OONI reports of Tor blocking in certain ISPs since 2021-12-01

Yes, it is still getting blocked, but only on some ISPs. Not accessible in Moscow from Beeline, Tele2, Yota, but people report from other cities that ajax.aspnetcdn.com works but Tor relays do not.


Patched snowflake-client builds for testing

@cohosh from the Tor anti-censorship team has made updated Snowflake packages to remove the DTLS fingerprint distinguisher found by @ValdikSS. The change is already merged into Tor Browser and will be available in the next release. But you can test the modified snowflake-client now. If any problems are discovered, there is still a short time to make changes for the next Tor Browser release.

The tests require a moderate level of technical ability—you need to replace a file in the Tor Browser folder, or run a command from the command line. For less technical users, it is better to wait for the next release.

Testing with Tor Browser

Download the .tar.gz file for your platform and extract it. Open your Tor Browser directory and find the snowflake-client binary:

platform   location
linux      TorBrowser/Tor/PluggableTransports/snowflake-client
osx        Contents/MacOS/Tor/PluggableTransports/snowflake-client
windows    TorBrowser/Tor/PluggableTransports/snowflake-client.exe

Rename the existing binary to snowflake-client.backup, and copy the binary from the .tar.gz file into its old location.

Start Tor Browser and choose Snowflake from Tor Network Settings.

Testing from the command line

Download the .tar.gz file for your platform and extract it. Go into the directory containing the snowflake-client binary and create a file called torrc.snowflake:

SocksPort auto
UseBridges 1
Bridge snowflake 2B280B23E1107BB62ABFC40DDCC8824814F80A72
ClientTransportPlugin snowflake exec ./snowflake-client -log snowflake-client.log -url https://snowflake-broker.torproject.net.global.prod.fastly.net/ -front cdn.sstatic.net -ice stun:stun.l.google.com:19302,stun:stun.voip.blackberry.com:3478,stun:stun.altar.com.pl:3478,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.sonetel.net:3478,stun:stun.stunprotocol.org:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478

Now run tor using that configuration file:

$ tor -f torrc.snowflake

You will know it is working as soon as you see:

new bridge descriptor 'flakey' (fresh): $2B280B23E1107BB62ABFC40DDCC8824814F80A72~flakey at

You can also try using the Tor SOCKS proxy port shown in the log:

Opened Socks listener on

For example,

$ curl --proxy socks5h:// https://check.torproject.org/ | head
<html lang="en_US">
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />

      Congratulations. This browser is configured to use Tor.

If it does not work, there are logs in the file snowflake-client.log. Logs like the following are a sign of a working connection:

WebRTC: DataChannel.OnOpen
---- Handler: snowflake assigned ----
Traffic Bytes (in|out): 6806 | 134462 -- (19 OnMessages, 138 Sends)
Traffic Bytes (in|out): 1051010 | 33510 -- (854 OnMessages, 169 Sends)
WebRTC: At capacity [1/1]  Retrying...
Traffic Bytes (in|out): 72898 | 10833 -- (85 OnMessages, 29 Sends)
Traffic Bytes (in|out): 3972 | 2363 -- (9 OnMessages, 7 Sends)
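An added example, not part of the original post and not Tor Project code: a small Python script that scans snowflake-client.log for the signs of a working connection listed above and totals the traffic counters. The message formats are copied from the excerpt in the post; the verdict labels and the default sample input are this example's own, and the regular expression uses search() on the assumption that real log lines may carry a timestamp prefix.

```python
import re
import sys

# Message formats below are copied from the log excerpt in the post above.
TRAFFIC_RE = re.compile(
    r"Traffic Bytes \(in\|out\): (\d+) \| (\d+) -- \((\d+) OnMessages, (\d+) Sends\)"
)
OPEN_MARK = "WebRTC: DataChannel.OnOpen"
ASSIGNED_MARK = "Handler: snowflake assigned"

# Sample input: the excerpt from the post, used when no log path is given.
SAMPLE = """WebRTC: DataChannel.OnOpen
---- Handler: snowflake assigned ----
Traffic Bytes (in|out): 6806 | 134462 -- (19 OnMessages, 138 Sends)
Traffic Bytes (in|out): 1051010 | 33510 -- (854 OnMessages, 169 Sends)
WebRTC: At capacity [1/1]  Retrying...
Traffic Bytes (in|out): 72898 | 10833 -- (85 OnMessages, 29 Sends)
Traffic Bytes (in|out): 3972 | 2363 -- (9 OnMessages, 7 Sends)
""".splitlines()

def summarize(lines):
    """Count the working-connection signs and total the traffic counters."""
    s = {"opens": 0, "assigned": 0, "reports": 0,
         "bytes_in": 0, "bytes_out": 0, "on_messages": 0, "sends": 0}
    for line in lines:
        m = TRAFFIC_RE.search(line)  # search(): tolerate a timestamp prefix
        if m:
            b_in, b_out, msgs, sends = map(int, m.groups())
            s["reports"] += 1
            s["bytes_in"] += b_in
            s["bytes_out"] += b_out
            s["on_messages"] += msgs
            s["sends"] += sends
        elif OPEN_MARK in line:
            s["opens"] += 1
        elif ASSIGNED_MARK in line:
            s["assigned"] += 1
    return s

def verdict(s):
    """Classify a summary; the three labels are this example's own."""
    if s["opens"] and s["bytes_in"] > 0:
        return "working"
    if s["opens"]:
        return "datachannel-open-no-inbound-traffic"
    return "no-datachannel"

if __name__ == "__main__":
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    summary = summarize(lines)
    print(verdict(summary), summary)
```

Run it with the path to snowflake-client.log as the only argument; when reporting a failure from a censored network, the verdict and the counters are easier to share than the raw log.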

Tor Browser for Android with replaced snowflake: tor-browser-10.5.10-android-armv7-multi-aligned-debugSigned.apk

Psiphon capture dumps of failed connections.
psiphon-ru-tele2-09dec2021.7z (332.6 KB)

Many Psiphon VPN regions work fine, but some do not. Automatic region selection connects successfully.

The Psiphon Data Engine has a region-specific search:

Public results only go back 14 days, so take a screenshot if you want to make a record. I don’t see any notable change in the graph that ends 2021-12-08.

Updates on Tor obfs4:

Release candidate builds of Tor Browser with the patched Snowflake are available. These builds also have a new default obfs4 bridge. If no problems are discovered during testing, these builds will become release 11.5a1.


For Telegram users, there is also Telegram: Contact @tor_bridges

We need testers to check if our new default bridge is blocked in your ISP. Thanks!

Yota, Beeline, Tele2 — all blocked, as well as my test relay, which was reachable 15 hours ago.

ISP “tiera” from Saint-Petersburg with TSPU. Tor is blocked.

When you say “all blocked,” are you talking about the new default bridge mentioned by @gus?

Yes. This new relay is not accessible from these ISPs.

So if I am reading this thread correctly, the situation today is:


  • Tor project website
  • Unobfuscated relays
  • Widely publicized obfs4 bridges

Open for now

  • Tor project website mirrors
  • Snowflake alpha with newest patch
  • Newly added obfs4 bridges
  • Meek-azure ?

Last resorts

  • Private obfs4 bridges
  • Private pre-proxy (V2Ray or Shadowsocks)

The “last resorts” are limited to those who have the resources to set up a private server, which they could possibly share with trusted contacts.

Not all of them. I requested some public bridges and they worked.

Also, I use tunnelled IPv6 and it's not filtered.
This in torrc worked:

ClientUseIPv4 0
ClientUseIPv6 1

I don’t know whether TSPU-equipped ISPs with IPv6 also block IPv6 Tor entry IPs.
Only a few ISPs in Russia have IPv6.

ER-Telecom — IPv6 bridges are working fine and all IPv4 bridges are blocked. YOTA — all blocked.

There are three main bridge distribution methods:

  • https (the Tor Project website)
  • moat (inside Tor Browser)
  • email (send request from Gmail or Riseup email address)

If the Tor Project website is blocked, then so is https. That leaves only moat or email.

It would be interesting to know which method censors are using to discover bridge IP addresses to block. Then volunteers setting up new bridges could use the opposite method.

I thought that BridgeDB did not give out IPv6 bridges. Has that changed? Last time I checked, it was not possible to obtain an IPv6 obfs4 bridge from BridgeDB. It was only possible to obtain “vanilla” (i.e. unencrypted) IPv6 bridges.

Method of testing: Go to https://bridges.torproject.org/options and check the box for "Do you need IPv6 addresses?" If you also request obfs4, you get an error message: "BridgeDB encountered an error. There currently aren't any bridges available... Perhaps you should try going back and choosing a different bridge type!"

You mean all the built-in IPv4 bridges? Surely not all 1,500 total IPv4 bridges in BridgeDB are blocked?