How to Run a Private Obfs4 Bridge on Windows

This article shows you how to use a Windows 10 computer as a private obfs4 bridge to the Tor network. You could use this arrangement if you want extra privacy while you are traveling and using public Wi-Fi. You could also use it to allow a friend in a foreign country to connect to your home PC as a bridge to the Tor network.

Prerequisites

Before you attempt to follow this procedure, check that you meet these prerequisites:

• You will not be able to use your computer as a bridge if your ISP implements Carrier-Grade Network Address Translation (CGNAT). This is common in some countries and results in many customers sharing the same public IP address. The procedure on this page will not work with CGNAT.
• You need a stable and predictable public IP address. Note that some ISPs will change your IP address if, for example, you experience an extended power cut.
• Your PC’s system time must be correct.
• In a typical home or office network, your Windows computer is behind a router. You will need to have access to your router login screen, and you will need to know the admin user id and password for the router.
• Choose a port number to be your obfs4 port. In the rest of this article, we will use port 12345 as our obfs4 port. It is recommended that you change this example to a number of your own choosing.
• Choose a port number to be your OR port. In the rest of this article, we will use port 3456 as our OR port. It is recommended that you change this example to a number of your own choosing.
• You will need to open your router firewall’s obfs4 port and OR port. You will also need to configure port forwarding from the public obfs4 port to your Windows computer’s obfs4 port, and from the public OR port to your Windows computer’s OR port. The procedure for doing this varies from router to router. Consult your router’s documentation for instructions.
• You will have problems connecting to your bridge if your computer is asleep when you attempt to connect. Set your Windows power options so that your computer never goes to sleep.

1. Open Windows firewall

As well as opening ports in your router’s firewall, you must also open the obfs4 port and OR port in your computer’s firewall:

1. In the Windows desktop search box, search for firewall.
2. Open Windows Defender Firewall.
3. Click Advanced Settings.
4. In the left pane, select Inbound Rules.
5. In the right pane, click New Rule....
6. In the New Inbound Rule Wizard, select Port, and click Next.
7. Select TCP, Specific local ports, type your chosen obfs4 port number (12345 in our example), and click Next.
8. Select Allow the connection, and click Next.
9. Leave Domain, Public, and Private checked, and click Next.
10. Enter the rule name obfs4, and click Finish.
11. Repeat the process of adding a new rule, but this time create a rule for the OR port (3456 in our example) named orport.
12. Close Windows Defender Firewall with Advanced Security.
13. Close Windows Defender Firewall.

2. Download Windows Expert Bundle

The command-line version of Tor for Windows is called the “Windows Expert Bundle.” Download and extract Windows Expert Bundle like this:

1. Open a browser, and head over to https://www.torproject.org.
2. Click the link Download Tor Browser.
3. Scroll down, and click the link Download Tor Source Code.
4. Scroll down to the heading Windows Expert Bundle, and click the Download link.
5. Extract the downloaded file tor-win32-x.x.x.x.zip.
6. In File Manager, create a new folder named C:\Tor.
7. Copy the folders Downloads\tor-win32-x.x.x.x\Data and Downloads\tor-win32-x.x.x.x\Tor.
8. Paste into C:\Tor.

3. Download Windows obfs4proxy

The obfs4 executable for Windows is contained in the Tor Browser Bundle. Therefore download the TBB and extract obfs4proxy.exe as follows:

1. In your browser, visit the page to Download Tor Browser.
2. Click the link marked Download for Windows.
3. Run the downloaded installer executable.
4. Follow the prompts to install Tor Browser.
5. There is no need to run Tor Browser at this stage. Just click Finish at the end of the install.
6. In File Manager, navigate to C:\Users\sig\Desktop\Tor Browser\Browser\TorBrowser\Tor, replacing sig in the file name by your actual Windows user name.
7. Copy the folder PluggableTransports and its contents.
8. Paste into C:\Tor\Tor.

4. Create torrc

Open Windows Notepad. Insert the template below:

Log notice file C:\Tor\Tor\log.txt
GeoIPFile C:\Tor\Data\Tor\geoip
GeoIPv6File C:\Tor\Data\Tor\geoip6
DataDirectory C:\Tor\Data
ORPort 0.0.0.0:3456
ExtORPort auto
BridgeRelay 1
PublishServerDescriptor 1
BridgeDistribution none
ExitPolicy reject *:*
ServerTransportPlugin obfs4 exec C:\Tor\Tor\PluggableTransports\obfs4proxy.exe
ServerTransportListenAddr obfs4 0.0.0.0:12345
ContactInfo yourname@example.com
Nickname PonteMilvio

Change the values to match your environment. In particular, substitute in your own email address and choice of bridge nickname. Also change the OR port number and the obfs4 port number to match your choices of port numbers.

Save the file as C:\Tor\Tor\torrc. Make sure you have saved it with no file extension. It should be named torrc, not torrc.txt. Go into File Explorer, and check the View option for File name extensions. If necessary, rename the file from torrc.txt to simply torrc.

5. Start your bridge running as a Windows service

Install Tor as a new service:

1. In the Windows desktop search box, search for command.
2. Select Command Prompt, and click Run as administrator.
3. Issue the command:

C:\Tor\Tor\tor.exe --service install -options -f C:\Tor\Tor\torrc

Check that your service is started in the service management console:

1. In the Windows desktop search box, search for services.
2. Open the Services app.
3. Locate the Tor Win32 Service you just created.
4. Make sure it is started. If necessary, click the Start button to start the service now.

Look in your specified log file, C:\Tor\Tor\log.txt. After a couple of minutes, you should see a line:

[notice] Bootstrapped 100% (done): Done.

6. Construct your bridge line

Open File Explorer. Locate and examine the file C:\Tor\Data\pt_state\obfs4_bridgeline.txt. You will see a starter template for your bridge line in this format:

Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=WZglM4wOpFMokeKggz1KwUWcDbt3BTjPtPJZ8vLayK2a01aX//qa9EpAB18E6QaKHSs2KQ iat-mode=0

Look in your log file, C:\Tor\Tor\log.txt. You should see a line that includes the fingerprint and looks like this:

[notice] Your Tor server's identity key fingerprint is 'PonteMilvio 577BBCF6AA0079EAE2FBE25E6A8919E460598D52'

Substitute your actual values into the template. Here is an example of a completed bridge line:

Bridge obfs4 12.34.56.78:12345 577BBCF6AA0079EAE2FBE25E6A8919E460598D52 cert=WZglM4wOpFMokeKggz1KwUWcDbt3BTjPtPJZ8vLayK2a01aX//qa9EpAB18E6QaKHSs2KQ iat-mode=0

7. Test your bridge

Carry out an end-to-end test using Tor Browser from a PC with a different public IP address. Provide your obfs4 bridge line during network configuration.

8. Final notes

If you have any problems, examine the log file, C:\Tor\Tor\log.txt.

If you need support, have a look at the Tor Project Getting Help page.

If your bridge is running correctly, after a few hours it will be searchable by fingerprint only (not by IP address) at https://metrics.torproject.org/rs.html.