[tor-relays] problem with new obfs4 bridge

Christopher Sheats yawnbox at emeraldonion.org
Fri Mar 26 19:35:12 UTC 2021


Hello,

We’re trying to get a 10GbE dual-stack public obfs4 bridge online, but presumably having some trouble with obfs4.
I wished to open a bug, but my request for an account via https://gitlab.onionize.space/ is not being approved.

These two recent tickets appear to be related:
https://gitlab.torproject.org/tpo/core/tor/-/issues/40311
https://gitlab.torproject.org/tpo/core/tor/-/issues/40107

Ubuntu Server 20.10
tor 0.4.5.7
obfs4proxy 0.8

Firewall accepts TCP/UDP 80/443.

Metrics link: https://metrics.torproject.org/rs.html#details/7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3

torrc:

BridgeRelay 1
ORPort 80
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:443
ExtORPort auto
ContactInfo tech at emeraldonion.org
Nickname EmeraldOnionBridge1
MaxMemInQueues 8192MB
Log notice file /var/log/tor/notices.log
Log notice syslog

Tor Browser connect errors:

“obfs4 [2620:18c:0:192::194]:443 7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3”

3/26/21, 18:46:55.269 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with [2620:18c:0:192::194]:443 ID=H50HNwR2NkpCR9QPST8MdPfmTC43YyZ7sswt9yDTJGA RSA_ID=7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3 ("general SOCKS server failure")

“obfs4 [2620:18c:0:192::194]:443”

3/26/21, 18:47:33.467 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with [scrubbed] ("general SOCKS server failure")

“[2620:18c:0:192::194]”

3/26/21, 19:03:52.905 [WARN] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (TLS_ERROR; TLS_ERROR; count 2; recommendation warn; host 7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3 at 2620:18c:0:192::194:443)
3/26/21, 19:03:52.905 [WARN] 2 connections have failed:
3/26/21, 19:03:52.905 [WARN] 2 connections died in state handshaking (TLS) with SSL state SSLv3/TLS write client hello in HANDSHAKE

“23.129.64.194”

3/26/21, 19:06:43.811 [WARN] Problem bootstrapping. Stuck at 10% (conn_done): Connected to a relay. (DONE; DONE; count 3; recommendation warn; host 0000000000000000000000000000000000000000 at 23.129.64.194:443)
3/26/21, 19:06:43.811 [WARN] 3 connections have failed:
3/26/21, 19:06:43.811 [WARN] 3 connections died in state handshaking (TLS) with SSL state SSLv3/TLS write client hello in HANDSHAKE

No issues:

“[2620:18c:0:192::194]:80 7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3”

“23.129.64.194:80 7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3”

Notices log output:

Mar 26 11:38:29.000 [notice] Tor 0.4.5.7 opening log file.
Mar 26 11:38:29.600 [notice] We compiled with OpenSSL 1010106f: OpenSSL 1.1.1f  31 Mar 2020 and we are running with OpenSSL 1010106f: 1.1.1f. These two versions should be binary compatible.
Mar 26 11:38:29.601 [notice] Tor 0.4.5.7 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1f, Zlib 1.2.11, Liblzma 5.2.4, Libzstd 1.4.5 and Glibc 2.32 as libc.
Mar 26 11:38:29.601 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Mar 26 11:38:29.601 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Mar 26 11:38:29.601 [notice] Read configuration file "/etc/tor/torrc".
Mar 26 11:38:29.603 [notice] Opening Socks listener on 127.0.0.1:9050
Mar 26 11:38:29.603 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9050
Mar 26 11:38:29.603 [notice] Opening OR listener on 0.0.0.0:80
Mar 26 11:38:29.603 [notice] Opened OR listener connection (ready) on 0.0.0.0:80
Mar 26 11:38:29.603 [notice] Opening OR listener on [::]:80
Mar 26 11:38:29.603 [notice] Opened OR listener connection (ready) on [::]:80
Mar 26 11:38:29.603 [notice] Opening Extended OR listener on 127.0.0.1:0
Mar 26 11:38:29.603 [notice] Extended OR listener listening on port 40739.
Mar 26 11:38:29.603 [notice] Opened Extended OR listener connection (ready) on 127.0.0.1:40739
Mar 26 11:38:30.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Mar 26 11:38:30.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Mar 26 11:38:30.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Mar 26 11:38:30.000 [notice] Your Tor server's identity key  fingerprint is 'EmeraldOnionBridge1 7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3'
Mar 26 11:38:30.000 [notice] Your Tor bridge's hashed identity key  fingerprint is 'EmeraldOnionBridge1 09E23FA5AD9CF64DBEFE88A39A2F1EB215E44B53'
Mar 26 11:38:30.000 [notice] Your Tor server's identity key ed25519 fingerprint is 'EmeraldOnionBridge1 H50HNwR2NkpCR9QPST8MdPfmTC43YyZ7sswt9yDTJGA'
Mar 26 11:38:30.000 [notice] Bootstrapped 0% (starting): Starting
Mar 26 11:38:36.000 [notice] Starting with guard context "default"
Mar 26 11:38:36.000 [notice] Signaled readiness to systemd
Mar 26 11:38:36.000 [notice] Registered server transport 'obfs4' at '[::]:443'
Mar 26 11:38:37.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Mar 26 11:38:37.000 [notice] Opening Socks listener on /run/tor/socks
Mar 26 11:38:37.000 [notice] Opened Socks listener connection (ready) on /run/tor/socks
Mar 26 11:38:37.000 [notice] Opening Control listener on /run/tor/control
Mar 26 11:38:37.000 [notice] Opened Control listener connection (ready) on /run/tor/control
Mar 26 11:38:37.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Mar 26 11:38:37.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
Mar 26 11:38:37.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
Mar 26 11:38:37.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Mar 26 11:38:37.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Mar 26 11:38:37.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Mar 26 11:38:38.000 [notice] Bootstrapped 100% (done): Done
Mar 26 11:38:38.000 [notice] Now checking whether IPv4 ORPort 23.129.64.194:80 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Mar 26 11:38:38.000 [notice] Now checking whether IPv6 ORPort [2620:18c:0:192::194]:80 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Mar 26 11:38:39.000 [notice] Self-testing indicates your ORPort [2620:18c:0:192::194]:80 is reachable from the outside. Excellent.
Mar 26 11:38:39.000 [notice] Self-testing indicates your ORPort 23.129.64.194:80 is reachable from the outside. Excellent. Publishing server descriptor.
Mar 26 11:40:32.000 [notice] Performing bandwidth self-test...done.

A prior torrc config set the IPs explicitly, but had the same result:

ServerTransportListenAddr obfs4 23.129.64.194:443
ServerTransportListenAddr obfs4 [2620:18c:0:192::194]:443

I can provide debug logs as necessary. Possibly of note, our firewall does not use connection tracking and applies the same rules as our exit relays which use the same ports.

Pro-active note: The bridge shares the same 23.129.64.0/24 subnet as Emerald Onion's Tor exit relays, so there is no risk of a user entering and exiting our physical network (see "2.2. Path selection and constraints"): https://github.com/torproject/torspec/blob/master/path-spec.txt

Cheers,

--
Christopher Sheats
Executive Director for Emerald Onion
Email: yawnbox at emeraldonion.org
Phone: +1 206-739-3390
Web: https://emeraldonion.org/
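
Added example (not part of the original message, and not Tor Project code): a small check that compares each bridge line tried above with what the posted torrc listens for on that port. The helper names are hypothetical; the torrc lines, addresses and fingerprint are copied from the post, and 443 is the port tor assumes when a bridge line names none, as the logged "host ... :443" entries show.

```python
import re

# torrc lines copied from the post.
TORRC = """\
BridgeRelay 1
ORPort 80
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:443
ExtORPort auto
"""
FP = "7ADC8C6BF93197830FDF3E06DFB4D96E7CFEDCF3"
# Bridge lines the post reports entering in Tor Browser, in order.
BRIDGE_LINES = [
    f"obfs4 [2620:18c:0:192::194]:443 {FP}",
    "obfs4 [2620:18c:0:192::194]:443",
    "[2620:18c:0:192::194]",
    "23.129.64.194",
    f"[2620:18c:0:192::194]:80 {FP}",
    f"23.129.64.194:80 {FP}",
]
DEFAULT_BRIDGE_PORT = 443  # tor's default when a bridge line gives no port
ADDR = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[0-9.]+)(?::(\d+))?$")
# ORPort, or ServerTransportListenAddr <name>, then an optional address and a port.
LISTEN = re.compile(
    r"^(?:ORPort|ServerTransportListenAddr[ \t]+(\S+))[ \t]+(?:\S*:)?(\d+)(?=\s|$)", re.I | re.M)

def listeners(torrc):
    """Map each listening port to what is served there: 'or' or a transport name."""
    return {int(port): name or "or" for name, port in LISTEN.findall(torrc)}

def parse_bridge(line):
    """Return (transport, host, port); a line with no transport name is plain 'or'."""
    tokens = line.split() or [""]
    transport = "or" if ADDR.match(tokens[0]) else tokens.pop(0)
    m = ADDR.match(tokens[0]) if tokens else None
    if m is None:
        raise ValueError(f"no address in bridge line: {line!r}")
    return transport, m.group(1), int(m.group(2) or DEFAULT_BRIDGE_PORT)

def check(line, ports):
    """'match' when the protocol in the bridge line is what listens on its port."""
    transport, _host, port = parse_bridge(line)
    served = ports.get(port)
    return "no-listener" if served is None else "match" if served == transport else "mismatch"

if __name__ == "__main__":
    table = listeners(TORRC)
    for bl in BRIDGE_LINES:
        print(f"{check(bl, table):9}  {bl}")
```

A "mismatch" means a plain OR (TLS) connection is aimed at the port where obfs4 listens; a "match" only says the right protocol is aimed at the right port and says nothing about transport arguments or reachability.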
