setting up tor + obfsproxy + brdgrd to fight censhorship

*WARNING* 14/01/2014 This post is quite deprecated. For example obfsproxy has been completely rewritten in python and there is a newer and more secure replacement of obfs2, named obfs3. Please read this obfsproxy-debian-instructions for any updates.

*Updated* look at the bottom for list of changes

This post is a simple guide to create a debian/ubuntu packages out of the latest versions of Tor, obfsproxy and brdgrd in order to setup a “special gateway” and help people who face censorship issues. Sharing some of your bandwidth helps a lot of people get back their freedom.

I guess most people already know what Tor is, quoting from Tor’s website:

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.


obfsproxy is a tool that attempts to circumvent censorship, by transforming the Tor traffic between the client and the bridge. This way, censors, who usually monitor traffic between the client and the bridge, will see innocent-looking transformed traffic instead of the actual Tor traffic.


brdgrd is short for “bridge guard”: A program which is meant to protect Tor bridges from being scanned (and as a result blocked) by the Great Firewall of China.

Combining these to work together is quite easy if you follow this simple guide/howto.

////// Become root
$ sudo su -

////// Get build tools/packages
# cd /usr/src/
# apt-get install build-essential libssl-dev devscripts git-core autoconf debhelper autotools-dev libevent-dev dpatch pkg-config
# apt-get install hardening-includes asciidoc docbook-xml docbook-xsl xmlto
# apt-get install screen libnetfilter-queue-dev

////// Get latest versions of tor/obfsproxy/brdgrd
# git clone
# git clone
# git clone

////// Compile obfsproxy & create package
# cd obfsproxy/
# ./ 
# debuild -uc -us 

////// Compile tor & create package
# cd ../tor/
# ./ 
# debuild -uc -us 

////// Install packages
////// The following package versions might be different depending on your configuration. Change them appropriately by looking at the deb files in your path: ls *.deb

# cd ..
# dpkg -i tor-geoipdb_0.2.4.3-alpha-1_all.deb obfsproxy_0.1.4-2_amd64.deb tor_0.2.4.3-alpha-1_amd64.deb

////// Create Tor configuration

# cat > /etc/tor/torrc << EOF 
AvoidDiskWrites 1
DataDirectory /var/lib/tor
ServerTransportPlugin obfs2 exec /usr/bin/obfsproxy --managed
Log notice file /var/log/tor/notices.log
## If you want to enable management port uncomment the following 2 lines and add a password
## ControlPort 9051
## HashedControlPassword 16:CHANGEME
## CHANGEME_1 -> provide a nickname for your bridge, can be anything you like.
Nickname CHANGEME_1
## CHANGEME_2 -> How many KB/sec will you share. Don't be stingy! Try putting _at least_ 20 KB.
RelayBandwidthRate CHANGEME_2 KB
## CHANGEME_3 -> Put a slightly higher value than your previous one. e.g if you put 500 on CHANGEME_2, put 550 on CHANGEME_3.
RelayBandwidthBurst CHANGEME_3 KB
ExitPolicy reject *:* 
## CHANGEME_4 -> If you want others to be able to contact you uncomment this line and put your GPG fingerprint for example.
#ContactInfo CHANGEME_4
ORPort 443 
#ORPort [2001:db8:1234:5678:9012:3456:7890:1234]:443
BridgeRelay 1
## CHANGEME_5 -> If you don't want to publish your bridge in BridgeDB, so you can privately share it with your friends uncomment the following line
#PublishServerDescriptor 0

////// Restart Tor

# /etc/init.d/tor restart

////// Compile and run brdgrd
////// If you've changed ORport in Tor config above, be sure to change the "--sport 443" port below as well
////// brdgrd does not help since obfsproxy is already running in front of the bridge, but won't hurt either.

# cd brdgrd/
# make
# iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK --sport 443 -j NFQUEUE --queue-num 0
////// brdgrd Can't do IPv6 the next line is commented out
////// ip6tables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK --sport 443 -j NFQUEUE --queue-num 0
////// You can run brdgrd without root, just by setting some correct cap_net_admin rights
////// Instead of: screen -dmS brdgrd ./brdgrd -v
$ sudo screen -dmS brdgrd setcap cap_net_admin=ep ./brdgrd -v

# tail -f /var/log/tor/notices.log

The above guide has been tested on Debian Squeeze and Ubuntu 12.04.

That’s it. You just made the world a better place.

I’ve made some changes to the post according to comments on the blog post and #tor-dev.
a) Changed URLs for the git clone operations to https:// instead of git://
b) Changed brdgrd git url to instead of github.
c) Changed config sections of torrc file
d) Added some more info on brdgrd

Tor has published “official” instructions for setting up obfsproxy bridges on Debian boxes –> Setting up an Obfsproxy Bridge on Debian/Ubuntu

Update sample config to inform about unpublished bridges.

7 Responses to “setting up tor + obfsproxy + brdgrd to fight censhorship”

  1. November 2nd, 2012 | 07:25
    Using Google Chrome Google Chrome 22.0.1229.94 on Linux Linux

    Good post! Thanks for sharing..
    Although home dsl connections in Greece suck for upload bw

  2. grum
    November 4th, 2012 | 21:07
    Using Mozilla Firefox Mozilla Firefox 16.0 on Ubuntu Linux Ubuntu Linux


    Thanks for this guide! Please notice that the brdgrd repository was moved to

  3. Philipp
    November 4th, 2012 | 22:00
    Using Mozilla Firefox Mozilla Firefox 10.0 on Windows Windows 7

    Hi there,

    I am the author of brdgrd. Please note that brdgrd only makes sense when run with a normal bridge. It does not help with obfsproxy although it does not hurt either. Also, brdgrd can’t deal with IPv6 traffic.

    You can use file system capabilities so you don’t have to run the tool as root: sudo setcap cap_net_admin=ep ./brdgrd

  4. November 5th, 2012 | 10:09
    Using Debian IceWeasel Debian IceWeasel 16.0.2 on Linux Linux

    Thanks for the comment. I’ve made some amendments on the things you pointed out.

  5. sfougarakis
    December 7th, 2012 | 11:49
    Using Google Chrome Google Chrome 23.0.1271.95 on Linux Linux

    Nice post! I have a question for you.
    I have 7mbps of upstream bw that I would love to share. However I my isp is in the bad isps list and is known to not allow tor on its residential network. Would that obfuscate traffic from them too? Is it safe?

  6. December 9th, 2012 | 19:05
    Using Debian IceWeasel Debian IceWeasel 17.0.1 on Linux Linux

    Yes, you can setup an obfsproxy bridge to help people enter the Tor network. All packets arriving at your bridge will be obfuscated so they won’t be recognized as Tor.

    Don’t attempt though to set up an exit node in your “residential network”. That would be a very bad idea.

  7. March 15th, 2014 | 19:25
    Using WordPress WordPress 3.8.1

    […] part. Instructions on installing obfsproxy on Debian/Ubuntu are given in my previous blog post setting up tor + obfsproxy + brdgrd to fight censhorship. Installing netcat, the openbsd version; package name is netcat-openbsd on Debian/Ubuntu, is also […]

Leave a reply