Support webtunnel, obfs and snowflake bridges

.github/renovate.json

@@ -24,6 +24,33 @@
       "versioningTemplate": "loose",
       "datasourceTemplate": "repology",
       "depNameTemplate": "alpine_3_19/{{package}}"
+    },
+    {
+      "fileMatch": ["/Dockerfile$"],
+      "matchStrings": [
+        "ARG OBFS_VERSION=[\"']?(?<currentValue>.+?)[\"']?\\s+"
+      ],
+      "versioningTemplate": "loose",
+      "datasourceTemplate": "github-releases",
+      "depNameTemplate": "Yawning/obfs4"
+    },
+    {
+      "fileMatch": ["/Dockerfile$"],
+      "matchStrings": [
+        "ARG SNOWFLAKE_VERSION=[\"']?(?<currentValue>.+?)[\"']?\\s+"
+      ],
+      "versioningTemplate": "loose",
+      "datasourceTemplate": "github-releases",
+      "depNameTemplate": "tpo/anti-censorship/pluggable-transports/snowflake"
+    },
+    {
+      "fileMatch": ["/Dockerfile$"],
+      "matchStrings": [
+        "ARG WEBTUNNEL_VERSION=[\"']?(?<currentValue>.+?)[\"']?\\s+"
+      ],
+      "versioningTemplate": "loose",
+      "datasourceTemplate": "github-releases",
+      "depNameTemplate": "tpo/anti-censorship/pluggable-transports/webtunnel"
     }
   ],
   "packageRules": [

