[tor-relays] Bridge Questions, Best Practices

Eddie stunnel at attglobal.net
Thu Dec 19 00:25:17 UTC 2019

Thanks for the follow up.

On 12/18/2019 3:20 PM, Philipp Winter wrote:
> On Wed, Dec 18, 2019 at 12:12:03PM -0800, Eddie wrote:
>> I've seen a few comments mentioning the lack of obfs4 bridges using port
>> 443, so as I don't run any kind of webserver on the VPS I can do this.  I
>> also wanted to run an obfuscated bridge on port 80, but it seems that you
>> can only run a single instance of obfs4. Searching around, the most common
>> setup I found was this:
>> ServerTransportListenAddr obfs3 [::]:80
>> ServerTransportListenAddr obfs4 [::]:443
>> Is this the best way to support both port 80 and 443, or is there a better
>> way.
> You cannot run two obfs4 instances under one Tor instances.  You will
> either have to start two Tor instances or configure a port forward from
> port 80 to 443.
Let me look into the easiest option for this.  For now, I've just 
dropped the obfs3:80 part.
> Also, there's no point in running both obfs3 and obfs4: If a bridge runs
> multiple transports and some are resistant to active probing attacks
> (scramblesuit, obfs4) while others aren't (vanilla Tor, obfs2, obfs3,
> fte), then BridgeDB won't hand out the bridge's vulnerable transports
> because they constitute a liability to the resistant transports.  See
> the following ticket for more details:
> <https://bugs.torproject.org/28655>
>> Next, the ORPort.  There seems to be confusing information about setting
>> this up, in conjunction with obfs4proxy.  Again, my setup:
>> ORPort 9001
>> ORPort [--my public ipv6 address--]:9002
> Ideally, it shouldn't be necessary to expose an OR port if one is only
> running an obfs4 bridge.  Unfortunately, we're not quite there yet:
> <https://bugs.torproject.org/7349>
> I suggest selecting a random OR port other than 9001.
>> Again, is the the best way, as I've seen some information that says avoid
>> 9001, but others say it's OK to use for a bridge, with obfs4proxy.
> It's best to avoid port 9001 because this port is commonly associated
> with Tor.  Censors could easily scan the entire IPv4 address space for
> port 9001 and block whatever turns out to be a Tor bridge.
> Cheers,
> Philipp
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

More information about the tor-relays mailing list