
Configure (Private) (Obfuscated) Tor Bridges

From Whonix


Bridges Description and User Groups

Introduction

Info: If a website cannot be reached over Tor, this does not necessarily relate to network level censorship that requires a bridge to be configured; it may relate to blacklisting of Tor IP addresses by the server. In that case, simple bypass methods usually succeed in circumventing censorship by destination servers. It is rarely necessary to combine Tor with a proxy, VPN or SSH tunnel in order to access content or services that are blocked.

When Tor is used with Whonix ™ in the default configuration, anybody observing the flow of network traffic from the Internet connection can determine that Tor is being used. Potential observers include the Internet Service Provider (ISP), advanced adversaries, censorship enforcement bodies and other interested parties.

Tor bridges ("Tor bridge relays") [archive] are alternative entry points to the Tor network, not all of which are listed publicly. Using a bridge makes it harder, but not impossible, for the ISP to determine a user is connecting to Tor.

Intended User Groups

Info: Tor non-functionality is often related to local configuration problems [archive] rather than ISP or state-level censorship.

For the majority of Whonix ™ users, connecting to Tor with the default configuration is appropriate and will work successfully. The minority of users requiring a bridge normally fall into three categories: [1]

  • Tor is blocked, and some way - any way - to reach the network has to be found. The adversary is not very dangerous, but very annoying.
  • Tor may or may not be blocked, but the user is trying to hide the fact they're using Tor. The adversary may be extremely dangerous.
  • Other bridge users: Testing whether the bridge works (automated or manual), probing, people using bridges without their knowledge because they came pre-configured in their bundle.

The first group of users is only concerned with circumventing Tor censorship that is based on IP address or fingerprinting of protocols. Circumvention is necessary because Whonix ™ would otherwise be rendered useless for most activities except working offline on documents and so on, since all Internet traffic is routed through Tor by default. This group is not worried about hiding the use of Tor and will need to use bridges or possibly other circumvention tools.

The second user group is unable to safely start Whonix ™ in the default configuration due to Tor being considered dangerous or suspicious in their locality. In this case private bridges or a VPN/SSH tunnel should be utilized instead of public obfuscated bridges, as this makes it harder (not impossible) to detect Tor. [2]

Note that the meek_azure pluggable transport may be necessary to deal with highly aggressive ISP censorship or national firewalls, like those found in China and the Middle East.

The third group is only concerned with testing bridge connections.

Before Configuring a Bridge

Warning: Bridges are important tools that work in many cases but they are not an absolute protection against the technical progress an adversary might make in identifying Tor users. Using bridges might be advisable to prevent identification as a Tor user, but the Tor Project's bridges documentation [archive] is primarily focused on censorship circumvention, that is, overcoming attempts by ISPs or government to block Tor use.

Users falling into one of the three groups described above should consider using Tor bridges. Before taking this step, please review The Tor Project's dedicated bridges page [archive] to better understand their design and operation. It is also recommended to review how Obfsproxy works [archive], since it is the most commonly used application for connecting bridges.

Always remember that bridges are not bullet-proof. The following is a reminder about bridge versus non-bridge anonymity:

Roger Dingledine, cofounder of Tor [archive]:

[...] Bridges are less reliable and tend to have lower performance than other entry points. If you live in an uncensored area, they are not necessarily more secure than entry guards. [...]

Question:

If that is true, that also means that bridge users are sufficiently more vulnerable to attacks which are circumvented by entry guards?

Roger Dingledine, cofounder of Tor [archive]:

[...] They're probably more vulnerable, but I don't know if I'd say "sufficiently". [...]

If a user is only concerned with connectivity (getting Whonix connected) and local ISPs do not usually hinder connections to the public Tor network, then something simpler than Bridges can be tried; see: Better Connectivity without Real Censorship Circumvention.

Additional Information and Recommendations

Info: For safety reasons, the first run of Whonix ™ will not automatically connect to the public Tor network. Instead, user networking decisions are guided by Anon Connection Wizard, which starts automatically.

When deciding on the type of bridge to configure, it is recommended to:

  • Prefer obfuscated bridges [archive], since they are harder to identify than other bridges.
  • Use less well-known bridges, since it is safer. [3]
  • Avoid using a meek provider that also runs DNS core servers, like Google's (now defunct) bridge. [4]
  • Note that domain fronting has been pulled by Google and Amazon [archive], limiting the meek pluggable transport options to meek_azure only in Anon Connection Wizard.
  • For greater safety, use a private obfuscated bridge run by a trusted friend or organization in a different country. In this case "private" means that the bridge is configured with the option PublishServerDescriptor 0. [5]

Please note that it has been assessed as difficult beyond practicality to Hide Tor use from the Internet Service Provider with proxies, bridges, VPNs or SSH tunnels.

Finding a Bridge and Choosing the Right Protocol

In order to use bridges, the address of at least one bridge must be known in advance. A private obfuscated bridge is preferable because the alternatives, public obfuscated bridges, are more likely to be censored, since they are publicly listed. The Tor Project distributes public bridge addresses in several ways, including from their website [archive] and via email. The easiest way to find a list of public bridges is from The Tor Project Bridge Database [archive].

In early 2017, The Tor Project's advice regarding recommended bridges changed: [6] [7]

... in Tor Browser to obfs4, given that we now have several high capacity obfs4 bridges and obfs4 is more likely to work in more regions than obfs3."

As time has gone on, more obfs4 bridge operators have come online, and obfs4 is now routinely recommended by Tor developers over obfs3, because the former: [8]

... should be able to defend more effectively against active probing.

As a consequence, obfs3 bridges have been deprecated as a configurable pluggable transport option in Tor Browser. [9] [10] Also see: obfs4 Transport Evaluation [archive]. [11]

The Tor Project provides a database of public obfs4 bridges [archive]. A more exhaustive list of public obfuscated bridges is available at The Tor Project Bridge Database [archive]. obfs and obfs2 bridges are no longer available since they: [12]

... are now deprecated and were replaced by obfs3 . . . and obfs4.

Do not select the "IPv6 compatible" check box when sourcing bridges [archive] from the database, as they cannot be used in Whonix ™ [archive] yet.

How to Use Bridges in Whonix ™

It is possible to configure obfs4 and meek_azure bridges.

For most users, the Anon Connection Wizard GUI application is recommended. Advanced users also have the option of Manual Bridge Configuration.

1. Start Anon Connection Wizard.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Anon Connection Wizard

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → System → Anon Connection Wizard

If you are using a terminal Whonix-Gateway ™, type the following.

kdesudo anon-connection-wizard

2. Use the Bridge Configuration Page

Option 1: Anon Connection Wizard has some built-in bridges. To use them, complete the following steps.

Select "Configure" on the first page → Select "I need Tor bridges to bypass the Tor censorship" → Select "Connect with provided bridges" → Select a suitable transport type.

Tip: If it is unknown which transport type is the most suitable or likely to work, then simply try them all until one is functional. It is recommended to start with obfs4, and only try meek if obfs4 does not work.

Option 2: If none of the default bridges work, the user can try to obtain a set of bridges manually. See Finding a Bridge and Choosing the Right Protocol. After obtaining a set of Tor bridges, complete the following step.

Select "Configure" on the first page → Select "I need Tor bridges to bypass the Tor censorship" → Select "Enter custom bridges" → Copy and paste the set of bridges into the input box (one bridge per line).

Experimental Bridges

Snowflake

The Tor Project describes the design of the Snowflake pluggable transport: [13]

Snowflake is a pluggable transport [archive] that proxies traffic through temporary proxies using WebRTC [archive], a peer-to-peer protocol with built-in NAT punching. It aims to work kind of like flash proxy, but without flash proxy's problems with NAT.

Configuration of Snowflake in Whonix ™ is only recommended for advanced users because it is difficult to get the snowflake-client into Whonix-Gateway ™ (Qubes-Whonix: whonix-gw-15).

1. Locate the snowflake-client binary.

The binary snowflake-client can be found in:

  • /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/snowflake-client in Whonix-Workstation ™ [14]; or
  • in the Tor Browser alpha download for Linux from torproject.org [15]; once extracted, it is found in the tor-browser folder under the sub folder ./Browser/TorBrowser/Tor/PluggableTransports/snowflake-client.

2. Move the snowflake-client binary.

Move the snowflake-client to a location in Whonix-Gateway ™. Afterward it needs to be copied to /usr/bin/snowflake-client.

The following command assumes the user is directly inside the home folder /home/user (which is the default when starting a terminal emulator) on Whonix-Gateway ™, and already has the file /home/user/snowflake-client. The path to snowflake-client might need to be adjusted.

sudo cp snowflake-client /usr/bin/snowflake-client

3. Make snowflake-client readable and executable.

sudo chmod og+rx /usr/bin/snowflake-client

4. Edit the Tor configuration file.

Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

5. Paste the following settings.

UseBridges 1
ClientTransportPlugin snowflake exec /usr/bin/snowflake-client -url https://snowflake-broker.azureedge.net/ -front ajax.aspnetcdn.com -ice stun:stun.l.google.com:19302
Bridge snowflake 0.0.3.0:1 2B280B23E1107BB62ABFC40DDCC8824814F80A72

6. Save the file and have the changes take effect.

Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → Reload Tor

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

The procedure is complete. [16]

Snowflake forum discussion:
https://forums.whonix.org/t/replacing-meek-snowflake/5190 [archive]

Troubleshooting

Check Tor Network Connection is Using a Tor Bridge

Concerned bridge users can complete a simple check.

1. Open Nyx as follows.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Nyx - Status Monitor for Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → System → Nyx - Status Monitor for Tor

If you are using a terminal Whonix-Gateway ™, type the following.

nyx

2. Use the right arrow button to navigate to page 2 of 5 in Nyx.

3. If a bridge is in use, the circuit information will be similar to this.

192.168.0.1 UNKNOWN 1 / Guard

4. If a bridge is not in use, the circuit information will be similar to this.

IP Nickname 1 / Guard

The IP is the real IP (not 192.168.0.1) of the Guard, and the Nickname is the name of that Guard relay.

5. Exit Nyx by pressing the following keys.

q
q

Connection Issues

After configuration, connection problems can relate to firewall settings that block outgoing connections to the port the bridge listens on. To check which port a bridge uses, see the following example.

bridge 109.195.132.77:22321

In this example, the IP address is 109.195.132.77, while the port is 22321.

Try using a (private) (obfuscated) bridge that uses port 80 or 443, as these ports are mostly used for web browsing and therefore usually unblocked.

Trying Packet Size and Timing Obfuscation for obfs4

If a provided obfs4 bridge does not work, the user can try enabling packet size and timing obfuscation by changing the iat-mode value at the end of each bridge line to either 1 or 2. [17]

Better Connectivity without Real Censorship Circumvention

If a user is only concerned with connectivity (getting Whonix connected) and there is no need to attempt to Hide Tor use from the Internet Service Provider and/or local ISPs do not usually hinder connections to the public Tor network, then something simpler than Bridges can be tried.

The following setting only establishes Tor connections to public Tor network relays that listen on ports 80 and 443.

1. Edit the Tor configuration file.

Open /usr/local/etc/torrc.d/50_user.conf.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → /usr/local/etc/torrc.d/50_user.conf

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

sudo nano /usr/local/etc/torrc.d/50_user.conf

2. Add the following setting. [18]

FascistFirewall 1

3. Save the file and have the changes take effect.

Reload Tor.

After editing /usr/local/etc/torrc.d/50_user.conf, Tor must be reloaded for changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /usr/local/etc/torrc.d/50_user.conf and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

If you are using Qubes-Whonix ™, complete the following steps.

Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Reload Tor

If you are using a graphical Whonix-Gateway ™, complete the following steps.

Start Menu → Applications → Settings → Reload Tor

If you are using a terminal-only Whonix-Gateway ™, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying:

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/usr/local/etc/torrc.d/50_user.conf".
Configuration was valid

The procedure is complete.

Missing ClientTransportPlugin Line

When a user has configured the following.

bridge obfs4 ...:... ... cert=... iat-mode=0

But forgot to add the corresponding line.

ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy

Then the bridge cannot be used and a warning is only shown in the Tor logs:

[warn] We were supposed to connect to bridge '...:...' using pluggable transport 'obfs4', but we can't find a pluggable transport proxy supporting 'obfs4'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.

Missing ClientTransportPlugin Executable

If the ClientTransportPlugin line points at an executable that is not installed at that path, the Tor logs show the following warning.

[warn] Could not launch managed proxy executable at '/usr/bin/obfs4proxy' ('No such file or directory').
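As an added example (not Whonix's own tooling), the following bash function checks a torrc fragment for the two mistakes described in the two sections above before Tor is reloaded, and also flags bridge ports other than 80 and 443, the situation described under Connection Issues. The sample fragment, fingerprint and cert value it runs on are constructed placeholders, not a real bridge.

```bash
#!/bin/bash
# Added example (not Whonix's own tooling): pre-reload sanity check for the
# Bridge / ClientTransportPlugin lines in a torrc fragment such as
# /usr/local/etc/torrc.d/50_user.conf. It detects a Bridge line whose
# transport has no ClientTransportPlugin line, a ClientTransportPlugin line
# whose executable is missing, Bridge lines without "UseBridges 1", and it
# flags bridge ports other than 80/443. Only the single-transport
# "ClientTransportPlugin <name> exec <path> [args]" form used on this page is
# recognised; socks4/socks5 plugin lines are not handled.

# Usage: check_torrc_bridges FILE
# Prints one line per finding. Return value = number of PROBLEM findings
# (port HINTs are informational and are not counted).
check_torrc_bridges() {
    local file=$1 problems=0 have_bridge=0
    local key f2 f3 transport addr port plugin_line exe

    while read -r key f2 f3 _; do
        case "$key" in [Bb]ridge) ;; *) continue ;; esac
        have_bridge=1
        # "Bridge <ip:port> <fp>" is a plain bridge;
        # "Bridge <transport> <ip:port> ..." selects a pluggable transport.
        case "$f2" in
            *:*) transport=plain; addr=$f2 ;;
            *)   transport=$f2;   addr=$f3 ;;
        esac
        port=${addr##*:}

        if [ "$transport" != plain ]; then
            plugin_line=$(grep -Ei "^[[:space:]]*ClientTransportPlugin[[:space:]]+${transport}[[:space:]]" "$file" | head -n 1)
            if [ -z "$plugin_line" ]; then
                echo "PROBLEM: '$key $f2 $f3' needs a 'ClientTransportPlugin $transport exec ...' line; none found"
                problems=$((problems + 1))
            else
                # Field 4 of "ClientTransportPlugin <transport> exec <path> [args]" is the binary.
                exe=$(printf '%s\n' "$plugin_line" | awk '{print $4}')
                if [ ! -x "$exe" ]; then
                    echo "PROBLEM: transport '$transport' is mapped to '$exe', which is missing or not executable"
                    problems=$((problems + 1))
                fi
            fi
        fi

        # meek and snowflake Bridge lines carry placeholder addresses; no port advice for them.
        case "$transport" in meek*|snowflake) continue ;; esac
        case "$port" in
            80|443) ;;
            *) echo "HINT: bridge $addr uses port $port; if it cannot connect, a firewall may block that port (80/443 are usually open)" ;;
        esac
    done < "$file"

    if [ "$have_bridge" -eq 1 ] && ! grep -Eiq '^[[:space:]]*UseBridges[[:space:]]+1' "$file"; then
        echo "PROBLEM: Bridge lines present but 'UseBridges 1' is missing, so Tor will not use them"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on a constructed fragment reproducing the "forgot ClientTransportPlugin"
# mistake (fingerprint and cert are placeholders, not a real bridge).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
UseBridges 1
Bridge obfs4 192.0.2.10:22321 0123456789ABCDEF0123456789ABCDEF01234567 cert=PLACEHOLDER iat-mode=0
EOF
n=0; check_torrc_bridges "$demo_file" || n=$?
echo "problems found: $n"
rm -f "$demo_file"
```

Run it against the real fragment with `check_torrc_bridges /usr/local/etc/torrc.d/50_user.conf` before reloading Tor; a non-zero exit status means at least one of the warnings above would appear in the logs.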

Deprecated Tor Pluggable Transports

Scramblesuit

scramblesuit: Not recommended (see footnote). Use the provided obfs4 instructions instead. [19]

Flashproxy

flashproxy: Not recommended (see footnote). Use the provided obfs4 instructions instead. [20]

See Also

Footnotes

  1. https://blog.torproject.org/different-ways-use-bridge [archive]
  2. Over time, censors have gotten better at detecting Tor network traffic between the client and the first hop, even with the use of more advanced pluggable transports. There is a cyber-censorship arms race in effect.
  3. Some bridge addresses are freely provided by the Tor website or by email upon request, meaning adversaries likely use these methods to obtain bridge information. The Tor Project has some protection against adversary threats, but they are far from perfect.
  4. Google sees forty percent of Tor Exits' DNS traffic and so using them as a bridge aids website fingerprinting attacks. That said, there is evidence that website fingerprinting is more difficult to mount than previously thought. See: The Effect of DNS on Tor’s Anonymity [archive]
  5. Tor manual: PublishServerDescriptor [archive] Without this option set, The Tor Project can learn about the bridge and may distribute its address to others, potentially handing this information to an adversary seeking to generate a list of all known bridges.
  6. https://trac.torproject.org/projects/tor/ticket/18072 [archive]
  7. This pluggable transport has been deprecated by The Tor Project in favor of obfs4, meek, Format-Transforming Encryption (FTE) and ScrambleSuit [archive].
  8. https://blog.torproject.org/blog/recent-and-upcoming-developments-pluggable-transports#obfs2_deprecation [archive]
  9. https://2019.www.torproject.org/docs/bridges.html.en#PluggableTransports [archive]
  10. https://2019.www.torproject.org/docs/pluggable-transports.html.en [archive]
  11. The obfs4 protocol was developed and is in the process of being deployed by the Tor Project in response to the vulnerability of the obfs3 protocol to detection via active probing attacks. It is expected to supersede the obfs3 protocol as the front-line Pluggable Transport used by most Tor users.
  12. https://www.torproject.org/docs/bridges.html.en#PluggableTransports [archive]
  13. https://trac.torproject.org/projects/tor/wiki/doc/Snowflake [archive]
  14. /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/snowflake-client
  15. https://trac.torproject.org/projects/tor/ticket/19001 [archive]
  16. Fortunately snowflake-client is a standalone binary that can be easily copied. AppArmor has appropriate permissions for Snowflake operation. /etc/apparmor.d/local/system_tor [archive] already contains /usr/bin/snowflake-client ix,.
  17. 1 = Enabled: ScrambleSuit-style with bulk throughput optimizations. 2 = Paranoid: Each IAT write will send a length sampled from the length distribution (expensive). See: https://lists.torproject.org/pipermail/tor-commits/2014-August/079402.html [archive]
  18. https://www.torproject.org/docs/tor-manual.html.en#FascistFirewall [archive]
  19. Quote intrigeri [archive] (Tails developer):

    On tor-talk we've been told "You shouldn't prioritise ScrambleSuit because it is superseded by obfs4", and there are now pressing plans in the Tor Project to deprecate obfs2 and obfs3 in favour of obfs4. Hence rejecting this ticket, and focusing on #7980 [archive] [obfs4 support] instead.

    Also see Tor Announcement under heading "obfs4 and scramblesuit" [archive]

  20. Flashproxy has been removed from Tor Browser [archive], therefore it can be considered deprecated.

License

Whonix ™ Bridges wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix ™ Bridges wiki page Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
