Beating Tor blockade in Syria by setting up an Obfsprox...

https://words.ceops.eu/posts/Beating Tor blockade in Syr...

Personal words (../../)/ posts (../)/

Beating Tor blockade in Syria by setting up an Obfsproxy-enabled Tor bridge

Tor is now blocked in Syria
Several reports (https://twitter.com/dlshadothman/status /280415764664680448) showed that Syria now blocks Tor, including connections to non-public bridges. This means that the blockade is most probably achieved using Deep Packet Inspection (DPI (https://en.wikipedia.org/wiki/Deep_packet_inspection)) techniques, probably in the same way as Iran tries to block Tor. It has been reported to us that connection difficulties have increased since the 2-days blackout (http://www.cert.at/services/blog/20121129184048-616.html) a couple of weeks ago. This leads me to think that the blackout was a deliberate maintenance operation designed to setup new monitoring and censorship equipment. This is an increase in the regime censorship, after blocking the OpenVPN protocol (http://bluecabinet.info/wiki/Blue_cabinet/Fortinet/Syria) that is used among others by the well-known HotSpotShield provider as well as on some Telecomix/World Neighborhood servers (but don't worry, our cryptoporn tunnels beat that). Syrian insiders can however still configure their Tor installation to connect to bridges equipped with Obfsproxy in order to keep Tor working. They need to know a couple of such bridges and follow these easy instructions (https://www.torproject.org/projects/obfsproxy.html.en). Server administrators may give a hand to the effort by setting up Obfsproxyequipped bridges. This page is intended as a quick tutorial for administrators who want their bridge to be at the same time a classical one (connection without Obfsproxy) and an Obfsproxy-enabled one. The idea is to open new ports on which Obfsproxy will listen and forward connections to Tor, and to leave unchanged the ports already opened by the Tor bridge. The current Tor bridge configuration is left untouched, we will just run Obfsproxy to listen on new ports.

Installing Obfsproxy
Install the required dependencies to build Obfsproxy, as listed on the installation instructions (https://www.torproject.org/projects/obfsproxyinstructions.html.en). Get a copy of the Obfsproxy sourcecode:
1 de 4 30/04/13 04:00

Beating Tor blockade in Syria by setting up an Obfsprox...

git clone https://git.torproject.org/obfsproxy.git

https://words.ceops.eu/posts/Beating Tor blockade in Syr...

Go into the newly created obfsproxy directory and compile Obfsproxy:

./autogen.sh && ./configure && make

If everything goes well, it will create a binary called obfsproxy in the current directory: Obfsproxy is compiled and ready to use. You can optionally install the binary system-wide by issuing, as root:
make install

Running Obfsproxy
As an example, let us assume that your Tor bridge is already listening on IP 123.45.67.89, port 1234. Indeed, replace those values by the IP and port of your own network interface on which your Tor bridge is already listening. We want Obfsproxy to listen on port 45678 and forward connections to our Tor bridge. Thanks to this, clients will be able to obfuscate their Tor traffic through the Obfsproxy client which connects to the Obfsproxy server you are going to setup. Simply run the following command to have obfsproxy listening on the right port and forwarding connections to your Tor bridge:
obfsproxy obfs2 --dest=123.45.67.89:1234 server 123.45.67.89:45 678

This commands starts Obfsproxy and gives it the following instructions: the first parameter, obfs2, is the name of the obfuscation protocol that we want to use on the server and that the clients connecting to us must use as well - obfs2 is the only included with Obfsproxy at the moment, and running Obfsproxy without argument will give you a list of available protocols; --dest=123.45.67.89:1234 is an option for the obfs2 protocol which specifies that each new connection (and subsequent communication) should be forwared to this IP and port once it has been de-obfuscated; server 123.45.67.89:45678 tells Obfsproxy to listen for incoming connections on IP 123.45.67.89, port 45678. In short, Obfsproxy will accept connections on IP 123.45.67.89, port 45678, and will expect a stream from the client that respects the obfs2 obfuscation protocol. If it is the case, it will trigger a connection on 123.45.67.89 port 1234, where the Tor bridge is listening. Traffic from the client will be de-obfuscated and forwarded to the Tor bridge. Symetrically, traffic from the Tor bridge will be obfuscated before being sent to the client. To open more than one port with Obfsproxy, you don't need to run it several times, just activate obfs2 as many times as needed, with one new port each
2 de 4 30/04/13 04:00

Beating Tor blockade in Syria by setting up an Obfsprox...

https://words.ceops.eu/posts/Beating Tor blockade in Syr...

time:
obfsproxy obfs2 --dest=123.45.67.89:1234 server 123.45.67.89:45 678 \ obfs2 --dest=123.45.67.89:1234 server 123.45.67.89:44000 \ obfs2 --dest=123.45.67.89:1234 server 123.45.67.89:44001

This command additionally tells obfsproxy to accept connections on ports 44000 and 44001 and forward them to the Tor bridge. Here is a simple script if you want to open many ports and avoid typing the full command:
#!/bin/sh # Public IP address we listen on (both Tor and Obfsproxy) host=123.45.67.89 # Ports that Obfsproxy should open ports="7007 10001 43657 54675 2378 9990 8881" # What port our Tor bridge listens on tor_port=1234 command="$(which obfsproxy) " for port in $ports; do command="$command obfs2 --dest=$host:$tor_port server $host :$port" done echo Running command: $command $command

Your bridge is ready to be used through Obfsproxy!

Advertising your Bridge

Tor bridges are by definition not made public by Tor, as opposed to relays. Hence, a Tor bridge has to be communicated by hand to people in order to be useful. You may give the IP and port of your bridge to trusted contacts of your own in order to help them. You may publish them anywhere, but if censors find out, they might block your bridge's IP. We are setting up a few bridges, that can be requested from our IRC (https://chat.wnh.me), with a particular focus on Syrian insiders. You are welcome to tell us about yours so that we can add it to our list. Tags: bridge (../../tags/bridge/) iran (../../tags/iran/) obfsproxy (../..
3 de 4 30/04/13 04:00

Beating Tor blockade in Syria by setting up an Obfsprox...

https://words.ceops.eu/posts/Beating Tor blockade in Syr...

/tags/obfsproxy/) syria (../../tags/syria/) tor (../../tags/tor/) Last edited 2013-03-09 20:09 +0100

4 de 4

30/04/13 04:00