[tor-relays] Help Turkmens to bypass Internet censorship: run an obfs4 bridge!

gus gus at torproject.org
Sat Jul 22 15:12:17 UTC 2023


Hi,

Great question. First, it is important to highlight that sometimes
censorship is not implemented uniformly across all ISPs in a country.
For example, see Tor Metrics in Russia:
- https://metrics.torproject.org/userstats-relay-country.html?start=2023-04-23&end=2023-07-22&country=ru&events=off
- https://metrics.torproject.org/userstats-bridge-combined.html?start=2023-04-23&end=2023-07-22&country=ru

And sometimes you'll find some interesting metrics anomalies, e.g., in
China:
- Vanilla Tor connection spikes:
  https://metrics.torproject.org/userstats-relay-country.html?start=2023-04-23&end=2023-07-22&country=cn&events=off
- Bridge users:
  https://metrics.torproject.org/userstats-bridge-combined.html?start=2023-04-23&end=2023-07-22&country=cn

Second, in Turkmenistan's case, it appears that one ISP (AGTS) had different
censorship rules compared to their main ISP, Turkmentelecom. As a result,
AGTS clients were able to use tools like tor-relay-scanner[1] to find
unblocked Tor relays and use them as Tor "vanilla OR bridges" to bypass
the block.

But, this workaround was blocked in AGTS/Turkmenistan last week and it
is no longer effective.

Gus

[1] https://github.com/ValdikSS/tor-relay-scanner

On Sat, Jul 22, 2023 at 03:47:18PM +0200, telekobold wrote:
> Hi,
> 
> just a question out of interest: If there is such a massive blocking of Tor
> in Turkmenistan, how can it be that there seem to have been measured between
> 1500 and 10000 direct connections with Tor from Turkmenistan this year [1]?
> The curve has had a very sharp drop to almost zero recently, but I would
> have expected it to be close to zero all along given the reports.
> 
> The number of clients directly connected to Tor seems to be even comparable
> to the number of clients connected via bridges for the last months [2].
> 
> Kind regards
> telekobold
> 
> [1] https://metrics.torproject.org/userstats-relay-country.html?start=2023-01-01&end=2023-07-22&country=tm
> [2] https://metrics.torproject.org/userstats-bridge-country.html?start=2023-01-01&end=2023-07-22&country=tm
> 
> On 21.07.23 18:07, gus wrote:
> > Hi,
> > 
> > New update: In the last few weeks, internal political conflicts and
> > other events[1] in Turkmenistan have led to another wave of censorship
> > on Tor and anti-censorship tools. Tor bridges have been one of the few
> > free alternatives for people in Turkmenistan to connect with the world
> > and access the open Internet.
> > 
> > If you have access to an IP range that has never seen the light of day,
> > a stable residential connection, or access to your university network,
> > you can help thousands of people connect to the internet in
> > Turkmenistan.
> > 
> > Tor bridges running on residential connections, on dynamic IPv4 addresses,
> > or on unblocked IP ranges are effective, but are regularly discovered
> > and blocked by censors, thus making us call for new bridges. These
> > bridges must run on specific obfs4 ports: 80, 8080, or 443. See below
> > the example of torrc for your bridge. If it's your first time running a
> > bridge, please follow our official guide:
> > <https://community.torproject.org/relay/setup/bridge/>.
> > 
> > Finding an IP range that is unblocked in the country is not easy.
> > However, bridges in universities and IP ranges in the US have been of great
> > help to people in Turkmenistan.
> > Please note that it's not possible to run IPv6-only bridges and
> > Turkmenistan has a very small adoption of IPv6.
> > 
> > If you run a bridge to help people in Turkmenistan, send your bridge
> > line to frontdesk at torproject.org. We will share your bridge with people
> > that really need it!
> > 
> > A bridge line is composed of:
> > 
> > IP:OBFS4_PORT FINGERPRINT cert=obfs4-certificate iat-mode=0
> > 
> > If you need help to build your bridge line, please check the official
> > guide: https://community.torproject.org/relay/setup/bridge/post-install/
> > 
> > ## Other Pluggable Transports
> > 
> > - Snowflake has been blocked in the country since 2021:
> >      - STUN servers are running on blocked IP ranges
> >      - When we found an available STUN server, it didn't find a proxy to
> >        match (probably because of the TM's IP range rules). For more
> >        information, see this ticket[2].
> > 
> > - Meek[3] (domain fronting) is one of the few techniques that
> >    consistently works, but with reduced speed. While there is a dedicated
> >    bridge for TM, its cost is high.
> > 
> > - Conjure[4] was successfully tested, but more development hours are
> >    still needed for its maintenance and stabilization. Currently it is
> >    only available on Tor Browser Alpha and some other Tor powered apps.
> > 
> > - WebTunnel[5] could potentially work, but like obfs4 bridges, it
> >    depends on whether the website is hosted on an IP range that is not
> >    blocked in Turkmenistan.
> > 
> > ## Research and other resources
> > 
> > If you would like to learn more about censorship in Turkmenistan,
> > ntc.party is a great resource (posts in Russian):
> > https://ntc.party/c/internet-censorship-all-around-the-world/turkmenistan/17
> > 
> > And this paper (2023) about measuring Internet censorship in TM:
> > 
> > "Measuring and Evading Turkmenistan's Internet Censorship: A Case Study
> > in Large-Scale Measurements of a Low-Penetration Country" (Sadia Nourin,
> > Van Tran, Xi Jiang, Kevin Bock, Nick Feamster, Nguyen Phong Hoang, Dave
> > Levin) 2023-04-17
> > https://arxiv.org/abs/2304.04835
> > https://tmc.np-tokumei.net/
> > 
> > ## Tor metrics
> > 
> > You can follow a rough estimate of Tor usage in Turkmenistan here:
> > - https://metrics.torproject.org/userstats-bridge-combined.html?start=2023-04-21&end=2023-07-20&country=tm
> > - https://metrics.torproject.org/userstats-relay-country.html?start=2023-04-21&end=2023-07-20&country=tm&events=off
> > 
> > ## torrc example
> > 
> > BridgeRelay 1
> > ORPort 127.0.0.1:auto
> > AssumeReachable 1
> > ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
> > ServerTransportListenAddr obfs4 0.0.0.0:8080
> > ExtORPort auto
> > Nickname helptm
> > ContactInfo <please-add-your-email-here>
> > Log notice file /var/log/tor/notices.log
> > # If you set BridgeDistribution none, please remember to email
> > # your bridge line to us: frontdesk at torproject.org
> > BridgeDistribution none
> > 
> > Thank you,
> > Gus
> > 
> > Notes
> > 
> > [1]
> > https://www.rferl.org/a/turkmenistan-top-officials-fired/32507072.html
> > https://www.reuters.com/world/asia-pacific/turkmenistan-opens-futuristic-city-dedicated-leader-2023-06-29/
> > [2]
> > https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40024
> > [3]
> > https://metrics.torproject.org/rs.html#details/A77AB4544CEB3AB8155FC5D18E69651BD31596F2
> > [4]
> > https://forum.torproject.org/t/call-for-testers-help-the-tor-project-to-test-conjure-on-tor-browser-alpha/7815
> > [5]
> > https://forum.torproject.org/t/tor-relays-announcement-webtunnel-a-new-pluggable-transport-for-bridges-now-available-for-deployment/8180
> > 
> > 
> > On Tue, Apr 04, 2023 at 12:46:47AM -0300, gus wrote:
> > > Hello,
> > > 
> > > Another update:
> > > 
> > > As it's very hard to get a vantage point in the country[1], we've asked
> > > for feedback from users to understand what works there. But, if by any chance
> > > you have access to a machine hosted there, do let me know! You can
> > > contact me in private. :)
> > > 
> > > Based on user feedback, we learned that obfs4 bridges running on
> > > residential connections + port 80, 443 or 8080 work in Turkmenistan.
> > > Last week I asked some operators to change their bridge obfs4 port and
> > > it worked!
> > > 
> > > Unfortunately, users reported that censors blocked some bridges. You can
> > > even see that on Tor Metrics graph. For example:
> > > - https://metrics.torproject.org/rs.html#details/D1302AC19A71BED956C568AC79DF0048E61D8A2E
> > > - https://metrics.torproject.org/rs.html#details/A811AAB7771434CE0DD4D3942173E65DEC49B962
> > > 
> > > If you're operating these bridges and can easily rotate the IP address, please
> > > do!
> > > 
> > > Finally, if you want to learn more about censorship in Turkmenistan, you
> > > can check this great presentation[2] from last year.
> > > 
> > > Thanks for running bridges!
> > > Gus
> > > 
> > > [1] https://ntc.party/t/vps/2804/9
> > > [2] https://drive.google.com/file/d/1odIO1Bi9laU-B-JZMoZFWGEwkTl95oq9/view
> > > 
> > > On Thu, Mar 23, 2023 at 01:00:17PM -0300, gus wrote:
> > > > Hello, just a quick update:
> > > > 
> > > > Some friends from Turkmenistan told me that they don't think this new
> > > > round of online censorship is related to the upcoming elections,
> > > > because it's just a "formal" event. In general, they said, shutdowns and
> > > > internet disruptions are motivated by other events like:
> > > >   - when Russian Duma speaker arrived in TM
> > > >   - the wedding day of the president's grandson
> > > > 
> > > > Anyway, today we tested some of the bridges that you shared with us and I replied
> > > > back saying which ones worked and which ones didn't.
> > > > 
> > > > Thank you for running a bridge!
> > > > Gus
> > > > 
> > > > On Wed, Mar 22, 2023 at 04:25:05PM -0300, gus wrote:
> > > > > Dear Relay operators community,
> > > > > 
> > > > > The parliamentary elections in Turkmenistan are coming up very soon on
> > > > > March 26th[1], and the Turkmen government has tightened internet censorship
> > > > > and restrictions even more. In the last few months, the Anti-censorship
> > > > > community has learned that different pluggable transports, like
> > > > > Snowflake, and entire IP ranges, have been blocked in the country.
> > > > > Therefore, running a bridge on popular hosting providers like Hetzner,
> > > > > Digital Ocean, Linode, and AWS won't help as these providers' IP ranges
> > > > > are completely blocked in Turkmenistan.
> > > > > 
> > > > > Recently, we learned from the Anti-censorship community[2] and via Tor user
> > > > > support channels that Tor bridges running on residential connections
> > > > > were working fine. Although they were blocked after some days or a week,
> > > > > these bridges received a lot of users and were very important to keep
> > > > > Turkmens connected.
> > > > > 
> > > > > How to help Turkmens to access the Internet
> > > > > ===========================================
> > > > > 
> > > > > You can help Turkmens to access the free and open internet by running an
> > > > > obfs4 Tor bridge! But here's the trick: you need to run it on a
> > > > > residential connection -- you won't need a static IPv4 --, and it would
> > > > > ideally be run on more robust hardware than just a Raspberry Pi
> > > > > (although that can help, we have found they can get overloaded).
> > > > > 
> > > > > You can set up an obfs4 bridge by following our official guide:
> > > > >      https://community.torproject.org/relay/setup/bridge/
> > > > > 
> > > > > After you set up a new bridge, you can share your bridge line with the
> > > > > Tor support team at frontdesk at torproject.org, and we will share it with
> > > > > users.
> > > > > 
> > > > > A complete bridge line is composed of:
> > > > > 
> > > > >      IP:OBFS4_PORT FINGERPRINT cert=obfs4-certificate iat-mode=0
> > > > > 
> > > > > Check this documentation to learn how to share your bridge line:
> > > > > https://community.torproject.org/relay/setup/bridge/post-install/
> > > > > 
> > > > > Just sharing your bridge fingerprint is not the best, but it's fine.
> > > > > 
> > > > > You can read more about censorship against Tor in Turkmenistan here:
> > > > >    - https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40029
> > > > >    - Snowflake blocked:
> > > > >      https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40024
> > > > > 
> > > > > Thank you for your support in helping to keep the internet free and open
> > > > > for everyone.
> > > > > 
> > > > > Gus
> > > > > 
> > > > > [1] https://en.wikipedia.org/wiki/2023_Turkmen_parliamentary_election
> > > > > [2] https://ntc.party/c/internet-censorship-all-around-the-world/turkmenistan/17
> > > > > https://github.com/net4people/bbs/issues/80
> > > > > 
> > > > > -- 
> > > > > The Tor Project
> > > > > Community Team Lead
> > > > 
> > > > 
> > > > 
> > > > > _______________________________________________
> > > > > tor-relays mailing list
> > > > > tor-relays at lists.torproject.org
> > > > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> > > > 
> > > > 
> > > > -- 
> > > > The Tor Project
> > > > Community Team Lead
> > > 
> > > 
> > > 
> > > -- 
> > > The Tor Project
> > > Community Team Lead

-- 
The Tor Project
Community Team Lead
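
An added example, not part of the original thread and not Tor Project code: a pre-flight check an operator could run on a bridge line (`IP:OBFS4_PORT FINGERPRINT cert=obfs4-certificate iat-mode=0`) before mailing it, covering the thread's requirements (IPv4, obfs4 port 80, 8080 or 443). The function name, the list of unreachable ranges and the sample values are assumptions constructed for illustration; the 52-byte certificate length follows obfs4's node ID plus public key layout.

```python
import base64
import ipaddress
import re

ALLOWED_PORTS = {80, 8080, 443}  # obfs4 ports requested in the thread
CERT_BYTES = 52  # obfs4 cert: 20-byte node ID + 32-byte public key
# Assumption: RFC 1918, loopback, link-local and CGNAT ranges are unreachable.
UNREACHABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]
# Constructed sample values (documentation IP, dummy fingerprint and cert).
SAMPLE_CERT = base64.b64encode(bytes(range(CERT_BYTES))).decode().rstrip("=")
SAMPLE_LINE = f"203.0.113.10:8080 {'A' * 40} cert={SAMPLE_CERT} iat-mode=0"

def check_bridge_line(line):
    """Return a list of problems in a bridge line (empty list means OK)."""
    fields = line.split()
    # Tolerate the "Bridge" / "obfs4" prefixes used in torrc-style lines.
    while fields and fields[0].lower() in ("bridge", "obfs4"):
        fields.pop(0)
    if len(fields) < 3:
        return ["expected: IP:OBFS4_PORT FINGERPRINT cert=... iat-mode=0"]
    addr, fingerprint, *opts = fields
    problems = []
    host, _, port = addr.rpartition(":")
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
        if ip.version != 4:
            problems.append("IPv6-only bridges cannot be used")
        elif any(ip in net for net in UNREACHABLE):
            problems.append("address is not reachable from outside")
    except ValueError:
        problems.append("address is not an IP literal")
    if not port.isdigit() or int(port) not in ALLOWED_PORTS:
        problems.append("obfs4 port must be 80, 8080 or 443")
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", fingerprint):
        problems.append("fingerprint must be 40 hex characters")
    kv = dict(o.split("=", 1) for o in opts if "=" in o)
    cert = kv.get("cert", "")
    try:
        # obfs4 prints the cert without base64 padding; restore it to decode.
        raw = base64.b64decode(cert + "=" * (-len(cert) % 4), validate=True)
        if len(raw) != CERT_BYTES:
            problems.append("cert does not decode to 52 bytes")
    except ValueError:
        problems.append("cert is not valid base64")
    if kv.get("iat-mode") not in ("0", "1", "2"):
        problems.append("iat-mode must be 0, 1 or 2")
    return problems
```

`check_bridge_line(SAMPLE_LINE)` returns an empty list; the check is purely syntactic and does not test whether the bridge is reachable or unblocked.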