Hi there,

I have two questions regarding bridge operations:

Is it possible to run an obfs4 bridge with an externally reachable IPv6 address only? I've tried to set up a "Node" on a separate host, but in the same network as my relay (VLAN-separated). The idea was to open all external ports required for the Tor part (on IPv4 and IPv6) and assign one different IPv6 address as the external obfs port. I generally thought this could be beneficial, as with every firewall restart I get new IPs and potentially evade blocklists. From what I read there is a higher demand for bridges at the moment due to Russian and Chinese "IP whitelisting" attempts.

Overall, the networking scheme would look like this (from the firewall's view):

-------- WAN
Source   Target      IP-Ver   Port    Desc.
WAN      Tor-Relay   IPv4/6   30003   Allow Incoming Relay-Traffic
WAN      Tor-Bridge  IPv4/6   30004   Allow Incoming Bridge-OR Traffic
WAN      Tor-Bridge  IPv6     56120   Allow Incoming Bridge-Obfs4 Traffic

-------- DMZ
Source       Target   IP-Ver   Port   Desc.
Tor-Relay    "WAN"    IPv4/6   *      Allow Outgoing Relay-Traffic
Tor-Bridge   "WAN"    IPv4/6   *      Allow Outgoing Tor/Bridge Traffic
--------

The bridge is starting but freezes in a state before any major bootstrapping has happened (see logs attached). I can see outbound and inbound traffic on the Tor ports (30004), but not on the bridge ports. I assume the Tor part is "partially" working. In the log: is the last line "[notice] Opened Extended OR listener connection (ready) on 127.0.0.1:50652" an internal port, or is it the port that I want to be 56120? Maybe someone could give me a hint whether this Frankenstein construct is even supposed to work (like having a bridge with only a public IPv6 address) and if there are any security constraints.

Second question: Should I exclude my own relay as Guard?

Other thoughts: To improve privacy for the bridge even more, I thought about adding a second interface to the VM and working with IPv6 ULA and NAT for the needed Tor connection. E.g. pick any GUA from the externally available IP range and NAT it to the ULA "fc55:c737:c747:c757::cafe", and also do outbound NAT to the GUA again so as not to confuse the peers. But this is for another time.

Last point, maybe it makes you smile about my stupidness.. I put a lot of thought into the physical security of my server; the last step was to trigger a BitLocker lock when the chassis is opened. Unfortunately, the chassis intrusion implementation of the board is not great, so I ended up connecting the chassis switch to the CLR_CMOS header. "Perfect solution". When you open up the chassis, the system immediately resets and, due to the PCR mismatch, the drive cannot be decrypted. I have removed any "recovery options" from BitLocker, so there is no 40-digit number you may enter in this case. If not planned, during a normal boot the TPM + key file + PIN would be needed to unseal the drive. I'm using TSME as an additional layer of protection, so all of my RAM is encrypted and cold boot attacks are not an option anymore. The measured performance impact was only about 6% in my case. It can be enabled in the BIOS. To prevent DMA attacks, I disabled USB support, audio and SATA, and there is even no free PCIe slot or any other interface on the board. The reason for all of this is that I may want to spread some more relays, and I cannot guard them or ensure that they are 100% safe from physical tampering, so I want them to just go down immediately when someone messes with them.

If you have any more thoughts/improvements, let me know. After this long mail, I'm pretty sure you will all sleep well!

Best regards and a nice start into the week!
Joker
Nov 23 17:32:28.431 [notice] Tor 0.4.8.21 running on Windows 8 [or later] with Libevent 2.1.12-stable, OpenSSL 3.5.4, Zlib 1.3.1, Liblzma N/A, Libzstd N/A and Unknown N/A as libc.
Nov 23 17:32:28.431 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Nov 23 17:32:28.454 [notice] Read configuration file "C:\Tor_Bridge\torrc".
Nov 23 17:32:28.456 [notice] Based on detected system memory, MaxMemInQueues is set to 6143 MB. You can override this by setting MaxMemInQueues by hand.
Nov 23 17:32:28.458 [notice] Opening Socks listener on 127.0.0.1:9050
Nov 23 17:32:28.458 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9050
Nov 23 17:32:28.458 [notice] Opening OR listener on 0.0.0.0:30004
Nov 23 17:32:28.458 [notice] Opened OR listener connection (ready) on 0.0.0.0:30004
Nov 23 17:32:28.458 [notice] Opening OR listener on [::]:30004
Nov 23 17:32:28.458 [notice] Opened OR listener connection (ready) on [::]:30004
Nov 23 17:32:28.458 [notice] Opening Extended OR listener on 127.0.0.1:0
Nov 23 17:32:28.458 [notice] Extended OR listener listening on port 50652.
Nov 23 17:32:28.458 [notice] Opened Extended OR listener connection (ready) on 127.0.0.1:50652
Log notice file C:\Tor_Bridge\notice.log
GeoIPFile C:\Tor_Bridge\data\geoip
GeoIPv6File C:\Tor_Bridge\data\geoip6
BridgeRelay 1

# Replace "TODO1" with a Tor port of your choice.
# This port must be externally reachable.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ORPort 30004

ServerTransportPlugin obfs4 exec C:\Tor_Bridge\tor\lyrebird.exe

# Replace "TODO2" with an obfs4 port of your choice.
# This port must be externally reachable and must be different from the one specified for ORPort.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ServerTransportListenAddr obfs4 [::]:56120

# Local communication port between Tor and obfs4. Always set this to "auto".
# "Ext" means "extended", not "external". Don't try to set a specific port number, nor listen on 0.0.0.0.
ExtORPort auto

# Replace "<address@xxxxxxxxx>" with your email address so we can contact you if there are problems with your bridge.
# This is optional but encouraged.
ContactInfo

# Pick a nickname that you like for your bridge. This is optional.
Nickname
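To check a bridge torrc against the constraints the comments above spell out (ORPort and the obfs4 port must differ, port 9001 is discouraged, ExtORPort stays "auto" because it is the local Tor-to-obfs4 port rather than the external one, ContactInfo should be filled), here is an added Python example; it is not part of the message or of Tor's own tooling, and the sample torrc it embeds is constructed from the posted option values.

```python
import re

# Constructed sample torrc, using the same option values as the posted bridge config.
SAMPLE_TORRC = """\
BridgeRelay 1
ORPort 30004
ServerTransportPlugin obfs4 exec C:\\Tor_Bridge\\tor\\lyrebird.exe
ServerTransportListenAddr obfs4 [::]:56120
ExtORPort auto
ContactInfo
Nickname
"""

def parse_torrc(text):
    """Map each option name to the list of values given for it (comments and blanks dropped)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key, []).append(value.strip())
    return opts

def lint_bridge_torrc(text):
    """Return (severity, message) findings for the bridge-specific options."""
    opts = parse_torrc(text)
    first = lambda k: opts.get(k, [""])[0]
    findings = []
    if first("BridgeRelay") != "1":
        findings.append(("error", "BridgeRelay 1 is required for a bridge"))
    m = re.search(r"(\d+)$", first("ORPort"))          # accepts "30004" or "[::]:30004"
    or_num = int(m.group(1)) if m else None
    if or_num is None:
        findings.append(("error", "ORPort must be set (and be externally reachable)"))
    elif or_num == 9001:
        findings.append(("warn", "ORPort 9001 is commonly associated with Tor; censors scan for it"))
    if not any(v.startswith("obfs4 exec ") for v in opts.get("ServerTransportPlugin", [])):
        findings.append(("error", "ServerTransportPlugin obfs4 exec <path> is missing"))
    # The listen address may be IPv4 or bracketed IPv6; only the trailing port matters here.
    pt = [re.match(r"obfs4\s+\S+:(\d+)$", v) for v in opts.get("ServerTransportListenAddr", [])]
    pt_num = next((int(r.group(1)) for r in pt if r), None)
    if pt_num is None:
        findings.append(("error", "ServerTransportListenAddr obfs4 <addr>:<port> is missing"))
    elif pt_num == or_num:
        findings.append(("error", "obfs4 port must differ from ORPort"))
    if first("ExtORPort") != "auto":
        findings.append(("error", "ExtORPort must be 'auto': local Tor<->obfs4 port, not the external one"))
    if not first("ContactInfo"):
        findings.append(("warn", "ContactInfo is empty; nobody can reach you if the bridge misbehaves"))
    return findings
```

Run against the posted config, the only finding is the empty ContactInfo; a config that reuses 9001 for both ports or pins ExtORPort to an address produces errors.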
_______________________________________________ tor-relays mailing list -- tor-relays@xxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to tor-relays-leave@xxxxxxxxxxxxxxxxxxxx