Idea: In a censored environment, the client (code in `bitmask-core`) can use a private proxy to speak with menshen. This communication is also obfuscated using `obfs4`. This repository holds the code of the proxy part.
1) Run the server with `--state`, but without `--persist`. This generates a certificate and caches it to the state directory (`state/obfs4_state.json`). `state/obfs4_bridgeline.txt` shows you the certificate needed for the client side (pinning).
```
mkdir state/
go run ./cmd/server --addr 127.0.0.1 --port 4430 --remote 127.0.0.1:8443 --state $(pwd)/state -v
...
pea@peabox: cat state/obfs4_bridgeline.txt
# obfs4 torrc client bridge line
#
# This file is an automatically generated bridge line based on
# the current obfs4proxy configuration. EDITING IT WILL HAVE
# NO EFFECT.
#
# Before distributing this Bridge, edit the placeholder fields
# to contain the actual values:
# <IP ADDRESS> - The public IP address of your obfs4 bridge.
```
2) Then you can run the proxy and just use the previously generated certificate. As the client pins the certificate, it's nice to have a persistent certificate.
```
go run ./cmd/server --addr 127.0.0.1 --port 4430 --remote 127.0.0.1:8443 --state $(pwd)/state -v --persist
2024/11/13 10:49:33 Using obfs4 config file: /home/pea/leap/obfsvpn/state/obfs4_state.json
DEBUG 2024/11/13 10:50:08 accepted connection from 127.0.0.1:46398
2024/11/13 10:50:08 Dialing: 127.0.0.1:8443
2024/11/13 10:50:08 Obfs4 client: 127.0.0.1:46398
--> Entering copy loop.
```
In this case, the proxy is listening on `127.0.0.1:4430` and the upstream menshen instance is listening on `127.0.0.1:8443`. To use/test this code, you need the client side part. It's documented [here](https://0xacab.org/leap/bitmask-core-cli/-/blob/347ed72416e3249bfdccd334e04d32767107e91b/README.md#testing-introducerinvite-code). It's basically a simple `curl` using the proxy+obfs4.
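
The value the client pins is the `cert=` argument of the bridge line in `state/obfs4_bridgeline.txt`. The following is an added example (not code from this repository) that extracts that value and checks it is well formed before it is handed to clients. The `Bridge obfs4 ... cert=... iat-mode=...` layout and the 52-byte certificate length are assumptions taken from upstream obfs4, because the listing above stops before that line; `pinnedCert` and the sample input are constructed for illustration.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample (not a real bridge): the cert is 52 zero bytes, unpadded base64.
var sampleBridgeline = "# obfs4 torrc client bridge line\n#\n" +
	"Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=" + strings.Repeat("A", 70) + " iat-mode=0\n"

// Assumed from upstream obfs4: cert = 20-byte node ID + 32-byte public key.
const certLen = 52

// pinnedCert returns the cert= value of the first "Bridge obfs4" line,
// rejecting values that do not decode to exactly certLen bytes.
func pinnedCert(bridgeline string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(bridgeline))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || fields[0] != "Bridge" || fields[1] != "obfs4" {
			continue // comment, blank line, or unrelated content
		}
		for _, f := range fields[2:] {
			if !strings.HasPrefix(f, "cert=") {
				continue
			}
			v := strings.TrimPrefix(f, "cert=")
			raw, err := base64.RawStdEncoding.DecodeString(v)
			if err != nil || len(raw) != certLen {
				return "", fmt.Errorf("malformed cert (%d bytes decoded, err=%v)", len(raw), err)
			}
			return v, nil
		}
		return "", fmt.Errorf("bridge line has no cert= argument")
	}
	return "", fmt.Errorf("no Bridge obfs4 line found")
}

func main() {
	// Replace sampleBridgeline with the contents of state/obfs4_bridgeline.txt.
	cert, err := pinnedCert(sampleBridgeline)
	fmt.Println(cert, err)
}
```

Running the same check on the file before and after a restart with `--persist` and comparing the two results confirms that the pin clients already hold is still valid.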