Tor: ExitNodes with obfs4 not working

t1m013y · October 8, 2024, 1:40pm

Tor successfully connects with obfs4 bridges but when I add strict ExitNodes to my torrc:

ExitNodes {nl},{de},{fi},{se},{no},{pl},{us},{it},{fr},{es}
StrictNodes 1

Tor cannot connecting and starts echoing [notice] Application request when we haven't used client functionality lately. Optimistically trying known bridges again. in logs.

I don’t know if this problem is caused by using obfs4 because I cannot connect to tor without bridges (because of censorship).

ValdikSS · October 8, 2024, 8:35pm

Try to remove Tor data directory. Sometimes the DB happens to be in inconsistent state on the older versions. Make sure that you don’t have anything important there (such as keys for hidden services).

t1m013y · October 9, 2024, 7:37pm

I deleted tor’s data directory, but it didn’t help. Still this message. When I remove ExitNodes and StrictNodes lines, tor starts working again.

ValdikSS · October 10, 2024, 1:18am

Which version do you use?

t1m013y · October 10, 2024, 1:12pm

I use tor expert bundle for Windows.

tor.exe --version output:

Tor version 0.4.8.12 (git-2beaa7557c3c93ec).
This build of Tor is covered by the GNU General Public License (https://www.gnu.org/licenses/gpl-3.0.en.html)
Tor is running on Windows 8 [or later] with Libevent 2.1.12-stable, OpenSSL 3.0.15, Zlib 1.3.1, Liblzma N/A, Libzstd N/A and Unknown N/A as libc.
Tor compiled with clang version 16.0.4

ValdikSS · October 12, 2024, 1:16pm

Well, do you have ExcludeNodes option? StrictNodes just enables strict handling of ExcludeNodes.

 StrictNodes 0|1
     If StrictNodes is set to 1, Tor will treat solely the ExcludeNodes option as a requirement to follow for all the circuits you generate, even if doing so will break functionality for you
     (StrictNodes does not apply to ExcludeExitNodes, ExitNodes, MiddleNodes, or MapAddress). If StrictNodes is set to 0, Tor will still try to avoid nodes in the ExcludeNodes list, but it will
     err on the side of avoiding unexpected errors. Specifically, StrictNodes 0 tells Tor that it is okay to use an excluded node when it is necessary to perform relay reachability self-tests,
     connect to a hidden service, provide a hidden service to a client, fulfill a .exit request, upload directory information, or download directory information. (Default: 0)

Works for me in Tor 0.4.8.12 @ Fedora with your configuration (with bridges), no issues.

t1m013y · October 13, 2024, 9:06am

Thanks! I thought that StrictNodes option is applicable to ExitNodes. I removed StrictNodes option and cleared data directory and tor connected successfully. Also I had the problem with no configured geoip files. I solved it by adding GeoIPFile and GeoIPv6File to my torrc-defaults.

My final configuration (I’m using tor expert bundle on Windows):

torrc:

SocksPort 127.0.0.1:9015
HTTPTunnelPort 127.0.0.1:9018

UseBridges 1

Bridge obfs4 ...
Bridge obfs4 ...

ExitNodes {nl},{de},{fi},{se},{no},{pl},{us},{it},{fr},{es}

ServerDNSResolvConfFile resolv.conf
AvoidDiskWrites 1

Bridges data is replaces with ...

torrc-defaults:

ClientTransportPlugin meek_lite,obfs2,obfs3,obfs4,scramblesuit,webtunnel exec tor\pluggable_transports\lyrebird.exe
ClientTransportPlugin snowflake exec tor\pluggable_transports\snowflake-client.exe
ClientTransportPlugin conjure exec tor\pluggable_transports\conjure-client.exe -registerURL https://registration.refraction.network/api

GeoIPFile data\geoip
GeoIPv6File data\geoip6
DataDirectory datadir