[tor-relays] Protecting the bridge port from active probes
Alexander Nasonov
alnsn at yandex.ru
Sat Mar 30 20:44:45 UTC 2019
Dmitrii Tcvetkov wrote:
> On Thu, 28 Mar 2019 17:08:38 +0000
> Marek Szuba <scriptkiddie at wp.pl> wrote:
>
> > Anyway, here is my logic. In order to operate properly, my bridge must
> > have its ORPort reachable from the Internet.
>
> I might be wrong, but I got the impression that if a bridge is using
> pluggable transports (obfs3, obfs4, meek, snowflake, etc.) then the ORPort is
> only useful for the bridge authority and users who want to use the bridge
> without pluggable transports. Communication between the pluggable transport
> and the Tor process goes via ExtORPort, which isn't public by default
> (binds to localhost). Clients connect to the pluggable transport port and
> their traffic is obfuscated by the transport.
>
> Since your bridge is private, the bridge authority is none of your
> concern. In that case you need the ORPort reachable only if you have
> bridge clients which use the bridge without pluggable transports.

This works for me:

AssumeReachable 1
PublishServerDescriptor 0
ORPort PUBLIC-IP:2345 NoListen
ORPort 127.0.0.1:2345 NoAdvertise
ExtORPort 127.0.0.1:3456 # you can try auto
ServerTransportListenAddr obfs4 PUBLIC-IP:4567
ServerTransportPlugin obfs4 exec /path/to/obfs4proxy

--
Alex
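
An added example, not part of the original message or of Tor's own code: a small Python check that lists which sockets a torrc like the one above would bind and flags any ORPort or ExtORPort listener that is not loopback-only. The function names are hypothetical, and a host that is not an IP literal (such as the PUBLIC-IP placeholder) is assumed to be public.

```python
import ipaddress

# The torrc from the message above, verbatim (PUBLIC-IP is its placeholder).
POST_TORRC = """\
AssumeReachable 1
PublishServerDescriptor 0
ORPort PUBLIC-IP:2345 NoListen
ORPort 127.0.0.1:2345 NoAdvertise
ExtORPort 127.0.0.1:3456 # you can try auto
ServerTransportListenAddr obfs4 PUBLIC-IP:4567
ServerTransportPlugin obfs4 exec /path/to/obfs4proxy
"""

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # not an IP literal (e.g. PUBLIC-IP): assume public

def listeners(torrc_text):
    """Return (option, host, port) for each socket the config would bind."""
    out = []
    for raw in torrc_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # text after '#' is a comment
        if len(fields) < 2:
            continue
        opt = fields[0].lower()  # option names are case-insensitive
        if opt in ("orport", "extorport"):
            if "nolisten" in (f.lower() for f in fields[2:]):
                continue  # NoListen: advertised only, never bound
            addr = fields[1]
        elif opt == "servertransportlistenaddr" and len(fields) >= 3:
            addr = fields[2]  # fields[1] is the transport name
        else:
            continue
        host, sep, port = addr.rpartition(":")
        if not sep:  # bare port or "auto": ORPort binds all addresses, ExtORPort localhost
            host = "127.0.0.1" if opt == "extorport" else "0.0.0.0"
        out.append((fields[0], host.strip("[]"), port))
    return out

def public_listeners(torrc_text):  # listeners not bound to a loopback address
    return [l for l in listeners(torrc_text) if not is_loopback(l[1])]

def orport_exposed(torrc_text):
    """True if an ORPort or ExtORPort listener is not loopback-only."""
    return any(o.lower() in ("orport", "extorport") for o, _, _ in public_listeners(torrc_text))

if __name__ == "__main__":
    print(public_listeners(POST_TORRC), "ORPort exposed:", orport_exposed(POST_TORRC))
```

For the configuration in the message, only the obfs4 listener is reported as public; a bare `ORPort 2345` line would be flagged as exposed.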