Hi there,
I have two questions regarding bridge operations:
Is it possible to run an obfs4 Bridge with external-reachable IPv6 only?
I've tried to set up a "node" on a separate host, but in the same network as
my relay (VLAN-separated).
The idea was to open all external ports required for the Tor part (on IPv4
and IPv6) and assign one different IPv6 address as the external obfs port.
I generally thought this could be beneficial, as with every firewall restart
I get new IPs and potentially evade blocklists.
From what I read there is a higher demand for bridges at the moment due to
Russian and Chinese "IP whitelisting" attempts.
Overall, the networking scheme would look like this (from the firewall's view):
--------
WAN
Source      Target      IP-Ver   Port    Desc.
WAN         Tor-Relay   IPv4/6   30003   Allow incoming relay traffic
WAN         Tor-Bridge  IPv4/6   30004   Allow incoming bridge OR traffic
WAN         Tor-Bridge  IPv6     56120   Allow incoming bridge obfs4 traffic
--------
DMZ
Source      Target      IP-Ver   Port    Desc.
Tor-Relay   "WAN"       IPv4/6   *       Allow outgoing relay traffic
Tor-Bridge  "WAN"       IPv4/6   *       Allow outgoing Tor/bridge traffic
--------
The bridge is starting but freezes in a state before any major bootstrapping
has happened (see logs attached).
I can see outbound and inbound traffic on the Tor ports (30004), but not on
the bridge ports. I assume the Tor part is "partially" working.
In the log, the last line is "[notice] Opened Extended OR listener connection
(ready) on 127.0.0.1:50652" - is that an internal port or the port that I
want to be 56120?
Maybe someone could give me a hint whether this Frankenstein construct is even
supposed to work (like having a bridge with only a public IPv6 address) and if
there are any security constraints.
Second Question: Should I exclude my own relay as Guard?
Other thoughts:
To improve privacy for the bridge even more, I thought about adding a second
interface to the VM and working with IPv6 ULA and NAT for the needed Tor
connection.
E.g. pick any GUA from the externally available IP range, NAT it to the ULA
"fc55:c737:c747:c757::cafe", and also do outbound NAT to the GUA again so as
not to confuse the peers.
But this is for another time.
Last point, maybe it makes you smile about my stupidity... I put a lot of
thought into the physical security of my server; the last step was to trigger a
BitLocker lock when the chassis is opened.
Unfortunately, the chassis-intrusion implementation of the board is not
great, so I ended up connecting the chassis switch to the CLR_CMOS
header. "Perfect solution".
When you open up the chassis, the system immediately resets and, due to the PCR
mismatch, the drive cannot be decrypted. I have removed any "recovery
options" from BitLocker, so there is no 40-digit number you may enter in this case.
If not planned, during a normal boot the TPM + key file + PIN would be
needed to unseal the drive.
I'm using TSME as an additional layer of protection, so all of my RAM is
encrypted and cold boot attacks are not an option anymore. The measured
performance impact was only about 6% in my case. It can be enabled in the
BIOS.
To prevent DMA attacks, I disabled USB support, audio and SATA, and there is
not even a free PCIe slot or any other interface on the board.
The reason for all of this is that I may want to spread some more relays, and I
cannot guard them or ensure that they are 100% safe from physical tampering,
so I want them to just go down immediately when someone messes with them.
If you have any more thoughts/improvements, let me know.
After this long mail, I'm pretty sure you will all sleep well!
Best regards and a nice start into the week!
Joker
Nov 23 17:32:28.431 [notice] Tor 0.4.8.21 running on Windows 8 [or later] with Libevent 2.1.12-stable, OpenSSL 3.5.4, Zlib 1.3.1, Liblzma N/A, Libzstd N/A and Unknown N/A as libc.
Nov 23 17:32:28.431 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Nov 23 17:32:28.454 [notice] Read configuration file "C:\Tor_Bridge\torrc".
Nov 23 17:32:28.456 [notice] Based on detected system memory, MaxMemInQueues is set to 6143 MB. You can override this by setting MaxMemInQueues by hand.
Nov 23 17:32:28.458 [notice] Opening Socks listener on 127.0.0.1:9050
Nov 23 17:32:28.458 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9050
Nov 23 17:32:28.458 [notice] Opening OR listener on 0.0.0.0:30004
Nov 23 17:32:28.458 [notice] Opened OR listener connection (ready) on 0.0.0.0:30004
Nov 23 17:32:28.458 [notice] Opening OR listener on [::]:30004
Nov 23 17:32:28.458 [notice] Opened OR listener connection (ready) on [::]:30004
Nov 23 17:32:28.458 [notice] Opening Extended OR listener on 127.0.0.1:0
Nov 23 17:32:28.458 [notice] Extended OR listener listening on port 50652.
Nov 23 17:32:28.458 [notice] Opened Extended OR listener connection (ready) on 127.0.0.1:50652
Log notice file C:\Tor_Bridge\notice.log
GeoIPFile C:\Tor_Bridge\data\geoip
GeoIPv6File C:\Tor_Bridge\data\geoip6
BridgeRelay 1
# Replace "TODO1" with a Tor port of your choice.
# This port must be externally reachable.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ORPort 30004
ServerTransportPlugin obfs4 exec C:\Tor_Bridge\tor\lyrebird.exe
# Replace "TODO2" with an obfs4 port of your choice.
# This port must be externally reachable and must be different from the one specified for ORPort.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ServerTransportListenAddr obfs4 [::]:56120
# Local communication port between Tor and obfs4. Always set this to "auto".
# "Ext" means "extended", not "external". Don't try to set a specific port number, nor listen on 0.0.0.0.
ExtORPort auto
# Replace "<[email protected]>" with your email address so we can contact you if there are problems with your bridge.
# This is optional but encouraged.
ContactInfo
# Pick a nickname that you like for your bridge. This is optional.
Nickname
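Added example (not part of the post above, and not Tor project tooling): a small Python triage script for a bridge's notice log that answers the question raised in the mail from the log alone, i.e. whether a listener is the loopback-only ExtORPort channel between tor and lyrebird, whether the obfs4 transport ever registered an external address on the expected port, and how far bootstrap got. The posted log is embedded as constructed sample input; the "Registered server transport" and "Bootstrapped 100%" lines in the second sample are an assumption about the notices a healthy bridge prints and are not in the original log. A "bridge up" verdict still only says what tor reported locally; it does not prove the obfs4 port is reachable from the Internet.

```python
"""Triage a Tor bridge notice log: which listeners are local-only, whether the
obfs4 transport registered an external address, and how far bootstrap got.
Added example; not code from the original post or from the Tor project."""
import ipaddress
import re

LISTENER_RE = re.compile(
    r"\[notice\] Opened (?P<kind>Socks|OR|Extended OR) listener connection "
    r"\(ready\) on (?P<addr>\S+)")
# Assumption: tor logs this notice once the pluggable transport (lyrebird)
# reports the address it serves on. Without it there is no obfs4 endpoint.
TRANSPORT_RE = re.compile(
    r"\[notice\] Registered server transport '(?P<name>[\w-]+)' at '(?P<addr>[^']+)'")
BOOTSTRAP_RE = re.compile(r"\[notice\] Bootstrapped (?P<pct>\d+)%")

# Constructed sample 1: the listener lines of the posted log, unwrapped.
POSTED_LOG = """\
Nov 23 17:32:28.458 [notice] Opening Socks listener on 127.0.0.1:9050
Nov 23 17:32:28.458 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9050
Nov 23 17:32:28.458 [notice] Opened OR listener connection (ready) on 0.0.0.0:30004
Nov 23 17:32:28.458 [notice] Opened OR listener connection (ready) on [::]:30004
Nov 23 17:32:28.458 [notice] Extended OR listener listening on port 50652.
Nov 23 17:32:28.458 [notice] Opened Extended OR listener connection (ready) on 127.0.0.1:50652
"""

# Constructed sample 2: same start, followed by the two lines (assumed format)
# a healthy bridge prints once lyrebird is up and bootstrap completes.
HEALTHY_LOG = POSTED_LOG + """\
Nov 23 17:32:29.100 [notice] Registered server transport 'obfs4' at '[::]:56120'
Nov 23 17:33:05.200 [notice] Bootstrapped 100% (done): Done
"""


def split_host_port(addr):
    """'[::]:56120' -> ('::', 56120); '127.0.0.1:50652' -> ('127.0.0.1', 50652)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def analyze(log_text, expected_obfs4_port):
    """Return a dict of facts about the log plus a one-line verdict."""
    listeners, transports, bootstrap = [], {}, None
    for line in log_text.splitlines():
        if m := LISTENER_RE.search(line):
            listeners.append((m["kind"],) + split_host_port(m["addr"]))
        elif m := TRANSPORT_RE.search(line):
            transports[m["name"]] = split_host_port(m["addr"])
        elif m := BOOTSTRAP_RE.search(line):
            bootstrap = int(m["pct"])

    # ExtORPort is the tor<->transport control channel; it must stay on loopback.
    ext = [(h, p) for k, h, p in listeners if k == "Extended OR"]
    ext_or_loopback = None if not ext else all(
        ipaddress.ip_address(h).is_loopback for h, _ in ext)

    obfs4 = transports.get("obfs4")
    if obfs4 is None:
        verdict = ("obfs4 transport never registered: lyrebird did not report a "
                   "listening address (check the plugin path and ServerTransportListenAddr)")
    elif obfs4[1] != expected_obfs4_port:
        verdict = f"obfs4 registered on port {obfs4[1]}, expected {expected_obfs4_port}"
    elif bootstrap != 100:
        verdict = "obfs4 listening, but tor has not bootstrapped to 100%"
    else:
        verdict = "bridge up"

    return {
        "or_ports": sorted({p for k, _, p in listeners if k == "OR"}),
        "ext_or_loopback": ext_or_loopback,
        "obfs4_addr": obfs4,
        # True when the registered obfs4 listener is an IPv6 address (e.g. '::').
        "obfs4_ipv6_only": obfs4 is not None
        and ipaddress.ip_address(obfs4[0]).version == 6,
        "bootstrap_pct": bootstrap,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, log in (("posted", POSTED_LOG), ("healthy", HEALTHY_LOG)):
        print(name + ":", analyze(log, 56120)["verdict"])
```

Run against the posted log, the script reports the ExtORPort as loopback-only (the expected internal channel, not the 56120 obfs4 port) and that no obfs4 transport was ever registered; the expected port is passed in so a transport that came up on the wrong port is flagged rather than counted as healthy.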
_______________________________________________
tor-relays mailing list -- [email protected]
To unsubscribe send an email to [email protected]