Console Script Guide¶

The console script can be used to build a standalone PT tunnel. Borrowing from the illustration in PT specifications:

+------------+                    +-------------------+
| Client App +-- Local Loopback --+ ptadapter Client  +--+
+------------+                    +-------------------+  |
                                                         |
    Public Internet (Obfuscated/Transformed traffic) ==> |
                                                         |
+------------+                    +-------------------+  |
| Server App +-- Local Loopback --+ ptadapter Server  +--+
+------------+                    +-------------------+

One copy of ptadapter runs on the client host, and one copy runs on the server host. The client app connects to the client-side ptadapter, which obfuscates traffic and sends it to the server-side ptadapter, which then unobfuscates it and forward it to the server app.

Invocation¶

If ptadapter is installed via pip, simply run it by name:

$ ptadapter

Otherwise, ensure the ptadapter directory is in the working directory or somewhere else in PYTHONPATH, and run:

$ python -m ptadapter

(All examples below will use the first format. Add python -m to the command line yourself where appropriate.)

Running ptadapter without command line arguments will print a brief usage message and an error. To see an explanation of the available command line arguments, run:

$ ptadapter --help

In most cases, the command line arguments required are pretty simple. To create the server end of an obfuscated tunnel, run:

$ ptadapter -S <config-file>

And to create the client end, run:

$ ptadapter -C <config-file>

But then, what should the config file look like?

Config file¶

Config files for ptadapter are written in the familiar INI format. For the client side, a [client] section is required, while for the server side a [server] section is required. In these sections, basic configuration options about the PT are specified, as well as a list of section names, where each of the named section describes a single transport to be used.

Below is an example config file. Please read the comments before writing your own config file, and do not copy the file wholesale.

# This is the example configuration file for ptadapter's console script.
#
# Lines beginning with "#" are comments.
#
# Use absolute paths whenever possible.
# If a relative path is used in any path config, it will be converted to an
# abosolute path relative to the working directory when ptadapter starts.
#
# Section names are case-insensitive. Do not use the section name "default" or
# any case variation thereof.
#
# It is possible to have separate client and server configuration in the same
# config file.
#
# This file is for demonstration purposes. If two instances of ptadapter
# is run using this config file, one as server and one as client, three
# separate PT tunnels will be established, between client ends
# 127.0.0.1:8000, 127.0.0.1:8001 and 127.0.0.1:8002, and the server end
# 127.0.0.1:7000.
#
# Do not use this file on your actual server! When running an obfs4proxy
# server, you do not need to specify server keys in the config file. obfs4proxy
# will generate keys and store them in the state directory.

# ====================

# Client configuration
#
# A client configuration file must have a [client] section.

[client]

exec = /usr/bin/obfs4proxy
# The Pluggable Transport's executable. It is also possible to include command
# line arguments, like the following:
# exec = /usr/bin/obfs4proxy -enableLogging

state = ./state
# The state directory. Omit this line or specify an empty value to use a
# temporary directory, which is cleaned when the PT exits.

tunnels = client_obfs4_1 client_obfs4_2 client_obfs3
# Section names describing client transport tunnels, separated by whitespace.
# Each specified section must exist.


[client_obfs4_1]
# This is the config section for a client transport tunnel.

transport = obfs4
# Name of the transport for this tunnel. Should be a supported transport method
# of the PT.

listen = 127.0.0.1:8000
# Address and port to listen for unobfuscated client traffic.

upstream = 127.0.0.1:7900
# Upstream PT address and port to send obfuscated traffic to.

# If the client transport tunnel requires per-tunnel options, specify them
# on separate lines, one line for each option.
# The configuration key should be named "options-<option name>".
# The two lines below specify the options "cert" and "iat-mode" respectively.

options-cert = TT5FYRSZBwJVcYJ6EndmG1+fykZDk9dkEEJiCmCIGnLrtH74xaWECstPhY5cACbLLnX9bw
options-iat-mode = 0

[client_obfs4_2]
transport = obfs4
listen = 127.0.0.1:8001
upstream = 127.0.0.1:7900
options-cert = TT5FYRSZBwJVcYJ6EndmG1+fykZDk9dkEEJiCmCIGnLrtH74xaWECstPhY5cACbLLnX9bw
options-iat-mode = 0

[client_obfs3]
# This is a client transport tunnel section with no additional options.
transport = obfs3
listen = 127.0.0.1:8002
upstream = 127.0.0.1:7901


# ====================

# Server configuration
#
# A server configuration must have a [server] section.

[server]

exec = /usr/bin/obfs4proxy
# The Pluggable Transport's executable. It is also possible to include command
# line arguments, like the following:
# exec = /usr/bin/obfs4proxy -enableLogging

state = ./state
# The state directory. Omit this line or specify an empty value to use a
# temporary directory, which is cleaned when the PT exits.
# For servers, it is recommended to use an actual persistent location for the
# state directory, instead of using a temporary directory, since the server
# is more likely to store state (like crypto keys, certificates, etc.)

forward = 127.0.0.1:7000
# Address and port to forward unobfuscated traffic to.

tunnels = server_obfs4 server_obfs3
# Section names describing server transports, separated by whitespace.
# Each specified section must exist.


[server_obfs4]
# This is the config section of a server transport.

transport = obfs4
# Name of the transport for this tunnel. Should be a supported transport method
# of the PT.

listen = 127.0.0.1:7900
# Address and port to listen for obfuscated client traffic.

# If the server transport  requires per-transport options, specify them
# on separate lines, one line for each option.
# The configuration key should be named "options-<option name>".
# The two lines below specify five options,
# "node-id", "private-key", "public-key", "drbg-seed" and "iat-mode"
# respectively.

options-node-id = 4d3e4561149907025571827a1277661b5f9fca46
options-private-key = 7886017adfd178cd139e91250dddee0b2af8ab6cf93f1fe9a7a469d3a13a3067
options-public-key = 4393d7641042620a60881a72ebb47ef8c5a5840acb4f858e5c0026cb2e75fd6f
options-drbg-seed = c23e876ddc408cc392317e017a6796a96161f76d8dd90522
options-iat-mode = 0


[server_obfs3]
# This is a server tranposrt config section with no options.
transport = obfs3
listen = 127.0.0.1:7901

To reiterate, do not copy the server and client options in the example config file and use it in your own production server!