The primary purpose of this submenu is to offer a simple way to configure an obfs4 bridge relay.
All of the relays that make up the Tor network are publicly listed. One way to try to prevent people from using Tor is to blacklist the public IP addresses of all of the thousands of Tor relays. However, thanks to bridges, Tor users are still able to connect to the network when the public Tor relays are blocked. Not only are bridges private, they can also modify their network packets in a way that makes it difficult for an observer to conclude that somebody is using Tor — that’s where obfs4 comes into play. Unfortunately, the number of bridge relays has been stagnant for a while (currently, there are about 600 obfs4 bridge relays). The Tor network needs a constant trickle of new bridge relays that aren’t blocked anywhere yet — and you can help with that! By setting up a bridge relay, you can help censored users connect to the open internet through Tor.
To set up a bridge relay, your internet connection has to meet some minimal requirements:
- It has to offer at least a 1 Mbit/s down-/upload bandwidth (Speedtest).
- 24/7 internet connectivity for a longer time (weeks or months)
- The ability to expose TCP ports to the internet (public IP, port forwarding; make sure that NAT doesn’t get in the way).
The activation of a bridge relay is a three-step process:
- Check and/or change the configuration (menu entry 3).
- Activate the BRIDGE RELAY MODE (menu entry 2).
- Restart Tor (menu entry 7).
To confirm your bridge relay is running, you should see something like this in the log (menu entry 7 or 8):
[notice] Your Tor server's identity key fingerprint is '<NICKNAME> <FINGERPRINT>'
[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME> <HASHED FINGERPRINT>'
[notice] Registered server transport 'obfs4' at '[::]:46396'
[notice] Now checking whether ORPort <redacted>:3818 is reachable...
[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
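The log check described above can be scripted. The following is an added example, not part of TorBox: the function names are hypothetical, and the sample log is constructed from the notice lines quoted on this page with their placeholders left in place.

```shell
#!/bin/sh
# Added example, not TorBox code. Constructed sample: the notice lines quoted
# on this page, with its placeholders left in place.
sample_log() {
cat <<'EOF'
[notice] Your Tor server's identity key fingerprint is '<NICKNAME> <FINGERPRINT>'
[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME> <HASHED FINGERPRINT>'
[notice] Registered server transport 'obfs4' at '[::]:46396'
[notice] Now checking whether ORPort <redacted>:3818 is reachable...
[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
EOF
}

# Reads Tor log text on stdin, prints KEY=VALUE findings, and returns 0 only
# when all three confirmations are present.
bridge_log_status() {
    awk '
        /Registered server transport .obfs4. at/ {
            # Listen address is the last single-quoted field, e.g. [::]:46396
            n = split($0, q, "\047"); port = q[n - 1]; sub(/.*:/, "", port)
        }
        /hashed identity key fingerprint/ { hashed = 1 }
        /Self-testing indicates your ORPort is reachable/ { reach = 1 }
        END {
            print "obfs4_port=" (port == "" ? "none" : port)
            print "bridge_fingerprint_logged=" (hashed ? "yes" : "no")
            print "orport_reachable=" (reach ? "yes" : "no")
            exit ((port != "" && hashed && reach) ? 0 : 1)
        }'
}

# Stand-alone demo on the constructed sample.
sample_log | bridge_log_status
```

A non-zero exit status means at least one of the three confirmations is missing from the log text that was piped in.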
After restarting Tor, you can perform a TCP reachability test with your IP and your OBFS4Port by yourself. After about 3 hours, you can monitor your obfs4 bridge relay on Tor Metrics by searching for your fingerprint. However, it can take several days or weeks until you see an advertised bandwidth and a consistent set of users. Don’t get discouraged if you don’t see user connections right away (see also here for more details). For the necessary values, check menu entries 3 and 5.
Important: Changing the connection settings in the main menu, activating bridge mode, or resetting Tor deactivates the bridge relay mode automatically. However, all the configurations are saved so that it is easy to restart the bridge relay mode again (menu entry 2 and then menu entry 7).
In the following, we look at all menu entries one by one:
- Menu entry 1: Run a Tor Bridge Relay – Read Me First: This brief introduction is intended to help new users, in particular, to understand and to simplify the setup of a bridge relay within TorBox. It is a summary of what has been written above.
- Menu entry 2: Toggle Bridge Relay Mode: You can switch the bridge relay mode either on or off. Before you toggle the bridge relay mode from off to on, you should check and/or change the configuration (menu entry 3).
- Menu entry 3: Check and/or change the configuration: You can only change the configuration when the bridge relay mode is off. Otherwise, you see only the currently active configuration (see image below). If the bridge relay mode is off, then you can change the following settings:
  - ORPort: This port must be externally reachable. Avoid port 9001 because it’s commonly associated with Tor, and censors may be scanning the internet for this port. The default is 4235.
  - OBFS4Port: This port must be externally reachable and must be different from the one specified for ORPort. Avoid port 9001 because it’s commonly associated with Tor, and censors may be scanning the internet for this port. Good port numbers are 80 and 443. The default is 443.
  - Contact Email: You should add a contact email, so the people from the Tor Project can contact you if there are problems with your bridge. This is optional but encouraged. The default is <[email protected]>.
  - Nickname: Pick a nickname that you like for your bridge. This is optional. The default is “TorBox025”; however, you can let the entry stay blank.
- Menu entry 4: Reset configuration to default: Does what it says.
- Menu entry 5: Show me my personal bridge address: Does what it says. You can copy the address, give it to a friend in need, and/or use it with another TorBox or with the TorBrowser (see image below) if you are in a country with internet censorship.
- Menu entry 6: Enter the advanced configuration editor: This loads the Tor configuration file into a text editor. You should know what you are doing before you change anything in the configuration file — here, you can break your TorBox. If you are unsure, then contact us: [email protected]. Did you do something wrong? You can always overwrite this configuration with the default one, stored in ~/torbox/etc/tor/. After changing the configuration, use the following commands in the editor: CTRL-O followed by ENTER to save the changes, then CTRL-X to exit the editor.
- Menu entry 7: Restart Tor – check if it is working: Toggling the bridge relay mode on doesn’t restart Tor. You have to restart Tor with that menu entry — that’s the final step. In contrast, if you toggle the bridge relay mode off, we directly restart Tor. In both cases, please be patient! It can take up to 5 minutes for Tor to be ready for connections.
- Menu entry 8: Show the Tor log file: Does what it says: shows the log file. Press CTRL-C to leave the log.
- Menu entry 9: Please support the Tor Project!: Here you can find additional suggestions on how you can support the Tor Project.
- Menu entry 10: How can I help with TorBox?: We also can use a little bit of support. We are especially interested in your feedback.
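The port rules listed under menu entry 3 (both ports set, ORPort and OBFS4Port different, neither on 9001) can be checked against a Tor configuration before bridge relay mode is switched on. This is an added example, not TorBox code: the function names are hypothetical, the torrc excerpt is constructed from the page's defaults, and it assumes the obfs4 port is written with the standard `ServerTransportListenAddr` directive.

```shell
#!/bin/sh
# Added example, not TorBox code. Constructed torrc excerpt using the defaults
# named on this page; the directives are standard Tor options, but that TorBox
# writes exactly these lines (and this obfs4proxy path) is an assumption.
sample_torrc() {
cat <<'EOF'
BridgeRelay 1
ORPort 4235
ExtORPort auto
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:443
ContactInfo <your contact email>
Nickname TorBox025
EOF
}

# Reads torrc text on stdin, prints findings, returns non-zero on a violation.
check_bridge_ports() {
    awk '
        # Tor option names are case-insensitive; commented lines never match.
        # An address prefix such as 0.0.0.0: or [::]: is stripped from the port.
        tolower($1) == "orport" { p = $2; sub(/.*:/, "", p); orport = p }
        tolower($1) == "servertransportlistenaddr" && $2 == "obfs4" {
            p = $3; sub(/.*:/, "", p); obfs4 = p
        }
        END {
            if (orport == "") { print "ORPort is not set"; bad = 1 }
            if (obfs4 == "")  { print "obfs4 listen address is not set"; bad = 1 }
            if (orport != "" && orport == obfs4) {
                print "ORPort and obfs4 port must differ (both " orport ")"; bad = 1
            }
            if (orport == "9001" || obfs4 == "9001") {
                print "port 9001 is commonly associated with Tor; pick another"; bad = 1
            }
            if (!bad) print "ok: ORPort=" orport " obfs4=" obfs4
            exit bad + 0
        }'
}

# Stand-alone demo on the constructed excerpt.
sample_torrc | check_bridge_ports
```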
• • •
Problems and questions
- When I’m connected with TorBox and use the Tor Browser on one of the clients, isn’t that a risk for my security/anonymity? –> see here.