[tor-bugs] #20943 [Obfuscation/Obfsproxy]: Clarify documentation for obfs4 setup

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Dec 10 20:20:28 UTC 2016


#20943: Clarify documentation for obfs4 setup
---------------------------------------+-----------------
     Reporter:  kaie                   |      Owner:  asn
         Type:  task                   |     Status:  new
     Priority:  Medium                 |  Milestone:
    Component:  Obfuscation/Obfsproxy  |    Version:
     Severity:  Normal                 |   Keywords:
Actual Points:                         |  Parent ID:
       Points:                         |   Reviewer:
      Sponsor:                         |
---------------------------------------+-----------------
 I'd like to provide feedback on configuring a Tor bridge with obfs4
 enabled.

 It was difficult, and it took me several hours to figure it out, because
 the installation guides that I found weren't clear enough.

 Maybe this feedback can help to clarify the existing guides that talk
 about obfs4 configuration.


 First, I read a suggestion somewhere to use
   ExtORPort auto
 which defines the port used by obfs(4)proxy, and that port should ideally
 be bound to localhost only.

 The above was a major source of confusion; it never worked for me. Only
 when I eventually looked at the README for obfs4proxy, which suggested to
 use a
   ServerTransportListenAddr
 configuration, I realized that the earlier statement might have been
 incorrect.

 Second, it seems that ORPort must be port 443. With other ports, TBB gave
 me complaints that it failed to access the bridge IP with the configured
 bridge port, although that port was clearly reachable. Only after I
 configured ORPort to use 443 did that error message on the client side go
 away.

 Third, it was confusing which hash/fingerprint must be used in the
 bridge configuration line.
 Looking at the tor logfile, it prints two different lines with
 fingerprints:
     Your Tor server's identity key fingerprint is '...first-hash...'
     Your Tor bridge's hashed identity key fingerprint is '...second-hash...'

 From my naive point of view, it seemed obvious to use the second-hash,
 because it's labeled as being the bridge hash.
 But I found that it only works if I use the first server identity hash.

 Fourth, for the configuration values PORT-FOR-OBFS4 and PORT-FOR-OBFS3,
 you should pick numbers greater than 1024, because otherwise obfs4proxy
 might have trouble using that port.

 Also, because I am installing on a host with multiple IP addresses, I'm
 providing the additional configuration parameters that are required to
 bind everything to the correct IP.


 Below is what I use in /etc/tor/torrc:
 --------
 ORPort IPADDRESS:443
 Address IPADDRESS
 OutboundBindAddress IPADDRESS

 ## 0 means: private bridge, do not publish
 ## 1 means: bridge information automatically published
 PublishServerDescriptor 0

 SocksPort 0
 BridgeRelay 1
 Exitpolicy reject *:*

 ServerTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy --enableLogging --logLevel=INFO
 ServerTransportListenAddr obfs4 IPADDRESS:PORT-FOR-OBFS4
 ServerTransportListenAddr obfs3 IPADDRESS:PORT-FOR-OBFS3

 NickName BRIDGE-NICKNAME

 Log notice file /var/log/tor/notice.log
 --------

 Note you must replace all of the following identifiers with your own
 values:
 - BRIDGE-NICKNAME
 - IPADDRESS
 - PORT-FOR-OBFS4
 - PORT-FOR-OBFS3

 Start Tor (e.g. service tor start)

 Search for your fingerprint:
 grep -i "server.*fingerprint" /var/log/tor/notice.log | tail -1

 In the line that is printed, use the code at the end, which looks like:
 ABDEF1234567890ABDEF1234567890ABDEF12345
 (And use your own code below, where this document uses
 ABDEF1234567890ABDEF1234567890ABDEF12345)

 Get some additional parameters that the obfs4 client configuration
 requires:
 cat /var/lib/tor/pt_state/obfs4_bridgeline.txt

 You need information from the line that looks like:
 Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=bla-bla-bla-bla-bla-bla-bla-bla iat-mode=0


 Now you can assemble the complete line to use your bridge, again, replace
 the values with the correct ones:

 obfs4 IPADDRESS:PORT-FOR-OBFS4 ABDEF1234567890ABDEF1234567890ABDEF12345 cert=bla-bla-bla-bla-bla-bla-bla-bla iat-mode=0

 The above configuration also enabled obfs3 on a separate port. The
 configuration line for the obfs3 bridge is simpler:

 obfs3 IPADDRESS:PORT-FOR-OBFS3 ABDEF1234567890ABDEF1234567890ABDEF12345

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20943>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
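The fingerprint lookup and bridge-line assembly steps from the report above, written out as an added example; this is not code from the ticket, from tor or from obfs4proxy. The log lines, the cert value, the IP address and the port are constructed samples, and the script encodes the ticket's three pitfalls as checks: it takes the unhashed server identity fingerprint (not the "hashed" one), it reads cert= and iat-mode= from obfs4_bridgeline.txt, and it refuses an obfs4 port at or below 1024.

```python
import re

# Constructed sample inputs, not copied from the ticket: the two fingerprint lines tor
# writes to notice.log (nickname, then the 40-hex fingerprint, inside the quotes) and
# the template line obfs4proxy writes to /var/lib/tor/pt_state/obfs4_bridgeline.txt.
SAMPLE_CERT = ("aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789+/" * 2)[:70]
SAMPLE_NOTICE_LOG = (
    "Dec 10 20:00:01.000 [notice] Your Tor server's identity key fingerprint is "
    "'mybridge 0123456789ABCDEF0123456789ABCDEF01234567'\n"
    "Dec 10 20:00:01.000 [notice] Your Tor bridge's hashed identity key fingerprint is "
    "'mybridge FEDCBA9876543210FEDCBA9876543210FEDCBA98'\n"
)
SAMPLE_BRIDGELINE_TXT = (
    "# obfs4 torrc client bridge line (constructed sample)\n"
    f"Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert={SAMPLE_CERT} iat-mode=0\n"
)

# Only the *server's identity* line matches; the "hashed identity key" line does not.
FP_RE = re.compile(r"server's identity key fingerprint is '(?:\S+ )?([0-9A-Fa-f]{40})'")
CERT_RE = re.compile(r"^Bridge obfs4 .*cert=([A-Za-z0-9+/]+) iat-mode=([0-2])", re.M)


def server_fingerprint(log_text):
    """Return the last unhashed server identity fingerprint, the one the Bridge line needs."""
    matches = FP_RE.findall(log_text)
    if not matches:
        raise ValueError("no server identity fingerprint line in log")
    return matches[-1].upper()


def bridge_params(bridgeline_text):
    """Extract cert= and iat-mode= from the obfs4_bridgeline.txt template line."""
    m = CERT_RE.search(bridgeline_text)
    if m is None:
        raise ValueError("no 'Bridge obfs4' line found")
    return m.group(1), m.group(2)


def assemble_bridge_line(ip, port, fingerprint, cert, iat_mode):
    """Build the client-side obfs4 line, checking the pitfalls from the ticket."""
    if not 1024 < port < 65536:
        raise ValueError("obfs4 port should be above 1024 (unprivileged)")
    if not re.fullmatch(r"[0-9A-F]{40}", fingerprint):
        raise ValueError("fingerprint must be 40 hex characters")
    if len(cert) != 70:  # 20-byte node ID + 32-byte key, base64 without padding
        raise ValueError("obfs4 cert should be 70 base64 characters")
    return f"obfs4 {ip}:{port} {fingerprint} cert={cert} iat-mode={iat_mode}"


def demo():
    """Assemble the line from the constructed samples (IP and port are placeholders)."""
    cert, iat = bridge_params(SAMPLE_BRIDGELINE_TXT)
    return assemble_bridge_line("192.0.2.10", 4443, server_fingerprint(SAMPLE_NOTICE_LOG), cert, iat)
```

Point the two sample constants at the real /var/log/tor/notice.log and obfs4_bridgeline.txt contents to get the line for your own bridge; the obfs3 line is the same without the cert= and iat-mode= parameters.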