[tor-relays] Protecting the bridge port from active probes

Alexander Nasonov alnsn at yandex.ru
Sat Mar 30 20:44:45 UTC 2019


Dmitrii Tcvetkov wrote:
> On Thu, 28 Mar 2019 17:08:38 +0000
> Marek Szuba <scriptkiddie at wp.pl> wrote:
>  
> > Anyway, here is my logic. In order to operate properly, my bridge must
> > have its ORPort reachable from the Internet.
> 
> I might be wrong, but I got the impression that if a bridge is using
> pluggable transports (obfs3, obfs4, meek, snowflake, etc.) then ORPort is
> only useful for the bridge authority and users who want to use the bridge
> without pluggable transports. Communication between the pluggable transport
> and the Tor process goes via ExtORPort, which isn't public by default
> (binds to localhost). Clients connect to the pluggable transport port and
> their traffic is obfuscated by the transport.
> 
> Since your bridge is private, the bridge authority is none of your
> concern. In that case you need ORPort reachable only if you have
> bridge clients which use the bridge without pluggable transports.

This works for me:

AssumeReachable 1
PublishServerDescriptor 0
ORPort PUBLIC-IP:2345 NoListen
ORPort 127.0.0.1:2345 NoAdvertise
ExtORPort 127.0.0.1:3456 # you can try auto
ServerTransportListenAddr obfs4 PUBLIC-IP:4567
ServerTransportPlugin obfs4 exec /path/to/obfs4proxy

-- 
Alex
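
A small audit of the configuration above, as an added example that is not part of the original message: it lists the sockets a torrc causes to be bound and reports the ones that are not on loopback, so you can confirm that only the obfs4 port is public. The function names and the address 203.0.113.10 standing in for PUBLIC-IP are assumptions of this example; it relies on Tor's defaults that a bare ORPort binds all interfaces and a bare ExtORPort binds localhost.

```python
import ipaddress

# Constructed sample: the torrc from the message above, with PUBLIC-IP replaced
# by 203.0.113.10 (a documentation address chosen for this example).
SAMPLE_TORRC = """\
AssumeReachable 1
PublishServerDescriptor 0
ORPort 203.0.113.10:2345 NoListen
ORPort 127.0.0.1:2345 NoAdvertise
ExtORPort 127.0.0.1:3456 # you can try auto
ServerTransportListenAddr obfs4 203.0.113.10:4567
ServerTransportPlugin obfs4 exec /path/to/obfs4proxy
"""

def split_addr(value, default_host):
    """'IP:PORT' -> (host, port); a bare 'PORT' or 'auto' gets Tor's default host."""
    host, sep, port = value.rpartition(":")
    return (host.strip("[]"), port) if sep else (default_host, value)

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # not an IP literal: treat as exposed

def listeners(torrc):
    """Return (option, host, port) for each socket the torrc causes to be bound."""
    found = []
    for raw in torrc.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2:
            continue
        opt, args = words[0].lower(), words[1:]
        flags = [a.lower() for a in args[1:]]
        if opt == "orport" and args[0] != "0" and "nolisten" not in flags:
            found.append(("ORPort", *split_addr(args[0], "0.0.0.0")))
        elif opt == "extorport" and args[0] != "0":
            found.append(("ExtORPort", *split_addr(args[0], "127.0.0.1")))
        elif opt == "servertransportlistenaddr" and len(args) >= 2:
            found.append(("PT " + args[0], *split_addr(args[1], "0.0.0.0")))
    return found

def exposed(torrc):
    """Listeners reachable from outside the host (anything not on loopback)."""
    return [entry for entry in listeners(torrc) if not is_loopback(entry[1])]

if __name__ == "__main__":
    for option, host, port in exposed(SAMPLE_TORRC):
        print(f"public listener: {option} on {host}:{port}")
```
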

