1. Enable Automatic Software Updates

One of the most important things to keep your relay secure is to install security updates timely and ideally automatically so you can not forget about it. Follow the instructions to enable automatic software updates for your operating system.

2. Configure Tor Project's Repository

Configuring the Tor Project's package repository for Debian/Ubuntu is recommended and documented on Support portal. Please follow those instructions before proceeding.

Note: Ubuntu users need to get Tor from the Tor Project's repository.

3. Install Tor

Ensure you update the packages database before installing the package, than call apt to install it:

# apt update
# apt install tor

4. Install obfs4proxy

On Debian, the latest version obfs4proxy package is available in stable-backports. By default, backports packages are not installed, so to install the latest version of obfs4proxy you need to use the following command sudo apt install -t bullseye-backports obfs4proxy or to pin the package with a config similar to this one that you will place in /etc/apt/preferences.d/obfs4proxy.pref.

Explanation: tor meta, always run latest version of obfs4proxy
Package: obfs4proxy
Pin: release a=bullseye-backports
Pin-Priority: 500

On Ubuntu, bionic, cosmic, disco, eoan, and focal have the package. If you're running any of them, sudo apt-get install obfs4proxy should work.

If not, you can build it from source.

5. Edit your Tor config file, usually located at /etc/tor/torrc and replace its content with:

BridgeRelay 1

# Replace "TODO1" with a Tor port of your choice.
# This port must be externally reachable.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ORPort TODO1

ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy

# Replace "TODO2" with an obfs4 port of your choice.
# This port must be externally reachable and must be different from the one specified for ORPort.
# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
ServerTransportListenAddr obfs4 0.0.0.0:TODO2

# Local communication port between Tor and obfs4.  Always set this to "auto".
# "Ext" means "extended", not "external".  Don't try to set a specific port number, nor listen on 0.0.0.0.
ExtORPort auto

# Replace "<address@email.com>" with your email address so we can contact you if there are problems with your bridge.
# This is optional but encouraged.
ContactInfo <address@email.com>

# Pick a nickname that you like for your bridge.  This is optional.
Nickname PickANickname

Don't forget to change the ORPort, ServerTransportListenAddr, ContactInfo, and Nickname options.

Note that both Tor's OR port and its obfs4 port must be reachable. If your bridge is behind a firewall or NAT, make sure to open both ports. You can use our reachability test to see if your obfs4 port is reachable from the Internet.

(Optional) Configure systemd to allow obfs4 binding on privileged ports

If you decide to use a fixed obfs4 port smaller than 1024 (for example 80 or 443), you will need to configure systemd and give obfs4 CAP_NET_BIND_SERVICE capabilities to bind the port with a non-root user:

sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy

To work around systemd hardening, you will also need to edit and change the configuration.

Run the command:

sudo systemctl edit tor@.service tor@default.service

In the editor, enter the following text, then save and quit.

[Service]
NoNewPrivileges=no

In the second editor that appears, enter the same text, then save and quit.

[Service]
NoNewPrivileges=no

If everything worked correctly, you will now have two files /etc/systemd/system/tor@.service.d/override.conf and /etc/systemd/system/tor@default.service.d/override.conf containing the text you entered.

Now restart tor service:

sudo service tor restart

There is no need to run systemctl daemon-reload because systemctl edit does it automatically. For more details, see ticket 18356.

6. Restart Tor

Enable and Start tor:

# systemctl enable --now tor.service

Or restart it if it was running already, so configurations take effect:

# systemctl restart tor.service

7. Monitor your logs

To confirm your bridge is running with no issues, you should see something like this (usually in /var/log/syslog or run # journalctl -e -u tor@default):

[notice] Your Tor server's identity key fingerprint is '<NICKNAME> <FINGERPRINT>'
[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME> <HASHED FINGERPRINT>'
[notice] Registered server transport 'obfs4' at '[::]:46396'
[notice] Tor has successfully opened a circuit. Looks like client functionality is working.
[notice] Bootstrapped 100%: Done
[notice] Now checking whether ORPort <redacted>:3818 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.

8. Final Notes

If you are having trouble setting up your bridge, have a look at our help section. If your bridge is now running, check out the post-install notes.