Tor in Russia: A call for more WebTunnel bridges

by gus | November 28, 2024

Recent reports from Tor users in Russia indicate an escalation in online censorship with the goal of blocking access to Tor and other circumvention tools. This new wave includes attempts to block Tor bridges and pluggable transports developed by the Tor Project, removal of circumvention apps from stores, and targeting popular hosting providers, shrinking the space for bypassing censorship. Despite these ongoing actions, Tor remains effective.

One alarming trend is the targeted blocking of popular hosting providers by Roscomnadzor. As many circumvention tools are using them, this action made some Tor bridges inaccessible to many users in Russia. As Roscomnadzor and internet service providers in Russia are increasing their blocking efforts, the need for more WebTunnel bridges has become urgent.

Why WebTunnel bridges?

WebTunnel is a new type of bridge that is particularly effective at flying under a censor's radar. Its design blends itself into other web traffic, allowing a user to hide in plain sight. And since its launch earlier this year, we've made sure to prioritize small download sizes for more convenient distribution and simplified the support of uTLS integration further mimicking the characteristics of more widespread browsers. This makes WebTunnel safe for general users because it helps conceal the fact that a tool like Tor is being used.

We are calling on the Tor community and the Internet freedom community to help us scale up WebTunnel bridges. If you've ever thought about running a Tor bridge, now is the time. Our goal is to deploy 200 new WebTunnel bridges by the end of this December (2024) to open secure access for users in Russia.

How to run a Tor WebTunnel bridge

On the International Day Against Online Censorship in March, we published a blog post introducing WebTunnel: "Hiding in Plain Sight". Setting up a WebTunnel bridge requires some system administration skills, but we've streamlined the process to make it as straightforward as possible.

1. Using Docker: We offer a Docker image that simplifies deploying the Tor bridge and WebTunnel transport. Some additional configuration of your web server is required.

2. Ansible automation: A WebTunnel Ansible role, created by community member Jacobo Nájera, provides another way to set up a WebTunnel bridge quickly.

You can find the technical requirements in our WebTunnel guide. In short, you'll need:

  • A static IPv4 address (preferred)
  • A self-hosted website
  • A valid SSL/TLS certificate (e.g., Let's Encrypt)
  • Bandwidth usage: at least 1 TB/month, but more is recommendable.

Important: Avoid using free shared DNS services, as they are frequently blocked in Russia and other regions. Consult our community Good/Bad ISPs page for finding a provider for your WebTunnel bridge and avoiding popular hosting companies.

Bridge campaign rules for participation

The campaign starts today, November 28, 2024, and will run until March 10, 2025. As a token of our appreciation for your volunteer work, we're offering a Tor t-shirt to operators who run 5 or more WebTunnel bridges during this period. Please note: Only one t-shirt will be awarded per operator. See the technical requirements below to participate in the campaign.

Technical requirements for campaign

  1. Operators must run one WebTunnel bridge per IPv4. It is acceptable to use multiple subdomains or distinct domains.
  2. Include a valid email address as your contact information. Or we won't be able to confirm and validate your participation in the campaign.
  3. Maintain your bridges running for at least 1 year.
  4. Ensure your bridges have a solid uptime, operating close to 24/7. Reboots for updates are fine.
  5. Your bridge must remain functional during the campaign period.
  6. Do not host your bridges with Hetzner.

How to participate

After spinning up and verifying that your five WebTunnel bridges are working, confirm your participation by emailing frontdesk@torproject.org with the following template:


Subject: Participation in Bridge Campaign 2025
Body:
Hi, I'm signing up for the Tor Bridge Campaign. These are my bridges:

My t-shirt is (pick your size: https://gitlab.torproject.org/tpo/community/team/-/wikis/tshirts/tshirt-size-charts).

To validate your participation, please contact us using the same email address listed in your contactinfo. You can expect your reward to be shipped in Q2 2025.

Russian censors targeting pluggable transports

Tor-powered applications like Tor Browser include built-in censorship circumvention features, but censors in Russia are increasingly targeting these mechanisms. For example, user reports suggest that obfs4 connections are being blocked on some 4G mobile networks in Russia. Despite this, obfs4 remains the most widely used pluggable transport for Tor users in the country. Snowflake has also experienced partial blocks at certain providers and Tor's Anti-Censorship Team have been investigating.

