wiki:FlashProxyHowto

Flash proxy works differently than other transports, and you need to take some extra steps to get it to work. Most probably, you will need to configure port forwarding. You also need a copy of the Tor Browser Bundle with support for pluggable transports. This page describes how to configure the browser bundle and deal with other situations that may arise.

When you start the flash proxy software, your computer's external IP address is sent in a covert and encrypted way to the flash proxy facilitator. Shortly after that, several web browsers will try to connect to your computer in order to give you access to Tor. Your computer needs to be able to receive these connections, and port forwarding is the usual way to do that.

In some cases these steps may not be necessary, such as when you use IPv6, or when your computer is not behind network address translation (NAT).

Setting up port forwarding

The steps needed to enable port forwarding unfortunately differ depending on your networking equipment. But the overall procedure is usually the same. You load the IP address of your router (it is often 192.168.0.1 or 192.168.1.1) in a web browser, and follow the configuration instructions. This article has a summary:

The default external port you have to open is TCP port 9000. The easiest thing to do is to forward the external port 9000 to port 9000 on your internal IP address. Using a different, randomly chosen port number will make you more resistant to censorship, but it requires editing your torrc file.

Configuring the browser bundle (first run)

The first time you run the browser bundle, you will have the chance to configure settings needed for flash proxy. If it's not the first time you are running the browser bundle, then look at the section on configuring the browser bundle (later runs).

The browser bundle will ask you if you want to Connect or Configure. Click Configure.

Tor Launcher Connect/Configure panel.

You must answer No to the question Does this computer need to use a proxy to access the Internet? Pluggable transports are not compatible with upstream proxies.

Tor Launcher proxy panel.

The next question Does this computer's Internet connection go through a firewall that only allows connections to certain ports? does not affect flash proxy. Say No.

Tor Launcher firewall panel.

At the question Does your Internet Service Provider (ISP) block or otherwise censor connections to the Tor Network?, answer Yes.

Tor Launcher blocking panel.

In the bridge settings screen, choose Connect with provided bridges and select flashproxy from the selection box.

Tor Launcher bridges panel.

You may have to allow the program flashproxy-client.exe through your firewall. This is because flash proxy opens a listening port in order to receive connections from proxies. (It's the same reason that you need to configure port forwarding.)

Windows firewall alert.

Configuring the browser bundle (later runs)

If it's not your first time running the browser bundle, you can access the network settings by clicking the onion icon and selecting Open Network Settings.

Where the onion icon is.

In the Tor Network Settings window, check the box that says My Internet Service Provider (ISP) blocks connections to the Tor network and select flashproxy under Connect with provided bridges.

Tor Network Settings window.

Finding torrc

You need to edit your torrc file if you want to change the port that flash proxy listens on (by default it is TCP port 9000), or if you want to change some other options like logging. torrc is inside a directory called Data/Tor inside the browser bundle.

There are actually two files you need to access: torrc and torrc-defaults. The default settings are in torrc-defaults, including the ClientTransportPlugin flashproxy line that is used to configure flash proxy. In order to make changes to the default settings, you need to copy the line from torrc-defaults and paste it into torrc. The reason for this is that any changes you make to torrc-defaults will be erased when you upgrade your browser bundle, while changes made to torrc will remain.

On Windows, open the folder Data\Tor, right-click on torrc, and select Open with. You can edit the file using Notepad.

A screenshot of finding torrc in a Windows browser bundle.

On OS X, you must right-click or command-click on the browser bundle icon, and select "Show Package Contents". Then go to the folder Data/Tor and double-click torrc to open.

A screenshot of the "Show Package Contents" menu on Mac OS X. A screenshot of finding torrc in a Mac OS X browser bundle.

On GNU/Linux, open the file Data/Tor/torrc in a text editor.

Changing settings

The default settings are in a file called torrc-defaults in the same directory as torrc. In order to change the default settings for flash proxy, you must copy this line from torrc-defaults and paste it into torrc:

ClientTransportPlugin websocket exec Tor\PluggableTransports\flashproxy-client --register :0 :9000

The configuration in torrc takes precedence over the configuration in torrc-defaults. Depending on your platform, the line may have PluggableTransports/flashproxy-client or ./Tor/PluggableTransports/flashproxy-client in place of Tor\PluggableTransports\flashproxy-client . This is normal. Just remember not to change anything before flashproxy-client.

The --register part tells the client program to send your address to the flash proxy facilitator. You won't get any service without this, so leave it there.

The :0 part is the local SOCKS listening port. This is the port that receives connections from the Tor running in the browser bundle. The special value :0 means that a random port is chosen. You don't have to change this part.

The :9000 part is the external listening port number. This is what you have to change if you have forwarded a different port. Suppose you have forwarded port 39208, for example. Then you would change the line to

ClientTransportPlugin websocket exec Tor\PluggableTransports\flashproxy-client --register :0 :39208

For a list of other options you can pass to flashproxy-client, see the man page at https://gitweb.torproject.org/flashproxy.git/blob/HEAD:/doc/flashproxy-client.1.txt.

Using IPv6 (or forcing IPv4)

Sometimes IPv6 connections are less censored, or are not subject to NAT. In this case, you can force the use of IPv6 only by adding the -6 option to the command line. For example,

ClientTransportPlugin websocket exec Tor\PluggableTransports\flashproxy-client --register :0 :9000 -6

If you are on a dual-stack (both IPv4 and IPv6) system, and have forwarded an IPv4 port, there is a chance that flashproxy-client will use IPv6 anyway, and you won't receive any connections. To force the use of IPv4, use the -4 option.

ClientTransportPlugin websocket exec Tor\PluggableTransports\flashproxy-client --register :0 :9000 -4

Troubleshooting

After starting the browser bundle, you should receive a connection from a flash proxy within 60 seconds. If the Tor log shows anything above 10%, it means that you got some level of flash proxy service. Look for the bridge fingerprint of the websocket bridge in the log:

[notice] new bridge descriptor '3VXRyxz67OeRoqHn' (fresh): $86FA348B038B6A04F2F50135BF84BB74EF63485B~3VXRyxz67OeRoqHn at 0.0.1.0

Try adding the --log option to the flashproxy-client command line. This will create a log file somewhere inside the browser bundle folder. The log file will have a line for every new proxy connection. For example,

ClientTransportPlugin websocket exec Tor\PluggableTransports\flashproxy-client --register :0 :9000 --log flashproxy-client.txt

Consider making a report of your experience, good or bad, at the flash proxy usability page.

Last modified 4 weeks ago Last modified on Mar 19, 2014 7:24:09 AM

Attachments (14)

Download all attachments as: .zip