[tor-relays] Help Turkmens to bypass Internet censorship: run an obfs4 bridge!
telekobold
torproject-ml at telekobold.de
Sun Jul 23 19:29:30 UTC 2023
Hi Gus,
thank you for the clarification.
Kind regards
telekobold
On 22.07.23 17:12, gus wrote:
> Hi,
>
> Great question. First, it is important to highlight that sometimes
> censorship is not implemented uniformly across all ISPs in a country.
> For example, see Tor Metrics in Russia:
> - https://metrics.torproject.org/userstats-relay-country.html?start=2023-04-23&end=2023-07-22&country=ru&events=off
> - https://metrics.torproject.org/userstats-bridge-combined.html?start=2023-04-23&end=2023-07-22&country=ru
>
> And sometimes you'll find some interesting metrics anomalies, e.g., in
> China:
> - Vanilla Tor connections spikes:
> https://metrics.torproject.org/userstats-relay-country.html?start=2023-04-23&end=2023-07-22&country=cn&events=off
> - Bridge users:
> https://metrics.torproject.org/userstats-bridge-combined.html?start=2023-04-23&end=2023-07-22&country=cn
>
> Second, in Turkmenistan case, it appears that one ISP (AGTS) had different
> censorship rules compared to their main ISP, Turkmentelecom. As a result,
> AGTS clients were able to use tools like tor-relay-scanner[1] to find
> unblocked Tor relays and use them as Tor "vanilla OR bridges" to bypass
> the block.
>
> But, this workaround was blocked in AGTS/Turkmenistan last week and it
> is no longer effective.
>
> Gus
>
> [1] https://github.com/ValdikSS/tor-relay-scanner
>
> On Sat, Jul 22, 2023 at 03:47:18PM +0200, telekobold wrote:
>> Hi,
>>
>> just a question out of interest: If there is such a massive blocking of Tor
>> in Turkmenistan, how can it be that there seem to have been measured between
>> 1500 and 10000 direct connections with Tor from Turkmenistan this year [1]?
>> The curve has had a very sharp drop to almost zero recently, but I would
>> have expected it to be close to zero all along given the reports.
>>
>> The number of clients directly connected to Tor seems to be even comparable
>> to the number of clients connected via bridges for the last months [2].
>>
>> Kind regards
>> telekobold
>>
>> [1] https://metrics.torproject.org/userstats-relay-country.html?start=2023-01-01&end=2023-07-22&country=tm
>> [2] https://metrics.torproject.org/userstats-bridge-country.html?start=2023-01-01&end=2023-07-22&country=tm
>>
>> On 21.07.23 18:07, gus wrote:
>>> Hi,
>>>
>>> New update: In the last few weeks, internal political conflicts and
>>> other events[1] in Turkmenistan have led to another wave of censorship
>>> on Tor and anti-censorship tools. Tor bridges have been one of the few
>>> free alternatives for people in Turkmenistan to connect with the world
>>> and access the open Internet.
>>>
>>> If you have access to an IP range that has never seen the light of day,
>>> a stable residential connection, or access to your university network,
>>> you can help thousands of people connect to the internet in
>>> Turkmenistan.
>>>
>>> Tor bridges running on residential connections, on dynamic IPv4 address,
>>> or on unblocked IP ranges are effective, but are regularly discovered
>>> and blocked by censors, thus making us to call for new bridges. These
>>> bridges must run on specific obfs4 ports: 80, 8080, or 443. See below
>>> the example of torrc for your bridge. If it's your first time running a
>>> bridge, please follow our official guide:
>>> <https://community.torproject.org/relay/setup/bridge/>.
>>>
>>> Finding an IP range that is unblocked-in the country is not easy.
>>> However, bridges in universities and IP ranges in US have been of great
>>> help to people in Turkmenistan.
>>> Please note that it's not possible to run IPv6-only bridges and
>>> Turkmenistan has a very small adoption of IPv6.
>>>
>>> If you run a bridge to help people in Turkmenistan, send your bridge
>>> line to frontdesk at torproject.org. We will share your bridge with people
>>> that really need it!
>>>
>>> A bridge line is composed of:
>>>
>>> IP:OBFS4_PORT FINGERPRINT cert=obfs4-certificate iat-mode=0
>>>
>>> If you need help to build your bridge line, please check the official
>>> guide: https://community.torproject.org/relay/setup/bridge/post-install/
>>>
>>> ## Other Pluggable Transports
>>>
>>> - Snowflake has been blocked in the country since 2021:
>>> - STUN servers are running on blocked IP ranges
>>> - When we found an available STUN server, it didn't find a proxy to
>>> match (probably because of the TM's IP range rules). For more
>>> information, see this ticket[2].
