OONI reports of Tor blocking in certain ISPs since 2021-12-01

For some reason, Psiphon on Domru is now fine, while TOR on Megafon is even more degraded:

Now: Tor censorship test result in Russia
Was: Tor censorship test result in Russia

:thinking: :thinking: :thinking:

The filtering towards IP addresses of Tor relays is in effect in Moscow, Tomsk (Zelenaya Tochka TOMSK LLC), Penza (ER-Telecom), Perm (ER-Telecom), Medvedevo (ER-Telecom), Khabarovsk (Transtelecom), Kemerovo (Regional Information Technologies Ltd.), UFA (JSC Ufanet), Ulyanovsk (MTS), Kazan (two unnamed ISP), Novosibirsk (Sibirskie Seti, Truenetwork), Armavir (CityTelekom), Chita (Chitatehenergy), Omsk (RusHost), Voronezh (Transtelecom), Volzhskiy.

Latest RIPE Atlas measurements (sort by “majority” and watch for timeouts)


Is the block on ajax.aspnetcdn.com still present? In the OONI web connectivity test, I see anomalies between 2021-12-01 and 2021-12-08, but the most recent anomaly is 2021-12-08 13:07, and there are many “accessible” measurements since then.

Yes, it is still getting blocked, but only on some ISP. Not accessible in Moscow from Beeline, Tele2, Yota, but people report from other cities that ajax.aspnetcdn.com works but Tor relays do not.


Patched snowflake-client builds for testing

@cohosh from the Tor anti-censorship team has made updated Snowflake packages to remove the DTLS fingerprint distinguisher found by @ValdikSS. The change is already merged into Tor Browser and will be available in the next release. But you can test the modified snowflake-client now. If any problems are discovered, there is still a short time to make changes for the next Tor Browser release.

The tests require a moderate level of technical ability—you need to replace a file in the Tor Browser folder, or run a command from the command line. Less technical users, it is better to wait for the next release.

Testing with Tor Browser

Download the .tar.gz file for your platform and extract it. Open your Tor Browser directory and find the snowflake-client binary:

platform location
linux TorBrowser/Tor/PluggableTransports/snowflake-client
osx Contents/MacOS/Tor/PluggableTransports/snowflake-client
windows TorBrowser/Tor/PluggableTransports/snowflake-client.exe

Rename the existing binary to snowflake-client.backup, and copy the binary from the .tar.gz file into its old location.

Start Tor Browser and choose Snowflake from Tor Network Settings.

Testing from the command line

Download the .tar.gz file for your platform and extract it. Go into the directory containing the snowflake-client binary and create a file called torrc.snowflake:

SocksPort auto
UseBridges 1
Bridge snowflake 2B280B23E1107BB62ABFC40DDCC8824814F80A72
ClientTransportPlugin snowflake exec ./snowflake-client -log snowflake-client.log -url https://snowflake-broker.torproject.net.global.prod.fastly.net/ -front cdn.sstatic.net -ice stun:stun.l.google.com:19302,stun:stun.voip.blackberry.com:3478,stun:stun.altar.com.pl:3478,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.sonetel.net:3478,stun:stun.stunprotocol.org:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478

Now run tor using that configuration file:

$ tor -f torrc.snowflake

You will know it is working as soon as you see:

new bridge descriptor 'flakey' (fresh): $2B280B23E1107BB62ABFC40DDCC8824814F80A72~flakey at

You can also try using the Tor SOCKS proxy port shown in the log:

Opened Socks listener on

For example,

$ curl --proxy socks5h:// https://check.torproject.org/ | head
<html lang="en_US">
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />

      Congratulations. This browser is configured to use Tor.

If it does not work, there are logs in the file snowflake-client.log. Logs like the following are a sign of a working connection:

WebRTC: DataChannel.OnOpen
---- Handler: snowflake assigned ----
Traffic Bytes (in|out): 6806 | 134462 -- (19 OnMessages, 138 Sends)
Traffic Bytes (in|out): 1051010 | 33510 -- (854 OnMessages, 169 Sends)
WebRTC: At capacity [1/1]  Retrying...
Traffic Bytes (in|out): 72898 | 10833 -- (85 OnMessages, 29 Sends)
Traffic Bytes (in|out): 3972 | 2363 -- (9 OnMessages, 7 Sends)

Tor Browser for Android with replaced snowflake: tor-browser-10.5.10-android-armv7-multi-aligned-debugSigned.apk

Psiphon capture dumps of failed connections.
psiphon-ru-tele2-09dec2021.7z (332.6 KB)

Many psiphon vpn regions work fine, but some do not. Automatic region selection connects successfully.

The Psiphon Data Engine has a region-specific search:

Public results only go back 14 days, so take a screenshot if you want to make a record. I don’t see any notable change in the graph that ends 2021-12-08.

Updates on Tor obfs4:

Release candidate builds of Tor Browser with the patched Snowflake are available. These builds also have a new default obfs4 bridge. If no problems are discovered during testing, these builds will become release 11.5a1.


For Telegram users, there is also Telegram: Contact @tor_bridges

We need testers to check if our new default bridge is blocked in your ISP. Thanks!

Yota, Beeline, Tele2 — all blocked, as well as my test relay, which was reachable 15 hours ago.

ISP “tiera” from Saint-Petersburg with TSPU. Tor is blocked

When you say “all blocked,” are you talking about the new default bridge mentioned by @gus?

Yes. This new relay is not accessible from these ISP.

So if I am reading this thread correctly, the situation today is:


  • Tor project website
  • Unobfuscated relays
  • Widely publicized obfs4 bridges

Open for now

  • Tor project website mirrors
  • Snowflake alpha with newest patch
  • Newly added obfs4 bridges
  • Meek-azure ?

Last resorts

  • Private obfs4 bridges
  • Private pre-proxy (V2Ray or Shadowsocks)

The “last resorts” are limited to those who have the resources to set up a private server, which they could possibly share with trusted contacts.

Not all of them. I requested some public bridges and they worked

Also, i use tunelled ipv6 and its not filtered
This in torrc worked :

ClientUseIPv4 0
ClientUseIPv6 1

I don’t know whether TSPU equipped ISPs with ipv6 also block ipv6 tor entry ips
Only a few ISPs in Russia have ipv6