[tor-relays] Multiple obfs4 Bridge Relays on macOS

Wilton Gorske wilton at riseup.net
Tue Apr 14 15:34:07 UTC 2020


Hi all,

Firstly, I hope you're taking care and staying safe (against pandemics
and surveillance, especially considering how the latter is taking
advantage of the former).

Secondly, and mainly, I am working on setting up ten obfs4 bridge relays
on macOS and keep running into port issues, so I'm hoping to get some
general advice and guidance about how to set this up in the absence of
updated macOS tutorials online.

These bridge relays are going to run on one macOS server. Knowing that
they can each have their own dedicated IP address, could someone advise
how to best set up these multiple obfs4 bridge instances so each can be
run (tor -f /usr/local/etc/tor/torrc.1, torrc.2, torrc.3, etc...) under
one non-root user with only two public ports open on the data center
network (80 and 443)? I'm getting stuck at the port reachability phase,
and even more so when trying to run multiple instances with
forwarding/binding warnings.

The Application Level Firewall allows certain granted programs
(tor/tor-gencert/tor-print-ed-signing-cert/tor-resolve/torify/obfs4proxy)
the ability to open or accept a network socket. By editing the macOS
network system settings to route port 80 to 9005, and noting ORPort 80
NoListen ORPort 0.0.0.0:9005 NoAdvertise in the torrc, that works
correctly (including routing 443 for obfs4proxy). Running a second
instance is where it seems to break down. Is there a way to have
multiple tor instances sharing a port?

My guess is the main issue is that at the system routing level, I need a
way to note each IP and port so it goes to the right tor instance.
Currently, the forwarding is set up like:
    rdr pass on en1 inet proto tcp from any to any port 80 -> 127.0.0.1 port 9005
I'm guessing I need some way to designate IP XX.XXX.XX.120 -> port 9005
(torrc.1), XX.XXX.XX.121 -> port 9006 (torrc.2), XX.XXX.XX.122 -> port
9007 (torrc.3), etc. Is that correct?

A copy of my notes and configurations so far can be found here:
http://5jp7xtmox6jyoqd5.onion/p/ISjeXEW-vt8H1s89bwSW

Please feel free to make suggestions or edits directly in that etherpad.
I'm sure there are multiple ways to do this, but I definitely want to
make sure I am using the most secure method as opposed to the easiest or
quickest... Thanks for any help in advance.

All the best,
Wilton
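
The per-address mapping the message asks about (one public IP per tor instance, each redirected to its own local port) can be sketched as follows. This is an added example, not part of the original post: the 198.51.100.x addresses and the 9105+ local ports for 443 are constructed placeholders, the function names are hypothetical, and binding the listener to 127.0.0.1 rather than the post's 0.0.0.0 is a choice made here because the redirect target is loopback.

```shell
#!/bin/sh
# Added example: emit one pf rdr rule per bridge IP and the matching torrc
# ORPort pair, so each public address lands on its own tor instance.
# All addresses below are constructed (TEST-NET-2), not the poster's.

# gen_rdr IFACE PUBLIC_PORT FIRST_LOCAL_PORT IP...
# Matches on the destination address instead of "to any", which is what
# lets several instances share public port 80 (or 443) on one host.
gen_rdr() {
    iface=$1; pub=$2; lport=$3; shift 3
    for ip in "$@"; do
        printf 'rdr pass on %s inet proto tcp from any to %s port %s -> 127.0.0.1 port %s\n' \
            "$iface" "$ip" "$pub" "$lport"
        lport=$((lport + 1))
    done
}

# gen_orport PUBLIC_PORT LOCAL_PORT
# Same NoListen/NoAdvertise pair as in the post, with the listener on
# loopback (assumption: nothing else needs to reach it directly).
gen_orport() {
    printf 'ORPort %s NoListen\nORPort 127.0.0.1:%s NoAdvertise\n' "$1" "$2"
}

# check_unique PORT...
# Succeeds only if no local port is claimed twice; two instances on the
# same local port is the bind failure a second instance runs into.
check_unique() {
    dup=$(printf '%s\n' "$@" | sort | uniq -d)
    [ -z "$dup" ]
}

IPS="198.51.100.120 198.51.100.121 198.51.100.122"   # constructed

# shellcheck disable=SC2086  # word splitting of $IPS is intended
gen_rdr en1 80 9005 $IPS      # ORPort redirects: 9005, 9006, 9007
# shellcheck disable=SC2086
gen_rdr en1 443 9105 $IPS     # obfs4 redirects: 9105.. (constructed ports)

gen_orport 80 9005            # goes into torrc.1; 9006 into torrc.2, etc.
check_unique 9005 9006 9007 9105 9106 9107 && echo "local ports are unique"
```

The generated rdr lines can be written to a file and parsed without loading them using `pfctl -n -f <file>`.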
