wiki:doc/PluggableTransports/obfs4proxy

This guide will help you run an obfs4 bridge to help censored users connect to the Tor network.

If you're a censored user and need a bridge to connect, please see How to use a PT bridge.

Note: This guide is intended for Debian based machines. If you're running other *nix systems, you should probably compile obfs4 from source.

  1. Install Tor:

    Get the latest version of Tor. If you're on Debian stable sudo apt-get install tor should give you the latest stable version of Tor.

    Note:
    Ubuntu users need to get it from Tor repository. Please see "Download instructions for Ubuntu".
  2. Install obfs4proxy:

    obfs4proxy package is available on sid, stretch and jessie. If you're running any of them, sudo apt-get install obfs4proxy should work.
    If not, you can either add deb http://deb.torproject.org/torproject.org obfs4proxy main to your sources.list or build it from source.
  3. Edit your Tor config file, usually located at /etc/tor/torrc and add the following lines:

    #Bridge config
    RunAsDaemon 1
    ORPort 9001
    BridgeRelay 1
    ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
    # For a fixed obfs4 port (i.e. 9002), uncomment the following line.
    #ServerTransportListenAddr obfs4 0.0.0.0:9002
    # Local communication port between Tor and obfs4. Always set this to "auto". "Ext" means
    # "extended", not "external". Don't try to set a specific port number, nor listen on 0.0.0.0.
    ExtORPort auto
    
    #Set your bridge nickname and contact info
    ContactInfo <your-contact-info>
    Nickname pick-a-nickname
    

    Don't forget to change contact info and nickname values.
  4. Restart tor: service tor restart.
  5. Monitor your logs (usually in your syslog), to confirm your bridge is running with no issues.

    You should see something like this:

    [notice] Your Tor server's identity key fingerprint is '<NICKNAME> <FINGERPRINT>'
    [notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME> <HASHED FINGERPRINT>'
    [notice] Registered server transport 'obfs4' at '[::]:46396'
    [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
    [notice] Bootstrapped 100%: Done
    [notice] Now checking whether ORPort <redacted>:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
    [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
    

Remember the random port associated to your bridge needs to be open for incoming connections. You can find it from the logs: it's 46396 in this example. To use a fixed port, use the ServerTransportListenAddr option in your Tor config file.

Congrats! If you get to this point, it means that your obfs4 bridge is setup and is being distributed by BridgeDB to censored users. If you want to connect to the bridge manually, you'll need to know the bridge's obfs4 certificate. See the file /var/lib/tor/pt_state/obfs4_bridgeline.txt and paste the entire bridge line into Tor Browser:

Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=<CERTIFICATE> iat-mode=0

You'll need to replace <IP ADDRESS>, <PORT>, and <FINGERPRINT> with the actual values, which you can find in the tor log. Make sure to use <FINGERPRINT>, not <HASHED FINGERPRINT>; and that <PORT> is the one from the log line Registered server transport 'obfs4', not the one from the line Now checking whether ORPort ... is reachable.

If you run into any issues while setting up your bridge, please join #tor-relays channel on OFTC IRC network and hopefully someone can help you.

Last modified 5 days ago Last modified on Oct 17, 2018, 6:11:34 AM