1. Enable Automatic Software Updates

One of the most important things to keep your relay secure is to install security updates timely and ideally automatically so you can not forget about it. Follow the instructions to enable automatic software updates for your operating system.

2. Bootstrap pkg

This guide assumes we have already a base installation of FreeBSD running, and only the base system. That means we do not have any packages installed, or even the pkg packages manager itself (there's no sudo available - we are running commands as root).

To bootstrap and install pkg we should run the following command:

# pkg bootstrap
# pkg update -f

To follow upstream updates in a "faster way" we recommend changing the 'quarterly' branch used by pkg to its 'latest' branch.

One additional step is to prefer using HTTPS to fetch our packages, and updates - so here we also need an extra package to help us out (ca_root_nss).

Installing the ca_root_nss package:

# pkg install ca_root_nss

We are keeping the original setting used by pkg but setting a new one that will override it. So we set up a new directory, and then create a configuration file to override what we need. This configuration file will be /usr/local/etc/pkg/repos/FreeBSD.conf.

Creating the new directory:

# mkdir -p /usr/local/etc/pkg/repos

This is how the new configuration file /usr/local/etc/pkg/repos/FreeBSD.conf must look like:

FreeBSD: {
  url: pkg+https://pkg.freebsd.org/${ABI}/latest
}

After applying all these changes, we update the packages list again and try to check if there's already a new update to apply:

# pkg update -f
# pkg upgrade -y -f

3. Install Tor

You can choose to install the stable version (recommended):

# pkg install tor

Or install an alpha release:

# pkg install tor-devel

4. Install obfs4proxy

# pkg install obfs4proxy-tor

5. Edit your Tor config file, usually located at /usr/local/etc/tor and replace its content with:

RunAsDaemon 1
BridgeRelay 1

# Αντικαταστήστε το "TODO1" με την πόρτα Tor που επιθυμείτε. Η πόρτα πρέπει να έχει εξωτερική πρόσβαση.
# προσβάσιμη. Αποφύγετε τη θύρα 9001 επειδή χρησιμοποιείται συνήθως από το Tor και 
# ενδέχεται να πραγματοποιείται σάρωση για έλεγχο Διαδικτύου για αυτήν την πόρτα.
ORPort TODO1

ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy

# Αντικαταστήστε το "TODO2" με μια πόρτα obfs4 της επιλογής σας.  Η πόρτα πρέπει να είναι
# εξωτερικά προσβάσιμη και διαφορετική από αυτή του ORPort.
# Αποφύγετε τη χρήση της πόρτας 9001 επειδή χρησιμοποιείται συνήθως από
# το Tor και ελεγκτές για σάρωση του Διαδικτύου από αυτή την πόρτα.
ServerTransportListenAddr obfs4 0.0.0.0:TODO2

# Τοπική πόρτα επικοινωνίας μεταξύ του Tor και obfs4.  Ορίστε πάντα σε "αυτόματο".
# Το "Ext" σημαίνει "εκτεταμένα", όχι "εξωτερικά". Μην προσπαθήσετε να ορίσετε συγκεκριμένη θύρα
# με αριθμό, που δεν επικοινωνεί με 0.0.0.0.
ExtORPort auto

# Αντικαταστήστε το "<address@email.com>" με το δικό σας email ώστε να μπορούμε να επικοινωνήσουμε εάν
# εάν παρουσιαστεί κάποιο πρόβλημα με τη γέφυρά σας.  Είναι προαιρετικό αλλά προτείνεται η χρήση.
ContactInfo <address@email.com>

# Επιλέξτε ένα ψευδώνυμο για την γέφυρά σας. Προαιρετική επιλογή.
Ψευδώνυμο PickANickname

Log notice file /var/log/tor/notices.log

Μην ξεχάσετε να αλλάξετε τις επιλογές ORPort, ServerTransportListenAddr, ContactInfo και Nickname.

  • Note that both Tor's OR port and its obfs4 port must be reachable. If your bridge is behind a firewall or NAT, make sure to open both ports. You can use our reachability test to see if your obfs4 port is reachable from the Internet.

  • Are you using FreeBSD's firewall with a "default deny" policy? If so, make sure that your obfs4proxy can talk to your Tor process over the loopback interface. Don't forget to whitelist Tor's ExtORPort.

6. Ensure that the random_id sysctl setting is enabled

# echo "net.inet.ip.random_id=1" >> /etc/sysctl.conf
# sysctl net.inet.ip.random_id=1

7. Start the tor daemon and make sure it starts at boot

# sysrc tor_setuid=YES
# sysrc tor_enable=YES
# service tor start

8. Monitor your logs

To confirm your bridge is running with no issues, you should see something like this in /var/log/tor/notices.log:

[notice] Your Tor server's identity key fingerprint is '<NICKNAME> <FINGERPRINT>'
[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME> <HASHED FINGERPRINT>'
[notice] Registered server transport 'obfs4' at '[::]:46396'
[notice] Tor has successfully opened a circuit. Looks like client functionality is working.
[notice] Bootstrapped 100%: Done
[notice] Now checking whether ORPort <redacted>:3818 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.

9. Final Notes

If you are having trouble setting up your bridge, have a look at our help section. If your bridge is now running, check out the post-install notes.