Tor Obfuscation Protocols Compared: obfs4, meek, Snowflake, WebTunnel

**obfs4:** - Traffic appearance: random bytes (no recognizable protocol pattern) - Bridge type: requires an obfs4 bridge server IP to connect to - Bandwidth: good (minimal overhead) - Detection resistance: High against passive DPI; vulnerable to active probing (GFW finds bridge servers via probing) - Status in China (2026): bridges blocked quickly (hours to days after becoming public) - Getting bridges: bridges.torproject.org or built into Tor Browser **meek-azure / meek-amazon:** - Traffic appearance: HTTPS web traffic to Azure or Amazon CDN - Bridge type: domain fronting - goes to Azure/Amazon CDN first - Bandwidth: limited (CDN rate limiting, typically 2-5 Mbps) - Detection resistance: Very high (blocking it means blocking all Azure/Amazon traffic - unacceptable for China) - Status in China (2026): meek-azure typically works because China cannot block Azure CDN comprehensively - Weakness: very slow, high latency **Snowflake:** - Traffic appearance: WebRTC (video conferencing protocol) - Bridge type: volunteer-operated browser proxies - Bandwidth: variable (depends on volunteer bridge capacity) - Detection resistance: High (WebRTC blocking would break video conferencing) - Status in China (2026): generally works, periodically slowed - Getting bridges: automatically embedded in Tor Browser **WebTunnel (new in 2024-2025):** - Traffic appearance: legitimate HTTPS WebSocket - Bridge type: bridge runs behind real HTTPS website on same IP - Bandwidth: good - Detection resistance: Very high - indistinguishable from real HTTPS traffic - Status: newer, still expanding bridge pool

**China:** First choice: Snowflake (reliable WebRTC traffic, widely available) Second: meek-azure (always works but slow) Third: obfs4 with fresh private bridges (public bridges get blocked quickly; private bridges from bridges.torproject.org's CAPTCHA have longer lifespan) Avoid: plain obfs4 with stale bridges **Iran:** First choice: Snowflake (recommended by digital rights organizations) Second: obfs4 (Iran's DPI is less aggressive against obfs4 than China's GFW) Both work reliably in most periods **Russia:** First choice: obfs4 (works well in Russia, blocking is less systematic than China) Second: Snowflake Russia blocks Tor direct connections but bridge users generally work **Belarus:** obfs4 or Snowflake both work. Belarus has demonstrated complete internet shutdown capability but normally obfs4 is accessible. **Setting up bridges in Tor Browser:** Settings -> Connection -> Use a bridge -> Select from built-in bridges or provide bridge address. For Snowflake: just enable it, no address needed.

Running your own private obfs4 bridge on a VPS provides more reliable bypass than public bridges (which get blocked quickly). Your bridge is not listed publicly, so it is not proactively blocked. On Anubiz Host Iceland VPS: ```bash apt update && apt install tor obfs4proxy -y cat >> /etc/tor/torrc << 'EOF' BridgeRelay 1 ORPort 9001 ExtORPort auto ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy ServerTransportListenAddr obfs4 0.0.0.0:47843 PublishServerDescriptor bridge EOF systemctl restart tor # Get your bridge line: cat /var/lib/tor/pt_state/obfs4_bridgeline.txt ``` Share this bridge line (obfs4 YOUR_IP:47843 FINGERPRINT cert=...) only with trusted users. Private bridge lines are not in the public bridge database and resist probing-based blocking. This is also how Tor anti-censorship teams deploy bridges - individual private bridges with limited distribution.