Have I Correctly Set Up My Bridge?

I am absolutely new at Tor. As suggested by a friend of mine I have set up a Raspberry Pi running a Tor Bridge in order to support Russian people to use a free internet. But I am not sure whether my installation works. When I run journalctl -e -u tor@default I get a lot of lines like:
=== 8>< ===
Unable to find IPv6 address for ORPort . You might want to specify IPv4Only to it or set an explicit address or set >

No circuits are opened. Relaxed timeout for circuit 549 (a Testing circuit 3-hop circuit in state doing handshakes with >

Your server has not managed to confirm reachability for its ORPort(s) at . Relays do not publish descri>

Your server has not managed to confirm reachability for its ORPort(s) at . Relays do not publish descri>

Heartbeat: Tor’s uptime is 18:00 hours, with 0 circuits open. I’ve sent 3.82 MB and received 29.74 MB. I’ve received 96 >

While bootstrapping, fetched this many bytes: 41640 (microdescriptor fetch)

While not bootstrapping, fetched this many bytes: 25248238 (server descriptor fetch); 1705246 (consensus network-status >

Heartbeat: In the last 6 hours, I have seen 0 unique clients.
=== ><8 ===

What does it mean? Is there something wrong?

Hello @facebita,

Which obfs4 port are you using for your bridge? (in the torrc file /etc/tor/torrc)
Have you forwarded this port in your router to your Raspberry Pi?
If you are running it on IPv6 only, you must have an IPv4 address to run a tor bridge or relay.

Thanks for running a bridge for the Tor network :+1:

Port: 1800
Port is forwarded in the router.
I do not exactly know whether I use IPv6 or not.

If important: I use a Fritzbox 7490 and an eBlocker.

For a tor bridge, you need to install obfs4proxy and configure the torrc file with an ORPort and an OBFS4 Port.

BridgeRelay 1

# Replace "TODO1" with a Tor port of your choice.
# This port must be externally reachable.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ORPort TODO1

ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy

# Replace "TODO2" with an obfs4 port of your choice.
# This port must be externally reachable and must be different from the one specified for ORPort.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ServerTransportListenAddr obfs4 0.0.0.0:TODO2

# Local communication port between Tor and obfs4.  Always set this to "auto".
# "Ext" means "extended", not "external".  Don't try to set a specific port number, nor listen on 0.0.0.0.
ExtORPort auto

# Replace "<address@email.com>" with your email address so we can contact you if there are problems with your bridge.
# This is optional but encouraged.
ContactInfo <address@email.com>

# Pick a nickname that you like for your bridge.  This is optional.
Nickname PickANickname

Make sure that you have added a different port for OR (TODO1 in the example) and OBFS4 (TODO2 in the example), they both need to be allowed in your router. We recommend using a random port for OR and port 443 for OBFS4 (to bypass restrictive firewalls).

In your router you will need to create 2 NAT rules for those ports to your raspberry pi. And if you are using a port that is below 1024 for obfs4, use this command to allow it in your OS :
sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy

Documentation : https://community.torproject.org/relay/setup/bridge/debian-ubuntu/

You can verify that all these steps are done and then return a feedback here if you need more help.

Thanks :smiley:


I followed exactly your instruction:

RunAsDaemon 1
ORPort
ServerTransportListenAddr obfs4 0.0.0.0:443
ServerTransportListenAddr obfs4 [::]:443
BridgeRelay 1
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ExtORPort auto
BridgeDistribution moat
RelayBandwidthRate 1 MB
RelayBandwidthBurst 2 MB
ContactInfo
Nickname
ControlPort 9051
CookieAuthentication 1

At the end I ran sudo setcap […]

And now journalctl remarks only one remaining issue:

»Unable to find IPv6 address for ORPort . You might want to specify IPv4Only to it or set an explicit address or set Address.«

What should I do: Set to use only IPv4, or set an IPv6 address?

Both, I do not know how to configure it.

Thanks for the info,

You forgot to add a port for ORPort, you didn’t fill ContactInfo and Nickname.
Try to add for example ORPort 8916 or a port of your choice and apply it also in your NAT rule. Both ORPort and OBFS4 port will be allowed in your router to your raspberry pi.
Nickname and ContactInfo are both important if the staff needs to contact you. They are optional.

If you don’t have any IPv6 address, you should also set ORPort 8916 IPv4Only and AddressDisableIPv6 1 to tell tor to run without IPv6.

If you want to enable IPv6, you can add manually your global link IPv6 in torrc file like this example :
ORPort [2a01:XXXX]:8916 with your own address between [ ] and the OR port.

Make sure to restart tor and tell me if you got any new errors / notices in the logs after the changes.
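
The torrc points raised in the replies above (an ORPort with a fixed port, a different port for obfs4, ExtORPort auto) can be checked before restarting tor. The script below is an added example, not part of any post in this thread: lint_torrc and sample_torrc are hypothetical names, the ControlPort loopback check is an extra of this example, and the sample input is constructed from the configuration as it appeared in the thread.

```shell
#!/bin/sh
# lint_torrc [FILE]: print one finding per line; returns 1 if anything was found.
lint_torrc() {
    awk '
    function bad(msg) { print "torrc: " msg; found = 1 }
    /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
    { key = tolower($1) }                     # match option names in any case
    key == "bridgerelay" { bridge = $2 }
    key == "extorport"   { ext = $2 }
    key == "servertransportplugin" && $2 == "obfs4" { plugin = 1 }
    key == "orport" {                         # "8916", "8916 IPv4Only", "[addr]:8916"
        n = split($2, p, ":"); orport = p[n]
    }
    key == "servertransportlistenaddr" && $2 == "obfs4" {
        n = split($3, p, ":"); obfs[p[n]] = 1; have_obfs = 1
    }
    # "ControlPort 9051" binds to loopback; flag explicit non-loopback addresses.
    key == "controlport" && $2 ~ /:/ && $2 !~ /^(127\.0\.0\.1|localhost|\[::1\]|unix):/ {
        bad("ControlPort listens on " $2 ", keep it on loopback")
    }
    END {
        if (bridge != "1") bad("BridgeRelay is not 1")
        if (orport !~ /^[0-9]+$/) bad("ORPort has no fixed port number")
        if (!plugin) bad("no ServerTransportPlugin line for obfs4")
        if (!have_obfs) bad("no ServerTransportListenAddr line for obfs4")
        if (orport != "" && (orport in obfs)) bad("ORPort and obfs4 both use port " orport)
        if (ext != "auto") bad("ExtORPort should be auto")
        exit found + 0
    }' "$@"
}

# Constructed sample: the torrc from the thread as posted, placeholders stripped.
sample_torrc() {
    printf '%s\n' 'RunAsDaemon 1' 'ORPort' \
        'ServerTransportListenAddr obfs4 0.0.0.0:443' \
        'ServerTransportListenAddr obfs4 [::]:443' 'BridgeRelay 1' \
        'ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy' \
        'ExtORPort auto' 'ControlPort 9051' 'CookieAuthentication 1'
}

sample_torrc | lint_torrc || echo "fix the findings, then restart tor"
```

On a real bridge the call would be lint_torrc /etc/tor/torrc; the router's port forwarding still has to be checked separately.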

[quote=“Superpaul209, post:6, topic:2637”]
You forgot to add a port for ORPort, you didn’t fill ContactInfo and Nickname.[/quote]

No. I did not forget these data. In my original post I wrote placeholders for them in angle brackets. Don’t know who has deleted it.

Now it works - as far as I can estimate it.

At the moment I don’t want to enable IPv6, because eBlocker would not work properly when IPv6 is enabled on my router.

I thought that you didn’t put an ORPort, my bad. Maybe it’s an automatic rule that removes the port to protect against disclosure of information on our bridge or relay, which is a good thing.

If everything works as expected it’s perfect, don’t hesitate to look at the console to check that everything is connected and then test with a client.

About the console, it’s the package nyx available with apt install nyx

You should look at this page to have more information on how to test your bridge and look at the stats :

Your bridge will be available on the Metrics page after a few hours. It will show “Bridge distribution mechanism : None” for one day on the relay search page of your bridge. It’s normal. After this delay, your bridge will be automatically added into the BridgeDB with the distribution method that you have set in the torrc file or if you have none, it will choose one for you.

You can learn more what are distribution methods on this page : https://bridges.torproject.org/info

If you have any other questions about how it works or anything else don’t hesitate :100:

nyx is running. But with sudo. So I have found:

Two questions insofar:

1.) Am I right that I have to place $USER by my user name, or is it right to chown exactly to $USER?

2.) Am I right that the approach given there on github is not working at Raspberry Pi OS 11 (Debian Bullseye)?

So, how can I run nyx without root privileges?

Everything written on this github topic should work for your OS.

The authcookie file must be readable by the user you want to give access to nyx.
This is the only way to authorize the connection to the console.

To open the console without root rights, simply log in with the user you have created and then run the command nyx without sudo.

I also specify that the information on the console must be kept for you only and the controlport must NOT be accessible from outside. This is confidential information just like key files or anything else about your server.

I hope everything works out well for you :slight_smile:

Thank you very much for your patience!

Obviously I misunderstand something fundamental. I have added in torrc the line:

CookieAuthFileGroupReadable 1

Then I have added my username to the group who owns /var/run/tor/control.authcookie by:

sudo usermod -a -G thegroupofthecookie myusername

Next I changed the ownership of the said control.authcookie by:

sudo chown myusername:thegroupofthecookie /var/run/tor/control.authcookie

Note: I did not change the group of the cookie.

Then I have restarted tor. Then I ran nyx. After a few seconds nyx reports that the connection to tor is interrupted. And up from this moment nyx is unresponsive. Nyx Notice reports: tor control port closed.

When I then check the ownership of /var/run/tor/control.authcookie it has been set back to the values before I had performed sudo chown.

And when I now run sudo nyx it seems everything works as before. But now as before, I can not run nyx without sudoers privileges.

Thanks for your feedback.

I must be missing something …
In my situation, I built the package from source and the permissions remain the same after a reboot of tor. It’s not necessarily a recommended method which I did.

For you, it’s a service that may reset the permissions for a user that is configured during the installation of the package. From what I’ve seen, it sets up an unprivileged user automatically during the apt install and assigns permissions based on this new user. The tor service will run with it.

I haven’t seen any official information on the tor website about this but you can try to put User myusername in the torrc config file so that it runs with your own unprivileged user. This may update the permissions automatically after a restart. It’s to be tested but I can’t confirm that it works.
If it is taken into account by tor, it will be necessary to adapt the permissions of all the files (including the keys, config, log file) so that they are readable by this user.

The objective is not to start anything, neither the console nor the service as a user with privileges. This limits potential security breaches.

I’ll try to figure step by step how I have installed the Tor bridge. Hopefully it leads to a solution for my issues. I have started from scratch with a brand-new installation of the current Raspberry Pi OS 64 bit from the official website. Then I took the following steps:

I have set a new password for user pi.

I have set in raspi-config GPU Memory: “16”, Localisation Options / Locale: “de_DE.UTF8”, Localisation Options / Timezone: “Berlin”, Advanced Options / Expand Filesystem: “Yes”, Update: “Yes”.

Then I have rebooted the system.

Then I have performed the following commands:

sudo apt update
sudo apt upgrade
sudo reboot
sudo rpi-update
sudo reboot
sudo apt-get install unattended-upgrades apt-listchanges
sudo apt update && sudo apt install tor obfs4proxy nyx -y
sudo reboot
sudo cp /etc/tor/torrc /etc/tor/torrc.backup

Now I have altered the file torrc. Please note, where I wrote asterisks, I have written in the real file my nickname, my real email address, a real port number.

sudo nano /etc/tor/torrc

RunAsDaemon 1
ORPort **** IPv4Only
AddressDisableIPv6 1
ServerTransportListenAddr obfs4 0.0.0.0:443
ServerTransportListenAddr obfs4 [::]:443
BridgeRelay 1
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ExtORPort auto
BridgeDistribution moat
RelayBandwidthRate 1 MB
RelayBandwidthBurst 2 MB
ContactInfo ****
Nickname ****
ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1

I have closed the file and confirmed the alterations.

Then I have configured my router in order to open the respective ports and services. Followed by performing some last commands on the raspi.

sudo service tor restart
sudo chmod 755 /run/tor/control.authcookie
sudo usermod -a -G debian-tor pi
sudo service tor restart
nyx

Now, that I write it down, however, I’m not at all sure whether I really executed the chmod command. This would explain, why nyx isn’t working properly, wouldn’t it?

Thanks for the info, your configuration is correct.

However, it seems to me that the last restart of the service resets the cookie file permissions to the default ones. They are read-only for the owner (debian-tor) of the file by default, and not readable by the group.

This explains why the last command you do to access the console may deny you access.

  • What I think would work is to connect to the user created by the package (debian-tor) and then launch the console with it.
  • A second solution is to change the user in the config file torrc (variable User myusername) to modify all the files for this user automatically and be able to use the console.

What you did to change the file permissions manually will work until the next service restart. It’s not very convenient.
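
A check that can be re-run after every tor restart to see which of the conditions discussed above is stopping an unprivileged user from reading the control cookie. This is an added example, not part of any post in this thread; check_cookie is a hypothetical name, and the demo runs on a constructed scratch file standing in for /run/tor/control.authcookie.

```shell
#!/bin/sh
# check_cookie FILE [USER]: report why USER can or cannot read Tor's control cookie.
# Returns 0 when nothing is found, 1 on findings, 2 if FILE cannot be examined.
check_cookie() {
    f=$1; user=${2:-$(id -un)}; rc=0
    mode=$(stat -c '%a' "$f") || return 2     # GNU stat, as on Raspberry Pi OS
    grp=$(stat -c '%G' "$f")
    # Anyone who can read the cookie can authenticate to the control port.
    if [ $((mode % 10 & 4)) -ne 0 ]; then
        echo "cookie: mode $mode is world-readable, every local account can use it"; rc=1
    fi
    if [ $((mode / 10 % 10 & 4)) -eq 0 ]; then
        echo "cookie: not group-readable, set CookieAuthFileGroupReadable 1"; rc=1
    fi
    # Group database: has the user been added to the file's group at all?
    case " $(id -Gn "$user" 2>/dev/null) " in
        *" $grp "*) ;;
        *) echo "cookie: $user is not in group $grp"; rc=1 ;;
    esac
    # usermod -a -G only takes effect in new login sessions.
    case " $(id -Gn) " in
        *" $grp "*) ;;
        *) echo "cookie: this session lacks group $grp, log out and back in"; rc=1 ;;
    esac
    return $rc
}

# Constructed demo: a scratch file given the mode from the chmod 755 step above.
demo=$(mktemp); chmod 755 "$demo"; check_cookie "$demo"; rm -f "$demo"
```

On the bridge itself the call would be check_cookie /run/tor/control.authcookie pi, run from the session in which nyx is started.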

If I would add in torrc the line

User pi

would it cause some unexpected behaviour or would it affect the functioning of the Tor bridge?

It does not change anything on the functioning of the bridge, whatever the user it will be well functional.

The variable to be modified is only a recommendation so that the user who starts the service does not have privileges on the system. This increases the security for your bridge.

To have a maximum of security you need a user without privileges on the system (and therefore not in sudoers). It is optional, if you want to leave as is, you can and it will work fine :+1:. In your situation, the user pi already has many rights by default on Raspbian.

Maybe last, but not least, nevertheless not specifically Tor related: Would it be in general preferable to define different users if different services are provided by one and the same machine? Or would this be an oversophisticated approach?

I would say yes to create different users for different services that you can have on your server. It is good for isolating and assigning rights according to what they use. If a service and user is compromised, depending on their rights, they might not have access to the whole machine. That’s why you should never give too many privileges to a user.

What I recommend, if you have enough hardware, is to make one server per application so that it is totally isolated from the installed packages, users and operating system. For example a web server will be installed by itself on a debian with his own packages.
This is an example that I personally have set up. Your bridge will be alone and even isolated from the network to prevent them from entering your local network.

Everyone does what they can. If you have any other questions, feel free to ask. We are here to help :+1:

Thanks for running a bridge for the tor network :100:
