
Tor Bridges and Pluggable Transports: How to Bypass Censorship

By Vishnu

Using Tor is straightforward in most countries — you download the browser, click Connect, and you’re in. But in countries that block Tor (China, Iran, Russia, Belarus, and others), a direct connection fails. The Tor Project has built two layers of defense against this: bridges and pluggable transports.

Bridges hide who you’re connecting to. Pluggable transports hide what kind of traffic you’re sending. Together, they make it nearly impossible for censors to block Tor.

  • Bridges are private, unlisted Tor relays — censors can’t block them by IP because they don’t know the IPs
  • Pluggable transports transform Tor traffic to look like something innocent — random noise, a video call, or regular HTTPS
  • Four transports are built into Tor Browser: obfs4, Snowflake, WebTunnel, and meek
  • obfs4 is the best general-purpose transport — makes traffic look like random data
  • Snowflake routes through volunteer proxies — looks like a WebRTC video call
  • WebTunnel hides inside regular HTTPS — newest and hardest to detect
  • meek routes through major CDNs — works but slower

Why Bridges Exist

Tor’s network has roughly 7,000 public relays (as of 2026). Their IP addresses are published so clients can find them. That’s also the problem — censors download the same list and block every IP.

Bridges solve this by being unlisted. A bridge relay is not in the public directory. Its IP address is distributed through private channels:

  • The Tor Project’s bridge website (bridges.torproject.org)
  • Email (bridges@torproject.org from a Gmail or Outlook address)
  • Telegram bot (@GetBridgesBot)
  • Built-in bridge requests in Tor Browser (Moat API)

A censor who doesn’t know the bridge’s IP cannot block it. But a bridge alone doesn’t solve the entire problem.


Why You Also Need Pluggable Transports

Even with a bridge, your connection to it looks like a Tor connection. The Tor protocol has recognizable characteristics — TLS handshake patterns, cell sizes, timing. Censors with Deep Packet Inspection (DPI) equipment can identify Tor traffic even when it’s connecting to an unknown IP.

Pluggable transports transform the traffic so it no longer looks like Tor. To the censor, it looks like random noise, a video call, or an HTTPS request to a regular website.

| Transport | What It Looks Like | Year Deployed | Detection Risk |
|---|---|---|---|
| obfs4 | Random noise (no recognizable pattern) | 2014 | Low — looks like nothing |
| Snowflake | WebRTC video call (like Google Meet) | 2021 | Low — looks like everyday traffic |
| WebTunnel | Regular HTTPS to a normal website | 2024 | Very low — hardest to distinguish |
| meek | HTTPS to a major CDN (Azure, CloudFront) | 2013 | Medium — domain fronting is known |

The Four Pluggable Transports Explained

obfs4 — The Workhorse

obfs4 makes every byte of Tor traffic statistically indistinguishable from random data. There is no TLS handshake, no protocol header, no structure that a censor could fingerprint.

A passive observer sees a stream of random bytes. To block obfs4, a censor would have to block all traffic that looks random — which is essentially all encrypted traffic. That’s not practical.

obfs4 also prevents censors from finding bridges through Internet scanning. Even if a censor scans the entire IPv4 space, they cannot distinguish an obfs4 bridge from any other server running an encrypted service.

Best for: Most censorship scenarios. Start here.

Snowflake — The Proxy Network

Snowflake takes a different approach. Instead of obfuscating traffic, it routes it through short-lived proxies running in volunteers’ browsers. To the censor, the connection looks like a WebRTC video call — the same protocol used by Google Meet, Zoom, and Discord.

When you use Snowflake:

  1. Your Tor client contacts a “broker” server to find a proxy
  2. The broker connects you with a volunteer running Snowflake in their browser
  3. Your traffic goes through their browser as a WebRTC stream
  4. The volunteer’s browser relays it to the Tor network

Since Snowflake proxies run in ordinary browsers, blocking Snowflake means blocking WebRTC — which would break video calling, gaming, and other popular services.

Best for: When obfs4 is blocked. Light censorship scenarios.

WebTunnel — The Newcomer

WebTunnel is the newest transport, deployed in 2024. It wraps Tor traffic inside an HTTPS WebSocket connection to what appears to be a normal web server.

The bridge operator runs a real website alongside the WebTunnel service. Visitors using a regular browser see a normal-looking site. Only Tor clients presenting the correct authentication key get upgraded to a Tor tunnel.

To a censor, the bridge looks indistinguishable from any other small website on a VPS. No high-entropy noise, no domain fronting, no WebRTC signaling. Just a normal HTTPS connection.

Best for: High-risk censorship environments where other transports are detected.

meek — The CDN Router

meek routes traffic through major content delivery networks (CDNs). It uses domain fronting — the TLS Server Name Indication (SNI) says the connection is going to a benign site (like www.google.com), but the HTTP Host header inside the encrypted tunnel actually routes to the bridge.

The censor sees an HTTPS connection to a CDN they can’t block without breaking the Internet. The actual destination is hidden inside the encrypted tunnel.

meek was effective when deployed but has become less useful as CDNs have cracked down on domain fronting. It still works with some providers but is generally slower than obfs4 or Snowflake.

Best for: A fallback when other transports fail.


How to Set Up Bridges in Tor Browser

Method 1: Use Built-In Bridges (Easiest)

  1. Open Tor Browser
  2. Click “Configure Connection” instead of “Connect”
  3. Under Bridges, select “Choose from one of Tor Browser’s built-in bridges”
  4. Click “Select a Built-In Bridge”
  5. Try each option in this order:
    • obfs4 — most reliable transport
    • WebTunnel — newest, hardest to detect
    • Snowflake — good when other transports are blocked
    • meek — fallback option
  6. Click Connect

Method 2: Request a Bridge (When Built-In Bridges Don’t Work)

If none of the built-in bridges connect:

  1. Visit https://bridges.torproject.org (use a regular browser or a friend’s internet)
  2. Complete the CAPTCHA
  3. Choose “obfs4” as the transport type
  4. Copy the bridge lines (they look like bridge obfs4 <ip>:<port> <fingerprint> ...)
  5. In Tor Browser’s Configure Connection screen, select “Enter a bridge address that you already know”
  6. Paste the bridge lines
  7. Click Connect
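Bridge lines are often damaged in transit (truncated by a chat client, wrapped by email), and a malformed line fails without a clear error. The following is an added example, not code from the Tor Project or from this page: a validator for the bridge-line layout shown in step 4. The `cert=` and `iat-mode=` arguments are the obfs4 parameters hidden behind the `...` in that step; the sample line, its fingerprint and its cert value are constructed, and the function name is hypothetical.

```python
import ipaddress
import re

FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
TRANSPORT_RE = re.compile(r"^[a-z][a-z0-9_]*$")

# Constructed sample: documentation-range IP, made-up fingerprint and cert.
SAMPLE = ("bridge obfs4 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567 "
          "cert=CONSTRUCTEDcertVALUEnotREAL iat-mode=0")


def parse_bridge_line(line):
    """Parse '[bridge] <transport> <ip>:<port> <fingerprint> [key=value ...]'.

    Returns a dict, or raises ValueError naming the malformed field.
    """
    tokens = line.split()
    if tokens and tokens[0].lower() == "bridge":  # leading keyword is optional
        tokens = tokens[1:]
    if len(tokens) < 3:
        raise ValueError("expected transport, address and fingerprint")
    transport, addr, fingerprint, *args = tokens
    if not TRANSPORT_RE.match(transport):
        raise ValueError(f"bad transport name: {transport!r}")

    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port in {addr!r}")
    try:
        ip = ipaddress.ip_address(host.strip("[]"))  # IPv6 arrives as [addr]:port
    except ValueError:
        raise ValueError(f"bad IP address in {addr!r}") from None

    if not FINGERPRINT_RE.match(fingerprint):
        raise ValueError("fingerprint must be 40 hex characters")

    params = {}
    for arg in args:
        key, eq, value = arg.partition("=")
        if not (key and eq and value):
            raise ValueError(f"bad transport argument: {arg!r}")
        params[key] = value
    if transport == "obfs4" and not {"cert", "iat-mode"} <= params.keys():
        raise ValueError("obfs4 line is missing cert= or iat-mode=")

    return {"transport": transport, "ip": str(ip), "port": int(port),
            "fingerprint": fingerprint.upper(), "params": params}
```

Run each received line through `parse_bridge_line` before pasting it; a `ValueError` means the line was mangled and should be requested again.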

Method 3: Request Bridges via Email

Send an email to bridges@torproject.org from a Gmail or Outlook address:

  • Subject and body: get transport obfs4 (or get transport snowflake)

You’ll receive bridge lines by reply.

Method 4: Request via Telegram

Add @GetBridgesBot on Telegram and send:

/bridges

The bot sends bridge lines directly in the chat.


Connection Assist — Tor Browser’s Auto-Configuration

Tor Browser 15.0+ includes Connection Assist, a feature that automatically detects when Tor is blocked and tries built-in bridges without manual intervention.

When you click Connect and it fails, Connection Assist:

  1. Detects that Tor is being blocked
  2. Automatically tries obfs4 bridges
  3. If that fails, tries Snowflake
  4. If that fails, tries WebTunnel

This works for most users. You only need manual configuration if Connection Assist exhausts all options.


How to Check If Bridges Are Working

Visit https://check.torproject.org in Tor Browser. If you see a green onion icon saying “Congratulations. This browser is configured to use Tor,” bridges are working.

For advanced diagnostics, open the Tor Browser console (about:tor) or check the connection log. You should see a successful circuit established through your bridge.


Running Your Own Bridge

Any Linux server with internet access can run a Tor bridge. This helps the Tor network and provides bandwidth to censored users.

Quick Setup for obfs4 Bridge

On a Debian/Ubuntu server:

sudo apt update
sudo apt install tor obfs4proxy

Edit /etc/tor/torrc:

BridgeRelay 1
ORPort auto
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ExtORPort auto

Restart Tor:

sudo systemctl restart tor

Your bridge will automatically register with the Tor Project’s bridge database. The bridge’s fingerprint and obfs4 parameters are logged in /var/log/tor/log when Tor starts.
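A small pre-restart check for the four torrc lines above, as an added example that is not part of the original article or of Tor itself. It flags a commented-out or missing `BridgeRelay 1` (which would leave the node not configured as an unlisted bridge) and a transport binary that is not executable; the function names and the `is_executable` hook are hypothetical, and the sample config is the one from this page.

```python
import os

# The configuration from this page, used as the known-good sample.
PAGE_TORRC = """BridgeRelay 1
ORPort auto
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ExtORPort auto
"""


def parse_torrc(text):
    """Return {lowercased option: [values]}, skipping comments and blank lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, *rest = line.split(None, 1)
            opts.setdefault(key.lower(), []).append(rest[0].strip() if rest else "")
    return opts


def audit_bridge_torrc(text, is_executable=lambda p: os.access(p, os.X_OK)):
    """Return a list of problems; an empty list means the bridge lines are present."""
    opts = parse_torrc(text)
    problems = []
    if opts.get("bridgerelay") != ["1"]:
        problems.append("BridgeRelay 1 missing or ambiguous: "
                        "node is not set up as an unlisted bridge")
    for name in ("ORPort", "ExtORPort"):
        if name.lower() not in opts:
            problems.append(f"{name} is not set")
    plugins = [v.split() for v in opts.get("servertransportplugin", [])]
    obfs4 = [p for p in plugins if p and "obfs4" in p[0].split(",")]
    if not obfs4:
        problems.append("no ServerTransportPlugin line for obfs4")
    for p in obfs4:
        if len(p) < 3 or p[1] != "exec":
            problems.append("ServerTransportPlugin obfs4 needs 'exec <path>'")
        elif not is_executable(p[2]):
            problems.append(f"transport binary not executable: {p[2]}")
    return problems


if __name__ == "__main__":
    for problem in audit_bridge_torrc(PAGE_TORRC):
        print("WARN:", problem)
```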

Requirements:

  • Publicly reachable IP (no CGNAT or strict NAT)
  • 5-10 Mbps bandwidth (up and down)
  • 24/7 uptime preferred

Frequently Asked Questions

Do bridges slow down Tor?

Yes. Bridges add an extra hop and obfuscation overhead. Expect connections to be somewhat slower than using public relays directly.

Is running a bridge legal?

In most countries, running a bridge is legal. Check your local laws. Some countries (China, Russia) treat operating circumvention technology as illegal.

Can I be a Snowflake proxy?

Yes. Anyone with a browser can become a Snowflake proxy:

  • Visit https://snowflake.torproject.org
  • Click “Run a proxy”
  • Leave the tab open

The proxy only activates when a censored user needs it and uses minimal bandwidth when idle.

What’s the difference between a bridge and a pluggable transport?

A bridge is a relay (a server). A pluggable transport is a protocol (how traffic is disguised). Bridges often use pluggable transports, but they’re different things.

Which transport should I try first?

obfs4. It’s the most battle-tested, widely deployed, and effective for general censorship. Only try Snowflake, WebTunnel, or meek if obfs4 doesn’t work in your region.