I've setup various Tor related bridge formats in a series of beta tests with another Tor hidden node anonymous file sharing application some years ago. At that time (pre-Russian-Ukraine) conflict, I was focused on users in China being able to ease around the Great China Firewall Wall using a bridged Tor connection. I found the maze of Amazon servers used by the Meek bridge worked well.
What is needed is the clearly understood path used by DarkMX's default Tor folder. Lacking that, the user would need to create a tor folder then instruct tor where the customized torrc file is upon opening the tor router. In 'that' folder the bridge binarys you wish to use are placed into that folder. DarkMX developers or a talented DarkMX user could merely copy them from the tor browser over to your Tor folder.
The torrc file must be rewritten to use the supported bridge you want and have the binary in place to use. If the tor folder is moved to a user location folder they must use the -f flag to instruct the tor binary to look at a path link to locate and use a specific torrc file therein. Example ./tor -f /home/name/tor-9058/torrc
These are my linux based field nodes that I have only slightly edited (removing the name of that other decentralized file sharing application) to provide a view on adding built in DarkMX support for tor bridges.
Tor Bridges to the Tor Network, why, con's, pro's, what and the how on Tor Bridges.
References
https://www.torproject.org/docs/bridges
https://bridges.torproject.org/ <-- Public Database list of active bridges
https://bridges.torproject.org/bridges <-- Several active Tor Bridges you can use
bridges@torproject.org <-- Email bridges with a message in the email body stating "get bridges" without the quotes and that email request must be from Riseup, Gmail or Yahoo.
bridges@bridges.torproject.org with a message in the body saying “get bridges” without the quotes and that email request must be from Riseup, Gmail or Yahoo.
Often Tor Bridges are used when a ISP or Nation they are located in blocks a direct connection to the Tor Network. Tor bridges, also called Tor bridge relays, are alternative entry points to the Tor network that are not all listed publicly. Using a bridge makes it harder, but not impossible, for your Internet Service Provider to know that you are using Tor.
Con's
While bridges are a good idea, unfortunately they may not be enough. According to Jacob Applebaum, (a tor developer) bridge traffic is still vulnerable to something called DPI (deep packet inspection) to identify internet traffic flows by protocol, in other words they can tell you are using tor by analyzing the traffic.
While tor uses bridge relays to get around a censor that blocks by IP address, the censor can use DPI (deep packet inspection tools) to recognize and filter tor traffic flows even when they connect to unexpected IP addresses. This is less likely to be done by your ISP, and more likely to be done by the NSA, or other oppressive governments like in China and Iran, so you can choose if this is an issue for you.
Pro's
Many Tor Bridges appear to ISP as one of millions of normal data connections from peer to another peer or server. The only way the ISP to remotely discern you are in fact connecting to the Tor Network would be a individual deep packet inspection that would likely show several of your datastream http headers are stripped by going through an elite (series) of anonymous proxys.
To circumvent such heavy handed gestapo like censorship, Tor introduced obfuscated bridges. These bridges use special plugins called pluggable transports which obfuscate the traffic flow of Tor, making its detection far more difficult and harder.
References
https://www.torproject.org/docs/bridges#PluggableTransports
https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/blob/HEAD:/doc/obfs3/obfs3-protocol-spec.tx
https://gitweb.torproject.org/pluggable-transports/obfs4.git/
https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/list
Types, description
.
obfs4
Description: Is a transport with the same features as ScrambleSuit but utilizing Dan Bernstein's elligator2 technique for public key obfuscation, and the ntor protocol for one-way authentication. This results in a faster protocol and transforms the data traffic to look like random noise on a VOIP connection.
Language: Go
Maintainer: Yawning Angel
Obs4 Evaluation
https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/Obfs4Evaluation
.
meek
Description: Is a transport that uses HTTP for carrying bytes and TLS for obfuscation. Traffic is relayed through a third-party server (Google App Engine). It uses a trick to talk to the third party so that it looks like it is talking to an unblocked server.
Language: Go
Maintainer: David Fifield
meek Evaluation
https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/MeekEvaluation
.
FTE (Format-Transforming-Encryption)
Description: It transforms Tor traffic to arbitrary formats using their language descriptions. See the research paper. It utilizes Format Transforming Encryption, a cryptographic primitive family that transforms plaintext into cyphertext that fits a predefined format, usually that of completely different another protocol.
