Hello,

 

We’re trying to get a 10GbE dual-stack public obfs4 bridge online, but presumably having some trouble with obfs4.

I wished to open a bug, but my request for an account via https://gitlab.onionize.space/ is not being approved.

 

These two recent tickets appear to be related:

https://gitlab.torproject.org/tpo/core/tor/-/issues/40311

https://gitlab.torproject.org/tpo/core/tor/-/issues/40107

 

Ubuntu Server 20.10
tor 0.4.5.7
obfs4proxy 0.8

Firewall accepts TCP/UDP 80/443.

 

Metrics link: https://metrics.torproject.org/rs.html#details/7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3

 

torrc:

BridgeRelay 1
ORPort 80
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:443
ExtORPort auto
ContactInfo tech@emeraldonion.org
Nickname EmeraldOnionBridge1
MaxMemInQueues 8192MB
Log notice file /var/log/tor/notices.log
Log notice syslog

Tor Browser connect errors:

 

“obfs4 [2620:18c:0:192::194]:443 7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3”

 

3/26/21, 18:46:55.269 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with [2620:18c:0:192::194]:443 ID=H50HNwR2NkpCR9QPST8MdPfmTC43YyZ7sswt9yDTJGA RSA_ID=7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3 ("general SOCKS server failure")

 

“obfs4 [2620:18c:0:192::194]:443”

 

3/26/21, 18:47:33.467 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with [scrubbed] ("general SOCKS server failure")

 

“[2620:18c:0:192::194]”

 

3/26/21, 19:03:52.905 [WARN] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (TLS_ERROR; TLS_ERROR; count 2; recommendation warn; host 7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3 at 2620:18c:0:192::194:443)

3/26/21, 19:03:52.905 [WARN] 2 connections have failed:

3/26/21, 19:03:52.905 [WARN] 2 connections died in state handshaking (TLS) with SSL state SSLv3/TLS write client hello in HANDSHAKE

 

“23.129.64.194”

 

3/26/21, 19:06:43.811 [WARN] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (DONE; DONE; count 3; recommendation warn; host 0000000000000000000000000000000000000000 at 23.129.64.194:443)

3/26/21, 19:06:43.811 [WARN] 3 connections have failed:

3/26/21, 19:06:43.811 [WARN] 3 connections died in state handshaking (TLS) with SSL state SSLv3/TLS write client hello in HANDSHAKE

 

No issues:

 

“[2620:18c:0:192::194]:80 7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3”

 

“23.129.64.194:80 7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3”

 

Notices log output:

 

Mar 26 11:38:29.000 [notice] Tor 0.4.5.7 opening log file.

Mar 26 11:38:29.600 [notice] We compiled with OpenSSL 1010106f: OpenSSL 1.1.1f  31 Mar 2020 and we are running with OpenSSL 1010106f: 1.1.1f. These two versions should be binary compatible.

Mar 26 11:38:29.601 [notice] Tor 0.4.5.7 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1f, Zlib 1.2.11, Liblzma 5.2.4, Libzstd 1.4.5 and Glibc 2.32 as libc.

Mar 26 11:38:29.601 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning

Mar 26 11:38:29.601 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".

Mar 26 11:38:29.601 [notice] Read configuration file "/etc/tor/torrc".

Mar 26 11:38:29.603 [notice] Opening Socks listener on 127.0.0.1:9050

Mar 26 11:38:29.603 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9050

Mar 26 11:38:29.603 [notice] Opening OR listener on 0.0.0.0:80

Mar 26 11:38:29.603 [notice] Opened OR listener connection (ready) on 0.0.0.0:80

Mar 26 11:38:29.603 [notice] Opening OR listener on [::]:80

Mar 26 11:38:29.603 [notice] Opened OR listener connection (ready) on [::]:80

Mar 26 11:38:29.603 [notice] Opening Extended OR listener on 127.0.0.1:0

Mar 26 11:38:29.603 [notice] Extended OR listener listening on port 40739.

Mar 26 11:38:29.603 [notice] Opened Extended OR listener connection (ready) on 127.0.0.1:40739

Mar 26 11:38:30.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.

Mar 26 11:38:30.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.

Mar 26 11:38:30.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.

Mar 26 11:38:30.000 [notice] Your Tor server's identity key  fingerprint is 'EmeraldOnionBridge1 7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3'

Mar 26 11:38:30.000 [notice] Your Tor bridge's hashed identity key  fingerprint is 'EmeraldOnionBridge1 09E23FA5AD9CF64DBEFE88A39A2F1EB215E44B53'

Mar 26 11:38:30.000 [notice] Your Tor server's identity key ed25519 fingerprint is 'EmeraldOnionBridge1 H50HNwR2NkpCR9QPST8MdPfmTC43YyZ7sswt9yDTJGA'

Mar 26 11:38:30.000 [notice] Bootstrapped 0% (starting): Starting

Mar 26 11:38:36.000 [notice] Starting with guard context "default"

Mar 26 11:38:36.000 [notice] Signaled readiness to systemd

Mar 26 11:38:36.000 [notice] Registered server transport 'obfs4' at '[::]:443'

Mar 26 11:38:37.000 [notice] Bootstrapped 5% (conn): Connecting to a relay

Mar 26 11:38:37.000 [notice] Opening Socks listener on /run/tor/socks

Mar 26 11:38:37.000 [notice] Opened Socks listener connection (ready) on /run/tor/socks

Mar 26 11:38:37.000 [notice] Opening Control listener on /run/tor/control

Mar 26 11:38:37.000 [notice] Opened Control listener connection (ready) on /run/tor/control

Mar 26 11:38:37.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay

Mar 26 11:38:37.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay

Mar 26 11:38:37.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done

Mar 26 11:38:37.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits

Mar 26 11:38:37.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits

Mar 26 11:38:37.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit

Mar 26 11:38:38.000 [notice] Bootstrapped 100% (done): Done

Mar 26 11:38:38.000 [notice] Now checking whether IPv4 ORPort 23.129.64.194:80 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)

Mar 26 11:38:38.000 [notice] Now checking whether IPv6 ORPort [2620:18c:0:192::194]:80 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)

Mar 26 11:38:39.000 [notice] Self-testing indicates your ORPort [2620:18c:0:192::194]:80 is reachable from the outside. Excellent.

Mar 26 11:38:39.000 [notice] Self-testing indicates your ORPort 23.129.64.194:80 is reachable from the outside. Excellent. Publishing server descriptor.

Mar 26 11:40:32.000 [notice] Performing bandwidth self-test...done.

 

A prior torrc config set the IPs explicitly, but had the same result:

ServerTransportListenAddr obfs4 23.129.64.194:443
ServerTransportListenAddr obfs4 [2620:18c:0:192::194]:443

I can provide debug logs as necessary. Possibly of note, our firewall does not use connection tracking and applies the same rules as our exit relays which use the same ports.

 

Pro-active note: The bridge shares the same 23.129.64.0/24 subnet as Emerald Onion's Tor exit relays, so there is no risk of a user entering and exiting our physical network (see "2.2. Path selection and constraints"): https://github.com/torproject/torspec/blob/master/path-spec.txt

 

Cheers,

 

--

Christopher Sheats

Executive Director for Emerald Onion

Email: yawnbox@emeraldonion.org

Phone: +1 206-739-3390

Web: https://emeraldonion.org/
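
The client entries tried in the message above, run through a small bridge-line consistency checker (an added example, not part of the original message and not Tor or obfs4proxy code). It assumes that a usable obfs4 entry carries the `cert=` and `iat-mode=` arguments that obfs4proxy writes to `obfs4_bridgeline.txt` on the bridge, and that tor falls back to port 443 when an entry names none, as the quoted warnings show; `CERT-PLACEHOLDER`, `TRIED` and the function names are constructed for illustration.

```python
import re

# Constructed from the torrc and the client entries quoted in the message.
TORRC = """ORPort 80
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:443
"""
FP = "7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3"
TRIED = [
    f"obfs4 [2620:18c:0:192::194]:443 {FP}",
    "23.129.64.194",
    f"23.129.64.194:80 {FP}",
    # Constructed: shape of a complete obfs4 line; the cert value is a placeholder.
    f"obfs4 23.129.64.194:443 {FP} cert=CERT-PLACEHOLDER iat-mode=0",
]
ADDR = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[0-9.]+)(?::(\d+))?$")
LISTEN = re.compile(r"^\s*ServerTransportListenAddr\s+(\S+)\s+\S*:(\d+)\s*$", re.M)

def parse_bridge_line(line):
    """Split '[transport] addr[:port] [fingerprint] [k=v ...]' into its parts."""
    tokens = line.split() or [""]
    transport = None if ADDR.match(tokens[0]) else tokens.pop(0)
    m = ADDR.match(tokens.pop(0)) if tokens else None
    if m is None:
        raise ValueError(f"no address in bridge line: {line!r}")
    port = int(m.group(2) or 443)  # assumption: tor falls back to 443, as in the logs
    fp = tokens.pop(0) if tokens and "=" not in tokens[0] else None
    return transport, m.group(1), port, fp, dict(t.split("=", 1) for t in tokens)

def check(line, torrc=TORRC):
    """List the ways a client bridge entry disagrees with the bridge's torrc."""
    transport, _host, port, _fp, args = parse_bridge_line(line)
    pts = {}  # transport name -> ports from ServerTransportListenAddr
    for name, p in LISTEN.findall(torrc):
        pts.setdefault(name, set()).add(int(p))
    if transport is None:  # vanilla entry: tor speaks TLS straight to this port
        return [f"plain OR connection aimed at {n} port {port}"
                for n, ports in sorted(pts.items()) if port in ports]
    findings = [] if port in pts.get(transport, set()) else [
        f"{transport} is not listening on port {port}"]
    if transport == "obfs4":
        findings += [f"missing {k}=" for k in ("cert", "iat-mode") if k not in args]
    return findings

if __name__ == "__main__":
    for entry in TRIED:
        print(entry, "->", check(entry) or "consistent with torrc")
```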