>>>
>>> - Meek[3] (domain fronting) is one of the few techniques that
>>> consistently works, but with reduced speed. While there is a dedicated
>>> bridge for TM, its cost is high.
>>>
>>> - Conjure[4] was successfully tested, but more development hours are
>>> still needed for its maintenance and stabilization. Currently it is
>>> only available on Tor Browser Alpha and some other Tor powered apps.
>>>
>>> - WebTunnel[5] could potentially work, but like obfs4 bridges, it
>>> depends on whether the website is hosted on an IP range that is not
>>> blocked in Turkmenistan.
>>>
>>> ## Research and other resources
>>>
>>> If you would like to learn more about censorship in Turkmenistan,
>>> ntc.party is a great resource (posts in Russian):
>>> https://ntc.party/c/internet-censorship-all-around-the-world/turkmenistan/17
>>>
>>> And this paper (2023) about measuring Internet censorship in TM:
>>>
>>> "Measuring and Evading Turkmenistan's Internet Censorship: A Case Study
>>> in Large-Scale Measurements of a Low-Penetration Country" (Sadia Nourin,
>>> Van Tran, Xi Jiang, Kevin Bock, Nick Feamster, Nguyen Phong Hoang, Dave
>>> Levin) 2023-04-17
>>> https://arxiv.org/abs/2304.04835
>>> https://tmc.np-tokumei.net/
>>>
>>> ## Tor metrics
>>>
>>> You can follow a rough estimate of Tor usage in Turkmenistan here:
>>> - https://metrics.torproject.org/userstats-bridge-combined.html?start=2023-04-21&end=2023-07-20&country=tm
>>> - https://metrics.torproject.org/userstats-relay-country.html?start=2023-04-21&end=2023-07-20&country=tm&events=off
>>>
>>> ## torrc example
>>>
>>> BridgeRelay 1
>>> ORPort 127.0.0.1:auto
>>> AssumeReachable 1
>>> ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
>>> ServerTransportListenAddr obfs4 0.0.0.0:8080
>>> ExtORPort auto
>>> Nickname helptm
>>> ContactInfo <please-add-your-email-here>
>>> Log notice file /var/log/tor/notices.log
>>> # If you set BridgeDistribution none, please remember to email
>>> # your bridge line to us: frontdesk at torproject.org
>>> BridgeDistribution none
>>>
>>> Thank you,
>>> Gus
>>>
>>> Notes
>>>
>>> [1]
>>> https://www.rferl.org/a/turkmenistan-top-officials-fired/32507072.html
>>> https://www.reuters.com/world/asia-pacific/turkmenistan-opens-futuristic-city-dedicated-leader-2023-06-29/
>>> [2]
>>> https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40024
>>> [3]
>>> https://metrics.torproject.org/rs.html#details/A77AB4544CEB3AB8155FC5D18E69651BD31596F2
>>> [4]
>>> https://forum.torproject.org/t/call-for-testers-help-the-tor-project-to-test-conjure-on-tor-browser-alpha/7815
>>> [5]
>>> https://forum.torproject.org/t/tor-relays-announcement-webtunnel-a-new-pluggable-transport-for-bridges-now-available-for-deployment/8180
>>>
>>>
>>> On Tue, Apr 04, 2023 at 12:46:47AM -0300, gus wrote:
>>>> Hello,
>>>>
>>>> Another update:
>>>>
>>>> As it's very hard to get a vantage point in the country[1], we've asked
>>>> feedback from users to understand what works there. But, if by any chance
>>>> you have access to a machine hosted there, do let me know! You can
>>>> contact me in private. :)
>>>>
>>>> Based on user feedback, we learned that obfs4 bridges running on
>>>> residential connections + port 80, 443 or 8080 works in Turkmenistan.
>>>> Last week I asked some operators to change their bridge obfs4 port and
>>>> it worked!
>>>>
>>>> Unfortunately, users reported that censors blocked some bridges. You can
>>>> even see that on Tor Metrics graph. For example:
>>>> - https://metrics.torproject.org/rs.html#details/D1302AC19A71BED956C568AC79DF0048E61D8A2E
>>>> - https://metrics.torproject.org/rs.html#details/A811AAB7771434CE0DD4D3942173E65DEC49B962
>>>>
>>>> If you're operating these bridges and can easily rotate the IP address, please
>>>> do!
>>>>
>>>> Finally, if you want to learn more about censorship in Turkmenistan, you
>>>> can check this great presentation[2] from last year.
>>>>
>>>> Thanks for running bridges!
