[tor-relays] Relay configuration for FreedomBox

Roger Dingledine arma at mit.edu
Sun Mar 23 07:33:10 UTC 2014


On Sat, Mar 22, 2014 at 01:03:43PM -0700, Lance Hathaway wrote:
> On the plus side, obfs3 is still pretty strong, and it's one of the
> common pluggable transports right now. Scramblesuit is not live in the
> official bundles yet (AFAIK), but it just released and has some pretty
> robust-looking defenses against active probing and other attacks. If
> you're working on something new to deploy, these should be included,
> without a doubt. They may indeed be deprecated in future, and in the
> worst case may become unusable or make the bridge more susceptible to
> being blocked. But if you go with a plain bridge or obfs2, you're
> already in your worst-case scenario. You have nothing to lose and
> everything to gain by enabling the newest pluggable transports.

Agreed. If the goal in setting it up as a bridge is to be useful to
users who are otherwise censored from the Tor network, then running
pluggable transports like obfs3 and ScrambleSuit will go a long way
towards actually doing that.

For context, currently Tor works out-of-the-box (you don't even need a
bridge) in nearly all countries except China, where vanilla bridges and
obfs2 don't work currently:
https://blog.torproject.org/blog/how-to-read-our-china-usage-graphs

Periodically Iran and Syria block SSL by DPI, which also takes out
vanilla bridges.

If you want to be conservative, pick obfs3 and wait for ScrambleSuit
to get more mature.

> I would highly recommend adding the Tor package repository to the
> FreedomBoxes. As explained in [0], this won't always give you the
> latest version of tor, but it will provide security fixes. My hunch is
> that it will almost always also be a little fresher than Debian
> stable.

Yes -- I would consider doing this as much for security as for anything
else. Debian stable can lag pretty far behind the actual Tor stable
releases (depending on which year you're looking).

--Roger


