1. Enable Automatic Software Updates
One of the most important things to keep your relay secure is to install security updates timely and ideally automatically so you can not forget about it.
Follow the instructions to enable automatic software updates for your operating system.
2. Configure Tor Project's Repository
Configuring the Tor Project's package repository for Debian/Ubuntu is recommended and documented on Support portal. Please follow those instructions before proceeding.
Note: Ubuntu users need to get Tor from the Tor Project's repository.
3. Install Tor
Ensure you update the packages database before installing the package, than call apt
to install it:
# apt update
# apt install tor
4. Install obfs4proxy
On Debian, the latest version obfs4proxy
package is available in stable-backports. By default, backports packages are not installed, so to install the latest version of obfs4proxy
you need to use the following command sudo apt install -t bullseye-backports obfs4proxy
or to pin the package with a config similar to this one that you will place in /etc/apt/preferences.d/obfs4proxy.pref
.
Explanation: tor meta, always run latest version of obfs4proxy
Package: obfs4proxy
Pin: release a=bullseye-backports
Pin-Priority: 500
On Ubuntu, bionic, cosmic, disco, eoan, and focal have the package. If you're running any of them, sudo apt-get install obfs4proxy
should work.
If not, you can build it from source.
5. Edit your Tor config file, usually located at /etc/tor/torrc
and replace its content with:
BridgeRelay 1
# Replace "TODO1" with a Tor port of your choice.
# This port must be externally reachable.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ORPort TODO1
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
# Replace "TODO2" with an obfs4 port of your choice.
# This port must be externally reachable and must be different from the one specified for ORPort.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ServerTransportListenAddr obfs4 0.0.0.0:TODO2
# Local communication port between Tor and obfs4. Always set this to "auto".
# "Ext" means "extended", not "external". Don't try to set a specific port number, nor listen on 0.0.0.0.
ExtORPort auto
# Replace "<address@email.com>" with your email address so we can contact you if there are problems with your bridge.
# This is optional but encouraged.
ContactInfo <address@email.com>
# Pick a nickname that you like for your bridge. This is optional.
Nickname PickANickname
Don't forget to change the ORPort
, ServerTransportListenAddr
, ContactInfo
, and Nickname
options.
Note that both Tor's OR port and its obfs4 port must be reachable. If your bridge is behind a firewall or NAT, make sure to open both ports. You can use our reachability test to see if your obfs4 port is reachable from the Internet.
(Optional) Configure systemd to allow obfs4 binding on privileged ports
If you decide to use a fixed obfs4 port smaller than 1024 (for example 80 or 443), you will need to configure systemd and give obfs4 CAP_NET_BIND_SERVICE
capabilities to bind the port with a non-root user:
sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy
To work around systemd hardening, you will also need to edit and change the configuration.
Run the command:
sudo systemctl edit tor@.service tor@default.service
In the editor, enter the following text, then save and quit.
[Service]
NoNewPrivileges=no
In the second editor that appears, enter the same text, then save and quit.
[Service]
NoNewPrivileges=no
If everything worked correctly, you will now have two files /etc/systemd/system/tor@.service.d/override.conf
and /etc/systemd/system/tor@default.service.d/override.conf
containing the text you entered.
Now restart tor service:
sudo service tor restart
There is no need to run systemctl daemon-reload
because systemctl edit
does it automatically.
For more details, see ticket 18356.
6. Restart Tor
Enable and Start tor
:
# systemctl enable --now tor.service
Or restart it if it was running already, so configurations take effect:
# systemctl restart tor.service
7. Monitor your logs
To confirm your bridge is running with no issues, you should see something like this (usually in /var/log/syslog
or run # journalctl -e -u tor@default
):
[notice] Your Tor server's identity key fingerprint is '<NICKNAME> <FINGERPRINT>'
[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME> <HASHED FINGERPRINT>'
[notice] Registered server transport 'obfs4' at '[::]:46396'
[notice] Tor has successfully opened a circuit. Looks like client functionality is working.
[notice] Bootstrapped 100%: Done
[notice] Now checking whether ORPort <redacted>:3818 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
8. Final Notes
If you are having trouble setting up your bridge, have a look at our help section.
If your bridge is now running, check out the post-install notes.