
Pluggable Transports: Defeating Deep Packet Inspection with obfs4

How obfs4 and lyrebird hide your Tor traffic from ISPs and national firewalls.

The problem: Tor traffic is recognizable

Unobfuscated Tor traffic has a distinctive TLS fingerprint. The client-hello handshake, the cipher suite ordering, and the packet timing patterns are all recognizable to deep packet inspection (DPI) systems. ISPs, mobile carriers, and national firewalls can and do block Tor connections by fingerprint alone — without needing to decrypt a single byte.

This is the problem pluggable transports were designed to solve.

How pluggable transports work

A pluggable transport sits between your Tor client and the bridge relay. Instead of sending Tor's raw traffic over the wire, it wraps the data in a different protocol that looks innocuous to DPI. The bridge on the far end unwraps it and forwards to the Tor network.

obfs4 (obfuscation protocol 4) is the current gold-standard transport. It:

  • Randomizes packet sizes and timing to defeat traffic-flow analysis.
  • Uses an Elligator2-encoded Diffie-Hellman key exchange that produces statistically uniform random bytes — indistinguishable from noise to an observer.
  • Authenticates the bridge using a node ID and public key embedded in the bridge line, preventing active probing attacks.

lyrebird

lyrebird is the Go implementation of obfs4 (and several other transports). It ships inside the Tor Expert Bundle at resources/tor/pluggable_transports/lyrebird[.exe]. KillNode does not download any additional binary — it uses what is already in the bundle.

Using bridges in KillNode

  1. Visit bridges.torproject.org and request obfs4 bridges.
  2. Copy the bridge lines (they look like: obfs4 1.2.3.4:12345 FINGERPRINT cert=... iat-mode=0).
  3. In KillNode, toggle Bridges (obfs4 / lyrebird) and paste the lines into the textarea.
  4. Restart Tor (Stop → Activate). KillNode writes the correct torrc directives automatically.

The torrc section KillNode generates:

UseBridges 1
ClientTransportPlugin obfs4 exec /path/to/lyrebird
Bridge obfs4 1.2.3.4:12345 FINGERPRINT cert=... iat-mode=0
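
Because the pasted textarea content ends up in torrc, anything that is not a well-formed bridge line should be refused before the file is written. The sketch below is an added example, not KillNode's own code: the function names and sample values are assumptions, and it relies on the obfs4 convention that cert= is the unpadded base64 of the 20-byte node ID followed by the 32-byte public key.

```python
import base64
import ipaddress
import re

# Grammar of the obfs4 bridge line shown in step 2 (IPv4 or bracketed IPv6).
BRIDGE_RE = re.compile(
    r"obfs4 (?P<host>[0-9.]+|\[[0-9A-Fa-f:]+\]):(?P<port>\d{1,5}) "
    r"(?P<fp>[0-9A-Fa-f]{40}) cert=(?P<cert>[A-Za-z0-9+/]{70}) iat-mode=(?P<iat>[012])"
)

def parse_bridge_line(line):
    """Validate one pasted bridge line; raise ValueError if it is malformed."""
    m = BRIDGE_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError("not an obfs4 bridge line: %r" % line[:40])
    ipaddress.ip_address(m["host"].strip("[]"))  # raises ValueError if invalid
    port = int(m["port"])
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    # cert= is unpadded base64 of the 20-byte node ID plus the 32-byte public key.
    raw = base64.b64decode(m["cert"] + "==", validate=True)
    if len(raw) != 52:
        raise ValueError("cert does not decode to 52 bytes")
    return {"host": m["host"], "port": port, "fingerprint": m["fp"].upper(),
            "node_id": raw[:20], "public_key": raw[20:], "cert": m["cert"],
            "iat_mode": int(m["iat"])}

def render_torrc(pasted, lyrebird_path):
    """Build the bridge section from textarea input, rejecting anything else."""
    bridges = [parse_bridge_line(l) for l in pasted.splitlines() if l.strip()]
    if not bridges:
        raise ValueError("no bridge lines supplied")
    # lyrebird_path is assumed to come from the application, not from the user.
    out = ["UseBridges 1", "ClientTransportPlugin obfs4 exec " + lyrebird_path]
    for b in bridges:
        out.append("Bridge obfs4 %s:%d %s cert=%s iat-mode=%d" % (
            b["host"], b["port"], b["fingerprint"], b["cert"], b["iat_mode"]))
    return "\n".join(out) + "\n"

# Constructed sample values (documentation IP range, dummy key material).
SAMPLE_CERT = base64.b64encode(bytes(range(52))).decode().rstrip("=")
SAMPLE_LINE = ("obfs4 192.0.2.10:443 " + "0123456789ABCDEF" * 2 + "01234567"
               + " cert=" + SAMPLE_CERT + " iat-mode=0")

if __name__ == "__main__":
    print(render_torrc(SAMPLE_LINE, "/path/to/lyrebird"), end="")
    try:  # a stray torrc directive pasted into the textarea is refused
        render_torrc(SAMPLE_LINE + "\nSocksPort 0.0.0.0:9050", "/path/to/lyrebird")
    except ValueError as exc:
        print("rejected:", exc)
```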

When you need bridges

  • Your ISP or country actively blocks Tor (common in China, Iran, Russia, Belarus).
  • You are on a corporate network with DPI that filters non-whitelisted TLS.
  • You want to reduce the probability of passive detection even where Tor is not blocked.

Bridges are slower than direct Tor connections — expect 30–90 seconds of extra bootstrap time. Once connected, throughput is comparable.