TORZON GATEWAY — BRIDGE CONFIGURATION GUIDE

Open Tor Browser and click Connect. Watch the bootstrap progress closely.

• Reaches 100% in < 30s: Your network is unrestricted. Skip directly to step 5.
• Stalls at 10–25%: The ISP is blocking guard relay IPs. You need a bridge with any transport.
• Bootstrap completes but .onion times out: DPI is fingerprinting Tor TLS post-handshake. You need obfuscated traffic — obfs4 or meek.
• Bridge connects then drops: Active probing is identifying bridges by behaviour. snowflake (which moves) is your best option.

obfs4 is the right starting point for ~80% of blocked networks. It wraps Tor traffic in a randomized byte stream that defeats most DPI signatures. Configure inside Tor Browser:

1. Open Settings → Connection
2. Under Bridges, choose Use a bridge
3. Select Use a built-in bridge → obfs4 for the easy path, or Add a bridge manually to paste a fingerprint-rotated line from our signed list
4. A bridge line looks like: obfs4 IP:PORT FINGERPRINT cert=<base64> iat-mode=0
5. Click Connect — the bootstrap should now complete in 30–90 seconds

Some firewalls enumerate published obfs4 bridge IPs and block them faster than the directory rotates. Snowflake routes through ephemeral WebRTC proxies hosted by volunteers — the proxy IPs change constantly, making bulk blocklists impractical.

• In Settings → Connection → Bridges, pick Use a built-in bridge → snowflake
• Tor will now use a STUN signaling broker to rendezvous with a random WebRTC proxy
• Your traffic looks like a video call to passive observers — same WebRTC handshake, same UDP/TLS fingerprint
• Expect higher latency (200–400 ms) but considerable resilience against IP enumeration

Snowflake pairs particularly well with Mirror β — that endpoint's upstream relays are tuned for snowflake's jitter profile.

Some networks — corporate offices, hotel WiFi, university LANs — only allow outbound HTTPS to a small set of well-known CDN domains. meek-azure tunnels Tor traffic inside an HTTPS connection to *.azureedge.net, which the firewall sees as innocuous Microsoft traffic.

• In Settings → Connection → Bridges, pick Use a built-in bridge → meek-azure
• Tor wraps the entire circuit inside HTTPS to a Microsoft Azure edge node
• Domain fronting puts a different SNI on the wire than the host header — the CDN, not the firewall, decides where to route
• Expect the highest latency of the three transports (250–500 ms) — but it works through almost any TLS-permitting filter

Even with a pluggable transport, your ISP sees that you connect to a single odd endpoint for hours at a time. Adding a no-log VPN as the outer layer means the ISP sees only well-known VPN protocol traffic to a generic VPN provider — Tor usage becomes invisible at the ISP level.

• Connect the VPN before launching Tor Browser (the VPN → Tor configuration)
• Pick a provider in a privacy-friendly jurisdiction that accepts cryptocurrency for signup
• Verify the VPN does not perform DNS leaks: visit dnsleaktest.com via the VPN before opening Tor
• If the VPN itself is blocked locally, use a VPN obfuscation mode (WireGuard over WebSocket, or Shadowsocks)

Do not use the inverse Tor → VPN layout. It exposes you to the VPN provider as a Tor exit, which is not what you want.

When desktop access is unavailable, mobile remains a viable path. Both major platforms have battle-tested Tor clients with full bridge support.

Android — Orbot 17+:

1. Install Orbot from F-Droid (preferred) or Google Play
2. Open Settings → Bridges — paste an obfs4 line, scan a bridge QR, or pick snowflake
3. Toggle VPN Mode to route the entire phone through Tor, or pick per-app to limit it to Tor Browser for Android
4. Open Tor Browser for Android, paste a Torzon mirror address, browse

iOS — Onion Browser 3+:

1. Install Onion Browser from the App Store
2. On first launch choose Configure bridges — built-in obfs4, snowflake or meek-azure are all available
3. Tap Connect, wait for the circuit, then load a Torzon mirror
4. Set the security slider to Gold for the equivalent of Tor Browser's "Safest" setting

When every public transport is blocked — and for hostile jurisdictions this does happen — running your own bridge is the most reliable solution. A private bridge IP that has never been published cannot be on any blocklist.

1. Rent a $5/month VPS in a privacy-friendly jurisdiction. Pay in XMR if possible
2. Install Tor with obfs4 support: apt install tor obfs4proxy
3. Add to /etc/tor/torrc:

   BridgeRelay 1
   ORPort 443
   ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
   ServerTransportListenAddr obfs4 0.0.0.0:9001
   ExtORPort auto
   ContactInfo your-pgp-keyid
   PublishServerDescriptor 0

4. The PublishServerDescriptor 0 line is critical — it keeps the bridge unlisted in any directory
5. Restart tor and read the bridge line from /var/lib/tor/pt_state/obfs4_bridgeline.txt
6. Paste that bridge line into Tor Browser back home, behind the firewall

A single private bridge can comfortably serve 5–10 users — enough for a household, a newsroom, or a small civil-society organization in a censored region. Share the bridge line out-of-band, never via channels likely to be monitored.