25/09/2012
setting up tor + obfsproxy + brdgrd to fight censorship
*WARNING* 14/01/2014 This post is quite deprecated. For example, obfsproxy has been completely rewritten in Python and there is a newer and more secure replacement for obfs2, named obfs3. Please read the obfsproxy-debian-instructions post for any updates.
*Updated* look at the bottom for the list of changes
This post is a simple guide to creating Debian/Ubuntu packages out of the latest versions of Tor, obfsproxy and brdgrd in order to set up a “special gateway” and help people who face censorship. Sharing some of your bandwidth helps a lot of people get back their freedom.
Tor
I guess most people already know what Tor is, quoting from Tor’s website:
Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.
obfsproxy
obfsproxy is a tool that attempts to circumvent censorship, by transforming the Tor traffic between the client and the bridge. This way, censors, who usually monitor traffic between the client and the bridge, will see innocent-looking transformed traffic instead of the actual Tor traffic.
brdgrd
brdgrd is short for “bridge guard”: A program which is meant to protect Tor bridges from being scanned (and as a result blocked) by the Great Firewall of China.
Combining these to work together is quite easy if you follow this simple guide/howto.
////// Become root
$ sudo su -
////// Get build tools/packages
# cd /usr/src/
# apt-get install build-essential libssl-dev devscripts git-core autoconf debhelper autotools-dev libevent-dev dpatch pkg-config
# apt-get install hardening-includes asciidoc docbook-xml docbook-xsl xmlto
# apt-get install screen libnetfilter-queue-dev
////// Get latest versions of tor/obfsproxy/brdgrd
# git clone https://git.torproject.org/debian/obfsproxy.git
# git clone https://git.torproject.org/debian/tor.git
# git clone https://git.torproject.org/brdgrd.git
////// Compile obfsproxy & create package
# cd obfsproxy/
# ./autogen.sh
# debuild -uc -us
////// Compile tor & create package
# cd ../tor/
# ./autogen.sh
# debuild -uc -us
////// Install packages
////// The following package versions might be different depending on your configuration. Change them appropriately by looking at the deb files in your path: ls *.deb
# cd ..
# dpkg -i tor-geoipdb_0.2.4.3-alpha-1_all.deb obfsproxy_0.1.4-2_amd64.deb tor_0.2.4.3-alpha-1_amd64.deb
////// Create Tor configuration
////// PLEASE SEE THE CHANGEME_X VARIABLES BELOW BEFORE RUNNING THE FOLLOWING COMMAND
# cat > /etc/tor/torrc << EOF
AvoidDiskWrites 1
DataDirectory /var/lib/tor
ServerTransportPlugin obfs2 exec /usr/bin/obfsproxy --managed
Log notice file /var/log/tor/notices.log
## If you want to enable the control port uncomment the following 2 lines and add a password
## ControlPort 9051
## HashedControlPassword 16:CHANGEME
## CHANGEME_1 -> provide a nickname for your bridge: 1 to 19 alphanumeric characters, otherwise anything you like.
Nickname CHANGEME_1
## CHANGEME_2 -> How many KB/sec will you share. Don't be stingy! Try putting _at least_ 20 KB.
RelayBandwidthRate CHANGEME_2 KB
## CHANGEME_3 -> Put a slightly higher value than your previous one. e.g. if you put 500 on CHANGEME_2, put 550 on CHANGEME_3.
RelayBandwidthBurst CHANGEME_3 KB
ExitPolicy reject *:*
## CHANGEME_4 -> If you want others to be able to contact you uncomment this line and put your GPG fingerprint for example.
#ContactInfo CHANGEME_4
ORPort 443
#ORPort [2001:db8:1234:5678:9012:3456:7890:1234]:443
BridgeRelay 1
## CHANGEME_5 -> If you don't want to publish your bridge in BridgeDB, so you can privately share it with your friends, uncomment the following line
#PublishServerDescriptor 0
EOF
////// Restart Tor
# /etc/init.d/tor restart
////// Compile and run brdgrd
////// If you've changed ORPort in the Tor config above, be sure to change the "--sport 443" port below as well
////// brdgrd does not help while obfsproxy is running in front of the bridge, but won't hurt either.
# cd brdgrd/
# make
# iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK --sport 443 -j NFQUEUE --queue-num 0
////// brdgrd can't do IPv6 yet... so the next line is commented out
////// ip6tables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK --sport 443 -j NFQUEUE --queue-num 0
////// You can run brdgrd without root by giving the binary the cap_net_admin file capability once (as root), then starting it as a normal user
////// Instead of (as root): screen -dmS brdgrd ./brdgrd -v
$ sudo setcap cap_net_admin=ep ./brdgrd
$ screen -dmS brdgrd ./brdgrd -v
# tail -f /var/log/tor/notices.log
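The torrc above is written by hand with CHANGEME_X placeholders, and a forgotten placeholder or a burst lower than the rate only shows up once tor starts complaining. The following is an added example, not code from the original post, that generates the same torrc from a few values and refuses bad ones first. It assumes (my assumptions, not stated on this page) that a Tor nickname is 1 to 19 alphanumeric characters and that RelayBandwidthBurst must not be lower than RelayBandwidthRate; the 20 KB/s floor is the post's own advice. It also prints the matching brdgrd iptables rule so the --sport value stays in step with ORPort.

```shell
#!/bin/sh
# Added example (not from the original post): render the torrc from the guide
# with the CHANGEME_* slots filled in, refusing bad values before tor sees them.
# Assumptions (mine, not stated on the page): Tor nicknames are 1-19
# alphanumeric characters, and RelayBandwidthBurst must not be lower than
# RelayBandwidthRate. The 20 KB/s floor is the post's own advice.

# Usage: gen_torrc NICKNAME RATE_KB BURST_KB CONTACT PUBLISH(0|1) [ORPORT]
# Writes the torrc to stdout; returns 1 with a reason on stderr if a value is bad.
gen_torrc() {
    nick=$1 rate=$2 burst=$3 contact=$4 publish=$5 orport=${6:-443}

    case $nick in
        ''|*[!A-Za-z0-9]*) echo "nickname must be 1-19 alphanumerics" >&2; return 1 ;;
    esac
    [ "${#nick}" -le 19 ] || { echo "nickname longer than 19 chars" >&2; return 1; }

    for n in "$rate" "$burst" "$orport"; do
        case $n in
            ''|*[!0-9]*) echo "rate, burst and port must be integers" >&2; return 1 ;;
        esac
    done
    [ "$rate" -ge 20 ]       || { echo "rate below 20 KB/s: don't be stingy" >&2; return 1; }
    [ "$burst" -ge "$rate" ] || { echo "burst must be >= rate" >&2; return 1; }
    [ "$orport" -ge 1 ] && [ "$orport" -le 65535 ] || { echo "bad ORPort" >&2; return 1; }

    case $publish in
        0|1) ;;
        *) echo "publish must be 0 or 1" >&2; return 1 ;;
    esac

    # Quoted heredoc delimiter: nothing inside is expanded, so the fixed tor
    # directives land verbatim; the per-bridge values are appended after it.
    cat <<'EOF'
AvoidDiskWrites 1
DataDirectory /var/lib/tor
ServerTransportPlugin obfs2 exec /usr/bin/obfsproxy --managed
Log notice file /var/log/tor/notices.log
ExitPolicy reject *:*
BridgeRelay 1
EOF
    echo "Nickname $nick"
    echo "RelayBandwidthRate $rate KB"
    echo "RelayBandwidthBurst $burst KB"
    echo "ORPort $orport"
    [ -n "$contact" ]  && echo "ContactInfo $contact"
    [ "$publish" = 0 ] && echo "PublishServerDescriptor 0"
    return 0
}

# brdgrd_rule ORPORT: the iptables rule from the guide, with --sport kept in
# step with whatever ORPort gen_torrc was given.
brdgrd_rule() {
    echo "iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK --sport $1 -j NFQUEUE --queue-num 0"
}

# Example run (constructed values): an unpublished bridge on port 8443.
# gen_torrc mybridge 500 550 "your GPG fingerprint" 0 8443 > /etc/tor/torrc
# eval "$(brdgrd_rule 8443)"
```

Redirect the output to /etc/tor/torrc only after the function has returned 0; on failure nothing is written, so a half-filled config never replaces the one tor is currently running with.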
The above guide has been tested on Debian Squeeze and Ubuntu 12.04.
That’s it. You just made the world a better place.
*Update*
I’ve made some changes to the post according to comments on the blog post and #tor-dev.
a) Changed URLs for the git clone operations to https:// instead of git://
b) Changed brdgrd git url to gitweb.torproject.org instead of github.
c) Changed config sections of torrc file
d) Added some more info on brdgrd
*Update2*
Tor has published “official” instructions for setting up obfsproxy bridges on Debian boxes –> Setting up an Obfsproxy Bridge on Debian/Ubuntu
*Update3*
Update sample config to inform about unpublished bridges.
Filed by kargig at 18:50 under Encryption,IPv6,Linux,Networking,Privacy
Tags: 12.04, brdgrd, bridgedb, censorship, debian, guide, HOWTO, ipv6, Linux, obfsproxy, Precise Pangolin, Privacy, Squeeze, tor, ubuntu
Good post! Thanks for sharing..
Although home dsl connections in Greece suck for upload bw
Hi!
Thanks for this guide! Please notice that the brdgrd repository was moved to https://gitweb.torproject.org/brdgrd.git
Hi there,
I am the author of brdgrd. Please note that brdgrd only makes sense when run with a normal bridge. It does not help with obfsproxy although it does not hurt either. Also, brdgrd can’t deal with IPv6 traffic.
You can use file system capabilities so you don’t have to run the tool as root: sudo setcap cap_net_admin=ep ./brdgrd
Thanks for the comment. I’ve made some amendments on the things you pointed out.
Nice post! I have a question for you.
I have 7mbps of upstream bw that I would love to share. However, my ISP is in the bad ISPs list and is known to not allow tor on its residential network. Would that obfuscate traffic from them too? Is it safe?
Yes, you can setup an obfsproxy bridge to help people enter the Tor network. All packets arriving at your bridge will be obfuscated so they won’t be recognized as Tor.
Don’t attempt though to set up an exit node in your “residential network”. That would be a very bad idea.
[…] part. Instructions on installing obfsproxy on Debian/Ubuntu are given in my previous blog post setting up tor + obfsproxy + brdgrd to fight censorship. Installing netcat, the openbsd version; package name is netcat-openbsd on Debian/Ubuntu, is also […]