Opened 3 years ago

Closed 3 years ago

#23095 closed defect (fixed)

Can't connect with TBB to my private bridge using OBFS3/4, if I use NOPROTOCOL it connects. The Bridge says it is properly set.

Reported by: help-OBFS4-BRIDGE
Owned by:
Priority: High
Milestone:
Component: Circumvention
Version: Tor: 0.3.0.9
Severity: Major
Keywords: Bridge obfs4 Private general failure
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by dcf)

I think the problem is in my private bridge, it's just unfindable to me.
I doubt my TBB is the cause since this problem also appears using Whonix.
========================================================================

I have set up a private bridge on one of my servers. When I try to use it with the TBB (Tor Browser Bundle) on one of my laptops, it connects only if I specify no protocol. If I use obfs3 or obfs4 I get errors, and I have already checked that it (the obfs4 plugin) is correctly set on my server.
Weird thing is that if I connect with no protocol, and then once it is connected I change the bridge line and insert obfs3 or obfs4 and keep browsing, then it switches to using the protocol without errors, but if I restart the browser then I get the error. Basically it only fails at starting the connection when I use the obfs3/obfs4 protocols in my private bridge line.

HERE ARE THE OUTPUTs of errors and configs.

1- OUTPUT when I specify no protocol (and it connects successfully and I can normally browse the web with my TBB):

08/03/2017 16:54:51.400 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop 
08/03/2017 16:54:52.100 [NOTICE] Bootstrapped 90%: Establishing a Tor circuit 
08/03/2017 16:54:53.000 [NOTICE] new bridge descriptor 'Unnamed' (fresh): $HERE-IS-MY-SERVER-FINGERPRINT~Unnamed at HERE-IS-MY-SERVER-IP-ADDRESS 
08/03/2017 16:54:54.200 [NOTICE] Tor has successfully opened a circuit. Looks like client functionality is working. 
08/03/2017 16:54:54.200 [NOTICE] Bootstrapped 100%: Done 
08/03/2017 16:54:55.200 [NOTICE] New control connection opened from 127.0.0.1. 
08/03/2017 16:54:55.200 [NOTICE] New control connection opened from 127.0.0.1. 

2-OUTPUT when I specify protocol obfs3 ( and I restart the browser to make the first connection USING the protocol obfs3):

08/03/2017 13:03:45.200 [NOTICE] Bootstrapped 80%: Connecting to the Tor network 
08/03/2017 13:03:45.700 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop 
08/03/2017 13:03:46.200 [WARN] Proxy Client: unable to connect to HERE-IS-MY-SERVER-IP-ADDRESS:27654 ("general SOCKS server failure") 
08/03/2017 13:03:47.100 [WARN] Proxy Client: unable to connect to HERE-IS-MY-SERVER-IP-ADDRESS:27654 ("general SOCKS server failure") 
08/03/2017 13:03:47.700 [WARN] Failed to find node for hop 0 of our path. Discarding this circuit. 
08/03/2017 13:03:47.900 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150 
08/03/2017 13:03:47.900 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
08/03/2017 13:03:47.900 [NOTICE] Closing old Socks listener on 127.0.0.1:9150 
08/03/2017 13:03:48.700 [NOTICE] Delaying directory fetches: DisableNetwork is set. 

3-OUTPUT when I specify protocol obfs4 ( and I restart the browser to make the first connection USING the protocol obfs4):

08/03/2017 12:56:29.300 [NOTICE] Bootstrapped 80%: Connecting to the Tor network 
08/03/2017 12:56:29.600 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop 
08/03/2017 12:56:29.600 [WARN] Proxy Client: unable to connect to HERE-IS-MY-SERVER-IP-ADDRESS:27654 ("general SOCKS server failure") 
08/03/2017 12:56:30.600 [WARN] Proxy Client: unable to connect to HERE-IS-MY-SERVER-IP-ADDRESS:27654 ("general SOCKS server failure") 
08/03/2017 12:56:31.600 [WARN] Failed to find node for hop 0 of our path. Discarding this circuit. 
08/03/2017 12:56:32.600 [WARN] Failed to find node for hop 0 of our path. Discarding this circuit. 
08/03/2017 12:56:33.400 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150 
08/03/2017 12:56:33.400 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
08/03/2017 12:56:33.400 [NOTICE] Closing old Socks listener on 127.0.0.1:9150 
08/03/2017 12:56:33.600 [NOTICE] Delaying directory fetches: DisableNetwork is set. 

4-OUTPUT of my torrc file in my private bridge (my server):

SocksPort 0
ORPort 27654
BridgeRelay 1
PublishServerDescriptor 0
Exitpolicy reject *:*

# Use obfs4proxy to provide the obfs4 protocol.
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy

5-OUTPUT of my /var/log/syslog so you can see that my private bridge server successfully opens circuit and that it SUCCESSFULLY USES the OBFS4 PLUGIN. -if you want to see /var/log/tor/log well it does not exist in my server, instead the /var/log/tor/log gets printed at syslog.:

Aug  3 12:27:53 server1 tor[1607]: Configuration was valid
Aug  3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.488 [notice] Tor 0.3.0.9 (git-100816d92ab5664d) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2g and Zlib 1.2.8.
Aug  3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.488 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Aug  3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.488 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Aug  3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.489 [notice] Read configuration file "/etc/tor/torrc".
Aug  3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.494 [notice] Your ContactInfo config option is not set. Please consider setting it, so we can contact you if your server is misconfigured or somet$
Aug  3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.494 [notice] Based on detected system memory, MaxMemInQueues is set to 768 MB. You can override this by setting MaxMemInQueues by hand.
Aug  3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.495 [notice] I think we have 64 CPUS, but only 1 of them are available. Telling Tor to only use 1. You can override this with the NumCPUs option
Aug  3 12:27:53 server1 tor[1610]: Aug 03 12:27:53.496 [notice] Opening OR listener on 0.0.0.0:27654
Aug  3 12:27:53 server1 Tor[1610]: Can't get entropy from getrandom().
Aug  3 12:27:53 server1 Tor[1610]: Tor 0.3.0.9 (git-100816d92ab5664d) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2g and Zlib 1.2.8.
Aug  3 12:27:53 server1 Tor[1610]: Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Aug  3 12:27:53 server1 Tor[1610]: Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Aug  3 12:27:53 server1 Tor[1610]: Read configuration file "/etc/tor/torrc".
Aug  3 12:27:53 server1 Tor[1610]: Your ContactInfo config option is not set. Please consider setting it, so we can contact you if your server is misconfigured or something else goes wrong.
Aug  3 12:27:53 server1 Tor[1610]: Based on detected system memory, MaxMemInQueues is set to 768 MB. You can override this by setting MaxMemInQueues by hand.
Aug  3 12:27:53 server1 Tor[1610]: I think we have 64 CPUS, but only 1 of them are available. Telling Tor to only use 1. You can override this with the NumCPUs option
Aug  3 12:27:53 server1 Tor[1610]: Opening OR listener on 0.0.0.0:27654
Aug  3 12:27:53 server1 Tor[1610]: We use pluggable transports but the Extended ORPort is disabled. Tor and your pluggable transports proxy communicate with each other via the Extended ORPort so it$
Aug  3 12:27:53 server1 Tor[1610]: Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Aug  3 12:27:53 server1 Tor[1610]: Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Aug  3 12:27:53 server1 Tor[1610]: Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Aug  3 12:27:54 server1 Tor[1610]: Your Tor server's identity key fingerprint is 'Unnamed HERE-IS-MY-SERVER-FINGERPRINT'
Aug  3 12:27:54 server1 Tor[1610]: Your Tor bridge's hashed identity key fingerprint is 'Unnamed HERE-IS-MY-SERVER-bridgedhashed-FINGERPRINT'
Aug  3 12:27:54 server1 Tor[1610]: Bootstrapped 0%: Starting
Aug  3 12:27:56 server1 Tor[1610]: Starting with guard context "default"
Aug  3 12:27:56 server1 Tor[1610]: Bootstrapped 80%: Connecting to the Tor network
Aug  3 12:27:56 server1 systemd[1]: Started Anonymizing overlay network for TCP.
Aug  3 12:27:56 server1 Tor[1610]: Signaled readiness to systemd
Aug  3 12:27:56 server1 Tor[1610]: Opening Control listener on /var/run/tor/control
Aug  3 12:27:56 server1 Tor[1610]: Bootstrapped 85%: Finishing handshake with first hop
Aug  3 12:27:57 server1 Tor[1610]: Bootstrapped 90%: Establishing a Tor circuit
Aug  3 12:27:57 server1 Tor[1610]: Registered server transport 'obfs4' at '[::]:39979'
Aug  3 12:27:58 server1 Tor[1610]: Tor has successfully opened a circuit. Looks like client functionality is working.
Aug  3 12:27:58 server1 Tor[1610]: Bootstrapped 100%: Done
Aug  3 12:27:58 server1 Tor[1610]: Now checking whether ORPort HERE-IS-MY-SERVER-IP-ADDRESS:27654 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Aug  3 12:27:58 server1 Tor[1610]: Self-testing indicates your ORPort is reachable from the outside. Excellent.
Aug  3 12:28:03 server1 Tor[1610]: Performing bandwidth self-test...done.

OUTPUT of my tor version in my private bridge server:

tor:
  Installed: 0.3.0.9-1~xenial+1

My private bridge server OS is Ubuntu 16.04 Xenial.
Sorry I didn't know how to put the code in the boxes since "[code]" doesn't work..

When I connect from my TBB to my private bridge I used the normal syntax:
<protocol(if any)> <myPrivateBridgeAddress>:<port,in my case is 27654> <fingerprint of the bridge>

Please help me, I have even changed OS from debian to ubuntu thinking this would solve the problem. As a matter of fact now I have the same problem as before...


Change History (5)

comment:1 Changed 3 years ago by dcf

Description: modified (diff)

My guess is that you are using the wrong port. You should be using port 39979, not 27654. The obfs4 port is different from the ORPort. Notice this line in the server logs:

Aug  3 12:27:57 server1 Tor[1610]: Registered server transport 'obfs4' at '[::]:39979'

With obfs4, you need more than the bridge address and fingerprint. You also need the cert parameter. You can find the information in datadir/pt_state/obfs4_bridgeline.txt.

I'm a little confused, though, because your client-side tor logs say they were getting to 85% bootstrapped before failing. It shouldn't be able to get that far if you were connecting to the wrong port. I would have expected it to stop at 5% or 10%.

comment:2 in reply to:  1 Changed 3 years ago by cypherpunks

Replying to dcf:

> I'm a little confused, though, because your client-side tor logs say they were getting to 85% bootstrapped before failing. It shouldn't be able to get that far if you were connecting to the wrong port. I would have expected it to stop at 5% or 10%.

I'm 99% sure that it's because he connected to Tor without bridges first and had descriptors cached. Anyway, another reason why the immediate 0% -> 85% is confusing, as stated by ux-team.

comment:3 Changed 3 years ago by cypherpunks

Status: new → needs_information

comment:4 Changed 3 years ago by help-OBFS4-BRIDGE

Status: needs_information → new

Answering to comment:1 & comment:2


Quote myself:

Aug  3 12:27:54 server1 Tor[1610]: Your Tor server's identity key fingerprint is 'Unnamed HERE-IS-MY-SERVER-FINGERPRINT'
Aug  3 12:27:54 server1 Tor[1610]: Your Tor bridge's hashed identity key fingerprint is 'Unnamed HERE-IS-MY-SERVER-bridgedhashed-FINGERPRINT'

I need to use the Tor server's identity key fingerprint not the Tor bridge's hashed identity key fingerprint to connect to the private bridge using obfs4 right? If not I'll have to redo these tests below.
#################################################################################################

Ok, I created another VM and installed the TBB (so it is a clean one, freshly installed, never connected, never used), opened the TBB, selected configure, my ISP is blocking blabla, custom bridges, and I used the following line as "diff" told me (using the cert parameter obtained at /pt_state/obfs4_bridgeline.txt in my private bridge server).
syntax used:

obfs4 HERE-IS-MY-SERVER-IP-ADDRESS:39979 HERE-IS-MY-SERVER-FINGERPRINT cert=HERE-IS-MY-SERVER-CERT iat-mode=0

Tried to connect using port 39979 and output was the following (didn't go further than 10%):

08/04/2017 05:12:48.700 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
08/04/2017 05:12:48.700 [NOTICE] Switching to guard context "bridges" (was using "default") 
08/04/2017 05:12:48.700 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
08/04/2017 05:12:48.700 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
08/04/2017 05:12:48.700 [NOTICE] Opening Socks listener on 127.0.0.1:9150 
08/04/2017 05:12:48.700 [NOTICE] Renaming old configuration file to "/home/user/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc.orig.1" 
08/04/2017 05:12:50.100 [NOTICE] Bootstrapped 5%: Connecting to directory server 
08/04/2017 05:12:50.100 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server 
08/04/2017 05:12:50.700 [WARN] Proxy Client: unable to connect to HERE-IS-MY-SERVER-IP-ADDRESS:39979 ("general SOCKS server failure") 
08/04/2017 05:13:21.600 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150 
08/04/2017 05:13:21.600 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
08/04/2017 05:13:21.600 [NOTICE] Closing old Socks listener on 127.0.0.1:9150 

After that I closed the TBB, waited for about 20 seconds, reopened the TBB, and repeating the same procedure as before, I used the same bridge string but with the port changed to 27654, output (didn't go further than 10% as before):

08/04/2017 05:16:01.400 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
08/04/2017 05:16:01.400 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
08/04/2017 05:16:01.400 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
08/04/2017 05:16:01.400 [NOTICE] Opening Socks listener on 127.0.0.1:9150 
08/04/2017 05:16:03.000 [NOTICE] Bootstrapped 5%: Connecting to directory server 
08/04/2017 05:16:03.000 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server 
08/04/2017 05:16:03.500 [WARN] Proxy Client: unable to connect to HERE-IS-MY-SERVER-IP-ADDRESS:27654 ("general SOCKS server failure") 
08/04/2017 05:16:13.000 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150 
08/04/2017 05:16:13.000 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
08/04/2017 05:16:13.000 [NOTICE] Closing old Socks listener on 127.0.0.1:9150 

I have not restarted/rebooted the server since I opened this ticket, so no ports have changed, nor has the tor service been stopped/restarted/reloaded in any way.
Just to make sure ports were open and functioning here's the output of "netstat -nltp" (ports are open), the only firewall the server goes through allows everything except udp traffic, so the firewall is not a concern:

root@myPrivateBridge:~# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      267/sshd        
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      418/master      
tcp        0      0 0.0.0.0:27654           0.0.0.0:*               LISTEN      1610/tor        
tcp6       0      0 :::22                   :::*                    LISTEN      267/sshd        
tcp6       0      0 :::25                   :::*                    LISTEN      418/master      
tcp6       0      0 :::39979                :::*                    LISTEN      1611/obfs4proxy 

Tell me what more tests I can run please. Using my private bridge without protocol, thus not using obfs4, is useless to me..

Please keep helping me, I'll run all the tests you want.

Last edited 3 years ago by help-OBFS4-BRIDGE

comment:5 Changed 3 years ago by help-OBFS4-BRIDGE

Resolution: fixed
Status: new → closed

YEA!!!!!!!!!!!!!!!!!!!!!!!! FIXED!!!!!!!!!
Basically both users dcf and cypherpunks were right about what they said, the only thing that was missing is that in the syntax to connect to the bridge the keyword "bridge" was missing. (If it doesn't work try "Bridge" with the B in uppercase, but I'm almost sure it's with the lower case.)

So the syntax actually was:
bridge obfs4 <BRIDGE-IP-HERE>:<BRIDGE-OBFS4-PORT(not the 'ORPort')-HERE> <BRIDGE-SERVER-FINGERPRINT-HERE> cert=<YOUR-BRIDGE-CERT-HERE> iat-mode=0

Indeed I only needed to add the keyword "bridge" at the beginning.

THANK ALL!!!! WOULD NOT HAVE BEEN POSSIBLE WITHOUT THE REPLIES AND HELP!!! ALL THE BEST TO YOU!!!

THANK YOU THANK YOU THANK YOU!!!!
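
Added example, not part of the ticket and not Tor's own code: a small Python check that compares a client bridge line with the server's torrc and log, flagging the two problems dcf names in comment:1 (the ORPort used where the obfs4 port belongs, and a missing cert= parameter). The function names are hypothetical, and the address, fingerprint and cert values are constructed placeholders.

```python
import re

# Constructed sample inputs modelled on the ticket; all values are placeholders.
TORRC = "ORPort 27654\nBridgeRelay 1\nServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy\n"
SERVER_LOG = "Aug  3 12:27:57 server1 Tor[1610]: Registered server transport 'obfs4' at '[::]:39979'\n"
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

REGISTERED = re.compile(r"Registered server transport '(\w+)' at '.*:(\d+)'")
ORPORT = re.compile(r"^\s*ORPort\s+(?:\S+:)?(\d+)", re.I | re.M)

def transport_ports(server_log):
    """Map each registered transport name to its listening port."""
    return {name: int(port) for name, port in REGISTERED.findall(server_log)}

def lint_bridge_line(line, server_log=SERVER_LOG, torrc=TORRC):
    """Return a list of problems in a client bridge line (empty if none)."""
    fields = line.split()
    if fields and fields[0].lower() == "bridge":  # optional leading keyword
        fields = fields[1:]
    if not fields:
        return ["empty bridge line"]
    # A first field with ':' is already the address: no transport was named.
    transport = None if ":" in fields[0] else fields.pop(0)
    if not fields or not fields[0].rpartition(":")[2].isdigit():
        return ["missing address:port"]
    port = int(fields.pop(0).rpartition(":")[2])
    fingerprint = fields.pop(0) if fields and "=" not in fields[0] else None
    args = dict(f.split("=", 1) for f in fields if "=" in f)

    m = ORPORT.search(torrc)
    or_port = int(m.group(1)) if m else None
    ports = transport_ports(server_log)
    problems = []
    if fingerprint and not re.fullmatch(r"[0-9A-Fa-f]{40}", fingerprint):
        problems.append("fingerprint is not 40 hex characters")
    if transport is None:
        if port != or_port:
            problems.append(f"plain bridge line should use ORPort {or_port}")
    elif transport not in ports:
        problems.append(f"server log shows no '{transport}' transport registered")
    elif port != ports[transport]:
        kind = "the ORPort" if port == or_port else "not a transport port"
        problems.append(f"port {port} is {kind}; {transport} listens on {ports[transport]}")
    if transport == "obfs4" and "cert" not in args:
        problems.append("obfs4 line has no cert= parameter")
    return problems

if __name__ == "__main__":
    for line in (f"obfs4 192.0.2.10:27654 {FPR}",
                 f"bridge obfs4 192.0.2.10:39979 {FPR} cert=PLACEHOLDER iat-mode=0"):
        print(line, "->", lint_bridge_line(line) or "ok")
```

The obfs3 case from the description is reported as an unregistered transport, because the server log on this page shows only obfs4 being registered.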
