Private Obfs4 Tor Bridge


This post gives instructions for a private obfs4 Tor bridge server running Debian 9 Stretch. For the official documentation for this and other distributions, see https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy.



Before you set up your private Tor bridge, you need to decide:
  • What port will you make the bridge listen on? We will use port 443 in this example.
  • What port will you use for the rest of the Tor network to communicate with the bridge? We will use 6889 in this example.

Prepare Server


Get your server up to date before you begin:

apt update
apt upgrade


Open the firewall for your chosen ports and close it for all others. Assuming your local PC has IP address 11.22.33.44, you would allow SSH only from that address and open the two bridge ports like this:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 11.22.33.44/32 -j ACCEPT

iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 6889 -j ACCEPT

iptables -P INPUT DROP
apt install iptables-persistent


Install and Configure Packages


Install Tor and Obfs4proxy:

apt install tor obfs4proxy


Edit your Tor configuration file:

vi /etc/tor/torrc


Change the torrc file to read as follows:

RunAsDaemon 1
ORPort 6889
ExtORPort auto
ExitPolicy reject *:*
BridgeRelay 1
PublishServerDescriptor 0
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:443
ContactInfo yourname@example.com
Nickname FreeBeerPrivate


Some notes on the above:

  • The line PublishServerDescriptor 0 keeps the bridge private
  • yourname@example.com is your actual email address
  • The nickname FreeBeerPrivate can be any name of your choice, up to 19 characters long

Notice that obfs4 is going to bind to a privileged port (i.e., a port whose number is lower than 1024). Allow this to happen by issuing the commands:

apt install libcap2-bin
setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy

You also need to edit:

vi /lib/systemd/system/tor@default.service


Change the line NoNewPrivileges=yes to read NoNewPrivileges=no.

Also edit:

vi /lib/systemd/system/tor@.service

Also change here the line NoNewPrivileges=yes to read NoNewPrivileges=no.

After writing the file to disk, issue the command:

systemctl daemon-reload


Restart Tor


Restart Tor with the new configuration:

systemctl restart tor

Check the log file:

tail /var/log/tor/log

You should see a message:

Self-testing indicates your ORPort is reachable from the outside. Excellent.

Check also that Tor is listening on port 6889 and Obfs4proxy is listening on port 443:

netstat -tulpn


Determine Bridge Line


Now to determine the bridge line. The bridge line is what specifies your obfs4 bridge to the Tor Browser user. Obtain a template for your bridge line by issuing the command:

cat /var/lib/tor/pt_state/obfs4_bridgeline.txt


You will obtain a result that looks like this:

Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=BO53...jHXA iat-mode=0


  • <IP ADDRESS> is intended to be replaced by the public IP address of your server
  • <PORT> is intended to be replaced by the port on which obfs4 is listening, which is 443 in our example
  • To obtain your server’s <FINGERPRINT>, do:

cat /var/lib/tor/fingerprint

The above returns the server nickname, followed by its fingerprint. It will look like this:

FreeBeerPrivate EF2EB5F901234567ABCDEF906238BC63ABCDEF28

Put all these elements together to form your final bridge line. It will look like this:

obfs4 188.188.188.188:443 EF2EB5F901234567ABCDEF906238BC63ABCDEF28 cert=BO53...jHXA iat-mode=0


where 188.188.188.188 is the actual IP address of your server.
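The assembly step above, as an added example that is not from the original post: it reads the two pieces the post has you look up, validates each one, and joins them into the final line. The file contents below are constructed stand-ins matching the post's sample output.

```shell
#!/bin/sh
# Added example (not from the original post): assemble the final obfs4 bridge
# line from the two files the post has you read, validating each piece first.
# The file contents below are constructed stand-ins for this demonstration.

SAMPLE_BRIDGELINE='Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=BO53...jHXA iat-mode=0'
SAMPLE_FINGERPRINT='FreeBeerPrivate EF2EB5F901234567ABCDEF906238BC63ABCDEF28'

# build_bridge_line TEMPLATE FINGERPRINT_LINE PUBLIC_IP PORT
# Prints the line a Tor Browser user pastes (no leading "Bridge" keyword),
# or prints nothing and returns 1 if any piece fails validation.
build_bridge_line() {
    template=$1
    fp_line=$2
    ip=$3
    port=$4

    # /var/lib/tor/fingerprint holds "<nickname> <fingerprint>"; take field 2.
    fp=$(printf '%s\n' "$fp_line" | awk '{ print $2 }')
    case $fp in
        ""|*[!0-9A-F]*) return 1 ;;      # upper-case hex only
    esac
    [ ${#fp} -eq 40 ] || return 1        # relay identity is 40 hex digits

    # Port must be numeric and in range (443 in the post's example).
    case $port in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1

    # Everything after <FINGERPRINT> (cert=... iat-mode=...) is per-bridge and
    # copied through unchanged; refuse templates lacking the placeholder or cert.
    opts=${template#*<FINGERPRINT> }
    [ "$opts" != "$template" ] || return 1
    case $opts in
        cert=*) ;;
        *) return 1 ;;
    esac

    printf 'obfs4 %s:%s %s %s\n' "$ip" "$port" "$fp" "$opts"
}

# Stand-alone run on the constructed samples. On the server, pass the real
# file contents instead, e.g. "$(cat /var/lib/tor/pt_state/obfs4_bridgeline.txt)".
build_bridge_line "$SAMPLE_BRIDGELINE" "$SAMPLE_FINGERPRINT" 188.188.188.188 443
```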

Copy and paste the final bridge line into a text editor such as Gedit, TextEdit, Notepad, or Notepad++. You will need to give the bridge line to any users of your bridge, including yourself.

Install Nyx Monitor


Finally, on the server, if you want to monitor your bridge, install the Nyx status monitor, formerly known as the anonymizing relay monitor (arm):

apt install python-pip
pip install nyx


Invoke Nyx with:

nyx

Use the left and right arrows on your computer keyboard to page through the Nyx screens.

Press q and then q again to quit Nyx.

Your work on setting up your private bridge server is now done. Make sure you have kept a note of your final bridge line. Then exit your SSH session with the server:

exit
