[tor-relays] Bridge Usage and Setup
isis
isis at torproject.org
Tue Jun 2 05:28:07 UTC 2015
Tom Ritter transcribed 2.8K bytes:
> Earlier this month I set up an obfs3/obfs4 bridge that (as far as I
> can tell) has never been used. Is this normal? My bridge is at
> https://atlas.torproject.org/#details/C184F644B9D39B26647779282003ACAF59E8028A
>
Your bridge is in BridgeDB, and it's allocated to the HTTPS Distributor, so it
should be distributed. There are just a couple slight issues (as far as I can
tell):

  * Your Bridge doesn't have the Stable flag. [0] BridgeDB tries really hard to
    make sure that, in a given response to a client:

      1) At least one Bridge has the Stable flag, and
      2) At least one Bridge is listening on 443.

  * Neither the obfs3 nor obfs4 interfaces are listening on IPv6; they're both
    only on IPv4. (I think that's what you wanted, but it's a known bug [1] and
    just FYI.) As you likely already know, it's not currently possible to run
    two obfs3 simultaneously — one IPv4 and one IPv6 — and the same goes for
    obfs4 and every other PT. Internally, tor currently only has one slot for
    an "obfs3". [2] Similarly, Stem uses a Python dictionary where the keys are
    the pluggable transport methodnames.
> During this exercise I ran across a few pain points for setting up a
> bridge. Maybe I completely ignored some existing resource for this,
> but the bottom of https://www.torproject.org/docs/bridges is out of
> date, BridgeDB doesn't have a link anywhere, and trac's search isn't
> that good but I couldn't find anything on that either.
>
> 1) Setup
> I followed https://gitweb.torproject.org/pluggable-transports/obfs4.git/tree/README.md
> to set up the obfs3/obfs4
> As good as this is, it would be great if it included a minimal and
> complete torrc for an obfs4 bridge, and perhaps also for an
> obfs3/obfs4 bridge and an IPv6 setup. My torrc is
>
> SocksPort 0
> ControlPort 9051
> HashedControlPassword ...
> CookieAuthentication 1
> ORPort 9001
> ORPort [<public ipv6 addr>]:9001
> BridgeRelay 1
> ExtORPort auto
> ServerTransportPlugin obfs3,obfs4 exec /usr/local/bin/obfs4proxy
> ServerTransportListenAddr obfs3 [::]:80
> ServerTransportListenAddr obfs4 [::]:443
>
> 2) Testing
> How do I (easily) confirm my bridge is correctly configured?
> Especially if I don't have an IPv6 connection for TBB?
>
> netstat seems to say that things are good. The tcp6 connections on 80
> and 443 also apply to ipv4 though; right?
Somehow, possibly due to one of the above-mentioned bugs, your tor and
BridgeDB both seem to think that you're *only* listening on IPv4… so I'm a bit
confused by what netstat is telling you…
> $ netstat -lpn
> tcp   0  0 127.0.0.1:9051       0.0.0.0:*  LISTEN  479/tor
> tcp   0  0 0.0.0.0:9001         0.0.0.0:*  LISTEN  479/tor
> tcp   0  0 127.0.0.1:55346      0.0.0.0:*  LISTEN  479/tor
> tcp6  0  0 :::443               :::*       LISTEN  480/obfs4proxy
> tcp6  0  0 <public ipv6 addr>   :::*       LISTEN  479/tor
> tcp6  0  0 :::80                :::*       LISTEN  480/obfs4proxy
>
> I can put my bridge line into TBB and try and use it for obfs4; seems
> to work. But actually finding that bridge line wasn't straightforward
> (cat /var/lib/tor/pt_state/obfs4_bridgeline.txt and then edit the
> fields, right?) And it doesn't help for obfs3.
Would it be easier, perhaps, if obfs4proxy were to also put your obfs3 (and/or
scramblesuit) bridge lines into that file? (I thought it already did this,
but I must be wrong.)
You had to edit it?
> Some external validation would be nice.
>
> 3) Usage
> Can I figure out if my bridge is being used? I've identified the following:
>
> $ cat /var/lib/tor/stats/bridge-stats
> bridge-stats-end 2015-05-31 18:58:43 (86400 s)
> bridge-ips
> bridge-ip-versions v4=0,v6=0
> bridge-ip-transports
>
> $ zgrep unique /var/log/tor/*
> (a bunch of lines of "0 unique clients")
>
> Atlas graphs, showing virtually no traffic
>
> I feel like #2 might be addressed by Weather (if it was working), but
> all of these might be a good subject for a wiki page on how to run a
> bridge, if my understanding of everything is correct.
I agree that all of the FAQ-ish questions you've just mentioned should be
somewhere, easily accessible, on the website. I've created ticket #16261 for
updating the "Running a Bridge" portion of the bridges.html page, [3] but I'm
totally open to suggestions if people think the documentation should go into
the FAQ page, or on a wiki page (or link to a wiki page, so that it's easier
for community members to contribute tips and ideas), or somewhere else.
[0]: https://globe.torproject.org/#/bridge/C184F644B9D39B26647779282003ACAF59E8028A
[1]: https://trac.torproject.org/projects/tor/ticket/12138
[2]: https://trac.torproject.org/projects/tor/ticket/11211
[3]: https://trac.torproject.org/projects/tor/ticket/16261
Thanks for running an obfs4 bridge!
--
♥Ⓐ isis agora lovecruft
_________________________________________________________
OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
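
For the usage question in section 3 of the quoted message, one way to read /var/lib/tor/stats/bridge-stats programmatically. This is an added example, not part of the original message or of tor; the function names and the second sample are constructed for illustration. tor rounds these counts up to multiples of 8, so totals are upper bounds rather than exact client numbers.

```python
import re
from datetime import datetime

# Constructed samples. UNUSED mirrors the empty stats quoted in the thread;
# USED is made-up data for a bridge that has seen clients.
UNUSED = """bridge-stats-end 2015-05-31 18:58:43 (86400 s)
bridge-ips
bridge-ip-versions v4=0,v6=0
bridge-ip-transports
"""
USED = """bridge-stats-end 2015-06-07 18:58:43 (86400 s)
bridge-ips ir=16,cn=8,us=8
bridge-ip-versions v4=24,v6=8
bridge-ip-transports <OR>=8,obfs3=8,obfs4=16
"""

COUNT_KEYS = ("bridge-ips", "bridge-ip-versions", "bridge-ip-transports")
END_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \((\d+) s\)$")


def parse_counts(value):
    """Turn 'k=n,k=n' into a dict; an empty value (no clients) gives {}."""
    pairs = (item.partition("=") for item in value.split(",") if item)
    return {key: int(num) for key, _, num in pairs}


def parse_bridge_stats(text):
    """Parse the four bridge-stats lines into a dict of timestamps and counts."""
    stats = {key: {} for key in COUNT_KEYS}
    for line in text.splitlines():
        keyword, _, value = line.strip().partition(" ")
        if keyword == "bridge-stats-end":
            match = END_RE.match(value)
            if match is None:
                raise ValueError("malformed bridge-stats-end: %r" % line)
            stats["end"] = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
            stats["interval_s"] = int(match.group(2))
        elif keyword in COUNT_KEYS:
            stats[keyword] = parse_counts(value)
    if "end" not in stats:
        raise ValueError("no bridge-stats-end line found")
    return stats


def summarize(stats):
    """Counts are rounded up by tor, so max_clients is an upper bound."""
    transports = {k: v for k, v in stats["bridge-ip-transports"].items() if v}
    used = any(n > 0 for key in COUNT_KEYS for n in stats[key].values())
    return {"used": used,
            "max_clients": sum(stats["bridge-ip-versions"].values()),
            "transports": transports}
```

An empty `bridge-ip-transports` line together with `v4=0,v6=0`, as in the quoted output, summarizes to `used: False`, which matches the "0 unique clients" log lines.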