Hello,
We’re trying to get a 10GbE dual-stack public obfs4 bridge online, but we are presumably having some trouble with obfs4. I wished to open a bug, but my request for an account via https://gitlab.onionize.space/ is not being approved.
These two recent tickets appear to be related:
https://gitlab.torproject.org/tpo/core/tor/-/issues/40311
https://gitlab.torproject.org/tpo/core/tor/-/issues/40107
Ubuntu Server 20.10
tor 0.4.5.7
obfs4proxy 0.8
Firewall accepts TCP/UDP 80/443.
Metrics link: https://metrics.torproject.org/rs.html#details/7ADC8C6BF93197830FDF3E06DFB4D...
torrc:
BridgeRelay 1
ORPort 80
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:443
ExtORPort auto
ContactInfo tech@emeraldonion.org
Nickname EmeraldOnionBridge1
MaxMemInQueues 8192MB
Log notice file /var/log/tor/notices.log
Log notice syslog
Tor Browser connect errors:
“obfs4 [2620:18c:0:192::194]:443 7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3”
3/26/21, 18:46:55.269 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with [2620:18c:0:192::194]:443 ID=H50HNwR2NkpCR9QPST8MdPfmTC43YyZ7sswt9yDTJGA RSA_ID=7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3 ("general SOCKS server failure")
“obfs4 [2620:18c:0:192::194]:443”
3/26/21, 18:47:33.467 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with [scrubbed] ("general SOCKS server failure")
“[2620:18c:0:192::194]”
3/26/21, 19:03:52.905 [WARN] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (TLS_ERROR; TLS_ERROR; count 2; recommendation warn; host 7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3 at 2620:18c:0:192::194:443)
3/26/21, 19:03:52.905 [WARN] 2 connections have failed:
3/26/21, 19:03:52.905 [WARN] 2 connections died in state handshaking (TLS) with SSL state SSLv3/TLS write client hello in HANDSHAKE
“23.129.64.194”
3/26/21, 19:06:43.811 [WARN] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (DONE; DONE; count 3; recommendation warn; host 0000000000000000000000000000000000000000 at 23.129.64.194:443)
3/26/21, 19:06:43.811 [WARN] 3 connections have failed:
3/26/21, 19:06:43.811 [WARN] 3 connections died in state handshaking (TLS) with SSL state SSLv3/TLS write client hello in HANDSHAKE
No issues:
“[2620:18c:0:192::194]:80 7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3”
“23.129.64.194:80 7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3”
Notices log output:
Mar 26 11:38:29.000 [notice] Tor 0.4.5.7 opening log file.
Mar 26 11:38:29.600 [notice] We compiled with OpenSSL 1010106f: OpenSSL 1.1.1f 31 Mar 2020 and we are running with OpenSSL 1010106f: 1.1.1f. These two versions should be binary compatible.
Mar 26 11:38:29.601 [notice] Tor 0.4.5.7 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1f, Zlib 1.2.11, Liblzma 5.2.4, Libzstd 1.4.5 and Glibc 2.32 as libc.
Mar 26 11:38:29.601 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Mar 26 11:38:29.601 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Mar 26 11:38:29.601 [notice] Read configuration file "/etc/tor/torrc".
Mar 26 11:38:29.603 [notice] Opening Socks listener on 127.0.0.1:9050
Mar 26 11:38:29.603 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9050
Mar 26 11:38:29.603 [notice] Opening OR listener on 0.0.0.0:80
Mar 26 11:38:29.603 [notice] Opened OR listener connection (ready) on 0.0.0.0:80
Mar 26 11:38:29.603 [notice] Opening OR listener on [::]:80
Mar 26 11:38:29.603 [notice] Opened OR listener connection (ready) on [::]:80
Mar 26 11:38:29.603 [notice] Opening Extended OR listener on 127.0.0.1:0
Mar 26 11:38:29.603 [notice] Extended OR listener listening on port 40739.
Mar 26 11:38:29.603 [notice] Opened Extended OR listener connection (ready) on 127.0.0.1:40739
Mar 26 11:38:30.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Mar 26 11:38:30.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Mar 26 11:38:30.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Mar 26 11:38:30.000 [notice] Your Tor server's identity key fingerprint is 'EmeraldOnionBridge1 7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3'
Mar 26 11:38:30.000 [notice] Your Tor bridge's hashed identity key fingerprint is 'EmeraldOnionBridge1 09E23FA5AD9CF64DBEFE88A39A2F1EB215E44B53'
Mar 26 11:38:30.000 [notice] Your Tor server's identity key ed25519 fingerprint is 'EmeraldOnionBridge1 H50HNwR2NkpCR9QPST8MdPfmTC43YyZ7sswt9yDTJGA'
Mar 26 11:38:30.000 [notice] Bootstrapped 0% (starting): Starting
Mar 26 11:38:36.000 [notice] Starting with guard context "default"
Mar 26 11:38:36.000 [notice] Signaled readiness to systemd
Mar 26 11:38:36.000 [notice] Registered server transport 'obfs4' at '[::]:443'
Mar 26 11:38:37.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Mar 26 11:38:37.000 [notice] Opening Socks listener on /run/tor/socks
Mar 26 11:38:37.000 [notice] Opened Socks listener connection (ready) on /run/tor/socks
Mar 26 11:38:37.000 [notice] Opening Control listener on /run/tor/control
Mar 26 11:38:37.000 [notice] Opened Control listener connection (ready) on /run/tor/control
Mar 26 11:38:37.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Mar 26 11:38:37.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
Mar 26 11:38:37.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
Mar 26 11:38:37.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Mar 26 11:38:37.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Mar 26 11:38:37.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Mar 26 11:38:38.000 [notice] Bootstrapped 100% (done): Done
Mar 26 11:38:38.000 [notice] Now checking whether IPv4 ORPort 23.129.64.194:80 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Mar 26 11:38:38.000 [notice] Now checking whether IPv6 ORPort [2620:18c:0:192::194]:80 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Mar 26 11:38:39.000 [notice] Self-testing indicates your ORPort [2620:18c:0:192::194]:80 is reachable from the outside. Excellent.
Mar 26 11:38:39.000 [notice] Self-testing indicates your ORPort 23.129.64.194:80 is reachable from the outside. Excellent. Publishing server descriptor.
Mar 26 11:40:32.000 [notice] Performing bandwidth self-test...done.
A prior torrc config set the IPs explicitly, but had the same result:
ServerTransportListenAddr obfs4 23.129.64.194:443
ServerTransportListenAddr obfs4 [2620:18c:0:192::194]:443
I can provide debug logs as necessary. Possibly of note, our firewall does not use connection tracking and applies the same rules as our exit relays which use the same ports.
Pro-active note: The bridge shares the same 23.129.64.0/24 subnet as Emerald Onion's Tor exit relays, so there is no risk of a user entering and exiting our physical network (see "2.2. Path selection and constraints"): https://github.com/torproject/torspec/blob/master/path-spec.txt
Cheers,
--
Christopher Sheats
Executive Director for Emerald Onion
Email: yawnbox@emeraldonion.org
Phone: +1 206-739-3390
Web: https://emeraldonion.org/
tor-relays@lists.torproject.org