[%sep] Testing obfs4proxy on FreeBSD

###20170807###

Testing obfs4proxy on FreeBSD and OpenBSD by gman999

The Tor Project's Pluggable Transports (PTs) are a mitigation measure against deep-packet inspection (DPI). obfs4proxy, typically deployed on Tor bridges, is the most common PT in use.

There is currently no official FreeBSD or OpenBSD support for obfs4, which means that the operating system diversity of obfs4proxy providers is dismal.

TDP is working to change that.

While our Tor Browser for OpenBSD doesn't yet support PTs on the client side, we've made some significant steps recently.

Vinicius built security/obfs4proxy with the two previously unported dependencies, security/go-ed25519 and security/go-siphash for FreeBSD.

We also have net/obfs4proxy for OpenBSD -current, ready for testing.

Within our openbsd-ports project resides net/obfs4proxy, along with the required and unofficially ported devel/go-goptlib, security/go-ed25519, security/go-siphash.

What can you do?

If you're running a FreeBSD or OpenBSD-current Tor bridge, grab the source and build it (we're working on a solution for -stable). In the case of OpenBSD, it must be either i386 or amd64 at the moment (the Go compiler does not yet support non-x86 architectures there).

Adding obfs4proxy support to a Tor bridge is easy, with the addition of a single line:

    ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy managed

Additional options that control logging are available; read the man page for more details. The author's own README is also recommended reading.

With info-level logging enabled, the log, which resides at pt_state/obfs4proxy.log under the Tor data directory, should show something like this:

    2017/08/05 18:03:29 [NOTICE]: obfs4proxy-0.0.7 - launched
    2017/08/05 18:03:29 [INFO]: obfs4proxy - initializing server transport listeners
    2017/08/05 18:03:29 [INFO]: obfs4 - registered listener: [scrubbed]:35549
    2017/08/05 18:03:29 [INFO]: obfs4proxy - accepting connections

Feedback, comments and patches are appreciated, preferably as a GitHub issue for FreeBSD or OpenBSD.

Both will be submitted to the respective ports trees.

A final general note on obfs4proxy: for obvious obfuscation purposes, the TCP port obfs4 listens on is randomized, although the same port is reused across restarts. That is a problem for anyone running a bridge on a residential connection, where some form of port forwarding by port and protocol is necessary.

There is a simple workaround for that problem in the torrc file. Add the following line with the preferred TCP port, which gives the necessary port forward a long-term setting:

    ServerTransportListenAddr obfs4 0.0.0.0:$preferred_port
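
One way to confirm that the pinned port is the one obfs4proxy actually registered, so the router's port forward stays valid. This is an added example, not part of the original post or of obfs4proxy; the function names, the sample files and port 8443 are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): check that the obfs4 port pinned
# in torrc is the one obfs4proxy registered, so the port forward stays valid.

# Port from the last "registered listener" line of an obfs4proxy log.
obfs4_logged_port() {
    sed -n 's/^.*\[INFO]: obfs4 - registered listener: .*:\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Port pinned by "ServerTransportListenAddr obfs4 ADDR:PORT"; commented-out
# lines do not match, and the last matching line is used (assumption).
torrc_pinned_port() {
    sed -n 's/^[[:space:]]*ServerTransportListenAddr[[:space:]][[:space:]]*obfs4[[:space:]][[:space:]]*.*:\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Usage: check_obfs4_port TORRC LOG
# 0 = pinned port is in use, 1 = nothing pinned (random port),
# 2 = log shows a different port, 3 = no listener line in the log.
check_obfs4_port() {
    pinned=$(torrc_pinned_port "$1")
    logged=$(obfs4_logged_port "$2")
    [ -n "$logged" ] || { echo "no listener in log"; return 3; }
    [ -n "$pinned" ] || { echo "unpinned $logged"; return 1; }
    [ "$pinned" = "$logged" ] || { echo "mismatch torrc=$pinned log=$logged"; return 2; }
    echo "match $logged"
}

# Constructed sample files: a torrc pinning port 8443 and a log in the
# format shown in the post.
write_samples() {
    cat > "$1/torrc" <<'EOF'
BridgeRelay 1
ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy managed
#ServerTransportListenAddr obfs4 0.0.0.0:9001
ServerTransportListenAddr obfs4 0.0.0.0:8443
EOF
    cat > "$1/obfs4proxy.log" <<'EOF'
2017/08/05 18:03:29 [NOTICE]: obfs4proxy-0.0.7 - launched
2017/08/05 18:03:29 [INFO]: obfs4 - registered listener: [scrubbed]:8443
2017/08/05 18:03:29 [INFO]: obfs4proxy - accepting connections
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_obfs4_port "$demo_dir/torrc" "$demo_dir/obfs4proxy.log"
rm -rf "$demo_dir"
```

On a real bridge, pass the paths of the live torrc and of pt_state/obfs4proxy.log in the Tor data directory; a mismatch usually means Tor has not been restarted since the line was added.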