To create a private obfs4 bridge, you will need a virtual private server (VPS) running Debian 10.
After you first create your server, update all the existing packages:
sudo apt update
sudo apt upgrade
Then install Nftables to implement your server’s firewall:
sudo apt install nftables
sudo systemctl enable nftables
sudo systemctl start nftables
Now add the rules. In the rules below, replace YOUR.PC.IP.ADDRESS with your actual PC IP address (or a range of IP addresses, such as YOUR.PC.0.0/16, if your IP address changes from time to time but always falls within a range). Replace 443 with your own choice of port number.
sudo nft add rule inet filter input ct state related,established \
counter accept
sudo nft add rule inet filter input iif lo counter accept
sudo nft add rule inet filter input tcp dport 22 \
ip saddr YOUR.PC.IP.ADDRESS counter accept
sudo nft add rule inet filter input tcp dport 443 counter accept
Drop any unexpected traffic:
sudo nft add rule inet filter input counter drop
Save these rules so that they persist across reboots:
sudo su -c 'nft list ruleset > /etc/nftables.conf'
Install the prerequisite package:
sudo apt install apt-transport-https
Add the Tor repositories to your Advanced Packaging Tool (APT) sources list:
sudo vi /etc/apt/sources.list
Press Shift+g to navigate to the bottom of the file. Press the o key to open lines for input. Add lines at the bottom for the Tor project repositories:
deb https://deb.torproject.org/torproject.org buster main
deb-src https://deb.torproject.org/torproject.org buster main
Press the Esc key on your computer keyboard to escape from insert mode. Type :wq and press Enter to write the file to disk and quit the editor.
Add the GNU Privacy Guard (GPG) key used to sign the Tor packages. The escape character (backslash) appears in the commands below to escape a line break. You can, if you wish, omit the escape character and enter the commands as a single line.
sudo apt install gpg
wget -qO- https://deb.torproject.org/torproject.org/\
A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 \
| sudo apt-key add -
Update your package lists:
sudo apt update
Install Tor and the Tor Debian keyring from the Tor project repository:
sudo apt install tor deb.torproject.org-keyring
Install the package for obfs4:
sudo apt install obfs4proxy
Allow obfs4proxy to bind to privileged ports:
sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy
While #18356 is still outstanding, you must also amend two Systemd service files as follows.
Edit the default service file:
sudo vi /lib/systemd/system/tor@default.service
Use the Page Down key on your keyboard.
Use the down arrow key to reach the line that says NoNewPrivileges=yes. Press the w key twice to go forward to the word yes.
Use the x key three times to delete three characters.
Press the a key to append characters.
Change the line to read:
NoNewPrivileges=no
Press the Esc key on your computer keyboard to escape from insert mode. Type :wq and press Enter to write the file to disk and quit the editor.
Edit the service file:
sudo vi /lib/systemd/system/tor@.service
Where it says NoNewPrivileges=yes, repeat the process to change it to read:
NoNewPrivileges=no
Type :wq and press Enter to write the file to disk and quit the editor.
Then run:
sudo systemctl daemon-reload
Edit the Tor configuration file:
sudo vi /etc/tor/torrc
Press the keys dG on your computer keyboard to delete the existing lines. Press the i key to enter insert mode. Insert the lines that follow. Note that:
ORPort is set to the default of 9001; that port is not open in the firewall, and so the server is not open to probing.
PublishServerDescriptor 0 is used in the sample configuration file below, but you can alternatively specify BridgeDistribution none. That will make your bridge publish its statistics in the metrics dataset while preventing BridgeDB from giving out the bridge.
ExitPolicy reject *:* is an optional safeguard, since it should be redundant with setting BridgeRelay 1.
In the lines below, replace 443 with your choice of port number for incoming obfuscated connections, yourname@example.com with your actual email address, and PonteVecchio with your choice for a bridge nickname.
Log notice file /var/log/tor/log
ORPort 9001
AssumeReachable 1
ExtORPort auto
BridgeRelay 1
PublishServerDescriptor 0
ExitPolicy reject *:*
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:443
ContactInfo yourname@example.com
Nickname PonteVecchio
Press the Esc key on your computer keyboard to escape from insert mode. Type :wq and press Enter to write the file to disk and quit the editor.
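The firewall rules and the torrc above together establish a few properties that are easy to get wrong when a port number or a line is changed later: the obfs4 port is accepted, the ORPort is not, BridgeRelay is on, the bridge is not handed out by BridgeDB, and the exit policy rejects everything. The following script checks a torrc against a saved ruleset for exactly those properties. It is an added example, not code from the article or from the Tor project; the torrc and ruleset samples in it are constructed, and it assumes rules in the single-port form the article's nft commands produce (port sets are not parsed).

```shell
#!/bin/sh
# Added example, not from the original article. Checks a torrc and an nftables
# ruleset (as "nft list ruleset" prints it) for the properties the article relies
# on. Assumes single-port rules such as "tcp dport 443 ... accept"; a port set
# like "{ 443, 9001 }" would not be recognised.

# torrc_value FILE KEY -> prints the first value of KEY (empty if unset)
torrc_value() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# check_bridge_config TORRC RULESET -> one line per finding; returns 0 when clean
check_bridge_config() {
    torrc=$1; rules=$2; rc=0
    orport=$(torrc_value "$torrc" ORPort)
    # "obfs4 0.0.0.0:443" -> 443
    ptport=$(torrc_value "$torrc" ServerTransportListenAddr | awk '{ print $2 }' | sed 's/.*://')
    grep -Eq "tcp dport $ptport .*accept" "$rules" \
        || { echo "obfs4 port '$ptport' is not accepted by the firewall"; rc=1; }
    ! grep -Eq "tcp dport $orport .*accept" "$rules" \
        || { echo "ORPort $orport is open to the Internet; the article keeps it closed"; rc=1; }
    [ "$(torrc_value "$torrc" BridgeRelay)" = 1 ] \
        || { echo "BridgeRelay is not 1"; rc=1; }
    [ "$(torrc_value "$torrc" PublishServerDescriptor)" = 0 ] \
        || [ "$(torrc_value "$torrc" BridgeDistribution)" = none ] \
        || { echo "neither PublishServerDescriptor 0 nor BridgeDistribution none: BridgeDB could give out the bridge"; rc=1; }
    [ "$(torrc_value "$torrc" ExitPolicy)" = "reject *:*" ] \
        || { echo "ExitPolicy is not reject *:*"; rc=1; }
    return $rc
}

# Constructed samples, not captured from a real server: the article's torrc and the
# input chain as "sudo nft list ruleset" prints it after the article's rules are added
SAMPLE_TORRC=$(mktemp); SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_TORRC" <<'EOF'
ORPort 9001
BridgeRelay 1
PublishServerDescriptor 0
ExitPolicy reject *:*
ServerTransportListenAddr obfs4 0.0.0.0:443
EOF
cat > "$SAMPLE_RULES" <<'EOF'
tcp dport 22 ip saddr 203.0.113.5 counter packets 0 bytes 0 accept
tcp dport 443 counter packets 0 bytes 0 accept
counter packets 0 bytes 0 drop
EOF
# On the bridge itself: check_bridge_config /etc/tor/torrc /etc/nftables.conf
check_bridge_config "$SAMPLE_TORRC" "$SAMPLE_RULES" && echo "configuration matches the article"
```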
Start your bridge running with your revised configuration by issuing the command:
sudo systemctl restart tor
Obtain a template for the bridge line:
sudo cat /var/lib/tor/pt_state/obfs4_bridgeline.txt
The template will look like this:
Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> \
cert=KkdWiWlfetJG9SFrzX8g1teBbgxtsc0zPiN5VLxqNNH+iudVW48CoH/XVXPQntbivXIqZA \
iat-mode=0
Obtain your bridge’s fingerprint:
sudo cat /var/lib/tor/fingerprint
The results will show your bridge nickname and its fingerprint:
PonteVecchio EFC6A00EE6272355C023862378AC77F935F091E4
Substitute your server’s IP address, your chosen port, and your fingerprint into the bridge line. The results will look like this:
Bridge obfs4 123.45.67.89:443 EFC6A00EE6272355C023862378AC77F935F091E4 \
cert=KkdWiWlfetJG9SFrzX8g1teBbgxtsc0zPiN5VLxqNNH+iudVW48CoH/XVXPQntbivXIqZA \
iat-mode=0
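The substitution just described can be scripted, which also guards against pasting a nickname or a truncated value where the fingerprint belongs. This is an added example, not code from the article or from Tor; the template and fingerprint text are passed in as strings, and the sample values at the bottom are constructed in the shape the article shows.

```shell
#!/bin/sh
# Added example (not from the original article): assemble the client bridge line
# from the obfs4 template and the fingerprint file, as the article does by hand.

# build_bridge_line TEMPLATE FINGERPRINT_LINE IP PORT
# Prints the bridge line as one line, or returns 1 if the fingerprint looks wrong.
build_bridge_line() {
    template=$1; fpr_line=$2; ip=$3; port=$4
    # /var/lib/tor/fingerprint holds "<nickname> <fingerprint>"; keep the second field
    fpr=$(printf '%s\n' "$fpr_line" | awk '{ print $2 }')
    # A relay fingerprint is exactly 40 upper-case hex digits; refuse anything else
    case $fpr in
        ""|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    # 1) drop comment and blank lines, 2) join the "\"-continued lines into one,
    # 3) fill in the three placeholders
    printf '%s\n' "$template" \
        | sed -e '/^#/d' -e '/^[[:space:]]*$/d' \
        | sed -e ':a' -e 'N' -e '$!ba' -e 's/ *\\\n */ /g' \
        | sed -e "s/<IP ADDRESS>/$ip/" -e "s/<PORT>/$port/" -e "s/<FINGERPRINT>/$fpr/"
}

# Constructed sample data in the shape the article shows (not real bridge values)
SAMPLE_TEMPLATE='Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> \
cert=KkdWiWlfetJG9SFrzX8g1teBbgxtsc0zPiN5VLxqNNH+iudVW48CoH/XVXPQntbivXIqZA \
iat-mode=0'
SAMPLE_FINGERPRINT='PonteVecchio EFC6A00EE6272355C023862378AC77F935F091E4'
# On the bridge you would pass "$(sudo cat /var/lib/tor/pt_state/obfs4_bridgeline.txt)"
# and "$(sudo cat /var/lib/tor/fingerprint)" instead of the samples
build_bridge_line "$SAMPLE_TEMPLATE" "$SAMPLE_FINGERPRINT" 123.45.67.89 443
```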
Check the Tor log file:
sudo cat /var/log/tor/log
You should see a line:
Bootstrapped 100% (done): Done
Open Windows PowerShell and issue the following command. Replace 123.45.67.89 by your server’s actual IP address and 443 by your choice of port.
Test-NetConnection -ComputerName "123.45.67.89" -Port 443 -InformationLevel "Detailed"
After a minute or so, you should see a line:
TcpTestSucceeded : True
Test your bridge from the Tor Browser for Windows, as described in the article How to Use Tor Private Obfs4 Bridges from Windows.
Communicate the bridge line to your user(s) by a secure method such as Signal or Telegram messengers or from a secure website. Note that email is normally not secure.
Signal and Telegram are blocked in several countries. In some cases it may be possible to connect to Telegram using an MTProto proxy. Describing how to use a proxy in Telegram is out of scope for this article.
There is a decision to be made as to whether you install and configure software before or after you enter a censored country.
There is a trade-off here between convenience and security. It is more convenient to install software and configurations in a free country. The risk is that electronic devices may be inspected when entering a censored country. On the other hand, installing software and configurations after arrival may necessitate additional circumvention measures to reach blocked resources. In the worst case, a user may be completely unable to download the required software and configurations.
If you want to monitor your bridge, you can optionally install the Nyx command-line monitor, previously known as the anonymizing relay monitor (arm):
sudo apt install python3-pip
sudo pip3 install nyx
Edit your Tor configuration file:
sudo vi /etc/tor/torrc
Add the lines:
ControlPort 9051
CookieAuthentication 1
Press the Esc key on your computer keyboard to escape from insert mode. Type :wq and press Enter to write the file to disk and quit the editor.
Start your bridge running with your revised configuration by issuing the command:
sudo systemctl restart tor
Add yourself to the debian-tor group. In the command that follows, replace yourusername by your actual username:
sudo usermod -a -G debian-tor yourusername
Log off and then log on again so that the above command becomes effective.
Invoke Nyx with the command:
nyx
Use the left and right arrows on your computer keyboard to page through the Nyx screens. Press q and then q again to quit Nyx.