[tor-relays] Bridge Questions, Best Practices

Philipp Winter phw at torproject.org
Wed Dec 18 23:20:28 UTC 2019

On Wed, Dec 18, 2019 at 12:12:03PM -0800, Eddie wrote:
> I've seen a few comments mentioning the lack of obfs4 bridges using port
> 443, so as I don't run any kind of webserver on the VPS I can do this.  I
> also wanted to run an obfuscated bridge on port 80, but it seems that you
> can only run a single instance of obfs4. Searching around, the most common
> setup I found was this:
> ServerTransportListenAddr obfs3 [::]:80
> ServerTransportListenAddr obfs4 [::]:443
> Is this the best way to support both port 80 and 443, or is there a better
> way?

You cannot run two obfs4 instances under one Tor instance.  You will
either have to start two Tor instances or configure a port forward from
port 80 to 443.

Also, there's no point in running both obfs3 and obfs4: If a bridge runs
multiple transports and some are resistant to active probing attacks
(scramblesuit, obfs4) while others aren't (vanilla Tor, obfs2, obfs3,
fte), then BridgeDB won't hand out the bridge's vulnerable transports
because they constitute a liability to the resistant transports.  See
the following ticket for more details:

> Next, the ORPort.  There seems to be confusing information about setting
> this up, in conjunction with obfs4proxy.  Again, my setup:
> ORPort 9001
> ORPort [--my public ipv6 address--]:9002

Ideally, it shouldn't be necessary to expose an OR port if one is only
running an obfs4 bridge.  Unfortunately, we're not quite there yet:

I suggest selecting a random OR port other than 9001.

> Again, is this the best way, as I've seen some information that says avoid
> 9001, but others say it's OK to use for a bridge, with obfs4proxy.

It's best to avoid port 9001 because this port is commonly associated
with Tor.  Censors could easily scan the entire IPv4 address space for
port 9001 and block whatever turns out to be a Tor bridge.
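
A torrc that follows the advice in this thread, plus a small lint for the three points raised (a single obfs4 listener, no obfs3 next to it, an OR port away from 9001) and the rules that forward port 80 to the obfs4 listener on 443. This is an added example, not code from the thread or from the Tor project; the OR port 38291, the obfs4proxy path, ContactInfo and Nickname are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a torrc against the advice above and
# prints the port 80 -> 443 redirect. Port 38291, the obfs4proxy path, ContactInfo
# and Nickname are assumed placeholders; pick your own.

# Constructed torrc: exactly one obfs4 listener (on 443), no obfs3 beside it,
# and an OR port other than 9001. The OR port still has to be reachable.
BRIDGE_TORRC='BridgeRelay 1
ORPort 38291
ExtORPort auto
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 [::]:443
ContactInfo bridge-operator@example.org
Nickname ExampleBridge'

# lint_torrc FILE: returns 0 if FILE avoids the three mistakes discussed, 1 otherwise.
lint_torrc() {
    f="$1"
    rc=0
    # One tor process cannot run two obfs4 instances: use a second tor or a redirect.
    n=$(grep -c '^ServerTransportListenAddr obfs4 ' "$f" || true)
    if [ "$n" -gt 1 ]; then
        echo "$f: $n obfs4 listeners; run a second tor instance or redirect the extra port"
        rc=1
    fi
    # Probe-vulnerable transports next to obfs4 are withheld by BridgeDB anyway.
    if grep -E '^ServerTransport(Plugin|ListenAddr) ' "$f" \
            | grep -Eq '(^|[ ,])(obfs2|obfs3|fte)([ ,]|$)'; then
        echo "$f: obfs2/obfs3/fte configured alongside obfs4; drop them"
        rc=1
    fi
    # 9001 is the well-known Tor port and trivial to scan for.
    if grep -Eq '^ORPort ([^ ]*:)?9001( |$)' "$f"; then
        echo "$f: ORPort 9001; choose a random unrelated port"
        rc=1
    fi
    return $rc
}

# redirect_rules: nat rules so clients connecting to port 80 reach the obfs4 listener on 443.
# Requires root and a kernel with IPv6 NAT support; printed here, not applied.
redirect_rules() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 443\n'
    printf 'ip6tables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 443\n'
}
# Write the constructed torrc somewhere and lint it (stand-alone run).
printf '%s\n' "$BRIDGE_TORRC" > /tmp/bridge-example.torrc
lint_torrc /tmp/bridge-example.torrc && redirect_rules
```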
