- 1 What bridges are and when to use them
- 2 Finding a bridge and choosing the right protocol
- 3 How to use bridges in Whonix
- 4 Troubleshooting
- 5 Deprecated Tor pluggable Transports
- 6 See Also
- 7 Footnotes
- 8 License
What bridges are and when to use them
When using Tor with Whonix in its default configuration, anyone who can observe the traffic of your Internet connection (for example your Internet Service Provider and perhaps your government and law enforcement agencies) can know that you are using Tor.
This may be an issue if you are in a country where the following applies:
- Using Tor is blocked by censorship: since all connections to the Internet are forced to go through Tor, this would render Whonix useless for everything except for working offline on documents, etc.
- Using Tor is dangerous or considered suspicious: in this case starting Whonix in its default configuration might get you into serious trouble.
Tor bridges, also called Tor bridge relays, are alternative entry points to the Tor network that are not all listed publicly. Using a bridge makes it harder, but not impossible, for your Internet Service Provider to know that you are using Tor.
If you are in one of the situations described above, you might want to use Tor bridges in Whonix. Please also read The Tor Project's dedicated page about bridges to get a general idea about what bridges are. Also, learn about how obfsproxy works. Obfsproxy is the application that Tor uses to connect to bridges.
Bridges are less reliable and tend to have lower performance than other entry points. If you live in an uncensored area, they are not necessarily more secure than entry guards. Source: bridge vs non-bridge users anonymity.
If you care only about connectivity (getting Whonix connected), and you do not need to Hide Tor and Whonix from your ISP and/or ISPs in your country do not usually hinder connections to the public Tor network, then you could try something simpler that does not involve bridges. See #Better Connectivity without real Censorship Circumvention.
If using Tor is dangerous or seems suspicious in your country
The Tor Project's documentation on bridges mainly focuses on censorship circumvention (i.e. getting around ISPs or governments that block Tor users). If using Tor is dangerous or considered suspicious in your country, then using bridges may be advisable to prevent you from being identified as a Tor user.
Note: Bridges are important tools that work in many cases, but they are not an absolute protection against the technical progress that an adversary could make in identifying Tor users.
Additional info and recommendations
1. When Whonix starts for the first time, it won't automatically connect to the public Tor network, which is good. Whonix Setup Wizard, which is automatically started, will guide you.
2. Only use obfuscated bridges since they are harder to identify than other bridges.
3. The less publicly known the bridges are, the better. Unfortunately, since some bridge addresses can be obtained by anyone from the Tor website or by email, it is also possible for an adversary to get the same bridge information by the same means. The Tor Project has some protection against that, but it is far from perfect.
The best option is to find a trusted friend or an organization in a different country who runs a private obfuscated bridge for you. In this case "private" means that the bridge is configured with the option PublishServerDescriptor 0. Without this option, The Tor Project can learn about the bridge and may distribute its address to others, so it could end up in the hands of your adversary.
See also Hide Tor and Whonix from your ISP!
4. Avoid using a meek provider that also runs DNS core servers, such as Google's bridge (now defunct). Google sees 40% of Tor Exits' DNS traffic, so using them as a bridge aids website fingerprinting attacks. There is, however, evidence that website fingerprinting attacks are more difficult to mount than previously thought.
Finding a bridge and choosing the right protocol
In order to use bridges, you must know in advance the address of at least one bridge. It is preferable to have a private obfuscated bridge because the alternative (public obfuscated bridges) has a greater likelihood of being censored, simply because public obfuscated bridges are by their very nature publicly listed. The Tor Project distributes public bridge addresses in several ways, for example from their website and via email. The easiest way to find a list of public bridges is from The Tor Project Bridge Database.
As of August 2015, according to The Tor Project, "obfs3 is currently the recommend type, but depending on where you are located another type may work better for you." The Tor Project provides a database of public obfs3 bridges. A more exhaustive list of public obfuscated bridges is available at The Tor Project Bridge Database. It is not recommended to use obfs and obfs2 bridges, which "are now deprecated and were replaced by obfs3 . . . and obfs4."
As time goes on and more obfs4 bridge operators go online, it may be preferable to use obfs4 instead of obfs3, as obfs4 "should be able to defend more effectively against active probing."
How to use bridges in Whonix
How to use obfuscated, (private) and/or ordinary bridges in Whonix?
Whonix does not include a wizard that guides you through the process of setting up bridges before connecting to Tor. The graphical tor-launcher (screenshots) that you might know from The Tor Project's Tor Browser cannot be used in Whonix.
(Private) Ordinary, obfs2, obfs3 and obfs4 bridges can currently be configured on Whonix-Gateway the same way they would be configured when not using Whonix, i.e. as if you were using Debian, because Whonix is based on Debian. This is done by editing /etc/tor/torrc within the Whonix-Gateway.
Step 1: access /etc/tor/torrc to add bridges
Step 2: edit /etc/tor/torrc (for all Whonix platforms)
Once inside /etc/tor/torrc, scroll all the way to the bottom, and copy-paste the following text:
UseBridges 1
ClientTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy managed
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
ClientTransportPlugin fte exec /usr/bin/fteproxy --managed
Now you must add the IP addresses of your bridges. To find IP addresses, see the section above, titled Finding a bridge and choosing the right protocol.
Copy-paste the IP addresses at the bottom of /etc/tor/torrc. Make sure to manually add the text "bridge" at the beginning of each line entry.
Example of text to add to /etc/tor/torrc. (Note: do not copy-paste this list; these IPs will not work.) (Use either obfs3 or obfs4. Not both at the same time.) Get your own obfs3 bridges or, better, obfs4 bridges from Tor:
bridge obfs3 18.104.22.168:22321 4352e58420e68f5e40bf7c74faddccd9d1349413
bridge obfs3 22.214.171.124:38123 4352e58420e68f5e40bf7c74faddccd9d1349413
bridge obfs3 126.96.36.1993:62389 4352e58420e68f5e40bf7c74faddccd9d1349413
bridge obfs4 188.8.131.52:42086 0EEB10BF4B4FAF56D46E cert=oue8sYYw5wi4n3mf2WDOg iat-mode=0
bridge obfs4 184.108.40.206:43263 DD21A551767816A0C9495 cert=7qzS6KASquPvJU82Fm7qoJw iat-mode=0
bridge obfs4 220.127.116.11:10703 B3B8009D01BB7E5FDFAEC cert=4RaIqGiOytEXm6Hw iat-mode=0
## fte is not yet supported. Wait for Whonix 14.
## https://phabricator.whonix.org/T520
Bridge fte 10.200.100.60:95128 4352e58420e68f5e40bf7c74faddccd9d1349413
Bridge fte 300.100.300.80:23521 4352e58420e68f5e40bf7c74faddccd9d1349413
Once you have finished editing /etc/tor/torrc, save and exit.
<Ctrl-X> --> press Y --> <Enter>
Step 3: enable Tor
If you have not done so already...
Enable Tor using the whonix-setup-wizard.
Choose the Enable Tor option. Press next.
Step 4: make changes to /etc/tor/torrc take effect
Perhaps you are behind a firewall that blocks outgoing connections to the ports the bridge is providing? How do you know what port the bridge is using? See the following example.
IP would be 18.104.22.168.
Port would be 22321.
Try using a [private] [obfuscated] bridge that uses port 80 or 443. 
Trying packet size and timing obfuscation for obfs4
In case your provided obfs4 bridge doesn't work, you may try to enable packet size and timing obfuscation by changing the
iat-mode value in each last line to either
Better Connectivity without "real" Censorship Circumvention
If you care only about connectivity (getting Whonix connected), and you do not need to Hide Tor and Whonix from your ISP and/or ISPs in your country do not usually hinder connections to the public Tor network, then you could try something simpler that does not involve bridges.
The following will limit Tor to establishing connections only to public Tor network relays that listen on ports 80 and 443.
Missing ClientTransportPlugin line
When one is using
bridge obfs4 ...:... ... cert=... iat-mode=0
but misses the corresponding
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
line, then only a warning will be shown in the logs.
[warn] We were supposed to connect to bridge '...:...' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
Missing ClientTransportPlugin executable
[warn] Could not launch managed proxy executable at '/usr/bin/obfs4proxy' ('No such file or directory').
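The configuration mistakes discussed on this page (a bridge transport with no matching ClientTransportPlugin line, a missing UseBridges 1, obfs3 and obfs4 mixed together, deprecated transports, and bridge ports a firewall may block) can be checked in a torrc before Tor is restarted. The following is an added example, not part of Whonix or Tor; lint_torrc and the sample torrc are hypothetical, and the addresses, fingerprints and cert value are constructed placeholders.

```python
import re

# Constructed sample: documentation-range IPs, placeholder fingerprints/cert.
SAMPLE_TORRC = """\
UseBridges 1
ClientTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy managed
bridge obfs3 192.0.2.10:22321 0000000000000000000000000000000000000000
bridge obfs4 198.51.100.7:443 1111111111111111111111111111111111111111 cert=PLACEHOLDER iat-mode=0
"""

DEPRECATED = {"obfs2", "scramblesuit", "flashproxy"}  # as listed on this page

def lint_torrc(text):
    """Hypothetical helper: return (findings, ports) for a torrc string."""
    use_bridges, plugins, bridges = False, set(), []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenise
        if not fields:
            continue
        key = fields[0].lower()  # the page itself writes both bridge and Bridge
        if key == "usebridges" and fields[1:2] == ["1"]:
            use_bridges = True
        elif key == "clienttransportplugin" and len(fields) >= 2:
            plugins.update(fields[1].split(","))
        elif key == "bridge" and len(fields) >= 2:
            # Layout: Bridge [transport] IP:PORT [fingerprint] [args]
            has_pt = not re.match(r"[\d\[]", fields[1])
            addr = fields[2] if has_pt and len(fields) > 2 else fields[1]
            bridges.append((fields[1] if has_pt else None, addr))
    findings, ports = [], set()
    used = {t for t, _ in bridges if t}
    if bridges and not use_bridges:
        findings.append("Bridge lines present but 'UseBridges 1' is missing")
    for t in sorted(used - plugins):
        findings.append(f"no ClientTransportPlugin line for '{t}'")
    for t in sorted(used & DEPRECATED):
        findings.append(f"deprecated transport '{t}'")
    if {"obfs3", "obfs4"} <= used:
        findings.append("obfs3 and obfs4 bridges mixed; use one type only")
    for _, addr in bridges:
        port = addr.rsplit(":", 1)[-1]
        if port.isdigit() and 0 < int(port) < 65536:
            ports.add(int(port))  # compare against ports your firewall allows
        else:
            findings.append(f"invalid address or port: {addr}")
    return findings, sorted(ports)

if __name__ == "__main__":
    print(lint_torrc(SAMPLE_TORRC))
```

On the sample, the linter reports the missing obfs4 plugin line and the obfs3/obfs4 mix, and returns the bridge ports so they can be compared with what the local firewall lets out.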
Deprecated Tor pluggable Transports
scramblesuit: Forget about it. Use the above obfs4. 
flashproxy: Forget about it. Use the above obfs4. 
- Lantern - Alternative censorship circumvention tool documented for Qubes-Whonix only.
- Unfinished: Other Censorship Circumvention Tools than Bridges
- Unfinished: Using Tor / Pluggable Transports from the Tor Browser Bundle
- Tor manual: PublishServerDescriptor
- The Effect of DNS on Tor’s Anonymity
- These are ports mostly used for web browsing that are often unblocked.
- 1 = Enabled, ScrambleSuit-style with bulk throughput optimizations.
  2 = Paranoid, Each IAT write will send a length sampled from the length distribution. (EXPENSIVE).
  https://lists.torproject.org/pipermail/tor-commits/2014-August/079402.html
Quote intrigeri (Tails developer):
On tor-talk we've been told "You shouldn't prioritise ScrambleSuit because it's superseded by obfs4", and there are now pressing plans in the Tor Project to deprecate obfs2 and obfs3 in favour of obfs4. Hence rejecting this ticket, and focusing on #7980 [obfs4 support] instead.
- old instructions: Deprecated#scramblesuit
- Flashproxy has been removed from Tor Browser. Therefore it can be considered deprecated.
Whonix Bridges wiki page Copyright (C) Amnesia <amnesia at boum dot org> Whonix Bridges wiki page Copyright (C) 2012 -2014 Patrick Schleizer <firstname.lastname@example.org> This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code. This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
Unless otherwise noted above, the content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.