Now that we have a Tor bridge running (previous guide), we might want to obfuscate the traffic to look more like normal HTTPS traffic. This is useful for censorship circumvention or if you simply don’t want “spies” knowing that you are using Tor.

This guide assumes you are running Debian or Ubuntu but you can adapt what you learn here to use in other distros.

This guide also assumes you read my previous guide on how to set up a Tor bridge!

Installing and setting up obfs4proxy

To be able to obfuscate the traffic, we are going to install obfs4 proxy which is as the name says, a proxy server using the obfs4 protocol.

sudo apt install obfs4proxy

Now we’re going to edit /etc/tor/torrc and add the following lines:

ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:443
ExtORPort auto

While 443 is the recommended port, it might already be in use for HTTPS in which case you should use another common port like one used for encrypted email transfer. Note that using any port below 1024 will need further setup due to security restrictions.

Allowing ports below 1024

As stated above, using any port below 1024 will need further setup. First run the following command:

sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy

Now edit the files /lib/systemd/system/[email protected] and /lib/systemd/system/[email protected] and in both files change NoNewPrivileges=yes to NoNewPrivileges=no and then execute systemctl daemon-reload to apply the changes.

[UPDATE]

It can happen, that during an update, the Tor service files will be overwritten and the modifications thus removed. This will result in the proxy not functioning on the desired port anymore (if below 1024). This can be fixed by marking the service files as immutable after modification, like this:

sudo chattr +i /lib/systemd/system/[email protected]
sudo chattr +i /lib/systemd/system/[email protected]

UPDATE 2020-11-23

Editing the service file is bad for two reasons: If you edit it directly and don’t protect it, changes will be lost on updates. If you edit it and protect it, it won’t be able to update.

So instead, try creating an override for each with:

systemctl edit [email protected]
systemctl edit [email protected]

And in each editor that appears, you’ll want to fill in this:

[Service]
NoNewPrivileges=no

This way, that part of the original service file should always be overriden without “tampering” with the original file, without losing changes and without blocking updates!

Note that the original, ugly method, was copied from the Tor documentation. So, it wasn’t me! :^)

Restarting Tor and testing

Now simply restart Tor with systemctl restart tor and wait for it to start up. Running netstat -tlpn will show if obfs4proxy is up and running at the desired port. Remember to allow the desired obfs4proxy port in your firewall!

Using the bridge

To use the bridge you need to know your bridge line which is formatted like the following:

Bridge obfs4 IP:PORT FINGERPRINT cert=CERTIFICATE iat-mode=0

To get the fingerprint, as discussed in my previous guide, simply run cat /var/lib/tor/fingerprint and use the hexadecimal encoded fingerprint at the end of the line. To get the certificate and overall bridge line, run cat /var/lib/tor/pt_state/obfs4_bridgeline.txt which will output the line you will have to copy and edit to replace IP address, port and fingerprint.

Your final bridge line to use in Tor Browser might look like:

Bridge obfs4 1.2.3.4:443 0F00ABC123 cert=raNdomStufFinbAse64+/fOobAR iat-mode=0

In Tor Browser, update the bridge line we used in my previous guide, with the new line. Make sure the line really does start with “Bridge obfs4” or it won’t work!

Conclusion

It’s easy to extend our Tor bridge to add obfuscation which is recommended so that spying eyes won’t know you are using Tor, which can help to circumvent censorship or simply not get attention. ;)

Check my previous guide to see how to set all of this up from scratch

My previous guide on how to set up a Tor bridge