Tor can be configured with pluggable transport modules - amongst which, the ability to use obfuscated bridges that have the capability of obfuscating tor traffic such that an upstream ISP will only see random traffic instead of Tor traffic. The current effort is to bypass the Great Firewall of China (GCF), although it can have its applications in other states practicing mass surveillance of its citizens.
You can always build all the necessary packages from source, but it is usually more convenient to rely on a managed distribution such as Red Hat or Debian to get pre-compiled packages. You will need to locate the packages:
tor
obfsproxy
via your distribution's package manager and install them.
Tor supports several types of obfuscated bridges - this tutorial will settle for obfs4
. In order to use obfs4
with tor, you will need to get a client transport plugin for obfs4
.
Install the packages:
git
golang
(Google language)create a directory for go:
mkdir -p /usr/src/go
and then set the GOPATH
path in your shell:
export GOPATH=/usr/src/go
Change directory to the GOPATH
directory and issue:
go get git.torproject.org/pluggable-transports/obfs4.git/obfs4proxy
after a while, a binary will be generated at $GOPATH/bin/obfs4proxy
.
Copy the binary to /usr/bin/
next to the standard obfsproxy
:
cp $GOPATH/bin/obfs4proxy /usr/bin/
and you are done.
It is of course best to find out some private and non-public bridges to use with tor. However, if you are just testing, you can use the bridges provided by the tor project bridge retrieval system.
Compose an E-Mail from either a Google or Yahoo account (otherwise, you will not get a reply) and address it to bridges@bridges.torproject.org
. The subject can be left blank but the body must contain just the phrase:
get transport obfs4
Within some time you should receive some obfs4
bridges.
So, let me get this straight… You are sending an E-Mail from a Google account because the Tor project claims that Google accounts are less accessible to spammers all the while being aware that Google stores all your private information and thereby is able to link your "real, most likely not a spammer's" identity to the highly private bridges you are going to use?
Alternatively, you can use the tor project website to get bridges.
To configure Tor to use your bridges, edit /etc/tor/torrc
and add the lines:
UseBridges 1 bridge obfs4 19.35.10.100:41826 8C193FFE274CEFA347E45BB1136831359A39AAFE cert=nGDCCQWqeUlQMMyvB8hLxnzAHV6XBffo9vJ0ZuAA+HyJZlLjxgT4Am3psKVCYBcvta/799 iat-mode=0 bridge obfs4 72.237.281.11:58250 4E47E8DA7BAA63E3236A8CE92C92C9E560C79C04 cert=Ju0NexLVeYvXCRAjLfPoY0SQhCWaaCENIdRVMSqO+BcvtYIRUn0CmClGxOPDW1ATn1xnzp iat-mode=0 ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
where:
UseBridges
instructs tor
to use the supplied bridges.bridge
represents a bridge, you should replace everything after obfs4
with your own bridges.ClientTransportPlugin
starts the obfuscation proxy fetched earlier.
Restart tor
as usual, and verify that the bootstrap process completed. You should now be able to browse using obfuscated bridges.
The Snowflake transport is particularly attractive since it just requires a browser addon to be installed in order to contribute to the tor network with WebRTC entry points for bridges.