Re: [tor-relays] Bridge Questions, Best Practices

2019-12-19 Thread Eddie

Thanks for the follow up.

On 12/18/2019 3:20 PM, Philipp Winter wrote:
> On Wed, Dec 18, 2019 at 12:12:03PM -0800, Eddie wrote:
> > I've seen a few comments mentioning the lack of obfs4 bridges using port
> > 443, so as I don't run any kind of webserver on the VPS I can do this.  I
> > also wanted to run an obfuscated bridge on port 80, but it seems that you
> > can only run a single instance of obfs4. Searching around, the most common
> > setup I found was this:
> >
> > ServerTransportListenAddr obfs3 [::]:80
> > ServerTransportListenAddr obfs4 [::]:443
> >
> > Is this the best way to support both port 80 and 443, or is there a better
> > way.
>
> You cannot run two obfs4 instances under one Tor instance.  You will
> either have to start two Tor instances or configure a port forward from
> port 80 to 443.

Let me look into the easiest option for this.  For now, I've just
dropped the obfs3:80 part.

> Also, there's no point in running both obfs3 and obfs4: If a bridge runs
> multiple transports and some are resistant to active probing attacks
> (scramblesuit, obfs4) while others aren't (vanilla Tor, obfs2, obfs3,
> fte), then BridgeDB won't hand out the bridge's vulnerable transports
> because they constitute a liability to the resistant transports.  See
> the following ticket for more details:
>
>
> > Next, the ORPort.  There seems to be confusing information about setting
> > this up, in conjunction with obfs4proxy.  Again, my setup:
> >
> > ORPort 9001
> > ORPort [--my public ipv6 address--]:9002
>
> Ideally, it shouldn't be necessary to expose an OR port if one is only
> running an obfs4 bridge.  Unfortunately, we're not quite there yet:
>
>
> I suggest selecting a random OR port other than 9001.

Done.

> > Again, is this the best way, as I've seen some information that says avoid
> > 9001, but others say it's OK to use for a bridge, with obfs4proxy.
>
> It's best to avoid port 9001 because this port is commonly associated
> with Tor.  Censors could easily scan the entire IPv4 address space for
> port 9001 and block whatever turns out to be a Tor bridge.
>
> Cheers,
> Philipp
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays



Cheers.



Re: [tor-relays] Bridge Questions, Best Practices

2019-12-18 Thread Philipp Winter
On Wed, Dec 18, 2019 at 12:12:03PM -0800, Eddie wrote:
> I've seen a few comments mentioning the lack of obfs4 bridges using port
> 443, so as I don't run any kind of webserver on the VPS I can do this.  I
> also wanted to run an obfuscated bridge on port 80, but it seems that you
> can only run a single instance of obfs4. Searching around, the most common
> setup I found was this:
> 
> ServerTransportListenAddr obfs3 [::]:80
> ServerTransportListenAddr obfs4 [::]:443
> 
> Is this the best way to support both port 80 and 443, or is there a better
> way.

You cannot run two obfs4 instances under one Tor instance.  You will
either have to start two Tor instances or configure a port forward from
port 80 to 443.

Also, there's no point in running both obfs3 and obfs4: If a bridge runs
multiple transports and some are resistant to active probing attacks
(scramblesuit, obfs4) while others aren't (vanilla Tor, obfs2, obfs3,
fte), then BridgeDB won't hand out the bridge's vulnerable transports
because they constitute a liability to the resistant transports.  See
the following ticket for more details:


> Next, the ORPort.  There seems to be confusing information about setting
> this up, in conjunction with obfs4proxy.  Again, my setup:
> 
> ORPort 9001
> ORPort [--my public ipv6 address--]:9002

Ideally, it shouldn't be necessary to expose an OR port if one is only
running an obfs4 bridge.  Unfortunately, we're not quite there yet:


I suggest selecting a random OR port other than 9001.

> Again, is this the best way, as I've seen some information that says avoid
> 9001, but others say it's OK to use for a bridge, with obfs4proxy.

It's best to avoid port 9001 because this port is commonly associated
with Tor.  Censors could easily scan the entire IPv4 address space for
port 9001 and block whatever turns out to be a Tor bridge.

Cheers,
Philipp
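A torrc check that encodes the three points of the reply above (no OR port on 9001, one listener per transport, no probing-vulnerable transport beside a resistant one). It is an example added here, not code from the thread or from the Tor Project; the rule names, the documentation IPv6 address and port 34567 are constructed for illustration.

```python
# Added example (not from the thread): lint a bridge torrc against the reply above.
PROBE_RESISTANT = {"scramblesuit", "obfs4"}   # transports the reply calls resistant
PROBE_VULNERABLE = {"obfs2", "obfs3", "fte"}  # transports the reply calls not resistant
WELL_KNOWN_OR_PORT = 9001                     # port commonly associated with Tor

def parse_port(addr):
    """Port from '9001', '192.0.2.1:443' or '[2001:db8::1]:443'; None if absent."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None

def lint_torrc(text):
    """Return (rule, detail) findings; rule names are made up for this example."""
    findings, transports = [], {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(parts) < 2:
            continue
        option = parts[0].lower()
        if option == "orport" and parse_port(parts[1]) == WELL_KNOWN_OR_PORT:
            findings.append(("orport-9001", " ".join(parts)))
        elif option == "servertransportlistenaddr" and len(parts) >= 3:
            transports.setdefault(parts[1].lower(), []).append(parts[2])
    for name, addrs in transports.items():
        if len(addrs) > 1:  # the reply: no two obfs4 instances under one Tor instance
            findings.append(("duplicate-transport", f"{name}: {', '.join(addrs)}"))
    weak = sorted(set(transports) & PROBE_VULNERABLE)
    if weak and set(transports) & PROBE_RESISTANT:
        findings.append(("mixed-transports", ", ".join(weak)))
    return findings

# The configuration from the question; the IPv6 address is a documentation placeholder.
ORIGINAL = """\
ORPort 9001
ORPort [2001:db8::1]:9002
ServerTransportListenAddr obfs3 [::]:80
ServerTransportListenAddr obfs4 [::]:443
"""
# Constructed revision: a non-default OR port (34567 is arbitrary), obfs4 only.
REVISED = """\
ORPort 34567
ORPort [2001:db8::1]:34568
ServerTransportListenAddr obfs4 [::]:443
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("revised", REVISED)):
        print(label, lint_torrc(cfg) or "no findings")
```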


[tor-relays] Bridge Questions, Best Practices

2019-12-18 Thread Eddie

Hi,

Just setting up a new bridge, on a new VPS, to complement the relay I 
run at home and have a couple of questions regarding best practices.


I set the bridge up from scratch, so it has no connections back to my 
relay fingerprint etc. as I understand that's "a bad thing".


I've seen a few comments mentioning the lack of obfs4 bridges using port 
443, so as I don't run any kind of webserver on the VPS I can do this.  
I also wanted to run an obfuscated bridge on port 80, but it seems that 
you can only run a single instance of obfs4. Searching around, the most 
common setup I found was this:


ServerTransportListenAddr obfs3 [::]:80
ServerTransportListenAddr obfs4 [::]:443

Is this the best way to support both port 80 and 443, or is there a 
better way.


Next, the ORPort.  There seems to be confusing information about setting 
this up, in conjunction with obfs4proxy.  Again, my setup:


ORPort 9001
ORPort [--my public ipv6 address--]:9002

Again, is this the best way, as I've seen some information that says 
avoid 9001, but others say it's OK to use for a bridge, with obfs4proxy.


Cheers.



Re: [tor-relays] bridge questions

2018-02-13 Thread Jonathan Marquardt
On Tue, Feb 13, 2018 at 04:49:28PM -0800, Arisbe wrote:
> I have several quick questions:  Can bridges use an IPv6 ORPort? Is there any
> advantage to adding this to my bridges?  Has anyone actually seen IPv6
> connections on a bridge?

It is possible to enable IPv6 for your bridge's ORPort.

Like this for example:

ORPort 443
ORPort [2a02:c207:3002:5060::1]:443

The first entry enables your IPv4 ORPort, the second does it for IPv6. You 
need to manually enter your server's reachable IPv6 address there.

As you can see here, there are many bridges with an IPv6 ORPort: 
https://metrics.torproject.org/bridges-ipv6.html

The advantage is that users can connect to your bridge using IPv6, obviously. 
The number of users doing so is around 1000, as you can see here: 
https://metrics.torproject.org/userstats-bridge-version.html?version=v6

It's always a good idea to have a look at some of the Tor Metrics. It can give 
you some valuable insights.
-- 
OpenPGP Key: 47BC7DE83D462E8BED18AA861224DBD299A4F5F3
 https://www.parckwart.de/pgp_key




Re: [tor-relays] bridge questions

2018-02-13 Thread TorGate
hi, that's a question also from here :-)

regards TorGate

> On 14.02.2018 at 01:49, Arisbe wrote:
> 
> Hello Tor users,
> 
> I have several quick questions:  Can bridges use an IPv6 ORPort? Is there any 
> advantage to adding this to my bridges?  Has anyone actually seen IPv6 
> connections on a bridge?
> 
> Thanks for the feedback...
> 


[tor-relays] bridge questions

2018-02-13 Thread Arisbe

Hello Tor users,

I have several quick questions:  Can bridges use an IPv6 ORPort? Is there 
any advantage to adding this to my bridges?  Has anyone actually seen 
IPv6 connections on a bridge?


Thanks for the feedback...
