In response to the blocking of Tor in even more countries and organisations, I decided to set up a (private) bridge. I would like the bridge to:

  • be accessible to users with strict outgoing connection filtering (in particular, blocking of access to non-standard ports)
  • be as difficult to discover as possible (consider scanning of known ports for Tor protocol)

What would be the configuration of the bridge to best address these goals?

Namely:

  1. What numbers to choose for OR and obfs4proxy ports?
  2. Does opening a DIR port on a bridge make sense, and if yes, on which port?
  3. Which ports to forward on the router?
  4. Does using IPv6 provide any benefit over just IPv4?

"How to run an obfs4 bridge?" provides some highlights but does not exactly answer the questions I have.

ilya

1 Answer

What numbers to choose for OR and obfs4proxy ports?

For an obfs4 bridge I'd recommend:

  1. Picking a low numbered port that's used by a common service for obfs4 (it takes a few extra steps to allow obfs4 to bind to low ports) might help some users (and may hinder others, e.g. if their DPI reasons: "I know that obfs4 traffic definitely isn't the service that normally runs on port 443".)
  2. Picking a randomly chosen high numbered port that isn't used by any common services for the ORPort to make it more difficult to detect by someone performing internet wide scans on common ports. (e.g. python2 -c 'import random;print random.randint(1025,65535)')

I'd strongly recommend that you implement 2, but 1 is more of an open question. By default obfs4proxy will pick a random high numbered port for itself.

Does opening a DIR port on a bridge make sense, and if yes, on which port?

No, the client will use you as a directory guard but this communication is done over the obfs4 or OR connection. This doesn't require exposing a DirPort, and exposing one is just adding more potential for your bridge to be detected as a bridge by some adversary scanning for bridges.

Does using IPv6 provide any benefit over just IPv4?

It will allow users who are on IPv6-only connections to use your bridge. Anecdotally, since IPv6 isn't widely adopted some (of the crappier) DPI might have a tougher time censoring IPv6.

cacahuatl
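The recommendations in the answer (random high ORPort, obfs4 on a low "common service" port, no DirPort, IPv6 listener, unpublished descriptor for a private bridge) put together as a torrc generator. This is an added example, not code from the question or the answer; the list of ports to skip, the obfs4proxy path and the nickname are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pick a random high ORPort that
# avoids a few commonly probed high ports, then render a torrc for a private
# obfs4 bridge. Binary path and nickname are assumed placeholders.

# High ports that internet-wide scanners tend to probe (constructed list).
COMMON_HIGH_PORTS="1080 1433 1521 3306 3389 5432 5900 8080 8443 9001 9030 9050 9051"

pick_orport() {
    # Draw 16 random bits from /dev/urandom, map into 1025..65535 and
    # redraw if the result is on the skip list above.
    while :; do
        n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
        p=$(( n % 64511 + 1025 ))
        case " $COMMON_HIGH_PORTS " in
            *" $p "*) continue ;;
        esac
        echo "$p"
        return 0
    done
}

render_torrc() {
    # $1 = ORPort (random high port), $2 = obfs4 listen port (443 per option 1)
    cat <<EOF
BridgeRelay 1
# Random high-numbered ORPort (option 2); on IPv4 and IPv6. No DirPort is set.
ORPort $1
ORPort [::]:$1
ExtORPort auto
# Assumed path to the obfs4proxy binary.
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
# obfs4 on a low port: tor/obfs4proxy need CAP_NET_BIND_SERVICE to bind it.
ServerTransportListenAddr obfs4 0.0.0.0:$2
# Private bridge: keep the descriptor out of the bridge authority.
PublishServerDescriptor 0
Nickname ExampleBridge
EOF
}

# Usage: render_torrc "$(pick_orport)" 443 > /etc/tor/torrc
```

Forward only the two chosen ports (ORPort and the obfs4 port) on the router; the torrc above deliberately contains no DirPort line to forward.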