[tor-relays] issue with setting up a private bridge

Dmitrii Tcvetkov demfloro at demfloro.ru
Sun Feb 4 10:15:27 UTC 2018

On Sun, 4 Feb 2018 09:56:18 +0330
Hamid Safe <hsafe at devopt.net> wrote:

> Hello tor-relays team,
> 
> I am facing an issue trying to set up a private obfs4proxy+tor relay
> bridge (centos 7 server) on a vps outside Iran and using the same
> methodology obfs4+tor client (Arch linux) inside Iran. DPI blocks tor
> networks and vpn connections are not allowed. Please note that the set up
> is basically needed to access pretty much anything serious in a production env
> for accessing the sites that will otherwise be blocked in Iran i.e.
> hub.docker.com + my personal use, hence can't really use the tor-browser.
> 
> I have successfully followed yawning angel's github to compile and set up
> the obfs4proxy and also the tor in both ends. Tor service is running, and
> I attach along this email the config I used both in client and server end.
> I suspect that there is a key hash issue and the mechanism to obfuscate the
> traffic that fails and particularly a directory that does not exist in my
> server which is in a lot of howtos referred to
> as: /pt_state/obfs4_bridgeline.txt


Absence of pt_state directory in DataDirectory is odd. You can't use obfs4
without information from obfs4_bridgeline.txt.

I suggest changing the line
ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy
to
ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy managed
in server's torrc.

Also you need to connect not to the ORPort itself but to the transport port, so
server config should have line:
ServerTransportListenAddr obfs4 <ip_address>:<port>

And then in your client torrc you specify bridge like:
Bridge obfs4 <ip_address>:<port> <fingerprint> cert=<line from obfs4_bridgeline.txt> iat-mode=0

If it still doesn't work you can add line
ServerTransportOptions obfs4 iat-mode=1
to bridge's torrc and also change iat-mode=1 in client's bridge line, so like this:
Bridge obfs4 <ip_address>:<port> <fingerprint> cert=<line from obfs4_bridgeline.txt> iat-mode=1

iat-mode allows enabling additional obfuscation; it works only for sending traffic, so for
2-way obfuscation it needs to be enabled on both ends.
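
Added example, not part of the original message: a Python helper that assembles the client Bridge line described above from the contents of the server's pt_state/obfs4_bridgeline.txt and its fingerprint file. It assumes the bridge line file carries a "Bridge obfs4 ... cert=..." template line and the fingerprint file holds "nickname fingerprint"; the function names and sample inputs are constructed for illustration.

```python
import base64
import ipaddress
import re

def parse_cert(bridgeline_text):
    """Return the cert= value from the 'Bridge obfs4' template line."""
    for line in bridgeline_text.splitlines():
        fields = line.split()
        if fields[:2] != ["Bridge", "obfs4"]:  # skips blank and '#' comment lines
            continue
        for field in fields[2:]:
            if field.startswith("cert="):
                cert = field[len("cert="):]
                # An obfs4 cert is unpadded base64 of 52 bytes (20-byte node ID
                # + 32-byte public key); a clipped copy/paste fails this check.
                if len(base64.b64decode(cert + "==", validate=True)) != 52:
                    raise ValueError("cert is truncated or malformed")
                return cert
    raise ValueError("no 'Bridge obfs4 ... cert=' line found")

def parse_fingerprint(fingerprint_text):
    """Return the 40-hex-digit fingerprint from 'nickname fingerprint' text."""
    fp = "".join(fingerprint_text.split()[1:]).upper()  # tolerate space-grouped hex
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError("fingerprint must be 40 hex digits")
    return fp

def client_bridge_line(bridgeline_text, fingerprint_text, ip, port, iat_mode=0):
    """Build the client torrc line; ip/port are the obfs4 transport listener,
    i.e. the ServerTransportListenAddr value, not the ORPort."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a bad address
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    if not 0 < int(port) < 65536:
        raise ValueError("port out of range")
    if iat_mode not in (0, 1):  # the two values used in the message above
        raise ValueError("iat_mode must be 0 or 1")
    return (f"Bridge obfs4 {host}:{int(port)} {parse_fingerprint(fingerprint_text)} "
            f"cert={parse_cert(bridgeline_text)} iat-mode={iat_mode}")

# Constructed sample inputs (not a real bridge): the cert is base64 of bytes 0..51.
SAMPLE_CERT = base64.b64encode(bytes(range(52))).decode().rstrip("=")
SAMPLE_BRIDGELINE = (
    "# obfs4 torrc client bridge line\n"
    f"Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert={SAMPLE_CERT} iat-mode=0\n"
)
SAMPLE_FINGERPRINT = "ExampleBridge 0123456789ABCDEF0123456789ABCDEF01234567\n"

if __name__ == "__main__":
    print(client_bridge_line(SAMPLE_BRIDGELINE, SAMPLE_FINGERPRINT, "192.0.2.10", 8443, 1))
```

A missing pt_state/obfs4_bridgeline.txt or a clipped cert surfaces here as a ValueError before the line reaches the client's torrc.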
