Some questions about the Tor bridge

Hello,
I want to launch a Tor bridge and I found this tutorial. I have some questions:

1- For a Tor bridge server, which ports should be open?

2- In ServerTransportListenAddr obfs4 0.0.0.0:443 option, the 0.0.0.0 IP, should it be the IP address of my server?

3- How to launch a Snowflake bridge?

Thank you.

On another thread, it says ports 80, 443, and 8080 are particularly helpful to users behind firewalls in repressive regimes.

0.0.0.0 means listen on all interfaces.

1 Like

For a standalone snowflake see here:

if you haven’t found it already :slight_smile:

1 Like

Hello,
Thank you so much for your reply.
I have two questions:

1- So, can I change it to the IP address of my NIC?

2- In an internal network, is it possible to set up a Tor bridge for testing on a client that has access to the Internet? For example, the IP address of the client is 172.21.2.3 and it has access to the Internet. Install a Tor bridge on this client and connect the rest of the clients in the internal network to this Tor bridge. Is this possible? Or must the computer on which the Tor bridge is started have a global IP address?

If by address of your NIC you mean your private address, don’t do that or else it won’t work. Just leave ORPort 0.0.0.0:443 as is or remove 0.0.0.0, tor will get your public IP. Except for IPv6, in that case you must specify your IPv6 address like this ORPort [YourIPv6Address]:443.

It is mandatory to use IPv4, but enabling IPv6 is really important if you have that choice. If you have both IPv4 and IPv6 available, your config may look like this:

ORPort 443
ORPort [YourIPv6Address]:443

Please use ports of your choice, but as the other operator said, ports 80, 443 and 8080 are especially useful, as they are ports that are often open. I just set up a Guard/Middle relay with that piece of configuration and it is working great. Hopefully, it will work for bridges.

1 Like

Hello,
Thank you so much for your reply.
So, can I change 0.0.0.0 to my public IP?
You said that if I remove 0.0.0.0, then Tor will get my public IP. Does that mean I just need to write :443?

Hello,

Without the “:” before, just ORPort 443; as there is no IP address specified, there is no need to use “:”.

BTW thanks for this post, I set up a bridge this week and your post was useful for me :slight_smile:

1 Like

There is no need to specify IP address, as Cryptux said:

Explanation: If you specify your public IP address it will bind to it, and if it doesn’t match then your bridge won’t work. This is important because few people have a static IPv4 address, and if it is dynamic, when your router (or machine, in case you are running your bridge on a cloud service provider) reboots, it is likely to get a new IPv4 address.

TL;DR: Just leave your configuration as ORPort 443 or ORPort 0.0.0.0:443, whatever you like the most.

2 Likes

Hello,

This config has been working well for me:

AssumeReachable 1
BridgeDistribution none
BridgeRelay 1
ContactInfo [your email]
ControlPort 9051
ExtORPort auto
Log notice file [wherever you’re logging]
Nickname [pickone]
ORPort 127.0.0.1:auto
PublishServerDescriptor 0
RelayBandwidthBurst 1073741824
RelayBandwidthRate 1073741824
ServerTransportListenAddr obfs4 0.0.0.0:8080
ServerTransportPlugin obfs4 exec /your/path/to/obfs4proxy

This will be a ‘secret’ bridge [PublishServerDescriptor 0] which you could send to frontdesk@torproject.org or distribute yourself. AssumeReachable 1 means there will be no reachability test in your log. I also allowed incoming traffic to port 8080 in my device firewall as well as the NAT firewall in my router. YMMV on the firewall rules.

:slightly_smiling_face:

2 Likes

Hello,
Thank you so much for your reply.
Tor has two options:

ORPort 0.0.0.0:443
ServerTransportListenAddr obfs4 0.0.0.0:443

I have two questions:

1- If my server IP address is dynamic, then it is better to use 0.0.0.0 for both options because Tor automatically selects my IP address, and if my server IP address is static, then I can use my static IP address instead of 0.0.0.0. Am I right?

2- In the above two options, should both ports be the same?

1. If you have a dynamic IP address, do not specify any address at all:

ORPort 443

2. No, they have to be different. ORPort is any, and the transport port is publicly available (443, 80, etc.)

1 Like
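The checks discussed in this thread, as an added example that is not part of any post and is not Tor project code: a small Python linter that reads a torrc, flags an ORPort bound to a private address or sharing a port with the pluggable-transport listener, and lists the TCP ports that need firewall rules. The function names and the sample torrc are constructed for illustration.

```python
import ipaddress

# Constructed sample: ORPort on a LAN address, sharing port 443 with obfs4.
SAMPLE_TORRC = """\
BridgeRelay 1
ORPort 192.168.1.10:443
ServerTransportListenAddr obfs4 0.0.0.0:443
"""

def split_listener(value):
    """Split 'PORT', 'ADDR:PORT' or '[IPv6]:PORT' into (addr_or_None, port)."""
    if value.startswith("["):
        addr, _, port = value[1:].partition("]:")
        return addr, port
    addr, sep, port = value.rpartition(":")
    return (addr if sep else None), port

def lint_torrc(text):
    """Return (findings, tcp_ports_to_open) for the listeners in a torrc string."""
    or_ports, pt_ports, findings, to_open = set(), set(), [], set()
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()       # strip comments, tokenize
        if len(words) >= 2 and words[0].lower() == "orport":
            kind, (addr, port) = "ORPort", split_listener(words[1])
        elif len(words) >= 3 and words[0].lower() == "servertransportlistenaddr":
            kind, (addr, port) = words[1], split_listener(words[2])
        else:
            continue
        ip = ipaddress.ip_address(addr) if addr else None
        # Thread advice: do not bind ORPort to a private (LAN) address.
        if kind == "ORPort" and ip and ip.is_private \
                and not (ip.is_loopback or ip.is_unspecified):
            findings.append(f"ORPort bound to private address {addr}")
        if not port.isdigit():
            continue                               # 'auto': no fixed port to compare
        (or_ports if kind == "ORPort" else pt_ports).add(int(port))
        if ip is None or not ip.is_loopback:
            to_open.add(int(port))                 # reachable from outside this host
    # Thread advice: ORPort and the transport port have to be different.
    for port in sorted(or_ports & pt_ports):
        findings.append(f"ORPort and transport both use port {port}")
    return findings, sorted(to_open)

if __name__ == "__main__":
    print(lint_torrc(SAMPLE_TORRC))
```

A loopback ORPort with `auto`, as in the 'secret' bridge config posted above, produces no findings and leaves only the obfs4 port in the list of ports to open.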

Hello,
Thank you so much for your reply.
The ORPort is the port that accepts client connections and connections from other relays.
Why did @Quartermarsh use ORPort 127.0.0.1:auto? How can clients and other relays connect to 127.0.0.1?

Consider the following two options:

ORPort STATIC_IP:443
ServerTransportListenAddr obfs4 STATIC_IP:80

Does a Tor bridge server using the above configuration only need to have ports 443 and 80 open?

See here:

So with your bridgeline specifying [your ip]:8080 etc. and ServerTransportListenAddr obfs4 0.0.0.0:8080 specified in your config then clients will connect on the port specified. Like this:

Aug 01 09:31:16.275 [notice] Opening Socks listener on 127.0.0.1:9050
Aug 01 09:31:16.276 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9050
Aug 01 09:31:16.276 [notice] Opening Control listener on 127.0.0.1:9051
Aug 01 09:31:16.276 [notice] Opened Control listener connection (ready) on 127.0.0.1:9051
Aug 01 09:31:16.276 [notice] Opening OR listener on 127.0.0.1:0
Aug 01 09:31:16.276 [notice] OR listener listening on port 58225.
Aug 01 09:31:16.276 [notice] Opened OR listener connection (ready) on 127.0.0.1:58225
Aug 01 09:31:16.276 [notice] Opening Extended OR listener on 127.0.0.1:0
Aug 01 09:31:16.276 [notice] Extended OR listener listening on port 58226.
Aug 01 09:31:16.276 [notice] Opened Extended OR listener connection (ready) on 127.0.0.1:58226

Hello,
Thanks again.
Something like an internal connection?