I try start a obfs4 bridge, and I have some errors.
My box is located on a DMZ where nothing is allowed by default. So I made the Port Forwarding for OR and OBFS4 ports (inbound connexion) but I don’t know what I need to open from my box to the WAN (outbound connexion).
Thanks in advance …
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:YYYY
Replace XXXX and YYYY with two ports at your choice and “expose” them in the internet (aka port forwarding)
- Avoid port 9001 because it’s commonly associated with Tor and censors may be scanning the Internet for this port.
- If you decide to use a fixed obfs4 port smaller than 1024 (for example 80 or 443), you will need to give obfs4
CAP_NET_BIND_SERVICEcapabilities to bind the port with a non-root user:
Thanks for answering, but you described the inbound connexion but what about the outbound connexion ?
Is there a port or a range of ports to join the other relays/bridge, is there a broker, … who initiate the connexion ?
I can’t find a flow matrix for obsf4 bridges …
If I understand well how obfs4 works you don’t need port forwarding for other ports than XXXX and YYYY.
XXXX → censored users are communicating with your obfs4 bridge
YYYY → obfs4 bridge is communicating with tor relays
Are you saying that outbound connections are also prohibited by default?
I’m afraid there’s no specifically constrained port or port range. Tor relays can use any port (by specifying a different
ORPort in their
torrc file. The default is
9001, but some relays use a different one. And bridges are practically required to be able to connect to any Tor relay, because clients choose circuits at random.
So it looks to me you need to work on allowing connections to all outbound ports.