[ux] A user setting up a standalone obfs4 server for the first time

Thu May 26 21:58:19 UTC 2016

I gave someone tips on setting up a private obfs4 server for their own
use. They have a CS degree and prior experience with shadowsocks, but no
experience with pluggable transports. I asked them to send me the steps
they followed, thinking we might be able to turn it into a tutorial.

I first sent them a link to the Tor Browser download and this article by
Derek Cameron on setting up obfs4proxy on Debian:
        https://medium.com/@dcamero/tor-obfs4-bridge-for-gfw-5caf8db7748b
	https://archive.is/pBCF1 (to avoid CloudFlare captcha)
They had no trouble setting up their own bridge and pasting the bridge
line into Tor Browser. It worked fine, but they were disappointed with
the speed. So they did their own research on running obfs4proxy apart
from Tor and this is what they did:

== Server side
1. Set up shadowsocks server
2. Install anaconda
3. pip install aiosocks
4. yum install go (or apt-get for Debian)
5. go get git.torproject.org/pluggable-transports/obfs4.git/obfs4proxy
6. Copy $GOPATH/bin/obfs4proxy to a permanent location (e.g. /usr/local/bin)
7. git clone https://github.com/gumblex/ptproxy.git
8. Write config.json for ptproxy
{
    "role": "server",
    "state": ".",
    "local": "127.0.0.1:xxxx",
    "server": "0.0.0.0:xxxx",
    "ptexec": "obfs4proxy -logLevel=ERROR -enableLogging=true",
    "ptname": "obfs4",
    "ptserveropt": "",
    "ptproxy": ""
}
9. python ptproxy.py config.json
10. Copy down the flag printed out by obfs4proxy

== Client side
1. Download Tor Browser
2. Find path for obfs4proxy
3. git clone https://github.com/gumblex/ptproxy.git
4. Write config.json for ptproxy
{
    "role": "client",
    "state": ".",
    "local": "127.0.0.1:xxxx",
    "server": "x.x.x.x:xxxx",
    "ptexec": "/Applications/TorBrowser.app/TorBrowser/Tor/PluggableTransports/obfs4proxy -logLevel=ERROR -enableLogging=true",
    "ptname": "obfs4",
    "ptargs": "cert=<insert cert here>;iat-mode=0",
    "ptserveropt": "",
    "ptproxy": ""
}
5. python ptproxy.py config.json
6. Run shadowsocks client. Connect to the local address obfs4proxy is listening on.

Here are the lessons I take from it.

* This is what pluggable transports are supposed to achieve. Someone
  took a pluggable transports executable and plugged it into another
  system (here, shadowsocks). However it didn't happen in the way we
  anticipated: shadowsocks didn't implement the PT spec as part of their
  program. Rather, another program (gumblex/ptproxy) acted as a
  compatibility layer between a managed PT executable and an ordinary
  SOCKS-supporting program. I think this is a really promising avenue
  toward realizing the "pluggable" dream. Here are two projects I'm
  aware of that work like this. (In PT-spec terms, they convert a
  "managed" proxy into an "external" proxy.)
	https://github.com/gumblex/ptproxy.git
	https://github.com/twisteroidambassador/pluggabletransportadapter

* The Cameron article on setting up obfs4 is good. We should have more
  like that.

* It probably would have been possible to install obfs4proxy using
  apt-get rather than installing from source. (On Debian at least, I
  don't know about Red Hat.)