The anti-censorship team has been investigating connectivity issues to some of our circumvention tools after receiving reports[1,2] from community members in China and Russia. After investigating the cause, we believe that this issue may be more widespread and affecting users in other regions as well.
The cause of the problem seems to be that the cdn77 domain fronts that we are currently using to make initial connections for tools like snowflake and conjure have been blocked. This happens from time to time and it is necessary to change the fronts we use in order to regain access to the circumvention tools affected.
The symptom of the problem is that Tor doesn’t make progress in bootstrapping. If you look at the Tor log, you will see messages like this:
Snowflake:
2025/09/24 13:02:52 Negotiating via HTTP rendezvous...
2025/09/24 13:02:52 Target URL: 1098762253.rsc.cdn77.org
2025/09/24 13:02:52 Front URL: www.phpmyadmin.net
2025/09/24 13:02:53 WebRTC: closing DataChannel
2025/09/24 13:02:53 WebRTC: closing PeerConnection
2025/09/24 13:02:53 WebRTC: Closing
2025/09/24 13:02:53 WebRTC: read tcp [scrubbed]->[scrubbed]: read: connection reset by peer Retrying...
...repeat...
Conjure:
2025-09-11 16:14:17.947
[NOTICE] Managed proxy "./TorBrowser/Tor/PluggableTransports/conjure-client": retrying conjure registration, station is under high load.
2025-09-11 16:14:19.394
[NOTICE] Managed proxy "./TorBrowser/Tor/PluggableTransports/conjure-client": retrying conjure registration, station is under high load.
2025-09-11 16:14:23.235
[NOTICE] Managed proxy "./TorBrowser/Tor/PluggableTransports/conjure-client": retrying conjure registration, station is under high load.
2025-09-11 16:14:23.536
[NOTICE] Managed proxy "./TorBrowser/Tor/PluggableTransports/conjure-client": retrying conjure registration, station is under high load.
...repeat...
Manual Workarounds
You can try working around this problem yourself for snowflake by changing the domain fronting specific flags in the snowflake bridge line manually. This is done by changing the url and front flags to different values that are not blocked. In this case, url=https://bespoke-strudel-c243cc.netlify.app and front=vuejs.org an example of the required changes to a snowflake bridge line are below:
Current blocked bridge line:
snowflake 192.0.2.4:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://1098762253.rsc.cdn77.org/ fronts=www.cdn77.com,www.phpmyadmin.net ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.net:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
Change to bridge line with updated domain fronts:
snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://bespoke-strudel-c243cc.netlify.app front=vuejs.org ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478 utls-imitate=hellorandomizedalpn
The domain fronting addresses have already been updated in Tor browser alpha and we plan to update these for the next stable release which will be coming out next week.
Users in Russia can also use the following ampcachebridgelines:
snowflake 192.0.2.5:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72 fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72 url=https://snowflake-broker.torproject.net/ ampcache=https://cdn.ampproject.org/ front=www.google.com ice=stun:stun.rtc.yandex.net,stun:stun.epygi.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.mixvoip.com:3478,stun:stun.nextcloud.com:3478,stun:stun.bethesda.net:3478,stun:stun.nextcloud.com:443 utls-imitate=hellorandomizedalpn
snowflake 192.0.2.6:80 8838024498816A039FCBBAB14E6F40A0843051FA fingerprint=8838024498816A039FCBBAB14E6F40A0843051FA url=https://snowflake-broker.torproject.net/ ampcache=https://cdn.ampproject.org/ front=www.google.com ice=stun:stun.rtc.yandex.net,stun:stun.epygi.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.mixvoip.com:3478,stun:stun.nextcloud.com:3478,stun:stun.bethesda.net:3478,stun:stun.nextcloud.com:443 utls-imitate=hellorandomizedalpn
Unfortunately, we have not yet found a fix for conjure users in China. Along with the cdn77 fronts, both ampcache and dns registration methods are blocked in China. We will continue to work on this and will update when we have made further progress.