
Bridges

What bridges are and when to use them

When using Tor with Whonix in its default configuration, anyone who can observe the traffic of your Internet connection (for example your Internet Service Provider and perhaps your government and law enforcement agencies) can know that you are using Tor.

This may be an issue if you are in a country where the following applies:

  1. Using Tor is blocked by censorship: since all connections to the Internet are forced to go through Tor, this would render Whonix useless for everything except for working offline on documents, etc.
  2. Using Tor is dangerous or considered suspicious: in this case starting Whonix in its default configuration might get you into serious trouble.

Tor bridges, also called Tor bridge relays, are alternative entry points to the Tor network that are not all listed publicly. Using a bridge makes it harder, but not impossible, for your Internet Service Provider to know that you are using Tor.

If you are in one of the situations described above you might want to use Tor bridges in Whonix. Please also read The Tor Project's dedicated page about bridges to get a general idea of what bridges are. Also, learn about how obfsproxy works. Obfsproxy is the application that Tor uses to connect to bridges.

Bridges are less reliable and tend to have lower performance than other entry points. If you live in an uncensored area, they are not necessarily more secure than entry guards. Source: bridge vs non-bridge users anonymity.

If you only care about connectivity, that is, getting Whonix connected, because you do not need to Hide Tor and Whonix from your ISP and ISPs in your country do not usually hinder connections to the public Tor network, then you can try something simpler that does not involve bridges. See #Better Connectivity without real Censorship Circumvention.

If using Tor is dangerous or seems suspicious in your country

The Tor Project's documentation on bridges mainly focuses on censorship circumvention (i.e. getting around ISPs or governments that block Tor users). If using Tor is dangerous or considered suspicious in your country, then using bridges may be advisable to prevent you from being identified as a Tor user.

Note: Bridges are important tools that work in many cases, but they are not an absolute protection against the technical means an adversary could develop to identify Tor users.

Additional info and recommendations

1. When Whonix starts for the first time, it won't automatically connect to the public Tor network, which is good. Whonix Setup Wizard, which is automatically started, will guide you.

2. Only use obfuscated bridges since they are harder to identify than other bridges.

3. The less publicly known the bridges are, the better. Unfortunately, since some bridge addresses can be obtained by anyone from the Tor website or by email, it is also possible for an adversary to get the same bridge information by the same means. The Tor Project has some protection against that, but it is far from perfect.

So it is best if you can find a trusted friend or an organization in a different country who runs a private obfuscated bridge for you. In this case "private" means that the bridge is configured with the option PublishServerDescriptor 0. [1] Without this option The Tor Project can learn about the bridge and may distribute its address to others, so it could end up in the hands of your adversary.

See also Hide Tor and Whonix from your ISP!

4. Avoid using a meek provider that also runs core DNS servers, such as Google's meek bridge (now defunct). Google sees 40% of Tor exits' DNS traffic, so using it as a bridge would aid website fingerprinting attacks, although there is evidence that website fingerprinting attacks are more difficult to mount than previously thought. [2]

Finding a bridge and choosing the right protocol

In order to use bridges, you must know in advance the address of at least one bridge. It is preferable to have a private obfuscated bridge because the alternative, public obfuscated bridges, is more likely to be censored, simply because public bridges are by their very nature publicly listed. The Tor Project distributes public bridge addresses in several ways, for example from their website and via email. The easiest way to find a list of public bridges is from The Tor Project Bridge Database.

As of August 2015, according to The Tor Project, "obfs3 is currently the recommend type, but depending on where you are located another type may work better for you." [1] The Tor Project provides a database of public obfs3 bridges. A more exhaustive list of public obfuscated bridges is available at The Tor Project Bridge Database. It is not recommended to use obfs and obfs2 bridges, which "are now deprecated and were replaced by obfs3 . . . and obfs4." [2]

As time goes on and more obfs4 bridge operators go online, it may be preferable to use obfs4 instead of obfs3, as obfs4 "should be able to defend more effectively against active probing." [3]

How to use bridges in Whonix

Introduction

How to use obfuscated, (private) and/or ordinary bridges in Whonix?

Whonix does not include a wizard that guides you through the process of setting up bridges before connecting to Tor. The graphical tor-launcher (screenshots) that you might know from The Tor Project's Tor Browser Bundle (TBB) cannot be used in Whonix.

(Private) Ordinary, obfs2, obfs3 and obfs4 bridges can currently be configured on Whonix-Gateway the same way they would be configured when not using Whonix, i.e. as if you were using Debian, because Whonix is based on Debian. This is done by editing /etc/tor/torrc within the Whonix-Gateway.

Step 1: access /etc/tor/torrc to add bridges

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

Step 2: edit /etc/tor/torrc (for all Whonix platforms)

Once inside /etc/tor/torrc, scroll all the way to the bottom and copy-paste the following text:

UseBridges 1
ClientTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy managed
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed

Now you must add the addresses of your bridges. For finding bridge addresses, see the section above, titled Finding a bridge and choosing the right protocol.

Copy-paste the bridge addresses at the bottom of /etc/tor/torrc. Make sure to manually add the text "bridge" at the beginning of each line entry.

Example of text to add to /etc/tor/torrc. (Note: do not copy-paste this list; these IPs will not work. Use either obfs3 or obfs4, not both at the same time.) Get your own obfs3 bridges, or better obfs4 bridges, from Tor:

bridge obfs3 109.195.132.77:22321 4352e58420e68f5e40bf7c74faddccd9d1349413
bridge obfs3 55.32.27.22:38123  4352e58420e68f5e40bf7c74faddccd9d1349413
bridge obfs3 192.24.131.513:62389 4352e58420e68f5e40bf7c74faddccd9d1349413

bridge obfs4 192.235.207.85:42086 0EEB10BF4B4FAF56D46E cert=oue8sYYw5wi4n3mf2WDOg iat-mode=0
bridge obfs4 34.218.26.20:43263 DD21A551767816A0C9495 cert=7qzS6KASquPvJU82Fm7qoJw iat-mode=0
bridge obfs4 161.217.177.95:10703 B3B8009D01BB7E5FDFAEC cert=4RaIqGiOytEXm6Hw iat-mode=0

Once you have finished editing /etc/tor/torrc, save and exit:

<Ctrl-X> --> press Y --> <Enter>

Step 3: enable Tor

If you have not already done so:

Enable Tor using whonix-setup-wizard.

Start whonixsetup.

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Whonix Setup

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> System -> Whonix Setup Wizard

For terminal-only Whonix-Gateway, use:

sudo whonixsetup

Choose the Enable Tor option. Press next.

Step 4: make changes to /etc/tor/torrc take effect

Reload Tor.

After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if after completing all these steps you are not able to connect to Tor, you have most likely done something wrong. Go back and check your /etc/tor/torrc and redo the steps outlined in the sections above. If you are able to connect to Tor, then you have completed your changes correctly.)

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

It should show something like the following:

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Troubleshooting

Connection Issues

Perhaps you are behind a firewall that blocks outgoing connections to the ports the bridge is providing? How do you know what port the bridge is using? See the following example.

bridge 109.195.132.77:22321

IP would be 109.195.132.77.
Port would be 22321.

Try using a [private] [obfuscated] bridge that uses port 80 or 443. [3]

Better Connectivity without real Censorship Circumvention

If you only care about connectivity, that is, getting Whonix connected, because you do not need to Hide Tor and Whonix from your ISP and ISPs in your country do not usually hinder connections to the public Tor network, then you can try something simpler that does not involve bridges.

The following limits Tor to connecting only to public Tor network relays that listen on ports 80 and 443. [3]

Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps:

sudo nano /etc/tor/torrc

Add the following. [4]

FascistFirewall 1

Save.

Reload Tor.

After editing /etc/tor/torrc you must reload Tor so your changes take effect. (Note: if after completing all these steps you are not able to connect to Tor, you have most likely done something wrong. Go back and check your /etc/tor/torrc and redo the steps outlined in the sections above. If you are able to connect to Tor, then you have completed your changes correctly.)

For Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps:

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

It should show something like the following:

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Done.

Missing ClientTransportPlugin line

When one is using

bridge obfs4 ...:... ... cert=... iat-mode=0

but misses the corresponding

ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed

line, then only a warning will be shown in the logs:

[warn] We were supposed to connect to bridge '...:...' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.

Missing ClientTransportPlugin executable

[warn] Could not launch managed proxy executable at '/usr/bin/obfs4proxy' ('No such file or directory').
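As an added example (not code from the Whonix page or the Whonix project), the following Python script checks a torrc fragment for the mistakes described in Step 2 and in the two troubleshooting sections above: a bridge line without UseBridges 1, obfs3 and obfs4 bridges mixed, a transport with no matching ClientTransportPlugin line, a plugin executable that is not installed (tested through an assumed executable_exists callback so the script runs anywhere), and a bridge address whose IP or port is malformed. SAMPLE_TORRC is a constructed input, not a list of real bridges.

```python
import ipaddress

SAMPLE_TORRC = """UseBridges 1
ClientTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy managed
bridge obfs4 192.0.2.10:443 FINGERPRINT cert=CERT iat-mode=0   # constructed, not a real bridge
bridge obfs3 192.0.2.11:22321 FINGERPRINT                      # constructed, not a real bridge
"""

def parse_torrc(text):
    """Return (use_bridges, {transport: exec path}, [(transport, host, port)])."""
    use_bridges, plugins, bridges = False, {}, []
    for raw in text.splitlines():
        args = raw.split("#", 1)[0].split()       # drop comments, tokenize
        if not args:
            continue
        key = args.pop(0).lower()                  # torrc keys are case-insensitive
        if key == "usebridges":
            use_bridges = args[:1] == ["1"]
        elif key == "clienttransportplugin" and args:
            path = args[args.index("exec") + 1] if "exec" in args[:-1] else None
            for name in args[0].split(","):        # e.g. "obfs2,obfs3"
                plugins[name] = path
        elif key == "bridge" and args:
            transport = None if ":" in args[0] else args.pop(0)
            if args:
                host, _, port = args[0].rpartition(":")
                bridges.append((transport, host.strip("[]"), port))
    return use_bridges, plugins, bridges

def check_torrc(text, executable_exists=lambda path: True):
    # Returns the list of problems found; empty when the bridge setup is consistent.
    use_bridges, plugins, bridges = parse_torrc(text)
    problems = []
    if bridges and not use_bridges:
        problems.append("UseBridges 1 missing: Bridge lines are ignored")
    transports = {t for t, _, _ in bridges if t}
    if {"obfs3", "obfs4"} <= transports:
        problems.append("obfs3 and obfs4 bridges mixed: use one type only")
    for t in sorted(transports):
        if t not in plugins:                       # Tor only warns about this in its log
            problems.append(f"no ClientTransportPlugin line for {t}")
        elif plugins[t] and not executable_exists(plugins[t]):
            problems.append(f"{plugins[t]} not found: install the transport")
    for _, host, port in bridges:                  # the host:port a firewall must allow
        try:
            ok = ipaddress.ip_address(host) is not None and 0 < int(port) < 65536
        except ValueError:
            ok = False
        if not ok:
            problems.append(f"invalid bridge address {host}:{port}")
    return problems
```

Running check_torrc(SAMPLE_TORRC) reports the mixed obfs3/obfs4 lines and the missing obfs4 ClientTransportPlugin line; pass executable_exists=os.path.exists on a real Whonix-Gateway to also catch a missing obfs4proxy binary.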

Deprecated Tor Pluggable Transports

scramblesuit

scramblesuit: Forget about it. Use the above obfs4. [5]

flashproxy

flashproxy: Forget about it. Use the above obfs4. [6]

Footnotes

  1. Tor manual: PublishServerDescriptor
  2. The Effect of DNS on Tor’s Anonymity
  3. These are ports mostly used for web browsing that are often unblocked.
  4. https://www.torproject.org/docs/tor-manual.html.en#FascistFirewall
  5. Quote intrigeri (Tails developer):

    On tor-talk we've been told "You shouldn't prioritise ScrambleSuit because it's superseded by obfs4", and there are now pressing plans in the Tor Project to deprecate obfs2 and obfs3 in favour of obfs4. Hence rejecting this ticket, and focusing on #7980 [obfs4 support] instead.

    Also see Tor Announcement under heading "obfs4 and scramblesuit"

  6. Flashproxy has been removed from TBB. Therefore it can be considered deprecated.

License

Whonix Bridges wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Bridges wiki page Copyright (C) 2012-2014 Patrick Schleizer <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.
