[tor-relays] Multiple obfs4 Bridge Relays on macOS

teor teor at riseup.net
Wed Apr 15 08:53:32 UTC 2020


Hi,

> On 15 Apr 2020, at 01:45, Wilton Gorske <wilton at riseup.net> wrote:
> 
> Secondly, and mainly, I am working on setting up ten obfs4 bridge relays
> on macOS and keep running into port issues, so I'm hoping to get some
> general advice and guidance about how to set this up in the absence of
> updated macOS tutorials online.

Thanks for running Tor bridges!

> These bridge relays are going to run on one macOS server. Knowing that
> they can each have their own dedicated IP address, could someone advise
> how to best set up these multiple obfs4 bridge instances so each can be
> run (tor -f /usr/local/etc/tor/torrc.1, torrc.2, torrc.3, etc...) under
> one non-root user

It's slightly safer to run each instance under its own user.

Then the keys for each instance aren't available to the other instances.

You might find Debian's tor-instance-create script useful:
https://gitweb.torproject.org/debian/tor.git/tree/debian/tor-instance-create

In particular, you can have a defaults torrc for each instance, and then
just change the addresses and ports in each instance's torrc.

> with only two public ports open on the data center
> network (80 and 443)? I'm getting stuck at the port reachability phase,
> and even more so when trying to run multiple instances with
> forwarding/binding warnings.
> 
> The Application Level Firewall allows certain granted programs
> (tor/tor-gencert/tor-print-ed-signing-cert/tor-resolve/torify/obfs4proxy)
> the ability to open or accept a network socket. By editing the macOS
> network system settings to route port 80 to 9005, and noting ORPort 80
> NoListen ORPort 0.0.0.0:9005 NoAdvertise in the torrc, that works
> correctly (including routing 443 for obfs4proxy). Running a second
> instance is where it seems to break down. Is there a way to have
> multiple tor instances sharing a port?

No, tor doesn't support port multiplexing across multiple tor
processes.

Instead, tor automatically multiplexes multiple clients over the same
port, without any special configuration on the server.

> My guess is the main issue is that at the system routing level, I need a
> way to note each IP and port so it goes to the right tor instance.
> Currently, the forwarding is set up like:
> rdr pass on en1 inet proto tcp from any to any port 80 -> 127.0.0.1 port 9005
> I'm guessing I need some way to designate IP XX.XXX.XX.120 -> port 9005
> (torrc.1), XX.XXX.XX.121 -> port 9006 (torrc.2), XX.XXX.XX.122 -> port
> 9007 (torrc.3), etc. Is that correct?

Yes, that sounds sensible.

> A copy of my notes and configurations so far can be found here:
> http://5jp7xtmox6jyoqd5.onion/p/ISjeXEW-vt8H1s89bwSW
> 
> Please feel free to make suggestions or edits directly in that etherpad.
> I'm sure there are multiple ways to do this, but I definitely want to
> make sure I am using the most secure method as opposed to the easiest or
> quickest... Thanks for any help in advance.

T
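As an added example (not from this thread or the Tor project), the per-IP layout discussed above sketched as a small shell script: it emits one pf rdr pair per instance (public :80 to that instance's local ORPort, public :443 to its local obfs4proxy port) and a torrc per instance with its own User and DataDirectory, so each instance's keys stay separate. The 192.0.2.x addresses, the _torN user names, the 91xx obfs4 ports, and the DataDirectory and obfs4proxy paths are assumptions.

```shell
#!/bin/sh
# Constructed instance table: index and dedicated public IP (192.0.2.0/24 is a
# documentation range; substitute the real per-instance addresses). en1 is the
# interface named in the thread.
IFACE=en1
INSTANCES="1 192.0.2.120
2 192.0.2.121
3 192.0.2.122"

# Local ports for instance N: ORPort 9004+N matches the thread's 9005/9006/9007
# scheme; the parallel 9104+N range for obfs4proxy is an assumption.
or_port()    { echo $((9004 + $1)); }
obfs4_port() { echo $((9104 + $1)); }

# One rdr rule pair per instance, keyed on the destination IP rather than
# "to any", so each public address lands on its own tor process.
pf_rules() {
  echo "$INSTANCES" | while read -r n ip; do
    printf 'rdr pass on %s inet proto tcp from any to %s port 80 -> 127.0.0.1 port %s\n' \
      "$IFACE" "$ip" "$(or_port "$n")"
    printf 'rdr pass on %s inet proto tcp from any to %s port 443 -> 127.0.0.1 port %s\n' \
      "$IFACE" "$ip" "$(obfs4_port "$n")"
  done
}

# torrc for instance N: advertise port 80 on its own IP, listen only on the
# redirected loopback port, and run as its own user with its own DataDirectory.
torrc_for() {
  n=$1; ip=$2
  cat <<EOF
# torrc.$n (generated; user, paths and obfs4 port are assumptions)
User _tor$n
DataDirectory /usr/local/var/lib/tor$n
BridgeRelay 1
Address $ip
OutboundBindAddress $ip
ORPort 80 NoListen
ORPort 127.0.0.1:$(or_port "$n") NoAdvertise
ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy
ServerTransportListenAddr obfs4 127.0.0.1:$(obfs4_port "$n")
ExtORPort auto
EOF
}

# Usage (after sourcing this file):
#   pf_rules                 -> rules to place in a pf anchor file
#   torrc_for 1 192.0.2.120  -> contents for /usr/local/etc/tor/torrc.1
```

Load the rules from a pf anchor and reload with pfctl; tor must be started as root for the User directive to drop privileges to the per-instance account.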
