Two-layered access

danial · September 25, 2022, 1:56pm

Hey folks

The mobile Internet in Iran is only-Iran access these days, but the servers in data-centers have access to the Internet; albeit they are restricted too and can not connect directly to TOR.

First thing I tried was to setup a TOR connection via a bridge on a server which was fine and working. But when I tried to turn that to a bridge it-self, I found that it’s not possible (or I didn’t find a way). The second thing I tried was to run tor over a local socks proxy.

This is my torrc file:

Socks5Proxy 127.0.0.1
ORPort auto
BridgeRelay 1
PublishServerDescriptor 0
Exitpolicy reject *:*

Nickname [myname]
ContactInfo [my mail]

ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
ServerTransportOptions obfs4 iat-mode=2
ExtORPort auto

When I run tor, I get this log:

[n] Tor 0.4.6.10 opening log file.
[n] We compiled with OpenSSL 30000020: OpenSSL 3.0.2 15 Mar 2022 and we are running with OpenSSL 30000020: 3.0.2. These two versions should be binary compatible.
[n] Tor 0.4.6.10 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.2, Zlib 1.2.11, Liblzma 5.2.5, Libzstd 1.4.8 and Glibc 2.35 as libc.
[n] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
[n] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
[n] Read configuration file "/etc/tor/torrc".
[n] Based on detected system memory, MaxMemInQueues is set to 1420 MB. You can override this by setting MaxMemInQueues by hand.
[n] Opening Socks listener on 127.0.0.1:9050
[n] Opened Socks listener connection (ready) on 127.0.0.1:9050
[n] Opening OR listener on 0.0.0.0:0
[n] OR listener listening on port 40785.
[n] Opened OR listener connection (ready) on 0.0.0.0:40785
[n] Opening OR listener on [::]:0
[n] OR listener listening on port 35951.
[n] Opened OR listener connection (ready) on [::]:35951
[n] Opening Extended OR listener on 127.0.0.1:0
[n] Extended OR listener listening on port 43267.
[n] Opened Extended OR listener connection (ready) on 127.0.0.1:43267
[n] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
[n] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
[n] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now. 
[n] Your Tor server's identity key  fingerprint is [fp]
[n] Your Tor bridge's hashed identity key  fingerprint is [fp]
[n] Your Tor server's identity key [ik] fingerprint is '[fp]'
[n] You can check the status of your bridge relay at https://bridges.torproject.org/status?id=[fp]
[n] Bootstrapped 0% (starting): Starting
[n] Starting with guard context "default"
[n] Signaled readiness to systemd
[w] Managed proxy '/usr/bin/obfs4proxy' did not configure the specified outgoing proxy and will be terminated.
[w] Pluggable Transport process terminated with status code 0
[n] Bootstrapped 3% (conn_proxy): Connecting to proxy
[n] Opening Socks listener on /run/tor/socks
[n] Opened Socks listener connection (ready) on /run/tor/socks
[n] Opening Control listener on /run/tor/control
[n] Opened Control listener connection (ready) on /run/tor/control
[n] Bootstrapped 4% (conn_done_proxy): Connected to proxy
[n] Bootstrapped 10% (conn_done): Connected to a relay
[n] Bootstrapped 14% (handshake): Handshaking with a relay
[n] Bootstrapped 15% (handshake_done): Handshake with a relay done 
[n] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
[n] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
[n] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
[n] Bootstrapped 100% (done): Done
[n] Now checking whether IPv4 ORPort [ip]:40785 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)

and after a long time, I get something like this:

Your server has not managed to confirm reachability for its ORPort(s) at [ip]:40785. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.

But I can manually telnet and connect to the port on the IP from everywhere.

One time I get something like this:

