Hi,
Just setting up a new bridge, on a new VPS, to complement the relay I run at home and have a couple of questions regarding best practices.
I set the bridge up from scratch, so it has no connections back to my relay fingerprint etc. as I understand that's "a bad thing".
I've seen a few comments mentioning the lack of obfs4 bridges using port 443, so as I don't run any kind of webserver on the VPS I can do this. I also wanted to run an obfuscated bridge on port 80, but it seems that you can only run a single instance of obfs4. Searching around, the most common setup I found was this:
ServerTransportListenAddr obfs3 [::]:80
ServerTransportListenAddr obfs4 [::]:443
Is this the best way to support both port 80 and 443, or is there a better way?
Next, the ORPort. There seems to be confusing information about setting this up, in conjunction with obfs4proxy. Again, my setup:
ORPort 9001
ORPort [--my public ipv6 address--]:9002
Again, is this the best way, as I've seen some information that says avoid 9001, but others say it's OK to use for a bridge, with obfs4proxy.
Cheers.
On Wed, Dec 18, 2019 at 12:12:03PM -0800, Eddie wrote:
I've seen a few comments mentioning the lack of obfs4 bridges using port 443, so as I don't run any kind of webserver on the VPS I can do this. I also wanted to run an obfuscated bridge on port 80, but it seems that you can only run a single instance of obfs4. Searching around, the most common setup I found was this:
ServerTransportListenAddr obfs3 [::]:80
ServerTransportListenAddr obfs4 [::]:443
Is this the best way to support both port 80 and 443, or is there a better way?
You cannot run two obfs4 instances under one Tor instance. You will either have to start two Tor instances or configure a port forward from port 80 to 443.
Also, there's no point in running both obfs3 and obfs4: If a bridge runs multiple transports and some are resistant to active probing attacks (scramblesuit, obfs4) while others aren't (vanilla Tor, obfs2, obfs3, fte), then BridgeDB won't hand out the bridge's vulnerable transports because they constitute a liability to the resistant transports. See the following ticket for more details: https://bugs.torproject.org/28655
Next, the ORPort. There seems to be confusing information about setting this up, in conjunction with obfs4proxy. Again, my setup:
ORPort 9001
ORPort [--my public ipv6 address--]:9002
Ideally, it shouldn't be necessary to expose an OR port if one is only running an obfs4 bridge. Unfortunately, we're not quite there yet: https://bugs.torproject.org/7349
I suggest selecting a random OR port other than 9001.
Again, is this the best way, as I've seen some information that says avoid 9001, but others say it's OK to use for a bridge, with obfs4proxy.
It's best to avoid port 9001 because this port is commonly associated with Tor. Censors could easily scan the entire IPv4 address space for port 9001 and block whatever turns out to be a Tor bridge.
Cheers, Philipp
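An added example, not from the thread or from the Tor project: a small POSIX shell script that renders a torrc along the lines Philipp describes (obfs4 only, on 443, with a random OR port that is never 9001), prints the port-80 redirect he mentions as the alternative to a second obfs4 instance, and lints an existing torrc for the two settings he advises against. The obfs4proxy path and the use of iptables for the NAT rule are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: torrc per Philipp's advice (obfs4 only
# on 443, random non-9001 OR port) plus the port-80 redirect he mentions.
# Assumptions: obfs4proxy at /usr/bin/obfs4proxy; iptables for the NAT rule.
set -eu

# Unprivileged OR port in 1024..65535, never 9001 (the well-known Tor port)
# and never 443 (reserved here for the obfs4 listener).
pick_orport() {
    p=9001
    while [ "$p" -eq 9001 ] || [ "$p" -eq 443 ]; do
        p=$(( ( $(od -An -N2 -tu2 /dev/urandom) % 64512 ) + 1024 ))
    done
    echo "$p"
}

# Print a bridge torrc. $1 = OR port, $2 = obfs4 port (443 in the thread).
# tor spawns obfs4proxy as its own unprivileged user, so binding a port
# below 1024 needs CAP_NET_BIND_SERVICE on the obfs4proxy binary.
render_torrc() {
    cat <<EOF
BridgeRelay 1
ORPort $1
ExtORPort auto
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 [::]:$2
PublishServerDescriptor bridge
EOF
}

# Redirect so clients that reach port 80 land on the obfs4 listener ($1),
# instead of a second obfs4 instance, which one tor cannot run.
# Printed rather than executed so this runs without root; review, then apply.
forward_rule() {
    echo "iptables  -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports $1"
    echo "ip6tables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports $1"
}

# Lint an existing torrc ($1) for the two settings the thread warns about.
# Returns 1 if either is present.
lint_torrc() {
    rc=0
    grep -Eq '^ORPort[[:space:]]+([^[:space:]]+:)?9001([[:space:]]|$)' "$1" \
        && { echo "ORPort 9001: well-known Tor port, easy to scan for"; rc=1; }
    grep -Eq '^ServerTransportListenAddr[[:space:]]+obfs3' "$1" \
        && { echo "obfs3 next to obfs4: BridgeDB will not hand it out"; rc=1; }
    return $rc
}
```

Run `render_torrc "$(pick_orport)" 443` to get the torrc and `forward_rule 443` to get the two redirect rules; `lint_torrc /etc/tor/torrc` checks a bridge you already have.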
Thanks for the follow up.
On 12/18/2019 3:20 PM, Philipp Winter wrote:
On Wed, Dec 18, 2019 at 12:12:03PM -0800, Eddie wrote:
I've seen a few comments mentioning the lack of obfs4 bridges using port 443, so as I don't run any kind of webserver on the VPS I can do this. I also wanted to run an obfuscated bridge on port 80, but it seems that you can only run a single instance of obfs4. Searching around, the most common setup I found was this:
ServerTransportListenAddr obfs3 [::]:80
ServerTransportListenAddr obfs4 [::]:443
Is this the best way to support both port 80 and 443, or is there a better way?
You cannot run two obfs4 instances under one Tor instance. You will either have to start two Tor instances or configure a port forward from port 80 to 443.
Let me look into the easiest option for this. For now, I've just dropped the obfs3:80 part.
Also, there's no point in running both obfs3 and obfs4: If a bridge runs multiple transports and some are resistant to active probing attacks (scramblesuit, obfs4) while others aren't (vanilla Tor, obfs2, obfs3, fte), then BridgeDB won't hand out the bridge's vulnerable transports because they constitute a liability to the resistant transports. See the following ticket for more details: https://bugs.torproject.org/28655
Next, the ORPort. There seems to be confusing information about setting this up, in conjunction with obfs4proxy. Again, my setup:
ORPort 9001
ORPort [--my public ipv6 address--]:9002
Ideally, it shouldn't be necessary to expose an OR port if one is only running an obfs4 bridge. Unfortunately, we're not quite there yet: https://bugs.torproject.org/7349
I suggest selecting a random OR port other than 9001.
Done.
Again, is this the best way, as I've seen some information that says avoid 9001, but others say it's OK to use for a bridge, with obfs4proxy.
It's best to avoid port 9001 because this port is commonly associated with Tor. Censors could easily scan the entire IPv4 address space for port 9001 and block whatever turns out to be a Tor bridge.
Cheers, Philipp
Cheers.