Can Someone help me find my misconfiguration?

So here’s my dilemma. I’ve been trying to set up an obfs4proxy for a couple of weeks now on Arch Linux. I’ve run into this problem. With my public IP my ORPort is reachable, but with the IP that shows up in tor.services, my IP, it says “not reachable” on the Tor Project reachability test. I get that common message, “Your server has not managed to confirm reachability for its ORPort(s) at”, but I also get this affirming message of hope: “Heartbeat: Since last heartbeat message, I have seen 66 unique clients”. Am I impatient, and one day the “confirmation” will come? Am I misconfigured? I probably am. What can I do to fix it? My torrc file is:

BridgeRelay 1
DataDirectory /var/lib/tor
User tor

# Replace "TODO1" with a Tor port of your choice.  This port must be externally
# reachable.  Avoid port 9001 because it's commonly associated with Tor and
# censors may be scanning the Internet for this port.
ORPort 443

ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy

# Replace "TODO2" with an obfs4 port of your choice.  This port must be
# externally reachable and must be different from the one specified for ORPort.
# Avoid port 9001 because it's commonly associated with
# Tor and censors may be scanning the Internet for this port.
ServerTransportListenAddr obfs4 0.0.0.0:445

# Local communication port between Tor and obfs4.  Always set this to "auto".
# "Ext" means "extended", not "external".  Don't try to set a specific port
# number, nor listen on 0.0.0.0.
ExtORPort auto

# Replace "<address@email.com>" with your email address so we can contact you if
# there are problems with your bridge.  This is optional but encouraged.
ContactInfo <redacted>

# Pick a nickname that you like for your bridge.  This is optional.
Nickname <redacted>

I did it to the specs on the Tor Project | Arch Linux page. Please help!

2 Likes

This may sound either stupidly obvious or you have no idea what I’m talking about, but did you edit your router firewall settings to allow incoming traffic to your machine?

3 Likes

If you go to https://bridges.torproject.org/status?id=YourFingerprint you can check if your bridge is usable.
Your ORPort doesn’t need to be reachable for your bridge to work. The pluggable transport is the important part. The WebTunnel bridge docs even recommend blocking the ORPort.

Could you post some logs?

4 Likes

How are your local stats looking?

cat /var/lib/tor/stats/bridge-stats

You might want to put AssumeReachable 1 in your torrc.

How do you check your reachability?

What does https://bridges.torproject.org/status?id=XXX say, where XXX is the output of cat /var/lib/tor/fingerprint?

2 Likes

Yep, but I have only one port that’s reachable. I get the heartbeat that tells me 51 unique clients here, 61 there. I’ve run through the router settings at least 3 times. I just can’t get that “server hasn’t confirmed” message to go away. I’m also worried that if I’m misconfigured, am I vulnerable? It’s reachable on the Tor port reachability test (Tor Project | TCP Reachability Test). I’m really new at this, but thanks for responding.

1 Like

Thanks for responding. How do I find the fingerprint? I’m still a little new to all this.

1 Like

Here’s the bridge status:

bridge-stats-end 2025-02-15 04:30:03 (86400 s)
bridge-ips de=56,us=40,nl=32,gb=24,??=8,at=8,au=8,be=8,bg=8,ca=8,ch=8,cn=8,cz=8,dk=8,es=8,eu=8,fi=8,fr=8,hk=8,hu=8,ie=8,is=8>
bridge-ip-versions v4=200,v6=0
bridge-ip-transports <OR>=200
1 Like

When I do the fingerprint, the response I get is: “no resources for the given id”.

1 Like

I did the fingerprint again and got this: Bridge 3092047712924XXXXXXXXXXD70FED08EC advertises:

  • obfs4 IPv4: not yet tested

But the “AssumeReachable 1” did get rid of the reachability message. So I hope we’re on the right track.
1 Like

Looks like you don’t get connections via obfs4.

Could you post the logs from your bridge? Just redact the fingerprint and the ip address.

Have you followed all steps from the tutorial? Since your obfs4 is configured to listen on a port below 1024 there are some extra steps in there. And after every obfs4 update you have to run sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy again.

2 Likes

After a few hours now, I’m getting this:

Bridge 30920477129248XXXXXXXXXXXXXX0FED08EC advertises:

  • obfs4 IPv4: dysfunctional
    Error: timed out waiting for bridge descriptor
    Last tested: 2025-02-15 20:50:34.527476054 +0000 UTC (52m51.453958592s ago)
1 Like

It seems your clients do not use your obfs4 at all, but your ORPort. Are you able to use your bridge from a different internet connection, e.g. a mobile hotspot?

You may also have a look at your /var/lib/tor/state if the line TransportProxy obfs4 has the correct public IP in it.

1 Like

I looked at the /tor/state. It had a whole lot of relays, their fingerprints, and the names of the relays. I saw no IPs in there. But when I use systemctl status tor, I get a different IP there than my public IP. I copied the whole “state” and saved it, but it was long with relay names and their fingerprints. I don’t wanna dox anyone. The end of it looks like this with no redactions:

LastRotatedOnionKey 2025-02-08 21:42:50
LastWritten 2025-02-16 23:15:40
MinutesSinceUserActivity 4
TorVersion Tor 0.4.8.14
TotalBuildTimes 700
TransportProxy obfs4 [::]:445

I’m wondering if my IP is supposed to be between obfs4 and 443.

1 Like

Right before I took that state, I got one of these and then restarted:

etected possible compression bomb with input size = 28213 and output siz
Possible compression bomb; abandoning stream.
possible compression bomb with input size = 27596

From what I’ve read, this is a bad actor on some mission. Is it aimed at me or somebody else? Should I be worried or write it off and let the “system” take care of it? I’m a little nervous with a dysfunctional bridge. I’m still new at this stuff. Oh yeah, my setup is set to everything on this page:
Tor Project | Arch Linux

1 Like

Correct, there should be your IP.

If your public IPv4 does not change often you should put it here. If it does change often, you should consider having a WebTunnel bridge (with Dynamic DNS and a corresponding CNAME)…

1 Like
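A small diagnostic script, added here as an example and not posted by anyone in the thread, that checks on the bridge host the three points raised above: whether obfs4proxy still carries cap_net_bind_service after an update (the setcap reminder), what address the TransportProxy obfs4 line in /var/lib/tor/state advertises (a bare [::] or 0.0.0.0 means Tor never learned the public IP), and whether anything listens on the obfs4 port. The paths and port 445 are taken from the torrc posted in the thread; the function names and the --run flag are my own.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check an obfs4 bridge host for
# the issues discussed above. Defaults come from the torrc posted in the thread.
STATE_FILE="${STATE_FILE:-/var/lib/tor/state}"
OBFS4_BIN="${OBFS4_BIN:-/usr/bin/obfs4proxy}"
OBFS4_PORT="${OBFS4_PORT:-445}"

# Print the address from the "TransportProxy obfs4 <addr>:<port>" line of a
# Tor state file; fail (exit 1) when the line is absent.
transport_proxy_addr() {
    awk '$1 == "TransportProxy" && $2 == "obfs4" { print $3; found = 1 }
         END { exit !found }' "$1"
}

# A wildcard address ([::] or 0.0.0.0) is unreachable for clients: flag it.
classify_transport_addr() {
    case "$1" in
        "[::]:"*|"0.0.0.0:"*) echo unspecified ;;
        *)                    echo ok ;;
    esac
}

# Ports below 1024 need cap_net_bind_service on the binary; package updates drop it.
obfs4_has_bind_cap() {
    command -v getcap >/dev/null 2>&1 || return 2
    getcap "$1" 2>/dev/null | grep -q cap_net_bind_service
}

report() {
    if addr=$(transport_proxy_addr "$STATE_FILE"); then
        echo "state: obfs4 advertised at $addr ($(classify_transport_addr "$addr"))"
    else
        echo "state: no 'TransportProxy obfs4' line in $STATE_FILE"
    fi
    if obfs4_has_bind_cap "$OBFS4_BIN"; then
        echo "caps:  $OBFS4_BIN has cap_net_bind_service"
    elif [ $? -eq 2 ]; then
        echo "caps:  getcap not installed, cannot check"
    else
        echo "caps:  $OBFS4_BIN lacks cap_net_bind_service; rerun setcap"
    fi
    if ss -ltn 2>/dev/null | grep -q ":$OBFS4_PORT[[:space:]]"; then
        echo "port:  something listens on TCP $OBFS4_PORT"
    else
        echo "port:  nothing listens on TCP $OBFS4_PORT"
    fi
}

# Only act when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then report; fi
```

Run it as root on the bridge host with `--run`; a state line showing `[::]:445` matches the symptom in the thread and means the public IP still has to be supplied.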

I looked into those two. The CNAME was orphaned in Arch, as far as I can tell. I have one called ddns but it needs egrep, which I haven’t been able to find. I do have Arti, but I need a human-readable config file for it and a few pointers. I also have WebTunnel, server and client, but I have a little more to read. This might be a stupid question, but it seems all those tunnels need servers; do I need to run a server to make this bridge work? Another question that may be stupid: could my browser snowflakes interrupt anything? I did fill in my IP on the ServerTransportListeningAddr. I’ll still be here taking suggestions. Thanks for all your help.

I tried to use my Android tethering; no ports were reachable from that.

# tor.service -- this systemd configuration file for Tor sets up a
# relatively conservative, hardened Tor service.  You may need to
# edit it if you are making changes to your Tor configuration that it
# does not allow.  Package maintainers: this should be a starting point
# for your tor.service; it is not the last point.

[Unit]
Description=Anonymizing overlay network for TCP
After=network.target nss-lookup.target

[Service]
Type=notify
NotifyAccess=all
ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutSec=60
Restart=on-failure
WatchdogSec=1m
LimitNOFILE=32768

# Hardening
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
NoNewPrivileges=no
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH CAP_KILL

[Install]
WantedBy=multi-user.target

Is there anything in /system/tor.services that might be added or changed?

Have you tried to make other services available on your internet connection? Maybe just try to host a webserver and make sure your port forwarding works. If you are stuck behind CGNAT you won’t be able to host an obfs4 or WebTunnel bridge at home.

CNAME is a dns entry which points one domain to another. This is useful if you want to use example.org as your domain but only example.com supports dyndns.

A server is just a pc on the internet. So yes, those tunnels need servers but if your pc at home is reachable from the outside it basically is a server.

No, this shouldn’t have any effect on this problem.

2 Likes

Maybe try this suggestion on the other thread:

1 Like