Standalone obfsproxy apparmor profile etc.

Not sure if this is the right place to post or if this will help anybody, but I think I figured out how to run a standalone (NOT managed) obfs3 obfsproxy on Ubuntu 14.04 with a somewhat confined AppArmor profile running under the debian-tor user. I verified this by looking at ps and it shows "debian-tor [...] /usr/bin/python /usr/bin/obfsproxy obfs3[...]". aa-status says /usr/bin/obfsproxy is in enforce mode, and removing "network inet stream," for example from the aa profile results in obfsproxy failing to start. The line in the profile for "/usr/** r," is ugly, but replacing it with "/usr/bin/** r," didn't work. Obfsproxy log messages also seem to be going to /dev/null, so I'm missing something there. So Linux/AppArmor experts, is there anything bad/wrong with this setup? Am I relatively safe from bad guys hacking into my obfsproxy ports? How can I see if the good guys are using it successfully? The aa profile does not work for managed instances of obfsproxy. It complained about wanting read access to nsswitch.conf and /etc/passwd and I don't know enough python to understand why it wants that, so I didn't add it.
Below is also attached:

/etc/tor/torrc [just the relevant lines, using iptables to redirect from advertised obfs3port to actual]
-------------------
ServerTransportPlugin obfs3 proxy a.b.c.d:[advertisedobfs3port]
ExtORPort auto
-------------------

/etc/apparmor.d/usr.bin.obfsproxy
-------------------
# vim:syntax=apparmor
#include <tunables/global>

/usr/bin/obfsproxy {
  #include <abstractions/base>
  #include <abstractions/python>

  network inet stream,

  /var/log/tor/log rw,
  /dev/urandom r,
  /dev/random r,
  /usr/** r,
  /usr/bin/obfsproxy rix,
}
-------------------

/etc/init.d/obfsproxy
-------------------
#!/bin/bash
PIDFILE="/var/run/obfsproxy/obfsproxy.pid"
DEST="127.0.0.1:[ORPort]"
SERVER="a.b.c.d:[obfs3port]"
# $DAEMON is expanded unquoted below: the first "--" ends start-stop-daemon's
# own option parsing, so everything after it becomes the argument list of the
# --startas program, i.e. aa-exec --profile=/usr/bin/obfsproxy -- /usr/bin/obfsproxy obfs3 ...
DAEMON="/usr/bin/obfsproxy -- --profile=/usr/bin/obfsproxy -- /usr/bin/obfsproxy obfs3 --dest $DEST server $SERVER"

### BEGIN INIT INFO
# Provides:          Obfsproxy
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Obfsproxy
### END INIT INFO

case "$1" in
  start)
    echo "Starting Obfsproxy"
    /sbin/start-stop-daemon --make-pidfile --background --oknodo --start --pidfile $PIDFILE \
      --chuid debian-tor:debian-tor --startas /usr/sbin/aa-exec --exec $DAEMON
    ;;
  stop)
    echo "Stopping Obfsproxy"
    /sbin/start-stop-daemon --stop --pidfile $PIDFILE --verbose
    ;;
  restart|reload)
    /sbin/start-stop-daemon --stop --pidfile $PIDFILE --verbose
    sleep 1
    /sbin/start-stop-daemon --make-pidfile --background --oknodo --start --pidfile $PIDFILE \
      --chuid debian-tor:debian-tor --startas /usr/sbin/aa-exec --exec $DAEMON
    ;;
  *)
    echo "Usage: /etc/init.d/obfsproxy {start|stop|restart|reload}"
    exit 1
    ;;
esac

exit 0
-------------------
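Added example, not part of the original post or of obfsproxy/Tor: a small POSIX shell script that automates the checks the post does by hand (aa-status for enforce mode, ps for the debian-tor user) and lists the `**` glob rules in the profile that are worth a second look. Every check reads command output from stdin, so the script dry-runs on constructed sample output embedded below; `--live` runs the same checks on real `aa-status` and `ps` output (root is needed for aa-status). The PIDs, the 203.0.113.5:443 / 127.0.0.1:9001 addresses and the exact layout of the aa-status process lines in the samples are assumptions, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for a
# standalone obfsproxy confined by the /usr/bin/obfsproxy profile.
# Every check reads command output from stdin, so the script dry-runs on
# the constructed samples below; "--live" feeds it real aa-status/ps output.

PROFILE="/usr/bin/obfsproxy"
EXPECTED_USER="debian-tor"

# aa-status output on stdin: is profile $1 listed under "enforce mode"?
profile_enforced() {
    awk -v p="$1" '
        /profiles are in enforce mode/  { sec = "prof_enforce"; next }
        /profiles are in complain mode/ { sec = "other"; next }
        /processes have profiles/       { sec = "other"; next }
        sec == "prof_enforce" && $1 == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# aa-status output on stdin: print PIDs running under profile $1 in enforce
# mode (assumed line shape "   /usr/bin/obfsproxy (4242)", or with the
# interpreter first on newer aa-status versions); fail if there are none.
confined_pids() {
    awk -v p="$1" '
        /processes are in enforce mode/  { sec = "proc_enforce"; next }
        /processes are in complain mode/ { sec = "other"; next }
        /unconfined/                     { sec = "other"; next }
        sec == "proc_enforce" && ($1 == p || $3 == p) {
            gsub(/[()]/, "", $2); print $2; n++
        }
        END { exit n ? 0 : 1 }'
}

# "ps -eo user=,pid=,args=" output on stdin: does PID $1 run as user $2?
pid_runs_as() {
    awk -v pid="$1" -v u="$2" '$2 == pid && $1 == u { ok = 1 }
                               END { exit ok ? 0 : 1 }'
}

# AppArmor profile text on stdin: print path rules that use a "**" glob,
# e.g. "/usr/** r,", so the broad ones can be reviewed one by one.
broad_path_rules() {
    sed -n 's/^[[:space:]]*\(\/[^[:space:]]*\*\*[^,]*,\).*/\1/p'
}

# Run all confinement checks over aa-status text ($1) and ps text ($2).
check_confinement() {
    printf '%s\n' "$1" | profile_enforced "$PROFILE" \
        || { echo "FAIL: $PROFILE is not in enforce mode"; return 1; }
    pids=$(printf '%s\n' "$1" | confined_pids "$PROFILE") \
        || { echo "FAIL: no process is confined by $PROFILE"; return 1; }
    for pid in $pids; do
        printf '%s\n' "$2" | pid_runs_as "$pid" "$EXPECTED_USER" \
            || { echo "FAIL: pid $pid does not run as $EXPECTED_USER"; return 1; }
    done
    echo "OK: $PROFILE enforced; pid(s) $pids run as $EXPECTED_USER"
}

# Constructed sample output (not captured from a real host).
SAMPLE_AA_STATUS='apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /usr/bin/obfsproxy
   /usr/sbin/tcpdump
1 profiles are in complain mode.
   /usr/sbin/cupsd
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/bin/obfsproxy (4242)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/cupsd (4300)'

SAMPLE_PS='root          1 /sbin/init
debian-tor 4242 /usr/bin/python /usr/bin/obfsproxy obfs3 --dest 127.0.0.1:9001 server 203.0.113.5:443
root       4300 /usr/sbin/cupsd -F'

SAMPLE_PROFILE='/usr/bin/obfsproxy {
  #include <abstractions/base>
  network inet stream,
  /var/log/tor/log rw,
  /usr/** r,
  /usr/bin/obfsproxy rix,
}'

case "${1:-}" in
    --live)  # real host; aa-status needs root
        check_confinement "$(aa-status)" "$(ps -eo user=,pid=,args=)"
        echo "Rules with ** globs:"; broad_path_rules < /etc/apparmor.d/usr.bin.obfsproxy ;;
    *)       # offline dry run on the constructed samples
        check_confinement "$SAMPLE_AA_STATUS" "$SAMPLE_PS"
        echo "Rules with ** globs:"; printf '%s\n' "$SAMPLE_PROFILE" | broad_path_rules ;;
esac
```

Run it with no arguments to see the dry run, or as root with `--live` after `/etc/init.d/obfsproxy start`. One thing these checks cannot see: `start-stop-daemon --background` redirects the child's stdin, stdout and stderr to /dev/null unless `--no-close` is also given, so an obfsproxy started this way without a log-file option has nowhere to write its messages; that matches the log lines vanishing, and the `/var/log/tor/log rw,` rule in the profile only helps once obfsproxy is actually pointed at that file.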
participants (1)
-
thegreatwent@Safe-mail.net