Before we start, you will need a Debian VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your Debian server.
Now regarding the choice of location for the server, in order to make sure that Tor remains decentralised, make sure that you are picking a country that doesn't have many tor nodes (see the bubbles graph):
Disclaimer: Do not host your Tor node in Germany, Netherlands or in the US, as there are already too many nodes in those countries. Try to run your own Tor nodes in countries that have the least nodes preferably, as this will help keeping the Tor network decentralized.
apt update -y && apt upgrade -y
apt install curl tmux vim obfs4proxy nyx gnupg2 -y
root@Datura:~# cat /etc/apt/sources.list |head -n3
deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
root@Datura:~# wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
apt update -y
apt install tor nyx
#To configure tor we need to edit the configuration file with the following entry. Replace the TODOs with the port numbers you wish to use
#Open conf file
vim /etc/tor/torrc
#Added configuration
BridgeRelay 1
# Replace "TODO1" with a Tor port of your choice.
# This port must be externally reachable.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ORPort 37051
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
# Replace "TODO2" with an obfs4 port of your choice.
# This port must be externally reachable and must be different from the one specified for ORPort.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ServerTransportListenAddr obfs4 0.0.0.0:8042
# Local communication port between Tor and obfs4. Always set this to "auto".
# "Ext" means "extended", not "external". Don't try to set a specific port number, nor listen on 0.0.0.0.
ExtORPort auto
# Replace "<address@email.com>" with your email address so we can contact you if there are problems with your bridge.
# This is optional but encouraged.
ContactInfo nihilist@nowhere.moe
# Pick a nickname that you like for your bridge. This is optional.
Nickname Nihilist
Then restart the tor service + enable it:
#Restart service
systemctl restart tor@default
#Enable at boot
systemctl enable --now tor@default
Once it finished installing, you can monitor your tor bridge node activity with nyx:
sudo -u debian-tor nyx
Next install tor-browser (in arch linux you can do it from the AUR), if not just go to the downloads page.
yay -S torbrowser-launcher
Then Launch it, and go in your preferences:
Here specifying your own bridge is not that simple, you need to use the following syntax:
Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=<CERTIFICATE> iat-mode=0
First find the ip address of your server:
root@debian-s-1vcpu-1gb-lon1-01:~# curl ifconfig.me && echo && echo
134.209.26.190
Next find the port :
sudo -u debian-tor nyx
Just hit right arrow 3 times to get to your torrc config preview:
And here we have port 8042. Next we need the fingerprint which is at page 1 of nyx, so press leftarrow to get back to page 1 and then scroll down using the downarrow:
Here it is 829165B21621041E7A9CDF7192AFFC51CA640B0E, be careful not to copy the other one above which is the HASHED identity key. Here we want the original identity key fingerprint. After this, we need the server's certificate:
root@debian-s-1vcpu-1gb-lon1-01:~# cat /var/lib/tor/pt_state/obfs4_bridgeline.txt
# obfs4 torrc client bridge line
#
# This file is an automatically generated bridge line based on
# the current obfs4proxy configuration. EDITING IT WILL HAVE
# NO EFFECT.
#
# Before distributing this Bridge, edit the placeholder fields
# to contain the actual values:
# <IP ADDRESS> - The public IP address of your obfs4 bridge.
# <PORT> - The TCP/IP port of your obfs4 bridge.
# <FINGERPRINT> - The bridge's fingerprint.
Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=L04rcSpDJb9xdGUy/LgAlxbNgtQUWPJFsdF3q2i8lKRmzffiVFJU5ARjr4RYXRZSrsNYXg iat-mode=0
Here in this case we need the last part: cert=L04rcSpDJb9xdGUy/LgAlxbNgtQUWPJFsdF3q2i8lKRmzffiVFJU5ARjr4RYXRZSrsNYXg iat-mode=0
And so we combine it all to get the string we need:
Bridge obfs4 134.209.26.190:8042 829165B21621041E7A9CDF7192AFFC51CA640B0E cert=L04rcSpDJb9xdGUy/LgAlxbNgtQUWPJFsdF3q2i8lKRmzffiVFJU5ARjr4RYXRZSrsNYXg iat-mode=0
Paste it in and hit "new identity":
Then we check if it is working on check.torproject.org:
And that's it! we have been able to use our own VPS-hosted tor bridge!
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@contact.nowhere.moe (PGP)