Language: Python/C++
Maintainer: Kevin Dyer
FTE Evaluation
https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/FteEvaluation
.
The above pluggable bridge transports are the three most popular and widely used pluggable obfuscation (disguising) transports to tranform users and tor replying datastreams into nearly undetectable data seen by ISP's and even NSA using Deep Packet Inspections on your individual connection.
.
Setting up a Tor Bridge Relay
On Linux to obtain the obfs4 proxy
$ sudo apt-get install obfs4proxy
.
FTE Bridge setup (still working on the client FTE transport encryption)
reference
https://trac.torproject.org/projects/tor/wiki/doc/fte/setup
https://github.com/kpdyer/fteproxy <--- to obtain fteproxy (python based)
https://pypi.python.org/pypi/fte
.
ClientTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy
https://gitweb.torproject.org/pluggable-transports/obfs4.git/tree/README.md
Using a existing Tor Bridge for a Socks5 Proxy connection, Using a existing Tor Bridge for a regular DarkMX Node to provide another layer of obfuscation, encryption and foil ISP and Gov attempts to censor, block or snoop on your DarkMX data activitys using Deep Packet Inspections (DPI).
A example obfs4 bridge socks5 proxy torrc configuration file in a local folder named tor-9060
# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it
UseBridges 1
ClientTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy managed
Bridge obfs4 52.44.84.69:9443 088FF997203D7C7410C461659C4A014B245145CA cert=lehzju1j9EDuJlBOl3E0GpKc1r0QoQ2GKKsWZBNhirMv9fXnDTMRCRX9zvHJvqsisHCPaA iat-mode=0
Bridge obfs4 158.69.204.189:5269 A4C09C00899047EB1E3F3D1DC873C3D490E00EBB cert=FOQL0Mqzq2g7qV5h9S/MJNXEPGdCrZUSplgiZMnIJk0Yok4i3oFNs7mNYuxcFTKFYwM0Aw iat-mode=0
Bridge obfs4 54.92.64.102:9443 2111EB7B8A8C44C21B60B030E61F7EF2B5C869EB cert=HeOiOBp2Xfc3UexS+1UdvgdhUU8SbwrdupGzpM1yp3RdOmu3ayZFdjYyjQOCaux/fO3WSQ iat-mode=0
#ClientTransportPlugin meek exec /usr/local/bin/meek-client managed
#Bridge meek 0.0.2.0:2 B9E7141C594AF25699E0079C1F0146F409495296 url=https://d2cly7j4zqgua7.cloudfront.net/ front=a0.awsstatic.com
DataDirectory ~/tor-9060
GeoIPFile ~/tor-9060/geoip
GeoIPv6File ~/tor-9060/geoip6
StrictNodes 1
SocksPort 9060
.
Files used from the tor-browser
path ../tor-browser_en-US/Browser/TorBrowser/Tor to copy the 'tor' file.
path ../tor-browser_en-US/Browser/TorBrowser/Tor/PluggableTransports to copy the 'obfs4proxy' and 'meek-client' files.
path ../tor-browser_en-US/Browser/TorBrowser/Data/Tor to copy the 'geoip', 'geoip6' and torrc file.
Note: While the tor-browser torrc file is not used directly, the obfs4 bridges are more likely to come and go and knowing where to locate working fresh obfs4 bridges would quickly enable someone to paste those in from the tor-browser torrc file configured to use a obfs4 pluggable transported bridge tor relay and be back up and running.
An example of placing and using a Tor Folder (attached file) placed into the ~/.DarkMX folder to provide regular DarkMX Nodes with a Tor Bridge Socks5 Proxy ability.
Make a Tor folder inside your ~/.DarkMX folder (or copy and paste the attached Tor folder) and place the above files into it.
Check permissions on tor, obfs4proxy, meek-client and enable 'execute' if any are not.