Analyzing censorship tactics, developing fixes, and implementing new mitigations takes time and resources. In the meantime, Tor WebTunnel bridges serve as an urgent and immediate way to bypass censorship in Russia.

Tor-powered applications are critical for combating online censorship in heavily restricted regions. In a country where "the biggest banks were instructed to punish customers using credit cards to pay for VPN services", free and open source tools like Tor are some of the few remaining alternatives for keeping users connected.

Background: Tor blocked in Russia (2021)

In late 2021, the Russian government attempted to block Tor, as we detailed in our blog post. Despite the censors' best efforts, Russian users were able to circumvent the block using Tor bridges.

Upon launch of WebTunnel in early 2024, we only had 60 WebTunnel bridges. Today, the number has more than doubled to 143. However, we must improve our efforts to meet the rising demand and counter the evolving censorship landscape.

If you've ever considered running a Tor bridge, now is an excellent time to get started. Please help us spread the word as your help is urgently needed.

I want to help, but I am not tech-savvy

No problem, you can help us spread the word. Now, more so than ever, it is important to speak up. Share this in your social networks–online AND offline. If enough people read this, we can reach those who can support with the technical aspects of this ask.

You can also make a donation to the Tor Project. Right now, all donations are matched. That means when you donate $25, your donation will be matched by a generous donor, meaning Tor receives a total of $50. Every donation helps build our power in this fight.

Other resources

4 Likes

I’d posted earlier about seeing a sudden drop in Russian traffic on my obsf4 bridge at Sudden drop in traffic on Tor Bridge - on a list?.

I guess it’s somewhat related.

Followup: If I’m already running an obsf4 bridge on port 443, is it worth it to move to webtunnel instead?

How can I help with this? Is it possible to run several Tor WebTunnel bridges on one VPS?

Hi, the embedded link seems somehow broken. At least on my side. :sunny:
Thanks!

PSA: Tor Project Gitlab is temporarily down for a server migration (GitLab migration to another machine cluster | Tor Project status) and it should be back online today (November 29).

We’ve added 5 high-performance WebTunnel relays, prepaid with our provider for 1 year.

4 Likes

It is acceptable to use multiple subdomains or distinct domains.

Can I use domains in .nip.io or alternatives? This is a wildcard domain that can map to the IP of my webserver directly.

:computer: This is my favorite new WebTunnel bridge so far*(not mine)*:
rsoc_in@rkn.gov.ru

transport:webtunnel

2 Likes

Contact
rsoc_in@rkn.gov.ru

@atari is that a joke?

1 Like

You’ll never know, but I guess they would not use that address if trying to understand WebTunnels, but you never know… :wink: Hybrid warfare^^

I’m still getting connections from RU on my standalone snowflake proxies. I would run a webtunnel bridge but I keep borking up my webserver when trying to update the cert @@. Until I fix that, I’m hoping that the snowflake traffic is helping.

2 Likes

Update Dec-11: We’re now at 125 new WebTunnel bridges! To reach our goal, we need 75 more bridges.

5 Likes

Due to the call to provide a WebTunnel Bridge, I have set one up.

But in this context I must once again express my complaint and lack of understanding. The project is asking volunteers for help…

But instead of making sure that an updated Docker image is provided before the campaign, you have to use one that is already 10 months old, has not been updated since then, contains an old Tor version (0.4.8.10?) and exposes the ORPort.

1 Like

Only one of my webtunnel bridges which have no bridge distribution method set in torrc ( #BridgeDistribution) and thus were assigned to a random distribution pool shows traffic, the others just idle, except the regular check from bridgestrap.

They were either assigned HTTPS or settings, so it does not really seem random.

The one showing traffic was in the rotation on the bridges.torproject.org. When will the settings webtunnel bridges see some traffic? Guess the expectation for new bridge operators would be to get some users/traffic…

And is there any possibility to search on metrics for Bridge distribution mechanism like it is possible for Transport protocols? Like https://metrics.torproject.org/rs.html#search/transport:webtunnel