Klaus' Log

Sa 23 Mai 2020

How to setup a dualstack Tor bridge with obfs4proxy in 2020

Posted by Klaus Eisentraut in howto   

One of my servers is idling most of the time, and one boring evening I decided it could donate some of its capacity to the Tor network. However, this server also runs a low-traffic mail server, and I don't want its IP address to end up on blacklists. Therefore, I decided to run a Tor bridge, which carries no exit traffic and helps people in countries with a censored internet. Setting it up was relatively straightforward, but I didn't find an all-in-one set of instructions, so I'll document it here.

I chose 12345 as the tor ORPort and 12346 as the obfs4proxy port, but you can choose any other ports. My tor relay has both an IPv4 and an IPv6 address.

Compiling obfs4proxy

obfs4proxy is a pluggable transport that obfuscates traffic so that it cannot be distinguished from random data without knowing the key of the obfs4proxy server. Unfortunately, it is not in the official Arch Linux repository, so I decided to compile it myself. It is written in Go, so I installed the Go toolchain first with pacman -S go. Then I cloned the official repository and compiled obfs4proxy.

git clone https://gitlab.com/yawning/obfs4
cd obfs4/
go build -o obfs4proxy/obfs4proxy ./obfs4proxy
cp ./obfs4proxy/obfs4proxy /usr/bin/obfs4proxy

Install tor and configure /etc/tor/torrc

This step was easy. Just install tor with pacman -Syu tor and edit /etc/tor/torrc. I simply replaced it with the following configuration (the ORPort lines carry the relay's public IPv4 and IPv6 addresses, and the obfs4 listener port 12346 is the one clients will later use in their Bridge line):

SocksPort 0
ORPort XX.XXX.XXX.XXX:12345
ORPort [2XXX:XXXX:X:XXXX::X]:12345
BridgeRelay 1
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:12346
ExtORPort auto
ContactInfo Klaus Eisentraut <XXXX@XXX.de>
Nickname nocensorship 
ExitPolicy reject *:* # no exits allowed
ExitPolicy reject6 *:*
RelayBandwidthRate 1000 KB  # Throttle traffic to 1000 KB/s (8000 Kbps)
RelayBandwidthBurst 2000 KB # But allow bursts up to 2000 KB/s (16000 Kbps)
AccountingMax 800 GB
AccountingStart month 19 3:17 
Log notice file /var/log/tor/notices.log
MaxMemInQueues 1 GB

Then I started and enabled the tor service, which was as simple as systemctl start tor.service and systemctl enable tor.service.

Test it

After setting everything up, one should do the following to check that everything is working smoothly:

  • Check that there are no errors in /var/log/tor/notices.log.
  • Get your Bridge line. The last line of /var/lib/tor/pt_state/obfs4_bridgeline.txt should look like the following: Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=B9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxw iat-mode=0. Replace <IP ADDRESS> and <PORT> with the address and the obfs4 port you configured above (12346 here, not the ORPort), and <FINGERPRINT> with the fingerprint from /var/lib/tor/fingerprint. You should now have something like Bridge obfs4 [2XXX:XXXX:X:XXXX::X]:12346 90084127661DB83D8E41B567349FD46808F5169C cert=B9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxw iat-mode=0.
  • Start Tor browser and select "Tor is censored in my country" and "Provide a bridge I know".
  • If you can access the internet with the Tor browser now, everything is working fine!
  • Now, the most important step is patience. After a few hours, I could find my relay on metrics.torproject.org. However, it had no traffic at all for around the first two months. I was quite sure I must have done something wrong, but after two months of idling, the relay suddenly gained users and is now pushing traffic.
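The "get your Bridge line" step above is easy to get subtly wrong (wrong port, missing brackets around an IPv6 literal, a placeholder left in). The following script is an added example, not part of the original post, that assembles the line from the two files mentioned above and sanity-checks the result. The file contents, the 2001:db8::1 / 192.0.2.1 addresses and the cert value are constructed samples; the nickname, fingerprint and port 12346 are the ones from the post. The length checks (40 hex digits for the fingerprint, 70 unpadded base64 characters for the obfs4 cert, which encodes the 20-byte node ID plus the 32-byte public key) follow the obfs4 bridge line format.

```python
import ipaddress
import re

# Constructed sample of /var/lib/tor/fingerprint: "<nickname> <fingerprint>".
# Nickname and fingerprint are the ones shown in the post.
SAMPLE_FINGERPRINT_FILE = "nocensorship 90084127661DB83D8E41B567349FD46808F5169C\n"

# Constructed sample of /var/lib/tor/pt_state/obfs4_bridgeline.txt: the real file
# has comment lines first and the templated Bridge line last.  FAKE_CERT is a
# made-up 70-character stand-in, not a real obfs4 certificate.
FAKE_CERT = "B9" + "A" * 67 + "w"
SAMPLE_BRIDGELINE_FILE = (
    "# obfs4 torrc client bridge line (constructed sample header)\n"
    "\n"
    f"Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert={FAKE_CERT} iat-mode=0\n"
)

FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")   # SHA-1 identity digest, upper-case hex
CERT_RE = re.compile(r"^[A-Za-z0-9+/]{70}$")     # 52 bytes, base64 without padding


def read_fingerprint(text: str) -> str:
    """Extract the 40-hex-digit relay fingerprint from the fingerprint file."""
    parts = text.split()
    if len(parts) != 2 or not FINGERPRINT_RE.match(parts[1]):
        raise ValueError("fingerprint file does not look like '<nickname> <40 hex digits>'")
    return parts[1]


def read_bridge_template(text: str) -> str:
    """Return the last non-empty, non-comment line: the templated Bridge line."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if not lines or not lines[-1].startswith("Bridge obfs4 "):
        raise ValueError("no 'Bridge obfs4' line found")
    return lines[-1]


def format_endpoint(address: str, port: int) -> str:
    """Render address:port, bracketing IPv6 literals as torrc expects."""
    ip = ipaddress.ip_address(address)          # raises ValueError on garbage
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    return f"{host}:{port}"


def parse_bridge_line(line: str) -> dict:
    """Split a finished obfs4 Bridge line into its parts and check each one."""
    fields = line.split()
    if len(fields) != 6 or fields[0] != "Bridge" or fields[1] != "obfs4":
        raise ValueError("expected: Bridge obfs4 <addr>:<port> <fingerprint> cert=... iat-mode=...")
    host, _, port = fields[2].rpartition(":")
    ipaddress.ip_address(host.strip("[]"))      # raises on a non-address
    if not FINGERPRINT_RE.match(fields[3]):
        raise ValueError("bad fingerprint")
    params = dict(f.split("=", 1) for f in fields[4:])
    if not CERT_RE.match(params.get("cert", "")):
        raise ValueError("cert must be 70 base64 characters")
    if params.get("iat-mode") not in {"0", "1", "2"}:
        raise ValueError("iat-mode must be 0, 1 or 2")
    return {"host": host.strip("[]"), "port": int(port), "fingerprint": fields[3],
            "cert": params["cert"], "iat_mode": int(params["iat-mode"])}


def build_bridge_line(template: str, fingerprint: str, address: str, port: int) -> str:
    """Fill the placeholders with the obfs4 listener endpoint (port 12346 here, not the ORPort)."""
    line = template.replace("<IP ADDRESS>:<PORT>", format_endpoint(address, port))
    line = line.replace("<FINGERPRINT>", fingerprint)
    if "<" in line or ">" in line:
        raise ValueError("a placeholder was left unfilled")
    parse_bridge_line(line)                     # fail loudly rather than hand out a broken line
    return line


if __name__ == "__main__":
    fp = read_fingerprint(SAMPLE_FINGERPRINT_FILE)
    tmpl = read_bridge_template(SAMPLE_BRIDGELINE_FILE)
    # 2001:db8::1 is a documentation address standing in for the bridge's real IPv6 address.
    print(build_bridge_line(tmpl, fp, "2001:db8::1", 12346))
```

To use it on a real bridge, read the two files from /var/lib/tor instead of the embedded samples and pass the public address and the ServerTransportListenAddr port; the checks exist because a line that tor-browser rejects silently looks exactly like a bridge that is "not working yet".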

Conclusion

In the last 24 hours I helped a total of 88 IPs to access the uncensored internet over the tor network. It's not much, but it is nice to see that there are connections from Iran, Russia, China, Hong Kong and Venezuela!

# cat /var/lib/tor/stats/bridge-stats 
bridge-stats-end 2020-05-22 18:17:56 (86400 s)
bridge-ips ir=16,ru=16,us=16,ae=8,ar=8,au=8,br=8,ca=8,cn=8,co=8,cz=8,de=8,ec=8,eg=8,gh=8,hk=8,id=8,in=8,it=8,mx=8,nl=8,ph=8,sg=8,tr=8,tw=8,ve=8
bridge-ip-versions v4=88,v6=0
bridge-ip-transports obfs4=88
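The per-country numbers in that output do not add up to the 88 in bridge-ip-versions, which confuses many first-time bridge operators: tor rounds every bridge-ips count up to the next multiple of 8 before writing it, so a single client from a country shows up as 8. The parser below is an added example, not from the original post, that reads the bridge-stats format shown above (the sample is the post's own output embedded inline) and reports the totals with that rounding made explicit.

```python
import re

# The bridge-stats output quoted in the post, embedded here as sample input.
SAMPLE_BRIDGE_STATS = """\
bridge-stats-end 2020-05-22 18:17:56 (86400 s)
bridge-ips ir=16,ru=16,us=16,ae=8,ar=8,au=8,br=8,ca=8,cn=8,co=8,cz=8,de=8,ec=8,eg=8,gh=8,hk=8,id=8,in=8,it=8,mx=8,nl=8,ph=8,sg=8,tr=8,tw=8,ve=8
bridge-ip-versions v4=88,v6=0
bridge-ip-transports obfs4=88
"""

ROUNDING = 8   # tor rounds unique-IP counts up to a multiple of this before publishing them


def parse_counts(field: str) -> dict:
    """Turn 'ir=16,ru=16' into {'ir': 16, 'ru': 16}; an empty field yields {}."""
    if not field.strip():
        return {}
    return {k: int(v) for k, v in (item.split("=", 1) for item in field.split(","))}


def parse_bridge_stats(text: str) -> dict:
    """Parse the four bridge-stats lines into a dict of plain Python values."""
    stats = {"end": None, "interval_seconds": None,
             "countries": {}, "versions": {}, "transports": {}}
    for raw in text.splitlines():
        key, _, rest = raw.strip().partition(" ")
        if key == "bridge-stats-end":
            m = re.fullmatch(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \((\d+) s\)", rest)
            if not m:
                raise ValueError(f"unparseable bridge-stats-end line: {raw!r}")
            stats["end"], stats["interval_seconds"] = m.group(1), int(m.group(2))
        elif key == "bridge-ips":
            stats["countries"] = parse_counts(rest)
        elif key == "bridge-ip-versions":
            stats["versions"] = parse_counts(rest)
        elif key == "bridge-ip-transports":
            stats["transports"] = parse_counts(rest)
        elif key:
            raise ValueError(f"unknown bridge-stats line: {raw!r}")
    return stats


def summarize(stats: dict) -> dict:
    """Totals plus a check that every published count carries the expected rounding."""
    countries = stats["countries"]
    rounded = all(v % ROUNDING == 0 for v in countries.values())
    top = sorted(countries.items(), key=lambda kv: (-kv[1], kv[0]))[:3]
    return {
        "total_ips": sum(stats["versions"].values()),   # v4 + v6, the headline number
        "country_count": len(countries),
        "country_sum": sum(countries.values()),          # exceeds total_ips because of rounding
        "all_multiples_of_8": rounded,
        "top_countries": top,
        "hours": stats["interval_seconds"] / 3600 if stats["interval_seconds"] else None,
    }


if __name__ == "__main__":
    s = summarize(parse_bridge_stats(SAMPLE_BRIDGE_STATS))
    print(f"{s['total_ips']} unique IPs from {s['country_count']} countries "
          f"in {s['hours']:.0f} h; per-country sum {s['country_sum']} "
          f"(rounded up to multiples of {ROUNDING}); top: {s['top_countries']}")
```

The useful takeaway for monitoring is to alert on total_ips from bridge-ip-versions, not on the per-country sum, and to treat any country value as "at least one, at most that many" clients.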