tor/DOCS.md

@@ -51,6 +51,7 @@ client_names:
   - haremote2
 ports:
   - 8123
+bridges: []
 ```
 
 **Note**: _This is just an example, don't copy and past it! Create your own!_
@@ -150,6 +151,62 @@ The accepted syntaxs of this configuration is:
 If you do not define a published port, the local port will be used.
 If you do not define a hostname or IP adress `homeassistant` will be used.
 
+### Option: `bridges`
+
+> Keep the option value clean to avoid using of any transport plugins and bridges.
+
+Bridges are Tor relays that help you circumvent censorship.
+Access to bridges is provided by supported transport plugins:
+
+#### OBFS
+
+Because bridge addresses are not public, you will need to request them yourself. You have a few options:
+
+* Visit [Tor][tor-bridges-obfs4] project and follow the instructions, or
+* Email bridges@torproject.org from a Gmail, or Riseup email address
+* Send a message to @GetBridgesBot on Telegram. Tap on 'Start' or write /start or /bridges in the chat.
+
+For example:
+
+```yaml
+bridges:
+  - >-
+    obfs4 123.45.67.89:443 EFC6A00EE6272355C023862378AC77F935F091E4
+    cert=KkdWiWlfetJG9SFrzX8g1teBbgxtsc0zPiN5VLxqNNH+iudVW48CoH/XVXPQntbivXIqZA
+    iat-mode=0
+```
+
+#### Webtunnel
+
+Visit [Tor][tor-bridges-webtunnel] project and follow the instructions
+
+For example:
+
+```yaml
+bridges:
+  - >-
+    webtunnel 192.0.2.3:1
+    DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
+    url=https://akbwadp9lc5fyyz0cj4d76z643pxgbfh6oyc-167-71-71-157.sslip.io/5m9yq0j4ghkz0fz7qmuw58cvbjon0ebnrsp0
+    ver=0.0.1
+```
+
+#### Snowflake
+
+What is [snowflake][what-is-snowflake], example:
+
+```yaml
+bridges:
+  - >-
+    snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72
+    fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72
+    url=https://snowflake-broker.torproject.net/
+    ampcache=https://cdn.ampproject.org/
+    front=www.google.com
+    ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478
+    utls-imitate=hellorandomizedalpn
+```
+
 ## Tor client access setup
 
 Using this add-on, you can access your Home Assistant instance over Tor from
@@ -261,3 +318,6 @@ SOFTWARE.
 [releases]: https://github.com/hassio-addons/addon-tor/releases
 [semver]: http://semver.org/spec/v2.0.0.htm
 [tor-hidden-service]: https://www.torproject.org/docs/hidden-services.html.en
+[tor-bridges-obfs4]: https://bridges.torproject.org/bridges/?transport=obfs4
+[tor-bridges-webtunnel]: https://bridges.torproject.org/bridges/?transport=webtunnel
+[what-is-snowflake]: https://support.torproject.org/censorship/what-is-snowflake/

tor/Dockerfile

@@ -9,14 +9,43 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 COPY rootfs /
 
 # Setup base
+ARG OBFS_VERSION=obfs4proxy-0.0.14
+ARG SNOWFLAKE_VERSION=v2.9.2
+ARG WEBTUNNEL_VERSION=c6e11b4fc27bb36d38a3dd903aaa1c5deb66ff0b
 RUN \
     apk add --no-cache \
         coreutils=9.4-r2 \
         openssl=3.1.4-r6 \
-        tor=0.4.8.11-r0
+        tor=0.4.8.11-r0 \
+        go=1.21.9-r0 \
+        git=2.43.0-r0 \
+        ca-certificates=20240226-r0 \
+        libcap=2.69-r1 \
+# Install obfs4proxy
+    && git clone -b ${OBFS_VERSION} --single-branch --depth 1 https://github.com/Yawning/obfs4.git /go/obfs4/ \
+    && cd /go/obfs4/ \
+    && go build -o /usr/local/bin/obfs4proxy ./obfs4proxy \
+# Install snowflake
+    && git clone -b ${SNOWFLAKE_VERSION} --single-branch --depth 1 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git /go/snowflake/ \
+    && cd /go/snowflake/client/ \
+    && go get \
+    && go build -o /usr/local/bin/snowflake \
+# Install webtunnel client
+    && git clone --single-branch --depth 1 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel.git /go/webtunnel/ \
+    && cd /go/webtunnel/ \
+    && git reset --hard ${WEBTUNNEL_VERSION} \
+    && cd main/client/ \
+    && go build -ldflags="-s -w" -o /usr/local/bin/webtunnel \
+# Give tranposrts clients the capability to bind privileged port.
+    && setcap \
+        'cap_net_bind_service=+ep' /usr/local/bin/obfs4proxy \
+        'cap_net_bind_service=+ep' /usr/local/bin/snowflake \
+        'cap_net_bind_service=+ep' /usr/local/bin/webtunnel
+
+WORKDIR /
 
 HEALTHCHECK \
-    --start-period=5m \
+    --start-period=60m \
     --interval=60s \
     --timeout=30s \
     CMD curl \

tor/config.yaml

@@ -25,6 +25,7 @@ options:
   ports:
     - "8123"
     - "8123:80"
+  bridges: []
 schema:
   log_level: list(trace|debug|info|notice|warning|error|fatal)?
   socks: bool
@@ -34,3 +35,5 @@ schema:
     - match(^[A-Za-z0-9+-_]{1,16}$)
   ports:
     - match(^(.*:)?(?:[0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$)
+  bridges:
+    - str

tor/rootfs/etc/s6-overlay/s6-rc.d/init-tor/run

@@ -125,6 +125,29 @@ if bashio::config.true 'hidden_services'; then
     done
 fi
 
+# Configure bridges
+if bashio::config.exists 'bridges' \
+    && ! bashio::config.is_empty 'bridges';
+then
+    bashio::log.info 'Use bridges:'
+    echo "UseBridges 1" >> "${torrc}"
+
+    # Add client for OBFS transport
+    echo "ClientTransportPlugin obfs2,obfs3,obfs4,scramblesuit exec /usr/local/bin/obfs4proxy managed" >> "${torrc}"
+
+    # Add client for Snowflake transport
+    echo "ClientTransportPlugin snowflake exec /usr/local/bin/snowflake" >> "${torrc}"
+
+    # Add client for WebTunnel transport
+    echo "ClientTransportPlugin webtunnel exec /usr/local/bin/webtunnel" >> "${torrc}"
+
+    # Add bridges
+    while read -r bridge; do
+        bashio::log.info "Bridge ${bridge}"
+        echo "Bridge ${bridge}" >> "${torrc}"
+    done <<< "$(bashio::config 'bridges')"
+fi
+
 # Figure out the address
 if bashio::config.true 'hidden_services'; then
     bashio::log.info 'Starting Tor temporarly...'

tor/translations/en.yaml

@@ -30,5 +30,10 @@ configuration:
     description: >-
       Configures hosts and ports to publish via a Tor Hidden Service. Check
       the add-on documentation for the exact format to enter here.
+  bridges:
+    name: Bridges
+    description: >-
+      Configures bridges to establish connection with Tor Network. Check the 
+      add-on documentation for the exact format to enter here.
 network:
   9050/tcp: Tor SOCKS proxy port