On Linux systems, I then copy obfs4proxy and meek-client into /usr/local/bin and execute them there by a custom command in the torrc file. Inside the ~/darkmx/Tor folder you'd copy those files into your file systems bin folder.
example $ sudo cp obfs4proxy /usr/local/bin
example $ sudo cp meek-client /usr/local/bin
The socks5 proxy port chosen in this example is 9060. This doesn't interfere nor matter if you are concurrently running another tor router installed in the system files using port 9050 nor if you are concurrently running the tor browser which uses port 9150. What is essential is that you run the tor binary router inside that .DarkMX/Tor folder and you must use the -f flag to tell that tor binary where to find and use your customized torrc file (in the same folder) Inside the ~/darkmx/Tor folder.
example $ ./tor -f ~/darkmx/Tor/torrc
*** As an added bonus, I've added a bunch of new obfs4 bridges (appear as random noise to DPI) that are very fresh and should last for sometime. The meek Amazon bridge uses a rather static entry to the multi-million/sec users datastreams to the Amazon servers and appears as another Amazon connection that has millions of potental end-points and exits for a overly aggressive ISP, Government or Gestapo snoop.
Here is a working example of a linux based tor torrc file customized to use either obfs4 or meek obfuscation and encrypted bridges. Currently set for obfs4 enabled. To only use the meek-amazon obfuscation transport then comment (#) each of the obfs4 lines and uncomment the two (34,35) Meek lines in this torrc file.
*** Note you can copy the below full torrc file into your text editor and save it in your ~/darkmx/Tor folder with the filename torrc with the path names updated for your username and/or system type (linux,mac,windows). Attached files include Tor-folder.zip which includes all the above files for a linux 64bit system plus extra torrc configuration files. Place that uncompressed folder inside ~/.DarkMX and copy meek-client, obfs4proxy to /usr/local/bin system files area both with permissions to execute.
# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it
UseBridges 1
# Obfs4
ClientTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy managed
Bridge obfs4 154.35.22.10:80 8FB9F4319E89E5C6223052AA525A192AFBC85D55 cert=GGGS1TX4R81m3r0HBl79wKy1OtPPNR2CZUIrHjkRg65Vc2VR8fOyo64f9kmT1UAFG7j0HQ iat-mode=0
Bridge obfs4 154.35.22.12:4304 00DC6C4FA49A65BD1472993CF6730D54F11E0DBB cert=N86E9hKXXXVz6G7w2z8wFfhIDztDAzZ/3poxVePHEYjbKDWzjkRDccFMAnhK75fc65pYSg iat-mode=0
Bridge obfs4 192.95.36.142:443 CDF2E852BF539B82BD10E27E9115A31734E378C2 cert=qUVQ0srL1JI/vO6V6m/24anYXiJD3QP2HgzUKQtQ7GRqqUvs7P+tG43RtAqdhLOALP7DJQ iat-mode=1
Bridge obfs4 154.35.22.11:16488 A832D176ECD5C7C6B58825AE22FC4C90FA249637 cert=YPbQqXPiqTUBfjGFLpm9JYEFTBvnzEJDKJxXG5Sxzrr/v2qrhGU4Jls9lHjLAhqpXaEfZw iat-mode=0
