Opened 10 months ago

Last modified 3 months ago

#26920 new enhancement

Deploy Marionette as a Pluggable Transport

Reported by: Marionette Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: Marionette tor-pt
Cc: dcf, ahf, gk, cohosh Actual Points:
Parent ID: Points:
Reviewer: Sponsor: Sponsor19


This is a ticket to organize the deployment of Marionette as a new pluggable transport integrated into Tor. The original code is currently located at It has already been shown to be compatible with Tor in March in its Python encumbered form. Currently, it can be compiled as a completely standalone binary, and therefore should be easy to integrate. We would like it to be integrated before the end of September.

To run it as a bridge, currently, use the torcc files in the etc/tor directory in the github repository above.

Child Tickets

#29623defectnewtbb-teamDeploy Marionette in Linux nightly builds

Change History (7)

comment:1 Changed 10 months ago by dcf

Cc: dcf added
Component: Obfuscation/Pluggable transportApplications/Tor Browser
Owner: changed from asn to tbb-team
Priority: Very HighMedium

tor-dev thread

We are now ready to integrate Marionette, or at least have it evaluated, as a bridge for the Tor browser in its Pythonless form.

At the Tor meeting in March, we successfully operated Marionette as a bridge by implementing the PT v2.0 specification (Thanks ahf!).

Now we have a new version of Marionette which operates as a stand-alone binary (NO PYTHON!). I checked that it still forms a bridge, like at the Tor meeting. We also have a wider variety of transports enabled.

We are in the process of writing the documentation for Marionette, but the documentation on the web page should be sufficient for at least getting a full evaluation started. We'd like to have the evaluation complete by the end of next month, hopefully the middle of next month, and stand ready to make any and all changes necessary.

A full set of documentation will also be written for designing your own protocols. This is in process.

comment:2 Changed 6 months ago by arma

Cc: ahf added
Sponsor: Sponsor19

comment:3 Changed 5 months ago by gaba

Keywords: tor-pt added

comment:4 Changed 4 months ago by gk

Cc: gk added

comment:5 Changed 3 months ago by cohosh

I have a marionette bridge set up for testing.

Bridge Info

You can add the following line to the client's torrc file:

Bridge marionette

The hashed-fingerprint is F669BDEFC46E6F441A87418579A653C1D35BCF6F

This bridge also has an IPv6 address: 2604:a880:cad:d0::30:1

Testing specifics

You can place quite a bit of load on this one. I've placed an accounting max of 1TB/month on the bridge.

Build process for marionette

It took some work to build the marionette server and configure the torrc file at the bridge. Right now it does not work out the box and the given torrc files in the marionette repository need to be modified for production bridge use.

I've created a pull request to fix the compilation and linking issues here:

These are the steps that I followed to build and deploy marionette:

  1. Build the dependencies ./ Note: you should run this script instead of following the User Guide. This will install the dependencies locally instead of system-wide and put them in the directory third_party/libs (which is where marionette later assumes they will be)
  1. go build
  1. go install ./cmd/marionette
  1. Place the binary (located locally in $GOPATH/bin) in /usr/local/bin/ of the bridge server

Here's a sample torrc file that will work:

Nickname pick-a-nickname
ContactInfo you <your email>
RunAsDaemon 0
Log notice stderr

BridgeRelay 1
ORPort 9001
ExtORPort 9002
#IPv6 is also enabled
ORPort [ipv6 address]:9001

ServerTransportPlugin marionette exec /usr/local/bin/marionette pt-server -log-file /var/log/tor/marionette-server.log -format http_simple_blocking

# Marionette gets its listening port from its specification document.
# This should be fixed before deployment. We hardcode this value to 8081.
ServerTransportListenAddr marionette

I've verified the bridge is working by connecting with a client with the following torrc file:

RunAsDaemon 0
Log notice stderr
DataDirectory datadir

SocksPort 19050

UseBridges 1

# See comment in torrc.server for information about why this must always be 8081.
Bridge marionette

ClientTransportPlugin marionette exec ./marionette pt-client -log-file marionette-client.log -format http_simple_blocking

Other notes on marionette

  • The dependencies for marionette are still a bit troublesome. I'm worried that they will be difficult to maintain and easily go out of date. I see that python is no longer required which seems to be an improvement but I'm curious about the need for re2 and openfst.
  • It would be nice to fix the listen port to not be hardcoded:
    # Marionette gets its listening port from its specification document.
    # This should be fixed before deployment. We hardcode this value to 8081.
    ServerTransportListenAddr marionette

At cmd/marionette/pt_server.go:86

                // Marionette always listen on port 8081 so we ignore TOR.
                // This should probably be fixed.
                host, port, err := net.SplitHostPort(bindAddr.Addr.String())
Last edited 3 months ago by cohosh (previous) (diff)

comment:6 Changed 3 months ago by cohosh

Cc: cohosh added

comment:7 Changed 3 months ago by cohosh

Just commenting to say that I've reallocated some resouces and have updated information for this bridge:

Note: See TracTickets for help on using tickets.