Help Censored Users, Run a Tor Bridge

by ggus | November 17, 2021

Run a Tor Bridge campaign

Bridges are private Tor relays that serve as stepping stones into the network. When the Tor network is blocked, users can get a bridge to circumvent censorship. Thanks to our community of bridge operators, users in China, Belarus, Iran, and Kazakhstan can connect to the Tor network and access the free and open Internet.

We currently have approximately 1,200 bridges, 900 of which support the obfs4 obfuscation protocol. Unfortunately, these numbers have been decreasing since the beginning of this year. It's not enough to have many bridges: eventually, all of them could find themselves in block lists. We therefore need a constant trickle of new bridges that aren't blocked anywhere yet. This is where we need your help.

The goal of this campaign is to bring more than 200 obfs4 bridges online by the end of this year. We will wrap up the campaign on January 7, 2022. To show our appreciation for your volunteer work, we're offering unique and exclusive Tor reward kits. For example, if you run 10 obfs4 bridges for one year, you can get the Golden Gate bridge kit, including 1 Tor hoodie, 2 Tor T-shirts, and a sticker pack. Some of these kits are limited.

1. Golden Gate bridge (limited to 10 kits)

  • Run 10 obfs4 bridges for 1 year.
  • Reward kit: 1 Tor hoodie + 2 Tor T-shirts + sticker pack.

2. Helix bridge (limited to 20 kits)

  • Run 5 obfs4 bridges for 1 year.
  • Reward kit: 1 Tor T-shirt + stickers pack.

3. University bridge kit (limited to 10 kits)

  • Run 2 obfs4 bridges for 1 year in your university.
  • Reward kit: 1 Tor T-shirt + stickers pack.

4. Rialto bridge (10 randomly selected new bridge operators)

  • Run 1 obfs4 bridge for 1 year and you will be part of the 'reward lottery'.
  • We will randomly select 10 new bridge operators to receive a metallic roots Tor t-shirt as a token of our gratitude for your help defending the open internet.

Setting Up A Bridge

To set up an obfs4 bridge, check out our newly revised installation instructions. We have guides for several Linux distributions, FreeBSD, OpenBSD, and Docker. Note that an obfs4 bridge needs both an open OR port and an open obfs4 port. If you run into any trouble while setting up your bridge, check out our help page and our new Forum.

Once you have set up your bridge, find your bridge line (our post-install instructions explain how) and send an email to frontdesk@torproject.org. If you are running more than one bridge, it's preferable to send all of them at once.

Technical requirements

To join the bridges campaign, you must follow these requirements:

  • Static IPv4 address. Although Tor bridges can operate behind dynamic IP addresses, this is not optimal for the users, who would have to configure the new IP address manually every time it changes. IPv6 is definitely a plus, but it's not required.

  • Obfs4 pluggable transport configured. We chose obfs4 because it is the pluggable transport with the higher probability of passing through censorship globally.

  • Uptime 24/7. Serving the network 24/7 is vital for bridges, as those who really need to work around censorship depend on Tor being always available.

  • Only 2 bridges per IPv4 address.

  • Operators running more than 2 bridges should avoid sequential IP addresses. Sequential IP addresses make it easier to block a group of bridges at once when an entity filters a whole network CIDR, i.e. a /24 for IPv4 or a /64 for IPv6. If someone wants to block one bridge and blocks its whole netmask to do so, any other bridges in the same address space will be blocked too, as a side effect.

  • Avoid running bridges on the same IP address as your (public) relay.

  • Relay operators running a large chunk of Tor exit nodes are discouraged from running bridges.

Other campaign rules

  • Participants should claim their reward by commenting on the Bridge's topic on the Tor Forum and sending an email with their full bridge line to frontdesk@torproject.org.

  • Bridges will be tested and validated by the Tor Project staff.

  • Rewards for the Golden Gate kit will follow this timeline:

    • 1 month - Tor Stickers
    • 3 months - Tor T-shirt
    • 6 months - 2nd Tor T-shirt
    • 9 months - Hoodie
  • Rewards for Helix kit will follow this timeline:

    • 1 month - Tor Stickers
    • 5 months - Tor T-shirt
  • Bridge operators must follow the Tor relay good practices.

  • Due to our limited staff capacity at the end of year, Golden Gate and Helix operators should expect to receive their first reward in January 2022.

Other ways to help

If you're not technical enough to run a bridge, but want to help censored users, there are other ways you can help:

  • Run a Snowflake proxy. You do not need a dedicated server and can run a proxy by simply installing an extension in your browser. The extension is available for Firefox and Chrome. There is no need to worry about which websites people are accessing through your proxy. Their visible browsing IP address will match their Tor exit node, not yours.
  • Make a donation to the Tor Project to support our work developing and sharing tools for privacy and freedom online.
  • Help translate Tor materials and documentation including information on how to set up a bridge.
  • Share your support of running and using Tor bridges on social media.

This is a companion discussion topic for the original entry at https://blog.torproject.org/run-a-bridge-campaign/
14 Likes
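The address rules in the Technical requirements above (at most 2 bridges per IPv4 address, no bridges sharing a /24 or /64, no bridge on a public relay's IP) can be checked against an operator's own inventory before submitting bridge lines. This is an added example, not code from the Tor Project; the function name, rule labels and sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory using documentation ranges, not real bridges.
SAMPLE_BRIDGES = [
    "192.0.2.10", "192.0.2.10", "192.0.2.10",  # three bridges on one IPv4
    "192.0.2.11",                              # sequential neighbour, same /24
    "198.51.100.7",
    "203.0.113.50",
    "2001:db8:1:1::a", "2001:db8:1:1::b",      # two bridges in one /64
    "2001:db8:2:9::1",
]
SAMPLE_RELAYS = ["203.0.113.50"]  # constructed: the operator's public relay

def check_bridge_addresses(bridges, relays=(), max_per_ipv4=2):
    """Return sorted (rule, subject, count) findings for a bridge inventory."""
    relay_set = {ipaddress.ip_address(r) for r in relays}
    per_ip = defaultdict(int)
    for b in bridges:
        per_ip[ipaddress.ip_address(b)] += 1

    # Group distinct addresses by the block a censor would filter as a unit:
    # /24 for IPv4 and /64 for IPv6, as named in the requirements.
    per_block = defaultdict(set)
    for addr in per_ip:
        prefix = 24 if addr.version == 4 else 64
        block = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        per_block[block].add(addr)

    findings = []
    for addr, count in per_ip.items():
        if addr.version == 4 and count > max_per_ipv4:
            findings.append(("too-many-per-ipv4", str(addr), count))
        if addr in relay_set:
            findings.append(("shared-with-public-relay", str(addr), count))
    for block, members in per_block.items():
        if len(members) > 1:
            findings.append(("shared-block", str(block), len(members)))
    return sorted(findings)

if __name__ == "__main__":
    for rule, subject, count in check_bridge_addresses(SAMPLE_BRIDGES, SAMPLE_RELAYS):
        print(f"{rule:26} {subject:20} {count}")
```

An empty result means the inventory meets the addressing rules; it says nothing about uptime or port reachability.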

Hello, tor is blocked in my area, and my computer’s IP cannot Run a Tor Bridge, but if I buy an unrestricted vps for Run a Tor Bridge, is this feasible? :smiling_face_with_three_hearts:

1 Like

Yes, running a bridge in a VPS is generally a good idea and AFAIK is how most bridges are hosted.

2 Likes

thank you for your reply :wink:

Can I still get a sticker pack by running a Snowflake?

I guess this topic is the right one?

So do you need more bridges than relays? But can I run a relay and a bridge on the same IP even when it is not recommended?

  • Avoid running bridges on the same IP address of your (public) relay.

As far as I know running a bridge is like an exit Tor, but the main difference is the IP is not listed?

So do you need more bridges than relays? But can I run a relay and a bridge on the same IP even when it is not recommended?

Running a bridge on the same IP where you have a relay is not going to help Tor much. People use bridges in places where Tor relays are blocked, and most of the time this blockade is by IP address. That means that the people who need to use your bridge will not be able to reach it, because your relay IP will be blocked.

As far as I know running a bridge is like an exit Tor, but the main difference is the IP is not listed?

Running a bridge is like running a relay, in the sense that people will use your bridge to move traffic into the Tor network. And yes, it is not listed, to make it harder for censors to block it. But it is not like an exit node: people will not access the internet directly from your bridge, they will just use it to access another Tor relay.

2 Likes

So do you need more bridges than relays

No.

But can I run a relay and a bridge on the same IP even when it is not recommended?

You can, you just a) shouldn’t and b) maybe it makes you ineligible for the swag

As far as I know running a bridge is like an exit Tor, but the main difference is the IP is not listed?

No. Bridges are entry nodes.

1 Like

No, because at the moment we have 12,000 Snowflake proxies and only 900 obfs4 bridges. In the future we might run another ‘Run a Snowflake proxy’ campaign.

Hello @annoniempjuh, that’s right! If you have set up new bridges, please share the metrics.torproject.org link here.

A little more technically advanced people familiar with the Puppet configuration management engine might appreciate this Puppet code snippet that will deploy a bridge on port 443 for you:

class tor_meta::config {

  service {
    'tor@default':
      ensure     => running,
      hasrestart => true,
      hasstatus  => true;
  }

  package {
    'obfs4proxy':
      ensure => present;
  }


  tor::daemon::relay {
    'MySuperName':
      bridge_relay     => true,
      port             => 443,
      address          => "${ipaddress}",
      bandwidth_rate   => 56250, #450mbps
      bandwidth_burst  => 59375, #475mbps
      contact_info     => 'Foo Bar <foo@bar.org>',
  }

  tor::daemon::exit_policy {
    'bridge':
      reject => ['*:*'];
  }

  tor::daemon::snippet {
    'bridgedist':
      content => "BridgeDistribution none\n";
  }

  tor::daemon::snippet {
    'disableipv6':
      content => "AddressDisableIPv6 1\n";
  }

  tor::daemon::transport_plugin {
    'obfs4':
      ext_port                   => 'auto',
      servertransport_plugin     => 'obfs4 exec /usr/bin/obfs4proxy',
      servertransport_listenaddr => 'obfs4 0.0.0.0:80',
  }

  # Make sure obfs4 can bind to a low port
  exec {
    'setcap':
      command => '/sbin/setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy',
      unless  => '/sbin/getcap /usr/bin/obfs4proxy | /bin/grep ep',
      notify  => Service['tor@default'];

    'tor-systemd-reload':
      command     => '/bin/systemctl daemon-reload',
      refreshonly => true;
  }

  $services = ['tor@default.service','tor@.service']
  $services.each |String $service| {
    file_line {
      "systemd_${service}":
        path   => "/lib/systemd/system/${service}",
        line   => 'NoNewPrivileges=no',
        match  => 'NoNewPrivileges=yes',
        notify => Exec['tor-systemd-reload'];
    }
  }
}

It depends on the tor puppet module and Puppet 5.

6 Likes

@gus Is this the link you need to validate my new tor bridge?

https://metrics.torproject.org/rs.html#details/BC3D33D414C14D06979F97C5B26BB0876F7150E9

1 Like

Yay, yes! Can you send the bridge line in private or to frontdesk@torproject.org?

Sure thing, any pointer on where to find this? I’m new to Tor.

Just follow these instructions :smiley_cat:
https://community.torproject.org/relay/setup/bridge/post-install/

Awesome, sent the email. Looks like I am too new to send DMs right now.

One note, I installed via Docker. And on the docker install page (Tor Project | Docker) for step 3, it talks about a command to get the bridge line:

docker exec CONTAINER_ID get-bridge-line

Unfortunately, when I ran that I get the following:

user@dockerhost:~$ docker exec torbridge_obfs4-bridge_1 get-bridge-line

Could not create bridge line. Tor's log format may have changed. This is a bug.

I ended up just grabbing the file you suggested, but wanted to give the heads up that it looks like the docs might need an update.

Hm, probably a bug. :space_invader:
I opened a ticket for the Anti-censorship team to check:

Ok was planning on deploying five nodes, but I really need two shirts AND a hoodie (AND stickers). So later today I will up my setup from six working bridges now to ten later on.

Hi! I’m new on this forum. Been running tor relays on and off for twenty years now I think :slight_smile:

3 Likes

Awesome! The metrics.torproject.org link:
https://metrics.torproject.org/rs.html#details/FAA57E231AA6AE39C8864808974FC9DAE3967EB6

It says that it was first seen 2021-05-07 13:04:40; that’s not fully correct. It’s older, but I lost the keys for it…