[tor-relays] bridge not accessible through obfs4 port

Roger Dingledine arma at mit.edu
Fri Jul 13 14:11:01 UTC 2018

On Fri, Jul 13, 2018 at 02:24:53PM +0200, entensaison at use.startmail.com wrote:
> I am unsuccessfully running a bridge that uses obfs4 as pluggable transport.
> (At least it should.)
> Today I actually tried to connect to it and it is possible to connect to the
> bridge using the ORport.
> But when I tried to start tor browser with this setting to use obfs4:
> obfs4 12.345.67.89:1111 (only with the right numbers)
> it got stuck at "establishing an encrypted network connection".
> I checked on canyouseeme.org and both the vanilla ORport and the obfs4 port
> seem to be accessible from outside.

The obfs4 protocol needs to have not just the IP and port, but also
the shared secret.

For example, a valid obfs4 bridge line looks like:

obfs4 8FB9F4319E89E5C6223052AA525A192AFBC85D55 cert=GGGS1TX4R81m3r0HBl79wKy1OtPPNR2CZUIrHjkRg65Vc2VR8fOyo64f9kmT1UAFG7j0HQ iat-mode=0

The other parameters are needed because the client needs to prove
knowledge of the shared secret before the bridge will admit to being a

That's because one of the steps in the arms race has been "active probing"
by China, where they use DPI to notice connections that might be obfs4,
and then do their own follow-up connection speaking the obfs4 protocol,
and if it talks obfs4 back, they know they can block it:

> My router is set to allow TCP and UDP on the port for obfs4.

obfs4 only needs TCP.
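
An added example, not part of the original message or of Tor's own code: a Python check that a client-side obfs4 bridge line carries the parameters discussed in this thread and not only the IP and port. The function name is hypothetical, the address 192.0.2.10:1111 is a constructed placeholder, and the 52-byte cert length is an assumption about the obfs4 cert encoding.

```python
import base64
import ipaddress
import re

CERT_LEN = 52  # assumption: 20-byte node ID + 32-byte public key, base64 without padding

def check_obfs4_bridge_line(line):
    """Return a list of problems with an obfs4 bridge line (empty list = looks complete)."""
    tokens = line.split()
    if tokens and tokens[0].lower() == "bridge":  # accept the torrc form "Bridge obfs4 ..."
        tokens = tokens[1:]
    if not tokens or tokens[0] != "obfs4":
        return ["not an obfs4 bridge line"]
    positional = [t for t in tokens[1:] if "=" not in t]
    params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    problems = []

    # Address: IPv4 "a.b.c.d:port" or IPv6 "[addr]:port".
    host, _, port = (positional[0] if positional else "").rpartition(":")
    try:
        ipaddress.ip_address(host.strip("[]"))
        if not 0 < int(port) < 65536:
            raise ValueError("port out of range")
    except ValueError:
        problems.append("missing or invalid address:port")

    # Fingerprint is treated as optional here; if present it must be 40 hex digits.
    if len(positional) > 1 and not re.fullmatch(r"[0-9A-Fa-f]{40}", positional[1]):
        problems.append("fingerprint is not 40 hex digits")

    # cert= carries the secret the client must know before the bridge will answer.
    cert = params.get("cert")
    if cert is None:
        problems.append("missing cert= (client cannot prove knowledge of the shared secret)")
    else:
        try:
            ok = len(base64.b64decode(cert + "==", validate=True)) == CERT_LEN
        except ValueError:
            ok = False
        if not ok:
            problems.append("cert= is truncated or malformed")

    if params.get("iat-mode") not in ("0", "1", "2"):
        problems.append("missing or invalid iat-mode= (expected 0, 1 or 2)")
    return problems

# Constructed sample: placeholder address plus the fingerprint and cert quoted in the message.
SAMPLE = ("obfs4 192.0.2.10:1111 8FB9F4319E89E5C6223052AA525A192AFBC85D55 "
          "cert=GGGS1TX4R81m3r0HBl79wKy1OtPPNR2CZUIrHjkRg65Vc2VR8fOyo64f9kmT1UAFG7j0HQ iat-mode=0")
```

A line with only the address, such as `obfs4 192.0.2.10:1111`, comes back with the cert and iat-mode problems listed, which matches the symptom in the original question.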

