One of my servers is idling most of the time and one boring evening, I decided it can donate some of its capacity to the Tor network. However, this server runs a low-traffic mailserver and I don't want its IP address to end up on blacklists. Therefore, I decided to run a Tor bridge in order to help people in countries with censored internet. It was relatively straightforward to set up, but I didn't find an all-in-one instruction. Therefore, I'll document it here.
I chose 12345 as the tor ORPort and 12346 as the obfs4proxy port but you can choose any other ports. My tor relay has both an IPv4 and an IPv6 address, too.
obfs4proxy is an obfuscator which makes it impossible to distinguish traffic from random data without knowing the key of the obfs4proxy server.
Unfortunately, it is not in the official Arch Linux repository, so I decided to compile it myself. It is written in the modern programming language Go, so I installed it first with pacman -S go. Then, I cloned the official repository and compiled it:

    git clone https://gitlab.com/yawning/obfs4
    cd obfs4/
    go build -o obfs4proxy/obfs4proxy ./obfs4proxy
    cp ./obfs4proxy/obfs4proxy /usr/bin/obfs4proxy

Install tor and configure /etc/tor/torrc
This step was easy. Just install tor with pacman -Syu tor and edit /etc/tor/torrc. I simply replaced it with the following configuration:

    SocksPort 0
    ORPort XX.XXX.XXX.XXX:12345
    ORPort [2XXX:XXXX:X:XXXX::X]:12345
    BridgeRelay 1
    ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
    ServerTransportListenAddr obfs4 0.0.0.0:12346
    ExtORPort auto
    ContactInfo Klaus Eisentraut <XXXX@XXX.de>
    Nickname nocensorship
    ExitPolicy reject *:* # no exits allowed
    ExitPolicy reject6 *:*
    RelayBandwidthRate 1000 KB # Throttle traffic to 1000 KB/s
    RelayBandwidthBurst 2000 KB # But allow bursts up to 2000 KB/s
    AccountingMax 800 GB
    AccountingStart month 19 3:17
    Log notice file /var/log/tor/notices.log
    MaxMemInQueues 1 GB

Then, I started and enabled the tor service which was as simple as systemctl start tor.service and systemctl enable tor.service.
After setting everything up, one should do the following in order to check that everything is working smoothly:
- Check that there are no errors in
- Get your Bridge line. The last line of /var/lib/tor/pt_state/obfs4_bridgeline.txt should look like the following:

      Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=B9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxw iat-mode=0

  You need to replace the IP address and port with the ones you have configured above. The fingerprint also needs to be replaced with the contents of /var/lib/tor/fingerprint. You should now have something like:

      Bridge obfs4 [2XXX:XXXX:X:XXXX::X]:12346 90084127661DB83D8E41B567349FD46808F5169C cert=B9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxw iat-mode=0

- Start Tor browser and select "Tor is censored in my country" and "Provide a bridge I know".
- If you can access the internet with the Tor browser now, everything is working fine!
- Now, the most important step is patience. After a few hours, I could find my relay on metrics.torproject.org. However, it had no traffic at all for around the first two months. I was quite sure I must have done something wrong, but after two months of idling, the relay suddenly gained users and is now pushing traffic.
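
The placeholder substitution from the "Get your Bridge line" step can be scripted. The following is an added example, not part of the original setup: the function name make_bridge_line and its argument order are assumptions, and it assumes the fingerprint file holds the nickname followed by the 40-hex-digit fingerprint on one line.

```shell
#!/bin/sh
# Added example: build the client Bridge line from the files tor writes.
# Usage (as root): make_bridge_line ADDRESS PORT [BRIDGELINE_FILE] [FINGERPRINT_FILE]
# ADDRESS and PORT are the public address and the obfs4proxy port from torrc.
make_bridge_line() {
    bl_addr=$1
    bl_port=$2
    bl_tmpl_file=${3:-/var/lib/tor/pt_state/obfs4_bridgeline.txt}
    bl_fp_file=${4:-/var/lib/tor/fingerprint}

    # The port must be a decimal number between 1 and 65535.
    case $bl_port in
        ''|*[!0-9]*|??????*) echo "invalid port: $bl_port" >&2; return 1 ;;
    esac
    if [ "$bl_port" -lt 1 ] || [ "$bl_port" -gt 65535 ]; then
        echo "invalid port: $bl_port" >&2; return 1
    fi

    # IPv6 literals must be wrapped in brackets, IPv4 addresses must not.
    case $bl_addr in
        \[*\]) ;;
        *:*) bl_addr="[$bl_addr]" ;;
    esac

    # The template is the last "Bridge obfs4" line; the file starts with comments.
    bl_tmpl=$(grep '^Bridge obfs4 ' "$bl_tmpl_file" | tail -n 1)
    # Everything after the <FINGERPRINT> placeholder (cert=... iat-mode=...) is kept.
    bl_opts=${bl_tmpl#*"<FINGERPRINT> "}
    if [ -z "$bl_tmpl" ] || [ "$bl_opts" = "$bl_tmpl" ]; then
        echo "no usable Bridge line in $bl_tmpl_file" >&2; return 1
    fi

    # Assumed file format: "<nickname> <fingerprint>"; take the last field.
    bl_fp=$(awk 'NF { f = $NF } END { print f }' "$bl_fp_file" | tr 'a-f' 'A-F')
    if ! printf '%s\n' "$bl_fp" | grep -Eq '^[0-9A-F]{40}$'; then
        echo "unexpected fingerprint format in $bl_fp_file" >&2; return 1
    fi

    printf 'Bridge obfs4 %s:%s %s %s\n' "$bl_addr" "$bl_port" "$bl_fp" "$bl_opts"
}
```
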
In the last 24 hours I helped a total of 88 IPs to access uncensored internet over the Tor network. It's not much, but it is nice to see that there are connections from Iran, Russia, China, Hong Kong and Venezuela!

    # cat /var/lib/tor/stats/bridge-stats
    bridge-stats-end 2020-05-22 18:17:56 (86400 s)
    bridge-ips ir=16,ru=16,us=16,ae=8,ar=8,au=8,br=8,ca=8,cn=8,co=8,cz=8,de=8,ec=8,eg=8,gh=8,hk=8,id=8,in=8,it=8,mx=8,nl=8,ph=8,sg=8,tr=8,tw=8,ve=8
    bridge-ip-versions v4=88,v6=0
    bridge-ip-transports obfs4=88