Document how NGOs can run private obfs4 bridges, and get some doing it
One of our eventual goals is to get bridgedb back on its feet, and using bridge distribution strategies that China can't defeat, but in the meantime we should document one approach that should still work: setting up your Tor Browser with a private (not publicized) Tor bridge.
In particular, we know many NGOs that would be happy to run unpublished obfs4 bridges for their people, and give them private bridge addresses when they visit China.
There are several steps to following through with this idea.
Round one (minimum viable approach):
(1) Document for NGOs how to easily run a few private obfs4 bridges. I've seen some guides floating around but nothing both simple and obviously official.
(2) Document for NGOs how they should get these bridge addresses to their users, and how the users should add them to Tor Browser. On Android it seems that Orbot hooks the "bridge://" URL, so sending bridge addresses via Signal, email, etc. should work: the user clicks on the bridge address, which launches Orbot, which adds that bridge to its configuration. Having docs for actual users, with screenshots and stuff, would be the clear next step. On desktop the interface choices are messier: see #28015.
(3) Walk a few NGOs through the process from beginning to end, so we can confirm for ourselves that it works as intended, and so we can have a more direct connection to actual users to get feedback on all angles of the user experience.
Round two (once we like round one):
(4) Document for NGOs how to run a series of obfs4 bridges. This could start with one bridge address per computer, but the longer term answer is to have a single Tor client binding to many bridge addresses, maybe with help from the ISP to point these many bridge addresses to that Tor.
(5) Understand if private bridges actually work in China. Apparently Lantern uses obfs4 and they don't get blocked by DPI, so that's a good start, but I've also heard stories of DPI-based throttling. In step 3 above we'll get some anecdotal answers, but here we should design and deploy some recurring experiments from computers inside China that assess (a) connectivity, (b) whether it can bootstrap, and (c) throughput, through a private bridge.
(6) We should invent and document some best practices for where NGOs ought to run their bridges, and how many bridges they need per user. At the extreme bad end of the spectrum, they would run one bridge and give it to all of the people attending a given training -- and in that case, apart from the obvious "what if one of the users is bad and gets the address blocked" worry, discovering some of the users could lead to discovering other related users. At the other end of the spectrum is one bridge (on its own separate ISP) per user. What are some acceptable solutions in between?
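
For reference on step (1), a minimal server-side torrc for an unpublished obfs4 bridge. This is an added example, not part of the ticket and not official Tor Project documentation. The port numbers and the obfs4proxy path are assumptions (a Debian-style install) and should be adjusted per host.

```torrc
# Constructed example: private (unpublished) obfs4 bridge.

# Run as a bridge rather than a public relay.
BridgeRelay 1

# Tor's own OR port. Placeholder value; obfs4 users do not connect to it.
ORPort 9001

# Launch the obfs4 pluggable transport. Path is an assumption.
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy

# Port the NGO's users will actually connect to. Placeholder value.
ServerTransportListenAddr obfs4 0.0.0.0:8443

# Local channel between tor and the transport process.
ExtORPort auto

# The setting that makes the bridge private: do not upload the bridge
# descriptor, so bridgedb never learns the address and cannot
# hand it out. The address only reaches people the operator gives it to.
PublishServerDescriptor 0
```

After tor starts, obfs4proxy writes a bridge line template to `pt_state/obfs4_bridgeline.txt` under tor's data directory; that line, with the host's address, port and fingerprint filled in, is the private bridge address given to users in step (2).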