Previous Page

nihilist - 01 / 02 / 2024

TOR Bridge (June 2023 update)

Before we start, you will need a Debian VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your Debian server.

Initial Setup



apt update -y && apt upgrade -y
apt install curl tmux vim obfs4proxy nyx gnupg2 -y

root@Datura:~# cat /etc/apt/sources.list |head -n3

deb     [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main

root@Datura:~# wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

apt update -y
apt install tor nyx

#To configure tor we need to edit the configuration file with the following entry. Replace the TODOs with the port numbers you wish to use

#Open conf file
vim /etc/tor/torrc

#Added configuration
BridgeRelay 1

# Replace "TODO1" with a Tor port of your choice.
# This port must be externally reachable.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ORPort 37051

ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy

# Replace "TODO2" with an obfs4 port of your choice.
# This port must be externally reachable and must be different from the one specified for ORPort.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ServerTransportListenAddr obfs4 0.0.0.0:8042

# Local communication port between Tor and obfs4.  Always set this to "auto".
# "Ext" means "extended", not "external".  Don't try to set a specific port number, nor listen on 0.0.0.0.
ExtORPort auto

# Replace "<address@email.com>" with your email address so we can contact you if there are problems with your bridge.
# This is optional but encouraged.
ContactInfo nihilist@nowhere.moe

# Pick a nickname that you like for your bridge.  This is optional.
Nickname Nihilist

Then restart the tor service + enable it:


#Restart service
systemctl restart tor@default

#Enable at boot
systemctl enable --now tor@default

Nyx monitoring



Once it finished installing, you can monitor your tor bridge node activity with nyx:


sudo -u debian-tor nyx

Using your own bridge



Next install tor-browser (in arch linux you can do it from the AUR), if not just go to the downloads page.


yay -S torbrowser-launcher

Then Launch it, and go in your preferences:

Here specifying your own bridge is not that simple, you need to use the following syntax:


Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=<CERTIFICATE> iat-mode=0

First find the ip address of your server:


root@debian-s-1vcpu-1gb-lon1-01:~# curl ifconfig.me && echo && echo
134.209.26.190

Next find the port :


sudo -u debian-tor nyx

Just hit right arrow 3 times to get to your torrc config preview:

And here we have port 8042. Next we need the fingerprint which is at page 1 of nyx, so press leftarrow to get back to page 1 and then scroll down using the downarrow:

Here it is 829165B21621041E7A9CDF7192AFFC51CA640B0E, be careful not to copy the other one above which is the HASHED identity key. Here we want the original identity key fingerprint. After this, we need the server's certificate:



root@debian-s-1vcpu-1gb-lon1-01:~# cat /var/lib/tor/pt_state/obfs4_bridgeline.txt
# obfs4 torrc client bridge line
#
# This file is an automatically generated bridge line based on
# the current obfs4proxy configuration.  EDITING IT WILL HAVE
# NO EFFECT.
#
# Before distributing this Bridge, edit the placeholder fields
# to contain the actual values:
#  <IP ADDRESS>  - The public IP address of your obfs4 bridge.
#  <PORT>        - The TCP/IP port of your obfs4 bridge.
#  <FINGERPRINT> - The bridge's fingerprint.

Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=L04rcSpDJb9xdGUy/LgAlxbNgtQUWPJFsdF3q2i8lKRmzffiVFJU5ARjr4RYXRZSrsNYXg iat-mode=0

Here in this case we need the last part: cert=L04rcSpDJb9xdGUy/LgAlxbNgtQUWPJFsdF3q2i8lKRmzffiVFJU5ARjr4RYXRZSrsNYXg iat-mode=0

And so we combine it all to get the string we need:


Bridge obfs4 134.209.26.190:8042 829165B21621041E7A9CDF7192AFFC51CA640B0E  cert=L04rcSpDJb9xdGUy/LgAlxbNgtQUWPJFsdF3q2i8lKRmzffiVFJU5ARjr4RYXRZSrsNYXg iat-mode=0

Paste it in and hit "new identity":

Then we check if it is working on check.torproject.org:

And that's it! we have been able to use our own VPS-hosted tor bridge!

Nihilism

Until there is Nothing left.

About nihilist

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nowhere.moe (PGP)