsproxy" name="/var/lib/tor/pt_state/scramblesuit/" pid=11163 comm="obfsproxy" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
Flash Proxy Bridges
Untested!
Unfinished!
This has NOTHING to do with Adobe Flash.
Should work in Whonix-Gateway as well, but require some fiddling. See also Forum topic.
1. Enable port forwarding from your host operating system to Whonix-Gateway. Enter this command in a terminal on the host.
VBoxManage modifyvm "Whonix-Gateway" --natpf1 "9000",tcp,127.0.0.1,9000,,9000
2. Create a file /etc/whonix_firewall.d/50_user (Or, if you are using a graphical Whonix-Gateway, you can use the desktop shortcut.)
kdesudo kwrite /etc/whonix_firewall.d/50_user
3. Add the following content.
GATEWAY_ALLOW_INCOMING_FLASHPROXY=1
FLASHPROXY_PORT=9000
4. Reload Whonix Firewall. (Or, if you are using a graphical Whonix-Gateway, you can use the desktop shortcut.)
sudo whonix_firewall
5. Install flashproxy.
Ok, this is a bit tricky, since there is no Debian package with the flashproxy-client. [2]
Either get it from here: https://crypto.stanford.edu/flashproxy/#how-to
Or...
Go to the Tor Blog and look for the latest pluggable transports bundle. This has not been documented yet: https://github.com/Whonix/Whonix/issues/53
6. Set up a Port Forwarding from your Router to your Computer
https://trac.torproject.org/projects/tor/wiki/FlashProxyHowto#Settingupportforwarding
Using Tor / Pluggable Transports from the Tor Browser Bundle
Untested!
Unfinished!
TODO:
Figure out and document below here how to use TBB as "system Tor" inside Whonix-Gateway. (ticket)
Install the Tor Browser Updater by Whonix developers (tb-updater). [3] [4] [5]
sudo apt-get install --no-install-recommends tb-updater
Create a new home folder for user debian-tor.
sudo mkdir /home/user/debian-tor
Fix permissions.
sudo chown --recursive debian-tor:debian-tor /home/user/debian-tor
Allow login as user debian-tor by changing its default shell from false to /bin/bash.
sudo usermod debian-tor -s /bin/bash
Login as user debian-tor.
sudo su debian-tor
Change directory into /home/debian-tor. (Do not use ~. [6])
cd /home/debian-tor
Download and install Tor Browser.
update-torbrowser
Security warning: Do not start Tor Browser on Whonix-Gateway for any purpose other than configuring Tor. Use Whonix-Workstation to browse the web using Tor Browser.
Apply Whonix's Tor config to TBB.
cp /usr/share/tor/tor-service-defaults-torrc /home/debian-tor/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults
TODO for developers:
- Install tb-updater by default on Whonix-Gateway?
- Install Tor Browser by default on Whonix-Gateway?
mv /home/debian-tor/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults /home/user/debian-tor
Eventual apparmor issues? Copy is better?
ln -s /usr/share/tor/tor-service-defaults-torrc /home/debian-tor/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults
Future work:
Simplify this setup for users by installing this by default. Ticket: make TBB usable as "system Tor", so latest pluggable transports and the tor-launcher graphical user interface can be used in Whonix
Footnotes
- ↑ Tor manual: PublishServerDescriptor
- ↑ feature request: make a deb of flashproxy and get into Debian
- ↑ https://github.com/Whonix/tb-updater
- ↑ Tor Browser
- ↑ Using --no-install-recommends to prevent installing tb-starter and tb-default-browser.
- ↑ Because that is set to /var/lib/tor for user debian-tor.
License
Whonix Bridges wiki page Copyright (C) Amnesia <amnesia at boum dot org> Whonix Bridges wiki page Copyright (C) 2012 -2014 Patrick Schleizer <adrelanos@riseup.net> This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code. This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)