Running an obfs4 Tor bridge on port 80/443

I’m a big fan of Tor. Not that I live in a country where it’s really needed, but just for the fun of it. Most of non-techie people think it’s just a mess of illegal stuff, they just ignore the fact that a lot of people live in countries where there’s no speech freedom, or limited internet access.

Personally, I occasionally work in places where there are very restrictive firewalls which block non standard ports and do packet inspection, so I wasn’t even able to get out on port 80 with a protocol which wasn’t http! So I needed obfuscated bridges, on port 80.

In the past I bought a cheap VPS via LowEndBox, and installed there an obfs3 Tor bridge. At that time there was no proper way to run obfs3proxy on privileged port (< 1024), and the only way I found on StackExchange was to do some hackish port forwarding. And my bridge is happily doing it’s job.

Lately I was thinking about it and I thought it was a shame to be the only one using it, since due to the forwards it was not publicly advertised and thus not usable by others. And there’s always need of Tor Bridges on port 80 or 443. So I investigated if there was a better way to run a bridge, and thanks to a comment (on StackExchange, again) I was directed to obfs4proxy, which allows binding on port below 1024 without big deals.

So even I wanted to share the whole setup.

First, there are two ways to install obfs4proxy: via Tor repository or by compiling it.

Install obfs4proxy via Tor packages

The easiest and more convenient way to install obfs4proxy is using packages. Debian (from jessie and above) and Ubuntu (from xenial and up) already provide the package. But it’s often better to use Tor’s repository, as might provide a more up to date version (if the distro is supported).

Follow these step to configure the Tor repository on Debian/Ubuntu based distributions.

First visit Tor website to obtain the sources.list. Once done paste the two lines with the one below into a new file /etc/apt/sources.list.d/tor.list:

deb obfs4proxy main

Then run these commands (the same on the link above) to import the GPG key and install tor and obfs4proxy:

gpg --keyserver --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
apt-get update
apt-get install tor obfs4proxy

That’s it’.

Install obfs4proxy by compiling it

We need some dependencies. Please note you need Go 1.2.0 or later, so for some Ubuntu versions (like 14.04) you need a PPA.

apt-get install golang git-core

Then build it:

go get

cp $GOPATH/bin/obfs4proxy /usr/local/bin


Prepare obfs4proxy binary

As written on the project’s README, we need to allow obfs4proxy binary bind privileged ports with the following command:

setcap 'cap_net_bind_service=+ep' /usr/bin/obfs4proxy

If you installed from sources fix the path.

Configure Tor

Get rid of the default torrc and create a new one:

mv /etc/tor/torrc{,_DEFAULT}

cat << EOF > /etc/tor/torrc
ExitPolicy reject *:*
#Bridge config
RunAsDaemon 1
BridgeRelay 1
ServerTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs3 [::]:443
ServerTransportListenAddr obfs4 [::]:80
ExtORPort auto
ContactInfo your <contact@info>
Nickname <node_nickname>

First of all, if you compiled from source fix again the obfs4proxy path.

Since obfs4proxy can still work with obfs3 protocol, in this file I’ve chosen to have two listening ports, one for obfs4 and one for obfs3.

The ServerTransportListenAddr allows to specifically choose which ports the obfuscator should listen to, and to what IPs. In this case the [::] specification means to listen to all IPv6 and IPv4 addresses. If you don’t have IPv6 configured on your node just replace it with the more common

The default ORPort is 9001, but that could ease bridges fingerprinting. Choose a random port is better for the bridge’s usability.

Once you’re satisfied restart tor service, and don’t forget to open the ports above (4235, 443, 80, all TCP) on your firewall!


Adding your obfs4 Tor bridge to torrc or Tor Browser

Last, if you want to benefit yourself from your bridge let’s see how to configure it.

obfs4 transport has a rather different syntax than the old obfs3. In the latter it’s enough to write ip:port syntax, while in obfs4 you must add some parameters. So get back on the server and:

  1. get Tor’s fingerprint with either one of the two commands below
    tor --list-fingerprint
    cat /var/lib/tor/fingerprint

    which returns node’s nickname and fingerprint (remove the spaces between the hash value, if present);

  2. get brige’s cert hash and options with the command
    cat /var/lib/tor/pt_state/obfs4_bridgeline.txt

    and copy the last line.

Now you’re ready to complete the Tor client config. Paste the line obtained at step 2 above and replace <IP ADDRESS>:<PORT> <FINGERPRINT> respectively with Tor node’s IP, port, and the hash returned at step 1. Don’t forget to tell Tor to use bridges. So in summary, if you want to use bridges in your torrc add the following lines:

UseBridges 1
ClientTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy
Bridge obfs4 ip_of_your_server:80 fingerprint_hash cert=1+hash_obtained_at_&amp;amp;nbsp;iat-mode=0

If you want to configure Tor Browser click on the onion button right left the address bar, click Tor Network Settings… then Enter custom bridges and add the line above, except the leading Bridge word.

Useful links

Heading image by Modestas Urbonas.

3 pensieri su “Running an obfs4 Tor bridge on port 80/443

  1. Hi,
    There is a vital missing part in your howto and actually my stock status: how do you create the master cert and its hash and options ?
    Cause in my cnetos machine the “/pt_state/obfs4_bridgeline.txt” does not exist. Can you explain please this?

Lascia un commento

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *

Solve : *
26 − 8 =

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.