4
Personal words (../../)/ posts (../)/ Beating Tor blockade in Syria by setting up an Obfsproxy-enabled Tor bridge Tor is now blocked in Syria Several reports (https://twitter.com/dlshadothman/status /280415764664680448) showed that Syria now blocks Tor, including connections to non-public bridges. This means that the blockade is most probably achieved using Deep Packet Inspection (DPI (https://en.wikipedia.org/wiki/Deep_packet_inspection)) techniques, probably in the same way as Iran tries to block Tor. It has been reported to us that connection difficulties have increased since the 2-days blackout (http://www.cert.at/services/blog/20121129184048-616.html) a couple of weeks ago. This leads me to think that the blackout was a deliberate maintenance operation designed to setup new monitoring and censorship equipment. This is an increase in the regime censorship, after blocking the OpenVPN protocol (http://bluecabinet.info/wiki/Blue_cabinet/Fortinet/Syria) that is used among others by the well-known HotSpotShield provider as well as on some Telecomix/World Neighborhood servers (but don't worry, our cryptoporn tunnels beat that). Syrian insiders can however still configure their Tor installation to connect to bridges equipped with Obfsproxy in order to keep Tor working. They need to know a couple of such bridges and follow these easy instructions (https://www.torproject.org/projects/obfsproxy.html.en). Server administrators may give a hand to the effort by setting up Obfsproxy- equipped bridges. This page is intended as a quick tutorial for administrators who want their bridge to be at the same time a classical one (connection without Obfsproxy) and an Obfsproxy-enabled one. The idea is to open new ports on which Obfsproxy will listen and forward connections to Tor, and to leave unchanged the ports already opened by the Tor bridge. The current Tor bridge configuration is left untouched, we will just run Obfsproxy to listen on new ports. Installing Obfsproxy Install the required dependencies to build Obfsproxy, as listed on the installation instructions (https://www.torproject.org/projects/obfsproxy- instructions.html.en). Get a copy of the Obfsproxy sourcecode: Beating Tor blockade in Syria by setting up an Obfsprox... https://words.ceops.eu/posts/Beating Tor blockade in Syr... 1 de 4 30/04/13 04:00

obfsproxy

Embed Size (px)

Citation preview

Page 1: obfsproxy

Personal words (../../)/ posts (../)/

Beating Tor blockade in

Syria by setting up an

Obfsproxy-enabled Tor

bridge

Tor is now blocked in Syria

Several reports (https://twitter.com/dlshadothman/status

/280415764664680448) showed that Syria now blocks Tor, including

connections to non-public bridges. This means that the blockade is most

probably achieved using Deep Packet Inspection (DPI

(https://en.wikipedia.org/wiki/Deep_packet_inspection)) techniques, probably

in the same way as Iran tries to block Tor. It has been reported to us that

connection difficulties have increased since the 2-days blackout

(http://www.cert.at/services/blog/20121129184048-616.html) a couple of

weeks ago. This leads me to think that the blackout was a deliberate

maintenance operation designed to setup new monitoring and censorship

equipment. This is an increase in the regime censorship, after blocking the

OpenVPN protocol (http://bluecabinet.info/wiki/Blue_cabinet/Fortinet/Syria)

that is used among others by the well-known HotSpotShield provider as well

as on some Telecomix/World Neighborhood servers (but don't worry, our

cryptoporn tunnels beat that).

Syrian insiders can however still configure their Tor installation to

connect to bridges equipped with Obfsproxy in order to keep Tor

working. They need to know a couple of such bridges and follow these easy

instructions (https://www.torproject.org/projects/obfsproxy.html.en).

Server administrators may give a hand to the effort by setting up Obfsproxy-

equipped bridges. This page is intended as a quick tutorial for administrators

who want their bridge to be at the same time a classical one (connection

without Obfsproxy) and an Obfsproxy-enabled one. The idea is to open new

ports on which Obfsproxy will listen and forward connections to Tor, and to

leave unchanged the ports already opened by the Tor bridge.

The current Tor bridge configuration is left untouched, we will just run

Obfsproxy to listen on new ports.

Installing Obfsproxy

Install the required dependencies to build Obfsproxy, as listed on the

installation instructions (https://www.torproject.org/projects/obfsproxy-

instructions.html.en).

Get a copy of the Obfsproxy sourcecode:

Beating Tor blockade in Syria by setting up an Obfsprox... https://words.ceops.eu/posts/Beating Tor blockade in Syr...

1 de 4 30/04/13 04:00

Page 2: obfsproxy

git clone https://git.torproject.org/obfsproxy.git

Go into the newly created obfsproxy directory and compile Obfsproxy:

./autogen.sh && ./configure && make

If everything goes well, it will create a binary called obfsproxy in the current

directory: Obfsproxy is compiled and ready to use. You can optionally install

the binary system-wide by issuing, as root:

make install

Running Obfsproxy

As an example, let us assume that your Tor bridge is already listening on IP

123.45.67.89, port 1234. Indeed, replace those values by the IP and port of

your own network interface on which your Tor bridge is already listening.

We want Obfsproxy to listen on port 45678 and forward connections to our

Tor bridge. Thanks to this, clients will be able to obfuscate their Tor traffic

through the Obfsproxy client which connects to the Obfsproxy server you are

going to setup.

