Clarify documentation for obfs4 setup
I'd like to provide feedback on configuring a Tor bridge with obfs4 enabled.
It was difficult, and it took me several hours to figure it out, because the installation guides that I found weren't clear enough.
Maybe this feedback can help to clarify the existing guides that talk about obfs4 configuration.
First, I read a suggestion somewhere to use ExtORPort auto which defines the port used by obfs(4)proxy, and that port should ideally be bound to localhost only.
The above was a major source of confusion, it never worked for me. Only when I eventually looked at the README for obfs4proxy, which suggested to use a ServerTransportListenAddr configuration, I realized that the earlier statement might have been incorrect.
Second, it seems that ORPort must be port 443. With other ports, TBB gave me complaints that it failed to access the bridge IP with the configured bridge port, although that port was clearly reachable. Only after I configured ORPort to use 443 that error message on the client side went away.
Third, it was confusing which hash/fingerprint must to be used in the bridge configuration line. Looking at the tor logfile, it prints two different lines with fingerprints: Your Tor server's identity key fingerprint is '...first-hash...' Your Tor bridge's hashed identity key fingerprint is '...second-hash...'
From my naive point of view, it seemed obvious to use the second-hash, because it's labeled as being the bridge hash. But I found that it only works, if I use the first server identity hash.
Fourth, for the configuration values PORT-FOR-OBFS4 and PORT-FOR-OBFS3, you should pick numbers greater than 1024, because otherwise obfs4proxy might have trouble using that port.
Also, because I am installing on a host with multiple IP addresses, I'm providing the additional configuration parameters that are required to bind everything to the correct IP.
Below is what I use in /etc/tor/torrc:
ORPort IPADDRESS:443 Address IPADDRESS OutboundBindAddress IPADDRESS
0 means: private bridge, do not publish
1 means: bridge information automatically published
PublishServerDescriptor 0
SocksPort 0 BridgeRelay 1 Exitpolicy reject :
ServerTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy --enableLogging --logLevel=INFO ServerTransportListenAddr obfs4 IPADDRESS:PORT-FOR-OBFS4 ServerTransportListenAddr obfs3 IPADDRESS:PORT-FOR-OBFS3
NickName BRIDGE-NICKNAME
Log notice file /var/log/tor/notice.log
Note you must replace all of the following identifiers with your own values:
- BRIDGE-NICKNAME
- IPADDRESS
- PORT-FOR-OBFS4
- PORT-FOR-OBFS3
Start Tor (e.g. service tor start)
Search for your fingerprint: grep -i "server.*fingerprint" /var/log/tor/notice.log | tail -1
In the line that is printed, Use the code at the end, which looks like: ABDEF1234567890ABDEF1234567890ABDEF12345 (And use your own code below, where this document uses ABDEF1234567890ABDEF1234567890ABDEF12345)
Get some additional parameters that the obfs4 client configuration requires: cat /var/lib/tor/pt_state/obfs4_bridgeline.txt
You need information from the line that looks like: Bridge obfs4 : cert=bla-bla-bla-bla-bla-bla-bla-bla iat-mode=0
Now you can assemble the complete line to use your bridge, again, replace the values with the correct ones:
obfs4 IPADDRESS:PORT-FOR-OBFS4 ABDEF1234567890ABDEF1234567890ABDEF12345 cert=bla-bla-bla-bla-bla-bla-bla-bla iat-mode=0
The above configuration also enabled obfs3 on a separate port. The configuration line for the obfs3 bridge is simpler:
obfs3 IPADDRESS:PORT-FOR-OBFS4 ABDEF1234567890ABDEF1234567890ABDEF12345
Trac:
Username: kaie