1. Enable Automatic Software Updates
One of the most important things to keep your relay secure is to install security updates timely and ideally automatically so you can not forget about it.
Follow the instructions to enable automatic software updates for your operating system.
2. Install epel-release
To install the tor
package on CentOS/RHEL, you need to enable the use of the EPEL Repository first. To do so, you must install the epel-release
package:
# yum install epel-release
Recent versions of CentOS/RHEL are using dnf
instead of yum
:
# dnf install epel-release
If you are on a recent version that uses dnf
, please keep using it for the following steps where yum
is called on this setup guide.
3. Configure Tor Project's Repository
Configuring the Tor Project's Repository for CentOS/RHEL consists basically on setting up /etc/yum.repos.d/Tor.repo
with the following content:
[tor]
name=Tor for Enterprise Linux $releasever - $basearch
baseurl=https://rpm.torproject.org/centos/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=https://rpm.torproject.org/centos/public_gpg.key
cost=100
4. Install Tor
Once you are set with EPEL and the Tor repositories, you are now able to install the package:
# yum install tor
Please note that when you are installing the first package from the EPEL repository you will be asked about verifying the EPEL's GPG signing key.
Please ensure the key matches with the one available on the Fedora Project website.
This will also happens when installing packages from Tor's repository for the first time - again you must ensure the key matches.
5. Build lyrebird (obfs4proxy) and move it into place.
Heavily outdated versions of git can make go get
fail, so try upgrading to a more recent git version if you're running into this problem.
Install the golang package and other dependencies:
# yum install git golang policycoreutils-python-utils
Now build the binary, and move it to a proper directory:
git clone https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird
cd lyrebird
make build
sudo cp .//lyrebird /usr/local/bin/
# chcon --reference=/usr/bin/tor /usr/local/bin/lyrebird
6. Edit your Tor config file, usually located at /etc/tor/torrc
and replace its content with:
RunAsDaemon 1
BridgeRelay 1
# Replace "TODO1" with a Tor port of your choice. This port must be externally
# reachable. Avoid port 9001 because it's commonly associated with Tor and
# censors may be scanning the Internet for this port.
ORPort TODO1
ServerTransportPlugin obfs4 exec /usr/local/bin/lyrebird
# Replace "TODO2" with an obfs4 port of your choice. This port must be
# externally reachable and must be different from the one specified for ORPort.
# Avoid port 9001 because it's commonly associated with
# Tor and censors may be scanning the Internet for this port.
ServerTransportListenAddr obfs4 0.0.0.0:TODO2
# Local communication port between Tor and obfs4. Always set this to "auto".
# "Ext" means "extended", not "external". Don't try to set a specific port
# number, nor listen on 0.0.0.0.
ExtORPort auto
# Replace "<address@email.com>" with your email address so we can contact you if
# there are problems with your bridge. This is optional but encouraged.
ContactInfo <address@email.com>
# Pick a nickname that you like for your bridge. This is optional.
Nickname PickANickname
Don't forget to change the ORPort
, ServerTransportListenAddr
, ContactInfo
, and Nickname
options.
- Note that both Tor's OR port and its obfs4 port must be reachable. If your bridge is behind a firewall or NAT, make sure to open both ports. You can use our reachability test to see if your obfs4 port is reachable from the Internet.
7. Restart Tor
sudo semanage port -a -t tor_port_t -p tcp [OR port set earlier, in TODO1]
sudo semanage port -a -t tor_port_t -p tcp [obfs4 port set earlier, in TODO2]
Recent versions os CentOS/RHEL which ship with systemd:
# systemctl enable --now tor
... or restart it if it was running already, so configurations take effect
# systemctl restart tor
Should you use an older release like CentOS/RHEL 6, that will be:
# service tor enable
# service tor start
8. Monitor your logs
To confirm your bridge is running with no issues, you should see something like this (usually in /var/log/tor/log
or /var/log/syslog
):
[notice] Your Tor server's identity key fingerprint is '<NICKNAME> <FINGERPRINT>'
[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME> <HASHED FINGERPRINT>'
[notice] Registered server transport 'obfs4' at '[::]:46396'
[notice] Tor has successfully opened a circuit. Looks like client functionality is working.
[notice] Bootstrapped 100%: Done
[notice] Now checking whether ORPort <redacted>:3818 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
9. Final Notes
If you are having trouble setting up your bridge, have a look at our help section.
If your bridge is now running, check out the post-install notes.