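- Advice and configuration for Tor Bridge relays
- A loud appeal: Tor relay operators in China, please set yourselves up only as a "middleman"
- Please click www.chinagfw.org to visit us
- Specifying the exit IP region when using Tor
- Tor mirror addresses TorProject mirror
- Bridge relays
- Tor bridge proxy feature for breaking through network blocking
- How to setup a Tor relay or Tor bridge
- 184 Responses to “How to setup a Tor relay or Tor bridge”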
http://www.chinagfw.org/2008/04/torbridge-relays_07.html
Monday, April 7, 2008
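Advice and configuration for Tor Bridge relays
Author: Mike Zhang  Source: MIKE的自由网志
Today I happened to read Andrew's article "A loud appeal: Tor relay operators in China, please set yourselves up only as a 'middleman'" and it struck a chord with me. Although in actual use I have not seen Tor relay servers inside the country being used as the final exit, any public relay server can potentially be used as a final exit. If the final exit sits inside the mainland network, the whole exercise really does lose its point. The visitor may not be traceable, but it can still bring the operator of the Tor relay some degree of trouble. So on mainland networks it seems very necessary to run a Tor relay in Bridge relays mode only.
On the Windows version of Tor, Bridge relays mode is set as follows:
Settings -> Relay -> Tor network relay -> Exit Policies -> clear all selections (that is, leave none selected) -> Save
Setting up Bridge relays on the Linux version of Tor is slightly more involved. I tried it, and the settings are as follows: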
# vi /usr/local/etc/tor/torrc
Right after the existing ORPort setting, enable this setting:
ExitPolicy reject *:*
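That is, the original Tor relay is not allowed to act as an exit for any service. Since I am still running a Tor anonymous website, the other relay settings in this section have to be kept.
Then, at the very end of this configuration file, enable the first three lines of the Bridge Relay configuration: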
ORPort 443
BridgeRelay 1
RelayBandwidthRate 500KBytes
#ExitPolicy reject *:*
Save, then restart the Tor service.
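The check below is an added example, not code from the original post or from the Tor project: it parses a torrc and reports whether the settings this post enables (BridgeRelay 1, an ORPort, and reject *:* as the first exit rule) are actually active. Both torrc samples are constructed, and taking the last occurrence of a single-valued option is an assumption of this example.

```python
# Added example: audit a torrc for the bridge-only, non-exit settings
# that the post enables. Not part of Tor or of the original post.

# Constructed sample: the lines the post turns on, in the order it describes.
PAGE_TORRC = """\
ORPort 443
ExitPolicy reject *:*   # enabled right after the original ORPort setting
BridgeRelay 1
RelayBandwidthRate 500KBytes
#ExitPolicy reject *:*
"""

# Constructed counter-example: BridgeRelay is still commented out and an
# accept rule sits ahead of the catch-all reject.
WEAK_TORRC = """\
ORPort 443
#BridgeRelay 1
ExitPolicy accept *:80, reject *:*
"""


def parse_torrc(text):
    """Return [(option, value)] for active lines; option names are lowercased."""
    options = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        options.append((parts[0].lower(), value))
    return options


def exit_rules(options):
    """Flatten every active ExitPolicy line into one ordered rule list."""
    rules = []
    for key, value in options:
        if key == "exitpolicy":
            for rule in value.split(","):
                rule = " ".join(rule.split()).lower()
                if rule:
                    rules.append(rule)
    return rules


def audit_bridge_torrc(text):
    """Return a list of findings; an empty list means the settings are active."""
    options = parse_torrc(text)
    # Assumption of this example: for single-valued options the last line wins.
    last = dict(options)
    findings = []
    if last.get("bridgerelay") != "1":
        findings.append("BridgeRelay is not set to 1")
    orport = last.get("orport", "").split()
    if not orport or orport[0] == "0":
        findings.append("ORPort is not set")
    rules = exit_rules(options)
    if not rules:
        findings.append("no active ExitPolicy line")
    elif rules[0] != "reject *:*":
        # Exit rules are matched first to last, so an earlier accept wins.
        findings.append("first ExitPolicy rule is %r, not 'reject *:*'" % rules[0])
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_TORRC), ("weak", WEAK_TORRC)):
        print(name, audit_bridge_torrc(text) or "ok")
```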
If you turn on debug logging, you should see log entries similar to the following:
Apr 05 11:44:23.939 [debug] directory_handle_command_get(): rewritten url as ‘/tor/server/d/0E1353F11009ECEA964B01930………………………………..(too long, middle omitted)………………….z’.
Apr 05 11:44:23.939 [debug] conn_write_callback(): socket 19 wants to write.
Apr 05 11:44:23.939 [debug] connection_dir_finished_flushing(): Finished writing server response. Closing.
Apr 05 11:44:23.939 [debug] conn_close_if_marked(): Cleaning up connection (fd 19).
Apr 05 11:44:23.939 [debug] connection_remove(): removing socket 19 (type Directory), n_conns now 12
Apr 05 11:44:23.939 [debug] _connection_free(): closing fd 19.
Apr 05 11:44:24.034 [debug] conn_read_callback(): socket 8 wants to read.
Apr 05 11:44:24.034 [debug] connection_handle_listener_read(): Connection accepted on socket 19 (child of fd 8).
Apr 05 11:44:24.034 [debug] connection_add(): new conn type Directory, socket 19, n_conns 12.
Apr 05 11:44:24.166 [debug] conn_read_callback(): socket 19 wants to read.
Apr 05 11:44:24.166 [debug] read_to_chunk(): Read 1448 bytes. 1448 on inbuf.
Apr 05 11:44:24.166 [debug] fetch_from_buf_http(): headers not all here yet.
Apr 05 11:44:24.166 [debug] directory_handle_command(): command not all here yet.
Apr 05 11:44:24.181 [debug] global_read_bucket now 10485760.
Apr 05 11:44:24.181 [debug] global_write_bucket now 10485760.
Apr 05 11:44:24.181 [debug] global_relayed_read_bucket now 2048000.
Apr 05 11:44:24.181 [debug] global_relayed_write_bucket now 2048000.
Apr 05 11:44:24.181 [debug] or_conn->read_bucket now 10485760.
Apr 05 11:44:24.181 [debug] or_conn->read_bucket now 10485760.
Apr 05 11:44:24.181 [debug] circuit_is_acceptable(): Skipping one-hop circuit.
Apr 05 11:44:24.181 [debug] circuit_is_acceptable(): Skipping one-hop circuit.
Apr 05 11:44:24.181 [debug] circuit_get_open_circ_or_launch(): one on the way!
Apr 05 11:44:24.378 [debug] conn_read_callback(): socket 20 wants to read.
Apr 05 11:44:24.378 [debug] connection_read_to_buf(): 20: starting, inbuf_datalen 0 (0 pending in tls object). at_most 16384.
Apr 05 11:44:24.379 [debug] connection_read_to_buf(): After TLS read of 1024: 1098 read, 0 written
Apr 05 11:44:24.379 [debug] connection_or_process_cells_from_inbuf(): 20: starting, inbuf_datalen 1024 (0 pending in tls object).
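These logs are completely different from the ones seen earlier, when the relay was not running in bridge-relays-only mode.
Also, after I set the Tor relay to run as a bridge relay, I checked the Tor anonymous website previously set up on it, "http://o2ykh5czcfujbqty.onion/", and it was working normally as well.
With that, everything is set up.
The configuration file contains the following note about Bridge relays:
## Bridge relays (or “bridges” ) are Tor relays that aren’t listed in the
## main directory. Since there is no complete public list of them, even if an
## ISP is filtering connections to all the known Tor relays, they probably
## won’t be able to block all the bridges. Unlike running an exit relay,
## running a bridge relay just passes data to and from the Tor network –
## so it shouldn’t expose the operator to abuse complaints.
The gist is that once it runs in Bridge relays mode, your Tor relay server no longer shows up in the public relay directory, which prevents the local ISP from blocking it on the basis of that public directory. Of course, it also means you can only be an unsung hero. :-) But this suits our current situation so well that, after switching my Tor relay server to this mode, I would rather be an unsung hero too.
Many thanks to Andrew for the inspiration I took from the article on his blog.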
http://androidgao.blogspot.com/2008/03/tor.html
2008-03-24
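A loud appeal: Tor relay operators in China, please set yourselves up only as a "middleman"
Because you are in China, you are inside the Great Wall of the Internet
If you intend to act as a Tor server (the thing that gets translated as "relay")
be sure to set yourself up as a middleman, that is, do not allow any client to use you as an exit from the Tor network. Otherwise....
It is like digging a tunnel to break out of prison, finally getting through, and finding yourself in another prison : (
The settings are as follows (assuming you use Vidalia):
Settings -> Relay -> Tor network relay -> Exit Policies -> clear all selections (that is, leave none selected) -> Save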
Posted by Andrew Goal at 23:55
http://www.chinagfw.org/2009/07/torip.html
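Thursday, July 30, 2009
Source: JS 应用实录 – by N作坊
When using the onion router Tor, you sometimes want an IP from a specified region for certain special uses. For example, applying for an account on some foreign website may require an IP from that region.
The method is simple:
1. First open Tor's network map, find server nodes in that region, and note down the server names (pick several, in case some cannot be reached because of line problems).
2. Open the Torrc configuration file from the Tor entry in the Start menu, or find the path of the configuration file directly in the Tor control panel under Settings → Advanced → Tor Configuration File, then open that file. Add a line in the following format at the end:
Code
ExitNodes Server1,Server2
3. Stop Tor, then start it again, and Tor will load the new configuration file.
Open a page that shows your IP and region and verify it. Did it do what you wanted?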
http://www.chinagfw.org/2009/05/tor-torproject-mirror.html
Saturday, May 16, 2009
https://bridges.torproject.org/
Bridge relays
(or "bridges" for short) are Tor relays that aren't listed in the main
directory. Since there is no complete public list of them, even if your
ISP is filtering connections to all the known Tor relays, they probably
won't be able to block all the bridges.
To use the above lines, go to Vidalia's Network settings page, and
click "My ISP blocks connections to the Tor network". Then add each
bridge address one at a time.
Configuring more than one bridge address will make your Tor connection
more stable, in case some of the bridges become unreachable.
Another way to find public bridge addresses is to send mail to
bri...@torproject.org with the line "get bridges" by itself in the
body of the mail. However, so we can make it harder for an attacker to
learn lots of bridge addresses, you must send this request from a gmail
or yahoo account.
Tor bridge proxy feature for breaking through network blocking
https://groups.google.com/group/lihlii/browse_thread/thread/3f4825bb87fb7b00
http://anonygreen.wordpress.com/2009/06/18/how-to-setup-a-tor-relay-or-tor-bridge/
For those in Iran. Here is a guide in Farsi for installing Tor so
you can surf the web without censorship: http://greenoolo.pieceoftheworld.org/
IMPORTANT UPDATE (23/06/09): New email
addresses have been
added, and others updated. If you have Tor setup in bridge mode, resend
your connection information to us.
IMPORTANT UPDATE #2: When posting in the comments
section do not post your normal email address,
do not use your name/alias (make up a
new one) or post other personally identifiable information. This is
very important.
UPDATE: slseveral sends this interesting read: http://blog.torproject.org/blog/measuring-tor-and-iran That might ease those wondering
if we’re actually helping
What is Tor? (from
https://www.torproject.org/)
“Tor protects you by bouncing your communications around a
distributed network of relays run by volunteers all around the world:
it prevents somebody watching your Internet connection from learning
what sites you visit, and it prevents the sites you visit from learning
your physical location. Tor works with many of your existing
applications, including web browsers, instant messaging clients, remote
login, and other applications based on the TCP protocol.”
This is something of great value to our friends in Iran.
Get Tor
(all found at https://www.torproject.org/easy-download.html.en)
Os X: https://www.torproject.org/dist/vidalia-bundles/vidalia-bundle-0.2.0.34-0.1.10-universal.dmg
Windows: https://www.torproject.org/dist/vidalia-bundles/vidalia-bundle-0.2.0.34-0.1.10.exe
Linux/Unix/src: https://www.torproject.org/download-unix.html.en
and install (detailed instructions Windows, Os X)
(short version: double click install file)
Relay or Bridge?
A relay will be a proxy in the Tor network and help speed up the
network for the people using it – a bridge, on the other hand, will
enable people to reach the Tor network if the relays are blacklisted.
If you setup a bridge, you will need to get its address to the people
that are going to use it (more on that later. Short: do not post it
publicly).
IMPORTANT: We’re going to need both sorts (mostly
relays though), so please answer the poll (at the end) on which type
you’ve set up. And if the type doesn’t matter to you, please check the
poll to see how others have chosen and balance it up.
Relay:
(from https://www.torproject.org/docs/tor-doc-relay.html.en#setup)
- Right click on the Vidalia icon in your task bar. Choose Control Panel.
- Click Setup Relaying.
- Choose Relay Traffic for the Tor network.
- Enter a nickname for your relay. (Optional, enter contact information.)
- Change ports from the default ports (needs to be >1024 on Os X and Linux/Unix)
- If you have UPnP: Choose Attempt to automatically configure port forwarding. Push the Test button to see if it works. If it does work, great. If not, see “Firewall/router” below.
- Choose the Bandwidth Limits tab. Select how much bandwidth you want to provide for Tor users like yourself.
- Choose the Exit Policies tab. If you want to allow others to use your relay for these services, don’t change anything. Un-check the services you don’t want to allow through your relay. If you want to be a non-exit relay, un-check all services.
- Click the Ok button. See “Check if it works” below for confirmation that the relay is working correctly.
Firewall/Router:
If you are using a firewall, open a hole in your firewall/router so
incoming connections can reach the ports you configured (Relay Port
(plus Directory Port if you enabled it)). Make sure you allow all
outgoing connections, so your relay can reach the other Tor relays.
Check if it works:
Restart your relay. If it logs any
warnings, address them. Look at the updates at the end of the post
for help resolving issues that arise.
As soon as your relay manages to connect to the network, it will try
to determine whether the ports you configured are reachable from the
outside. This may take up to 20 minutes. Look for a log entry like "Self-testing indicates your
ORPort is reachable from the outside. Excellent." If you don’t see
this message, it means that your relay is not reachable from the
outside — you should re-check your firewalls, check that it’s testing
the IP and port you think it should be testing, etc.
Problems?
And now what?
Well, congratulations, this is it. People can now surf the
internet without fear of filtering/blocking or surveillance. Collect
your karma points and continue following https://twitter.com/#search?q=%23IranElection or http://www.huffingtonpost.com/2009/06/13/iran-demonstrations-viole_n_215189.html
Bridge:
- Right click on the Vidalia icon in your task bar. Choose Control Panel.
- Click Setup Relaying.
- Click Help censored users reach the Tor network
- Enter a nickname for your relay. (Optional, enter contact information.)
- Change ports from the default ports (needs to be >1024 on Os X and Linux/Unix)
- If you have UPnP: Choose Attempt to automatically configure port forwarding. Push the Test button to see if it works. If it does work, great. If not, see “Firewall/router” below.
- Choose the Bandwidth Limits tab. Select how much bandwidth you want to provide for Tor users like yourself.
- Click the Ok button. See “Check if it works” below for confirmation that the bridge is working correctly.
- Now scroll down to “Get the address to those that need it” and follow the instructions. Do NOT publish your connection information in the comments.
Firewall/Router:
If you are using a firewall, open a hole in your firewall/router so
incoming connections can reach the ports you configured (Relay Port
(plus Directory Port if you enabled it)). Make sure you allow all
outgoing connections, so your relay can reach the other Tor relays.
Check if it works:
Restart your bridge. If it logs any
warnings, address them. Look at the updates at the end of the post
for help resolving issues that arise.
As soon as your bridge manages to connect to the network, it will
try to determine whether the ports you configured are reachable from
the outside. This may take up to 20 minutes. Look for a log entry like "Self-testing indicates your
ORPort is reachable from the outside. Excellent." If you don’t see
this message, it means that your relay is not reachable from the
outside — you should re-check your firewalls, check that it’s testing
the IP and port you think it should be testing, etc.
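As an added example (not part of the original guide or of Tor itself), the script below reads a Tor message log, including entries that were line-wrapped when pasted into mail, and reports the last self-test result for the ORPort and DirPort; scrub() strips address:port pairs before a log is shared. The sample log is constructed from the message wording quoted on this page; the DirPort line and the 192.0.2.10 address are assumptions.

```python
import re

# Constructed sample log. The ORPort wording follows the entries quoted on
# this page; the DirPort line mirrors it and, like 192.0.2.10, is an
# assumption made for this example. Two entries are wrapped on purpose.
SAMPLE_LOG = """\
Jun 24 22:36:11.544 [Warning] Your server (192.0.2.10:9001) has not
managed to confirm that its ORPort is reachable. Please check your
firewalls, ports, address, /etc/hosts file, etc.
Jun 24 22:36:12.102 [Warning] Your server (192.0.2.10:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Jun 24 22:56:11.544 [Notice] Self-testing indicates your ORPort is
reachable from the outside. Excellent. Publishing server descriptor.
"""

STAMP = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(\w+)\] (.*)$")
REACHABLE = re.compile(
    r"Self-testing indicates your (ORPort|DirPort) is reachable")
UNCONFIRMED = re.compile(
    r"has not managed to confirm that its (ORPort|DirPort) is reachable")
ADDRESS = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}\b")


def entries(log_text):
    """Return [(timestamp, level, message)], re-joining wrapped lines."""
    out = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = STAMP.match(raw)
        if m:
            out.append([m.group(1), m.group(2), m.group(3)])
        elif out:
            # No timestamp: continuation of the previous entry.
            out[-1][2] += " " + raw
    return [tuple(e) for e in out]


def reachability(log_text):
    """Return {port: (status, timestamp)}; the latest entry for a port wins."""
    status = {"ORPort": ("no result", None), "DirPort": ("no result", None)}
    for stamp, _level, message in entries(log_text):
        hit = REACHABLE.search(message)
        if hit:
            status[hit.group(1)] = ("reachable", stamp)
            continue
        hit = UNCONFIRMED.search(message)
        if hit:
            status[hit.group(1)] = ("unconfirmed", stamp)
    return status


def scrub(log_text):
    """Replace address:port pairs so a log can be posted without the bridge address."""
    return ADDRESS.sub("[scrubbed]", log_text)


if __name__ == "__main__":
    for port, (state, stamp) in reachability(SAMPLE_LOG).items():
        print(port, state, stamp)
    print(scrub(SAMPLE_LOG))
```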
Problems?
Get that address to those that need it (IMPORTANT)
After successfully setting up the bridge,
click “Setup Relay” and you will see your IP,
port and a string of characters; this is your bridge address.
Your bridge address is not posted publicly, so you need to get it to
those that need it.
Email this bridge address to anony...@gmail.com, gr88p...@googlegroups.com,
t...@austinheap.com,
iranc...@iansbrain.com and protes...@gmail.com or Direct Message (private
message) in Twitter to @iran09, @austinheap, @protesterhelp, @persiankiwi or @stopahmadi.
If you email be sure to include “Tor bridge” in the subject line.
And now what?
Well, congratulations, this is it. People can now surf the
internet without fear of filtering/blocking or surveillance. Collect
your karma points and continue following https://twitter.com/#search?q=%23IranElection or http://www.huffingtonpost.com/2009/06/13/iran-demonstrations-viole_n_215189.html
Poll:
Update 1:
GeoIP error:
Ian Says:
19th June, 2009 at 02:38 |
download this http://git.torproject.org/checkout/tor/master/src/config/geoip and put it in C:\Documents and Settings\{username}\Application Data\Tor\
Open ports in the router:
Carl Says:
21st June, 2009 at 13:01 |
Then you need to forward that port from your router to your
computer.
See: http://portforward.com/ for info and howto:s
Update2:
DNS hijacking:
From David and slseveral:
http://dnsresolvers.com/ got me past the hijacking errors
(Verizon FIOS DNS servers.)
Update3:
DIR Port not reachable, but OR port is.
Boogs says:
“THE SOLUTION, at least for me, was to download the latest unstable
version at http://www.torproject.org/download.html.en and presto, now everything works
just like it should. There must be a bug in the latest stable version.”
How can you help, 2nd edition.
Talk to friends and spread the word of the Iranian struggle for
freedom. Refer them to this guide if you think it was good.
If you know Farsi, please help translate
https://www.torproject.org/docs/tor-doc-windows.html.en
https://www.torproject.org/docs/tor-doc-osx.html.en
184 Responses to “How to setup a Tor relay or Tor bridge”
1.
The Plan to Expose the Basij « OUT the Basij Project said
30th June, 2009 at 16:02
[...]
http://anonygreen.wordpress.com/2009/06/18/how-to-setup-a-tor-relay-or-tor-bridge/
[...]
Reply
2.
Iran Rally Posting Central « Iranian Support Rallies said
30th June, 2009 at 16:02
[...]
http://anonygreen.wordpress.com/2009/06/18/how-to-setup-a-tor-relay-or-tor-bridge/
[...]
Reply
3.
Twitted by calimbasina said
1st July, 2009 at 07:57
[...] This post was Twitted by calimbasina [...]
Reply
4.
Emiliano ZAPATA said
21st July, 2009 at 15:55
Dear Ladies and Gentlemen
Dear Friends
I am writing you from Iran.
Thanks for giving me the possibility to answer you in this
particular sensitive case!
At first I would recommend you to establish a secure connection
like https:// … Secure Mail and connection, because this letter – sent
by “simple” http:// … – could be hacked and opened by anyone and any
government that you can imagine.
Secondly, we are not able – at the present time and since several
weeks – to click and get to any Website concerning Tor, TorProject and
Tor Bridges et cetera!
It would be useful to send us directly (to our e-mails) the new,
most recent and almost “unknown” Tor Bridges in order to set Tor in
motion, activate Tor Anonymizer and its Vidalia-Bundle programme.
I’ve been using the well-tried and stable Tor/Vidalia-Bundle
connection since four years without any problem until the last weeks,
as Tor and Google established a special site for Tor in connection with
filtering in Iran. The iranian government then acquired knowledge about
Tor and its potential and abilities.
Now iranian government blocked Tor Websites. Tor Bridges are
unreachable for us, unless we get them via https:// … on e.g. Gmail or
Yahoo Mail.
I would appreciate it, if you could send us Tor Bridges
containing IP No./Port/Fingerprint as following:
65.38.17.23:443 444c7f993fc52fe31c139ea98b4526cd425574db
91.143.81.140:443 aac8e94cfeac563dc56fbe52b544d363f5f87e2d
78.51.24.120:443 4f7ca9413130d60e1bf488613eebdff54decf490
Thanks for your efforts in advance.
Kind Regards
Emiliano ZAPATA
Reply
*
Hawk said
29th July, 2009 at 03:10
xxx.xxx.xxx.xxx:xxxx (edit: mod)
Reply
o
Carl said
3rd August, 2009 at 07:56
Do not post your bridge address here. Please read the
instructions one more time.
The distribution of bridge addresses is being handled
through trusted sources. Do not give bridges to just anyone who asks
for them. Any bridge posted publicly is potentially compromised.
Reply
5.
MichaellaS said
21st July, 2009 at 23:31
tks for the effort you put in here I appreciate it!
Reply
*
Carl said
3rd August, 2009 at 08:02
Cheers
Reply
6.
LnddMiles said
21st July, 2009 at 23:54
The best information i have found exactly here. Keep going Thank
you
Reply
Marc Byrd said
23rd June, 2009 at 21:44
If I can confirm that my initial bridge is working correctly, I’m happy
to:
1) Widely distribute IP’s
2) Confirm that machines are being used
3) Would like to know when they start to be blocked, automate if
possible
4) Fire up new machines as some become blocked, update list of
available servers
5) Shut down blocked machines
6) Repeat as needed
I’m willing to run as many servers as required in US and EU. With some
help I’m confident this can be automated.
Reply
Show your solidarity: how to setup a TOR relay via GUI - Page 2 - Why
We Protest - IRAN said
24th June, 2009 at 03:36
[...] Another writeup and where to send TOR bridges How to setup a Tor
relay or Tor bridge How to help #iranelection [...]
Reply
Bren said
24th June, 2009 at 03:48
The TOR authority also distributes bridge addresses when requested,
which means it might also be shared. By design you cannot help one
group of people more than the others, which is equivalent to some sort
of censorship. Once people get into the TOR network via bridges, all
the relays are equally shared. Any user helps because the traffic is
mashed up to be untraceable (provided the network is not overloaded).
Also geoip mentioned above doesn’t work for the stable version, but
requires the newer development version.
Some details here:
http://bit.ly/zAajH
http://iran.whyweprotest.net/keeping-your-anonymity-iran/802-show-your-solidarity-how-setup-tor-relay-via-gui.html#post5188
Reply
Ellipsix Informatics > Blog said
24th June, 2009 at 05:39
[...] For anyone interested, here's more information about setting up a
Tor relay or bridge to help Iranian activists and/or, more generally,
the cause [...]
Reply
slseveral said
24th June, 2009 at 07:32
Would like some confirmation or negation as to whether I’m on the
right path to solving bridge/exit-relay setup trouble. I’ll list what
current setup and what I’m thinking about changing it to.
Current setup problem:
internet –> FIOS router (dhcp currently gives out 192.168.1.xxx, can
be changed) –> Vonage Router (dhcp gives out 192.168.15.xxx, can’t
be changed) Netgear WPN824v2 (dhcp currently gives out 192.168.0.xxx,
can be changed) –> PC running Tor and Vidalia where i’ll be running
bridge/exit relay
The two ports I’ve configged for the bridge are forwarded to the next
thing in the chain (so on the fios router the two ports are forwarded
to the vonage router’s internal IP where the same two ports are
forwarded to the netgear’s IP which forward’s those to ports to the PC
running tor/vidalia.)
After 20 minutes logs show ports not reachable. I’ve triple-checked all
port forwardings to no avail.
Here’s what I’m thinking:
Since I can’t change the middle router (vonage) to dole out a different
IP block than 192.168.15.xxx, change the other two to that block, so
i’ll have:
interwebs –> FIOS router giving out 192.168.15.xxx –> Vonage
router still giving out 192.168.15.xxx –> Netgear giving out
192.168.15.xxx –> PC with the Tor bridge on it.
Questions are:
1) Will this work or with the router conflict, all wanting to be boss?
2) If it works, can I then just set up port forwarding on the FIOS
router directly to the PC’s internal IP?
Going to take some time due to number of devices connected to the
netgear at present with assigned IPs, so wanting a sanity check before
I dig in.
TIA
Reply
slseveral said
24th June, 2009 at 07:35
Correction to question 1) at the end there:
1) Will this work or will the routers conflict, all wanting to be boss?
Reply
Carl said
24th June, 2009 at 08:42
My guess is the router keeps outside separated from inside. So it
shouldn’t matter. There might of course be some interesting side
effects, I don’t know for certain. Most of all i think it is confusing
and i can’t see how it would help.
The question that strikes me is why you have this setup. Why not have a
router at the border and then have the others just function as switches?
I have a setup with multiple dhcp:s as well. But that is to separate my
open wifi from my home network. Do you really need the segmentation you
have right now?
Reply
slseveral said
24th June, 2009 at 08:47
Thanks for the reply Carl.
Sadly, yes, needed. FIOS router lacks features I need, vonage router
has no wifi but must be in the loop for the voip to work. netgear has
needed features and wifi.
Since posting the above I discovered that the netgear was randomly
nuking my port forwards. a little googling indicated that it is a known
bug. disabling SPI Firewall stops the bug. restarted, waiting/watching
logs now to see if ports are accessible.
Reply
slseveral said
24th June, 2009 at 08:58
Work around of disabling SIP firewall didn’t fix. still nuking port
forward rules. found new firmware version. will upgrade and try again
tmw night.
Reply
Carl said
24th June, 2009 at 09:18
Good luck! And please post back success/fail
slseveral said
25th June, 2009 at 07:00
And I quote:
“Jun 24 22:56:11.544 [Notice] Self-testing indicates your ORPort is
reachable from the outside. Excellent. Publishing server descriptor.”
Sending info to contacts listed above shortly.
On Looking Deeper, Or, Things About Iran You Might Not Know « advice
from a fake consultant said
24th June, 2009 at 07:54
[...] up “relays” and “bridges” that can be accessed by people in
Iran—and this is something you yourself can do that can be of
considerable benefit to Iranians trying to reach out to the rest of
[...]
Reply
Steve Mahfouz said
24th June, 2009 at 14:04
here is my information for my Tor relay bridge:
*.*.*.*:* *************************************** (mod: do NOT publish
connection information here, send it to the email addresses listed in
the howto above)
Peace and freedom for Iran !
Steve Mahfouz
Reply
guest said
24th June, 2009 at 17:08
Please do not publish your bridge IP address in public like this, send
it only in private email to those listed in the article.
Try to get yourself a new ipaddress by using the “ip release” and “ip
renew” command, then when you see you have gotten a new ipaddress, then
generate the new bridge relay address and send it in private email to
the emailaddresses listed in this article
Reply
jolle said
24th June, 2009 at 21:38
I’m trying to set up a bridge, but I’m not sure if it works. I have not
received confirmation trough self testing, but I do both receive and
send data the bandwidth graph tells me it received 105 KB and sent 186
KB.
Some questions : I have a WAN and a LAN address. The WAN address is
shown in the bridge address. Is this wrong? It is the same though as
shown when I check my ip-adress on http://www.ip-adress.com
Can this be a router issue or an ISP issue?
Reply
jolle said
24th June, 2009 at 22:41
I checked the info and it says that the address resolves to private IP
address 192.168.*.*
I tried to access my router, but I failed. My housemate changed the
password and can’t fix it.
I’ll try something else tomorrow.
Reply
Carl said
25th June, 2009 at 08:09
Ah, good.
Reply
Carl said
25th June, 2009 at 08:08
This is all good. The WAN address is your external address, the one
people need to reach you. Your LAN address is the address you computer
has internally and uses when communicating with the router.
Confirmation can take some time. Have you configured your router
correctly? (Port forwarding?)
Reply
Sandra said
25th June, 2009 at 03:10
Set up a bridge but how do I know if it’s working ok? Message log
hasn’t done anything for a while and bandwidth usage barely changes.
Reply
Carl said
25th June, 2009 at 07:50
Thank you for your help!
Before you can see traffic on your bridge someone we have forwarded
your bridge to must explicitly connect to it. It can take time, and it
may even never happen.
I don’t know how quickly they identify and block bridges, but some time
ahead yours may be needed.
If you feel you need more immediate feedback i suggest running a relay
instead.
Reply
Sandra said
25th June, 2009 at 08:03
I’ll stay as a bridge for now as there’s a lot less of them according
to your poll. Just hope that it works ok.
Reply
Carl said
25th June, 2009 at 08:05
Thanks
Reply
jolle said
26th June, 2009 at 16:27
If the message log doesn’t do anything, check if you have your port
forwarded to the router. That’s what stopped it for me.
Reply
billyhoush.com » Blog Archive » Help Iranians get the message out! said
25th June, 2009 at 05:10
[...] You can learn how to do both through easy steps shown here:
http://anonygreen.wordpress.com/2009/06/18/how-to-setup-a-tor-relay-or-tor-bridge/
[...]
Reply
slseveral said
25th June, 2009 at 07:31
Bah. ORPort Reachable, DirPort is not. Port Forwardings are set up the
same except for the port numbers of course.
Thoughts? (reading thread, haven’t seen it yet, but not done reading…)
Reply
slseveral said
25th June, 2009 at 07:41
Carl, safe to assume that your comments about not needing the DirPort
refer to relays rather than bridges? Bridges need the DirPort, yes?
Reply
Carl said
25th June, 2009 at 07:58
From what I’ve been able to gather; no, they don’t.
Your bridge connects to the tor network and those accessing your bridge
need only that. I’ll try to find more info on what the DIR port does
when i can find the time.
Reply
Ian said
25th June, 2009 at 10:34
I saw 2 green connection lines to Iran late last night.
Reply
Chaya said
25th June, 2009 at 12:54
Carl, I can’t find your comment to me anywhere here; but you’re right –
I don’t feel comfortable with these instructions! Thank you, anyway.
BTW, what do I do with this Tor thing I downloaded????
Reply
Carl said
25th June, 2009 at 13:10
The comments wound up in the “About” section of this blog, so i removed
them. But you got my answers in an email.
If you already installed it you can remove it by clicking the
“Uninstall” icon in the “Vidalia bundle” folder in your start menu.
If you did not install it, there is nothing you need to do to.
Thank you
Reply
Sandra said
25th June, 2009 at 17:37
Just got back from work and checked my bridge’s log, found a lot of
messages saying almost same thing:
Notice: We tried for 15 seconds to connection to ‘[scrubbed]‘ using
exit ‘…….’. Retrying on a new cuircuit.
Notice: Tried for 120 seconds to get a connection to [scrubbed]:80.
Giving up.
I’m assuming something isn’t working right?
Reply
slseveral said
26th June, 2009 at 06:51
Closing in on 24 hours since I emailed my bridge info to the email
addresses above. I didn’t receive any email replies, but something
seems to be happening…
Bandwidth usage shows…
Recv: 7.93 MB
Sent: 3.13 MB
This seems to bode well, though I expected heavier usage based on the
graph here:
http://blog.torproject.org/blog/measuring-tor-and-iran
Reply
Carl said
26th June, 2009 at 08:48
Well, one could expect quite a bit of lag between the time bridge is up
until its IP has found its way to user. At least that is my
experience.
Thanks for the link, really interesting read! And good to see that we
are doing something useful
Reply
Carl said
26th June, 2009 at 08:53
Link goes in a top update, with credit given to you. Cheers!
Reply
Kate said
27th June, 2009 at 05:03
I’m also having issues with my Dirport being unreachable. This would be
easier for me to resolve on my Windows machine, but I’m running this
off my Macbook and don’t know how to tweak settings as well. Any ideas?
Reply
Carl said
27th June, 2009 at 14:38
It’s ok to disable the DIR port
Reply
Goose said
27th June, 2009 at 14:31
I have been having the DirPort Warning message upon using my bridge.
From what I can gather online (see website link) this is a bug. The
workaround is to disable the Dirport as apparently bridges do not need
it.
Hope that helps anyone.
Reply
Boogs said
27th June, 2009 at 19:56
FOR THOSE HAVING TROUBLE WITH THEIR DIRPORT NOT BEING REACHABLE, I was
having the same problem. It was frustrating because I wasn’t behind a
router and my ORport was working just fine, so I couldn’t figure out
what the problem was.
THE SOLUTION, at least for me, was to download the latest unstable
version at http://www.torproject.org/download.html.en and presto, now
everything works just like it should. There must be a bug in the latest
stable version. (This is on XP SP3, by the way.)
Let’s get those bridges going!
Reply
Carl said
27th June, 2009 at 22:59
Cheers mate! Your solution goes as an update to the guide, with
attribution ofc
Reply
slseveral said
29th June, 2009 at 20:57
sweet, will get it tonight. Thanks!
Reply
slseveral said
30th June, 2009 at 06:42
I’m not liking the fact that http://www.torproject.org isn’t responding
to http requests right now. not liking that at all. can’t help but
wonder if there are bad guys involved.
Reply
Carl said
30th June, 2009 at 08:03
Not liking that at all… Let’s hope not
Reply
slseveral said
30th June, 2009 at 20:36
back up today.
Reply
Carl said
1st July, 2009 at 07:36
\o/
slseveral said
1st July, 2009 at 08:01
Yup. 0.2.1.16 fixed the DirPort accessibility issue for me too.
Note to others taking this route: Pay attention during upgrade. Don’t
let the update overwrite your settings file (default option.) Click
the correct button for the keeping of your existing settings to
maintain happiness level.
Thx again Boogs.
Reply
Twitted by joshuakchance said
28th June, 2009 at 05:53
[...] This post was Twitted by joshuakchance [...]
Reply
ErikCincinnati said
29th June, 2009 at 03:52
I run a relay, but not an open one. (e.g. the sites that can be exited
from my relay are limited – this is to prevent file-sharing complaints
from the RIAA).
What sites (specific news, communication, etc) are most important to
the people of IRAN, and blocked?
Thanks, Erik
Reply
Carl said
29th June, 2009 at 06:50
Can’t really say. But my guess would be:
Social: Twitter Facebook Myspace?
Communication: Gmail/GTalk Yahoo/YahooMail MSN/hotmail others
News: bbc, bbc persia others
Please amend the list if you’ve got more.
Reply
ateologu said
29th June, 2009 at 14:55
Methinks popular e-mail hosts should have priority. Twitter is less
known and used than some people might have you think.
Reply
Carl said
29th June, 2009 at 18:21
Ah, right you are. Left out the most obvious one
Reply
Twitted by areyoufitenough said
29th June, 2009 at 13:35
[...] This post was Twitted by areyoufitenough [...]
Reply
Zach said
30th June, 2009 at 12:36
I’m still getting this message when trying to run a relay:
Jun 30 07:33:22.322 [Warning] Your server (74.138.222.208:9050) has not
managed to confirm that its ORPort is reachable. Please check your
firewalls, ports, address, /etc/hosts file, etc.
I tried opening up the port on AirPort as mentioned elsewhere on this
thread, but that didn’t help.
Any last suggestions before I give up?
Reply
Carl said
30th June, 2009 at 14:23
Sorry mate. If you’ve opened the port in your router (airport)
correctly, and made exceptions for Tor in the OS X firewall (if it is
enabled, which it usually is not), then I cannot see why it’s not
working.
Maybe you are behind a NAT? Have you successfully opened ports to your
computer in the past?
Reply
Zach said
30th June, 2009 at 15:04
I’ve never tried to open ports before. I don’t think I’m behind an NAT,
but how would I know? I’m trying to run the relay on a computer at my
home and my ISP is Insight.
Thanks!
Reply
Carl said
30th June, 2009 at 20:23
There is a site that can help you with portforwarding
(portforward.com). Check that everything is correctly configured and
the port you redirect in your router is the same that you have
specified in Tor.
Reply
SD_Dave said
21st June, 2009 at 04:52
I’m running Mac OS X and I keep getting this error when I test the UPnP:
“No UPnP-enabled devices found.” The message log gives me this
warning: “Jun 20 20:29:03.820 [Warning] Your server (removed IP/Port
for this post) has not managed to confirm that its ORPort is reachable.
Please check your firewalls, ports, address, /etc/hosts file, etc.”
I’m totally not great at this stuff, but any help in setting this up
would be great.
Reply
SD_Dave said
21st June, 2009 at 06:25
I give up! I can’t even get connected anymore to even get “errors” I
keep getting rejected by my peers
Reply
oriste said
21st June, 2009 at 16:36
Unfortunately Mac OS X has a somewhat peculiar implementation of UPnP.
I had the same problems. You will have to manually open a port in your
router by going to the router control panel in your web browser. In my
case (Speedtouch 585) I had to add an entry to “Game and Application
Sharing”. Your router might use different terminology. Don’t give up,
keep trying!
Reply
sassafras said
22nd June, 2009 at 06:52
If you are using airport. Open airport utility and click manual setup.
click the “advanced” (gear shape) at the top of the page. From there
click the “Port Mapping.”
Add the port.
Public: 9050
Ip Address (something like) 10.0.1.2 — you get that from your system
preferences/network. But airport will start with 10.0.1.X
Private 9050.
Then ok, and update. Your airport will restart. In vidalia be sure to
specify the port 9050 for the client to use. Restart vidalia.
Then you should be good to go.
Reply
Zach said
23rd June, 2009 at 12:44
I tried that, but no luck. When testing, I still get the “No
UPnP-enabled devices found” message. I put 9050 as both the Relay Port
and the Directory Port: Was that correct?
And my log gives these two messages:
Jun 23 07:39:56.395 [Notice] Your DNS provider gave an answer for
“duhcnbuj646oej.invalid”, which is not supposed to exist. Apparently
they are hijacking DNS failures. Trying to correct for this. We’ve
noticed 1 possibly bad addresses so far.
Jun 23 07:39:56.575 [Notice] Your DNS provider has given
“208.69.32.132″ as an answer for 7 different invalid addresses.
Apparently they are hijacking DNS failures. I’ll try to correct for
this by treating future occurrences of “208.69.32.132″ as ‘not found’.
Reply
sassafras said
23rd June, 2009 at 19:32
Based on the log then you are actually connecting. The app is testing
and will block those addresses that are no good. if you look in the log
you should see something like “self-testing indicates your ORport is
reachable.”
Reply
Zach said
23rd June, 2009 at 22:05
I don’t have a message like that in my log. Instead I have
Jun 23 16:47:26.760 [Warning] Your server ([IP ADDRESS]) has not
managed to confirm that its ORPort is reachable. Please check your
firewalls, ports, address, /etc/hosts file, etc.
Reply
sassafras said
23rd June, 2009 at 22:22
Was that for the relay port, or the directory port? I don’t think you
have to run the directory.
best proxy said
21st June, 2009 at 04:56
*.*.*.* tor network (mod: Do not publish IP here, see instructions)
Reply
best proxy said
21st June, 2009 at 05:02
the last 3 running
Reply
Carl said
21st June, 2009 at 09:40
Do NOT publicize your bridge here. Look in the instructions. Please.
Reply
Shane said
21st June, 2009 at 06:13
I wish I could help with this. Spent years working with this kind of
stuff. Unfortunately my current security concerns make it where doing
this would be irresponsible on my part. May check with a friend and see
if I can’t put one of my old PC’s running Linux on his connection to
help.
Either way it is good to see people coming together like this to stop
tyranny.
Reply
Panotikon said
21st June, 2009 at 09:52
set up relay — running well and getting others to do the same… In the
region, and as most relays are in Europe, hope this helps…
Reply
Kyle said
21st June, 2009 at 12:24
I’m trying to set up a relay but I keep getting this error message:
Jun 21 13:18:03.109 [Warning] Your server (edited for anonymity:9100)
has not managed to confirm that its DirPort is reachable. Please check
your firewalls, ports, address, /etc/hosts file, etc.
I’ve changed my directory port a couple times, and I don’t have a
firewall up. how else can I troubleshoot this?
(my relay port is 443. should i change it?)
Reply
Carl said
21st June, 2009 at 12:57
Are you connected to the internet via a router?
Reply
Kyle said
21st June, 2009 at 13:00
yup.
Reply
Carl said
21st June, 2009 at 13:01
Then you need to forward that port from your router to your computer.
See: http://portforward.com/ for info and howto:s
Reply
R.T said
21st June, 2009 at 13:52
While Vidalia has verified my “DirPort” is reachable, I can’t get it to
connect to a circuit to verify anything else. Help!
Reply
Carl said
21st June, 2009 at 15:09
I don’t understand your problem/question. Could you maybe elaborate a
little?
Reply
IranFrance said
21st June, 2009 at 16:19
You can check your status here :
http://torstatus.kgprog.com/
Reply
slseveral said
21st June, 2009 at 21:10
Would like to share 2Mbps of my 5Mbps up (for bridge) but am having
trouble dealing with a triple-NAT situation [FIOS router --> Vonage
router --> Home Network Router (Netgear)]
Have forwarded ports from each to the next but still no joy showing in
Tor logs.
Would appreciate tips if anyone is up for the challenge.
DM @slseveral
Thx
Reply
greeny said
21st June, 2009 at 21:55
setup a 1.5 Mbps relay… good luck everyone!!!
Reply
SJE said
22nd June, 2009 at 04:53
I’ve set up a Tor relay and it works sometimes, but then other times I
get messages like this in the log:
“Your DNS provider gave an answer for “sh.invalid”, which is not
supposed to exist. Apparently they are hijacking DNS failures. Trying
to correct for this. We’ve noticed 1 possibly bad addresses so far.”
Do you know what it means for someone to “hijack DNS failures” and how
I fix this?
Thanks!
Reply
sassafras said
22nd June, 2009 at 06:57
I believe the tor client will automatically block it. If you check the
log soon after it should say so.
Here is info on DNS hijacking.
http://en.wikipedia.org/wiki/DNS_hijacking
Reply
SJE said
22nd June, 2009 at 07:12
Hmmm. Well the problem is, I notice that when I’m getting that log
message, I don’t seem to be connected to the Tor network, i.e. my relay
isn’t listed in “View the network”.
(Conversely, when I’m not getting the message, I do show up in the
network.)
So unless I can get it to stop doing that, I’m worried that I’m not
actually able to volunteer my computer’s services….
If anyone knows a way to fix this please let me know.
Thanks!
Reply
Me said
22nd June, 2009 at 09:25
Salam! I struggle with setting up a TOR bridge:
After starting up the log files indicating: Self-testing indicates your
ORPort is reachable from the outside. Excellent. Publishing server
descriptor.
I also find my bridge name in the Tor List Map.
After 20min I get the [Warning] Your server (n.n.n.n:9030) has not
managed to confirm that its DirPort is reachable. Please check your
firewalls, ports, address, /etc/hosts file, etc.
After this message I cannot see my bridge name in the Tor List Map.
I have disabled the firewall for testing and uninstalled the virus software.
I can see that ports in my router (Fritz Wlan 7170) get opened from
Vidalia controlled by UPnP.
Any suggestion what to do? Would be great to know. Thanks
Reply
Anne said
22nd June, 2009 at 13:36
Hi,
I told somebody about this project, which I think is a wonderful idea.
But – he said that if someone is then using my computer to access
illegal material, that I might be held accountable. Is that technically
possible? Is there a safety difference between bridges and relays?
Reply
Carl said
22nd June, 2009 at 19:20
I am not a lawyer
Tor is a network which bounces traffic between relays and then the
traffic exits from an exit relay.
As a relay you can be both relay and exit relay (unless you follow the
instructions to set up as a no-exit relay). Then your computer won’t be
the one showing up in the server logs as where the traffic originated
from. You’ll only send traffic to other relays.
As a bridge you’ll function as an entry-point to the Tor network and
send traffic to other relays.
In all three scenarios you’ll be relaying information that is
potentially illegal (in some country). You can’t protect yourself
against that. But as an exit-node your computer will be the one showing
up in server logs as the one accessing the “illegal” information.
Reply
sassafras said
23rd June, 2009 at 20:56
Tor isn’t 100% anonymity. There are many ways to find out who’s who.
But where it can be effective is helping others skirt around an iron
curtain, and exit in a place where they won’t be tracked down by local
authorities for accessing uncensored press etc.
ISPs don’t get in trouble for people accessing “illegal” info. To my
knowledge Time Warner has never been convicted of piracy, but I imagine
their connections have been used for such. If you ever had a problem,
you just tell them you run a Tor exit node. Enough said. A jury of
twelve will get it. You are not doing anything illegal and authorities
are well aware of the Tor network and actually use it as well (and
probably have their own exit nodes etc). Read the Tor description. Now
you may be violating your contract with your ISP, but that is a
different issue altogether.
So the twinge of fear you feel for helping the tor network (many people
feel it), because people may be using it for negative things (i’m sure
some people do), you can have about free speech in general (some people
use it to promote hate). But imagine having that same fear when accessing
FB or Twitter, or blogging about local politics, not to mention actual
non-violent protest against government. So, for myself, dealing with
that twinge of fear is the least i can do to help others in repressed
countries access free information.
I’m not a lawyer either, but i do live in a democratic republic. Laws
are there to protect me. Not the case for many other people in the
world.
Reply
David said
22nd June, 2009 at 13:41
I had a little trouble with OpenDNS stuffing up TOR. Seems that their
policy of referring to their own splash page when addresses don’t exist
threw a spanner in the works. My ISP uses very dodgy DNS so I had to
look elsewhere.
Fixed it by changing DNS server to 205.210.42.205 and 64.68.200.200
(DNSResolvers)
Reply
Carl said
22nd June, 2009 at 19:24
Thank you for reporting back how you fixed your problem.
Reply
Any Mouse said
22nd June, 2009 at 14:30
I’ve been doing the tor relay thing for a while but I’ve not always got
it going but for the past few days I’ve been doing it to help the
people in Iran who want to get information out to the greater world
about what is happening in their country.
Reply
Carl said
22nd June, 2009 at 19:24
Thank you
Reply
Kat said
22nd June, 2009 at 19:44
Jun 22 13:19:24.642 [Notice] Self-testing indicates your ORPort is
reachable from the outside. Excellent. Publishing server descriptor.
Jun 22 13:20:09.190 [Notice] Performing bandwidth self-test…done.
Jun 22 13:21:20.327 [Notice] Your DNS provider gave an answer for
“ecqrtede6″, which is not supposed to exist. Apparently they are
hijacking DNS failures. Trying to correct for this. We’ve noticed 2
possibly bad addresses so far.
Jun 22 13:25:49.504 [Warning] Failed to open GEOIP file
C:\Users\Leah\AppData\Roaming\tor\geoip.
Jun 22 13:25:49.507 [Warning] Failed to open GEOIP file
C:\Users\Leah\AppData\Roaming\tor\geoip.
Jun 22 13:27:57.306 [Notice] Your DNS provider gave an answer for
“ygvc4puw6ynvg”, which is not supposed to exist. Apparently they are
hijacking DNS failures. Trying to correct for this. We’ve noticed 2
possibly bad addresses so far.
Jun 22 13:39:11.268 [Warning] Your server (71.126.19.253:9030) has not
managed to confirm that its DirPort is reachable. Please check your
firewalls, ports, address, /etc/hosts file, etc.
Jun 22 13:59:11.273 [Warning] Your server (71.126.19.253:9030) has not
managed to confirm that its DirPort is reachable. Please check your
firewalls, ports, address, /etc/hosts file, etc.
Jun 22 14:19:11.283 [Warning] Your server (71.126.19.253:9030) has not
managed to confirm that its DirPort is reachable. Please check your
firewalls, ports, address, /etc/hosts file, etc.
Jun 22 14:39:11.327 [Warning] Your server (71.126.19.253:9030) has not
managed to confirm that its DirPort is reachable. Please check your
firewalls, ports, address, /etc/hosts file, etc.
I am about to give up and I did email the numbers. I’ve been spending a
lot of time doing this and yes the ports are open as I had a program that
opened them. I figure at this point I may not be able to do it via my
ISP.
Kat
Reply
Carl said
22nd June, 2009 at 20:18
Many of these issues have already been answered above.
Search for “GeoIP” among the comments and you will find an answer.
You can turn off DirPort, it is not needed. Click “Setup Relaying” and
un-check “Mirror relay directory”.
The DNS hijacking I do not know what to do about. You can find more
info about it on http://en.wikipedia.org/wiki/DNS_hijacking
Reply
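The log messages pasted throughout this thread can be triaged mechanically. The following is an added example, not part of the original comments or of Tor itself: a small parser that re-joins wrapped log lines and summarises ORPort/DirPort reachability, DNS-failure hijacking and the missing GeoIP file. The sample log is constructed from the message wording quoted above, with documentation-range addresses as placeholders.

```python
import re
from collections import Counter

# Constructed sample, modelled on the notices quoted in this thread and wrapped
# the way pasted logs usually are. Addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Jun 22 13:19:24.642 [Notice] Self-testing indicates your ORPort is
reachable from the outside. Excellent. Publishing server descriptor.
Jun 22 13:21:20.327 [Notice] Your DNS provider gave an answer for
"ecqrtede6", which is not supposed to exist. Apparently they are
hijacking DNS failures. Trying to correct for this.
Jun 22 13:21:20.511 [Notice] Your DNS provider has given
"198.51.100.7" as an answer for 7 different invalid addresses.
Jun 22 13:25:49.504 [Warning] Failed to open GEOIP file
C:\\Users\\example\\AppData\\Roaming\\tor\\geoip.
Jun 22 13:39:11.268 [Warning] Your server (203.0.113.5:9030) has not
managed to confirm that its DirPort is reachable. Please check your
firewalls, ports, address, /etc/hosts file, etc.
Jun 22 13:59:11.273 [Warning] Your server (203.0.113.5:9030) has not
managed to confirm that its DirPort is reachable. Please check your
firewalls, ports, address, /etc/hosts file, etc.
"""

ENTRY_START = re.compile(
    r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3} \[(?P<level>\w+)\] (?P<msg>.*)$")
QUOTE = "[\"\u201c\u201d\u2033]"  # straight, curly and double-prime quotes

REACHABLE = re.compile(r"Self-testing indicates your (ORPort|DirPort) is reachable")
UNREACHABLE = re.compile(
    r"Your server \([^)]*\) has not managed to confirm that its "
    r"(ORPort|DirPort) is reachable")
HIJACK_IP = re.compile(
    r"Your DNS provider has given " + QUOTE + r"([0-9.]+)" + QUOTE + r" as an answer")
HIJACK_NAME = re.compile(r"Your DNS provider gave an answer for " + QUOTE)
GEOIP = re.compile(r"Failed to open GEOIP file")


def join_entries(text):
    """Re-join wrapped lines: a line without a timestamp continues the previous entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_START.match(line)
        if m:
            entries.append([m.group("level"), m.group("msg")])
        elif entries:
            entries[-1][1] += " " + line
    return [(level, msg) for level, msg in entries]


def triage(text):
    """Summarise relay health; for each port the most recent message wins."""
    state = {"ORPort": "unknown", "DirPort": "unknown"}
    unreachable = Counter()
    hijack_ips, hijack_seen, geoip_missing = set(), False, False
    for _level, msg in join_entries(text):
        if (m := REACHABLE.search(msg)):
            state[m.group(1)] = "reachable"
        elif (m := UNREACHABLE.search(msg)):
            state[m.group(1)] = "unreachable"
            unreachable[m.group(1)] += 1
        elif (m := HIJACK_IP.search(msg)):
            hijack_seen = True
            hijack_ips.add(m.group(1))
        elif HIJACK_NAME.search(msg):
            hijack_seen = True
        elif GEOIP.search(msg):
            geoip_missing = True

    advice = []
    if state["ORPort"] == "unreachable":
        advice.append("ORPort not confirmed: check router port forwarding and "
                      "that the forwarded port matches the relay port.")
    if state["DirPort"] == "unreachable":
        advice.append("DirPort not confirmed: directory mirroring is optional; "
                      "disable it or forward that port too.")
    if hijack_seen:
        advice.append("Resolver answers for nonexistent names: switch to a "
                      "resolver that returns a proper 'not found'.")
    if geoip_missing:
        advice.append("geoip file is missing from Tor's data directory.")
    return {"orport": state["ORPort"], "dirport": state["DirPort"],
            "unreachable_count": dict(unreachable), "dns_hijack": hijack_seen,
            "dns_hijack_ips": hijack_ips, "geoip_missing": geoip_missing,
            "advice": advice}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report["orport"], report["dirport"], sorted(report["dns_hijack_ips"]))
    for line in report["advice"]:
        print("-", line)
```
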
Kat said
22nd June, 2009 at 19:52
I think my ISP blocks it so I am going to uninstall it. I tried to help
Iran.
Reply
Carl said
22nd June, 2009 at 20:23
Too bad :/
Thanks for trying though
Reply
Danny said
22nd June, 2009 at 22:41
If I set up a relay (not a bridge) – do I also need to send my address
to the people listed? I’m glad I can help, cheers from Poland
Reply
Carl said
23rd June, 2009 at 06:36
Nope
Reply
greenforiran said
22nd June, 2009 at 22:46
Hi–We are thinking of starting a HOW TO help page on our website. Can
we use this material? We will credit you of course! Thanks!
Reply
Carl said
23rd June, 2009 at 06:37
Of course
Reply
Carl said
23rd June, 2009 at 11:19
Send me a link to where i can find it when your HOWTO is up
Reply
Shangool said
23rd June, 2009 at 00:56
Hi,
I have compiled a little suite of tools that can be used to run Tor as
a client from a memory stick for OS X. By copying the package onto a
memory stick you have a standalone version of Firefox with Torbutton
plugin, Tor and Privoxy.
This lets users surf anonymously without having to install any software to
access a Tor bridge directly onto a computer. The config is currently
set up and working, but with the default Tor bridges; I strongly recommend
that these are changed before use to one of the secure Bridges.
http://files.me.com/thatlondon/xebckk
There are full installation and configuration instructions in the README
file. It’s a first release so please email me if something does not work
quite right.
Reply
Carl said
23rd June, 2009 at 06:53
Great
The same portable-Tor-on-usb-bundle for windows can be found here:
http://www.torproject.org/torbrowser/dist/tor-im-browser-1.2.1_en-US.exe
Reply
slseveral said
23rd June, 2009 at 07:13
Thanks David. http://dnsresolvers.com/ got me past the hijacking errors
(Verizon FIOS DNS servers.)
Now waiting 20 mins (or less?) to see if my bridge ports are reachable
via the 3-router chain I’m trying to forward them through *sheepish
grin*
Reply
Zach said
23rd June, 2009 at 13:53
Getting this error message now:
Jun 23 08:47:26.135 [Warning] Your server ([IP REDACTED]) has not
managed to confirm that its DirPort is reachable. Please check your
firewalls, ports, address, /etc/hosts file, etc.
Any suggestions?
Thanks!
Reply
Carl said
23rd June, 2009 at 14:26
If you are having troubles with the DIR port you can disable it.
Click “Setup Relaying” and un-check “Mirror relay directory”.
Reply
Zach said
23rd June, 2009 at 15:23
Thanks Carl, I followed your suggestion but now am getting a similar
error message: DIRport has been replaced by ORPort.
Reply
Carl said
23rd June, 2009 at 15:45
Are you connected to the internet via a router? Have you configured it
to forward the correct port(s)?
If not, see http://portforward.com/ for info and howto:s
Reply
Zach said
23rd June, 2009 at 15:48
Yes, I am using an AirPort Express. I followed Sassafras’s suggestion
on this page
(http://anonygreen.wordpress.com/2009/06/18/how-to-setup-a-tor-relay-or-tor-bridge/#comment-66)
for configuring it.
Reply
Carl said
23rd June, 2009 at 16:04
Ah, good. Was the port you specified in your airport the same as under
“setup relaying” -> “relay port”?
Sorry if I ask really basic questions, but I want to eliminate all the
low-hanging fruit first.
Reply
Zach said
23rd June, 2009 at 16:13
No need to apologize–I’m definitely low-hanging fruit when it comes to
Tor.
Yes, I have 9050 for the Public Port and Private Port in AirPort
Utility and have 9050 in Sharing > Relay Port.
Thanks for all of your help Carl!
Reply
Carl said
23rd June, 2009 at 16:22
I was referring to the easy-to-make problems and misconfigurations as
the low-hanging fruit
Is the Os X built-in firewall enabled or disabled?
See: http://security.getnetwise.org/tools/firewall-osx-instruct
Reply
Zach said
23rd June, 2009 at 16:34
In System Preferences > Security >Firewall, Allow all incoming
connections is selected.
Is there anywhere else I should look?
Reply
Carl said
23rd June, 2009 at 16:42
I’m running out of ideas.
Have you successfully opened ports to other applications previously?
Do you know if you’re on some kind of security package from your ISP
that blocks all incoming connections to your IP, or do you know if you
are behind a NAT?
Have you tried changing the port to something else? I had a similar
problem setting up Tor, but it was resolved when i changed port.
Reply
Zach said
23rd June, 2009 at 18:13
I’ve never tried to open up ports before. Also not sure if my ISP is
running a security package, although I also received these messages in
my log:
Jun 23 08:10:13.823 [Notice] Your DNS provider gave an answer for
“b72a24tyukubh”, which is not supposed to exist. Apparently they are
hijacking DNS failures. Trying to correct for this. We’ve noticed 1
possibly bad addresses so far.
Jun 23 08:10:14.011 [Notice] Your DNS provider has given
“208.69.32.132″ as an answer for 7 different invalid addresses.
Apparently they are hijacking DNS failures. I’ll try to correct for
this by treating future occurrences of “208.69.32.132″ as ‘not found’.
What’s a NAT? And do you have a recommendation as to what I should
change the port to?
Thanks again!
Reply
sassafras said
23rd June, 2009 at 22:49
Your ISP is hijacking DNS, which often means when someone mistypes an
address, or gives an address that doesn’t exist, it corrects the
spelling or redirects to the ISP’s splash page. Those are the friendly
forms, I’m sure there are less friendly versions.
What it sounds like you need to do is point to a different DNS server,
a “DNS resolver.”
http://dnsresolvers.com/
So, if you are on airport, open the utility and click on the
“internet” button.
You will find two “DNS Server” fields. Replace the existing numbers
with those from the DNS resolvers.
205.210.42.205
and
64.68.200.200
I hope this helps.
Reply
sassafras said
23rd June, 2009 at 22:51
Oops. You guys resolved it. Sorry for the double post. Thx Carl. I’m a
little confused by the layout of the threads. Any way to collapse and
expand as needed?
Reply
Carl said
24th June, 2009 at 06:42
Yeah, I wish. Haven’t found a way to do that in wordpress. If anyone
knows please holler.
I’ve made wordpress split comments into pages though. So it should be a
little more manageable.
Carl said
23rd June, 2009 at 20:20
NAT: http://en.wikipedia.org/wiki/Network_address_translation
To be able to run Tor you need a public IP address. If you are behind a
NAT you won’t be able to get Tor to run.
DNS Hijacking: http://en.wikipedia.org/wiki/DNS_hijacking
To get rid of the dns hijacking you need to change your DNS server(s)
to ones not controlled by your ISP – who is doing the hijacking.
http://dnsresolvers.com/ has a list.
As for which port to choose try one >1024 but less than 65536.
Reply
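To check whether a resolver rewrites "no such name" answers, and whether switching DNS servers actually stopped it, the probing idea visible in the log notices above can be reproduced. This is an added example, not code from the thread or from Tor: it resolves random names under the reserved `.invalid` TLD, reports any address that keeps coming back, and shows the "treat that address as not found" filtering the log notice describes. The fake resolver and its addresses are constructed so the check also runs offline.

```python
import secrets
import socket
import string
from collections import Counter


def system_resolve(name):
    """IPv4 answers from the OS resolver; an empty list means 'no such name'."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def random_name(length=13):
    """A random label under .invalid, a TLD reserved so that it never resolves."""
    alphabet = string.ascii_lowercase + string.digits
    label = "".join(secrets.choice(alphabet) for _ in range(length))
    return label + ".invalid"


def probe_nxdomain_hijack(resolve=system_resolve, probes=8, threshold=2):
    """Resolve names that cannot exist and collect addresses returned anyway.

    An address returned for at least `threshold` different random names is
    treated as the resolver's wildcard (splash page) address.
    """
    hits = Counter()
    answered = 0
    for _ in range(probes):
        ips = resolve(random_name())
        if ips:
            answered += 1
            hits.update(set(ips))
    wildcard_ips = {ip for ip, count in hits.items() if count >= threshold}
    return {"probes": probes, "answered": answered,
            "hijacked": bool(wildcard_ips), "wildcard_ips": wildcard_ips}


def filter_answer(ips, wildcard_ips):
    """Drop known wildcard addresses; an empty result is handled as 'not found'."""
    return [ip for ip in ips if ip not in wildcard_ips]


def make_fake_resolver(zone, wildcard=None):
    """Constructed stand-in resolver: names in `zone` resolve normally, anything
    else returns `wildcard` (a hijacking resolver) or nothing (an honest one)."""
    def resolve(name):
        if name in zone:
            return list(zone[name])
        return [wildcard] if wildcard else []
    return resolve


if __name__ == "__main__":
    # Constructed data: documentation-range addresses only.
    zone = {"example.com": ["192.0.2.10"]}
    hijacking = make_fake_resolver(zone, wildcard="198.51.100.7")
    result = probe_nxdomain_hijack(hijacking)
    print("fake hijacking resolver:", result)
    print("typo lookup after filtering:",
          filter_answer(hijacking("exmaple.com"), result["wildcard_ips"]))
    # The same probe against the resolver this machine is configured to use.
    print("system resolver:", probe_nxdomain_hijack())
```
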
Zach said
23rd June, 2009 at 22:08
Ah. My ISP did hijack my DNS, although I took it back by adding two
public DNS servers (208.67.222.222 and 208.67.220.220) to System
Preferences > Network> Advanced > DNS.
Reply
Zach said
23rd June, 2009 at 23:04
Sorry–should have written that I took it back a while ago, yet I still
had the problem today.
Sassafras–thanks for your suggestion. I followed it, but got this error
message:
Jun 23 18:03:22.126 [Notice] Your DNS provider has given
“208.69.32.132″ as an answer for 8 different invalid addresses.
Apparently they are hijacking DNS failures. I’ll try to correct for
this by treating future occurrences of “208.69.32.132″ as ‘not found’.
Reply
ateologu said
23rd June, 2009 at 20:57
Should I expect some green lines on my network map connecting to Iran,
showing me that I’m being useful?
Reply
Carl said
23rd June, 2009 at 22:01
If someone connects to your bridge/relay i suspect so.
Reply
ateologu said
24th June, 2009 at 18:32
Wait a minute: if Tor is blocked in Iran and the people there have to
use bridges, I shouldn’t be able to see any lines starting in Iran on
the RELAYS map, as their lines will start at whatever relay their
bridge leaves them off at.
So if all Iranians are using bridges, there’s no way to know if we’re
helping them or not.
And then there’s the question of why there are 3-4 relays showing up in
Iran on the map, with no activity.
Reply
ateologu said
25th June, 2009 at 10:30
Someone hosting a BRIDGE please confirm if you’ve EVER seen a green
line on the Relays Map starting from IRAN. I’d like to know when I’m
really helping because so far all I can see on my map are European and
American relay paths.
Thanks
and
Always Remember the Voice!
Reply
dreadedcandiru said
19th June, 2009 at 01:34
Just restarted my bridge–the message log gave me the good “reachable
from the outside” message, but I also got one before that which said
“Failed to open GEOIP file.” How do I fix that (assuming I need to)?
Reply
Ian said
19th June, 2009 at 02:38
download this
http://git.torproject.org/checkout/tor/master/src/config/geoip and put
it in C:\Documents and Settings\{username}\Application Data\Tor\
Reply
dreadedcandiru said
19th June, 2009 at 02:49
What extension should I put on that?
Reply
dreadedcandiru said
19th June, 2009 at 03:02
Oh, never mind–just got it working! Awesome. Should I send the bridge
info to Austin Heap, @ProtesterHelp, or both? (Don’t have e-mail info
for the Iranians, and I can’t DM them either…)
Reply
jeff said
19th June, 2009 at 03:16
Got a bridge setup, need to know where to find the address and codes I
need to make available, and where to make them available
Reply
dreadedcandiru said
19th June, 2009 at 03:31
When you click “setup relaying” with your bridge set up, there’s a
string of numbers and letters across the bottom of that window that says
“Let others access your bridge by giving them this line.” Send that via
DM or e-mail to Austin Heap (m...@austinheap.com) or @ProtesterHelp
(protes...@gmail.com).
Reply
Ian said
19th June, 2009 at 04:36
I am keeping lists of relays in secure places around the nets and
feeding them to people who can share them with who needs them.
iranc...@iansbrain.com
Reply
skullbochs said
19th June, 2009 at 07:14
I’m set up as a no-exit relay, bandwidth capped to 200kb/s. Hope it
helps some.
Reply
free iran said
19th June, 2009 at 14:24
Hello, first I set up my tor as a relay then I tried to set up as a
bridge but nobody answered my mail when I send my bridge address. So I
came back to a little relay (70ko) with exit policy (web and SSL). The
problem is I don’t know if it really helps iranians or anybody else…
Reply
dreadedcandiru said
19th June, 2009 at 17:14
They usually don’t answer–these guys are getting a LOOOOOOOOOT of mail
lately–but my bridge is getting traffic now. But it’s cool, we need
relays too; they apparently speed up the network and make it tougher to
crack.
Reply
Carl said
19th June, 2009 at 18:31
Thanks for helping out Ian (and others). I’m in middle-of-nowhere-land
and have gprs-connection-in-fair-winds-and-once-in-a-blue-moon
Keep it green
Reply
theice said
19th June, 2009 at 20:41
Got a bridge set up and sent it to Austin, don’t see no traffic yet…
Reply
dreadedcandiru said
19th June, 2009 at 22:08
You should also send it to iranc...@iansbrain.com and
protes...@gmail.com…
Reply
Carl said
19th June, 2009 at 22:10
They’re probably pretty bogged down with emails of different kind. Your
bridge won’t relay traffic until they give its address to someone.
You could also send it to Ian at iranc...@iansbrain.com and he will
pass it on.
If you want more immediate gratification you could set it up as a relay
instead.
Reply
Danny said
20th June, 2009 at 00:23
cool!
my best bet would be a GUI-less remote Linux server (not too old Ubuntu
– I forget which), any chance you could do a command-line version of
the instructions?
Reply
Carl said
20th June, 2009 at 07:28
When I get back to civilization, I will
Reply
philbb said
20th June, 2009 at 07:00
I keep getting a “Failed to retrieve port mapping” error when testing
my connection. Any help?
Reply
Carl said
20th June, 2009 at 07:27
Have you tried changing the ports around? Are you running win/osx or
linux/unix?
Reply
Ian said
20th June, 2009 at 07:17
I have been instructed to keep my secure list up for a few weeks or
longer by someone in the know.
Reply
Carl said
20th June, 2009 at 07:29
Goodie
Reply
philbb said
20th June, 2009 at 07:30
Sorry about the lack of info. I’m running WinXP. I’m trying to set up a
bridge. And yes, I’ve tried various ports.
Reply
philbb said
20th June, 2009 at 09:45
I’m still getting the “Failed to retrieve a port mapping” error, but
everything seems to be working.
Reply
Carl said
20th June, 2009 at 10:04
Good. Could it be a UPnP error maybe?
Reply
oriste said
20th June, 2009 at 14:14
Is it useful to set up a Tor bridge when one doesn’t have a FIXED IP
address? If not, can you make this explicit in the article and advise
those on dynamic IP addresses to set up relays instead?
Keep up the good work.
Reply
Carl said
20th June, 2009 at 16:49
From what I understand of
(http://anonymous.livelyblog.com/2007/08/01/tor-needs-bridge-support-testers/)
Relevant part:
“Then clients that use your bridge can add
UpdateBridgesFromAuthority 1
to their torrc, and now even if your IP:port change (for example you’re
on a dynamic IP address), they’ll still be able to find you again.”
you can run a bridge on a dynamic IP.
Reply
oriste said
21st June, 2009 at 16:38
Thanks for explaining that. I only hope that clients using my bridge
will have the technical savvy to add that line. It was not in my
torrc.sample file and it’s not in the Vidalia user interface either.
Reply
randomhuman said
22nd June, 2009 at 12:44
Looks like that UpdateBridgesFromAuthority line was included in the
torrc by Vidalia here. I think dynamic ips may not work with our
methods of distributing the bridge addresses though, no? If the IP
changes before anybody gets a chance to use it, will it still be
possible to auto update?
Reply
Carl said
23rd June, 2009 at 07:35
Probably no.
Reply
Omir55 said
20th June, 2009 at 17:11
OK, I think I’ve got the bridge working, at least the logs say so. Now
off to publicize it. The only question is, I’m not sure which ports to
advertise, so I opened both up. My torrc file says:
SocksListenAddress a.b.c.d:9100
and
OrPort 846
This is behind a firewall set up with NAT; the actual address is
w.x.y.z. So should I be advertising w.x.y.z:846 or w.x.y.z:9100? Or
something entirely different?
Thanks for setting this page up!
Reply
Carl said
20th June, 2009 at 23:21
9100 would be vital if you want others to be able to connect to you afaik
Reply
Omir55 said
21st June, 2009 at 07:25
I finally got it working. You need to send the person who wants to
connect to you the entire machine passkey that Tor generates. Something
like w.x.y.z:9002 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
Reply
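The listener question in this exchange can be checked against the torrc itself. This is an added example, not code from the thread or from the Tor project: a small audit built on the facts that bridge clients connect to the ORPort (the address in the bridge line) while the SOCKS listener serves local applications only. The sample files are constructed from the options quoted on this page, `192.0.2.10` is a placeholder address, and the finding codes are names chosen for this example.

```python
import ipaddress

# Constructed torrc modelled on the options quoted in this thread.
SAMPLE_TORRC = """\
# relay settings
SocksListenAddress 192.0.2.10:9100
OrPort 846
BridgeRelay 1
DirPort 9030
"""

# The same bridge with the SOCKS listener on loopback, no DirPort, no exits.
HARDENED_TORRC = """\
SocksListenAddress 127.0.0.1:9100
ORPort 846
BridgeRelay 1
ExitPolicy reject *:*
"""


def parse_torrc(text):
    """Map lower-cased option names to the list of values given for them."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts


def port_of(opts, key, default):
    """Last value given for a port option; non-numeric values count as 0."""
    values = opts.get(key)
    token = (values[-1].split() or ["0"])[0] if values else str(default)
    return int(token) if token.isdigit() else 0


def socks_listeners(opts):
    """(host, port) pairs for the SOCKS listener; the default is 127.0.0.1:9050."""
    default_port = port_of(opts, "socksport", 9050)
    if default_port == 0:
        return []  # SocksPort 0 disables the client listener
    listeners = []
    for value in opts.get("sockslistenaddress", ["127.0.0.1"]):
        host, sep, port = value.rpartition(":")
        listeners.append((host, int(port)) if sep else (value, default_port))
    return listeners


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def audit(text):
    """Return (code, message) findings for a relay or bridge torrc."""
    opts = parse_torrc(text)
    findings = []
    or_port = port_of(opts, "orport", 0)
    bridge = (opts.get("bridgerelay") or ["0"])[-1] == "1"
    if or_port == 0:
        findings.append(("no-orport", "no ORPort set: nothing for clients to reach"))
    for host, port in socks_listeners(opts):
        if not is_loopback(host):
            findings.append(("socks-exposed",
                             f"SOCKS listener {host}:{port} is not on loopback"))
        if or_port and port == or_port:
            findings.append(("port-collision",
                             f"ORPort and SOCKS port are both {port}: confirm "
                             "which listener the router forwards to"))
    if bridge:
        rules = [r for v in opts.get("exitpolicy", []) for r in v.split(",")]
        if not rules or " ".join(rules[0].split()) != "reject *:*":
            findings.append(("exit-policy-open",
                             "bridge without 'ExitPolicy reject *:*' as first rule"))
        if port_of(opts, "dirport", 0):
            findings.append(("dirport-optional",
                             "DirPort is set; directory mirroring is optional"))
    return findings


def advertised_endpoint(text, public_ip):
    """The address:port part of the bridge line: public address plus ORPort."""
    or_port = port_of(parse_torrc(text), "orport", 0)
    return f"{public_ip}:{or_port}" if or_port else None


if __name__ == "__main__":
    for code, message in audit(SAMPLE_TORRC):
        print(f"{code}: {message}")
    print("advertise:", advertised_endpoint(SAMPLE_TORRC, "192.0.2.10"))
```
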
theice said
20th June, 2009 at 17:35
Took the bridge out and started relaying.
Reply
Carl said
20th June, 2009 at 23:26
Thank you
Reply
re Semblance said
21st June, 2009 at 01:32
2 questions
not seeing the “check if it works” button anywhere
what do you mean by “restart the relay”? restart tor?
Reply
Carl said
21st June, 2009 at 09:29
There is no such button.
You have to check the message log and look for the message
“Self-testing indicates your ORPort is reachable from the outside.
Excellent.”
Restart Tor, yes.
Reply
Nicky said
21st June, 2009 at 03:20
What is the risk to doing this on our end? I really want to help
Iranians but don’t want to help child pornographers.
Reply
Carl said
21st June, 2009 at 09:36
It’s hard to give anonymity to someone, without giving it to anyone.
It’s like handing out knives – you’ll make it easier for the majority
and maybe even save lives, but you’ll always have parasites who will
abuse your gift.
In your case I think running a bridge will make it less likely your
help is abused. But really no. As soon as you publicize your address
you lose control over who uses it and for what. And I am under no
illusion that there are no child pornographers in Iran.
Reply
best proxy said
21st June, 2009 at 03:41
*.*.*.* (mod: Do not publish IP here, see instructions)
Reply
best proxy said
21st June, 2009 at 03:47
*.*.*.* (mod: Do not publish IP here, see instructions)
Reply
best proxy said
21st June, 2009 at 04:29
Indirizzo IP: *.*.*.* (mod: Do not publish IP here, see instructions)
Reply