Hi,

On 15 Apr 2020, at 01:45, Wilton Gorske <wilton@riseup.net> wrote:

Secondly, and mainly, I am working on setting up ten obfs4 bridge relays
on macOS and keep running into port issues, so I'm hoping to get some
general advice and guidance about how to set this up in the absence of
updated macOS tutorials online.

Thanks for running Tor bridges!

These bridge relays are going to run on one macOS server. Knowing that
they can each have their own dedicated IP address, could someone advise
how to best set up these multiple obfs4 bridge instances so each can be
run (tor -f /usr/local/etc/tor/torrc.1, torrc.2, torrc.3, etc...) under
one non-root user

It's slightly safer to run each instance under its own user.

Then the keys for each instance aren't available to the other instances.

You might find Debian's tor-instance-create script useful:
https://gitweb.torproject.org/debian/tor.git/tree/debian/tor-instance-create

In particular, you can have a defaults torrc for each instance, and then
just change the addresses and ports in each instance's torrc.

with only two public ports open on the data center
network (80 and 443)? I'm getting stuck at the port reachability phase,
and even more so when trying to run multiple instances with
forwarding/binding warnings.

The Application Level Firewall allows certain granted programs
(tor/tor-gencert/tor-print-ed-signing-cert/tor-resolve/torify/obfs4proxy)
the ability to open or accept a network socket. By editing the macOS
network system settings to route port 80 to 9005, and noting ORPort 80
NoListen ORPort 0.0.0.0:9005 NoAdvertise in the torrc, that works
correctly (including routing 443 for obfs4proxy). Running a second
instance is where it seems to break down. Is there a way to have
multiple tor instances sharing a port?

No, tor doesn't support port multiplexing across multiple tor
processes.

Instead, tor automatically multiplexes multiple clients over the same
port, without any special configuration on the server.

My guess is the main issue is that at the system routing level, I need a
way to note each IP and port so it goes to the right tor instance.
Currently, the forwarding is set up like:

rdr pass on en1 inet proto tcp from any to any port 80 -> 127.0.0.1 port 9005

I'm guessing I need some way to designate IP XX.XXX.XX.120 -> port 9005
(torrc.1), XX.XXX.XX.121 -> port 9006 (torrc.2), XX.XXX.XX.122 -> port
9007 (torrc.3), etc. Is that correct?

Yes, that sounds sensible.

A copy of my notes and configurations so far can be found here:
http://5jp7xtmox6jyoqd5.onion/p/ISjeXEW-vt8H1s89bwSW

Please feel free to make suggestions or edits directly in that etherpad.
I'm sure there are multiple ways to do this, but I definitely want to
make sure I am using the most secure method as opposed to the easiest or
quickest... Thanks for any help in advance.

T
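The per-IP redirect scheme agreed on in the thread (one public address per instance, port 80 and 443 on each address redirected to that instance's own loopback ports), written out as a small generator script. This is an added example, not configuration from the thread or from the Tor project: it assumes interface en1 and the first ORPort 9005 from the thread, uses constructed documentation-range addresses (192.0.2.120 and up) in place of the redacted XX.XXX.XX.* ones, and assumes a numbering scheme for the obfs4 loopback ports (ORPort + 100), the DataDirectory paths and the per-instance `_torN` user names; shared settings (BridgeRelay, ServerTransportPlugin, ExtORPort) are expected to live in the defaults torrc that each instance includes.

```shell
#!/bin/sh
# Added example (not from the thread): emit pf rdr rules and the per-instance
# torrc lines for N tor bridge instances, each bound to its own public IP.
# Assumptions: interface en1; loopback ORPort 9004+N (so instance 1 is 9005,
# as in the thread); obfs4 loopback port is ORPort+100; user names _torN and
# DataDirectory /usr/local/var/lib/torN are placeholders chosen here.

# Map a 1-based instance number to its loopback ORPort.
orport_for() {
  echo $((9004 + $1))
}

# Two pf rdr rules for one instance: public port 80 -> ORPort, public port
# 443 -> obfs4 listener. $1 = instance number, $2 = that instance's public IP.
# The "to <IP>" match is what keeps each address going to its own instance.
rdr_rules() {
  orp=$(orport_for "$1")
  obfs=$((orp + 100))
  printf 'rdr pass on en1 inet proto tcp from any to %s port 80 -> 127.0.0.1 port %s\n' "$2" "$orp"
  printf 'rdr pass on en1 inet proto tcp from any to %s port 443 -> 127.0.0.1 port %s\n' "$2" "$obfs"
}

# The torrc lines that differ between instances; everything shared goes in
# the defaults file. $1 = instance number, $2 = public IP.
torrc_for() {
  orp=$(orport_for "$1")
  obfs=$((orp + 100))
  cat <<EOF
# torrc.$1 (instance $1, public address $2)
DataDirectory /usr/local/var/lib/tor$1
User _tor$1
Address $2
OutboundBindAddress $2
ORPort 80 NoListen
ORPort 127.0.0.1:$orp NoAdvertise
ServerTransportListenAddr obfs4 127.0.0.1:$obfs
EOF
}

# Constructed address list: one public IP per instance (documentation range).
n=0
for ip in 192.0.2.120 192.0.2.121 192.0.2.122; do
  n=$((n + 1))
  echo "## pf rules for instance $n"
  rdr_rules "$n" "$ip"
  echo "## torrc.$n"
  torrc_for "$n" "$ip"
  echo
done
```

Running the script prints the rdr lines to paste into pf.conf and the distinct lines for torrc.1, torrc.2, torrc.3; each instance is then started as its own user with `tor -f /usr/local/etc/tor/torrc.N`. Keeping the loopback ports unique per instance is what avoids the bind conflicts mentioned in the thread, since the public ports are only reused by pf on different destination addresses, never by two tor processes.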