I want to help censored users. How can I run an obfs4 (Pluggable Transport) bridge on a Debian-like GNU/Linux machine?
2 Answers
The Tor Project's official guide is available here. It has instructions on how to set up an obfs4 bridge for several platforms, including Debian and Ubuntu. Don't forget to make sure that your OR port and your obfs4 port are publicly reachable. Tor automatically tests its OR port, but it currently (as of August 2019) does not test its obfs4 port. You can use this scanning tool to make sure that your obfs4 port is publicly reachable.
Step 0: Follow this guide to set up the official package repository, and install Tor.
Step 1: Edit your sources.list to add the obfs4proxy repository:
Note: you can skip this step if you're running Debian stable (jessie) or more recent.
deb http://deb.torproject.org/torproject.org obfs4proxy main
Step 2: Install obfs4proxy:
$ sudo apt-get update && sudo apt-get install obfs4proxy
Step 3: Edit your torrc config file, usually located at /etc/tor/torrc
#Bridge config
RunAsDaemon 1
ORPort 9001
BridgeRelay 1
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ExtORPort auto
#set the Nickname and Contact info
ContactInfo <your-contact-info>
Nickname <pick-a-nickname>
Step 4: Restart Tor
$ sudo service tor restart
Step 5: Check the logs and confirm the ORPort is reachable and the obfs4proxy is working.
$ sudo tail -F /var/log/tor/log
You should see something like this:
[notice] Registered server transport 'obfs4' at '[::]:46396'
[notice] Tor has successfully opened a circuit. Looks like client functionality is working.
[notice] Bootstrapped 100%: Done
[notice] Now checking whether ORPort <redacted>:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Great explanation, it helped me a lot. I'd like to add the following: these days I do not see a lot of obfs4 traffic yet. If you want to publish as an obfs3 AND obfs4 bridge relay, you can change the line
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
to
ServerTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy
You only need to install obfs4 as mentioned in the post above. obfs4 is backwards compatible with obfs3.
When you start up your bridge, you will see something like this in your logfile:
Registered server transport 'obfs3' at '[::]:41234'
Registered server transport 'obfs4' at '[::]:44321'
Leave your ExtORPort set to auto for diversity reasons. I have a firewall enabled on my Debian bridge with very restrictive port settings. I had to make port forwards for the given obfs ports in iptables (easy with gufw) as well as in my hardware (internet-)firewall to make things work. So I am not so sure that the ExtORPort is for local connections only as mentioned by Rodger (please let me know if I am wrong here). The obfs3 and obfs4 transport ports Tor chooses for you will be cached, so after booting your bridge you keep the same ports. Hope this helps.
Tor needs bridges, be a bridge if you can!
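The transport ports in the "Registered server transport" log lines quoted in both answers are the ones Tor does not self-test, so a bridge operator has to allow and forward them by hand. The script below is an added example, not part of either answer; its function names and sample log lines are constructed here. It extracts those ports from a Tor log and lists what still needs a firewall rule and an outside check.

```bash
#!/bin/sh
# Added example: turn Tor's startup notices into a firewall checklist.

# Constructed sample log, modelled on the notices quoted in the answers.
SAMPLE_LOG="Aug 01 10:00:01.000 [notice] Registered server transport 'obfs3' at '[::]:41234'
Aug 01 10:00:01.000 [notice] Registered server transport 'obfs4' at '[::]:44321'
Aug 01 10:00:09.000 [notice] Bootstrapped 100%: Done
Aug 01 10:05:30.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor."

# Read Tor log text on stdin and print "transport port", one per line.
# If a transport is registered more than once, the last entry wins.
transport_ports() {
  sed -n "s/.*Registered server transport '\([^']*\)' at '.*:\([0-9][0-9]*\)'.*/\1 \2/p" |
    awk '{ port[$1] = $2 } END { for (t in port) print t, port[t] }' |
    sort
}

# Succeed only if the log on stdin contains Tor's ORPort self-test success.
orport_confirmed() {
  grep -q "Self-testing indicates your ORPort is reachable"
}

# Print one status line for the ORPort and one per transport listener.
firewall_checklist() {
  checklist_log=$(cat)
  if printf '%s\n' "$checklist_log" | orport_confirmed; then
    echo "ORPort: Tor's self-test reports it reachable"
  else
    echo "ORPort: no self-test success in this log yet"
  fi
  printf '%s\n' "$checklist_log" | transport_ports |
    while read -r name port; do
      echo "$name: tcp/$port is not self-tested by Tor; allow it inbound and check it from outside"
    done
}

# Use the log file given as first argument, or the constructed sample.
if [ -n "${1:-}" ]; then
  firewall_checklist < "$1"
else
  printf '%s\n' "$SAMPLE_LOG" | firewall_checklist
fi
```

Run it with the log path as its argument (for example `/var/log/tor/log`, which usually needs root to read).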