Ptadapter

Pluggable transports like meek and obfs4 can be difficult to use outside of Tor. That’s because they communicate with a parent process using a specification that is not widely implemented. ptadapter wraps pluggable transports to provide a simple local TCP interface so that pluggable transports can easily be used by other programs.

Author’s announcement: https://groups.google.com/d/msg/traffic-obf/cPc8JgwK2_k/S6TJjCweEAAJ


Here is a tutorial on using ptadapter and obfs4 to obfuscate a simple HTTP proxy.

Server

Install the dependencies.

$ sudo apt install python3-pip obfs4proxy ncat
$ sudo pip3 install ptadapter

Run your HTTP proxy, listening on a localhost port. (You can replace this step with any kind of server you want.)

$ ncat -l -k --proxy-type http 127.0.0.1 3128

Create a file called ptadapter.ini. The format is documented here

[server]
exec = /usr/bin/obfs4proxy
state = pt_state
forward = 127.0.0.1:3128
tunnels = server_obfs4
[server_obfs4]
transport = obfs4
listen = 0.0.0.0:9999 # replace this with a port of your choice

Run ptadapter on the configuration file. Now you have an external obfs4 listener on 0.0.0.0:9999 that will deobfuscate traffic and forward it to 127.0.0.1:3128.

$ ptadapter -S ptadapter.ini

Get the bridge’s certificate for pt_state/obfs4_bridgeline.txt. The important part is cert=..., the obfs4 server’s public key information. You will need it when setting up the client.

$ cat pt_state/obfs4_bridgeline.txt
Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=1/x+AlgQH0T9ZD23FUzs7SeYzDFhxIXjlbTwU7ExkAXVAmi601C4S4Auk+oRqniAIbqmXg iat-mode=0

Client

Install the dependencies.

$ sudo apt install python3-pip obfs4proxy
$ sudo pip3 install ptadapter

Create a file called ptadapter.ini. Copy the values for options-cert and options-iat-mode from pt_state/obfs4_bridgeline.txt on the server.

[client]
exec = /usr/bin/obfs4proxy
state = pt_state
tunnels = client_obfs4
[client_obfs4]
transport = obfs4
listen = 127.0.0.1:3128
upstream = <IP address of server>:9999
options-cert = 1/x+AlgQH0T9ZD23FUzs7SeYzDFhxIXjlbTwU7ExkAXVAmi601C4S4Auk+oRqniAIbqmXg
options-iat-mode = 0

Run ptadapter on the configuration file. Now you have a local listener at 127.0.0.1:3128 that will obfuscate and forward to server:9999, which will then deobfuscate and forward to its own 127.0.0.1:3128. Basically, the client’s port 3128 is connected to the server’s port 3128 through a magic obfuscated tunnel.

$ ptadapter -C ptadapter.ini

Now you can test the tunnel, treating the client’s local 127.0.0.1:3128 as if it were an HTTP proxy.

$ curl -x http://127.0.0.1:3128/ https://wtfismyip.com/text
<IP address of server>

You can also configure 127.0.0.1:3128 in your web browser, etc.

Troubleshooting

Use the -v option to make ptadapter more verbose.

$ ptadapter -vv -S ptadapter.ini
$ ptadapter -vv -C ptadapter.ini

Enable obfs4proxy logging in ptadapter.ini. The logs will appear in pt_state/obfs4proxy.log.

[server]                 
exec = /usr/bin/obfs4proxy --enableLogging --unsafeLogging --logLevel=DEBUG