I am a novice compiling Tor (0.3.2.9) and have been successful using it from Tor Browser as a private bridge by entering "a.b.c.d:9001" into Tor Browser. However, pointing my Tor Browser at the obfs4 on the same machine fails with something like "General SOCKS failure" in the log. Below is my torrc:
SOCKSPort 0
CookieAuthentication 1
ControlPort 9051
ORPort 9001
ExtORPort auto
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
# ServerTransportListenAddr obfs4 [::]:60443
ServerTransportListenAddr obfs4 0.0.0.0:60443
ExitRelay 0
BridgeRelay 1
PublishServerDescriptor 0
Tests I have done: (1) using obfs4 compiled from the git repository, as well as the OS package. (2) opening port 60443, as well as dropping all firewalls, does not make a difference; meanwhile, pointing telnet at a.b.c.d 60443 connects successfully. (3) using Tor Browser with the default supplied obfs4 bridges works well (the log shows I was able to download a list of bridges and their fingerprints).
So I think I have ruled out problems with my Tor client (Tor Browser), and I have ruled out firewall configurations on the server, and ruled out obfs4 being blocked on my ISP. Since Tor itself works, and I have tried obfs4 from source as well as from the OS package, the only thing I can think of is something wrong with the config above.
Any hints would be appreciated, and any steps I can take to diagnose further would be helpful.
Thanks, Jack
Alright, problem solved although I don't understand why. Hope someone can educate me:
What I did: (1) Turned on "Log debug stderr" in torrc, and I could see obfs4 loading correctly. (2) Then I realized obfs4 writes to a file to help people construct the bridge line for Tor Browser, in pt_state/obfs4_bridgeline.txt.
The format is like: Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=[scrubbed] iat-mode=[scrubbed]
This is different from the bridge line I used by hand, i.e. it has a FINGERPRINT, a cert=? and an iat-mode=?. These extra bits made all the difference, but why?
Jack
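As an added example (not from the thread), here is a small Python check of the shape of an obfs4 bridge line as written in pt_state/obfs4_bridgeline.txt, run on constructed sample lines. The address, fingerprint and cert values are made up; the 70-character cert length and the iat-mode values 0/1/2 are assumptions about obfs4proxy's format.

```python
import base64
import re

# obfs4 bridge-line shape from obfs4proxy's pt_state/obfs4_bridgeline.txt:
#   Bridge obfs4 <IP>:<PORT> <FINGERPRINT> cert=<70 base64 chars> iat-mode=<0|1|2>
# Tor Browser's bridge field takes the same line without the leading "Bridge".
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
CERT_RE = re.compile(r"^[A-Za-z0-9+/]{70}$")  # 52 bytes (20 node-id + 32 key), unpadded base64 (assumed)
ADDR_RE = re.compile(r"^(\[[0-9A-Fa-f:]+\]|[0-9.]+|[A-Za-z0-9.-]+):(\d{1,5})$")

def check_bridge_line(line):
    """Return a list of problems with an obfs4 bridge line; an empty list means usable."""
    fields = line.split()
    if fields and fields[0] == "Bridge":  # torrc form; Tor Browser omits this word
        fields = fields[1:]
    problems = []
    if not fields:
        return ["empty bridge line"]
    if fields[0] != "obfs4":
        # "a.b.c.d:9001" alone is a plain bridge line: it reaches the ORPort, never obfs4
        return ["transport name 'obfs4' missing; this is a plain bridge line"]
    if len(fields) < 2 or not ADDR_RE.match(fields[1]):
        problems.append("missing or malformed ADDRESS:PORT")
    elif not 1 <= int(ADDR_RE.match(fields[1]).group(2)) <= 65535:
        problems.append("port out of range")
    if len(fields) < 3 or not FINGERPRINT_RE.match(fields[2]):
        problems.append("missing or malformed 40-hex-digit FINGERPRINT")
    args = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
    cert = args.get("cert")
    if cert is None:
        problems.append("cert= missing: the client cannot complete the obfs4 handshake")
    elif not CERT_RE.match(cert):
        problems.append("cert= is not 70 unpadded base64 characters")
    if args.get("iat-mode") not in ("0", "1", "2"):
        problems.append("iat-mode= missing or not one of 0, 1, 2")
    return problems

# Constructed sample values (not a real bridge): a documentation address,
# a dummy fingerprint, and a cert built from 52 counting bytes.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_CERT = base64.b64encode(bytes(range(52))).decode().rstrip("=")
GOOD_LINE = f"Bridge obfs4 203.0.113.7:60443 {SAMPLE_FPR} cert={SAMPLE_CERT} iat-mode=0"
HAND_LINE = "obfs4 203.0.113.7:60443"  # what a hand-written line without the extra bits amounts to

if __name__ == "__main__":
    for l in (GOOD_LINE, HAND_LINE, "203.0.113.7:9001"):
        print(l, "->", check_bridge_line(l) or "ok")
```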
30. Mar 2018 15:02 by jackoreamnos@tutanota.com:
On 31 Mar 2018, at 04:03, jackoreamnos@tutanota.com wrote:
This is different from the bridge line I used by hand, i.e. it has a FINGERPRINT, a cert=? and an iat-mode=?. These extra bits made all the difference, but why?
Tor can't connect to an obfs4 bridge without its certificate. The encryption just won't work.
iat-mode controls some other protocol details.
T
On Sat, Mar 31, 2018 at 07:40:48AM +1100, teor wrote:
This is different from the bridge line I used by hand, i.e. it has a FINGERPRINT, a cert=? and an iat-mode=?. These extra bits made all the difference, but why?
Tor can't connect to an obfs4 bridge without its certificate. The encryption just won't work.
Right. The longer answer is because obfs4 protects against what are called "active probing" attacks: https://www.freehaven.net/anonbib/#foci12-winter where the censor sees a connection that their Deep Packet Inspection (DPI) system can't classify for sure, so they do a follow-up connection talking the protocol they think it might be.
If you connect to an obfs2 bridge from within China, it will trigger an "active probe" followup, which talks obfs2 + tor to the destination, and when the bridge talks obfs2 + tor back, that address gets banned.
For obfs4, the active prober doesn't know the secret "cert" parameter, and without that the obfs4 bridge won't act like an obfs4 bridge, making it hard for the censor to decide for certain that it should be banned.
Hope that helps, --Roger
On Fri, Mar 30, 2018 at 04:52:23PM -0400, Roger Dingledine wrote:
For obfs4, the active prober doesn't know the secret "cert" parameter,
For far far more detail on the various pluggable transports and how they look on the wire, check out this awesome page that David Fifield put together:
https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTr...
--Roger
Thank you all, that was very helpful. - Jack
30. Mar 2018 20:53 by arma@mit.edu:
https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports
--Roger
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays