[tor-relays] [tor-assistants] Running obfs4proxy on Debian Stable

Tue Feb 3 00:14:14 UTC 2015

On Mon, 2 Feb 2015 22:41:40 +0000
isis <isis at torproject.org> wrote:
> I requested that the obfs4proxy package in Debian jessie be ported to
> wheezy-backports, [0] however, it seems this is extremely unlikely to
> happen because it would mean backporting pretty much every Golang
> package in existence.

Last I heard, that was mostly unnecessary, though how exactly this apt
pinning stuff works is a mystery to me[0].

> I would be super stoked if we could make it as easy and seamless as
> possible for the Bridge operators who are still running obfs2 (!!) to
> move to supporting better, newer Pluggable Transports.  Currently
> recommended PTs to run are: obfs3, obfs4, scramblesuit, and
> fteproxy.  When Tor Browser 4.5 becomes stable (probably in mid-April
> 2015), we'll want lots more obfs4 Bridges!  For the super adventurous
> sysadmins who'd like to try Yawning's experimental new post-quantum
> PT, Basket [1] is one of the newest PTs.

More obfs4 bridges would be amazing.  It's worth noting that obfs4proxy
can also handle obfs2 and 3 (and with a branch that I need to
test/merge soon, a ScrambleSuit client), and it even is easy to run
bridges on ports < 1024 without messing with port forwarding.

Basket is still a research project and non-researchers shouldn't deploy
it because the wire format may change (and it consumes a hilarious
amount of bandwidth).

> We should probably come up with some easy instructions for operators
> of Tor Bridge relays who are running Debian stable, such as adding an
> Apt pin to pull in only the obfs4proxy package and its dependencies
> from Debian jessie and keep everything else pinned to stable.  If
> someone has done this, or has another simple solution, would you mind
> writing up some short how-to on the steps you took, please?
> 
> [0]:
> http://lists.alioth.debian.org/pipermail/pkg-anonymity-tools/Week-of-Mon-20150202/001119.html
> [1]: https://github.com/yawning/basket

All of obfs4proxy's dependencies are build time.  The binary is
statically linked because that's what Go does.  David S.'s ansible-tor
package does it like this:

https://github.com/david415/ansible-tor/commit/f897581daa79389ddcb28c7dae601473e85e8226

So the documentation should be a matter of "how to setup the apt pin
for a single package".  I've heard someone complaining about the tor
AppArmor profile but that also isn't something I've dealt with ever.

Regards,

-- 
Yawning Angel

[0]: I just scp the binary to my bridge whenever I need to update it,
and my idea of how to update all my linux systems starts with "pacman"
and not "apt-get".
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20150203/91e3ad23/attachment.sig>