[tor-relays] ExtOrPort settings for obsf4, obfs3 and firewall

Alexander Dietrich alexander at dietrich.cx
Mon Jul 23 21:36:46 UTC 2018


On 2018-07-23 16:03, Cristian Consonni wrote:

> ```
> [notice] Registered server transport 'obfs4' at '[::]:46396'
> ```
> 
> Remember the random port associated to your bridge needs to be open for
> incoming connections. You can find it from the logs: it's 46396 in this
> example.
> ---
> 
> I can assume that using `ExtORPort auto` would mean that potentially any
> time Tor is restarted or reloaded a new port will be picked.

I think the documentation is a bit confusing here. The pluggable 
transport is picking a random port because the example doesn't configure 
"ServerTransportListenAddr".

For example, to make obfs4 use port 8000 every time, add this to your 
torrc:
```
ServerTransportListenAddr obfs4 0.0.0.0:8000
```

> [...] ExtORPort tells tor to open a local-only (bound to localhost)
> socket for getting information from / communicating with obfsproxy
> ---
> 
> So, if I want to be sure to know in advance which firewall port I should
> let open it is better that I choose a fixed port. Also, that port needs
> only to accept connections from localhost, i.e. the loopback interface?
> The only port that needs to be reachable from anywhere is the ORPort?

The ExtORPort is only used for communication between Tor and the 
pluggable transport. The value "auto" should be ok and you usually don't 
need to do any firewall configuration.

Whatever fixed port you pick for "ServerTransportListenAddr" above needs 
to be open in your firewall, though.

> Also, in this answer on Tor Stack Exchange[2] it is said that it is
> possible to run both obfs3 and obfs4 from the same bridge. Is this
> useful/recommended? Also, in the answer:

The last time I asked this question, my understanding was that you 
should not run them on the same bridge.

> Thanks in advance (I am sorry for the flood of stupid questions, but I
> prefer to ask a stupid question than having things not work and not
> understanding why...)
> 
> C

Don't worry, I also feel that pluggable transports are the "fun" part of 
configuring Tor. :)

Kind regards,
Alexander
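
Added example, not part of the original message: a small Python check that reads a torrc and a Tor notice log and reports, for each server transport, which port the firewall must allow and whether it is pinned by `ServerTransportListenAddr` or only known from the "Registered server transport" notice. The torrc contents, the `obfs4proxy` path and the function names are constructed for illustration.

```python
import re

# Matches the notice quoted in the thread:
#   Registered server transport 'obfs4' at '[::]:46396'
REGISTERED = re.compile(r"Registered server transport '([^']+)' at '[^']*:(\d+)'")

def torrc_options(torrc):
    """Yield (option, args) per torrc line; option names are case-insensitive."""
    for line in torrc.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts[0].lower(), parts[1:]

def transport_ports(torrc, log=""):
    """Return {transport: (port or None, pinned)} for each server transport."""
    declared, pinned = [], {}
    for opt, args in torrc_options(torrc):
        if opt == "servertransportplugin" and args:
            declared += args[0].split(",")  # e.g. "obfs3,obfs4"
        elif opt == "servertransportlistenaddr" and len(args) == 2:
            pinned[args[0]] = int(args[1].rsplit(":", 1)[1])
    # If a transport was registered several times, the last notice wins.
    logged = {name: int(port) for name, port in REGISTERED.findall(log)}
    return {t: (pinned[t], True) if t in pinned else (logged.get(t), False)
            for t in declared}

# Constructed samples: the same torrc without and with a pinned listener.
# ExtORPort stays on "auto"; it is never reported because it is only used
# between Tor and the pluggable transport.
UNPINNED = """\
BridgeRelay 1
ORPort 9001
ExtORPort auto
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
"""
PINNED = UNPINNED + "ServerTransportListenAddr obfs4 0.0.0.0:8000\n"
LOG = "[notice] Registered server transport 'obfs4' at '[::]:46396'\n"

if __name__ == "__main__":
    for label, rc in (("unpinned", UNPINNED), ("pinned", PINNED)):
        for name, (port, fixed) in transport_ports(rc, LOG).items():
            source = "fixed in torrc" if fixed else "read from log"
            print(f"{label}: {name} -> allow inbound TCP {port} ({source})")
```

A port of `None` means the transport is declared but neither pinned in torrc nor seen in the supplied log.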