Bridge obfs4 85.31.186.98:443 011F2599C0E9B27EE74B353155E244813763C3E5 cert=ayq0XzCwhpdysn5o0EyDUbmSOx3X/oTEbzDMvczHOdBJKlvIdHHLJGkZARtT4dcBFArPPg iat-mode=0
Bridge obfs4 154.35.22.9:12166 C73ADBAC8ADFDBF0FC0F3F4E8091C0107D093716 cert=gEGKc5WN/bSjFa6UkG9hOcft1tuK+cV8hbZ0H6cqXiMPLqSbCh2Q3PHe5OOr6oMVORhoJA iat-mode=0
Bridge obfs4 38.229.1.78:80 C8CBDB2464FC9804A69531437BCF2BE31FDD2EE4 cert=Hmyfd2ev46gGY7NoVxA9ngrPF2zCZtzskRTzoWXbxNkzeVnGFPWmrTtILRyqCTjHR+s9dg iat-mode=1
Bridge obfs4 192.99.11.54:443 7B126FAB960E5AC6A629C729434FF84FB5074EC2 cert=VW5f8+IBUWpPFxF+rsiVy2wXkyTQG7vEd+rHeN2jV5LIDNu8wMNEOqZXPwHdwMVEBdqXEw iat-mode=0
Bridge obfs4 154.35.22.9:443 C73ADBAC8ADFDBF0FC0F3F4E8091C0107D093716 cert=gEGKc5WN/bSjFa6UkG9hOcft1tuK+cV8hbZ0H6cqXiMPLqSbCh2Q3PHe5OOr6oMVORhoJA iat-mode=0
Bridge obfs4 [2001:470:b381:bfff:216:3eff:fe23:d6c3]:443 CDF2E852BF539B82BD10E27E9115A31734E378C2 cert=qUVQ0srL1JI/vO6V6m/24anYXiJD3QP2HgzUKQtQ7GRqqUvs7P+tG43RtAqdhLOALP7DJQ iat-mode=1
Bridge obfs4 154.35.22.11:443 A832D176ECD5C7C6B58825AE22FC4C90FA249637 cert=YPbQqXPiqTUBfjGFLpm9JYEFTBvnzEJDKJxXG5Sxzrr/v2qrhGU4Jls9lHjLAhqpXaEfZw iat-mode=0
Bridge obfs4 37.218.240.34:40035 88CD36D45A35271963EF82E511C8827A24730913 cert=eGXYfWODcgqIdPJ+rRupg4GGvVGfh25FWaIXZkit206OSngsp7GAIiGIXOJJROMxEqFKJg iat-mode=1
Bridge obfs4 37.218.245.14:38224 D9A82D2F9C2F65A18407B1D2B764F130847F8B5D cert=bjRaMrr1BRiAW8IE9U5z27fQaYgOhX1UCmOpg2pFpoMvo6ZgQMzLsaTzzQNTlm7hNcb+Sg iat-mode=0
Bridge obfs4 109.105.109.147:13764 BBB28DF0F201E706BE564EFE690FE9577DD8386D cert=KfMQN/tNMFdda61hMgpiMI7pbwU1T+wxjTulYnfw+4sgvG0zSH7N7fwT10BI8MUdAD7iJA iat-mode=2
Bridge obfs4 85.31.186.26:443 91A6354697E6B02A386312F68D82CF86824D3606 cert=PBwr+S8JTVZo6MPdHnkTwXJPILWADLqfMGoVvhZClMq/Urndyd42BwX9YFJHZnBB3H0XCw iat-mode=0
Bridge obfs4 154.35.22.12:80 00DC6C4FA49A65BD1472993CF6730D54F11E0DBB cert=N86E9hKXXXVz6G7w2z8wFfhIDztDAzZ/3poxVePHEYjbKDWzjkRDccFMAnhK75fc65pYSg iat-mode=0
Bridge obfs4 109.105.109.165:10527 8DFCD8FB3285E855F5A55EDDA35696C743ABFC4E cert=Bvg/itxeL4TWKLP6N1MaQzSOC6tcRIBv6q57DYAZc3b2AzuM+/TfB7mqTFEfXILCjEwzVA iat-mode=1
Bridge obfs4 154.35.22.11:80 A832D176ECD5C7C6B58825AE22FC4C90FA249637 cert=YPbQqXPiqTUBfjGFLpm9JYEFTBvnzEJDKJxXG5Sxzrr/v2qrhGU4Jls9lHjLAhqpXaEfZw iat-mode=0
Bridge obfs4 154.35.22.13:16815 FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D cert=fKnzxr+m+jWXXQGCaXe4f2gGoPXMzbL+bTBbXMYXuK0tMotd+nXyS33y2mONZWU29l81CA iat-mode=0
Bridge obfs4 154.35.22.10:443 8FB9F4319E89E5C6223052AA525A192AFBC85D55 cert=GGGS1TX4R81m3r0HBl79wKy1OtPPNR2CZUIrHjkRg65Vc2VR8fOyo64f9kmT1UAFG7j0HQ iat-mode=0
Bridge obfs4 83.212.101.3:50002 A09D536DD1752D542E1FBB3C9CE4449D51298239 cert=lPRQ/MXdD1t5SRZ9MquYQNT9m5DV757jtdXdlePmRCudUU9CFUOX1Tm7/meFSyPOsud7Cw iat-mode=0
Bridge obfs4 154.35.22.9:80 C73ADBAC8ADFDBF0FC0F3F4E8091C0107D093716 cert=gEGKc5WN/bSjFa6UkG9hOcft1tuK+cV8hbZ0H6cqXiMPLqSbCh2Q3PHe5OOr6oMVORhoJA iat-mode=0
