Tor obfs4 bridge

The design of the Tor network means that the IP addresses of Tor relays are public. One of the ways governments or ISPs block Tor is by blocklisting the IP addresses of these public Tor nodes. Tor Bridges are nodes that are not listed in the public Tor directory, which makes them harder for ISPs and governments to block. We are going to run a bridge with a pluggable transport called obfs4, which addresses this further by adding a layer of obfuscation on top of the Tor traffic.

USE WITH CAUTION - For this guide to work properly, you will need to open ports that are reachable from outside

Difficulty: Medium

Requirements

Preparations

Install dependencies

obfs4 makes Tor traffic look random and also prevents censors from finding bridges by scanning the Internet. One of the most important things to keep your relay secure is to install security updates promptly, ideally automatically; the Extras section below covers that.

  • Ensure you are logged in with the user admin and install obfs4 proxy

$ sudo apt install obfs4proxy

Installation

  • Ensure you have Tor daemon installed in your system

$ tor --version

Example of expected output:

> Tor version 0.4.7.10.
[...]

If you get no output, follow the Privacy section to install it

Configuration

  • Stay logged in with admin user, edit the torrc config file

$ sudo nano /etc/tor/torrc
  • Add the following lines at the end of the file. We will use two ports, <TODO1> and <TODO2>; make sure you replace them. Save and exit

BridgeRelay 1
ExtORPort auto
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy

ORPort <TODO1> IPv4Only
ServerTransportListenAddr obfs4 0.0.0.0:<TODO2>

ContactInfo <address@email.com>
Nickname <PickANickname>
💡 <TODO1> ⬇️
Replace <TODO1> with a Tor port of your choice >1024. Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
💡 <TODO2> ⬇️
Replace <TODO2> with an obfs4 port of your choice. This port must be externally reachable and must be different from the one specified for ORPort <TODO1>. Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
💡 ContactInfo ⬇️
Replace <address@email.com> with your email address so the Tor Project can contact you if there are problems with your bridge. This line can be used to contact you if your relay or bridge is misconfigured or something else goes wrong. Note that the Tor Project archives and publishes all descriptors containing these lines and that Google indexes them, so spammers might also collect them. You may want to obscure the fact that it's an email address and/or generate a new address for this purpose, e.g. ContactInfo Random Person <nobody AT example dot com>. You might also include your PGP or GPG fingerprint if you have one. This is optional but encouraged.
💡 Nickname ⬇️
Replace <PickANickname> with a nickname that you like for your bridge. Nicknames must be between 1 and 19 characters inclusive and must contain only the characters [a-zA-Z0-9]. This is optional.

Don't forget to change the ORPort <TODO1>, ServerTransportListenAddr <TODO2>, ContactInfo <address@email.com>, and Nickname <PickANickname> options.

By default, Tor will advertise your bridge to users through various mechanisms. If instead you want to run a private bridge, for example one whose address you hand out manually to your friends, add the next line at the end of the torrc file:

BridgeDistribution none

Currently valid, recognized options are: none | any | https | email | moat

If you don't specify this line, the default is any, which leaves it to the bridge distributor to hand out your bridge through whichever method it sees fit
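As an added example (not part of the MiniBolt guide), the shell functions below check the values this section asks you to choose before they go into torrc: both ports must be above 1024, neither may be 9001, they must differ from each other, the nickname must match [a-zA-Z0-9] and be 1 to 19 characters long, and BridgeDistribution must be one of the recognised values. The function names are my own and the sample values in the comments (4433, 8443, MyBridge) are constructed.

```shell
#!/bin/sh
# Added example, not part of the MiniBolt guide: validate the values this
# section asks for and print the torrc block with them filled in.
# Sample values used in comments (4433, 8443, MyBridge) are constructed.

# valid_port PORT [OTHER_PORT]
# Returns 0 when PORT is a number in 1025..65535, is not 9001 and differs
# from OTHER_PORT; otherwise prints the reason to stderr and returns 1.
valid_port() {
    port="$1"; other="$2"
    case "$port" in
        ''|*[!0-9]*) echo "port '$port' is not a number" >&2; return 1 ;;
    esac
    if [ "$port" -le 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port $port must be >1024 and <=65535" >&2; return 1
    fi
    if [ "$port" -eq 9001 ]; then
        echo "port 9001 is commonly scanned for Tor, pick another one" >&2; return 1
    fi
    if [ -n "$other" ] && [ "$port" -eq "$other" ]; then
        echo "OR port and obfs4 port must be different" >&2; return 1
    fi
    return 0
}

# valid_nickname NICK: 1 to 19 characters, only [a-zA-Z0-9].
valid_nickname() {
    nick="$1"
    case "$nick" in
        '') return 1 ;;
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#nick}" -le 19 ]
}

# bridge_torrc_block OR_PORT OBFS4_PORT NICKNAME CONTACT [DISTRIBUTION]
# Prints the lines the guide appends to /etc/tor/torrc, or prints nothing
# and returns 1 if any input fails validation. DISTRIBUTION defaults to
# "any", which is also Tor's default when the line is absent.
bridge_torrc_block() {
    or_port="$1"; obfs4_port="$2"; nick="$3"; contact="$4"; dist="${5:-any}"
    valid_port "$or_port" || return 1
    valid_port "$obfs4_port" "$or_port" || return 1
    valid_nickname "$nick" || { echo "nickname '$nick' is invalid" >&2; return 1; }
    case "$dist" in
        none|any|https|email|moat) ;;
        *) echo "BridgeDistribution must be none, any, https, email or moat" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "BridgeRelay 1" \
        "ExtORPort auto" \
        "ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy" \
        "" \
        "ORPort $or_port IPv4Only" \
        "ServerTransportListenAddr obfs4 0.0.0.0:$obfs4_port" \
        "" \
        "ContactInfo $contact" \
        "Nickname $nick" \
        "BridgeDistribution $dist"
}

# Usage on the node (constructed values), appending the block to torrc:
#   bridge_torrc_block 4433 8443 MyBridge 'Random Person <nobody AT example dot com>' none \
#       | sudo tee -a /etc/tor/torrc
```

Because the function prints nothing and returns non-zero when a value is rejected, nothing reaches torrc on a mistake such as reusing the OR port for obfs4 or picking a nickname with a hyphen; Tor would otherwise refuse to start or, worse, start with a configuration you did not intend.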

Configure Firewall & Router

  • Configure the firewall to allow incoming connections on the ports <TODO1> and <TODO2> you configured in the previous section

$ sudo ufw allow <TODO1>/tcp comment 'allow OR port Tor bridge from anywhere'
$ sudo ufw allow <TODO2>/tcp comment 'allow obfs4 port Tor bridge from anywhere'

Note that both Tor's OR port and its obfs4 port must be reachable from outside.

If your bridge is behind a NAT, make sure to open both ports. See portforward.com for directions on how to port forward with your NAT/router device.

You can use the Tor Project's reachability test to see if your obfs4 port <TODO2> is reachable from the Internet.

On that website, enter your public "IP ADDRESS" (obtained with $ curl icanhazip.com, or by visiting icanhazip.com with your regular browser from a personal computer on the same local network) together with your <TODO2> port.

Systemd hardening

  • To work around systemd hardening, you also need to relax the Tor service units so obfs4proxy can run; edit the following files

$ sudo nano /lib/systemd/system/tor@default.service
  • Change "NoNewPrivileges=yes" to "NoNewPrivileges=no". Save and exit

# Hardening
NoNewPrivileges=no
$ sudo nano /lib/systemd/system/tor@.service
  • Change "NoNewPrivileges=yes" to "NoNewPrivileges=no". Save and exit

# Hardening
NoNewPrivileges=no
  • Reload systemd manager configuration to apply service changes

$ sudo systemctl daemon-reload
  • Restart Tor to apply changes

$ sudo systemctl restart tor
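The guide edits the unit files under /lib directly. Those files belong to the tor package and are replaced when the package is upgraded, which silently puts NoNewPrivileges=yes back and breaks obfs4proxy again. As an added example, not part of the MiniBolt guide, the functions below make the same change as a systemd drop-in under /etc, which survives upgrades, and report which value is in effect. The function names are my own; the ROOT argument is a hypothetical prefix that lets the functions run against a scratch directory ("" means the real system).

```shell
#!/bin/sh
# Added example, not part of the MiniBolt guide: make the NoNewPrivileges=no
# change as a systemd drop-in under /etc instead of editing the packaged
# unit files under /lib, so a tor package upgrade does not overwrite it.
# Function names are my own; ROOT lets the functions run against a scratch
# directory for testing ("" means the real system).

# write_nnp_override ROOT UNIT VALUE
# Writes ROOT/etc/systemd/system/UNIT.d/override.conf containing
# [Service] NoNewPrivileges=VALUE. VALUE must be "yes" or "no".
write_nnp_override() {
    root="$1"; unit="$2"; value="$3"
    case "$value" in
        yes|no) ;;
        *) echo "NoNewPrivileges must be yes or no, got '$value'" >&2; return 1 ;;
    esac
    dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dir" || return 1
    printf '[Service]\nNoNewPrivileges=%s\n' "$value" > "$dir/override.conf"
}

# effective_nnp ROOT UNIT
# Prints the NoNewPrivileges value systemd would apply: the drop-in wins
# over the packaged unit file; prints "unset" if neither sets it.
effective_nnp() {
    root="$1"; unit="$2"
    for f in "$root/etc/systemd/system/$unit.d/override.conf" \
             "$root/lib/systemd/system/$unit"; do
        if [ -r "$f" ]; then
            v=$(sed -n 's/^NoNewPrivileges=//p' "$f" | tail -n 1)
            if [ -n "$v" ]; then
                echo "$v"
                return 0
            fi
        fi
    done
    echo "unset"
}

# tor_bridge_nnp ROOT VALUE
# Applies the setting to both units the guide edits.
tor_bridge_nnp() {
    write_nnp_override "$1" "tor@default.service" "$2" &&
    write_nnp_override "$1" "tor@.service" "$2"
}

# On the node, run tor_bridge_nnp "" no as root, then:
#   sudo systemctl daemon-reload && sudo systemctl restart tor
#   systemctl show -p NoNewPrivileges tor@default.service   # expect NoNewPrivileges=no
# To revert, delete the two .d directories and run daemon-reload again.
```

The uninstall section at the end of this guide then becomes simpler: instead of editing the two unit files back, remove the two override directories and reload systemd.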

Testing

  • Check the systemd journal for Tor's log output from the last hour. Press Ctrl-C to exit

$ journalctl -f -u tor@default --since '1 hour ago'
  • Verify that your relay works: if your log contains the following entries after starting the Tor daemon, your relay should be up and running as expected

> [...]
> Your Tor server's identity key fingerprint is '<YourNickname> <FINGERPRINT>'
> Your Tor bridge's hashed identity key fingerprint is '<YourNickname> <HASHED FINGERPRINT>'
> Your Tor server's identity key ed25519 fingerprint is '<YourNickname> <KEY ED25519 FINGERPRINT>'
> You can check the status of your bridge relay at https://bridges.torproject.org/status?id=<HASHED FINGERPRINT>
> [...]
> Now checking whether IPv4 ORPort <IP ADDRESS:<TODO1>> is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
> Self-testing indicates your ORPort <IP ADDRESS:<TODO1>> is reachable from the outside. Excellent. Publishing server descriptor.
> Performing bandwidth self-test...done
> [...]

About 3 hours after you start your relay, it should appear on Relay Search on the Metrics portal. You can search for your relay using your nickname or IP address, and you can monitor your obfs4 bridge's usage there: just enter your bridge's "HASHED FINGERPRINT" in the form and click on "Search"

  • If you want to connect to your bridge manually, you will need to know the bridge's obfs4 certificate. Open the file "obfs4_bridgeline.txt" to obtain your bridge info

$ sudo grep Bridge /var/lib/tor/pt_state/obfs4_bridgeline.txt
  • Paste the following complete bridge line into your Tor Browser

Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=<CERTIFICATE> iat-mode=0

Remember to leave out the word "Bridge" to avoid incompatibility with the Android version of Tor Browser

You'll need to replace "IP ADDRESS", "PORT", and "FINGERPRINT" with the actual values, which you can find in the Tor log. Make sure that "PORT" is the obfs4 port <TODO2>, not <TODO1>, and that you use "FINGERPRINT", not "HASHED FINGERPRINT"

More information on connecting Tor Browser to your own Tor bridge is on this website, in the "ENTERING BRIDGE ADDRESSES" section
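The two mistakes the text warns about (pasting the OR port instead of the obfs4 port, and the hashed fingerprint instead of the real one) are easy to make by hand. As an added example, not code from the MiniBolt guide, the functions below take the fingerprint straight from the log line that carries the unhashed value, fill in the template line from obfs4_bridgeline.txt, and refuse to produce a line whose port equals the OR port. Function names are my own; the files written by write_sample_files are constructed stand-ins for the real bridgeline file and journal output, including a fake cert value and fake fingerprints.

```shell
#!/bin/sh
# Added example, not part of the MiniBolt guide: build the client bridge
# line from the template in /var/lib/tor/pt_state/obfs4_bridgeline.txt and
# the fingerprint in tor's log, guarding against the two mistakes the
# guide warns about (using the OR port, using the hashed fingerprint).
# Function names are my own; write_sample_files creates constructed
# stand-ins, including the fake cert and fingerprints.

# fingerprint_from_log LOG
# Prints the unhashed identity key fingerprint, taken only from the line
# "Your Tor server's identity key fingerprint is '<nick> <fp>'". The
# "hashed identity key" and "ed25519" lines do not match the pattern.
fingerprint_from_log() {
    sed -n "s/.*Tor server's identity key fingerprint is '[^ ]* \([0-9A-F]\{40\}\)'.*/\1/p" "$1" \
        | head -n 1
}

# fill_bridge_line FILE IP OBFS4_PORT FINGERPRINT [OR_PORT] [android]
# Reads the "Bridge obfs4 ..." template from FILE, fills in the three
# placeholders and prints the line. Returns 1 if the fingerprint is not
# 40 hex characters or if OBFS4_PORT equals OR_PORT. With "android" as
# the last argument the leading "Bridge " word is dropped, as the guide
# recommends for Tor Browser on Android.
fill_bridge_line() {
    file="$1"; ip="$2"; port="$3"; fp="$4"; or_port="$5"; flavour="$6"
    tmpl=$(grep '^Bridge obfs4 ' "$file" | head -n 1)
    [ -n "$tmpl" ] || { echo "no Bridge line found in $file" >&2; return 1; }
    case "$fp" in
        ''|*[!0-9A-Fa-f]*) echo "fingerprint must be hexadecimal" >&2; return 1 ;;
    esac
    [ "${#fp}" -eq 40 ] || { echo "fingerprint must be 40 hex characters" >&2; return 1; }
    if [ -n "$or_port" ] && [ "$port" = "$or_port" ]; then
        echo "PORT must be the obfs4 port, not the OR port" >&2; return 1
    fi
    line=$(printf '%s\n' "$tmpl" | sed \
        -e "s/<IP ADDRESS>/$ip/" -e "s/<PORT>/$port/" -e "s/<FINGERPRINT>/$fp/")
    if [ "$flavour" = android ]; then
        line=${line#"Bridge "}
    fi
    printf '%s\n' "$line"
}

# write_sample_files DIR
# Constructed stand-ins for /var/lib/tor/pt_state/obfs4_bridgeline.txt and
# the journalctl output; the cert and fingerprints are not real.
write_sample_files() {
    cat > "$1/obfs4_bridgeline.txt" <<'EOF'
# obfs4 torrc client bridge line (constructed sample, not a real bridge)
Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=CONSTRUCTED_CERT_VALUE_NOT_A_REAL_CERT iat-mode=0
EOF
    cat > "$1/tor.log" <<'EOF'
Jan 01 00:00:00 host Tor[123]: Your Tor server's identity key fingerprint is 'MyBridge 0123456789ABCDEF0123456789ABCDEF01234567'
Jan 01 00:00:00 host Tor[123]: Your Tor bridge's hashed identity key fingerprint is 'MyBridge FEDCBA9876543210FEDCBA9876543210FEDCBA98'
Jan 01 00:00:00 host Tor[123]: Your Tor server's identity key ed25519 fingerprint is 'MyBridge CONSTRUCTEDed25519valueNotReal'
EOF
}

# Usage on the node (constructed public IP 203.0.113.10, obfs4 port 8443,
# OR port 4433), with the journal saved to a file first:
#   journalctl -u tor@default --no-pager > /tmp/tor.log
#   fp=$(fingerprint_from_log /tmp/tor.log)
#   sudo cp /var/lib/tor/pt_state/obfs4_bridgeline.txt /tmp/bl.txt
#   fill_bridge_line /tmp/bl.txt 203.0.113.10 8443 "$fp" 4433 android
```

Passing the OR port as the fifth argument is what turns the guide's "use <TODO2>, not <TODO1>" warning into a check; without it the function cannot tell the two ports apart, since both are plain numbers.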

Extras (optional)

Enable automatic software updates

One of the most important things to keep your relay secure is to install security updates promptly, ideally automatically so you cannot forget about them. Follow the instructions below to enable automatic software updates for your operating system.

  • Install dependencies

$ sudo apt install unattended-upgrades apt-listchanges
  • Edit the following file and add these lines at the end of it. Save and exit

$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=TorProject";
};
Unattended-Upgrade::Package-Blacklist {
};
  • (Optional) If you want the system to reboot automatically after updates, add the following at the end of the file

Unattended-Upgrade::Automatic-Reboot "true";
  • You can test your unattended-upgrades setup with the following command

$ unattended-upgrade --debug
  • If you just want to see the debug output but don't change anything use

$ unattended-upgrade --debug --dry-run

Install Nyx

Nyx is a command-line monitor for Tor. With this, you can get detailed real-time information about your relays such as bandwidth usage, connections, logs, and much more.

  • With user admin, install the package

$ sudo apt install nyx
  • Add the user admin to the debian-tor group

$ sudo adduser admin debian-tor
  • The new group membership only takes effect in a new user session. Log out from SSH, log back in, and then start Nyx

$ exit
$ nyx
  • Press the right arrow (->) navigation key to go to page 2/5, which shows the traffic of your Tor instance

  • Press "q" key 2 times to exit

Add bridge to Tor daemon

In some circumstances your ISP, your company's network, or your country could be censoring your access to Tor, and with it the proper functioning of MiniBolt.

Visit this website and complete the captcha to get bridges. Select one of the 3 lines and use it in the torrc configuration below:

  • On the MiniBolt node, with the user admin, install the obfs4 proxy

$ sudo apt install obfs4proxy
  • Edit the torrc file

$ sudo nano /etc/tor/torrc
  • Add the next lines at the end of the file

ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
UseBridges 1
Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=<CERTIFICATE> iat-mode=0

Add as many Bridge lines as you wish, replacing <IP ADDRESS>, <PORT>, <FINGERPRINT>, and <CERTIFICATE> with the values obtained before

  • Restart Tor to apply changes

$ sudo systemctl restart tor
  • Monitor the Tor logs to ensure everything is correct

$ journalctl -fu tor@default

Example output:

Upgrade

  • To upgrade, simply use apt by typing this command

$ sudo apt update && sudo apt upgrade

Uninstall

Uninstall obfs4 proxy

  • Uninstall obfs4proxy software

$ sudo apt autoremove obfs4proxy --purge

Uninstall Tor configuration

  • Revert the "torrc" configuration by commenting out the previously added lines, including ORPort: if ORPort stays set while BridgeRelay is commented out, Tor would run as a public relay rather than a bridge. Save and exit

$ sudo nano /etc/tor/torrc
#BridgeRelay 1
#ContactInfo <address@email.com>
#Nickname <PickANickname>
#ExtORPort auto
#ORPort <TODO1> IPv4Only
#ServerTransportListenAddr obfs4 0.0.0.0:<TODO2>
#ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
#BridgeDistribution none

Uninstall FW configuration and router NAT

  • Display the UFW firewall rules and note the numbers of the rules for the Tor bridge (e.g. W, X, Y, and Z below)

$ sudo ufw status numbered

Expected output:

> [...]
> [W] <TODO1>           ALLOW IN    Anywhere           # allow OR port Tor bridge from anywhere
> [X] <TODO1> (v6)      ALLOW IN    Anywhere (v6)      # allow OR port Tor bridge from anywhere
> [Y] <TODO2>           ALLOW IN    Anywhere           # allow obfs4 port Tor bridge from anywhere
> [Z] <TODO2> (v6)      ALLOW IN    Anywhere (v6)      # allow obfs4 port Tor bridge from anywhere
  • Delete each rule by its number and confirm with "yes". UFW renumbers the remaining rules after every deletion, so delete the highest-numbered rule first or re-run the numbered status command between deletions

$ sudo ufw delete X
  • Check that the rules were updated correctly

$ sudo ufw status verbose

Revert the router NAT configuration by following the same Configure Firewall & Router step as before, this time deleting the port forwarding entries

Uninstall systemd hardening

  • Revert the "systemd hardening" changes in the service unit files by editing the following files

$ sudo nano /lib/systemd/system/tor@default.service
  • Change "NoNewPrivileges=no" to "NoNewPrivileges=yes". Save and exit

# Hardening
NoNewPrivileges=yes
  • Same for the "tor@.service" file: change "NoNewPrivileges=no" to "NoNewPrivileges=yes". Save and exit

$ sudo nano /lib/systemd/system/tor@.service
# Hardening
NoNewPrivileges=yes
  • Reload systemd manager configuration to apply the service changes

$ sudo systemctl daemon-reload

Port reference

Port      Protocol   Use
<TODO1>   TCP        OR port
<TODO2>   TCP        obfs4 port
