Help Censored Users, Run a Tor Bridge

A little more technically advanced people familiar with the Puppet configuration management engine might appreciate this Puppet code snippet that will deploy a bridge on port 443 for you:

class tor_meta::config {

  service {
    'tor@default':
      ensure     => running,
      hasrestart => true,
      hasstatus  => true;
  }

  package {
    'obfs4proxy':
      ensure => present;
  }


  tor::daemon::relay {
    'MySuperName':
      bridge_relay     => true,
      port             => 443,
      address          => "${ipaddress}",
      bandwidth_rate   => 56250, #450mbps
      bandwidth_burst  => 59375, #475mbps
      contact_info     => 'Foo Bar <foo@bar.org>',
  }

  tor::daemon::exit_policy {
    'bridge':
      reject => ['*:*'];
  }

  tor::daemon::snippet {
    'bridgedist':
      content => "BridgeDistribution none\n";
  }

  tor::daemon::snippet {
    'disableipv6':
      content => "AddressDisableIPv6 1\n";
  }

  tor::daemon::transport_plugin {
    'obfs4':
      ext_port                   => 'auto',
      servertransport_plugin     => 'obfs4 exec /usr/bin/obfs4proxy',
      servertransport_listenaddr => 'obfs4 0.0.0.0:80',
  }

  # Make sure obfs4 can bind to a low port
  exec {
    'setcap':
      command => '/sbin/setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy',
      unless  => '/sbin/getcap /usr/bin/obfs4proxy | /bin/grep ep',
      notify  => Service['tor@default'];

    'tor-systemd-reload':
      command     => '/bin/systemctl daemon-reload',
      refreshonly => true;
  }

  $services = ['tor@default.service','tor@.service']
  $services.each |String $service| {
    file_line {
      "systemd_${service}":
        path   => "/lib/systemd/system/${service}",
        line   => 'NoNewPrivileges=no',
        match  => 'NoNewPrivileges=yes',
        notify => Exec['tor-systemd-reload'];
    }
  }
}

It depends on the tor puppet module and Puppet 5.

6 Likes

@gus Is this the link you need to validate my new tor bridge?

https://metrics.torproject.org/rs.html#details/BC3D33D414C14D06979F97C5B26BB0876F7150E9

1 Like

Yay, yes! Can you send the bridge line in private or to frontdesk@torproject.org?

Sure thing, any pointer on where to find this? I’m new to Tor.

Just follow these instructions :smiley_cat:
https://community.torproject.org/relay/setup/bridge/post-install/

Awesome, sent the email. Looks like I am too new to send DMs right now.

One note, I installed via Docker. And on the docker install page (Tor Project | Docker) for step 3, it talks about a command to get the bridge line:

docker exec CONTAINER_ID get-bridge-line

Unfortunately, when I ran that I get the following:

user@dockerhost:~$ docker exec torbridge_obfs4-bridge_1 get-bridge-line

Could not create bridge line. Tor's log format may have changed. This is a bug.

I ended up just grabbing the file you suggested, but wanted to give the heads up that it looks like the docs might need an update.

Hm, probably a bug. :space_invader:
I opened a ticket for the Anti-censorship team to check:

Ok was planning on deploying five nodes, but I really need two shirts AND a hoodie (AND stickers). So later today I will up my setup from six working bridges now to ten later on.

Hi! I’m new on this forum. Been running tor relays on and off for twenty years now I think :slight_smile:

3 Likes

Awesome! The metrics.torproject.org link:
https://metrics.torproject.org/rs.html#details/FAA57E231AA6AE39C8864808974FC9DAE3967EB6

It says that it was first seen 2021-05-07 13:04:40; that’s not fully correct. It’s older, but I lost the keys for it…

Hello bridge operators, if you’re running one of these relays, please remember to install and configure obfs4:

| Nickname | Metrics link |
|---|---|
| NObridge | Relay Search |
| s10 | Relay Search |
| s11 | Relay Search |
| Spaceportal | Relay Search |
| Unnamed | Relay Search |
| Unnamed | Relay Search |
| Unnamed | Relay Search |
| Unnamed | Relay Search |
| Unnamed | Relay Search |
| Unnamed | Relay Search |

1 Like

Got some shirts years ago, this time I really want a hoodie…
When I get 10 bridges up (added 4 so far) I’ll share the ‘Bridge obfs4’ lines with Gus, which, as I understand, is a way to be eligible.

3 Likes

Hi all! I just had troubles (ip blacklisted) running my relay, so I decided to run a bridge. This campaign is just perfect for me!
Some questions: I set up the torrc as shown in the instructions, but I have a doubt: should DirPort also be set up in torrc and opened on the firewall?
My hashed fingerprint url is

https://bridges.torproject.org/status?id=33ADB77CD707E0EDF1711DBE7BEC63C6C876E480

as shown in the tor log, but at the moment it is not showing up anything (“no resources for the given id” message) and the tor log states:

Your server has not managed to confirm reachability for its
ORPort(s) at :443. Relays do not publish descriptors until
their ORPort and DirPort are reachable. Please check your firewalls, ports,
address, /etc/hosts file, etc.

So I ask you if you can confirm DirPort must be set up too.
When everything is working, should I post the metrics URL there and send an email with the full line to frontdesk@torproject.org to participate, am I right?
Thanks a lot!
Brian

Hi @brian_d,

No, you need to open your ORPort and you will see a message saying that the port is reachable in your Tor logs. After ~3 hours you will be able to find your bridge on the Metrics portal.

Yes, you’re right! :smiley_cat:

Hi @gus thanks a lot for the fast answer!
I am running on raspbian (Debian Stretch) but I cannot find the file obfs4_bridgeline.txt in the entire filesystem. Any help?

Did you install obfs4proxy? See the Debian instructions.
Follow this path and you find the file: /var/lib/tor/pt_state/obfs4_bridgeline.txt

Hi @gus,
Now ORPort is verified; the problem was an Address entry with an old DNS record inside the configuration.
Yes obfs4proxy is correctly installed! At URL:
https://bridges.torproject.org/status?id=33ADB77CD707E0EDF1711DBE7BEC63C6C876E480
shows:

Bridge 33ADB77CD707E0EDF1711DBE7BEC63C6C876E480 advertises:

* obfs4: functional
  Last tested: 2021-11-21 12:37:49.893505938 +0000 UTC (18m2.992117131s ago)

:grin:
But no file /var/lib/tor/pt_state/obfs4_bridgeline.txt is present, command find / -name obfs* has no useful result (finds binary and docs but no bridgeline). I installed tor from sources (latest version, 0.4.6.8), don’t know if this can help… any suggestion?
Thank you!

Yes the Hoodie made me go to 10 too :slight_smile:

If you try that, Tor will complain in the logs and ignore the DirPort setting. It is mutually exclusive, apparently. Maybe to prevent bridges from being identified as such too easily?
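
The pitfalls raised in this thread (a leftover DirPort, an Address entry pointing at a stale DNS record, a bridge without obfs4, and obfs4 on a low port needing the setcap step), as an added example that is not part of any post: a small torrc linter. The function names and both sample torrc texts are constructed for illustration; the option names are Tor's own.

```python
import ipaddress

def parse_torrc(text):
    """Map lowercased option name -> list of values (torrc keys are case-insensitive)."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments, split key/value
        if parts:
            opts.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def lint_bridge(text):
    """Return a list of findings for the bridge pitfalls raised in this thread."""
    o, out = parse_torrc(text), []
    if o.get("bridgerelay", ["0"])[-1] != "1":
        out.append("BridgeRelay is not 1")
    if "orport" not in o:
        out.append("no ORPort: reachability can never be confirmed")
    if any(v.split()[:1] != ["0"] for v in o.get("dirport", [])):
        out.append("DirPort set: not used on a bridge, remove it")
    if "reject *:*" not in o.get("exitpolicy", []):
        out.append("no 'ExitPolicy reject *:*'")
    if not any("obfs4" in v.split()[0].split(",") for v in o.get("servertransportplugin", []) if v):
        out.append("no obfs4 ServerTransportPlugin")
    for v in o.get("address", []):
        try:
            ipaddress.ip_address(v)
        except ValueError:
            out.append(f"Address '{v}' is a hostname: a stale DNS record breaks reachability")
    for v in o.get("servertransportlistenaddr", []):
        port = v.rsplit(":", 1)[-1]
        if port.isdigit() and int(port) < 1024:
            out.append(f"note: obfs4 on port {port} needs cap_net_bind_service")
    return out

# Constructed samples: GOOD uses the options named in the Puppet post, BAD is a half-converted relay.
GOOD = """BridgeRelay 1
ORPort 443
ExitPolicy reject *:*
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:80
"""
BAD = """BridgeRelay 1
ORPort 443
DirPort 9030
Address old-name.example.org
"""
if __name__ == "__main__":
    print(lint_bridge(GOOD), lint_bridge(BAD), sep="\n")
```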

I really like hoodies! :smiley:
If Tor gets support for IPv6 only, I can create a second bridge (or relay / exit node…)

Would love to create 10 more bridges, but currently I don’t have the resources…
For now I’m going to keep this one running and hope I don’t lose the keys…

Hi!
I just fixed all issues!
Here we are :grin::
https://metrics.torproject.org/rs.html#details/33ADB77CD707E0EDF1711DBE7BEC63C6C876E480

If anyone is planning to run a bridge on Raspbian Stretch, I followed these steps:

  1. Downloaded and installed tor from sources (latest versions have no updated deb!)
  2. Downloaded and installed latest GoLang binaries for ARMv6
  3. Cloned obfs4proxy from git, latest version, and built (here deb is not supported anymore!)
  4. Added a systemctl entry for automatic startup at boot

Hope this could help!
Brian

2 Likes