[n] Self-testing indicates your ORPort [ip]:8080 is reachable from the outside. Excellent.
[n] Your network connection speed appears to have changed. Resetting timeout to 60000ms after 18 timeouts and 127 buildtimes.
[n] No circuits are opened. Relaxed timeout for circuit 168 (a Testing circuit 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway.
[n] No circuits are opened. Relaxed timeout for circuit 195 (a Testing circuit 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway. [23 similar message(s) suppressed in last 4500 seconds]
[n] No circuits are opened. Relaxed timeout for circuit 203 (a Testing circuit 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway. [7 similar message(s) suppressed in last 5280 seconds]
[n] Your network connection speed appears to have changed. Resetting timeout to 60000ms after 18 timeouts and 117 buildtimes.
[n] No circuits are opened. Relaxed timeout for circuit 358 (a Testing circuit 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway. [9 similar message(s) suppressed in last 3660 seconds]
[n] Heartbeat: Tor's uptime is 6:00 hours, with 0 circuits open. I've sent 1.91 MB and received 7.74 MB. I've received 51 connections on IPv4 and 0 on IPv6. I've made 21 connections with IPv4 and 0 with IPv6.
[n] While not bootstrapping, fetched this many bytes: 5704117 (server descriptor fetch); 483366 (consensus network-status fetch); 35954 (microdescriptor fetch)
[n] Heartbeat: In the last 6 hours, I have seen 0 unique clients.
[n] No circuits are opened. Relaxed timeout for circuit 360 (a Testing circuit 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway. [1 similar message(s) suppressed in last 5400 seconds]
[n] Your network connection speed appears to have changed. Resetting timeout to 60000ms after 18 timeouts and 117 buildtimes.

But I never get the port for obfs4 bridge anyway

Vort · September 25, 2022, 2:35pm

I have non-traditional idea.
It may not be suitable to you, but anyway.

I wonder if Yggdrasil Network is blocked.
If not, you can install Yggdrasil nodes both on remote server and your PC.
Then add bunch of peers at remote server and add remote server peer to node on PC.
After setup is finished, you can access any Yggdrasil addresses from your PC.
One of such addresses corresponds to my “bridge”: [21b:321:3243:ecb6:a4cf:289c:c0f1:d6eb]:16728 835FFE642EFA3BB7936663D2365A15D319FB6226.

Several notes however: 1. My bandwidth is not unlimited, so I can’t handle much users - it is better to use my node just for testing. 2. Yggdrasil code is not stable enough and may contain problems. 3. If Yggdrasil is blocked, then, of course, such method will not work.

danial · September 25, 2022, 5:12pm

Unfortunately there is no IPv6 in Iran

Vort · September 25, 2022, 5:28pm

Yggdrasil addresses are virtual, only OS support for IPv6 is needed.
Real peer connections can be IPv4.

arma · September 25, 2022, 5:57pm

It is the Socks5Proxy line that isn’t compatible with your obfs4 bridge set-up.

That is, one Tor cannot both be an obfs4 bridge and also be configured to itself use a Socks5Proxy.

You can see in your logs that it is failing – Tor tells obfs4proxy to configure your Socks5Proxy, and it fails with

[w] Managed proxy '/usr/bin/obfs4proxy' did not configure the specified outgoing proxy and will be terminated.
[w] Pluggable Transport process terminated with status code 0

and after that your Tor is going to be broken.

(If somebody changed the obfs4proxy code to know how to set up a Socks5Proxy, your approach could work. But it would seem that nobody has implemented that feature in obfs4proxy yet.)

Taking a step back: it looks like you are trying to chain a bunch of proxies together? And you have some external socks5proxy of your own which is good at getting out of the censorship? The Tor bridge config isn’t really intended for being used as one piece of a multi-proxy setup, but keep playing around with it and you might be able to make it work. I would start by changing your bridge to be a “vanilla” bridge, i.e. not obfs4. You do that by removing those three lines at the bottom of your torrc file, and then on the client side your bridge line is simply “IP:port” with no extra parameters.

Oh, and lastly, your Tor 0.4.6.x version is out of date – you should be using either 0.4.5 (long term stable) or 0.4.7 (current stable).

Good luck!

danial · September 25, 2022, 10:35pm

I upgraded the tor and now my torrc is:

Socks5Proxy 127.0.0.1
ORPort 8080
BridgeRelay 1
PublishServerDescriptor 0
Exitpolicy reject *:*

Nickname [myname]
ContactInfo [mymail]

But I still get this:

