
Tutorial: setting up a Tor bridge for Iran #127

Open
meskio opened this issue Sep 28, 2022 · 5 comments

meskio commented Sep 28, 2022

During network shutdowns in Iran connections inside the country do still work. We can set up a bridge to be reachable from inside Iran to be used to connect to Tor when there is a network shutdown. We need two servers:

  • SI a server in Iran that will relay traffic to the bridge
  • SO a server outside Iran that will run the bridge

Setting up a bridge in the server outside Iran (SO)

Install docker and docker compose:
https://docs.docker.com/compose/install/

Get the docker-compose.yml file

$ mkdir bridge
$ cd bridge
$ wget https://gitlab.torproject.org/tpo/anti-censorship/docker-obfs4-bridge/-/raw/main/docker-compose.yml

Edit bridge/.env with the following content:

# Set required variables
OR_PORT=3344
PT_PORT=3355
EMAIL=your@email.com

# If you want, you could change the nickname of your bridge
#NICKNAME=DockerObfs4Bridge

# Configure the bridge so it will not be distributed by bridgedb:
OBFS4_ENABLE_ADDITIONAL_VARIABLES=1
OBFS4V_BridgeDistribution=none

Start the bridge:

$ docker compose up -d

Get its bridge line:

$ docker exec bridge-obfs4-bridge-1 get-bridge-line
obfs4 x.x.x.x:3355 AAABBBBCCCDDDD cert=abcdx iat-mode=0

Test the bridge by copying it into Tor Browser

Setting up a proxy in the server inside Iran (SI)

SSH

We can use ssh for this:

# ssh -N -L 0.0.0.0:3355:127.0.0.1:3355 x.x.x.x

x.x.x.x is the IP address of SO

kcptun

kcptun is a network enhancement proxy that tunnels stream-based traffic over a UDP transport protocol.

Download the utility from https://github.com/xtaci/kcptun/releases first, then

run the following command on SO

server_linux_amd64 -t "127.0.0.1:3355" -l "0.0.0.0:7923" -mtu 1400 --nocomp -sndwnd 16384 --rcvwnd 16384 --datashard 0 --parityshard 0 --crypt aes --smuxver 2 --key "*****"

run the following command on SI

client_linux_amd64 -l "0.0.0.0:3355" -r "x.x.x.x:7923" -mtu 1400 --nocomp -sndwnd 16384 --rcvwnd 16384 --datashard 0 --parityshard 0 --crypt aes --smuxver 2 --key "*****"

x.x.x.x is the IP address of SO
7923 is the port kcptun listens on

Since kcptun consumes more traffic than a typical TCP-based transport, this transport can reshape traffic, so that it is not obvious that this VPS serves in a forwarder's role. As a side effect the connection quality may be improved with parameter tuning.

Hand out the bridge

Now we can distribute the bridge line, replacing the IP address with the one of SI (y.y.y.y):

obfs4 y.y.y.y:3355 AAABBBBCCCDDDD cert=abcdx iat-mode=0
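As an added sanity check for the two-server procedure above (example code, not part of the original post): it parses the kcptun server and client command lines and reports any tunables that must agree between SO and SI (a wrong crypt/key/smuxver or port just yields a dead tunnel), and it rewrites a bridge line to the SI address while verifying the fingerprint and cert are kept and the bridge port is the one the forwarder exposes. The addresses and fingerprint in the sample are constructed.

```python
import re
import shlex

# kcptun flags that must agree between the server (on SO) and the client (on SI):
# a crypt/key/smuxver mismatch just produces a tunnel that never carries data.
KCPTUN_SHARED = ("mtu", "nocomp", "crypt", "key", "smuxver", "datashard", "parityshard")

def kcptun_args(cmdline):
    """Parse a kcptun command line into {flag: value}; bare flags map to True."""
    toks = shlex.split(cmdline)[1:]  # drop the program name
    args, i = {}, 0
    while i < len(toks):
        name = toks[i].lstrip("-")
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            args[name], i = toks[i + 1], i + 2
        else:
            args[name], i = True, i + 1
    return args

def kcptun_mismatches(server_cmd, client_cmd):
    """Shared flags whose values differ, plus 'port' if the client's -r port
    is not the port the server's -l binds."""
    s, c = kcptun_args(server_cmd), kcptun_args(client_cmd)
    bad = [f for f in KCPTUN_SHARED if s.get(f) != c.get(f)]
    if str(c.get("r", "")).rsplit(":", 1)[-1] != str(s.get("l", "")).rsplit(":", 1)[-1]:
        bad.append("port")
    return bad

# obfs4 bridge line as printed by get-bridge-line: host:port, 40-hex fingerprint, cert, iat-mode
BRIDGE_RE = re.compile(r"^obfs4 (?P<host>\S+):(?P<port>\d{1,5}) (?P<fp>[0-9A-Fa-f]{40}) "
                       r"cert=(?P<cert>\S+) iat-mode=(?P<iat>[0-2])$")

def rewrite_bridge_line(line, forwarder_host, forwarder_port):
    """Swap the bridge address for the forwarder's, keeping fingerprint and cert,
    and refuse if the bridge port is not the one the forwarder exposes."""
    m = BRIDGE_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed obfs4 bridge line")
    if int(m["port"]) != forwarder_port:
        raise ValueError("bridge port %s != forwarder port %d" % (m["port"], forwarder_port))
    return "obfs4 %s:%s %s cert=%s iat-mode=%s" % (
        forwarder_host, m["port"], m["fp"].upper(), m["cert"], m["iat"])

if __name__ == "__main__":
    # Constructed sample; a real line comes from `docker exec ... get-bridge-line`.
    line = "obfs4 203.0.113.10:3355 0123456789abcdef0123456789ABCDEF01234567 cert=abcdx iat-mode=0"
    print(rewrite_bridge_line(line, "198.51.100.20", 3355))
```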

xhdix commented Sep 30, 2022

Maybe it is possible to create the main server outside and forward the traffic only with iptables on the internal server:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination [foreignVPSip]:443
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source [domesticVPSip]

(Note: the amount of incoming and outgoing traffic of the internal server should not be equal)

@wkrp wkrp added the Iran label Oct 4, 2022
@leoth-91

Is it at all useful to run a bridge if you do not have a static IP?
I’m running the container but it needs restarting whenever the IP changes (once per day), which I have automatized using cron


cross-hello commented Oct 12, 2022 via email


leoth-91 commented Oct 12, 2022

If cloudflared still suitable for DNS service so that evokes up update upon each ip change?

I'm not sure I understand the sentence, but the only thing that happens after an IP change is that the container is restarted. Downtime is then around a minute per day; the Tor relay search indicates the bridge is running.


wkrp commented Oct 12, 2022

Is it at all useful to run a bridge if you do not have a static IP?

If it's a bridge you use yourself, it's okay because you can change the address at the client yourself.

If it's a bridge you want others to use, it's not very useful, because people's connection to the bridge will break whenever its IP address changes, and their saved bridge line will no longer work.