>>>> Gus
>>>>
>>>> [1] https://ntc.party/t/vps/2804/9
>>>> [2] https://drive.google.com/file/d/1odIO1Bi9laU-B-JZMoZFWGEwkTl95oq9/view
>>>>
>>>> On Thu, Mar 23, 2023 at 01:00:17PM -0300, gus wrote:
>>>>> Hello, just a quick update:
>>>>>
>>>>> Some friends from Turkmenistan told me that they don't think this new
>>>>> round of online censorship is related to the upcoming elections,
>>>>> because it's just a "formal" event. In general, they said, shutdowns and
>>>>> internet disruptions are motivated by other events like:
>>>>> - when Russian Duma speaker arrived in TM
>>>>> - the wedding day of the president's grandson
>>>>>
>>>>> Anyway, today we tested some of bridges that you shared with us and I replied
>>>>> back saying which ones worked and which ones didn't.
>>>>>
>>>>> Thank you for running a bridge!,
>>>>> Gus
>>>>>
>>>>> On Wed, Mar 22, 2023 at 04:25:05PM -0300, gus wrote:
>>>>>> Dear Relay operators community,
>>>>>>
>>>>>> The parliamentary elections in Turkmenistan are coming up very soon on
>>>>>> March 26th[1], and the Turkmen government has tightened internet censorship
>>>>>> and restrictions even more. In the last few months, the Anti-censorship
>>>>>> community has learned that different pluggable transports, like
>>>>>> Snowflake, and entire IP ranges, have been blocked in the country.
>>>>>> Therefore, running a bridge on popular hosting providers like Hetzner,
>>>>>> Digital Ocean, Linode, and AWS won't help as these providers' IP ranges
>>>>>> are completely blocked in Turkmenistan.
>>>>>>
>>>>>> Recently, we learned from the Anti-censorship community[2] and via Tor user
>>>>>> support channels that Tor bridges running on residential connections
>>>>>> were working fine. Although they were blocked after some days or a week,
>>>>>> these bridges received a lot of users and were very important to keep
>>>>>> Turkmens connected.
>>>>>>
>>>>>> How to help Turkmens to access the Internet
>>>>>> ===========================================
>>>>>>
>>>>>> You can help Turkmens to access the free and open internet by running an
>>>>>> obfs4 Tor bridge! But here's the trick: you need to run it on a
>>>>>> residential connection -- you won't need a static IPv4 --, and it would
>>>>>> ideally be run on more robust hardware than just a Raspberry Pi
>>>>>> (although that can help, we have found they can get overloaded).
>>>>>>
>>>>>> You can set up an obfs4 bridge by following our official guide:
>>>>>> https://community.torproject.org/relay/setup/bridge/
>>>>>>
>>>>>> After you setup a new bridge, you can share your bridge line with the
>>>>>> Tor support team at frontdesk at torproject.org, and we will share it with
>>>>>> users.
>>>>>>
>>>>>> A complete bridge line is composed of:
>>>>>>
>>>>>> IP:OBFS4_PORT FINGERPRINT cert=obfs4-certificate iat-mode=0
>>>>>>
>>>>>> Check this documentation to learn how to share your bridge line:
>>>>>> https://community.torproject.org/relay/setup/bridge/post-install/
>>>>>>
>>>>>> Just sharing your bridge fingerprint is not the best, but it's fine.
>>>>>>
>>>>>> You can read more about censorship against Tor in Turkmenistan here:
>>>>>> - https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40029
>>>>>> - Snowflake blocked:
>>>>>> https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/issues/40024
>>>>>>
>>>>>> Thank you for your support in helping to keep the internet free and open
>>>>>> for everyone.
>>>>>>
>>>>>> Gus
>>>>>>
>>>>>> [1] https://en.wikipedia.org/wiki/2023_Turkmen_parliamentary_election
>>>>>> [2] https://ntc.party/c/internet-censorship-all-around-the-world/turkmenistan/17
>>>>>> https://github.com/net4people/bbs/issues/80
>>>>>>
>>>>>> --
>>>>>> The Tor Project
>>>>>> Community Team Lead
>>>>>
>>>>>
>>>>>
>>>>>> _______________________________________________
>>>>>> tor-relays mailing list
>>>>>> tor-relays at lists.torproject.org
>>>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>>>>
>>>>>
>>>>> --
>>>>> The Tor Project
>>>>> Community Team Lead
>>>>
>>>>
>>>>
>>>> --
>>>> The Tor Project
>>>> Community Team Lead
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> tor-relays mailing list
>>> tor-relays at lists.torproject.org
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
More information about the tor-relays
mailing list