Tor obfs4 bridge
By design, the IP addresses of Tor relays are public. That is also one of the ways governments or ISPs block Tor: by blocklisting the addresses of the public Tor nodes. Tor bridges are relays that are not listed in the public Tor directory, which makes them harder to block. On top of that, a bridge can run a pluggable transport; here we use obfs4, which adds a layer of obfuscation so that the connection to the bridge does not look like Tor traffic.
USE WITH CAUTION - For this guide to work properly, you will need to open two ports that are reachable from the outside.
Difficulty: Medium
Requirements
Preparations
Install dependencies
obfs4 makes Tor traffic look like random bytes and also prevents censors from finding bridges by scanning the Internet: an obfs4 listener does not answer a probe from a client that does not know the bridge's certificate. Keeping the host patched matters as much as the transport itself; enabling automatic security updates is covered in the Extras section.
Logged in as the admin user, install the obfs4proxy package
Installation
Ensure the Tor daemon is installed on your system
Example of expected output:
If the command returns no output, Tor is not installed: follow the Privacy section to install it
Configuration
Still logged in as the admin user, edit the torrc configuration file
Add the following lines at the end of the file. Two ports are used: <TODO1> for the ORPort and <TODO2> for the obfs4 listener. They must be different, and the Tor Project advises against 9001 for the obfs4 port because it is commonly associated with Tor and censors scan for it. Replace both, then save and exit.
Don't forget to change the ORPort <TODO1>, ServerTransportListenAddr <TODO2>, ContactInfo <YourContactEmail> and Nickname <PickANickname> options.
By default, Tor advertises your bridge to users through the Tor Project's bridge distributors. If you want to run a private bridge, for example one whose address you hand out to your friends yourself, add a BridgeDistribution line at the end of the torrc file:
Currently valid, recognized values are: none | any | https | email | moat
If you don't specify this line, the default is "any", which leaves the choice of distribution method to the Tor Project's bridge distributor; "none" keeps the bridge out of all of them.
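The following is an added example, not a snippet from the original guide: a small shell script that checks the two port numbers and the nickname and prints the torrc fragment described in this section, including the BridgeDistribution line. The option names and the obfs4proxy path /usr/bin/obfs4proxy are the standard ones on Debian-based systems; the function names and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: validate the two ports and print the
# torrc fragment for an obfs4 bridge. Function names and sample values are illustrative.

# is_port N: true if N is an integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_ports ORPORT OBFS4PORT: the checks worth doing before touching torrc.
check_ports() {
    is_port "$1" || { echo "ORPort '$1' is not a valid port" >&2; return 1; }
    is_port "$2" || { echo "obfs4 port '$2' is not a valid port" >&2; return 1; }
    # Each listener needs its own port.
    [ "$1" != "$2" ] || { echo "ORPort and obfs4 port must differ" >&2; return 1; }
    # 9001 is the well-known Tor port; the Tor Project advises against it for obfs4
    # because censors scan the Internet for it.
    [ "$2" != 9001 ] || { echo "obfs4 port 9001 is commonly associated with Tor; pick another" >&2; return 1; }
}

# bridge_torrc ORPORT OBFS4PORT NICKNAME CONTACT [DISTRIBUTION]
# DISTRIBUTION is the BridgeDistribution value: none, any (Tor's default), https,
# email or moat. Prints the fragment on stdout; returns 1 on invalid input.
bridge_torrc() {
    check_ports "$1" "$2" || return 1
    # Tor nicknames are 1 to 19 alphanumeric characters.
    echo "$3" | grep -Eq '^[A-Za-z0-9]{1,19}$' \
        || { echo "nickname '$3' must be 1-19 alphanumeric characters" >&2; return 1; }
    dist="${5:-any}"
    case "$dist" in
        none|any|https|email|moat) ;;
        *) echo "unknown BridgeDistribution value '$dist'" >&2; return 1 ;;
    esac
    cat <<EOF
# obfs4 bridge
BridgeRelay 1
ORPort $1
ExtORPort auto
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:$2
ContactInfo $4
Nickname $3
BridgeDistribution $dist
EOF
}

# Usage with sample values (append to /etc/tor/torrc, then restart tor):
#   bridge_torrc 9998 9999 MyObfs4Bridge you@example.org none | sudo tee -a /etc/tor/torrc
```

ExtORPort auto is what lets obfs4proxy hand connections to Tor and is required for the transport to work; the script emits it together with the lines this section asks you to edit.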
Configure Firewall & Router
Configure the firewall to allow incoming TCP connections to the ports <TODO1> and <TODO2> configured in the previous section
Note that both Tor's OR port and its obfs4 port must be reachable from outside.
If your bridge is behind a NAT, make sure to open both ports. See portforward.com for directions on how to port forward with your NAT/router device.
You can use the Tor Project's bridge reachability test to check whether your obfs4 port <TODO2> is reachable from the Internet.
On that page, enter your public IP address (obtain it on the node with curl icanhazip.com, or by visiting icanhazip.com with a regular browser on a computer in the same local network) together with your obfs4 port <TODO2>.
Systemd hardening
To work around systemd hardening, you also need to relax one setting in the Tor service units. Edit the tor@default.service unit file
Change "NoNewPrivileges=yes" to "NoNewPrivileges=no". Save and exit
Do the same in the "[email protected]" unit file: change "NoNewPrivileges=yes" to "NoNewPrivileges=no". Save and exit
Note that these packaged unit files can be overwritten when the tor package is upgraded, so check the setting again after an upgrade if the bridge stops working.
Reload systemd manager configuration to apply service changes
Restart Tor to apply changes
Testing
Follow the Tor logs in the systemd journal. Press Ctrl-C to exit
Verify that your relay works: if the log contains the entry "Self-testing indicates your ORPort <address:port> is reachable from the outside. Excellent." after the Tor daemon starts, your bridge is up and running as expected
About 3 hours after you start your relay, it should appear on Relay Search on the Metrics portal, where you can monitor your obfs4 bridge's usage. Since a bridge's IP address is not published, search by nickname or, more reliably, enter your bridge's "HASHED FINGERPRINT" in the form and click on "Search"
Ensure that the Tor daemon and the obfs4proxy process are listening on the ports you selected
Example of expected output:
If you want to connect to your bridge manually, you will need the bridge's obfs4 certificate. Open the "obfs4_bridgeline.txt" file written by obfs4proxy (on Debian-based systems it is under /var/lib/tor/pt_state/) to obtain your bridge line
Paste the entire bridge line into your Tor Browser. Leave out the leading "Bridge" word, which Tor Browser for Android does not accept
You'll need to replace "IP ADDRESS", "PORT" and "FINGERPRINT" with the actual values, which you can find in the Tor log. Make sure that "PORT" is the obfs4 port <TODO2>, not the ORPort <TODO1>, and that you use the "FINGERPRINT" from the identity key line, not the "HASHED FINGERPRINT"
More information on connecting Tor Browser to your own bridge is in the "ENTERING BRIDGE ADDRESSES" section of the Tor Browser manual
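Added example, not from the original guide: a shell function that fills in the placeholders of the bridge line from obfs4_bridgeline.txt and applies the checks just described (numeric port, 40-hex fingerprint, no placeholder left over, optional removal of the "Bridge" keyword for Android). The file layout reproduced below is the one obfs4proxy writes; the sample file, the IP address, port, fingerprint and cert values are constructed, and the function name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original guide: fill in the placeholders of the bridge
# line that obfs4proxy writes, with the checks described above. The sample file is
# constructed and the cert is a dummy; on Debian the real file is
# /var/lib/tor/pt_state/obfs4_bridgeline.txt.

SAMPLE_CERT=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SAMPLE_BRIDGELINE_FILE=$(mktemp)
cat > "$SAMPLE_BRIDGELINE_FILE" <<EOF
# obfs4 torrc client bridge line
#
# Before distributing this Bridge, edit the placeholder fields
# to contain the actual values:
#  <IP ADDRESS>  - The public IP Address of your obfs4 bridge.
#  <PORT>        - The TCP/IP port of your obfs4 bridge.
#  <FINGERPRINT> - The bridge's fingerprint.

Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=$SAMPLE_CERT iat-mode=0
EOF

# make_bridge_line FILE IP OBFS4PORT FINGERPRINT [android]
# FINGERPRINT is the 40-hex value from the log line "Your Tor server's identity key
# fingerprint is ...", not from the "hashed identity key fingerprint" line; both are
# 40 hex characters, so only the format can be checked here. IP:OBFS4PORT must be the
# public address and the obfs4 port (<TODO2>), not the ORPort. A fifth argument drops
# the leading "Bridge " keyword, as needed for Tor Browser on Android.
make_bridge_line() {
    line=$(grep '^Bridge obfs4 ' "$1" | tail -n 1)
    [ -n "$line" ] || { echo "no 'Bridge obfs4' line in $1" >&2; return 1; }
    case "$3" in ''|*[!0-9]*) echo "port '$3' is not numeric" >&2; return 1 ;; esac
    echo "$4" | grep -Eq '^[0-9A-Fa-f]{40}$' \
        || { echo "fingerprint must be 40 hex characters" >&2; return 1; }
    out=$(printf '%s\n' "$line" \
        | sed -e "s/<IP ADDRESS>/$2/" -e "s/<PORT>/$3/" -e "s/<FINGERPRINT>/$4/")
    # Anything still in angle brackets means a placeholder was not replaced.
    case "$out" in *'<'*'>'*) echo "placeholder left in: $out" >&2; return 1 ;; esac
    [ -z "$5" ] || out="${out#Bridge }"
    printf '%s\n' "$out"
}

# Usage (sample values; use your own file, public IP, obfs4 port and fingerprint):
#   make_bridge_line /var/lib/tor/pt_state/obfs4_bridgeline.txt 203.0.113.7 9999 \
#       0123456789ABCDEF0123456789ABCDEF01234567 android
```

The function cannot tell the identity fingerprint from the hashed one, since both are 40 hex characters; copy it from the "identity key fingerprint" log line, and use the hashed one only for Relay Search.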
Extras (optional)
Enable automatic software updates
One of the most important things to keep your relay secure is to install security updates in a timely fashion, ideally automatically, so you cannot forget about them. Follow the instructions to enable automatic software updates for your operating system.
Install dependencies
Edit the next file and add the following lines at the end of it. Save and exit
(Optional) If you want the system to reboot automatically when an update requires it, add the following line at the end of the file
You can test your unattended-upgrades setup with the following command
To see the debug output without changing anything, use
Install Nyx
Nyx is a command-line monitor for Tor. With this, you can get detailed real-time information about your relays such as bandwidth usage, connections, logs, and much more.
With the admin user, install the package
Add the admin user to the debian-tor group
The assigned group becomes active only in a new user session. Log out from SSH
Log in again as the admin user -> ssh admin@<your node's address>
Execute Nyx
Press the right -> navigation key to navigate to page 2/5 to show the traffic of your Tor instance
Press the "q" key twice to exit
Add bridge to Tor daemon
Sometimes your ISP, your company's network, your country, etc. may be censoring access to Tor and, with it, the proper functioning of RaMiX. Pointing the node's Tor daemon at a bridge gets around that.
Visit the Tor Project's bridge distribution website and complete the captcha to get bridges. Each of the 3 lines you receive is one bridge; use them in the torrc configuration below:
On the RaMiX node, as the admin user, install the obfs4proxy package
Edit the torrc file
Add the next lines at the end of the file
Add one Bridge line per bridge you want to use, replacing <IP_ADDRESS>, <PORT>, <FINGERPRINT> and <CERTIFICATE> with the values obtained before
Restart Tor to apply changes
Monitor tor logs to ensure all is correct
Example output:
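Added example, not from the original guide, covering the torrc edit in this section: a shell function that takes the lines copied from the bridge distribution website (with or without the leading "Bridge" keyword), validates each one and prints the UseBridges, ClientTransportPlugin and Bridge lines to append to torrc. The sample bridge lines are constructed (documentation addresses, made-up fingerprints and certs); the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: build the client-side torrc block from
# the bridge lines handed out by the Tor Project's bridge distributor. The sample
# lines are constructed (documentation addresses, made-up fingerprints and certs).

SAMPLE_BRIDGES='obfs4 203.0.113.10:443 0123456789ABCDEF0123456789ABCDEF01234567 cert=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA iat-mode=0

Bridge obfs4 198.51.100.7:9999 89ABCDEF0123456789ABCDEF0123456789ABCDEF cert=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB iat-mode=0
obfs4 [2001:db8::5]:8443 FEDCBA9876543210FEDCBA9876543210FEDCBA98 cert=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC iat-mode=0'

# check_bridge_line LINE: true if LINE looks like "obfs4 ADDR:PORT FINGERPRINT cert=...".
# The address check is deliberately loose (IPv4 or bracketed IPv6); the fingerprint
# must be 40 hex characters and a cert= field must be present, since obfs4 cannot
# connect without it.
check_bridge_line() {
    set -- $1
    [ "$1" = obfs4 ] || return 1
    echo "$2" | grep -Eq '^[][0-9a-fA-F.:]+:[0-9]+$' || return 1
    echo "$3" | grep -Eq '^[0-9A-Fa-f]{40}$' || return 1
    case "$4" in cert=?*) ;; *) return 1 ;; esac
}

# client_torrc: reads bridge lines on stdin (with or without the leading "Bridge"
# keyword) and prints the torrc block. Unparseable lines are reported on stderr and
# skipped; the function fails if no usable bridge was found.
client_torrc() {
    n=0
    printf 'UseBridges 1\nClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy\n'
    while IFS= read -r raw; do
        line="${raw#Bridge }"
        [ -n "$line" ] || continue
        if check_bridge_line "$line"; then
            printf 'Bridge %s\n' "$line"
            n=$((n + 1))
        else
            echo "skipping unparseable bridge line: $raw" >&2
        fi
    done
    [ "$n" -gt 0 ]
}

# Usage (append to /etc/tor/torrc on the RaMiX node, then restart tor):
#   printf '%s\n' "$SAMPLE_BRIDGES" | client_torrc | sudo tee -a /etc/tor/torrc
```

In torrc every bridge needs the "Bridge" keyword, so the function adds it back even when the pasted line was the Android-style one without it.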
Upgrade
To upgrade simply use apt by typing this command
Uninstall
Uninstall obfs4 proxy
Uninstall obfs4proxy software
Uninstall Tor configuration
Revert the "torrc" configuration by commenting out the lines added earlier. Save and exit
Uninstall FW configuration and router NAT
Display the UFW firewall rules and note the numbers of the rules added for the Tor bridge (e.g. W, X, Y and Z in the output below)
Expected output:
Delete each rule by its number and confirm with "yes". Start with the highest-numbered rule: ufw renumbers the remaining rules after every deletion, so deleting from the top down would invalidate the numbers you noted
Check that the rules were updated correctly
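Added example, not from the original guide, covering both the Configure Firewall & Router step and this uninstall step: the ufw allow commands for the two bridge ports, and a parser for the output of "ufw status numbered" that prints the matching delete commands highest number first. The status listing is constructed; the function names and the rule comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: the ufw commands for the two bridge
# ports, and a parser for "ufw status numbered" that emits the matching delete
# commands highest number first. The status output below is constructed; ufw
# renumbers rules after each deletion, which is why the order matters.

SAMPLE_UFW_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                   # SSH
[ 2] 9998/tcp                   ALLOW IN    Anywhere                   # Tor ORPort
[ 3] 9999/tcp                   ALLOW IN    Anywhere                   # Tor obfs4
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)              # SSH
[ 5] 9998/tcp (v6)              ALLOW IN    Anywhere (v6)              # Tor ORPort
[ 6] 9999/tcp (v6)              ALLOW IN    Anywhere (v6)              # Tor obfs4'

# ufw_allow_cmds ORPORT OBFS4PORT: prints the two allow rules. The comments make the
# rules easy to recognise later in "ufw status numbered".
ufw_allow_cmds() {
    echo "sudo ufw allow $1/tcp comment 'Tor ORPort'"
    echo "sudo ufw allow $2/tcp comment 'Tor obfs4'"
}

# ufw_delete_cmds PORT...: reads "ufw status numbered" on stdin and prints
# "sudo ufw delete N" for every rule whose To column is PORT/tcp, in descending
# order of N (v4 and v6 rules both match). Each delete prompts for confirmation;
# add --force to skip the prompt.
ufw_delete_cmds() {
    ports=" $* "
    while IFS= read -r line; do
        case "$line" in '['*']'*) ;; *) continue ;; esac   # numbered rule lines only
        num=${line#[[]}; num=${num%%]*}; num=$(echo $num)   # "[ 5]" -> "5"
        set -- ${line#*]}                                    # $1 is the To column
        case "$ports" in *" ${1%/tcp} "*) echo "$num" ;; esac
    done | sort -rn | sed 's/^/sudo ufw delete /'
}

# Usage:
#   ufw_allow_cmds 9998 9999                                # when setting the bridge up
#   sudo ufw status numbered | ufw_delete_cmds 9998 9999    # review, then run the output
```

Review the generated delete commands before running them: the match is on the port column only, so a rule for the same port that you added for another service would be listed too.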
Revert the router NAT configuration by following the previous Configure Firewall & Router step, this time removing the port forwarding entries
Uninstall systemd hardening
Revert the "systemd hardening" change in the service unit files. Edit the tor@default.service unit file
Change "NoNewPrivileges=no" to "NoNewPrivileges=yes". Save and exit
Do the same in the "[email protected]" unit file: change "NoNewPrivileges=no" to "NoNewPrivileges=yes". Save and exit
Reload systemd manager configuration to apply the service changes
Port reference