TOR obfs4 Bridge with IAT-MODE=2 - extended configuration
The basic instructions for setting up a bridge can be found on the Tor Project website (CIRCUMVENTION | Tor Project | Tor Browser Manual). This post shows how the instructions work in practice for a specific scenario: a censorship-resistant configuration on a Debian system. The specific requirements here are inspired by comments on the Tor Project forum about the needs of users in countries with extreme censorship. (https://forum.torproject.org/t/tor-relays-we-need-bridges-with-iat-mode-set-to-1-and-especially-2-as-well/1833) Tor obfs4 bridges have a rarely used packet length obfuscation feature:
iat-mode=0 (no obfuscation)
iat-mode=1 (split data into fixed-length packets)
iat-mode=2 (split data into variable-length packets)
By using obfs4 on a private bridge with obfuscated inter-arrival time (IAT) due to variable-length packets, Tor is in its most obfuscated configuration. The downside of a private bridge is that only you and your friends can use it. You could make the bridge public, but then it would be vulnerable to having your IP address scraped by certain countries. So consider the alternative of helping people in extremely censored countries. After you have set up and tested your bridge, send your private bridge line to frontdesk@torproject.org. You'll be sharing your bridge with people who really need it!
Here is an example configuration:
Log notice file /var/log/tor/log
ORPort 9123 IPv4Only
Address XX.XX.XX.XX
ExtORPort auto
BridgeRelay 1
PublishServerDescriptor bridge
BridgeDistribution none
ExitPolicy reject *:*
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:9456
ServerTransportOptions obfs4 iat-mode=2
ContactInfo you@example.com
Nickname YourBridgeNickname
ControlPort 9051
CookieAuthentication 1