Thanks for operating relay and bridges!
Is it accurate that my bridge provides both obfs4 and vanilla, not exclusively obfs4?
yes, though vanilla bridges are not very useful in practice. They are easy to detect, many censors, and some sufficiently smart firewalls, can block them right away.
I’ve configured a random high port as ORPort
and port 443 as ServerTransportListenAddr obfs4
, as clients will connect to my obfs4 port, correct?
As your bridge appear to be both vanilla and obfs4, you should expect connection to both, but mostly obfs4 as it’s used way more.
If I wish to put it into “production” now, is it adequate to simply remove BridgeDistribution none
and reload the process? Do I need to restart it?
It’s enough to remove that line and reload tor.
Who then decides which distribution method is used? The authorities? Should I actively choose a method?
If you don’t specify a distribution mechanism, rdsys/bridgedb (the thing in charge of distributing bridges) will pick one at random, weighted on what might be more useful.
My VPS has a static IP address, but since bridges are eventually blocked by censors, should I migrate the relay to a new VPS after some time?
The answer is probably yes, but defining “some time” is not trivial. On one side, as you said, it’s likely your IP will get blocked by censors after some time. This means rotating IPs is probably a good idea. On the other side, when you change your bridge IP, users which knew about it no longer do (including users somewhere were censors block tor, but lack the capabilities to efficiently block bridges). Once all the bridge they have changed, they have to ask for more bridges, which to them is effectively as if their bridges got blocked.
I think 1 year is long enough that the benefit of changing IP (no longer be blocked by stronger censors) outweigh the cost of breaking a bridge that was working for other people.
Note that there seems to be a bug which causes bridge distribution to sometime get stuck as None on metrics.tpo. If your bridge looks like it’s working, that you get a nice obfs4: functional
message from bridges.tpo, but that it’s still being shown as not distributed, the issue is probably not on your side.