[tor-relays] How to reduce tor CPU load on a single bridge?

David Fifield david at bamsoftware.com
Mon Dec 19 01:10:31 UTC 2022


On Fri, Dec 16, 2022 at 04:27:06AM +0000, Gary C. New via tor-relays wrote:
> On Tuesday, December 13, 2022, 07:35:23 PM MST, David Fifield
> <david at bamsoftware.com> wrote:
> 
> On Tue, Dec 13, 2022 at 07:29:45PM +0000, Gary C. New via tor-relays wrote:
> >> On Tuesday, December 13, 2022, 10:11:41 AM PST, David Fifield
> >> <david at bamsoftware.com> wrote:
> >>
> >> Am I correct in assuming extor-static-cookie is only useful within the context
> >> of bridging connections between snowflake-server and tor (not as a pluggable
> >> transport similar to obfs4proxy)?
> 
> > That's correct. extor-static-cookie is a workaround for a technical
> > problem with tor's Extended ORPort. It serves a narrow and specialized
> > purpose. It happens to use the normal pluggable transports machinery,
> > but it is not a circumvention transport on its own. It's strictly for
> > interprocess communication and is not exposed to the Internet. You don't
> > need it to run a Snowflake proxy.
> 
> Created a Makefile for extor-static-cookie for OpenWRT and Entware:
> 
> https://forum.openwrt.org/t/extor-static-cookie-makefile/145694

I appreciate the enthusiasm, but I should reiterate: there is no reason
to ever use this tool on OpenWRT. Packaging it is a mistake. If you
think you need it, you misunderstand what it is for.

> > I am not sure what your plans are with running multiple obfs4proxy, but
> > if you just want multiple obfs4 listeners, with different keys, running
> > on different ports on the same host, you don't need a load balancer,
> > extor-static-cookie, or any of that. Just run multiple instances of tor,
> > each with its corresponding instance of obfs4proxy. The separate
> > instances don't need any coordination or communication.
> 
> The goal of running multiple obfs4proxy listeners is to offer numerous, unique
> bridges distributed across several servers maximizing resources and
> availability.

If the purpose is running on several different servers, you don't need a
load balancer and you don't need extor-static-cookie. Those tools are
meant for running *one* instance of a pluggable transport on *one*
server. If you want to distribute bridges over multiple servers, just
run one instance each of tor and obfs4proxy on multiple servers, in the
normal way. You don't need anything fancy.

> > You could, in principle, use the same load-balanced setup with
> > obfs4proxy, but I expect that a normal bridge will not get enough users
> > to justify it. It only makes sense when the tor process hits 100% CPU
> > and becomes a bottleneck, which for the Snowflake bridge only started
> > to happen at around 6,000 simultaneous users.
> 
> Hmm... If normal bridges will not see enough users to justify the deployment
> of numerous, unique bridges distributed over several servers--this may be a
> deciding factor. I don't have enough experience with normal bridges to know.

Some pluggable transports, like obfs4, need there to be many bridges,
because they are vulnerable to being blocked by IP address. Each
individual bridge does not get much traffic, because there are so many
of them. With obfs4, it's not about load, it's about address diversity.
Just run multiple independent bridges if you want to increase your
contribution.

Snowflake is unlike obfs4 in that it does not depend on there being
multiple bridges for its blocking resistance. Snowflake gets its address
diversity at a different layer—the Snowflake proxies. There are many
proxies, but there only needs to be one bridge. However, that one
bridge, because it receives the concentrated traffic of many users,
needs special scaling techniques.

> >> What about a connection flow of haproxy/nginx => (snowflake-server =>
> >> extor-static-cookie => tor) on separate servers?
> 
> > You have the order wrong (it's snowflake-server → haproxy →
> > extor-static-cookie → tor), but yes, you could divide the chain at any
> > of the arrows and run things on different hosts. You could also run half
> > the extor-static-cookie + tor on one host and half on another, etc.
> 
> I've installed and started configuring snowflake-server and have some questions
> after reading the README:
> 
> In short, I'm trying to get a sense of whether it makes sense to run a
> Snowflake Bridge and Normal Bridge on the same public addresses?

There is no reason at all to run a Snowflake bridge. No user will ever
connect to it, because Snowflake bridges are not distributed through
BridgeDB like obfs4 bridges are; they are shipped in configuration
files with Tor Browser or Orbot. There is no need for volunteers to run
Snowflake bridges, and no benefit to them doing so. If you want to help,
run a Snowflake proxy.

There is no reason for a volunteer bridge operator to run
snowflake-server or extor-static-cookie, ever. Packaging them for
OpenWRT can only cause confusion. You do not need these programs.
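The "normal way" the reply describes, several independent tor + obfs4proxy pairs on one host with nothing shared between them, as an added example that is not from the thread or the Tor Project. Paths, port bases and the bridge nickname are constructed assumptions; the directives themselves are standard torrc options.

```shell
#!/bin/sh
# Added example: emit a torrc for the N-th of several independent obfs4 bridges
# on one host. No load balancer and no extor-static-cookie are involved; each
# tor process drives its own obfs4proxy.
# Constructed assumptions: obfs4proxy at /usr/bin/obfs4proxy, per-instance state
# under /var/lib/tor-instances/, ORPorts from 9001 and obfs4 ports from 8443.

gen_torrc() {
    i="$1"
    orport=$((9000 + i))      # ORPort must be reachable from the Internet for a bridge
    ptport=$((8442 + i))      # obfs4 listener that clients actually connect to
    cat <<EOF
BridgeRelay 1
Nickname ExampleBridge$i
ORPort $orport
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:$ptport
ExtORPort auto
# A separate DataDirectory gives each obfs4proxy its own pt_state directory and
# therefore its own bridge key; the instances never coordinate.
DataDirectory /var/lib/tor-instances/tor-$i
PidFile /var/lib/tor-instances/tor-$i.pid
Log notice file /var/lib/tor-instances/tor-$i.log
ContactInfo operator@example.invalid
PublishServerDescriptor bridge
EOF
}

# Sanity check: two generated instances share no port and no state directory.
instances_disjoint() {
    a=$(gen_torrc "$1" | grep -E '^(ORPort|ServerTransportListenAddr|DataDirectory) ')
    b=$(gen_torrc "$2" | grep -E '^(ORPort|ServerTransportListenAddr|DataDirectory) ')
    # Any line present in both files means a shared port or directory.
    common=$(printf '%s\n%s\n' "$a" "$b" | sort | uniq -d)
    [ -z "$common" ]
}

# Usage: sh gen-torrc.sh 3 > /etc/tor/instances/torrc-3
if [ -n "${1:-}" ]; then
    gen_torrc "$1"
fi
```

Each torrc is then started with its own `tor -f` invocation (or one systemd unit per instance); the bridge lines to hand out come from each instance's own pt_state.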
