Set up default bridge in Denmark

My former Karlstad University colleague Toke Høiland-Jørgensen generously offered to set up a default bridge, which also speaks IPv6. Let's use this ticket to coordinate this effort and eventually get the new bridge into tor-browser-launcher and tor-android-service.

added 9.0.5 9.5a5 TorBrowserTeam202001R component::applications/tor browser owner::tbb-team points::0.2 priority::medium resolution::implemented reviewer::boklm severity::normal status::closed tbb-bridges type::task labels

Right, running a bridge now with this config:

SocksPort 0
ExtORPort auto
ExitPolicy reject *:*

# memory
MaxMemInQueues 1 GB

# more useful statistics
EntryStatistics 1
ExtraInfoStatistics 1
HeartbeatPeriod 1 hour
AssumeReachable 1

# obfs4 and parameters
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportOptions obfs4 iatMode=0

# announce bridges
BridgeRelay 1
BridgeDistribution none

# These ports must be externally reachable.  Avoid port 9001.
ServerTransportListenAddr obfs4 45.145.95.6:27015
OutboundBindAddress [2a0c:4d80:42:702::1]
OutboundBindAddress 45.145.95.6
ORPort 45.145.95.6:27018
Address 45.145.95.6

# identity
Nickname dktoke
ContactInfo abuse@toke.dk

The server has a v6-to-v4 proxy setup so the same bridge is available via IPv6, resulting in these two bridge lines:

Bridge lines:

obfs4 45.145.95.6:27015 C5B7CD6946FF10C5B3E89691A7D3F2C122D2117C cert=TD7PbUO0/0k6xYHMPW3vJxICfkMZNdkRrb63Zhl5j9dW3iRGiCx0A7mPhe5T2EDzQ35+Zw iat-mode=0
obfs4 [2a0c:4d80:42:702::1]:27015 C5B7CD6946FF10C5B3E89691A7D3F2C122D2117C cert=TD7PbUO0/0k6xYHMPW3vJxICfkMZNdkRrb63Zhl5j9dW3iRGiCx0A7mPhe5T2EDzQ35+Zw iat-mode=0

Also available in DNS as tor-bridge.toke.dk.

Trac:
Username: tohojo

For the record, we ran into an issue with the IPv6 bridge because it was configured to be IPv6-only, meaning that it did not have an IPv4 address in its descriptor. This resulted in the bridge being unable to create its own descriptor and I was unable to bootstrap a connection over the bridge. We solved this problem by running an IPv4-only bridge and configuring a port forward from an IPv6 address to the IPv4 address.

Yes. In case anyone wants to replicate it, I setup the port using systemd sockets and netcat, using these two files:

/etc/systemd/system/tor-proxy-defaultbr.socket:

[Unit]
Description=Socket for IPv6 proxying of Tor defaultbr

[Socket]
ListenStream=[2a0c:4d80:42:702::1]:27015
BindIPv6Only=yes
Accept=yes
TriggerLimitIntervalSec=0

[Install]
WantedBy=multi-user.target

/etc/systemd/system/tor-proxy-defaultbr@.service:

[Unit]
Description=Tor defaultbr netcat proxy

[Service]
ExecStart=/bin/nc 45.145.95.6 27015
StandardInput=socket
StandardOutput=socket
StandardError=journal
SuccessExitStatus=1

Trac:
Username: tohojo

• My task/32891 branch has a patch for tor-browser-build.
• My task/32891 branch has a patch for tor-android-service.

I also updated our sysmon.conf and added both bridges to our default bridges wiki page.

Trac:
Status: new to needs_review

Trac:
Keywords: N/A deleted, TorBrowserTeam202001R added

Trac:
Reviewer: N/A to boklm

Replying to phw:

• My task/32891 branch has a patch for tor-browser-build.

This looks good to me. I merged the patch to master with commit 215aed39ee177bd0a371e8e4b6d7de3fcf69ffed, and cherry-picked it to maint-9.0 as commit 82672d50af26c862214f3c1c2670897f94a9dbf9.

• My task/32891 branch has a patch for tor-android-service.

This looks good to me too, however I don't have write access on this repository, so someone else (sysrqb?) will have to push it.

Trac:
Cc: toke@toke.dk, cohosh to toke@toke.dk, cohosh, sysrqb

Replying to boklm:

Replying to phw:

• My task/32891 branch has a patch for tor-browser-build.

This looks good to me. I merged the patch to master with commit 215aed39ee177bd0a371e8e4b6d7de3fcf69ffed, and cherry-picked it to maint-9.0 as commit 82672d50af26c862214f3c1c2670897f94a9dbf9.

• My task/32891 branch has a patch for tor-android-service.

This looks good to me too, however I don't have write access on this repository, so someone else (sysrqb?) will have to push it.

Thanks! Merged this as 18ba7d2780b1d5194cc5854d703655f6c9d3d196.

Trac:
Status: needs_review to closed
Resolution: N/A to implemented

Replying to sysrqb:

Replying to boklm:

Replying to phw:

• My task/32891 branch has a patch for tor-browser-build.

This looks good to me. I merged the patch to master with commit 215aed39ee177bd0a371e8e4b6d7de3fcf69ffed, and cherry-picked it to maint-9.0 as commit 82672d50af26c862214f3c1c2670897f94a9dbf9.

• My task/32891 branch has a patch for tor-android-service.

This looks good to me too, however I don't have write access on this repository, so someone else (sysrqb?) will have to push it.

Thanks! Merged this as 18ba7d2780b1d5194cc5854d703655f6c9d3d196. And merged on maint-9.0 as commit 0d50bcb46dc0ec08c7076d26da3eb561ba10d6b1.

Trac:
Keywords: N/A deleted, 9.5a5, 9.0.4 added

Trac:
Keywords: 9.0.4 deleted, 9.0.5 added

closed

changed time estimate to 1h 36m

moved to tpo/applications/tor-browser#32891 (closed)