# Support Ukraine, Run a Bridge

### Provision a machine

I used Digital Ocean to provision a machine. It is a reputable company that will guarantee high uptime for your instance. If you have a machine with appropriate specs, you could use that instead (and skip to Running Tor).

If you’re using Digital Ocean, follow these steps:

1. Make an account here, and create a droplet (their name for an instance). For the image, select the Marketplace tab and then Docker on Ubuntu.

2. For the CPU, select the shared CPU option. Among the other CPU options, “Regular Intel with SSD” is fine. Don’t waste money on a dedicated or otherwise fancy CPU. For more money you could provision a machine with more or better CPUs, but a single Intel CPU is sufficient for running a bridge and only costs five dollars per month. If you want to spend more than five dollars, it would be more productive to run multiple bridges on separate IPs. (This can be done by creating multiple droplets.)

3. The datacenter region is not super important. I chose Germany because the goal is to mask Tor users’ traffic as normal internet traffic, and Germany has a robust internet presence (and is closer to Eastern Europe than the US, i.e., less latency).

4. For authentication, SSH keys are always better, but if you’re going for quick and easy, the password option is fine. Just make sure to choose a secure password!

5. From the additional options, select IPv6.

6. Click on your droplet and go to Networking. At the bottom of the page, there are some firewall options. Set up your rules as follows:

Inbound

| Type | Protocol | Port Range | Sources |
| --- | --- | --- | --- |
| SSH | TCP | 22 | All IPv4, All IPv6 |
| HTTPS | TCP | 443 | All IPv4, All IPv6 |
| Custom | TCP | 9001 | All IPv4, All IPv6 |

Outbound

| Type | Protocol | Port Range | Sources |
| --- | --- | --- | --- |
| ICMP | ICMP | | All IPv4, All IPv6 |
| All TCP | TCP | All ports | All IPv4, All IPv6 |
| DNS TCP | TCP | 53 | All IPv4, All IPv6 |
| DNS UDP | UDP | 53 | All IPv4, All IPv6 |

7. Once the droplet is up and running, you’ll want to access the console. There are numerous links on the page to do so. It will bring up a new browser window and drop you into an SSH-like session.

### Running Tor

1. Define bridge properties. Create a configuration file called .env, or download the template here. You can download it from the command line like so:

```sh
wget https://gitlab.torproject.org/tpo/anti-censorship/docker-obfs4-bridge/-/raw/main/.env
```

Open the file with an editor (e.g. vim). The file should look like the following:

```sh
# Your bridge's Tor port.
OR_PORT=X
PT_PORT=Y
EMAIL=Z
```

2. Replace X with 9001. It doesn’t actually matter which port you use here, but 9001 is the standard OR port.

3. Replace Y with 443. This one is important: it is the port your bridge will listen on, and to be maximally effective it needs to be a port that people frequently connect to. Port 443 is the default HTTPS port, so encrypted connections to it are not conspicuous.

4. Lastly, replace Z with your email address surrounded by quotes. If you’re worried about spam, you can write it like “name [AT] email [DOT] com”, or similar. This is what the Tor network operators will use to contact you if there’s a problem with your relay.

Your .env file should now look like the following:

```sh
# Your bridge's Tor port.
OR_PORT=9001
PT_PORT=443
EMAIL="name [AT] email [DOT] com"
```

5. Download the docker-compose.yml file, like so:

```sh
wget https://gitlab.torproject.org/torproject/anti-censorship/docker-obfs4-bridge/raw/main/docker-compose.yml
```

Note that this file must be in the same directory as the .env file from above.

6. You are now ready to start the bridge. From the same directory, run:

```sh
docker-compose up -d obfs4-bridge
```

You should see output like:

```
Creating root_obfs4-bridge_1 ... done
```

Congrats! You are now running a Tor bridge relay. To make sure everything has gone smoothly, you can check the Tor logs:

```sh
docker logs root_obfs4-bridge_1
```

In the logs, one line will look something like:

```
Your Tor bridge's hashed identity key fingerprint is 'DockerObfs4Bridge 72D839E2A373C515596B0A45DCF6BF340119713C'
```

If you go to the Tor metrics relay search and enter the fingerprint, details about the relay will appear. Note that it will not show up until the relay has undergone some automated validation, which may take a few hours. Also note that it is beneficial to restart your relay from a new machine (or droplet in Digital Ocean) every couple of weeks to evade censorship, since censors eventually discover and block the addresses of long-lived bridges.
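As an added example that is not part of the original guide or of the Tor project’s docker-obfs4-bridge repository, here is a small POSIX shell helper that checks the .env values from steps 2 to 4 (catching an unedited X/Y/Z template) and pulls the 40-character fingerprint out of the log line shown above so it can be pasted into relay search. The function names and the sample log line constant are mine; the log line itself is the one from the guide.

```sh
#!/bin/sh
# Added example, not from the original post or the Tor project: sanity-check
# the bridge's .env and extract the fingerprint from the container logs.

# Constructed sample: the fingerprint line as tor writes it inside the container.
SAMPLE_LOG="Your Tor bridge's hashed identity key fingerprint is 'DockerObfs4Bridge 72D839E2A373C515596B0A45DCF6BF340119713C'"

# Print the value of KEY from a .env file, with surrounding double quotes removed.
# Usage: env_value FILE KEY
env_value() {
    sed -n "s/^$2=//p" "$1" | sed 's/^"\(.*\)"$/\1/'
}

# Return 0 when OR_PORT and PT_PORT are numeric TCP ports and EMAIL is set.
# Prints one line per problem; an unedited template (X/Y/Z) fails here.
check_env() {
    _rc=0
    for _key in OR_PORT PT_PORT; do
        _val=$(env_value "$1" "$_key")
        case "$_val" in
            ''|*[!0-9]*) echo "$_key is not a number: '$_val'"; _rc=1 ;;
            *) if [ "$_val" -lt 1 ] || [ "$_val" -gt 65535 ]; then
                   echo "$_key is out of range: $_val"; _rc=1
               fi ;;
        esac
    done
    # 443 is advice, not a hard requirement, so only warn about it.
    [ "$(env_value "$1" PT_PORT)" = 443 ] || echo "note: PT_PORT is not 443; clients blend in best on 443"
    [ -n "$(env_value "$1" EMAIL)" ] || { echo "EMAIL is empty"; _rc=1; }
    return $_rc
}

# Read tor log output on stdin and print the first 40-hex-digit fingerprint
# found on the 'hashed identity key fingerprint' line (nickname is skipped).
# Usage: docker logs root_obfs4-bridge_1 2>&1 | bridge_fingerprint
bridge_fingerprint() {
    sed -n "s/.*hashed identity key *fingerprint is '[^ ']* *\([0-9A-F]\{40\}\)'.*/\1/p" | head -n 1
}
```

Run `check_env .env` in the directory holding your .env before `docker-compose up`, and pipe `docker logs` into `bridge_fingerprint` afterwards to get just the fingerprint.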