Bridge obfs4proxy permission error

$ sudo cat /var/lib/tor/stats/bridge-stats
bridge-stats-end 2023-02-24 19:19:21 (86400 s)
bridge-ips de=8
bridge-ip-versions v4=8,v6=0
bridge-ip-transports <OR>=8

And the log file you’ll find as an attachment.
[redacted]

Alright, first things first, let’s fix this error:

Feb 24 20:29:27 Tor[551]: Server managed proxy encountered a method error. (obfs4 listen tcp 0.0.0.0:443: bind: permission denied)
Feb 24 20:29:27 Tor[551]: Managed proxy at '/usr/bin/obfs4proxy' failed the configuration protocol and will be destroyed.

It means that the pluggable transport obfs4 is installed, but it needs some special permission to run.

From the Tor Community portal, Tor bridge documentation:

If you decide to use a fixed obfs4 port smaller than 1024 (for example 80 or 443), you will need to give obfs4 CAP_NET_BIND_SERVICE capabilities to bind the port with a non-root user:

So, to fix this permission error, you can change the OBFS4 port in your torrc to something higher like 55555, or follow the instructions below.

  1. Run command in your terminal:
     sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy

  2. You will also need to change your systemd hardening, for example:
     sudo gedit /lib/systemd/system/tor@default.service

     And set this line:

     NoNewPrivileges=no

  3. Now, you need to do the same thing here:
     sudo gedit /lib/systemd/system/tor@.service

     And set this line:

     NoNewPrivileges=no

  4. Finally, restart your Tor daemon:
     sudo systemctl daemon-reload

To confirm that you fixed this issue, you can search your bridge fingerprint on Tor Metrics – you need to wait 3 hours to see this update on Metrics – and you will find a line confirming that you have obfs4 pluggable transport: “Transport protocols obfs4”. And you should not see that error in your logs anymore.
By fixing this error, your bridge will be distributed by moat - see this bug.

After you fix this, I will follow up with you to fix two other issues: obfs4proxy version (you must use the package from bullseye-backports) and Tor version (0.4.7.x instead of 0.4.5 - EOL).
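The checks behind the steps above, as an added example that is not part of the original reply or of Tor's documentation: a fixed obfs4 port below 1024 needs the file capability on the binary, and the capability only takes effect when the unit does not set NoNewPrivileges, because the kernel ignores file capabilities at exec when that flag is on. The function names are hypothetical, the inputs are constructed, and `ServerTransportListenAddr` is assumed to be the torrc line that fixes the port.

```shell
#!/bin/sh
# Added example. Live inputs would come from (paths as in the reply above):
#   getcap /usr/bin/obfs4proxy
#   systemctl show -p NoNewPrivileges tor@default.service
# and from your torrc (its location is not given in the thread).

# Read torrc text on stdin, print the obfs4 listen port (empty if not fixed).
obfs4_port() {
    awk 'tolower($1) == "servertransportlistenaddr" && $2 == "obfs4" {
             n = split($3, a, ":"); print a[n]; exit }'
}

# Succeed if getcap output grants cap_net_bind_service as effective+permitted.
has_bind_cap() {
    case "$1" in *cap_net_bind_service*) ;; *) return 1 ;; esac
    flags=${1##*[=+]}            # text after the last "=" or "+", e.g. "ep"
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) return 0 ;; esac
    return 1
}

# diagnose TORRC_TEXT GETCAP_OUTPUT NNP_LINE -> prints one verdict
diagnose() {
    port=$(printf '%s\n' "$1" | obfs4_port)
    if [ -z "$port" ] || [ "$port" -ge 1024 ]; then
        echo "ok-unprivileged-port"        # no capability needed
    elif ! has_bind_cap "$2"; then
        echo "missing-capability"          # setcap step not applied
    elif [ "$3" != "NoNewPrivileges=no" ]; then
        echo "blocked-by-NoNewPrivileges"  # file capability ignored at exec
    else
        echo "ok-privileged-port"
    fi
}

# Constructed sample torrc (not the poster's configuration).
SAMPLE_TORRC='BridgeRelay 1
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:443'
CAP_SET='/usr/bin/obfs4proxy cap_net_bind_service=ep'   # constructed getcap output

diagnose "$SAMPLE_TORRC" ""         "NoNewPrivileges=yes"
diagnose "$SAMPLE_TORRC" "$CAP_SET" "NoNewPrivileges=yes"
diagnose "$SAMPLE_TORRC" "$CAP_SET" "NoNewPrivileges=no"
```

`systemctl show` reports the unit as systemd currently has it loaded, so read it after `daemon-reload`.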

Thank you very much, and sorry for the delay. There was something with more priority in my life. But now I have followed your steps. The three hours you mentioned at the end will be finished at 4 p.m. CET. Then I will check TorMetrics and will come back here to learn the next steps.

ADDENDUM:

It’s now 9 p.m. CET. But TorMetrics keeps reporting:

Transport protocols
none