This page shows you how to create a public obfs4 bridge. By making a bridge "public" you allow the Tor Project to share your bridge with users from around the world.
This article expands on the article on the Tor Project website about setting up a bridge on Debian/Ubuntu. The purpose of this expansion is to include some details and explanations missing from the original article. For ease of reference, we use the same section numbering as the original.
To create a public obfs4 bridge, you will need a virtual private server (VPS). You can rent a VPS from many providers. Some of the most popular ones are OVH, Hetzner, and DigitalOcean. These are fine, but you can increase the diversity of the Tor network by choosing a provider not on the list of the most popular ones. Consult your provider's Acceptable Use Policy to make sure the provider allows Tor (non-exit) nodes. Choose a provider with a large monthly bandwidth allowance. Your VPS should use KVM or Xen virtualization (not OpenVZ). You will need a public IPv4 address. A bridge can run with 512 MB of RAM, but ideally your VPS will have 1 GB or more. Tor does not need much disk storage, so disk space will probably not be a limiting factor. For the operating system, choose Debian 10 or Debian 11.
You can SSH into your server using an SSH client such as a terminal emulator, Windows PowerShell, PuTTY, or XSHELL. Ideally you set up your server with an SSH public key on the server and an SSH private key on the client. If you are not using public key authentication, make sure you choose a strong password.
In the commands in this tutorial, we assume you log in as root. If you are not root, then either prefix commands with sudo, or else switch to the root user (sudo su -) before you start work.
After you first create your server, update all the existing packages:
apt update && apt upgrade
There are many ways to add a firewall to your server. In this tutorial, you will use iptables to implement the firewall. Note that some VPS providers implement security groups outside of the server itself, in their server management web application.
In the iptables rules below:
- Replace YOUR.PC.IP.ADDRESS with your actual PC IP address (or a range of IP addresses, such as YOUR.PC.0.0/16, if your IP address changes from time to time but always falls within a range). If you do not know your IP address, visit https://whatismyipaddress.com to determine it.
- Replace 8888, the obfs4 port, with your own choice of port number.
- Replace 9999, the ORPort, with your own choice of port number. This is the port the rest of the Tor network uses to communicate with your bridge.
Here are the iptables rules to implement a basic firewall to protect your server from unauthorized access:
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp -s YOUR.PC.IP.ADDRESS --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 8888 -j ACCEPT
iptables -A INPUT -p tcp --dport 9999 -j ACCEPT
iptables -P INPUT DROP
The next set of rules blocks IPv6 input. You will need to change these if you actually want to use IPv6 as well as IPv4 for your ORPort.
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -P INPUT DROP
Save these rules so that they persist across reboots. When the installer asks, answer yes to save the current IPv4 and IPv6 rules:
apt install iptables-persistent
You will need to keep your server up to date by issuing the commands apt update && apt upgrade periodically, for example every week or every month. However, there may be urgent security upgrades in between your manual updates. We will use the unattended-upgrades package to apply urgent upgrades within 24 hours. In addition, we will install the package apt-listchanges to compare new versions with previous ones and report on what has changed.
Install the packages:
apt install unattended-upgrades apt-listchanges
Edit the default configuration file:
vi /etc/apt/apt.conf.d/50unattended-upgrades
Change the Origins-Pattern section to specify Debian security upgrades and Tor Project upgrades:
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=TorProject";
};
The list of packages to exclude should be empty:
Unattended-Upgrade::Package-Blacklist { };
Press the Esc key, type :wq, and press Enter to write the file to disk and quit the editor.
To activate unattended-upgrades, edit the apt configuration stub:
vi /etc/apt/apt.conf.d/20auto-upgrades
Edit the file so that apt-get update runs automatically every day; apt-get autoclean runs every 5 days; the unattended-upgrade script runs every day; and output is verbose:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Verbose "1";
Press the Esc key, type :wq, and press Enter to write the file to disk and quit the editor.
Test unattended-upgrade manually with the debug option (-d):
unattended-upgrade -d
Display the results, if any:
cat /var/log/unattended-upgrades/unattended-upgrades.log
Unattended-upgrades is now configured. Note that you will still need to issue the commands apt update && apt upgrade periodically for all other, non-urgent upgrades.
Install the prerequisite packages:
apt install apt-transport-https gpg
Add the Tor repositories to your Advanced Packaging Tool (APT) sources lists:
vi /etc/apt/sources.list.d/tor.list
Press the i key on your keyboard to enter insert mode. Add lines for Tor Project repositories.
For Debian 10 "buster":
deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org buster main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org buster main
For Debian 11 "bullseye":
deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bullseye main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bullseye main
Press the Esc key to leave insert mode. Type :wq and press Enter to write the file to disk and quit the editor.
Add the GNU Privacy Guard (GPG) key used to sign the Tor packages. The escape character (backslash) appears in the command below to escape a line break. You can, if you wish, omit the escape character and enter the command as a single line.
wget -O- https://deb.torproject.org/torproject.org/\
A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc \
| gpg --dearmor \
| tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
Update your package lists for the new repositories:
apt update
Install Tor and the Tor Debian keyring from the Tor project repository:
apt install tor deb.torproject.org-keyring
Check the version of Tor that was installed:
tor --version
Install the package for obfs4:
apt install obfs4proxy
Edit the Tor configuration file:
vi /etc/tor/torrc
Press the keys dG on your computer keyboard to delete the existing lines. Press the i key to enter insert mode. Insert the lines that follow. Note that:
- ORPort is set to 9999, but you can change this to your own chosen value.
- ExitPolicy reject *:* is an optional safeguard, since it should be redundant with setting BridgeRelay 1.
- The obfs4 port in ServerTransportListenAddr is set to 8888, but you can change this to your own chosen value.
- In ContactInfo, [] marks where the @ should go.
- Adjust AccountingMax (1000 GB) as necessary. Note that Tor applies the limit to sending and receiving separately. You will need to determine whether your VPS provider's limits apply to sending or receiving or both added together.
- ControlPort is set to 9051, but this port is not open in the firewall, so that only a local user on the server itself can control the Tor process using the Tor Control Protocol.
Log notice file /var/log/tor/log
ORPort 9999 IPv4Only
ExtORPort auto
BridgeRelay 1
PublishServerDescriptor bridge
ExitPolicy reject *:*
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:8888
ContactInfo youremail[]yourdomain.com
Nickname ChooseNameHere
AccountingMax 1000 GB
ControlPort 9051
CookieAuthentication 1
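The torrc and the firewall rules above must agree: the ORPort and the obfs4 port have to be accepted from anywhere, while the ControlPort must not be. The following is an added example, not part of the original tutorial, that audits that relationship by parsing a torrc and the output of iptables-save; both inputs below are constructed samples that mirror the values used in this tutorial, and the SSH source address 203.0.113.5 is a placeholder.

```python
import re

# Constructed sample torrc, using the values from this tutorial.
SAMPLE_TORRC = """\
Log notice file /var/log/tor/log
ORPort 9999 IPv4Only
ExtORPort auto
BridgeRelay 1
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:8888
ControlPort 9051
CookieAuthentication 1
"""

# Constructed sample of `iptables-save` output for the tutorial's rule set.
SAMPLE_RULES = """\
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s 203.0.113.5/32 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8888 -j ACCEPT
-A INPUT -p tcp --dport 9999 -j ACCEPT
"""

ACCEPT_ANY = re.compile(r"^-A INPUT -p tcp --dport (\d+) -j ACCEPT$")

def torrc_ports(text):
    """Return the ORPort, obfs4 listen port and ControlPort declared in a torrc."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments and blanks
        if not fields:
            continue
        if fields[0] == "ORPort":
            ports["ORPort"] = int(fields[1])
        elif fields[0] == "ServerTransportListenAddr" and fields[1] == "obfs4":
            ports["obfs4"] = int(fields[2].rsplit(":", 1)[1])
        elif fields[0] == "ControlPort":
            ports["ControlPort"] = int(fields[1])
    return ports

def open_tcp_ports(rules):
    """TCP ports accepted from any source, i.e. ACCEPT rules with no -s restriction."""
    matches = (ACCEPT_ANY.match(line.strip()) for line in rules.splitlines())
    return {int(m.group(1)) for m in matches if m}

def audit(torrc, rules):
    """List each mismatch between the torrc and the firewall; empty means consistent."""
    want, have, findings = torrc_ports(torrc), open_tcp_ports(rules), []
    for name in ("ORPort", "obfs4"):
        if want.get(name) not in have:
            findings.append(f"{name} {want.get(name)} is not accepted by the firewall")
    if want.get("ControlPort") in have:
        findings.append(f"ControlPort {want['ControlPort']} is exposed to the network")
    return findings
```

On a live server, feed it the real files with audit(open("/etc/tor/torrc").read(), subprocess.check_output(["iptables-save"], text=True)).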
Press the Esc key on your computer keyboard to escape from insert mode. Type :wq and press Enter to write the file to disk and quit the editor.
Start your bridge running with your revised configuration by issuing the command:
systemctl restart tor@default
To confirm your bridge is active:
tail /var/log/tor/log
You should see the message "Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor."
The steps in this section are optional. You'll see how to test your bridge from Tor Browser, check it in Relay Search and on the bridge status page, and monitor it with Nyx.
To test your obfs4 bridge from your own Tor Browser, first obtain a template for the bridge line:
cat /var/lib/tor/pt_state/obfs4_bridgeline.txt
The template will look like this:
Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> \
cert=KkdWiWlfetJG9SFrzX8g1teBbgxtsc0zPiN5VLxqNNH+iudVW48CoH/XVXPQntbivXIqZA \
iat-mode=0
Also obtain your bridge’s fingerprint:
cat /var/lib/tor/fingerprint
The results will show your bridge nickname and its fingerprint:
ChooseNameHere EFC6A00EE6272355C023862378AC77F935F091E4
Substitute your server’s IP address, your chosen obfs4 port (8888
in our example), and your fingerprint into the bridge line. The results will look like this:
Bridge obfs4 123.45.67.89:8888 EFC6A00EE6272355C023862378AC77F935F091E4 \
cert=KkdWiWlfetJG9SFrzX8g1teBbgxtsc0zPiN5VLxqNNH+iudVW48CoH/XVXPQntbivXIqZA \
iat-mode=0
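The substitution above is easy to get wrong by hand (a truncated fingerprint or a stray backslash produces a bridge line Tor Browser rejects). This added example, not part of the original tutorial, performs it from the two files read in this section, checks that the fingerprint is 40 hex characters, and joins any continuation lines into the single line Tor Browser expects. The file contents and the IP address 123.45.67.89 are the constructed sample values from this page.

```python
import re

# Constructed sample contents of /var/lib/tor/pt_state/obfs4_bridgeline.txt
# (shown here with continuation lines, as on this page) and /var/lib/tor/fingerprint.
TEMPLATE = """\
Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> \\
cert=KkdWiWlfetJG9SFrzX8g1teBbgxtsc0zPiN5VLxqNNH+iudVW48CoH/XVXPQntbivXIqZA \\
iat-mode=0
"""
FINGERPRINT_FILE = "ChooseNameHere EFC6A00EE6272355C023862378AC77F935F091E4\n"

def read_fingerprint(text):
    """Parse '<nickname> <fingerprint>' and reject anything but 40 uppercase hex digits."""
    nickname, fingerprint = text.split()
    if not re.fullmatch(r"[0-9A-F]{40}", fingerprint):
        raise ValueError(f"malformed fingerprint: {fingerprint!r}")
    return nickname, fingerprint

def build_bridge_line(template, fingerprint_text, ip, port):
    """Fill the template's placeholders and return one whitespace-normalised line."""
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port: {port}")
    _, fingerprint = read_fingerprint(fingerprint_text)
    # Drop backslash-newline continuations, then collapse all whitespace runs.
    joined = " ".join(template.replace("\\\n", " ").split())
    line = (joined.replace("<IP ADDRESS>", ip)
                  .replace("<PORT>", str(port))
                  .replace("<FINGERPRINT>", fingerprint))
    if "<" in line:  # a placeholder we did not know about was left unfilled
        raise ValueError(f"unfilled placeholder in: {line}")
    return line

if __name__ == "__main__":
    print(build_bridge_line(TEMPLATE, FINGERPRINT_FILE, "123.45.67.89", 8888))
```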
Now launch Tor Browser on your PC. Reconfigure Tor Network Settings to use your own obfs4 bridge. Test to see whether you can connect to https://check.torproject.org.
After about 3 hours, your bridge will be searchable by fingerprint (but not by IP address) at https://metrics.torproject.org/rs.html#search.
You can also check that your bridge appears to be functional by opening a browser and visiting https://bridges.torproject.org/status?id=FINGERPRINT, replacing FINGERPRINT with your bridge's fingerprint.
If you want to monitor utilization of your bridge in real time, you can optionally install the Nyx command-line monitor, previously known as the anonymizing relay monitor (arm):
apt install python3-pip
pip3 install nyx
Invoke Nyx with the command:
nyx
Use the left and right arrows on your computer keyboard to page through the Nyx screens. Press q and then q again to quit Nyx.