Simply run the following command to have obfsproxy listening on the right

port and forwarding connections to your Tor bridge:

obfsproxy obfs2 --dest=123.45.67.89:1234 server 123.45.67.89:45

678

This commands starts Obfsproxy and gives it the following instructions:

the first parameter, obfs2, is the name of the obfuscation protocol that

we want to use on the server and that the clients connecting to us must

use as well - obfs2 is the only included with Obfsproxy at the moment,

and running Obfsproxy without argument will give you a list of available

protocols;

--dest=123.45.67.89:1234 is an option for the obfs2 protocol which

specifies that each new connection (and subsequent communication)

should be forwared to this IP and port once it has been de-obfuscated;

server 123.45.67.89:45678 tells Obfsproxy to listen for incoming

connections on IP 123.45.67.89, port 45678.

In short, Obfsproxy will accept connections on IP 123.45.67.89, port 45678,

and will expect a stream from the client that respects the obfs2 obfuscation

protocol. If it is the case, it will trigger a connection on 123.45.67.89 port

1234, where the Tor bridge is listening. Traffic from the client will be

de-obfuscated and forwarded to the Tor bridge. Symetrically, traffic from the

Tor bridge will be obfuscated before being sent to the client.

To open more than one port with Obfsproxy, you don't need to run it several

times, just activate obfs2 as many times as needed, with one new port each

Beating Tor blockade in Syria by setting up an Obfsprox... https://words.ceops.eu/posts/Beating Tor blockade in Syr...

2 de 4 30/04/13 04:00

Page 3: obfsproxy

time:

obfsproxy obfs2 --dest=123.45.67.89:1234 server 123.45.67.89:45

678 \

obfs2 --dest=123.45.67.89:1234 server 123.45.67.89:44000 \

obfs2 --dest=123.45.67.89:1234 server 123.45.67.89:44001

This command additionally tells obfsproxy to accept connections on ports

44000 and 44001 and forward them to the Tor bridge.

Here is a simple script if you want to open many ports and avoid typing the

full command:

#!/bin/sh

# Public IP address we listen on (both Tor and Obfsproxy)

host=123.45.67.89

# Ports that Obfsproxy should open

ports="7007 10001 43657 54675 2378 9990 8881"

# What port our Tor bridge listens on

tor_port=1234

command="$(which obfsproxy) "

for port in $ports; do

command="$command obfs2 --dest=$host:$tor_port server $host

:$port"

done

echo Running command: $command

$command

Your bridge is ready to be used through Obfsproxy!

Advertising your Bridge

Tor bridges are by definition not made public by Tor, as opposed to relays.

Hence, a Tor bridge has to be communicated by hand to people in order to

be useful.

You may give the IP and port of your bridge to trusted contacts of your own

in order to help them. You may publish them anywhere, but if censors find

out, they might block your bridge's IP.

We are setting up a few bridges, that can be requested from our IRC

(https://chat.wnh.me), with a particular focus on Syrian insiders. You are

welcome to tell us about yours so that we can add it to our list.

Tags: bridge (../../tags/bridge/) iran (../../tags/iran/) obfsproxy (../..

Beating Tor blockade in Syria by setting up an Obfsprox... https://words.ceops.eu/posts/Beating Tor blockade in Syr...

3 de 4 30/04/13 04:00

Page 4: obfsproxy

/tags/obfsproxy/) syria (../../tags/syria/) tor (../../tags/tor/)

Last edited 2013-03-09 20:09 +0100

Beating Tor blockade in Syria by setting up an Obfsprox... https://words.ceops.eu/posts/Beating Tor blockade in Syr...

4 de 4 30/04/13 04:00


Do you admire Leonardo da Vinci?

Do you admire Leonardo da Vinci?

Documents
Plato - Symposium

Plato - Symposium

Documents
Compressing And Decompressing Folders

Compressing And Decompressing Folders

Documents
Star Wars Trivia!

Star Wars Trivia!

Documents
European Colinization of Latin America

European Colinization of Latin America

Documents
Chapter 24

Chapter 24

Documents
Who Killed God

Who Killed God

Documents
Star Wars Original Trilogy Trivia (Episodes IV-VI)

Star Wars Original Trilogy Trivia (Episodes IV-VI)

Documents
18 Tricks to Teach Your Body

18 Tricks to Teach Your Body

Documents
xCDC14a

xCDC14a

Documents
Bhagavad Gita

Bhagavad Gita

Documents
United States Constitution

United States Constitution

Documents
Basic Buffer Overflows Explained

Basic Buffer Overflows Explained

Documents
The Last Carnival I Ever Saw

The Last Carnival I Ever Saw

Documents
Improve the Color Quality Of Your Monitor

Improve the Color Quality Of Your Monitor

Documents
Aesops Fables

Aesops Fables

Documents
How Computer Keyboards Work

How Computer Keyboards Work

Documents
The Best American Humorous Short Stories

The Best American Humorous Short Stories

Documents
Explore The Levels of Creation

Explore The Levels of Creation

Documents
Rubik's cube solution

Rubik's cube solution

Documents
Acetone Peroxide

Acetone Peroxide

Documents
Venture Capital

Venture Capital

Documents
Jan Van Eyck and the Man In A Red Turban

Jan Van Eyck and the Man In A Red Turban

Documents
Tragic Heroes

Tragic Heroes

Documents
Algorithms

Algorithms

Documents
Effective Parenting: Establishing Boundaries

Effective Parenting: Establishing Boundaries

Documents
I Am a Holocaust Denier and I Am Unafraid

I Am a Holocaust Denier and I Am Unafraid

Documents
Physical Modelling Synthesis Overview

Physical Modelling Synthesis Overview

Documents
One Flew Over the Cuckoo's Nest

One Flew Over the Cuckoo's Nest

Documents
Barclays1

Barclays1

Documents