[tor-relays] Bridge Questions, Best Practices

Eddie stunnel at attglobal.net
Thu Dec 19 00:25:17 UTC 2019


Thanks for the follow up.

On 12/18/2019 3:20 PM, Philipp Winter wrote:
> On Wed, Dec 18, 2019 at 12:12:03PM -0800, Eddie wrote:
>> I've seen a few comments mentioning the lack of obfs4 bridges using port
>> 443, so as I don't run any kind of webserver on the VPS I can do this.  I
>> also wanted to run an obfuscated bridge on port 80, but it seems that you
>> can only run a single instance of obfs4. Searching around, the most common
>> setup I found was this:
>>
>> ServerTransportListenAddr obfs3 [::]:80
>> ServerTransportListenAddr obfs4 [::]:443
>>
>> Is this the best way to support both port 80 and 443, or is there a better
>> way?
> You cannot run two obfs4 instances under one Tor instance.  You will
> either have to start two Tor instances or configure a port forward from
> port 80 to 443.
Let me look into the easiest option for this.  For now, I've just 
dropped the obfs3:80 part.
> Also, there's no point in running both obfs3 and obfs4: If a bridge runs
> multiple transports and some are resistant to active probing attacks
> (scramblesuit, obfs4) while others aren't (vanilla Tor, obfs2, obfs3,
> fte), then BridgeDB won't hand out the bridge's vulnerable transports
> because they constitute a liability to the resistant transports.  See
> the following ticket for more details:
> <https://bugs.torproject.org/28655>
>
>> Next, the ORPort.  There seems to be confusing information about setting
>> this up, in conjunction with obfs4proxy.  Again, my setup:
>>
>> ORPort 9001
>> ORPort [--my public ipv6 address--]:9002
> Ideally, it shouldn't be necessary to expose an OR port if one is only
> running an obfs4 bridge.  Unfortunately, we're not quite there yet:
> <https://bugs.torproject.org/7349>
>
> I suggest selecting a random OR port other than 9001.
Done.
>> Again, is this the best way, as I've seen some information that says avoid
>> 9001, but others say it's OK to use for a bridge, with obfs4proxy.
> It's best to avoid port 9001 because this port is commonly associated
> with Tor.  Censors could easily scan the entire IPv4 address space for
> port 9001 and block whatever turns out to be a Tor bridge.
>
> Cheers,
> Philipp
Cheers.
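The configuration the two messages above converge on (obfs4 only, on 443, a random OR port that is not 9001, and a firewall redirect from 80 to 443 instead of a second obfs4 listener), as an added example that is not part of the original thread and not the Tor Project's own code. The bridge nickname, contact address and the obfs4proxy path are assumptions; the script prints the torrc fragment and the NAT rules rather than installing them, so it runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the thread or the Tor Project): builds a torrc
# fragment for an obfs4-only bridge on port 443 with a random, non-9001 OR
# port, plus the iptables/ip6tables rules that redirect port 80 to 443.
# Nickname, ContactInfo and the obfs4proxy path are assumed values.
set -eu

# Random OR port in 10000-59999: never 9001, never a privileged port.
random_orport() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( 10000 + $n % 50000 ))
}

# Reject the ports a censor would scan for first (well-known Tor defaults)
# and anything outside the unprivileged range.
orport_ok() {
    case "$1" in
        9001|9030|9050|9051) return 1 ;;
    esac
    if [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]; then
        return 0
    else
        return 1
    fi
}

# Emit the torrc fragment. Only obfs4 is configured: tor still needs an OR
# port today (ticket 7349), but obfs3 is deliberately absent so BridgeDB does
# not see an active-probe-able transport beside the probe-resistant one.
gen_torrc() {
    orport="$1"
    orport_ok "$orport" || { echo "refusing OR port $orport" >&2; return 1; }
    cat <<EOF
BridgeRelay 1
PublishServerDescriptor bridge
Nickname ExampleObfs4Bridge
ContactInfo bridge-operator@example.org
ORPort $orport
ExtORPort auto
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 [::]:443
EOF
}

# One obfs4 listener per tor process, so port 80 is served by redirecting it
# to 443 in the NAT table for both address families. Printed, not applied;
# pipe the output into sh as root to install the rules.
gen_redirect_rules() {
    for fw in iptables ip6tables; do
        echo "$fw -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 443"
    done
}

port=$(random_orport)
gen_torrc "$port"
gen_redirect_rules
```

Clients reaching port 80 are handed to the same obfs4 listener, so a bridge line with port 80 and the 443 certificate works unchanged; a genuinely separate obfs4 instance still needs a second tor process, as noted above. Because obfs4proxy runs as the tor user, binding a port below 1024 needs CAP_NET_BIND_SERVICE on the binary (and, on systemd installs, a unit that does not set NoNewPrivileges), which is something to check before restarting the bridge.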
