Opened 10 months ago

Closed 9 months ago

Last modified 9 months ago

#32891 closed task (implemented)

Set up default bridge in Denmark

Reported by: phw
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-bridges, TorBrowserTeam202001R, 9.5a5, 9.0.5
Cc: toke@…, cohosh, sysrqb
Actual Points:
Parent ID:
Points: 0.2
Reviewer: boklm
Sponsor:

Description

My former Karlstad University colleague Toke Høiland-Jørgensen generously offered to set up a default bridge, which also speaks IPv6. Let's use this ticket to coordinate this effort and eventually get the new bridge into tor-browser-launcher and tor-android-service.

Change History (10)

comment:1 Changed 10 months ago by tohojo

Right, running a bridge now with this config:

SocksPort 0
ExtORPort auto
ExitPolicy reject *:*

# memory
MaxMemInQueues 1 GB

# more useful statistics
EntryStatistics 1
ExtraInfoStatistics 1
HeartbeatPeriod 1 hour
AssumeReachable 1

# obfs4 and parameters
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportOptions obfs4 iatMode=0

# announce bridges
BridgeRelay 1
BridgeDistribution none

# These ports must be externally reachable.  Avoid port 9001.
ServerTransportListenAddr obfs4 45.145.95.6:27015
OutboundBindAddress [2a0c:4d80:42:702::1]
OutboundBindAddress 45.145.95.6
ORPort 45.145.95.6:27018
Address 45.145.95.6

# identity
Nickname dktoke
ContactInfo abuse@toke.dk

The server has a v6-to-v4 proxy setup so the same bridge is available via IPv6, resulting in these two bridge lines:

Bridge lines:

obfs4 45.145.95.6:27015 C5B7CD6946FF10C5B3E89691A7D3F2C122D2117C cert=TD7PbUO0/0k6xYHMPW3vJxICfkMZNdkRrb63Zhl5j9dW3iRGiCx0A7mPhe5T2EDzQ35+Zw iat-mode=0
obfs4 [2a0c:4d80:42:702::1]:27015 C5B7CD6946FF10C5B3E89691A7D3F2C122D2117C cert=TD7PbUO0/0k6xYHMPW3vJxICfkMZNdkRrb63Zhl5j9dW3iRGiCx0A7mPhe5T2EDzQ35+Zw iat-mode=0

Also available in DNS as tor-bridge.toke.dk.

comment:2 Changed 10 months ago by phw

For the record, we ran into an issue with the IPv6 bridge because it was configured to be IPv6-only, meaning that it did not have an IPv4 address in its descriptor. This resulted in the bridge being unable to create its own descriptor and I was unable to bootstrap a connection over the bridge. We solved this problem by running an IPv4-only bridge and configuring a port forward from an IPv6 address to the IPv4 address.

comment:3 Changed 10 months ago by tohojo

Yes. In case anyone wants to replicate it, I set up the port using systemd sockets and netcat, using these two files:

/etc/systemd/system/tor-proxy-defaultbr.socket:

[Unit]
Description=Socket for IPv6 proxying of Tor defaultbr

[Socket]
ListenStream=[2a0c:4d80:42:702::1]:27015
BindIPv6Only=yes
Accept=yes
TriggerLimitIntervalSec=0

[Install]
WantedBy=multi-user.target

/etc/systemd/system/tor-proxy-defaultbr@.service:

[Unit]
Description=Tor defaultbr netcat proxy

[Service]
ExecStart=/bin/nc 45.145.95.6 27015
StandardInput=socket
StandardOutput=socket
StandardError=journal
SuccessExitStatus=1
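
Added example, not part of the ticket or of any Tor Project code: a check that an IPv4 bridge line and the line for its IPv6 port forward describe the same obfs4 bridge, which the forward in comment 3 relies on since it only relays bytes to the one IPv4 listener. The sample lines are constructed (documentation addresses, made-up fingerprint and cert), the function names are hypothetical, and the 52-byte cert length is taken from obfs4's cert layout (20-byte node ID plus 32-byte public key).

```python
import base64
import ipaddress
import re

# obfs4 bridge line: transport, address:port, 40-hex fingerprint, cert, iat-mode.
LINE_RE = re.compile(
    r"^obfs4 (\[[0-9A-Fa-f:]+\]|[0-9.]+):(\d+) ([0-9A-Fa-f]{40}) "
    r"cert=([A-Za-z0-9+/]+) iat-mode=([012])$"
)

def parse_bridge_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an obfs4 bridge line: {line!r}")
    host, port, fpr, cert, iat = m.groups()
    addr = ipaddress.ip_address(host.strip("[]"))  # ValueError if malformed
    if not 0 < int(port) < 65536:
        raise ValueError(f"port out of range: {port}")
    # The cert is unpadded base64 and must decode to 52 bytes.
    raw = base64.b64decode(cert + "=" * (-len(cert) % 4), validate=True)
    if len(raw) != 52:
        raise ValueError(f"cert decodes to {len(raw)} bytes, expected 52")
    return {"addr": addr, "port": int(port), "fingerprint": fpr.upper(),
            "cert": cert, "iat_mode": int(iat)}

def forwarded_pair_problems(lines):
    """Return a list of problems; empty means one bridge reachable on v4 and v6."""
    bridges = [parse_bridge_line(l) for l in lines]
    problems = []
    # A port forward does not change the bridge identity or its obfs4 cert.
    for key in ("fingerprint", "cert"):
        if len({b[key] for b in bridges}) != 1:
            problems.append(f"{key} differs between lines")
    if sorted(b["addr"].version for b in bridges) != [4, 6]:
        problems.append("expected exactly one IPv4 and one IPv6 address")
    return problems

# Constructed sample input, not the bridge from this ticket.
SAMPLE_CERT = base64.b64encode(bytes(range(52))).decode().rstrip("=")
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_LINES = [
    f"obfs4 192.0.2.10:27015 {SAMPLE_FPR} cert={SAMPLE_CERT} iat-mode=0",
    f"obfs4 [2001:db8::10]:27015 {SAMPLE_FPR} cert={SAMPLE_CERT} iat-mode=0",
]

if __name__ == "__main__":
    print(forwarded_pair_problems(SAMPLE_LINES) or "lines describe one bridge")
```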

comment:4 Changed 10 months ago by phw

Status: new → needs_review

I also updated our sysmon.conf and added both bridges to our default bridges wiki page.

comment:5 Changed 10 months ago by gk

Keywords: TorBrowserTeam202001R added

comment:6 Changed 9 months ago by boklm

Reviewer: boklm

comment:7 in reply to:  4 ; Changed 9 months ago by boklm

Cc: sysrqb added

Replying to phw:

This looks good to me. I merged the patch to master with commit 215aed39ee177bd0a371e8e4b6d7de3fcf69ffed, and cherry-picked it to maint-9.0 as commit 82672d50af26c862214f3c1c2670897f94a9dbf9.

This looks good to me too, however I don't have write access on this repository, so someone else (sysrqb?) will have to push it.

comment:8 in reply to:  7 ; Changed 9 months ago by sysrqb

Resolution: implemented
Status: needs_review → closed

Replying to boklm:

Replying to phw:

This looks good to me. I merged the patch to master with commit 215aed39ee177bd0a371e8e4b6d7de3fcf69ffed, and cherry-picked it to maint-9.0 as commit 82672d50af26c862214f3c1c2670897f94a9dbf9.

This looks good to me too, however I don't have write access on this repository, so someone else (sysrqb?) will have to push it.

Thanks! Merged this as 18ba7d2780b1d5194cc5854d703655f6c9d3d196.

comment:9 in reply to:  8 Changed 9 months ago by sysrqb

Keywords: 9.5a5 9.0.4 added

Replying to sysrqb:

Replying to boklm:

Replying to phw:

This looks good to me. I merged the patch to master with commit 215aed39ee177bd0a371e8e4b6d7de3fcf69ffed, and cherry-picked it to maint-9.0 as commit 82672d50af26c862214f3c1c2670897f94a9dbf9.

This looks good to me too, however I don't have write access on this repository, so someone else (sysrqb?) will have to push it.

Thanks! Merged this as 18ba7d2780b1d5194cc5854d703655f6c9d3d196.

And merged on maint-9.0 as commit 0d50bcb46dc0ec08c7076d26da3eb561ba10d6b1.

comment:10 Changed 9 months ago by sysrqb

Keywords: 9.0.5 added; 9.0.4 removed