September 08, 2018
Recently I discovered that my college’s Wi-Fi network (and most likely, their commercial firewall Fortinet is on their behalf, without their knowledge) is blocking connections to the Tor Directory Authorities, as well as blocking connections to the default bridges (also acknowledged as the hard-coded bridges) included with Tor Browser. Because I use Tor Browser as my primary internet browser this makes things a bit more difficult while I’m on campus. Luckily I took the time to learn about Tor Bridges and how to run my own.
This tutorial focuses on configuring a tor bridge server, it does not explain the basics of running a Linux Server and it assumes that you have basic Linux shell knowledge. If you have never used the Linux shell before I recommend completing the tutorial at https://www.codecademy.com/learn/learn-the-command-line. Additionally, a lot of new user-friendly tutorials for various configuration tasks can be found at https://www.digitalocean.com/community.
The first thing you will need to do is get a server with high-speed internet connectivity. This should be located in a datacenter with stable power and high availability & fast networking - it’s also recommended to get a static IP Address (although a dynamic one which doesn’t change often should also be okay).
Luckily you don’t have to pay for an expensive server. Cloud computing providers such as Google Cloud, Microsoft Azure, and Amazon Web Services all offer a generous free tier including a low powered virtual server which is more than enough to run a small Tor Bridge for your personal use. It probably won’t be able to handle 100s of users but it should be able to handle you and a few of your friends and family members. I recommend using Google Compute Engine.
If the public bridges designed through BridgeDB or Email work for you then use those. There are more people using them and depending on your observer you are more likely to blend in with the crowd than when you are the only user connecting to an IP Address. However the public bridges are sometimes slower, additionally, some censors (for example China) have the majority of public bridges blocked off. Lastly, you might not want to take away bandwidth from users whom a public bridge is their only option to connect to Tor due to costs or other reasons.
I want the bridge to draw as little attention as possible from my college’s network administrators so I choose to do the following to minimize risks:
For this tutorial I’ve decided to use Google Compute Engine, any server will do, however, this is tested with Debian Strech on Google Compute Engine. So it’s time to create and power on your server. Connect to SSH and get let’s get started :)
Before doing anything else you should make sure that the following tasks are taken care of:
If you are following along with this tutorial’s suggestions and are using Google Compute Engine you only need to run
sudo apt-get install tor obfs4proxy, on other service providers you may also need to run
sudo apt-get install iptables which we’ll use later in the tutorial for some port forwarding shenanigans.
First things first let’s move the default torrc to a sample file so it’s not interfering with anything we configure. Run
sudo mv /etc/tor/torrc /etc/tor/torrc.sample in your SSH Shell.
sudo nano /etc/tor/torrc and start writing out your torrc. The torrc is one of the most simple configuration files I’ve seen. It’s pretty straight forward. Take a look at the following example:
## # OBFS4 Tor Bridge Configuration ## ExitPolicy reject *:* RunAsDaemon 1 ORPort xxxx BridgeRelay 1 PublishServerDescriptor 0 ServerTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy ServerTransportListenAddr obfs4 0.0.0.0:xxxx ExtORPort auto ContactInfo xxxx Nickname xxxx
You need to pick random port numbers for ORPort and OBFS4 Port, along with setting a Nickname and providing a contact email address. You can safely leave the nickname and contact email address as xxxx since it’s a private bridge if you were running a public bridge you would want to set a recognizable nickname and email address so people can contact you if something isn’t working quite right on your bridge.
Something to consider: To minimize the enumeration risks of running a bridge I recommend picking completely random port numbers from your ORPort and OBFS4 port. While it’s not perfect and a full port scan could still reveal that you are running a bridge, the risk of detection by your adversary drops.
Your final torrc file will look something like the following:
## # OBFS4 Tor Bridge Configuration ## ExitPolicy reject *:* RunAsDaemon 1 ORPort 8817 BridgeRelay 1 PublishServerDescriptor 0 ServerTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy ServerTransportListenAddr obfs4 0.0.0.0:2888 ExtORPort auto ContactInfo Nathaniel Suchy <email@example.com> Nickname nsuchy
Next up we will need to add a few firewall rules to allow you to access the bridge from port 443.
sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT sudo iptables -I INPUT 1 -p tcp --dport 2888 -j ACCEPT sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 2888
sudo service tor restart in your SSH Terminal and you’re ready to configure your client (Tor Browser).
Finally, it’s time to configure Tor Browser to connect to your bridge. First things first open Tor Browser and open “Tor Network Settings”, check the box “Tor is censored in my country”, click “Provide a bridge I know” and paste your bridge line.
To get your bridge line run
sudo cat /var/lib/tor/pt_state/obfs4_bridgeline.txt in your SSH Terminal. Your response should look like the following:
Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=<CERT INCLUDED HERE> iat-mode=0
<IP Address> will be the IP Address provided to you by your service provider. <PORT> will be 443. <FINGERPRINT> can be found by running
sudo cat /var/lib/tor/fingerprint in your SSH Terminal - the response will be your bridge’s nickname followed by a space and a string of text, your bridge line should only include that string of text (leave out the nickname and space). Finally, <CERT INCLUDED HERE> was already provided when getting your bridge line, no further action is required here. Your final bridge line will look like the following:
Bridge obfs4 188.8.131.52:443 A1B2C3D4E5F6G7H8I9JK0 cert=A1B2C3D4E5F6G7H8I9JK0 iat-mode=0
You can now give Tor Browser your bridge line and connect to the Tor Network :)
Make sure that your Google Compute Engine firewall rules allow “HTTPS” (TCP Port 443) if the port isn’t open and is blocked by the firewall no one can connect to your bridge and use what you just set up.
For more detailed information on configuring bridges, check out https://www.torproject.org/docs/bridges.html.en, https://tb-manual.torproject.org/en-US/bridges.html, and https://bridges.torproject.org/howto
And if you are still confused after reading over all of this information, please join #tor at irc.oftc.net and someone there will help you.
I’m always open to your suggestions and/or feedback, if you have suggestions or feedback on this blog please send an email to firstname.lastname@example.org I’d love to hear from you :)