Running an obfs4 Tor bridge on port 80/443

Note: 2018 version here.

I’m a big fan of Tor. Not that I live in a country where it’s really needed, but just for the fun of it. Most of non-techie people think it’s just a mess of illegal stuff, they just ignore the fact that a lot of people live in countries where there’s no speech freedom, or limited internet access.

Personally, I occasionally work in places where there are very restrictive firewalls which block non standard ports and do packet inspection, so I wasn’t even able to get out on port 80 with a protocol which wasn’t http! So I needed obfuscated bridges, on port 80.

In the past I bought a cheap VPS via LowEndBox, and installed there an obfs3 Tor bridge. At that time there was no proper way to run obfs3proxy on privileged port (< 1024), and the only way I found on StackExchange was to do some hackish port forwarding. And my bridge is happily doing it’s job.

Lately I was thinking about it and I thought it was a shame to be the only one using it, since due to the forwards it was not publicly advertised and thus not usable by others. And there’s always need of Tor Bridges on port 80 or 443. So I investigated if there was a better way to run a bridge, and thanks to a comment (on StackExchange, again) I was directed to obfs4proxy, which allows binding on port below 1024 without big deals.

So even I wanted to share the whole setup.

First, there are two ways to install obfs4proxy: via Tor repository or by compiling it.

Install obfs4proxy via Tor packages

The easiest and more convenient way to install obfs4proxy is using packages. Debian (from jessie and above) and Ubuntu (from xenial and up) already provide the package. But it’s often better to use Tor’s repository, as might provide a more up to date version (if the distro is supported).

Follow these step to configure the Tor repository on Debian/Ubuntu based distributions.

First visit Tor website to obtain the sources.list. Once done paste the two lines with the one below into a new file /etc/apt/sources.list.d/tor.list:

deb http://deb.torproject.org/torproject.org obfs4proxy main

Then run these commands (the same on the link above) to import the GPG key and install tor and obfs4proxy:


gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
apt-get update
apt-get install tor deb.torproject.org-keyring obfs4proxy

That’s it’.

Install obfs4proxy by compiling it

We need some dependencies. Please note you need Go 1.2.0 or later, so for some Ubuntu versions (like 14.04) you need a PPA.


apt-get install golang git-core

Then build it:


go get git.torproject.org/pluggable-transports/obfs4.git/obfs4proxy

cp $GOPATH/bin/obfs4proxy /usr/local/bin

Done…

Prepare obfs4proxy binary

As written on the project’s README, we need to allow obfs4proxy binary bind privileged ports with the following command:


setcap 'cap_net_bind_service=+ep' /usr/bin/obfs4proxy

If you installed from sources fix the path.

Configure Tor

Get rid of the default torrc and create a new one:


mv /etc/tor/torrc{,_DEFAULT}

cat &amp;lt;&amp;lt; EOF &amp;gt; /etc/tor/torrc
ExitPolicy reject *:*
#Bridge config
RunAsDaemon 1
ORPort&amp;amp;amp;nbsp;4235
BridgeRelay 1
ServerTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs3 [::]:443
ServerTransportListenAddr obfs4 [::]:80
ExtORPort auto
ContactInfo your &amp;lt;contact@info&amp;gt;
Nickname &amp;lt;node_nickname&amp;gt;
EOF

First of all, if you compiled from source fix again the obfs4proxy path.

Since obfs4proxy can still work with obfs3 protocol, in this file I’ve chosen to have two listening ports, one for obfs4 and one for obfs3.

The ServerTransportListenAddr allows to specifically choose which ports the obfuscator should listen to, and to what IPs. In this case the [::] specification means to listen to all IPv6 and IPv4 addresses. If you don’t have IPv6 configured on your node just replace it with the more common 0.0.0.0.

The default ORPort is 9001, but that could ease bridges fingerprinting. Choose a random port is better for the bridge’s usability.

Once you’re satisfied restart tor service, and don’t forget to open the ports above (4235, 443, 80, all TCP) on your firewall!

Done!

Adding your obfs4 Tor bridge to torrc or Tor Browser

Last, if you want to benefit yourself from your bridge let’s see how to configure it.

obfs4 transport has a rather different syntax than the old obfs3. In the latter it’s enough to write ip:port syntax, while in obfs4 you must add some parameters. So get back on the server and:

  1. get Tor’s fingerprint with either one of the two commands below
    tor --list-fingerprint
    cat /var/lib/tor/fingerprint
    

    which returns node’s nickname and fingerprint (remove the spaces between the hash value, if present);

  2. get brige’s cert hash and options with the command
    cat /var/lib/tor/pt_state/obfs4_bridgeline.txt
    

    and copy the last line.

Now you’re ready to complete the Tor client config. Paste the line obtained at step 2 above and replace <IP ADDRESS>:<PORT> <FINGERPRINT> respectively with Tor node’s IP, port, and the hash returned at step 1. Don’t forget to tell Tor to use bridges. So in summary, if you want to use bridges in your torrc add the following lines:


UseBridges 1
ClientTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy
Bridge obfs4 ip_of_your_server:80 fingerprint_hash cert=1+hash_obtained_at_&amp;amp;amp;amp;nbsp;iat-mode=0

If you want to configure Tor Browser click on the onion button right left the address bar, click Tor Network Settings… then Enter custom bridges and add the line above, except the leading Bridge word.

Useful links
Credits

Heading image by Modestas Urbonas.

3 pensieri su “Running an obfs4 Tor bridge on port 80/443

  1. Hi,
    There is a vital missing part in your howto and actually my stock status: how do you create the master cert and its hash and options ?
    Cause in my cnetos machine the “/pt_state/obfs4_bridgeline.txt” does not exist. Can you explain please this?

Lascia un commento

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *

Solve : *
26 − 7 =


Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.