The Tor BSD Diversity Project


Testing obfs4proxy on FreeBSD and OpenBSD

467 words by gman999, written on 2017-08-08, last edit: 2017-09-03, tags: freebsd, openbsd, pt, tbb, tor

UPDATE 20170810: both ports are ready for more testing, and the OpenBSD obfs4 and the two dependencies were submitted for the ports system.

UPDATE 20170809: as per Yawning’s ticket we’re in the process of updating and testing both ports.

The Tor Project’s Pluggable Transports are a mitigation measure against deep-packet inspection, a.k.a. DPI. Commonly deployed on Tor bridges, obfs4proxy is the most common PT in use.

There is currently no official FreeBSD or OpenBSD support for obfs4, which means that the operating system diversity of obfs4proxy providers is dismal.

TDP is working to change that.

While our Tor Browser for OpenBSD doesn’t yet support PTs on the client side, we’ve made some significant steps recently.

Vinicius built security/obfs4proxy for FreeBSD with the two previously unported dependencies, security/go-ed25519 and security/go-siphash.

We also have net/obfs4proxy for OpenBSD -current, ready for testing. It seems to also build fine on -stable.

Within our openbsd-ports project resides net/obfs4proxy, along with the required and unofficially ported devel/go-goptlib, security/go-ed25519 and security/go-siphash.

What can you do?

If you’re running a FreeBSD or OpenBSD -current Tor bridge, grab the source and build it. In the case of OpenBSD, it must be either i386 or amd64 at the moment (the Go compiler does not yet support non-x86 architectures).

Adding obfs4proxy support to a Tor bridge is easy, with the addition of a single line:

ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy managed

Additional options that control logging are available; read the man page for more details. The author’s own README is also recommended reading.

With info-level logging enabled, the log, which resides in the Tor data directory at pt_state/obfs4proxy.log, should show something like this:

2017/08/05 18:03:29 [NOTICE]: obfs4proxy-0.0.7 - launched
2017/08/05 18:03:29 [INFO]: obfs4proxy - initializing server transport listeners
2017/08/05 18:03:29 [INFO]: obfs4 - registered listener: [scrubbed]:35549
2017/08/05 18:03:29 [INFO]: obfs4proxy - accepting connections

Feedback, comments and patches are appreciated, preferably as a GitHub issue for FreeBSD or OpenBSD.

Both will be submitted to the respective ports trees.

A final general note on obfs4proxy. For obvious obfuscation purposes, the TCP port obfs4 listens on is randomized, although the same port will be used between restarts. That causes an issue for anyone running a bridge on a residential connection, where some form of port forwarding by port and protocol is necessary.

There is a simple workaround for that problem in the torrc file. Add the following line with the preferred TCP port, which gives a long-term setting for the necessary port forward:

ServerTransportListenAddr obfs4 0.0.0.0:$preferred_port
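
As an added example (not code from the original post or from the obfs4proxy project), the shell functions below check that torrc carries the plugin line, that the obfs4 port is pinned in Tor's `ServerTransportListenAddr obfs4 ADDR:PORT` form, and that the port reported in obfs4proxy.log matches it, which is what a port forward depends on. The function names and the sample files written by `make_sample` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that torrc pins the obfs4
# port and that obfs4proxy.log shows the transport listening on that port.
# Assumes option names are written in their canonical case.

# Print the port pinned by "ServerTransportListenAddr obfs4 ADDR:PORT", if any.
configured_port() {
    awk '$1 == "ServerTransportListenAddr" && $2 == "obfs4" {
             n = split($3, a, ":"); port = a[n] }
         END { if (port != "") print port }' "$1"
}

# Print the port from the most recent "registered listener" log line.
logged_port() {
    sed -n 's/.*\[INFO\]: obfs4 - registered listener: .*:\([0-9][0-9]*\)$/\1/p' "$1" |
        tail -n 1
}

# Return status: 0 ok, 1 no plugin line, 2 port not pinned, 3 not accepting
# connections, 4 log and torrc disagree.
check_bridge() {
    torrc=$1; log=$2
    grep -Eq '^[[:space:]]*ServerTransportPlugin[[:space:]]+obfs4[[:space:]]+exec[[:space:]]' "$torrc" ||
        { echo "no ServerTransportPlugin obfs4 line"; return 1; }
    want=$(configured_port "$torrc")
    [ -n "$want" ] || { echo "obfs4 port not pinned (randomly chosen)"; return 2; }
    grep -q 'obfs4proxy - accepting connections' "$log" ||
        { echo "obfs4proxy never reached accepting connections"; return 3; }
    got=$(logged_port "$log")
    [ "$got" = "$want" ] || { echo "log port '$got' != torrc port '$want'"; return 4; }
    echo "obfs4 listening on pinned port $want"
}

# Constructed sample files (log format copied from the excerpt in the post).
# $1 = directory, $2 = port shown in the log, $3 = optional extra torrc line.
make_sample() {
    printf '%s\n' 'BridgeRelay 1' \
        'ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy managed' \
        "$3" > "$1/torrc"
    printf '%s\n' '2017/08/05 18:03:29 [NOTICE]: obfs4proxy-0.0.7 - launched' \
        "2017/08/05 18:03:29 [INFO]: obfs4 - registered listener: [scrubbed]:$2" \
        '2017/08/05 18:03:29 [INFO]: obfs4proxy - accepting connections' > "$1/obfs4proxy.log"
}

# Run as a script: sh thisfile TORRC LOG
if [ "$#" -eq 2 ]; then check_bridge "$1" "$2"; fi
```

Point it at the bridge's torrc and at pt_state/obfs4proxy.log in the Tor data directory; a return status of 2 means the port forward is still relying on the randomly chosen port.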

Copyright © 2015–2017 by The Tor BSD Diversity Project (TDP). All Rights Reserved.