[n] Tor 0.4.7.10 opening log file.
[n] We compiled with OpenSSL 30000020: OpenSSL 3.0.2 15 Mar 2022 and we are running with OpenSSL 30000020: 3.0.2. These two versions should be binary compatible.
[n] Tor 0.4.7.10 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.2, Zlib 1.2.11, Liblzma 5.2.5, Libzstd 1.4.8 and Glibc 2.35 as libc.
[n] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
[n] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
[n] Read configuration file "/etc/tor/torrc".
[n] Based on detected system memory, MaxMemInQueues is set to 1420 MB. You can override this by setting MaxMemInQueues by hand.
[n] Opening Socks listener on 127.0.0.1:9050
[n] Opened Socks listener connection (ready) on 127.0.0.1:9050
[n] Opening OR listener on 0.0.0.0:8080
[n] Opened OR listener connection (ready) on 0.0.0.0:8080
[n] Opening OR listener on [::]:8080
[n] Opened OR listener connection (ready) on [::]:8080
[n] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
[n] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
[n] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now. 
[n] Your Tor server's identity key  fingerprint is [fp]
[n] Your Tor bridge's hashed identity key  fingerprint is[fp]
[n] Your Tor server's identity key [ik] fingerprint is [fp]
[n] You can check the status of your bridge relay at https://bridges.torproject.org/status?id=[fp]
[n] Bootstrapped 0% (starting): Starting
[n] Starting with guard context "default"
[n] Signaled readiness to systemd
[n] Bootstrapped 3% (conn_proxy): Connecting to proxy
[n] Opening Socks listener on /run/tor/socks
[n] Opened Socks listener connection (ready) on /run/tor/socks
[n] Opening Control listener on /run/tor/control
[n] Opened Control listener connection (ready) on /run/tor/control
[n] Bootstrapped 4% (conn_done_proxy): Connected to proxy
[n] Bootstrapped 10% (conn_done): Connected to a relay
[n] Bootstrapped 14% (handshake): Handshaking with a relay
[n] Bootstrapped 15% (handshake_done): Handshake with a relay done 
[n] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
[n] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
[n] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
[n] Bootstrapped 100% (done): Done 
[n] Now checking whether IPv4 ORPort [ip]:8080 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)

and after 20 minutes:

[w] Your server has not managed to confirm reachability for its ORPort(s) at 87.247.184.247:8080. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.

But I can telnet to 8080 port of my ip from everywhere.

arma · September 25, 2022, 11:41pm

What is the socks5proxy that you’re trying to send this Tor’s traffic into?

That is, what process is listening on localhost port 1080, and what does this process do?

danial · September 26, 2022, 1:17am

That’s a shadowsock connection over v2ray

danial · September 26, 2022, 1:33pm

I just got another VPS with a direct connection to tor and I set up a bridge on that:

ORPort auto
BridgeRelay 1
ExitPolicy reject *:*
## CHANGEME_1 -> provide a nickname for your bridge, can be anything you like
Nickname [myname]
ContactInfo [mymail]
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy managed
ServerTransportOptions obfs4 iat-mode=2
ExtORPORT auto

But in this case I get these outputs too:

[n] Tor 0.4.5.10 opening log file.
[n] We compiled with OpenSSL 101010bf: OpenSSL 1.1.1k  25 Mar 2021 and we are running with OpenSSL 101010ef: 1.1.1n. These two versions should be binary compatible.
[n] Tor 0.4.5.10 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1n, Zlib 1.2.11, Liblzma 5.2.5, Libzstd 1.4.8 and Glibc 2.31 as libc.
[n] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
[n] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
[n] Read configuration file "/etc/tor/torrc".
[n] Based on detected system memory, MaxMemInQueues is set to 732 MB. You can override this by setting MaxMemInQueues by hand.
[n] Opening Socks listener on 127.0.0.1:9050
[n] Opened Socks listener connection (ready) on 127.0.0.1:9050
[n] Opening OR listener on 0.0.0.0:0
[n] OR listener listening on port 42835.
[n] Opened OR listener connection (ready) on 0.0.0.0:42835
[n] Opening OR listener on [::]:0
[n] OR listener listening on port 36297.
[n] Opened OR listener connection (ready) on [::]:36297
[n] Opening Extended OR listener on 127.0.0.1:0
[n] Extended OR listener listening on port 39125.
[n] Opened Extended OR listener connection (ready) on 127.0.0.1:39125
[n] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
[n] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
[n] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
[n] Your Tor server's identity key  fingerprint is [fp]
[n] Your Tor bridge's hashed identity key  fingerprint is [fp]
[n] Your Tor server's identity key [ik] fingerprint is [fp]
[n] Bootstrapped 0% (starting): Starting
[n] Starting with guard context "default"
[n] Signaled readiness to systemd
[n] Registered server transport 'obfs4' at '[::]:46731'
[n] Bootstrapped 5% (conn): Connecting to a relay
[n] Opening Socks listener on /run/tor/socks
[n] Opened Socks listener connection (ready) on /run/tor/socks
[n] Opening Control listener on /run/tor/control
[n] Opened Control listener connection (ready) on /run/tor/control
[n] Unable to find IPv6 address for ORPort 36297. You might want to specify IPv4Only to it or set an explicit address or set Address.
[n] Bootstrapped 10% (conn_done): Connected to a relay
[n] Bootstrapped 14% (handshake): Handshaking with a relay
[n] Bootstrapped 15% (handshake_done): Handshake with a relay done
[n] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
[n] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
[n] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
[n] Bootstrapped 100% (done): Done
[n] Now checking whether IPv4 ORPort 95.215.59.243:42835 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
[w] Your server has not managed to confirm reachability for its ORPort(s) at [ip]:42835. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.

