Tor obfs4 bridge

Hi all, would it be possible to add the option for setting up an obfs4 bridge to Tor addon?
Here is a guide from torproject.org that may help: https://community.torproject.org/relay/setup/bridge/

Thanks in advance

Yes, running a Tor Bridge is supported.

Hi all,
this topic is kind of old, but I am currently working on the obfuscation topic and also tested obfs4proxy for Tor (the same might be interesting for OpenVPN) to, let's say, scramble things a little :ghost: .

The setup:

# obfs4proxy settings
UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy -enableLogging=true -logLevel INFO managed
# From tor bridge address side --> https://bridges.torproject.org/bridges?transport=obfs4
Bridge obfs4 185.72.156.57:443 57EDD0BEFB27A78056CB95EC23092D59716A9260 cert=oUvzR6y6YHiWfmy+X+AbSDpJbHtOvBWbiDw/wmx9OU9BFOs5r9uW0zIlbU1ufqKxH/5+TQ iat-mode=0
Bridge obfs4 216.126.231.145:8080 E1E11AEA17661A302507775069C50E784979E21E cert=6PuMrTakSg5Coza5tUNl11SSeaWtXFkxiNyRhyXXNS6BnTiZoPbRo3uZY0+MeMzJN1E2Ew iat-mode=0

ControlPort 9051
SocksPort 0.0.0.0:9050
SocksPolicy accept 192.168.12.0/255.255.255.0
SocksPolicy accept 192.168.134.0/255.255.255.0
SocksPolicy accept 10.1.52.0/255.255.255.0
SocksPolicy reject *

The “-enableLogging=true -logLevel INFO” parameters have been set for more information but are not needed. The log is located under /var/lib/tor/pt_state/obfs4proxy.log .

A
chown root:tor /usr/bin/obfs4proxy
should be made.

  • Restart has been made via command line with
    /usr/local/bin/torctrl stop
    /usr/local/bin/torctrl restart

Checking /var/log/messages looks like this:

Sep 30 15:38:55 ipfire-prime Tor[28323]: Read configuration file "/usr/share/tor/defaults-torrc".
Sep 30 15:38:55 ipfire-prime Tor[28323]: Read configuration file "/etc/tor/torrc".
Sep 30 15:38:55 ipfire-prime Tor[28323]: ControlPort is open, but no authentication method has been configured.  This means that any program on your computer can reconfigure your Tor.  That's bad!  You should upgrade your Tor controller as soon as possible.
Sep 30 15:38:55 ipfire-prime Tor[28323]: You specified a public address '0.0.0.0:9050' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Sep 30 15:38:55 ipfire-prime Tor[28323]: Opening Socks listener on 0.0.0.0:9050
Sep 30 15:38:55 ipfire-prime Tor[28323]: Opened Socks listener on 0.0.0.0:9050
Sep 30 15:38:55 ipfire-prime Tor[28323]: Opening Control listener on 127.0.0.1:9051
Sep 30 15:38:55 ipfire-prime Tor[28323]: Opened Control listener on 127.0.0.1:9051
Sep 30 15:38:56 ipfire-prime Tor[28323]: Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Sep 30 15:38:57 ipfire-prime Tor[28323]: Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Sep 30 15:38:57 ipfire-prime Tor[28323]: Bootstrapped 0% (starting): Starting
Sep 30 15:38:59 ipfire-prime Tor[28323]: Starting with guard context "bridges"
Sep 30 15:38:59 ipfire-prime Tor[28323]: Bridge 'Unnamed' has both an IPv4 and an IPv6 address.  Will prefer using its IPv4 address (185.72.156.57:443) based on the configured Bridge address.
Sep 30 15:38:59 ipfire-prime Tor[28323]: new bridge descriptor 'Unnamed' (cached): $57EDD0BEFB27A78056CB95EC23092D59716A9260~Unnamed at 185.72.156.57 and [2606:2e00:0:3e::1d]
Sep 30 15:38:59 ipfire-prime Tor[28323]: new bridge descriptor 'Unnamed' (cached): $E1E11AEA17661A302507775069C50E784979E21E~Unnamed at 216.126.231.145
Sep 30 15:38:59 ipfire-prime Tor[28323]: Bridge 'Unnamed' has both an IPv4 and an IPv6 address.  Will prefer using its IPv4 address (185.72.156.57:443) based on the configured Bridge address.
Sep 30 15:38:59 ipfire-prime Tor[28323]: new bridge descriptor 'Unnamed' (cached): $57EDD0BEFB27A78056CB95EC23092D59716A9260~Unnamed at 185.72.156.57 and [2606:2e00:0:3e::1d]
Sep 30 15:38:59 ipfire-prime Tor[28323]: new bridge descriptor 'Unnamed' (cached): $E1E11AEA17661A302507775069C50E784979E21E~Unnamed at 216.126.231.145
Sep 30 15:38:59 ipfire-prime Tor[28323]: Delaying directory fetches: Pluggable transport proxies still configuring
Sep 30 15:38:59 ipfire-prime Tor[28323]: Application request when we haven't received a consensus with exits. Optimistically trying known bridges again.
Sep 30 15:38:59 ipfire-prime Tor[28323]: Bootstrapped 1% (conn_pt): Connecting to pluggable transport
Sep 30 15:38:59 ipfire-prime Tor[28323]: Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
Sep 30 15:38:59 ipfire-prime Tor[28323]: Bootstrapped 10% (conn_done): Connected to a relay
Sep 30 15:38:59 ipfire-prime Tor[28323]: Bootstrapped 14% (handshake): Handshaking with a relay
Sep 30 15:38:59 ipfire-prime Tor[28323]: Bootstrapped 15% (handshake_done): Handshake with a relay done
Sep 30 15:38:59 ipfire-prime Tor[28323]: Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Sep 30 15:38:59 ipfire-prime Tor[28323]: Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Sep 30 15:38:59 ipfire-prime Tor[28323]: Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Sep 30 15:39:00 ipfire-prime Tor[28323]: Bridge 'Unnamed' has both an IPv4 and an IPv6 address.  Will prefer using its IPv4 address (185.72.156.57:443) based on the configured Bridge address.
Sep 30 15:39:00 ipfire-prime Tor[28323]: new bridge descriptor 'Unnamed' (fresh): $E1E11AEA17661A302507775069C50E784979E21E~Unnamed at 216.126.231.145
Sep 30 15:39:01 ipfire-prime Tor[28323]: Bootstrapped 100% (done): Done
Sep 30 15:39:01 ipfire-prime Tor[28323]: Bridge 'Unnamed' has both an IPv4 and an IPv6 address.  Will prefer using its IPv4 address (185.72.156.57:443) based on the configured Bridge address.
Sep 30 15:39:01 ipfire-prime Tor[28323]: new bridge descriptor 'Unnamed' (fresh): $57EDD0BEFB27A78056CB95EC23092D59716A9260~Unnamed at 185.72.156.57 and [2606:2e00:0:3e::1d]

If a bridge fails, Tor logs it in messages, e.g.:
Tor[10896]: Proxy Client: unable to connect to 2.202.119.133:41902 ("general SOCKS server failure")

ps looks like this:

$ ps aux | grep obfs | grep -v grep
tor      10897  0.0  0.7 850664 14276 ?        Sl   16:39   0:03 /usr/bin/obfs4proxy -enableLogging=true -logLevel INFO managed

so obfs4proxy runs with lowered privileges :slightly_smiling_face: .

netstat said:

$ netstat -tlpn | grep obfs
tcp        0      0 127.0.0.1:34779         0.0.0.0:*               LISTEN      10897/obfs4proxy

So obfs4proxy is active…

So it seems to work fine at first glance, but I asked myself if obfs4proxy is currently the state of the art in this topic and I found this paper --> https://www.researchgate.net/publication/328842109_A_Study_in_Protocol_Obfuscation_Techniques_and_their_Effectiveness which is pretty interesting IMHO. A pretty interesting tool might also be Meek --> https://trac.torproject.org/projects/tor/wiki/doc/meek I will also give it a try when the build is done.

So it should not be that hard to activate obfs4proxy for Tor in IPFire, even though it is currently all done via command line and not integrated in the WUI.

Some info from here.

Best,

Erik
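
The two startup warnings in the log above (ControlPort without authentication, SocksPort on a public address) and a Bridge line whose transport has no ClientTransportPlugin can be caught before Tor is restarted. The following torrc audit is an added example, not part of the original posts or of IPFire; the finding names and the sample config with placeholder bridge values are constructed, and it assumes the last SocksPolicy entry decides whether unmatched clients are rejected.

```python
import ipaddress

# Constructed sample modelled on the torrc in the post; bridge values are placeholders.
SAMPLE_TORRC = """\
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
Bridge obfs4 192.0.2.10:443 <FINGERPRINT> cert=<CERT> iat-mode=0
ControlPort 9051
SocksPort 0.0.0.0:9050
SocksPolicy accept 192.168.12.0/255.255.255.0
SocksPolicy reject *
"""

def parse_torrc(text):
    """Map lower-cased option name -> list of values, in file order."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return opts

def binds_loopback_only(spec):
    """True for a bare port, 'auto', a unix socket or a loopback address."""
    addr = spec.split()[0]
    if addr.startswith("unix:") or ":" not in addr:
        return True
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def audit(text):
    opts = parse_torrc(text)
    found = set()
    authed = "1" in opts.get("cookieauthentication", []) or "hashedcontrolpassword" in opts
    if not authed and any(v != "0" for v in opts.get("controlport", [])):
        found.add("controlport-no-auth")
    if not all(binds_loopback_only(v) for v in opts.get("socksport", [])):
        policy = opts.get("sockspolicy", [])
        last = policy[-1].split(",")[-1].split() if policy else []
        closed = last in (["reject", "*"], ["reject", "*:*"])
        found.add("socks-public-restricted" if closed else "socks-open-proxy")
    plugins = {t for v in opts.get("clienttransportplugin", []) for t in v.split()[0].split(",")}
    for bridge in opts.get("bridge", []):
        transport = bridge.split()[0]
        if ":" not in transport and transport not in plugins:
            found.add("bridge-missing-plugin:" + transport)
    return sorted(found)
```

Calling `audit(open("/etc/tor/torrc").read())` returns an empty list once the control port has `CookieAuthentication 1` or a `HashedControlPassword` and the SOCKS listener is bound to loopback.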