
Re: [tor-relays] Call for setting up new obfs4 bridges



Greetings everyone,

I've been running a TOR relay for a couple of years and as recently posted, my bandwidth usage has dribbled down to almost nothing.
I was going to pull the relay as the ubuntu box is basically doing nothing and not being utilised by TOR.

Then I saw the above email about being a bridge and thought, fine, I'll configure it to be a bridge and help out someone.
Tried to do it via the docker/script method, but soon realised that was outside my skill level (hey stop laughing! :P)
So I did it via the method here: https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy
Setting ORPort to 443 as suggested.
I forwarded that port on the router and then tested it, but it said it was closed. So I thought my router was playing up.
I checked a few other ports using online tools and a few of them were closed.
I forwarded another port to some other software on another machine and that worked?!
So I realised the ports are open on the router but closed on the ubuntu machine.
I've played around with all the settings, changed my torrc file to a really basic one of:

RunAsDaemon 1
BridgeRelay 1

# Replace "TODO" with a Tor port of your choice.  This port must be externally
# reachable.  Avoid port 9001 because it's commonly associated with Tor and
# censors may be scanning the Internet for this port.
ORPort 9051

ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy

# Replace "TODO" with an obfs4 port of your choice.  This port must be
# externally reachable.  Avoid port 9001 because it's commonly associated with
# Tor and censors may be scanning the Internet for this port.
ServerTransportListenAddr obfs4 0.0.0.0:443

# Local communication port between Tor and obfs4.  Always set this to "auto".
# "Ext" means "extended", not "external".  Don't try to set a specific port
# number, nor listen on 0.0.0.0.
ExtORPort auto

# Replace "<address@xxxxxxxxx>" with your email address so we can contact you if
# there are problems with your bridge.  This is optional but encouraged.
ContactInfo blades1000@xxxxxxxxx

# Pick a nickname that you like for your bridge.  This is optional.
Nickname MelbTORbridge

I was able to monitor tor still with NYX, but that seems to have stopped and given me an error of:
Unable to authenticate: socket connection failed ([Errno 104] Connection reset by peer)

I was blowing a gasket yesterday and about to flush the whole machine, but left it for the day and figured I'd ask for help before I scrap it and go back to the original tor relay Torrc file.

Any help would be greatly appreciated.





On Wed, Jul 3, 2019 at 1:01 PM Philipp Winter <phw@xxxxxxxxxxxxxx> wrote:
On Wed, Jul 03, 2019 at 02:09:02AM +0000, torix@xxxxxxxxxxxxxx wrote:
> Looking at the new, improved instructions for Debian/Ubuntu obfs4
> bridges, I am confused by the talk about a fixed obfs4 bridge port.
> The line to do this is commented out.  Does that mean it is optional
> to give obfs4 a fixed port?  If it were a random port, however, I'd
> need a lot of open ports on my firewall...

We recommend to not set ServerTransportListenAddr and keep the "ORPort
auto" setting, which makes Tor pick a random OR and obfs4 port for you.
These random ports persist across restarts, so you only have to forward
them once -- at least as long as you keep your data directory.  We don't
provide a static port in the sample config because we don't want
operators to end up with the same port.  If that was the case, censors
could scan the IPv4 address space for these ports and block all bridges
they find that way.

That said, feel free to choose your own obfs4 port.  For example, we
could use more bridges whose obfs4 port is 443.  Just avoid port 9001 as
it's commonly associated with Tor and an attractive target for
Internet-wide scanning.

I hope this clears things up a bit.

Cheers,
Philipp
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
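
Added example (not part of the original message, and not Tor Project code): a small Python linter for a bridge torrc that applies the port advice given in this thread (avoid 9001, keep ExtORPort on "auto") and lists the ports that have to be forwarded. The sample config is constructed from the one posted above; the 9051 and below-1024 checks are additions that assume nyx's default control port and the Linux privileged-port rule.

```python
import re
# Constructed sample mirroring the torrc posted in this message.
SAMPLE_TORRC = """\
BridgeRelay 1
ORPort 9051
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:443
ExtORPort auto
"""

def parse_torrc(text):
    """Yield (lowercased keyword, args) for each non-comment torrc line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            yield key.lower(), args

def port_of(value):
    """Port from '443', '0.0.0.0:443' or '[::]:443'; None for 'auto'."""
    m = re.search(r"(?:^|:)(\d+)$", value)
    return int(m.group(1)) if m else None

def lint_bridge(text):
    """Return (ports to forward, warnings) for a bridge torrc."""
    forward, warnings = [], []
    for key, args in parse_torrc(text):
        if key == "extorport" and args and args[0] != "auto":
            warnings.append("ExtORPort: set to 'auto', never a fixed or 0.0.0.0 port")
        if key == "orport" and args:
            name, value = "ORPort", args[0]
        elif key == "servertransportlistenaddr" and len(args) >= 2:
            name, value = args[0], args[1]
        else:
            continue
        port = port_of(value)
        if port is None:
            continue  # 'auto': Tor picks a random port and keeps it across restarts
        forward.append((name, port))
        if port == 9001:
            warnings.append(f"{name} {port}: commonly associated with Tor, scanned for")
        if port == 9051:  # added check: nyx connects to control port 9051 by default
            warnings.append(f"{name} {port}: collides with the usual ControlPort number")
        if port < 1024:  # added check: Linux privileged-port rule
            warnings.append(f"{name} {port}: needs root or CAP_NET_BIND_SERVICE to bind")
    return forward, warnings

if __name__ == "__main__":
    print(lint_bridge(SAMPLE_TORRC))
```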