1. Enable Automatic Software Updates

One of the most important things to keep your relay secure is to install security updates timely and ideally automatically so you can not forget about it. Follow the instructions to enable automatic software updates for your operating system.

2. Configure Tor Project's Repository

Configuring the Tor Project's Repository for Fedora consists basically on setting up /etc/yum.repos.d/Tor.repo with the following content:

[tor]
name=Tor for Fedora $releasever - $basearch
baseurl=https://rpm.torproject.org/fedora/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=https://rpm.torproject.org/fedora/public_gpg.key
cost=100

More information about it can be found here.

3. Install tor

Once you are set configuring the Tor repository, you are now able to install the package:

# dnf install tor

4. Install obfs4proxy

We are opting here to install and use obfs4 as pluggable transport, so we are going to install obfs4proxy.

Different from other Linux distributions, Fedora offers a binary package we can use. It's available since Fedora 33.

The package is called obfs4 and this is all you need to install it:

# dnf install obfs4

For more information about installing or building obfs4proxy from source, please refer to its official documentation.

5. Edit your Tor config file, usually located at /etc/tor/torrc and replace its content with:

RunAsDaemon 1
BridgeRelay 1

# Replace "TODO1" with a Tor port of your choice.  This port must be externally
# reachable.  Avoid port 9001 because it's commonly associated with Tor and
# censors may be scanning the Internet for this port.
ORPort TODO1

ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy

# Replace "TODO2" with an obfs4 port of your choice.  This port must be
# externally reachable and must be different from the one specified for ORPort.
# Avoid port 9001 because it's commonly associated with
# Tor and censors may be scanning the Internet for this port.
ServerTransportListenAddr obfs4 0.0.0.0:TODO2

# Local communication port between Tor and obfs4.  Always set this to "auto".
# "Ext" means "extended", not "external".  Don't try to set a specific port
# number, nor listen on 0.0.0.0.
ExtORPort auto

# Replace "<address@email.com>" with your email address so we can contact you if
# there are problems with your bridge.  This is optional but encouraged.
ContactInfo <address@email.com>

# Pick a nickname that you like for your bridge.  This is optional.
Nickname PickANickname

Don't forget to change the ORPort, ServerTransportListenAddr, ContactInfo, and Nickname options.

  • Note that both Tor's OR port and its obfs4 port must be reachable. If your bridge is behind a firewall or NAT, make sure to open both ports. You can use our reachability test to see if your obfs4 port is reachable from the Internet.

5. Disable SeLinux

Check wether SeLinux is set to "Enforcing".

# getenforce

If set to "Enforcing", change Status to "Permissive".

# setenforce 0

6. Restart Tor

# systemctl enable --now tor

7. Monitor your logs

To confirm your bridge is running with no issues, you should see something like this (usually in /var/log/tor/log or /var/log/syslog):

[notice] Your Tor server's identity key fingerprint is '<NICKNAME> <FINGERPRINT>'
[notice] Your Tor bridge's hashed identity key fingerprint is '<NICKNAME> <HASHED FINGERPRINT>'
[notice] Registered server transport 'obfs4' at '[::]:46396'
[notice] Tor has successfully opened a circuit. Looks like client functionality is working.
[notice] Bootstrapped 100%: Done
[notice] Now checking whether ORPort <redacted>:3818 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
[notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.

8. Final Notes

If you are having trouble setting up your bridge, have a look at our help section. If your bridge is now running, check out the post-install notes.