Support Ukraine, Run a Bridge

Putin’s government has a deep history of repression. Ukrainians and Russian dissidents alike fear retaliation for sharing anti-Putin sentiments–and rightfully so. It was less than two years ago that a prominent political opponent of Putin was nearly assassinated by a potent nerve agent. For this reason, Russian dissidents and the innocent people in occupied Ukraine must be exceedingly cautious with their political rhetoric. The Tor network is the best available option for those individuals seeking anonymous internet access and communication, but the success of Tor depends on the efforts and resources of volunteers to keep it running. Tor is in desperate need of volunteers, and if you have a little bit of technical background and $5, you can support free speech in Ukraine, Russia, and across the world.

Evading censorship

Tor is the present-day gold standard for anonymous communication. At a high level, it works by routing its users’ internet traffic through a series of (usually) three relays. A user’s Tor browser encrypts their traffic with a series of keys only known to the user and each relay. The relays each remove a layer of encryption, as the traffic passes through on its way to the final destination–a process called onion encryption. This ensures that none of the relays know the contents of the traffic, nor do they know both the user’s IP and the destination’s IP. This provides relationship anonymity, i.e., no one can associate a user with the websites they are connecting to.

Cat and mouse

Tor is an excellent tool for dissidents, but oppressive governments aren’t stupid. Since Tor relays are publicly known, censoring governments can (and do) block access to them. They do this by blocking the IPs associated with known Tor relays.

The designers of Tor have built in a mechanism to help affected users circumvent this type of censorship. The mechanism is called a bridge relay. A bridge is just like a normal relay, but its IP address is not publicly advertised—users must request them individually as-needed.

Tor is heavily used all over the world. Every day, more than two million people connect to the Tor network. Despite this, there is an ongoing shortage of Tor relays: only about 7000 in the whole world. Tor relays are run by volunteers, and they require real servers with appropriate networking capabilities, so it’s not surprising there are so few. Bridge relays, in particular, are scarce: fewer than 2500 are operational at the moment. To make matters worse, would-be censoring governments are constantly on the lookout for bridges, and they will block them as soon as they find them. Since the bridges have to be made available to people without confirming their identities, this means that all bridges get blocked eventually. The solution: churn. Bridges need to be restarted from new IPs every few weeks.

How to help

The remaining question is: how can you help Ukraine? Unsurprisingly, bridge use has gone through the roof in both Ukraine and Russia.

[Figures: Bridge users from Ukraine; Bridge users from Russia]

These are likely people trying to avoid the prying eyes of a certain tyrannical government. If you have the computer chops to set up a bridge, this is a tangible way to help journalists and political dissidents communicate.

The following is how I started running a bridge. It can reasonably be done by any computer-savvy person (e.g. a software engineer) in about twenty minutes. This isn’t the only way to set up a bridge and I can’t guarantee that it’s the cheapest (though it’s only $5 per month), but it is certainly quick and easy.

Provision a machine

I used Digital Ocean to provision a machine. It is a reputable company that will guarantee high uptime for your instance. If you have a machine with appropriate specs, you could use that instead (and skip to Running Tor).

If you’re using Digital Ocean, follow these steps:

  1. Make an account here, and create a droplet (their name for an instance). For the image, select the Marketplace tab and then Docker on Ubuntu.

  2. For the CPU, select the shared CPU option. Among the other CPU options, “Regular Intel with SSD” is fine. Don’t waste money on a dedicated CPU, or otherwise fancy CPU. For more money you could provision a machine with more/better CPUs, but a single Intel CPU is sufficient for running a bridge and only costs five dollars per month. If you want to spend more than five dollars, it would be more productive to run multiple bridges on separate IPs. (This can be done by creating multiple droplets.)

  3. The datacenter region is not super important. I chose Germany because the goal is to mask Tor users’ traffic as normal internet traffic, and Germany has a robust internet presence (and is closer to Eastern Europe than the US, i.e., less latency).

  4. For authentication, SSH keys are always better, but if you’re going for quick and easy, the password option is fine. Just make sure to choose a secure password!

  5. From the additional options, select IPv6.

  6. Click on your droplet and go to Networking. At the bottom of the page, there are some firewall options. Set up your rules as follows:

    Inbound

    Type     Protocol  Port Range  Sources
    SSH      TCP       22          All IPv4, All IPv6
    HTTPS    TCP       443         All IPv4, All IPv6
    Custom   TCP       9001        All IPv4, All IPv6

    Outbound

    Type     Protocol  Port Range  Sources
    ICMP     ICMP                  All IPv4, All IPv6
    All TCP  TCP       All ports   All IPv4, All IPv6
    DNS TCP  TCP       53          All IPv4, All IPv6
    DNS UDP  UDP       53          All IPv4, All IPv6

  7. Once the droplet is up and running, you’ll want to access the console. There are numerous links on the page to do so. It will bring up a new browser window and drop you into an SSH-like session.

Running Tor

  1. Define bridge properties. Create a configuration file called .env, or download the template here. You can download it from the command line like so

    wget https://gitlab.torproject.org/tpo/anti-censorship/docker-obfs4-bridge/-/raw/main/.env
    

    Open the file with an editor (e.g. vim). The file should look like the following

    # Your bridge's Tor port.
    OR_PORT=X
    # Your bridge's obfs4 port.
    PT_PORT=Y
    # Your email address.
    EMAIL=Z
    
  2. Replace X with 9001. It doesn’t actually matter what port you use here, but 9001 is the standard OR port and the one opened in the firewall rules above.

  3. Replace Y with 443. This is important: it is the port your bridge will listen on, and to be maximally effective it needs to be a port that people frequently connect to. Port 443 is the default HTTPS port, so encrypted connections to it are not conspicuous.

  4. Lastly, replace Z with your email address surrounded by quotes. If you’re worried about spam, you can write it like “name [AT] email [DOT] com”, or similar. This is what the Tor network operators will use to contact you if there’s a problem with your relay.

    Your .env file should now look like the following

    # Your bridge's Tor port.
    OR_PORT=9001
    # Your bridge's obfs4 port.
    PT_PORT=443
    # Your email address.
    EMAIL="name [AT] email [DOT] com"
    
  5. Download the docker-compose.yml file, like so

    wget https://gitlab.torproject.org/torproject/anti-censorship/docker-obfs4-bridge/raw/main/docker-compose.yml
    

    Note that this file must be in the same directory as the .env file from above.

  6. You are now ready to start the bridge. From the same directory, run

    docker-compose up -d obfs4-bridge
    

    You should see output like

    Creating root_obfs4-bridge_1 ... done
    

    Congrats! You are now running a Tor bridge relay. To make sure everything has gone smoothly, you can check the Tor logs

    docker logs root_obfs4-bridge_1
    

In the logs, one line will look something like

   Your Tor bridge's hashed identity key  fingerprint is 'DockerObfs4Bridge 72D839E2A373C515596B0A45DCF6BF340119713C'

If you go to the Tor metrics relay search and enter the fingerprint, details about the relay will appear. Note that it will not show up until the relay has undergone some automated validation, which may take a few hours. Also note that it is beneficial to restart your relay from a new machine (or droplet in Digital Ocean) every couple of weeks to evade censorship.
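A pre-flight check for the .env file and a helper that pulls the fingerprint out of the logs, as an added example that is not part of the original post or the docker-obfs4-bridge project. The function names and the ALLOWED_PORTS list (taken from the inbound firewall rules above) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the docker-obfs4-bridge project.
# ALLOWED_PORTS is an assumption: the inbound firewall rules from this guide.
ALLOWED_PORTS="443 9001"

# env_get KEY FILE: parse the value instead of sourcing the file, which
# would execute anything written in it.
env_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# check_env FILE: return 0 if the bridge settings are usable, 1 otherwise.
check_env() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    or_port=$(env_get OR_PORT "$file")
    pt_port=$(env_get PT_PORT "$file")
    for port in "$or_port" "$pt_port"; do
        case $port in
            ''|*[!0-9]*) echo "not a port number: '$port'" >&2; rc=1; continue ;;
        esac
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) echo "port $port is not opened in the firewall" >&2; rc=1 ;;
        esac
    done
    [ "$or_port" != "$pt_port" ] || { echo "OR_PORT and PT_PORT must differ" >&2; rc=1; }
    [ -n "$(env_get EMAIL "$file" | tr -d '"')" ] || { echo "EMAIL is empty" >&2; rc=1; }
    return $rc
}

# bridge_fingerprint: read Tor log text on stdin and print the 40-hex-digit
# hashed fingerprint from the last matching line (nothing if none matches).
bridge_fingerprint() {
    sed -n "s/.*hashed identity key *fingerprint is '[^ ]* \([0-9A-F]\{40\}\)'.*/\1/p" | tail -n 1
}

# Demo input: the sample log line quoted in this guide.
SAMPLE_LOG="Your Tor bridge's hashed identity key  fingerprint is 'DockerObfs4Bridge 72D839E2A373C515596B0A45DCF6BF340119713C'"
printf '%s\n' "$SAMPLE_LOG" | bridge_fingerprint

# Real use, from the directory holding .env and docker-compose.yml:
#   check_env .env && docker-compose up -d obfs4-bridge
#   docker logs root_obfs4-bridge_1 2>&1 | bridge_fingerprint
```

An unedited template (OR_PORT=X, PT_PORT=Y) fails the check, as does a port that was never opened in the firewall, so both mistakes surface before the container starts.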

For additional details and debugging advice, see the Tor website.

This is a difficult time for many people, and if you are like me, you probably feel pretty useless right now. Running a Tor bridge is no replacement for donating money to the Ukrainian cause or the work people are doing on the ground in Ukraine. But it will help Ukrainians and Russian dissidents communicate safely–and that’s worth something.

🇺🇦 Slava Ukraini 🇺🇦