Need help with circumventing censorship in China

Ladies and gentlemen, hello. I come from China, a country that is heavily censored on the internet. Yes, you read that right - this terribly oppressive country. I help those around me maintain internet freedom. Due to the various restrictions imposed by the Great Firewall (GFW), there are very few secure protocols available for us to use. Therefore, we use Tor.

My solution is as follows: I purchased a VPS in Switzerland and another in Canada. I connect to the Canadian VPS using the WireGuard protocol and deploy Tor on the Canadian VPS. My friends connect to my network in China and their traffic is directed to Tor as an exit node. However, I don’t trust the Canadian network, so I use the Swiss WireGuard as an inbound proxy for the Canadian Tor.

Now, here’s the problem: The Canadian VPS has a Debian 11 system whose default user is root. Should I create a regular user for Tor? And secondly, and most importantly, I’m not sure if my /etc/tor/torrc configuration file is secure and reasonable. This is because it concerns the safety of my friends’ lives (freedom of speech is a crime here and can land you in jail. Perhaps this is the most ridiculous age and country in human history). Therefore, I am seeking help from the community and hoping that the community management and developers can provide me with the maximum help and support. Thank you, God bless us all. Amen.
This is my configuration and I can’t be sure if it guarantees security and privacy, please review it.
cat /etc/tor/torrc




SocksPort IsolateDestAddr IsolateDestPort
SocksPort IsolateDestAddr IsolateDestPort
SocksPort IsolateDestAddr IsolateDestPort
SocksPort IsolateDestAddr IsolateDestPort
SocksPort IsolateDestAddr IsolateDestPort
SocksPort IsolateDestAddr IsolateDestPort
SocksPort IsolateDestAddr IsolateDestPort
SocksPort IsolateDestAddr IsolateDestPort
SocksPort IsolateDestAddr IsolateDestPort
SocksPort IsolateDestAddr IsolateDestPort


SOCKSPolicy accept
SOCKSPolicy reject *


EnforceDistinctSubnets 1


AvoidDiskWrites 1
NumEntryGuards 8
CircuitBuildTimeout 30
LearnCircuitBuildTimeout 0
MaxCircuitDirtiness 120
KeepAlivePeriod 60
NewCircuitPeriod 240
MaxClientCircuitsPending 16
UseBridges 0


ExcludeNodes {cn},{hk},{mo},{mn},{tw},{sg},{ph},{my},{th},{vn},{jp},{kr},{pk},{ir},{ae},{sa},{ru},{cu},{br},{kz},{kw},{ci},{sy},{by},{lk},{af}


ExcludeExitNodes {us},{gb},{ca},{au},{nz},{dk},{fr},{nl},{no},{de},{be},{it},{se},{es},{il}
StrictNodes 1


GeoIPFile /usr/share/tor/geoip
GeoIPv6File /usr/share/tor/geoip6
GeoIPExcludeUnknown 1


Log notice file /var/log/tor/notices.log
SafeLogging 1


Sandbox 1

1 Like,is the wireguard CA listening address. CN:

First of all, I would like to give you a big compliment :+1::+1::+1:

I’m also new to this, but I’m willing to follow you on this post!

I really hope that the experts here will help this friend solve his problem!

Thank you for looking forward to a bright future together and working hard to achieve it.

1 Like

The usual Tor user is debian-tor.

ExcludeNodes makes you less anonymous because you will be the only one in the world with the unique combination you specify.

“How can I make it more secure and private? I need to use WireGuard to monitor Tor and establish connections. Are you suggesting that I create a user ‘adduser debian-tor’? Or does installing Tor with ‘apt install tor’ automatically create the ‘debian-tor’ user under root?”

Can you help me modify a torrc configuration according to my needs?

1 Like

I don’t understand why do you need Wireguard. AFAIK, Wireguard traffic is very easy to identify and block by the GFW. Why you don’t run a private obfs4 bridge in your VPS?

1 Like

Because I need to use wireguard-CA and wireguard-CN, the network, by listening to the address of wireguard-CA can socks5-TOR

“So far, there has been no blocking of Wireguard, so we are continuing to use it. Can you configure a torrc configuration for us that we need? To answer your previous question, I don’t run a private obfs4 bridge because I don’t know how to configure it, so I purchased a human Swiss VPS to use as a CA for his Tor pre-proxy.”

I don’t understand.

You have a CN WireGuard peer

You also have a CA WireGuard peer

The CA WireGuard peer runs Tor, configured with SocksPort in the range 19990-19999.

So if a client browser on talks SOCKS5 protocol to IP address and any port 19990-19999, the browser’s traffic will go through the WireGuard tunnel to, and end up passing through Tor? Is that correct?

But where does CH come into the picture?

You are right: the role of CH is to act as a proxy for CA’s Tor as a SOCKS5 endpoint to enter Tor, because I don’t trust the Canadian VPS. So, I use CH as a proxy for him to access Tor.

So CH is running proxy software such as Squid listening on port 10010?

And CH is also a WireGuard peer with IP address on the WireGuard network?

Your torrc seems fine to me, except I would miss out ExcludeNodes, ExcludeExitNodes, and StrictNodes, as these make you unique instead of anonymous.

1 Like

Yes, it runs a SOCKS5 proxy in Switzerland on port 10010 and serves as the preproxy for CA-Tor’s inbound traffic. I am also considering removing the ExcludeNodes, ExcludeExitNodes, and StrictNodes options because excluding countries and exits makes Tor stand out. If I remove them, is there still enough room for further hardening? What is the purpose of IsolateDestAddr and IsolateDestPort? I have never really understood them. Should they be added? Additionally, I want to add “ClientOnly 1”. Do you think it is necessary? Are there any other features worth adding to make it more secure, reliable, and private? As I mentioned earlier, this is crucial for the safety and well-being of dissidents.

I have no experience with the other settings, apart from the ones I have mentioned.

You already have a VPN plus a pre-proxy before Tor. That sounds like a good risk mitigation strategy.

Since you do not mention using the Tor Browser, consider manually disabling JavaScript and/or installing NoScript Security Suite in Firefox.

For a general security guide for activists in China, you can read 为啥朝廷总抓不到俺——十年反党活动的安全经验汇总 @ 编程随想的博客

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.