So here’s my dilemma. I’ve been trying to set up an obfs4proxy for a couple of weeks now on Arch Linux. I’ve run into this problem. With my public IP my ORPort is reachable, but with the IP that shows up in tor.service, my IP, it says “not reachable” on the Tor Project | Reachability Test. I get that common message, “Your server has not managed to confirm reachability for its ORPort(s) at”, but I also get this affirming message of hope: “Heartbeat: Since last heartbeat message, I have seen 66 unique clients”. Am I impatient and one day the “confirmation” will come? Am I misconfigured? I probably am. What can I do to fix it? My torrc file is:
BridgeRelay 1
DataDirectory /var/lib/tor
User tor
# Replace "TODO1" with a Tor port of your choice. This port must be externally
# reachable. Avoid port 9001 because it's commonly associated with Tor and
# censors may be scanning the Internet for this port.
ORPort 443
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
# Replace "TODO2" with an obfs4 port of your choice. This port must be
# externally reachable and must be different from the one specified for ORPort.
# Avoid port 9001 because it's commonly associated with
# Tor and censors may be scanning the Internet for this port.
ServerTransportListenAddr obfs4 0.0.0.0:445
# Local communication port between Tor and obfs4. Always set this to "auto".
# "Ext" means "extended", not "external". Don't try to set a specific port
# number, nor listen on 0.0.0.0.
ExtORPort auto
# Replace "<address@email.com>" with your email address so we can contact you if
# there are problems with your bridge. This is optional but encouraged.
ContactInfo <redacted>
# Pick a nickname that you like for your bridge. This is optional.
Nickname <redacted>
I did it to the specs on the Tor Project | Arch Linux page. Please help!
This may sound either stupidly obvious or you have no idea what I’m talking about, but did you edit your router firewall settings to allow incoming traffic to your machine?
If you go to https://bridges.torproject.org/status?id=YourFingerprint you can check if your bridge is usable.
Your orport doesn’t need to be reachable for your bridge to work. The pluggable transport is the important part. The webtunnel bridge docs even recommend to block the orport.
Yep, but I have only one port that’s reachable. I get the heartbeat that tells me 51 unique clients here, 61 there. I’ve run through the router settings at least 3 times. I just can’t get that “server hasn’t confirmed” message to go away. I’m also worried that if I’m misconfigured, am I vulnerable? It’s reachable on the Tor port reachability test, Tor Project | TCP Reachability Test. I’m really new at this. But thanks for responding.
Could you post the logs from your bridge? Just redact the fingerprint and the ip address.
Have you followed all steps from the tutorial? Since your obfs4 is configured to listen on a port below 1024 there are some extra steps in there. And after every obfs4 update you have to run sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy again.
It seems your clients do not use your obfs4 at all, but your ORPort. Are you able to use your bridge from a different internet connection, e.g. a mobile hotspot?
You may also have a look at your /var/lib/tor/state if the line TransportProxy obfs4 has the correct public IP in it.
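An added sanity check, written for this thread and not part of the Tor Project’s tooling or the poster’s setup, that parses a torrc like the one posted above and flags the pitfalls raised so far: ORPort and the obfs4 port clashing, either port below 1024 (obfs4proxy then needs the setcap step), port 9001, a missing obfs4 plugin or listener, and ExtORPort not set to auto. The embedded torrc is a constructed copy of the poster’s relevant lines.

```python
DISCOURAGED_PORT = 9001  # commonly scanned for by censors, per the torrc comments

# Constructed copy of the poster's torrc (comments and redacted lines dropped).
POSTER_TORRC = """\
BridgeRelay 1
ORPort 443
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:445
ExtORPort auto
"""

def parse_torrc(text):
    """Map each option to the list of values seen (torrc allows repeated options)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key, []).append(value.strip())
    return opts

def port_of(addr):
    """Port number from '443', '0.0.0.0:445' or '[::]:445'."""
    return int(addr.rsplit(":", 1)[-1])

def check_bridge_torrc(text):
    """Return a list of finding codes for the pitfalls discussed in the thread."""
    opts = parse_torrc(text)
    findings = []
    if opts.get("BridgeRelay", ["0"])[0] != "1":
        findings.append("not-a-bridge")  # would publish as a public relay instead
    orports = {port_of(v.split()[0]) for v in opts.get("ORPort", [])}
    pt_ports = {}
    for v in opts.get("ServerTransportListenAddr", []):
        transport, _, addr = v.partition(" ")
        pt_ports[transport] = port_of(addr)
    if "obfs4" not in pt_ports:
        findings.append("no-obfs4-listener")
    if not any(v.startswith("obfs4 ") for v in opts.get("ServerTransportPlugin", [])):
        findings.append("no-obfs4-plugin")
    if orports & set(pt_ports.values()):
        findings.append("port-clash")  # ORPort and obfs4 port must differ
    if DISCOURAGED_PORT in orports | set(pt_ports.values()):
        findings.append("port-9001")
    if any(p <= 1023 for p in orports):
        findings.append("orport-privileged")  # tor needs CAP_NET_BIND_SERVICE (the unit grants it)
    if any(p <= 1023 for p in pt_ports.values()):
        findings.append("obfs4-privileged")  # needs: setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy
    if opts.get("ExtORPort", [""])[0] != "auto":
        findings.append("extorport-not-auto")
    return findings

if __name__ == "__main__":
    for code in check_bridge_torrc(POSTER_TORRC):
        print(code)
```

Run against the poster’s torrc it reports only the two privileged-port findings, which is why the setcap step after each obfs4proxy update matters here.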
I looked at the /tor/state. It had a whole lot of relays, their fingerprints, and the names of the relays. I saw no IPs in there. But when I use systemctl status tor, I get a different IP there than my public IP. I copied the whole “state” and saved it, but it was long with relay names and their fingerprints. I don’t wanna dox anyone. The end of it looks like this with no redactions:
LastRotatedOnionKey 2025-02-08 21:42:50
LastWritten 2025-02-16 23:15:40
MinutesSinceUserActivity 4
TorVersion Tor 0.4.8.14
TotalBuildTimes 700
TransportProxy obfs4 [::]:445
I’m wondering if my IP is supposed to be between obfs4 and 443.
Right before I took that state, I got one of these and then restarted:
etected possible compression bomb with input size = 28213 and output siz
Possible compression bomb; abandoning stream.
possible compression bomb with input size = 27596
From what I’ve read, this is a bad actor on some mission. Is it aimed at me or somebody else? Should I be worried or write it off and let the “system” take care of it? I’m a little nervous with a dysfunctional bridge. I’m still new at this stuff. Oh yeah, my setup is set to everything on this page: Tor Project | Arch Linux
If your public IPv4 does not change often you should put it here. If it does change often, you should consider having a WebTunnel bridge (with Dynamic DNS and a corresponding CNAME)…
I looked into those two; the CNAME was orphaned in Arch, as far as I can tell. I have one called ddns but it needs egrep, which I haven’t been able to find. I do have Arti, but I need a human-readable config file for it and a few pointers. I also have WebTunnel, server and client, but I have a little more to read. This might be a stupid question, but it seems all those tunnels need servers; do I need to run a server to make this bridge work? Another question that may be stupid: could my browser Snowflakes interrupt anything? I did fill in my IP on the ServerTransportListenAddr. I’ll still be here taking suggestions. Thanks for all your help.
# tor.service -- this systemd configuration file for Tor sets up a
# relatively conservative, hardened Tor service. You may need to
# edit it if you are making changes to your Tor configuration that it
# does not allow. Package maintainers: this should be a starting point
# for your tor.service; it is not the last point.
[Unit]
Description=Anonymizing overlay network for TCP
After=network.target nss-lookup.target
[Service]
Type=notify
NotifyAccess=all
ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutSec=60
Restart=on-failure
WatchdogSec=1m
LimitNOFILE=32768
# Hardening
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
NoNewPrivileges=no
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH CAP_KILL
[Install]
WantedBy=multi-user.target
Is there anything in /system/tor.service that might be added or changed?
Have you tried to make other services available on your internet connection? Maybe just try to host a webserver and make sure your port forwarding works. If you are stuck behind CGNAT you won’t be able to host an obfs4 or WebTunnel bridge at home.
CNAME is a DNS entry which points one domain to another. This is useful if you want to use example.org as your domain but only example.com supports DynDNS.
A server is just a PC on the internet. So yes, those tunnels need servers, but if your PC at home is reachable from the outside it basically is a server.
No, this shouldn’t have any effect on this problem.