[tor-project] Arranging new default obfs4 bridges

David Fifield david at bamsoftware.com
Mon Mar 20 00:26:00 UTC 2017


On Tue, Mar 14, 2017 at 04:13:13PM +0100, Mart van Santen wrote:
> In that case I do not see any problems to run a few, to a maximum of 4.
> For example 2 in Europe, and 2 in Asia.
> 
> Please let me know if you want us to move forward with this.

Yes, I think we're ready for you to move forward. Please send me the
bridge lines in private email and I will take care of filing the necessary
tickets.

We need a slightly special configuration for the default bridges. The
main thing is that the ORPort should be firewalled off, so the bridge
stays out of BridgeDB. I think it's worth setting iat-mode=1 for these
new bridges, because most of the existing bridges use iat-mode=0.

These are the essential things to have in the torrc configuration file:
	BridgeRelay 1
	ExtORPort auto
	ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
	ServerTransportOptions obfs4 iat-mode=1

Once tor is running, we will need to know the "bridge line" which
includes the IP address, port, relay fingerprint, and obfs4 parameters.
The fingerprint is in
	<tor datadir>/hashed-fingerprint
and the obfs4 parameters are in
	<tor datadir>/pt_state/obfs4_bridgeline.txt
Example:
	Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=hLMtj0qIlIL1/gz/LrfRsA8wQDKWlz20aMzELFNtCctJvEcd/9vTD4fJP02KcjcTCviuUQ iat-mode=1

On its first run, obfs4 will choose a random high-numbered port to
listen on. We've found it is helpful for bridges also to listen on ports
80 and 443, if possible. Unfortunately, the best way to do this is via
iptables rules, separate from the Tor configuration:
        https://tor.stackexchange.com/questions/543/how-to-set-up-an-obfs3-bridge-on-port-80-and-or-443
For example:
        iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port <obfs4 port>
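
An added example, not part of the original message and not Tor Project code: one way to assemble the bridge line from the two files named above, with basic validation. The function names, the assumed file formats (noted in the comments) and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed file formats (not spelled out in the message):
#   hashed-fingerprint            "<nickname> <40 hex digits>"
#   pt_state/obfs4_bridgeline.txt "#" comments plus one template line containing
#                                 the placeholders <IP ADDRESS>, <PORT>, <FINGERPRINT>

make_bridge_line() {  # usage: make_bridge_line <tor datadir> <IPv4> <port>
    datadir=$1; ip=$2; port=$3
    fp_file=$datadir/hashed-fingerprint
    tmpl_file=$datadir/pt_state/obfs4_bridgeline.txt
    [ -r "$fp_file" ] && [ -r "$tmpl_file" ] || { echo "missing input file" >&2; return 1; }

    # Fingerprint is the last field; insist on exactly 40 hex digits.
    fp=$(awk 'NF { print $NF; exit }' "$fp_file")
    case $fp in ""|*[!0-9A-Fa-f]*) echo "bad fingerprint" >&2; return 1 ;; esac
    [ "${#fp}" -eq 40 ] || { echo "bad fingerprint length" >&2; return 1; }

    # Only digits and dots in the address, only digits in the port.
    case $ip in ""|*[!0-9.]*) echo "bad IPv4 address" >&2; return 1 ;; esac
    case $port in ""|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }

    tmpl=$(grep '^Bridge obfs4 ' "$tmpl_file" | head -n 1)
    [ -n "$tmpl" ] || { echo "no template line" >&2; return 1; }
    # The message asks for iat-mode=1; flag a state file that says otherwise.
    case $tmpl in *" iat-mode=1") ;; *) echo "warning: not iat-mode=1" >&2 ;; esac

    printf '%s\n' "$tmpl" |
        sed -e "s|<IP ADDRESS>|$ip|" -e "s|<PORT>|$port|" -e "s|<FINGERPRINT>|$fp|"
}

make_sample_datadir() {  # constructed sample data, not a real bridge
    mkdir -p "$1/pt_state"
    echo "Unnamed 0123456789ABCDEF0123456789ABCDEF01234567" > "$1/hashed-fingerprint"
    printf '%s\n' '# obfs4 torrc client bridge line (constructed sample)' \
        'Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=CONSTRUCTEDSAMPLECERT iat-mode=1' \
        > "$1/pt_state/obfs4_bridgeline.txt"
}

sample=$(mktemp -d)
make_sample_datadir "$sample"
make_bridge_line "$sample" 192.0.2.10 41234   # 192.0.2.10 is a documentation address
rm -rf "$sample"
```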