In this case, the port is available from outside too.
I there a chance they blocked the reachability check of tor? I don’t know how it’s doing

danial · September 27, 2022, 8:45pm

The problem has been solved by adding

AssumeReachable 1

to torrc

system · September 27, 2022, 10:45pm

This topic was automatically closed 2 hours after the last reply. New replies are no longer allowed.

gus · September 28, 2022, 1:28pm

Hi! Please check out this guide:

github.com/net4people/bbs

Tutorial: setting up a Tor bridge for Iran

opened 12:00PM - 28 Sep 22 UTC

meskio

Iran

During network shutdowns in Iran connections inside the country do still work. W…e can set up a bridge to be reachable from inisde Iran to be used to connect to Tor when there is a network shutdown. We need two servers: * SI a server in Iran that will relay traffic to the bridge * SO a server outside iran that will run the bridge ## Setting up a bridge in the server outside Iran (SO) Install docker and docker compose: https://docs.docker.com/compose/install/ Get the docker-compse.yml file ``` $ mkdir bridge $ cd bridge $ wget https://gitlab.torproject.org/tpo/anti-censorship/docker-obfs4-bridge/-/raw/main/docker-compose.yml ``` Edit bridge/.env with the following content: ``` # Set required variables OR_PORT=3344 PT_PORT=3355 EMAIL=your@email.com # If you want, you could change the nickname of your bridge #NICKNAME=DockerObfs4Bridge # Configure the bridge so it will not be distributed by bridgedb: OBFS4_ENABLE_ADDITIONAL_VARIABLES=1 OBFS4V_BridgeDistribution=none ``` Start the bridge: ``` $ docker compose up -d ``` Get it's bridge line: ``` $ docker exec bridge-obfs4-bridge-1 get-bridge-line obfs4 x.x.x.x:3355 AAABBBBCCCDDDD cert=abcdx iat-mode=0 ``` Test the bridge copying into Tor Browser ## Setting up a proxy in the server inside Iran (SI) ### SSH We can use ssh for this: ``` # ssh -L 3355:127.0.0.1:3355 x.x.x.x:3355 ``` x.x.x.x is the IP address of SO ### kcptun kcptun is a network enhancement proxy that tunnel a stream based traffic over a UDP transport protocol. Download the utility from https://github.com/xtaci/kcptun/releases first, then run the following command on SO ``` server_linux_amd64 -t "127.0.0.1:3355" -l "0.0.0.0:7923" -mtu 1400 --nocomp -sndwnd 16384 --rcvwnd 16384 --datashard 0 --parityshard 0 --crypt aes --smuxver 2 --key "*****" ``` run the following command on SI ``` client_linux_amd64 -l "0.0.0.0:3355" -r "x.x.x.x:7923" -mtu 1400 --nocomp -sndwnd 16384 --rcvwnd 16384 --datashard 0 --parityshard 0 --crypt aes --smuxver 2 --key "*****" ``` x.x.x.x is the IP address of SO 7923 is the port kcptun listens on Since kcptun consume more traffic than typical tcp based transport, this transport can reshape traffic, so that it is not obvious that this VPS serves as a forwarder's role. As a side effect the connection quality may be improved with parameter tuning. ## Hand out the bridge Now we can distribute the bridgeline replacing the IP address with the one of SI (y.y.y.y): ``` obfs4 y.y.y.y:3355 AAABBBBCCCDDDD cert=abcdx iat-mode=0 ```