Bridge obfs4 154.35.22.13:443 FE7840FE1E21FE0A0639ED176EDA00A3ECA1E34D cert=fKnzxr+m+jWXXQGCaXe4f2gGoPXMzbL+bTBbXMYXuK0tMotd+nXyS33y2mONZWU29l81CA iat-mode=0
Bridge obfs4 85.17.30.79:443 FC259A04A328A07FED1413E9FC6526530D9FD87A cert=RutxZlu8BtyP+y0NX7bAVD41+J/qXNhHUrKjFkRSdiBAhIHIQLhKQ2HxESAKZprn/lR3KA iat-mode=0
Bridge obfs4 38.229.33.83:80 0BAC39417268B96B9F514E7F63FA6FBA1A788955 cert=VwEFpk9F/UN9JED7XpG1XOjm/O8ZCXK80oPecgWnNDZDv5pdkhq1OpbAH0wNqOT6H6BmRQ iat-mode=1
Bridge obfs4 154.35.22.10:15937 8FB9F4319E89E5C6223052AA525A192AFBC85D55 cert=GGGS1TX4R81m3r0HBl79wKy1OtPPNR2CZUIrHjkRg65Vc2VR8fOyo64f9kmT1UAFG7j0HQ iat-mode=0
# Meek-Amazon
#ClientTransportPlugin meek exec /usr/local/bin/meek-client managed
#Bridge meek 0.0.2.0:2 B9E7141C594AF25699E0079C1F0146F409495296 url=https://d2cly7j4zqgua7.cloudfront.net/ front=a0.awsstatic.com
# To run use $ ./tor -f ~/darkmx/Tor/torrc via a terminal window inside your ~/darkmx/Tor folder.
DataDirectory ~/darkmx/Tor
GeoIPFile ~/darkmx/Tor/geoip
GeoIPv6File ~/darkmx/Tor/geoip6
StrictNodes 1
SocksPort 9060
*** Note again, you'll update,edit ~/darkmx/Tor/geoip to something like C:\something etc. if you are running this on Windows.
sha256sum on the above files I copied to use from the linux 64bit tor en_browser
.
0b4728cd147136bd6acba587e8af13ff2864973e105dc4044180d340b76a271b tor
ae8d0e22e957602096918e3e805e4079fb4e8322baa7c492c9738242739ed1c2 geoip
2ad1e8e358cc2f89a2940d76a6814671fb8f146ae5d581de8fbc1c6064bce9bb geoip6
74d67cd9e493419b2ca244283cb1bf30450d422cb0aad327cf8f3bd13bb91bc9 meek-client
f2cb0ffa83658f83db626af78d8ce964aee37821735c6ef116637eeebb938bc7 obfs4proxy
.
A regular Socks5 tor Proxy torrc configuration file without using any tor bridge
# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it
# To run use $ ./tor -f ~/darkmx/Tor/torrc via a terminal window inside your ~/darkmx/Tor folder. Edit paths ~/ if running Windows.
DataDirectory ~/darkmx/Tor
GeoIPFile ~/darkmx/Tor/geoip
GeoIPv6File ~/darkmx/Tor/geoip6
StrictNodes 1
SocksPort 9060
Note: You'd normally bootup this Socks5 Proxy Tor Bridge prior to booting up DarkMX and of course adjust your Socks5 Tor Proxy port to 9060 via 'Preferences' -- Network -- Hidden Service Configuration --> 9060 0 Tor outgoing Okay.
Note if the DarkMX package builders placed the Tor folder into their package ~/darkmx/Tor that would easily permit many regular DarkMX users to run the optional Tor Socks Proxy 127.0.0.1 port 9060. Linux packages could use this as is for amd64 builds. For Windows packages the builders would need to pull the outlined files from the pertinent Windows Tor Browser (32bit,64bit) to include and adjust the paths accordingly.
Note if the DarkMX developers placed this in the initial bootup coding of DarkMX to
cd ~/darkmx/Tor
./tor -f ~/darkmx/Tor/torrc
execute one time then add a Qt enable option, that would automatically provide linux users with the option to route a regular DarkMX Node via tor.
