Hi.
Is there a guideline for how long a bridge should exist on a particular IP address? For example, does it make sense to keep a bridge on one IP address forever? Or is it better to move a bridge to a new IP address periodically, perhaps every 120 days?
I ask because I saw traffic to my bridge ramp up fairly steadily, and then quickly drop off to a low number of clients per day.
Thanks!
hope you are all well
t
Five, ten days? I ran a bridge at a provider where IP addresses are easy to release and replace with new ones. Seems to take the censors in China, Iran, Pakistan, etc. less than a week to find and block new bridge IPs.
I gave up in frustration. Meek is a better solution but is not something an individual can readily put into operation. China has cracked down on all GFW bypasses rather successfully, including VPN providers who have a strong financial incentive to succeed. Iran is nearly as good.
I find running a relay more satisfying and would add relays instead of bridges now.
At 19:24 8/16/2015 +0100, you wrote:
> Hi.
> Is there a guideline for how long a bridge should exist on a particular IP address? For example, does it make sense to keep a bridge on one IP address forever? Or is it better to move a bridge to a new IP address periodically, perhaps every 120 days?
> I ask because I saw traffic to my bridge ramp up fairly steadily, and then quickly drop off to a low number of clients per day.
> Thanks!
> hope you are all well
> t
I'd say about a year is ideal. Maybe longer.
It takes a long time for your bridge's IP address to be handed out to users. Once they finally have one, the addresses should remain valid, instead of immediately expiring.
Of course once it looks like your bridge's IP address has been exposed, drop the bridge and move it.
Tom
starlight.2015q3@binnacle.cx wrote on 16/08/15 at 20:49:
> Five, ten days? I ran a bridge at a provider where IP addresses are easy to release and replace with new ones. Seems to take the censors in China, Iran, Pakistan, etc. less than a week to find and block new bridge IPs.
> I gave up in frustration. Meek is a better solution but is not something an individual can readily put into operation. China has cracked down on all GFW bypasses rather successfully, including VPN providers who have a strong financial incentive to succeed. Iran is nearly as good.
> I find running a relay more satisfying and would add relays instead of bridges now.
> At 19:24 8/16/2015 +0100, you wrote:
>> Hi.
>> Is there a guideline for how long a bridge should exist on a particular IP address? For example, does it make sense to keep a bridge on one IP address forever? Or is it better to move a bridge to a new IP address periodically, perhaps every 120 days?
>> I ask because I saw traffic to my bridge ramp up fairly steadily, and then quickly drop off to a low number of clients per day.
>> Thanks!
>> hope you are all well
>> t
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Tom van der Woerdt transcribed 7.7K bytes:
> I'd say about a year is ideal. Maybe longer.
> It takes a long time for your bridge's IP address to be handed out to users. Once they finally have one, the addresses should remain valid, instead of immediately expiring.
> Of course once it looks like your bridge's IP address has been exposed, drop the bridge and move it.
> Tom
Hi,
Tom's advice above is pretty solid. Please, do not do as starlight suggested, since (as Tom already mentioned) it takes a while for BridgeDB to distribute your Bridge to enough users.
Since you've seen the traffic drop off, you might want to consider changing IP addresses. Also, if you aren't already, you might want to consider running the obfs4 Pluggable Transport if you can, since it is direct probing resistant and DPI-resistant.
Thanks for running a Bridge!
Thank you, Isis and Tom.
On 08/17/2015 02:04 AM, isis wrote:
> Since you've seen the traffic drop off, you might want to consider changing IP addresses. Also, if you aren't already, you might want to consider running the obfs4 Pluggable Transport if you can, since it is direct probing resistant and DPI-resistant.
With possible config changes in mind, is it best to use ports 80 and 443 for pluggable transports?
IIRC the bridgeDB prefers to hand out at least one bridge with port 80 or 443 open. Right now the bridge runs obfs3 on 80/tcp and obfs4 on 443/tcp. Is that still a desirable setup (despite having to run bits as root)?
thanks again and hope you are well
tim
On Mon, 17 Aug 2015 09:13:21 +0100 Tim Sammut tim@teamsammut.com wrote:
> With possible config changes in mind, is it best to use ports 80 and 443 for pluggable transports?
It'd be nice if more bridges used ports < 1024, yes.
> IIRC the bridgeDB prefers to hand out at least one bridge with port 80 or 443 open. Right now the bridge runs obfs3 on 80/tcp and obfs4 on 443/tcp. Is that still a desirable setup (despite having to run bits as root)?
You don't need to run obfs4proxy as root assuming you are on a modern Linux system, since obfs4proxy works correctly with capabilities.
# setcap 'cap_net_bind_service=+ep' /usr/local/bin/obfs4proxy
Note, this will let any user on the system executing the obfs4proxy binary bind to "privileged" ports, and must be done each time the binary is modified in any way (moved, upgraded, etc.).
IIRC on Debian an extra package needs to be installed to get the setcap executable, but I don't remember what it is off the top of my head.
For more information see setcap(8) and capabilities(7).
Regards,
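
One way to check the two caveats in the message above after each upgrade, as an added example that is not part of the original thread: it verifies that the file capability is still present and that the binary is not executable by every local user. The function names and the --audit switch are hypothetical; getcap is the companion tool to setcap.

```shell
# Added example. The function names and the --audit switch are hypothetical.

# has_bind_cap LINE
# Succeeds if one line of getcap output grants cap_net_bind_service in both
# the effective (e) and permitted (p) sets. Accepts the older libcap layout
# ("file = cap_x+ep") and the newer one ("file cap_x=ep"). Paths containing
# spaces and "all"/removal clauses are not handled.
has_bind_cap() {
    caps=${1#* }       # drop the path
    caps=${caps#= }    # drop the "= " separator of the older layout
    for clause in $caps; do
        names=${clause%%[=+]*}
        flags=${clause#"$names"}
        case ",$names," in
            *,cap_net_bind_service,*) ;;
            *) continue ;;
        esac
        case $flags in
            [=+]*e*p*|[=+]*p*e*) return 0 ;;
        esac
    done
    return 1
}

# others_can_execute FILE
# Succeeds if the "other" class has the execute bit, i.e. every local account
# can run the binary and with it bind to ports below 1024.
others_can_execute() {
    perms=$(ls -ld "$1") || return 2
    case $perms in
        ?????????[xt]*) return 0 ;;
    esac
    return 1
}

# audit_pt_binary FILE: non-zero if the capability is gone or the binary is
# world-executable. Meant to be rerun whenever the binary is replaced.
audit_pt_binary() {
    status=0
    if ! has_bind_cap "$(getcap "$1" 2>/dev/null)"; then
        echo "$1: cap_net_bind_service not set; rerun setcap"; status=1
    fi
    if others_can_execute "$1"; then
        echo "$1: executable by all users; restrict it to the account that runs tor"; status=1
    fi
    return $status
}

# Runs only when invoked as: sh audit.sh --audit /path/to/binary
if [ "${1:-}" = "--audit" ]; then audit_pt_binary "$2"; fi
```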