[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] obfs4 bridge current setup is not entirely clear



On Mittwoch, 8. November 2023 17:42:46 CET s7r wrote:

> 2. It was recommended on the mail list that obfs4 bridges should not 
> open their ORPorts publicly to prevent scanning the entire 1-65536 port 
> range and determine it's a Tor bridge. OK.

Not recommended, but rather a request to try it out.

Some info in the old thread
https://lists.torproject.org/pipermail/tor-relays/2023-August/021259.html

Relevant tiket from meskio:
https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/129

> But if you try:
> 
> ORPort 127.0.0.1:auto
> ORPort [::1]:auto
> AssumeReachable 1 # needed to skip ORPort reachability test
> 
> Tor will start but it will constantly complain in the log with:
> 
> [warn] The IPv4 ORPort address 127.0.0.1 does not match the descriptor 
> address REAL_IPv4_ADDRESS. If you have a static public IPv4 address, use 
> 'Address <IPv4>' and 'OutboundBindAddress <IPv4>'. If you are behind a 
> NAT, use two ORPort lines: 'ORPort <PublicPort> NoListen' and 'ORPort 
> <InternalPort> NoAdvertise'.
> 
> [warn] The IPv6 ORPort address ::1 does not match the descriptor address 
> REAL_IPv6_ADDRESS. If you have a static public IPv4 address, use 
> 'Address <IPv6>' and 'OutboundBindAddress <IPv6>'. If you are behind a 
> NAT, use two ORPort lines: 'ORPort <PublicPort> NoListen' and 'ORPort 
> <InternalPort> NoAdvertise'.

Yes you can ignore the logs. Not exposing OrPort for bridges is still 
experimental feature.

I've gradually reconfigured _all_ bridges over the last 2 months:
The number of connections/users has stayed pretty much the same.
Bridges with setting "BridgeDistribution any" the distribution method has not 
changed.

OrPort must forwarded or should not firewalled otherwise the status will be 
dysfunctional on https://bridges.torproject.org/status

> So what is the best way to for an user to open both IPv4 and IPv6 
> pluggable transport ports?

The ServerTransportListenAddr line is dual stack friendly.
ServerTransportListenAddr obfs4 [::]:8443


-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays