WebTunnel Tor Bridge Setup: HTTPS Traffic Obfuscation Guide
WebTunnel is a Tor bridge transport that encapsulates Tor traffic inside WebSocket connections that look identical to regular HTTPS traffic to a web server. Unlike obfs4 (which looks like random noise that can still be fingerprinted as 'not HTTPS'), WebTunnel traffic is indistinguishable from a user browsing a legitimate HTTPS website. This makes WebTunnel the most censorship-resistant bridge transport available in 2026, particularly effective in China, Iran, and Kazakhstan where DPI systems specifically identify and block known obfuscation protocols. This guide covers deploying a WebTunnel bridge with a domain and TLS certificate.
WebTunnel requires three components: (1) a Tor relay running the WebTunnel server transport plugin, (2) a domain name pointing to your server, (3) a valid TLS certificate for the domain (issued by a trusted CA like Let's Encrypt). The WebTunnel client (integrated in Tor Browser 13.5+) connects to your domain via HTTPS using the WebSocket upgrade protocol. From the perspective of a network observer or DPI system, the connection looks like a WebSocket connection to a legitimate web server - a common pattern for web applications. The actual Tor traffic is wrapped inside the WebSocket frames, which are encrypted by TLS, making the inner content invisible to DPI. The domain must be resolvable via public DNS and the TLS certificate must be valid - this is what makes WebTunnel look legitimate.
Domain and Certificate Setup
Obtain a domain name for your WebTunnel bridge. Register a domain (or use a subdomain of an existing domain) whose name does not obviously identify it as a Tor bridge. If possible, use a registrar that does not require ID documents for domain registration (Njalla, EPIK with pseudonymous registration, or similar). Point the domain's A record to your VPS IP address.

Install Certbot and request a Let's Encrypt certificate:

    apt install certbot python3-certbot-nginx
    certbot --nginx -d yourbridge.example.com

This creates a valid TLS certificate that browsers trust, making WebTunnel connections appear as connections to a real HTTPS server. Certificates renew automatically via the systemd timer installed by the certbot package. Verify that the renewal timer is active:

    systemctl status certbot.timer
Tor and WebTunnel Plugin Installation
Install Tor and the WebTunnel transport plugin. First add the Tor Project's repository signing key:

    curl -fsSL https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/tor.gpg

Then add deb.torproject.org to your apt sources and install the packages:

    apt install tor tor-geoipdb webtunnel

Configure torrc for WebTunnel:

    BridgeRelay 1
    PublishServerDescriptor bridge
    ServerTransportPlugin webtunnel exec /usr/bin/webtunnel
    ServerTransportListenAddr webtunnel 127.0.0.1:15000
    ServerTransportOptions webtunnel url=https://yourbridge.example.com/PATH
    ORPort 443

Replace PATH with a random string that serves as the WebSocket endpoint path. The random path (e.g., /aBc3dEf7gHi) is part of the bridge line that users need to connect. It is not secret (it appears in the bridge line), but using a non-obvious path reduces casual discovery.
Nginx Configuration for WebTunnel
Configure Nginx both to serve a legitimate web page (so the domain looks real) and to proxy WebSocket connections to the WebTunnel transport plugin. nginx.conf:

    server {
        listen 443 ssl;
        server_name yourbridge.example.com;
        ssl_certificate /etc/letsencrypt/live/yourbridge.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/yourbridge.example.com/privkey.pem;

        location / {
            root /var/www/html;
            index index.html;
        }

        location /aBc3dEf7gHi {
            proxy_pass http://127.0.0.1:15000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
        }
    }

The root location serves a legitimate-looking HTML page (a simple blog, personal homepage, or placeholder). The /path location proxies WebSocket connections to WebTunnel. A network observer sees HTTPS traffic to your domain with WebSocket upgrade requests to a specific path - indistinguishable from any modern web application using WebSockets.
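The torrc and Nginx settings above have to agree on the hostname, the random path and the loopback listener, so a pre-start consistency check is worth running. The following is an added example, not code from this guide or from the Tor Project; the `lint` and `directive` helpers are hypothetical, and the embedded configs are constructed samples that reuse the guide's placeholder values. It also flags an ORPort that reuses a port Nginx listens on, since two processes cannot bind the same address and port.

```python
import re
from urllib.parse import urlparse

# Constructed samples using the guide's placeholder values.
TORRC = """ORPort 443
ServerTransportListenAddr webtunnel 127.0.0.1:15000
ServerTransportOptions webtunnel url=https://yourbridge.example.com/aBc3dEf7gHi
"""
NGINX = """server {
  listen 443 ssl;
  server_name yourbridge.example.com;
  location / { root /var/www/html; index index.html; }
  location /aBc3dEf7gHi {
    proxy_pass http://127.0.0.1:15000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
  }
}
"""

def directive(torrc, pattern):
    """Return the first capture of a torrc directive, or '' if absent."""
    m = re.search(pattern, torrc, re.M)
    return m.group(1) if m else ""

def lint(torrc, nginx):
    """List inconsistencies between torrc and the Nginx server block."""
    findings = []
    url = urlparse(directive(torrc, r"^ServerTransportOptions\s+webtunnel\s+url=(\S+)"))
    listen = directive(torrc, r"^ServerTransportListenAddr\s+webtunnel\s+(\S+)")
    orport = directive(torrc, r"^ORPort\s+(\S+)")
    if url.scheme != "https" or not url.hostname:
        return ["ServerTransportOptions url is missing or not https"]
    if not re.search(r"server_name\s[^;]*" + re.escape(url.hostname), nginx):
        findings.append("server_name does not cover " + url.hostname)
    loc = re.search(r"location\s+" + re.escape(url.path) + r"\s*\{([^}]*)\}", nginx)
    if not loc:
        findings.append("no location block for " + url.path)
    elif not re.search(r"proxy_pass\s+http://" + re.escape(listen) + r"/?;", loc.group(1)):
        findings.append("proxy_pass does not target " + listen)
    elif "proxy_set_header Upgrade" not in loc.group(1):
        findings.append("WebSocket Upgrade header is not forwarded")
    if not listen.startswith("127."):
        findings.append("transport listener is not bound to loopback")
    # Assumes wildcard listens: Tor and Nginx cannot both bind the same port.
    ports = set(re.findall(r"listen\s+(?:\S*:)?(\d+)", nginx))
    if orport.rsplit(":", 1)[-1] in ports and not orport.startswith("127."):
        findings.append("ORPort " + orport + " collides with an Nginx listen port")
    return findings
```

On the sample values the only finding is the ORPort collision. The Tor Project's own WebTunnel instructions use ORPort 127.0.0.1:auto together with AssumeReachable 1, which this check accepts.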
Getting the Bridge Line and Distribution
After starting Tor, retrieve the bridge line, or check the Tor logs for it:

    grep 'webtunnel' /var/lib/tor/pt_state/webtunnel_bridgeline.txt

The bridge line format:

    webtunnel yourIP:443 FINGERPRINT url=https://yourbridge.example.com/aBc3dEf7gHi

Share this bridge line via BridgeDB (set BridgeDistribution via-bridgedb) or distribute it directly to censored users. For BridgeDB distribution: set BridgeDistribution in torrc (https, email, or any). For private bridges (not in BridgeDB): share directly with trusted contacts. WebTunnel bridges are scarce compared to obfs4 bridges - your contribution is particularly valuable. After 2-4 weeks, check Tor Metrics to confirm users from censored countries are connecting.