Hi,

On 15 Apr 2020, at 01:45, Wilton Gorske <wilton@xxxxxxxxxx> wrote:
> Secondly, and mainly, I am working on setting up ten obfs4 bridge relays on macOS and keep running into port issues, so I'm hoping to get some general advice and guidance about how to set this up in the absence of updated macOS tutorials online.
Thanks for running Tor bridges!
> These bridge relays are going to run on one macOS server. Knowing that they can each have their own dedicated IP address, could someone advise how to best set up these multiple obfs4 bridge instances so each can be run (tor -f /usr/local/etc/tor/torrc.1, torrc.2, torrc.3, etc...) under one non-root user
It's slightly safer to run each instance under its own user.
Then the keys for each instance aren't available to the other instances.
You might find Debian's tor-instance-create script useful:
In particular, you can have a defaults torrc for each instance, and then just change the addresses and ports in each instance's torrc.
> with only two public ports open on the data center network (80 and 443)? I'm getting stuck at the port reachability phase, and even more so when trying to run multiple instances with forwarding/binding warnings.
>
> The Application Level Firewall allows certain granted programs (tor/tor-gencert/tor-print-ed-signing-cert/tor-resolve/torify/obfs4proxy) the ability to open or accept a network socket. By editing the macOS network system settings to route port 80 to 9005, and noting "ORPort 80 NoListen" and "ORPort 0.0.0.0:9005 NoAdvertise" in the torrc, that works correctly (including routing 443 for obfs4proxy). Running a second instance is where it seems to break down. Is there a way to have multiple tor instances sharing a port?
No, tor doesn't support port multiplexing across multiple tor processes.
Instead, tor automatically multiplexes multiple clients over the same port, without any special configuration on the server.
> My guess is the main issue is that at the system routing level, I need a way to note each IP and port so it goes to the right tor instance. Currently, the forwarding is set up like:
>
>   rdr pass on en1 inet proto tcp from any to any port 80 -> 127.0.0.1 port 9005
>
> I'm guessing I need some way to designate IP XX.XXX.XX.120 -> port 9005 (torrc.1), XX.XXX.XX.121 -> port 9006 (torrc.2), XX.XXX.XX.122 -> port 9007 (torrc.3), etc. Is that correct?
Yes, that sounds sensible.
> A copy of my notes and configurations so far can be found here: http://5jp7xtmox6jyoqd5.onion/p/ISjeXEW-vt8H1s89bwSW
>
> Please feel free to make suggestions or edits directly in that etherpad. I'm sure there are multiple ways to do this, but I definitely want to make sure I am using the most secure method as opposed to the easiest or quickest... Thanks for any help in advance.
T
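One way to catch the two problems discussed above (instances colliding on a bind port, and a catch-all redirect that can only feed one instance) before starting anything is to cross-check the torrc files against the pf rules. The following is an added example written for this thread; it is not code from the thread, from Tor, or from Debian's tor-instance-create. It parses each instance's ORPort and ServerTransportListenAddr lines plus the rdr rules, and reports port collisions between instances (the source of the binding warnings), redirects with no listener behind them, listeners nothing redirects to, advertised ports outside the data center's open 80/443, and a "to any" rule used with more than one instance. The instance names, the 192.0.2.x addresses, the 9005+/9105+ loopback ports and the two sample configurations are constructed for the example, not taken from the etherpad.

```python
"""Cross-check per-instance torrc files against the pf rdr rules feeding them.

Added example for the thread above, not code from the thread or from Tor.
Given one torrc text per instance plus the pf rules, it reports the mistakes
that show up as "could not bind" warnings or an unreachable bridge: two
instances binding the same port, a redirect with no listener behind it, a
listener no rule redirects to, an advertised port the data-center edge does
not pass, and a catch-all "to any" redirect that can only feed one instance.
The torrc/pf syntax is the thread's; the sample configs and 192.0.2.x
addresses are constructed for this example.
"""
import re

# Matches the thread's rule shape, e.g.
# rdr pass on en1 inet proto tcp from any to 192.0.2.120 port 80 -> 127.0.0.1 port 9005
RDR_RE = re.compile(r"^\s*rdr\s+pass\s+on\s+\S+\s+inet\s+proto\s+tcp\s+from\s+any\s+to\s+(\S+)"
                    r"\s+port\s+(\d+)\s*->\s*(\S+)\s+port\s+(\d+)\s*$")
WILDCARD = {"*", "0.0.0.0", "::", "[::]"}   # addresses that claim a port on every interface


def split_addrport(token):
    """'0.0.0.0:9005' -> ('0.0.0.0', 9005); bare '80' -> ('*', 80); 'auto' -> None."""
    addr, _, port = token.rpartition(":")
    return (addr or "*", int(port)) if port.isdigit() else None


def parse_torrc(text):
    """Return (advertised, bound) lists of (address, port).

    ORPort ... NoListen is advertised only, ORPort ... NoAdvertise is bound only,
    an ORPort with neither flag is both; ServerTransportListenAddr is bound only.
    """
    advertised, bound = [], []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "orport":
            sock = split_addrport(parts[1])
            if sock is None:
                continue
            flags = {f.lower() for f in parts[2:]}
            if "noadvertise" not in flags:
                advertised.append(sock)
            if "nolisten" not in flags:
                bound.append(sock)
        elif key == "servertransportlistenaddr" and len(parts) >= 3:
            sock = split_addrport(parts[2])
            if sock is not None:
                bound.append(sock)
    return advertised, bound


def same_socket(a, b):
    """Two listeners collide when the ports match and the addresses match or either is a wildcard."""
    return a[1] == b[1] and (a[0] == b[0] or a[0] in WILDCARD or b[0] in WILDCARD)


def check_instances(torrcs, pf_rules, external_ports=(80, 443)):
    """Return human-readable findings for {name: torrc_text} plus pf rule text; [] means consistent."""
    findings, listeners = [], []          # listeners: (instance, (addr, port))
    for name, text in torrcs.items():
        advertised, bound = parse_torrc(text)
        for addr, port in advertised:
            if port not in external_ports:
                findings.append(f"{name}: advertises port {port}, but only {sorted(external_ports)} "
                                f"are open at the edge")
        for sock in bound:
            for other, osock in listeners:
                if same_socket(sock, osock):
                    findings.append(f"{name} and {other} both bind port {sock[1]} "
                                    f"({sock[0]} vs {osock[0]}); one of them will fail to start")
            listeners.append((name, sock))

    targets, seen_dst = set(), set()
    for line in pf_rules.splitlines():
        m = RDR_RE.match(line)
        if not m:
            continue
        dst_ip, dst_port, tgt = m.group(1), int(m.group(2)), (m.group(3), int(m.group(4)))
        if dst_ip == "any" and len(torrcs) > 1:
            findings.append(f"rule for port {dst_port} matches every address ('to any'); with "
                            f"{len(torrcs)} instances each one needs its own destination IP")
        if (dst_ip, dst_port) in seen_dst:
            findings.append(f"{dst_ip}:{dst_port} is redirected twice; pf uses the first rdr match")
        seen_dst.add((dst_ip, dst_port))
        if not any(same_socket(sock, tgt) for _, sock in listeners):
            findings.append(f"redirect {dst_ip}:{dst_port} -> {tgt[0]}:{tgt[1]} has no listener behind it")
        targets.add(tgt)

    for name, sock in listeners:
        if not any(same_socket(sock, t) for t in targets):
            findings.append(f"{name}: listener {sock[0]}:{sock[1]} is not the target of any rdr rule, "
                            f"so nothing reaches it through ports {sorted(external_ports)}")
    return findings


def torrc_text(or_port, pt_port, bind="127.0.0.1"):
    """Constructed torrc fragment in the thread's style: advertise 80, bind a high port."""
    return (f"ORPort 80 NoListen\nORPort {bind}:{or_port} NoAdvertise\n"
            f"ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy\n"
            f"ServerTransportListenAddr obfs4 {bind}:{pt_port}\nExtORPort auto\n")


def rdr_rule(dst_ip, ext_port, tgt_port, iface="en1"):
    """Constructed pf rule: redirect dst_ip:ext_port arriving on iface to loopback tgt_port."""
    return f"rdr pass on {iface} inet proto tcp from any to {dst_ip} port {ext_port} -> 127.0.0.1 port {tgt_port}"


# The thread's starting point: one catch-all rule per port, two instances on the same ports.
BROKEN_TORRCS = {"torrc.1": torrc_text(9005, 9105, bind="0.0.0.0"),
                 "torrc.2": torrc_text(9005, 9105, bind="0.0.0.0")}
BROKEN_PF = "\n".join([rdr_rule("any", 80, 9005), rdr_rule("any", 443, 9105)])

# The layout agreed in the thread: one public IP and one loopback port pair per instance.
IPS = ["192.0.2.120", "192.0.2.121", "192.0.2.122"]
FIXED_TORRCS = {f"torrc.{i + 1}": torrc_text(9005 + i, 9105 + i) for i in range(len(IPS))}
FIXED_PF = "\n".join(rdr_rule(ip, p, base + i)
                     for i, ip in enumerate(IPS) for p, base in ((80, 9005), (443, 9105)))

if __name__ == "__main__":
    for label, torrcs, pf in (("broken", BROKEN_TORRCS, BROKEN_PF), ("fixed", FIXED_TORRCS, FIXED_PF)):
        print(f"{label}:", *(check_instances(torrcs, pf) or ["no findings"]), sep="\n  ")
```

Run it as a script to see the findings for the thread's starting configuration next to the per-IP layout. The fixed layout binds each listener to 127.0.0.1 rather than 0.0.0.0, so the high ports are only reachable through the redirect. One thing the checker cannot verify is what the bridge advertises for obfs4: unlike ORPort, ServerTransportListenAddr has no NoListen/NoAdvertise pair, so once the instances are up, compare the address and port tor logs when it registers the obfs4 transport against what is actually reachable through the 443 redirect.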